Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: Setting override_policy_documents = [""] in aws_iam_policy_document causes crash #27022

Closed
lewyh opened this issue Sep 29, 2022 · 3 comments · Fixed by #27055
Closed

[Bug]: Setting override_policy_documents = [""] in aws_iam_policy_document causes crash #27022

lewyh opened this issue Sep 29, 2022 · 3 comments · Fixed by #27055
Labels
bug Addresses a defect in current functionality. crash Results from or addresses a Terraform crash or kernel panic. service/iam Issues and PRs that pertain to the iam service. service/s3 Issues and PRs that pertain to the s3 service.
Milestone
v4.34.0

Comments

@lewyh
Copy link

lewyh commented Sep 29, 2022

Terraform Core Version

1.2.8

AWS Provider Version

4.32

Affected Resource(s)

  • aws_iam_policy_document

Expected Behavior

I created a policy document that looked like this:

data aws_iam_policy_document bucket_policy {
  override_policy_documents = [""]

  statement {
    actions = [
      "s3:*"
    ]

    condition {
      test = "Bool"
      values = [
        "false"
      ]
      variable = "aws:SecureTransport"
    }
    effect = "Deny"

    principals {
      identifiers = [
        "*"
      ]
      type = "AWS"
    }

    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*"
    ]

    sid = "DenyUnsecuredTransport"
  }
}

This is incorrect on my part, I should have set override_policy_documents = null (in my code the value is determined by a ternary operator, so I couldn't leave override_policy_documents out completely).

I would expect this to throw a meaningful error along the lines of "invalid IAM policy supplied" or "empty IAM policy supplied".

Actual Behavior

The provider crashes entirely when terraform plan is executed, with an error message that is not very helpful.

All resources return errors that say either "Plugin did not respond" or "Request cancelled".

The only change needed to trigger this behaviour is to set override_policy_documents = [""].

Relevant Error/Panic Output Snippet

Error: Plugin did not respond

  with module.bucket.aws_s3_bucket_public_access_block.bucket_public_access,
  on .terraform/modules/bucket/s3.tf line 30, in resource "aws_s3_bucket_public_access_block" "bucket_public_access":
  30: resource aws_s3_bucket_public_access_block bucket_public_access {

The plugin encountered an error, and failed to respond to the
plugin.(*GRPCProvider).UpgradeResourceState call. The plugin logs may contain
more details.

Error: Request cancelled

  with module.bucket.aws_s3_bucket_server_side_encryption_configuration.bucket,
  on .terraform/modules/bucket/s3.tf line 41, in resource "aws_s3_bucket_server_side_encryption_configuration" "bucket":
  41: resource aws_s3_bucket_server_side_encryption_configuration bucket {

The plugin.(*GRPCProvider).UpgradeResourceState request was cancelled.

Stack trace from the terraform-provider-aws_v4.32.0_x5 plugin:

panic: interface conversion: interface {} is nil, not string

goroutine 3921 [running]:
github.com/hashicorp/terraform-provider-aws/internal/service/iam.dataSourcePolicyDocumentRead(0x0?, {0x0?, 0x0?})
    github.com/hashicorp/terraform-provider-aws/internal/service/iam/policy_document_data_source.go:260 +0x5cd
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).read(0xaf00920?, {0xaf00920?, 0xc002595980?}, 0xd?, {0x8df3100?, 0xc000f5ea80?})
    github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:712 +0x178
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).ReadDataApply(0xc0006a6e00, {0xaf00920, 0xc002595980}, 0xc002f88580, {0x8df3100, 0xc000f5ea80})
    github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:943 +0x145
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ReadDataSource(0xc00011c948, {0xaf00920?, 0xc002595860?}, 0xc003ebfa60)
    github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:1179 +0x38f
github.com/hashicorp/terraform-plugin-mux/tf5muxserver.muxServer.ReadDataSource({0xc001f0dc20, 0xc001f0dc80, {0xc002e150a0, 0x2, 0x2}, 0xc001f0dc50, 0xc001f44520, 0xc0029c5610, 0xc001f0dcb0}, {0xaf00920, ...}, ...)
    github.com/hashicorp/[email protected]/tf5muxserver/mux_server_ReadDataSource.go:27 +0x142
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ReadDataSource(0xc00177e6e0, {0xaf00920?, 0xc002595050?}, 0xc001742190)
    github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:658 +0x3ef
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ReadDataSource_Handler({0x9e887a0?, 0xc00177e6e0}, {0xaf00920, 0xc002595050}, 0xc001483730, 0x0)
    github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:421 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0000012c0, {0xaf061c0, 0xc002e8ad00}, 0xc002bac120, 0xc002e7b320, 0x1061ddd0, 0x0)
    google.golang.org/[email protected]/server.go:1295 +0xb0b
google.golang.org/grpc.(*Server).handleStream(0xc0000012c0, {0xaf061c0, 0xc002e8ad00}, 0xc002bac120, 0x0)
    google.golang.org/[email protected]/server.go:1636 +0xa1b
google.golang.org/grpc.(*Server).serveStreams.func1.2()
    google.golang.org/[email protected]/server.go:932 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
    google.golang.org/[email protected]/server.go:930 +0x28a

Error: The terraform-provider-aws_v4.32.0_x5 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Terraform Configuration Files

terraform {
  backend s3 {}

  required_version = ">= 1.2"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.28"
    }
  }
}

Steps to Reproduce

Set override_policy_documents = [""] in an IAM policy document and run terraform plan. The policy in question is already deployed, and is attached to an S3 bucket.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No response
@lewyh lewyh added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Sep 29, 2022
@github-actions
Copy link

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added crash Results from or addresses a Terraform crash or kernel panic. service/iam Issues and PRs that pertain to the iam service. service/s3 Issues and PRs that pertain to the s3 service. labels Sep 29, 2022
@mtt88 mtt88 mentioned this issue Oct 2, 2022
Merged
@github-actions github-actions bot removed the needs-triage Waiting for first response or review from a maintainer. label Oct 3, 2022
@github-actions github-actions bot added this to the v4.34.0 milestone Oct 3, 2022
@github-actions
Copy link

github-actions bot commented Oct 6, 2022

This functionality has been released in v4.34.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions
Copy link

github-actions bot commented Nov 6, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 6, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Addresses a defect in current functionality. crash Results from or addresses a Terraform crash or kernel panic. service/iam Issues and PRs that pertain to the iam service. service/s3 Issues and PRs that pertain to the s3 service.
Projects
None yet
Milestone
v4.34.0
Development

Successfully merging a pull request may close this issue.

data/aws_iam_policy_document - additional json validation mtt88/terraform-provider-aws
1 participant
@lewyh