fix: prevent invalid empty backend.tf.json generation (#1833)

* fix: prevent invalid empty backend.tf.json from being generated

- Add validation in generateComponentBackendConfig() to reject empty backend_type
- Add ErrBackendTypeRequired sentinel error for proper error handling
- Log warnings when skipping backend generation due to missing backend or backend_type
- Include auto_generate_backend_file setting hint in warning messages
- Add comprehensive tests to verify no backend files are generated when config is incomplete
- Tests validate both warning messages and file non-existence

This prevents the issue where an empty backend type would result in invalid Terraform config like `{"terraform": {"backend": {"": {}}}}`, which causes "Duplicate backend configuration" errors.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* test: improve test comment accuracy for backend_type warning path

Clarify that the YAML processor sets empty backend_type strings, so tests
hit the "empty after template processing" path rather than the "not configured" path.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* [autofix.ci] apply automated fixes

* refactor: extract backend validation into pure testable functions

- Add validateBackendConfig() pure function with 100% test coverage
- Add checkBackendTypeAfterProcessing() pure function with 100% test coverage
- Add comprehensive unit tests for all validation scenarios
- Refactor ExecuteTerraformGenerateBackends to use extracted functions

This improves testability by separating validation logic from side effects,
allowing direct unit testing of all validation paths without requiring
complex integration test setups.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor: rename backendConfigValidationResult to backendValidation

Simplify the type name and remove verbose field comments.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor: rename to backendConfig and extractBackendConfig

The struct holds the backend configuration, so backendConfig is clearer.
The function extracts config from the component section, so extractBackendConfig
better describes what it does.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor: use error type instead of string for skip reasons

Replace SkipReason string with Err error field in backendConfig.
Add sentinel errors: ErrBackendSectionMissing, ErrBackendTypeMissing,
ErrBackendTypeEmptyAfterRender.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: reject empty backend config for remote backends

When backend_type is set to s3, gcs, azurerm, or cloud but the backend
section is empty, skip backend generation with a warning instead of
generating invalid Terraform configuration like {"terraform":{"backend":{"s3":{}}}}.

The local backend is still allowed to have empty configuration since
Terraform supports it without any required fields.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* docs: add blog post for empty backend config validation fix

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andriy Knysh <aknysh@users.noreply.github.com>

Author: 4 people

errors/errors.go

@@ -111,14 +111,19 @@ var (
 	ErrAzurePermissionDenied  = errors.New("permission denied accessing Azure blob")
 
 	// Azure authentication errors.
-	ErrAzureOIDClaimNotFound      = errors.New("oid claim not found in token")
-	ErrAzureUsernameClaimNotFound = errors.New("no username claim found in token (tried upn, unique_name, email)")
-	ErrAzureInvalidJWTFormat      = errors.New("invalid JWT format")
-	ErrAzureExpirationTimeEmpty   = errors.New("expiration time is empty")
-	ErrAzureTimeParseFailure      = errors.New("unable to parse time: tried RFC3339, local time formats, and Unix timestamp")
-	ErrAzureNoAccountsInCache     = errors.New("no accounts found in cache")
-	ErrAzureNoAccountForTenant    = errors.New("no account found for tenant")
-	ErrBackendConfigRequired      = errors.New("backend configuration is required")
+	ErrAzureOIDClaimNotFound       = errors.New("oid claim not found in token")
+	ErrAzureUsernameClaimNotFound  = errors.New("no username claim found in token (tried upn, unique_name, email)")
+	ErrAzureInvalidJWTFormat       = errors.New("invalid JWT format")
+	ErrAzureExpirationTimeEmpty    = errors.New("expiration time is empty")
+	ErrAzureTimeParseFailure       = errors.New("unable to parse time: tried RFC3339, local time formats, and Unix timestamp")
+	ErrAzureNoAccountsInCache      = errors.New("no accounts found in cache")
+	ErrAzureNoAccountForTenant     = errors.New("no account found for tenant")
+	ErrBackendConfigRequired       = errors.New("backend configuration is required")
+	ErrBackendTypeRequired         = errors.New("backend_type is required")
+	ErrBackendSectionMissing       = errors.New("no 'backend' section configured")
+	ErrBackendTypeMissing          = errors.New("no 'backend_type' configured")
+	ErrBackendTypeEmptyAfterRender = errors.New("'backend_type' is empty after template processing")
+	ErrBackendConfigEmpty          = errors.New("'backend' section is empty but 'backend_type' requires configuration")
 
 	// Git-related errors.
 	ErrGitNotAvailable      = errors.New("git must be available and on the PATH")

internal/exec/terraform_generate_backends.go

@@ -17,6 +17,46 @@ import (
 	u "github.com/cloudposse/atmos/pkg/utils"
 )
 
+// backendConfig holds extracted backend configuration from a component section.
+type backendConfig struct {
+	BackendSection map[string]any
+	BackendType    string
+	Err            error
+}
+
+// extractBackendConfig extracts and validates backend configuration from a component section.
+func extractBackendConfig(componentSection map[string]any) backendConfig {
+	backendSection, ok := componentSection[cfg.BackendSectionName].(map[string]any)
+	if !ok {
+		return backendConfig{Err: errUtils.ErrBackendSectionMissing}
+	}
+
+	backendType, ok := componentSection[cfg.BackendTypeSectionName].(string)
+	if !ok {
+		return backendConfig{Err: errUtils.ErrBackendTypeMissing}
+	}
+
+	// Check if backend section is empty for backends that require configuration.
+	// The "local" backend can work without any configuration, but remote backends
+	// like s3, gcs, azurerm, and cloud require at least some configuration.
+	if len(backendSection) == 0 && backendType != cfg.BackendTypeLocal {
+		return backendConfig{Err: errUtils.ErrBackendConfigEmpty}
+	}
+
+	return backendConfig{
+		BackendSection: backendSection,
+		BackendType:    backendType,
+	}
+}
+
+// checkBackendTypeAfterProcessing validates that backend_type is not empty after template processing.
+func checkBackendTypeAfterProcessing(backendType string) error {
+	if backendType == "" {
+		return errUtils.ErrBackendTypeEmptyAfterRender
+	}
+	return nil
+}
+
 // ExecuteTerraformGenerateBackendsCmd executes `terraform generate backends` command.
 func ExecuteTerraformGenerateBackendsCmd(cmd *cobra.Command, args []string) error {
 	defer perf.Track(nil, "exec.ExecuteTerraformGenerateBackendsCmd")()
@@ -132,15 +172,16 @@ func ExecuteTerraformGenerateBackends(
 					}
 				}
 
-				// Component backend
-				if backendSection, ok = componentSection[cfg.BackendSectionName].(map[string]any); !ok {
-					continue
-				}
-
-				// Backend type
-				if backendTypeSection, ok = componentSection[cfg.BackendTypeSectionName].(string); !ok {
+				// Extract backend configuration.
+				backend := extractBackendConfig(componentSection)
+				if backend.Err != nil {
+					log.Warn("Skipping backend generation: "+backend.Err.Error()+". "+
+						"Set 'components.terraform.auto_generate_backend_file: false' in atmos.yaml to disable.",
+						"component", componentName, "stack", stackFileName)
 					continue
 				}
+				backendSection = backend.BackendSection
+				backendTypeSection = backend.BackendType
 
 				if varsSection, ok = componentSection[cfg.VarsSectionName].(map[string]any); !ok {
 					varsSection = map[string]any{}
@@ -295,6 +336,14 @@ func ExecuteTerraformGenerateBackends(
 					backendTypeSection = i
 				}
 
+				// Skip if backend_type is empty after template processing.
+				if err := checkBackendTypeAfterProcessing(backendTypeSection); err != nil {
+					log.Warn("Skipping backend generation: "+err.Error()+". "+
+						"Set 'components.terraform.auto_generate_backend_file: false' in atmos.yaml to disable.",
+						"component", componentName, "stack", stackName)
+					continue
+				}
+
 				var backendFilePath string
 				var backendFileAbsolutePath string