Panic in vault_pki_secret_backend_root_sign_intermediate for ca_chain #1357

Closed
lukasz-bielinski opened this issue Feb 24, 2022 · 5 comments · Fixed by #1358

lukasz-bielinski commented Feb 24, 2022

Terraform Version

Terraform v1.1.6
on linux_amd64

  • provider registry.terraform.io/hashicorp/vault v3.3.0

Affected Resource(s)

vault_pki_secret_backend_root_sign_intermediate

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

Code which I am using is from https://learn.hashicorp.com/tutorials/vault/pki-engine-external-ca

affected part below

resource "vault_mount" "test_org_v1_ica2_v1" {
 path                      = "test-org/v1/ica2/v1"
 type                      = "pki"
 description               = "PKI engine hosting intermediate CA2 v1 for test org"
 default_lease_ttl_seconds = local.default_1hr_in_sec
 max_lease_ttl_seconds     = local.default_1y_in_sec
}

resource "vault_pki_secret_backend_intermediate_cert_request" "test_org_v1_ica2_v1" {
 depends_on   = [vault_mount.test_org_v1_ica2_v1]
 backend      = vault_mount.test_org_v1_ica2_v1.path
 type         = "internal"
 common_name  = "Intermediate CA2 v1 "
 key_type     = "rsa"
 key_bits     = "2048"
 ou           = "test org"
 organization = "test"
 country      = "US"
 locality     = "Bethesda"
 province     = "MD"
}

resource "vault_pki_secret_backend_root_sign_intermediate" "test_org_v1_sign_ica2_v1_by_ica1_v1" {
 depends_on = [
  vault_mount.test_org_v1_ica1_v1,
  vault_pki_secret_backend_intermediate_cert_request.test_org_v1_ica2_v1,
 ]
 backend              = vault_mount.test_org_v1_ica1_v1.path
 csr                  = vault_pki_secret_backend_intermediate_cert_request.test_org_v1_ica2_v1.csr
 common_name          = "Intermediate CA2 v1.1"
 exclude_cn_from_sans = true
 ou                   = "test org"
 organization         = "test"
 country              = "US"
 locality             = "Bethesda"
 province             = "MD"
 max_path_length      = "1"
 ttl                  = local.default_1y_in_sec
}

resource "vault_pki_secret_backend_intermediate_set_signed" "test_org_v1_ica2_v1_signed_cert" {
 depends_on  = [vault_pki_secret_backend_root_sign_intermediate.test_org_v1_sign_ica2_v1_by_ica1_v1]
 backend     = vault_mount.test_org_v1_ica2_v1.path
 certificate = format("%s\n%s", vault_pki_secret_backend_root_sign_intermediate.test_org_v1_sign_ica2_v1_by_ica1_v1.certificate, file("../${path.module}/cacerts/test_org_v1_ica1_v1.crt"))
}

Debug Output

https://gist.github.com/lukasz-bielinski/6b51fd30f913778518026f514f42cbb4

Panic Output

https://gist.github.com/lukasz-bielinski/f27241de6bafd4243fa2d8287988fe6d

Expected Behavior

resource vault_pki_secret_backend_root_sign_intermediate should be created

Actual Behavior

panic error in terraform-provider-vault_v3.3.0_x4 plugin:

Steps to Reproduce

execute steps from https://learn.hashicorp.com/tutorials/vault/pki-engine-external-ca

Important Factoids

none

References

https://learn.hashicorp.com/tutorials/vault/pki-engine-external-ca

benashz self-assigned this on Feb 24, 2022

benashz commented Feb 24, 2022

Thanks for reporting this issue @lukasz-bielinski. In the meantime I suggest you pin the vault provider version to 3.2.1 until we release a fix.

benashz commented Feb 24, 2022

@lukasz-bielinski would you mind providing us with the vault server version that this issue happened with?

@lukasz-bielinski

vault server details

❯ vault server -dev -dev-root-token-id root
==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Go Version: go1.17.6
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.9.3
             Version Sha: 7dbdd57243a0d8d9d9e07cd01eb657369f8e1b8a+CHANGES

==> Vault server started! Log data will stream in below:

benashz commented Feb 24, 2022

Thanks @lukasz-bielinski!

It looks like you are provisioning a test environment, so I was wondering if you would be comfortable running with TERRAFORM_VAULT_LOG_BODY=true and TF_LOG=debug? This would greatly help in our investigation.

benashz changed the title from "terraform-provider-vault_v3.3.0_x4 plugin: panic: interface conversion: interface {} is []interface {}, not []string" to "Panic in vault_pki_secret_backend_root_sign_intermediate for ca_chain" on Feb 24, 2022
benashz added this to the 3.3.1 milestone on Feb 24, 2022
@lukasz-bielinski

thank you for quick reaction and fix :)
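
The panic message in the original issue title, `interface conversion: interface {} is []interface {}, not []string`, is what Go raises when a JSON-decoded array is asserted directly to `[]string`. The following is an added example, not the provider's code and not the fix from #1358; the response shape, sample values and function names are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample response; the PEM bodies are placeholders.
const sample = `{"ca_chain":["<PEM 1>","<PEM 2>"],"certificate":"<PEM 0>"}`

// decode unmarshals into a generic map, so JSON arrays become []interface{}.
func decode(body string) (data map[string]interface{}) {
	if err := json.Unmarshal([]byte(body), &data); err != nil {
		panic(err)
	}
	return data
}

// uncheckedChain does a single-value assertion and captures the resulting panic.
func uncheckedChain(data map[string]interface{}) (chain []string, panicMsg string) {
	defer func() {
		if r := recover(); r != nil {
			panicMsg = fmt.Sprint(r)
		}
	}()
	return data["ca_chain"].([]string), ""
}

// checkedChain converts element by element and returns an error on a bad shape.
func checkedChain(data map[string]interface{}) ([]string, error) {
	items, ok := data["ca_chain"].([]interface{})
	if !ok {
		return nil, fmt.Errorf("ca_chain: expected array, got %T", data["ca_chain"])
	}
	chain := make([]string, 0, len(items))
	for i, item := range items {
		s, ok := item.(string)
		if !ok {
			return nil, fmt.Errorf("ca_chain[%d]: expected string, got %T", i, item)
		}
		chain = append(chain, s)
	}
	return chain, nil
}

func main() {
	_, msg := uncheckedChain(decode(sample))
	chain, err := checkedChain(decode(sample))
	fmt.Println(msg, len(chain), err)
}
```

With the comma-ok form, an unexpected server response surfaces as an error the plugin can report instead of crashing the provider process mid-apply.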
