[Bug]: Invalid allowed_roles attribute in database_secret_backend_connection causes plugin to crash #2317

Open
faseyiks opened this issue Sep 1, 2024 · 0 comments
faseyiks commented Sep 1, 2024

Terraform Core Version

1.7.5

Terraform Vault Provider Version

4.4.0

Vault Server Version

1.17.3

Affected Resource(s)

vault_database_secret_backend_connection

Expected Behavior

When any attribute is wrongly set or contains illegal settings, this should produce an error indicating what is wrong with the setting so that it can be fixed

Actual Behavior

When allowed_roles includes an empty string, that is "", the provider plugin crashes with a panic.

Relevant Error/Panic Output Snippet

2024-08-31T16:42:13.248+0100 [DEBUG] Resource instance state not found for node "module.<redacted>.vault_database_secret_backend_role.dynamic_role[\"test_a9a28_0b5f4_223ac\"]", instance module.<redacted>.vault_database_secret_backend_role.dynamic_role["test_a9a28_0b5f4_223ac"]
2024-08-31T16:42:13.252+0100 [DEBUG] ReferenceTransformer: "module.<redacted>.vault_database_secret_backend_role.dynamic_role[\"test_a9a28_0b5f4_223ac\"]" references: []
2024-08-31T16:42:13.252+0100 [DEBUG] refresh: module.<redacted>.vault_database_secret_backend_role.dynamic_role["test_a9a28_0b5f4_223ac"]: no state, so not refreshing
2024-08-31T16:42:13.255+0100 [DEBUG] Resource instance state not found for node "module.<redacted>.vault_database_secret_backend_static_role.schedule_role[\"test_a9a28_0b5f4_6a1a1\"]", instance module.<redacted>.vault_database_secret_backend_static_role.schedule_role["test_a9a28_0b5f4_6a1a1"]
2024-08-31T16:42:13.256+0100 [DEBUG] ReferenceTransformer: "module.<redacted>.vault_database_secret_backend_static_role.schedule_role[\"test_a9a28_0b5f4_6a1a1\"]" references: []
2024-08-31T16:42:13.256+0100 [DEBUG] Resource instance state not found for node "module.<redacted>.vault_database_secret_backend_connection.connection[\"test_a9a28_0b5f4\"]", instance module.<redacted>.vault_database_secret_backend_connection.connection["test_a9a28_0b5f4"]
2024-08-31T16:42:13.263+0100 [DEBUG] ReferenceTransformer: "module.<redacted>.vault_database_secret_backend_connection.connection[\"test_a9a28_0b5f4\"]" references: []
2024-08-31T16:42:13.264+0100 [DEBUG] refresh: module.<redacted>.vault_database_secret_backend_connection.connection["test_a9a28_0b5f4"]: no state, so not refreshing
2024-08-31T16:42:13.266+0100 [DEBUG] refresh: module.<redacted>.vault_database_secret_backend_static_role.schedule_role["test_a9a28_0b5f4_6a1a1"]: no state, so not refreshing
2024-08-31T16:42:13.268+0100 [DEBUG] Resource instance state not found for node "module.<redacted>.vault_database_secret_backend_static_role.periodic_role[\"test_a9a28_0b5f4_9112e\"]", instance module.<redacted>.vault_database_secret_backend_static_role.periodic_role["test_a9a28_0b5f4_9112e"]
2024-08-31T16:42:13.268+0100 [DEBUG] ReferenceTransformer: "module.<redacted>.vault_database_secret_backend_static_role.periodic_role[\"test_a9a28_0b5f4_9112e\"]" references: []
2024-08-31T16:42:13.270+0100 [DEBUG] refresh: module.<redacted>.vault_database_secret_backend_static_role.periodic_role["test_a9a28_0b5f4_9112e"]: no state, so not refreshing
2024-08-31T16:42:13.304+0100 [WARN]  Provider "registry.terraform.io/hashicorp/vault" produced an invalid plan for module.<redacted>.vault_database_secret_backend_connection.connection["test_a9a28_0b5f4"], but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .oracle[0].split_statements: planned value cty.True for a non-computed attribute
      - .oracle[0].disconnect_sessions: planned value cty.True for a non-computed attribute
      - .oracle[0].max_open_connections: planned value cty.NumberIntVal(2) for a non-computed attribute

Terraform Configuration Files

//Connections
resource "vault_database_secret_backend_connection" "connection" {
  for_each                 = { for k, v in local.database_connections : k => v if var.database_secret_engine_enabled }
  namespace                = "namespace_name"
  backend                  = "path/to/backend"
  name                     = each.value.name
  plugin_name              = each.value.plugin
  allowed_roles            = distinct(concat(flatten([for role in each.value.roles: role.role_name]), each.value.additional_roles))
  root_rotation_statements = each.value.root_rotation_statements
  verify_connection        = each.value.verify_connection

  dynamic "oracle" {
    for_each = each.value.connection_type == "oracle" ? [1] : []
    content {
      connection_url          = each.value.url
      username                = each.value.username
      password                = each.value.password
      max_idle_connections    = try(var.supplementary_connection_properties[each.value.connection_type].max_idle_conn, null)
      max_open_connections    = try(var.supplementary_connection_properties[each.value.connection_type].max_open_conn, null)
      max_connection_lifetime = try(var.supplementary_connection_properties[each.value.connection_type].max_conn_age, null)
      split_statements        = try(var.supplementary_connection_properties[each.value.connection_type].split_statements, null)
    }
  }
}

Configuration File (in a tfvars file)
=============
database_engines_config = {
  my-mount = {
    path              = "testdb"
    default_lease_ttl = 86400
    max_lease_ttl     = 854000
    connections = {
      my-con = {
        connection_type   = "oracle"
        name              = "testoradb"
        url               = "192.168.1.15:1521/XEPDB1"
        plugin            = "vault-plugin-database-oracle"
        verify_connection = false
        additional_roles  = [""]
        roles = {
          my-ora-role = {
            role_name           = "my_ora_db_role"
            role_type           = "periodic"
            rotation_period     = "57600"
            rotation_statements = ["ALTER USER \"{{name}}\" IDENTIFIED BY \"{{password}}\""]
            db_username         = "vault_admin"
          }
        }
      }
    }
  }
}

Steps to Reproduce

The above allowed_roles attribute should produce

allowed_roles = [
  "my_ora_db_role",
  "",
]

This is because the attribute did not use the compact function to eliminate the "". Agreed that using compact would help eliminate the rogue entry, but this should lead to an error rather than a panic and crash.


Panic Output

╷
│ Error: Plugin did not respond
│ 
│   with module.<redacted>.vault_database_secret_backend_connection.connection["test_a9a28_0b5f4"],
│   on ./modules/<redacted>/<redacted>.tf line 16, in resource "vault_database_secret_backend_connection" "connection":
│   16: resource "vault_database_secret_backend_connection" "connection" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may
│ contain more details.
╵
╷
│ Error: Plugin did not respond
│ 
│   with module.<redacted>.vault_database_secret_backend_role.dynamic_role["test_a9a28_0b5f4_223ac"],
│   on ./modules/<redacted>/<redacted>.tf line 184, in resource "vault_database_secret_backend_role" "dynamic_role":
│  184: resource "vault_database_secret_backend_role" "dynamic_role" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may
│ contain more details.
╵
╷
│ Error: Plugin did not respond
│ 
│   with module.<redacted>.vault_database_secret_backend_static_role.periodic_role["test_a9a28_0b5f4_9112e"],
│   on ./modules/<redacted>/<redacted>.tf line 228, in resource "vault_database_secret_backend_static_role" "periodic_role":
│  228: resource "vault_database_secret_backend_static_role" "periodic_role" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may
│ contain more details.
╵
╷
│ Error: Plugin did not respond
│ 
│   with module.<redacted>.vault_database_secret_backend_static_role.schedule_role["test_a9a28_0b5f4_6a1a1"],
│   on ./modules/<redacted>/<redacted>.tf line 240, in resource "vault_database_secret_backend_static_role" "schedule_role":
│  240: resource "vault_database_secret_backend_static_role" "schedule_role" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may
│ contain more details.
╵
╷

Stack trace from the terraform-provider-vault_v4.4.0 plugin:

panic: interface conversion: interface {} is nil, not string

goroutine 61 [running]:
github.com/hashicorp/terraform-provider-vault/vault.writeDatabaseSecretConfig(0xc00054fc00, 0xc000ae8580, 0x2536460, 0x0, 0x0, {0xc000174630, 0x23}, {0x14aa5a0?, 0xc0006fed00?})
                github.com/hashicorp/terraform-provider-vault/vault/resource_database_secret_backend_connection.go:1743 +0xa88
github.com/hashicorp/terraform-provider-vault/vault.databaseSecretBackendConnectionCreateOrUpdate(0xc00054fc00, {0x14aa5a0, 0xc0006fed00})
                github.com/hashicorp/terraform-provider-vault/vault/resource_database_secret_backend_connection.go:1710 +0x127
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0x1b2f188?, {0x1b2f188?, 0xc000c157d0?}, 0xd?, {0x14aa5a0?, 0xc0006fed00?})
                github.com/hashicorp/terraform-plugin-sdk/v2@v2.31.0/helper/schema/resource.go:766 +0x15f
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc0004f1b20, {0x1b2f188, 0xc000c157d0}, 0xc000c30820, 0xc00054fa80, {0x14aa5a0, 0xc0006fed00})
                github.com/hashicorp/terraform-plugin-sdk/v2@v2.31.0/helper/schema/resource.go:909 +0xa89
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0xc00080ec60, {0x1b2f188?, 0xc000c15710?}, 0xc0009cfbd0)
                github.com/hashicorp/terraform-plugin-sdk/v2@v2.31.0/helper/schema/grpc_provider.go:1074 +0xd5c
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0xc000289d60, {0x1b2f188?, 0xc000c14f30?}, 0xc000152c40)
                github.com/hashicorp/terraform-plugin-go@v0.20.0/tfprotov5/tf5server/server.go:859 +0x56f
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x14f4d40, 0xc000289d60}, {0x1b2f188, 0xc000c14f30}, 0xc00054f700, 0x0)
                github.com/hashicorp/terraform-plugin-go@v0.20.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:503 +0x1a6
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0005c1400, {0x1b2f188, 0xc000c14ea0}, {0x1b365e0, 0xc000772000}, 0xc0009f7e60, 0xc000814780, 0x2541158, 0x0)
                google.golang.org/grpc@v1.61.1/server.go:1385 +0xdd1
google.golang.org/grpc.(*Server).handleStream(0xc0005c1400, {0x1b365e0, 0xc000772000}, 0xc0009f7e60)
                google.golang.org/grpc@v1.61.1/server.go:1796 +0xfb8
google.golang.org/grpc.(*Server).serveStreams.func2.1()
                google.golang.org/grpc@v1.61.1/server.go:1029 +0x8b
created by google.golang.org/grpc.(*Server).serveStreams.func2 in goroutine 37
                google.golang.org/grpc@v1.61.1/server.go:1040 +0x125

Error: The terraform-provider-vault_v4.4.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Important Factoids

No response

References

No response

Would you like to implement a fix?

No response
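The panic above ("interface conversion: interface {} is nil, not string") is what a bare `.(string)` assertion does when the legacy plugin SDK hands the provider a nil element for a list-of-strings attribute. The following is an added example, not code from terraform-provider-vault: a hypothetical `allowedRolesFromRaw` helper that uses the comma-ok assertion and rejects empty or non-string role names with an error, shown beside the panicking pattern for contrast. It assumes, as the report suggests, that the "" entry in allowed_roles reaches the provider as a nil element.

```go
package main

import (
	"fmt"
	"strings"
)

// allowedRolesFromRaw converts the []interface{} the SDK returns for a
// list-of-strings attribute into []string. It is a hypothetical helper, not
// the provider's code: a nil or non-string element, or an empty role name,
// produces a diagnostic error instead of a crash.
func allowedRolesFromRaw(raw []interface{}) ([]string, error) {
	roles := make([]string, 0, len(raw))
	for i, elem := range raw {
		s, ok := elem.(string) // comma-ok form never panics on nil
		if !ok {
			return nil, fmt.Errorf("allowed_roles[%d]: expected a string, got %T", i, elem)
		}
		if strings.TrimSpace(s) == "" {
			return nil, fmt.Errorf("allowed_roles[%d]: role name must not be empty", i)
		}
		roles = append(roles, s)
	}
	return roles, nil
}

// unsafeAllowedRoles is the pattern the stack trace points at: a bare
// .(string) assertion. The deferred recover only exists so the panic can be
// observed as an error here; the real provider has no such guard.
func unsafeAllowedRoles(raw []interface{}) (out []string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered panic: %v", r)
		}
	}()
	for _, elem := range raw {
		out = append(out, elem.(string)) // panics when elem is nil
	}
	return out, nil
}

func main() {
	// Constructed input mirroring the report: one real role plus the empty
	// entry, which is assumed to arrive as nil.
	raw := []interface{}{"my_ora_db_role", nil}
	if _, err := unsafeAllowedRoles(raw); err != nil {
		fmt.Println("unsafe:", err)
	}
	if _, err := allowedRolesFromRaw(raw); err != nil {
		fmt.Println("safe:  ", err)
	}
}
```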

@faseyiks faseyiks added the bug label Sep 1, 2024