cloudposse · shirkevich · Jul 31, 2025 · Aug 6, 2025 · Aug 6, 2025 · Aug 6, 2025
@@ -51,6 +51,10 @@ var (
 	ErrLoadAwsConfig                    = errors.New("failed to load AWS config")
 	ErrGetObjectFromS3                  = errors.New("failed to get object from S3")
 	ErrReadS3ObjectBody                 = errors.New("failed to read S3 object body")
+	ErrCreateGCSClient                  = errors.New("failed to create GCS client")
+	ErrGetObjectFromGCS                 = errors.New("failed to get object from GCS")
+	ErrReadGCSObjectBody                = errors.New("failed to read GCS object body")
+	ErrInvalidBackendConfig             = errors.New("invalid backend configuration")
 
 	ErrReadFile    = errors.New("error reading file")
 	ErrInvalidFlag = errors.New("invalid flag")

@@ -1269,7 +1269,7 @@ func ProcessStackConfig(
 				// If it does not, use the component name instead
 				// https://developer.hashicorp.com/terraform/language/settings/backends/gcs
 				// https://developer.hashicorp.com/terraform/language/settings/backends/gcs#prefix
-				if finalComponentBackendType == "gcs" {
+				if finalComponentBackendType == cfg.BackendTypeGCS {
 					if p, ok := finalComponentBackend["prefix"].(string); !ok || p == "" {
 						prefix := component
 						if baseComponentName != "" {
@@ -1283,7 +1283,7 @@ func ProcessStackConfig(
 				// Check if component `backend` section has `key` for `azurerm` backend type
 				// If it does not, use the component name instead and format it with the global backend key name to auto generate a unique Terraform state key
 				// The backend state file will be formatted like so: {global key name}/{component name}.terraform.tfstate
-				if finalComponentBackendType == "azurerm" {
+				if finalComponentBackendType == cfg.BackendTypeAzurerm {
 					if componentAzurerm, componentAzurermExists := componentBackendSection["azurerm"].(map[string]any); !componentAzurermExists {
 						if _, componentAzurermKeyExists := componentAzurerm["key"].(string); !componentAzurermKeyExists {
 							azureKeyPrefixComponent := component

@@ -10,6 +10,7 @@ import (
 
 	cfg "github.com/cloudposse/atmos/pkg/config"
 	u "github.com/cloudposse/atmos/pkg/utils"
+	errUtils "github.com/cloudposse/atmos/errors"
 )
 
 // ExecuteTerraformGenerateBackendCmd executes `terraform generate backend` command
@@ -78,12 +79,19 @@ func ExecuteTerraformGenerateBackendCmd(cmd *cobra.Command, args []string) error
 	log.Debug("Component backend", "config", componentBackendConfig)
 
 	// Check if the `backend` section has `workspace_key_prefix` when `backend_type` is `s3`
-	if info.ComponentBackendType == "s3" {
+	if info.ComponentBackendType == cfg.BackendTypeS3 {
 		if _, ok := info.ComponentBackendSection["workspace_key_prefix"].(string); !ok {
 			return fmt.Errorf("backend config for the '%s' component is missing 'workspace_key_prefix'", component)
 		}
 	}
 
+	// Check if the `backend` section has `bucket` when `backend_type` is `gcs`
+	if info.ComponentBackendType == cfg.BackendTypeGCS {
+		if _, ok := info.ComponentBackendSection["bucket"].(string); !ok {
+			return fmt.Errorf(errUtils.ErrStringWrappingFormat, errUtils.ErrInvalidBackendConfig, fmt.Sprintf("backend config for the '%s' component is missing 'bucket'", component))
+		}
+	}
+
 	// Write the backend config to a file
 	backendFilePath := filepath.Join(
 		atmosConfig.BasePath,

@@ -0,0 +1,66 @@
+package gcp
+
+import (
+	"strings"
+
+	"google.golang.org/api/option"
+)
+
+// AuthOptions contains configuration for Google Cloud authentication.
+type AuthOptions struct {
+	// Credentials can be either:
+	// - JSON content (if starts with "{")
+	// - File path to service account JSON file
+	// - Empty string to use Application Default Credentials (ADC)
+	Credentials string
+
+	// TODO: Add support for service account impersonation
+	// ImpersonateServiceAccount string
+}
+
+// GetClientOptions returns Google Cloud client options based on the provided authentication configuration.
+// This function provides unified authentication handling across all Google Cloud services in Atmos.
+//
+// Authentication precedence:
+// 1. Explicit credentials (JSON content or file path)
+// 2. Application Default Credentials (ADC) which automatically handles:
+//   - GOOGLE_APPLICATION_CREDENTIALS environment variable
+//   - Compute Engine metadata service
+//   - Cloud Shell credentials
+//   - gcloud user credentials (from `gcloud auth application-default login`)
+//   - Workload Identity (in GKE)
+func GetClientOptions(opts AuthOptions) []option.ClientOption {
+	var clientOpts []option.ClientOption
+
+	if opts.Credentials != "" {
+		// Determine if credentials are JSON content or file path
+		if strings.HasPrefix(strings.TrimSpace(opts.Credentials), "{") {
+			// JSON content
+			clientOpts = append(clientOpts, option.WithCredentialsJSON([]byte(opts.Credentials)))
+		} else {
+			// File path
+			clientOpts = append(clientOpts, option.WithCredentialsFile(opts.Credentials))
+		}
+	}
+	// If no explicit credentials, Google Cloud client libraries will automatically use ADC
+
+	return clientOpts
+}
+
+// GetCredentialsFromBackend extracts credentials from a Terraform backend configuration.
+// This is used by the GCS Terraform backend.
+func GetCredentialsFromBackend(backend map[string]any) string {
+	if credentials, ok := backend["credentials"].(string); ok {
+		return credentials
+	}
+	return ""
+}
+
+// GetCredentialsFromStore extracts credentials from a store configuration.
+// This is used by the Google Secret Manager store.
+func GetCredentialsFromStore(credentials *string) string {
+	if credentials != nil {
+		return *credentials
+	}
+	return ""
+}
@@ -0,0 +1,178 @@
+package gcp
+
+import (
+	"testing"
+
+	"google.golang.org/api/option"
+)
+
+func TestGetClientOptions(t *testing.T) {
+	tests := []struct {
+		name     string
+		opts     AuthOptions
+		expected int // number of client options returned
+	}{
+		{
+			name: "no credentials - use ADC",
+			opts: AuthOptions{
+				Credentials: "",
+			},
+			expected: 0, // ADC uses no explicit options
+		},
+		{
+			name: "JSON credentials",
+			opts: AuthOptions{
+				Credentials: `{"type": "service_account", "project_id": "test"}`,
+			},
+			expected: 1, // WithCredentialsJSON
+		},
+		{
+			name: "file path credentials",
+			opts: AuthOptions{
+				Credentials: "/path/to/service-account.json",
+			},
+			expected: 1, // WithCredentialsFile
+		},
+		{
+			name: "JSON with whitespace",
+			opts: AuthOptions{
+				Credentials: `  {"type": "service_account"}  `,
+			},
+			expected: 1, // WithCredentialsJSON
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			clientOpts := GetClientOptions(tt.opts)
+			if len(clientOpts) != tt.expected {
+				t.Errorf("GetClientOptions() returned %d options, expected %d", len(clientOpts), tt.expected)
+			}
+		})
+	}
+}
+
+func TestGetCredentialsFromBackend(t *testing.T) {
+	tests := []struct {
+		name     string
+		backend  map[string]any
+		expected string
+	}{
+		{
+			name: "credentials present",
+			backend: map[string]any{
+				"credentials": "/path/to/creds.json",
+				"bucket":      "test-bucket",
+			},
+			expected: "/path/to/creds.json",
+		},
+		{
+			name: "JSON credentials",
+			backend: map[string]any{
+				"credentials": `{"type": "service_account"}`,
+			},
+			expected: `{"type": "service_account"}`,
+		},
+		{
+			name: "no credentials",
+			backend: map[string]any{
+				"bucket": "test-bucket",
+			},
+			expected: "",
+		},
+		{
+			name:     "empty backend",
+			backend:  map[string]any{},
+			expected: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := GetCredentialsFromBackend(tt.backend)
+			if result != tt.expected {
+				t.Errorf("GetCredentialsFromBackend() = %v, expected %v", result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestGetCredentialsFromStore(t *testing.T) {
+	tests := []struct {
+		name        string
+		credentials *string
+		expected    string
+	}{
+		{
+			name:        "credentials present",
+			credentials: stringPtr("/path/to/creds.json"),
+			expected:    "/path/to/creds.json",
+		},
+		{
+			name:        "JSON credentials",
+			credentials: stringPtr(`{"type": "service_account"}`),
+			expected:    `{"type": "service_account"}`,
+		},
+		{
+			name:        "empty credentials",
+			credentials: stringPtr(""),
+			expected:    "",
+		},
+		{
+			name:        "nil credentials",
+			credentials: nil,
+			expected:    "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := GetCredentialsFromStore(tt.credentials)
+			if result != tt.expected {
+				t.Errorf("GetCredentialsFromStore() = %v, expected %v", result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestClientOptionsCreation(t *testing.T) {
+	// Test that we can actually create valid client options without errors
+	tests := []struct {
+		name        string
+		credentials string
+		expectType  string
+	}{
+		{
+			name:        "JSON credentials create WithCredentialsJSON option",
+			credentials: `{"type": "service_account", "project_id": "test"}`,
+			expectType:  "JSON",
+		},
+		{
+			name:        "file path creates WithCredentialsFile option",
+			credentials: "/path/to/service-account.json",
+			expectType:  "File",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			opts := GetClientOptions(AuthOptions{
+				Credentials: tt.credentials,
+			})
+
+			// We can't easily inspect the actual option type without reflection,
+			// but we can verify that an option was created
+			if len(opts) != 1 {
+				t.Errorf("Expected 1 client option, got %d", len(opts))
+			}
+
+			// Verify the option is of type option.ClientOption
+			var _ option.ClientOption = opts[0]
+		})
+	}
+}
+
+// Helper function to create string pointers for tests
+func stringPtr(s string) *string {
+	return &s
+}