Fix Terraform state authentication by passing auth context

CLAUDE.md

@@ -152,6 +152,51 @@ pkg/newfeature/
 ### Comment Style (MANDATORY)
 All comments must end with periods (enforced by `godot` linter).
 
+### Comment Preservation (MANDATORY)
+**NEVER delete existing comments without a very strong reason.**
+
+Comments are documentation that helps developers understand:
+- **Why** code was written a certain way
+- **How** complex algorithms or flows work
+- **What** edge cases or gotchas to be aware of
+- **Where** credentials or configuration come from
+
+**Guidelines:**
+- **Preserve helpful comments** - Especially those explaining credential resolution, complex logic, or non-obvious behavior
+- **Update comments to match code** - When refactoring, update comments to reflect current implementation
+- **Refactor for clarity** - It's okay to improve comment wording or structure for better readability
+- **Add context when modifying** - If changing code with comments, ensure comments still accurately describe the behavior
+
+**Acceptable reasons to remove comments:**
+- Comment is factually incorrect and cannot be updated
+- Code is completely removed
+- Comment duplicates what the code obviously does (e.g., `// increment counter` above `counter++`)
+- Comment is outdated TODO that has been completed
+
+**Anti-pattern:**
+```go
+// WRONG: Deleting helpful documentation during refactoring
+-// LoadAWSConfig looks for credentials in the following order:
+-//   1. Environment variables (AWS_ACCESS_KEY_ID, etc.)
+-//   2. Shared credentials file (~/.aws/credentials)
+-//   3. EC2 Instance Metadata Service (IMDS)
+-//   ... (more helpful details)
+ func LoadAWSConfig(ctx context.Context) (aws.Config, error) {
+```
+
+**Correct pattern:**
+```go
+// CORRECT: Preserving and updating helpful documentation
+-// LoadAWSConfig looks for credentials in the following order:
++// LoadAWSConfigWithAuth looks for credentials in the following order:
++// When authContext is provided, uses Atmos-managed credentials.
++// Otherwise, falls back to standard AWS SDK resolution:
+ //   1. Environment variables (AWS_ACCESS_KEY_ID, etc.)
+ //   2. Shared credentials file (~/.aws/credentials)
+ //   3. EC2 Instance Metadata Service (IMDS)
+ //   ... (more helpful details)
+```
+
 ### Import Organization (MANDATORY)
 Three groups separated by blank lines, sorted alphabetically:
 1. Go stdlib
@@ -168,11 +213,17 @@ Precedence: CLI flags → ENV vars → config files → defaults (use Viper)
 
 ### Error Handling (MANDATORY)
 - Wrap with static errors from `errors/errors.go`
-- Combine: `errors.Join(errUtils.ErrFoo, err)`
-- Add context: `fmt.Errorf("%w: msg", errUtils.ErrFoo)`
+- Chain errors: `fmt.Errorf("%w: msg", errUtils.ErrFoo)` - creates error chain
+- Join errors: `errors.Join(errUtils.ErrFoo, err)` - combines independent errors
+- Multiple wrapping: `fmt.Errorf("%w: context: %w", errUtils.ErrBase, err)` (valid Go 1.20+)
 - Check: `errors.Is(err, target)`
 - Never dynamic errors or string comparison
 
+**Important distinction:**
+- **`fmt.Errorf` with single `%w`**: Creates error **chain** - `errors.Unwrap()` returns next error. Use when error context builds sequentially through call stack. **Prefer this when error chain matters.**
+- **`errors.Join`**: Creates **flat list** - `errors.Unwrap()` returns `nil`, must use `Unwrap() []error` interface. Use for independent errors (parallel operations, multiple validations).
+- **`fmt.Errorf` with multiple `%w`**: Like `errors.Join` but adds format string. Valid Go 1.20+, returns `Unwrap() []error`.
+
 ### Testing Strategy (MANDATORY)
 - **Prefer unit tests with mocks** over integration tests
 - Use interfaces + dependency injection for testability

cmd/auth_console.go

@@ -91,10 +91,16 @@ func executeAuthConsoleCommand(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("%w: %w", errUtils.ErrAuthConsole, err)
 	}
 
+	// Resolve session duration (flag takes precedence over provider config).
+	sessionDuration, err := resolveConsoleDuration(cmd, authManager, whoami.Provider)
+	if err != nil {
+		return fmt.Errorf("%w: %w", errUtils.ErrAuthConsole, err)
+	}
+
 	// Generate console URL.
 	options := types.ConsoleURLOptions{
 		Destination:     consoleDestination,
-		SessionDuration: consoleDuration,
+		SessionDuration: sessionDuration,
 		Issuer:          consoleIssuer,
 		OpenInBrowser:   !consoleSkipOpen && !consolePrintOnly,
 	}
@@ -258,6 +264,39 @@ func retrieveCredentials(whoami *types.WhoamiInfo) (types.ICredentials, error) {
 	}
 }
 
+// resolveConsoleDuration resolves console session duration from flag or provider config.
+// Flag takes precedence over provider configuration.
+func resolveConsoleDuration(cmd *cobra.Command, authManager types.AuthManager, providerName string) (time.Duration, error) {
+	defer perf.Track(nil, "cmd.resolveConsoleDuration")()
+
+	// Check if flag was explicitly set by user.
+	if cmd.Flags().Changed("duration") {
+		return consoleDuration, nil
+	}
+
+	// Get provider configuration.
+	providers := authManager.GetProviders()
+	provider, exists := providers[providerName]
+	if !exists {
+		// No provider config found, use default from flag.
+		return consoleDuration, nil
+	}
+
+	// Check if provider has console configuration.
+	if provider.Console == nil || provider.Console.SessionDuration == "" {
+		// No console config, use default from flag.
+		return consoleDuration, nil
+	}
+
+	// Parse provider's session duration.
+	duration, err := time.ParseDuration(provider.Console.SessionDuration)
+	if err != nil {
+		return 0, fmt.Errorf("invalid session_duration in provider %q console config: %w", providerName, err)
+	}
+
+	return duration, nil
+}
+
 func init() {
 	authConsoleCmd.Flags().StringVar(&consoleDestination, "destination", "",
 		"Console page to navigate to. Supports full URLs or shorthand aliases like 's3', 'ec2', 'lambda', etc.")

cmd/auth_console_test.go

@@ -10,6 +10,7 @@ import (
 	"github.com/spf13/cobra"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"go.uber.org/mock/gomock"
 
 	errUtils "github.com/cloudposse/atmos/errors"
 	"github.com/cloudposse/atmos/pkg/auth/types"
@@ -724,3 +725,96 @@ func (m *mockAuthManagerForIdentity) LogoutProvider(ctx context.Context, provide
 func (m *mockAuthManagerForIdentity) LogoutAll(ctx context.Context) error {
 	return errors.New("not implemented")
 }
+
+func TestResolveConsoleDuration(t *testing.T) {
+	_ = NewTestKit(t)
+
+	tests := []struct {
+		name             string
+		flagSet          bool
+		flagValue        time.Duration
+		providerConfig   *schema.ConsoleConfig
+		expectedDuration time.Duration
+		expectError      bool
+	}{
+		{
+			name:             "flag explicitly set takes precedence",
+			flagSet:          true,
+			flagValue:        4 * time.Hour,
+			providerConfig:   &schema.ConsoleConfig{SessionDuration: "12h"},
+			expectedDuration: 4 * time.Hour,
+			expectError:      false,
+		},
+		{
+			name:             "provider config used when flag not set",
+			flagSet:          false,
+			flagValue:        1 * time.Hour, // default flag value
+			providerConfig:   &schema.ConsoleConfig{SessionDuration: "8h"},
+			expectedDuration: 8 * time.Hour,
+			expectError:      false,
+		},
+		{
+			name:             "default flag value when no provider config",
+			flagSet:          false,
+			flagValue:        1 * time.Hour,
+			providerConfig:   nil,
+			expectedDuration: 1 * time.Hour,
+			expectError:      false,
+		},
+		{
+			name:             "default flag value when provider config empty",
+			flagSet:          false,
+			flagValue:        1 * time.Hour,
+			providerConfig:   &schema.ConsoleConfig{SessionDuration: ""},
+			expectedDuration: 1 * time.Hour,
+			expectError:      false,
+		},
+		{
+			name:           "invalid provider config duration",
+			flagSet:        false,
+			flagValue:      1 * time.Hour,
+			providerConfig: &schema.ConsoleConfig{SessionDuration: "invalid"},
+			expectError:    true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_ = NewTestKit(t)
+
+			// Create test command with duration flag.
+			cmd := &cobra.Command{}
+			cmd.Flags().DurationVar(&consoleDuration, "duration", 1*time.Hour, "duration flag")
+
+			// Set flag value and simulate whether user explicitly set it.
+			consoleDuration = tt.flagValue
+			if tt.flagSet {
+				require.NoError(t, cmd.Flags().Set("duration", tt.flagValue.String()))
+			}
+
+			// Create mock auth manager using gomock.
+			ctrl := gomock.NewController(t)
+			mockManager := types.NewMockAuthManager(ctrl)
+
+			// Setup expectation for GetProviders.
+			providers := map[string]schema.Provider{
+				"test-provider": {
+					Kind:    "aws/iam-identity-center",
+					Console: tt.providerConfig,
+				},
+			}
+			mockManager.EXPECT().GetProviders().Return(providers).AnyTimes()
+
+			// Call resolveConsoleDuration.
+			duration, err := resolveConsoleDuration(cmd, mockManager, "test-provider")
+
+			if tt.expectError {
+				assert.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err)
+			assert.Equal(t, tt.expectedDuration, duration)
+		})
+	}
+}