Crash when using plan with vault provider #10505

Closed
fcantournet opened this issue Dec 2, 2016 · 16 comments

@fcantournet

Terraform Version

Terraform v0.8.0-rc1 (aac47ec)

Affected Resource(s)

  • vault_generic_secret

Terraform Configuration Files

provider "vault" {
  address = "https://127.0.0.1:8200"
}
data "vault_generic_secret" "example" {
  path = "secret/foo"
  data_json = <<EOT
{
 "foo":   "bar",
 "pizza": "cheese"
}
EOT
}

Panic Output

https://gist.github.com/fcantournet/e63ee73bc926ee4a0ad147dbfd8de9f5

Expected Behavior

Terraform should have made a plan and reported that it was going to create the missing secret
OR
yell at me because I screwed up

Actual Behavior

Crash

Steps to Reproduce

  1. have a vault instance running on localhost with ssl
  2. terraform plan

Important Factoids

Terraform prompted me for:

  • provider.vault.ca_cert_dir
  • provider.vault.ca_cert_file

I answered with Enter and supposed it would default to Vault's behavior, which is to use the system's CAs.

@apparentlymart
Contributor

2016/12/02 17:04:56 [DEBUG] plugin: terraform: panic: Unknown type for input: 5
2016/12/02 17:04:56 [DEBUG] plugin: terraform: 
2016/12/02 17:04:56 [DEBUG] plugin: terraform: goroutine 50 [running]:
2016/12/02 17:04:56 [DEBUG] plugin: terraform: panic(0x2cbf280, 0xc4201ef4f0)
2016/12/02 17:04:56 [DEBUG] plugin: terraform: 	/opt/go/src/runtime/panic.go:500 +0x1a1
2016/12/02 17:04:56 [DEBUG] plugin: terraform: github.com/hashicorp/terraform/helper/schema.schemaMap.Input(0xc4201a6d20, 0x50d1160, 0xc420394298, 0xc420384ab0, 0x301f900, 0xc420391a01, 0xc420394298)
2016/12/02 17:04:56 [DEBUG] plugin: terraform: 	/opt/gopath/src/github.com/hashicorp/terraform/helper/schema/schema.go:503 +0x420
2016/12/02 17:04:56 [DEBUG] plugin: terraform: github.com/hashicorp/terraform/helper/schema.(*Provider).Input(0xc42033e360, 0x50d1160, 0xc420394298, 0xc420384ab0, 0xc420382410, 0x0, 0x0)
2016/12/02 17:04:56 [DEBUG] plugin: terraform: 	/opt/gopath/src/github.com/hashicorp/terraform/helper/schema/provider.go:145 +0x4c
2016/12/02 17:04:56 [DEBUG] plugin: terraform: github.com/hashicorp/terraform/plugin.(*ResourceProviderServer).Input(0xc4201ae6c0, 0xc420378470, 0xc420378610, 0x0, 0x0)
2016/12/02 17:04:56 [DEBUG] plugin: terraform: 	/opt/gopath/src/github.com/hashicorp/terraform/plugin/resource_provider.go:436 +0x1cc
2016/12/02 17:04:56 [DEBUG] plugin: terraform: reflect.Value.call(0xc420376660, 0xc420394088, 0x13, 0x3587585, 0x4, 0xc420391ee0, 0x3, 0x3, 0x0, 0x0, ...)
2016/12/02 17:04:56 [DEBUG] plugin: terraform: 	/opt/go/src/reflect/value.go:434 +0x5c8
2016/12/02 17:04:56 [DEBUG] plugin: terraform: reflect.Value.Call(0xc420376660, 0xc420394088, 0x13, 0xc420391ee0, 0x3, 0x3, 0x0, 0xc4203760c0, 0x4d8554)
2016/12/02 17:04:56 [DEBUG] plugin: terraform: 	/opt/go/src/reflect/value.go:302 +0xa4
2016/12/02 17:04:56 [DEBUG] plugin: terraform: net/rpc.(*service).call(0xc420374200, 0xc4203741c0, 0xc4203781a0, 0xc42038a980, 0xc42037c240, 0x2bb0520, 0xc420378470, 0x16, 0x2bb0560, 0xc420378610, ...)
2016/12/02 17:04:56 [DEBUG] plugin: terraform: 	/opt/go/src/net/rpc/server.go:383 +0x148
2016/12/02 17:04:56 [DEBUG] plugin: terraform: created by net/rpc.(*Server).ServeCodec
2016/12/02 17:04:56 [DEBUG] plugin: terraform: 	/opt/go/src/net/rpc/server.go:477 +0x421

@apparentlymart
Contributor

I didn't dig in deep to this one yet but from some initial digging it feels like a helper/schema bug, or something in that neighborhood. This error is saying that TypeList is not supported for the "input" operation.

I suspect the relevant TypeList attribute is the client_auth block on the provider. At first blush it seems like this is just a bug in helper/schema that would fail for any list attribute within a provider's own config, though it'd be surprising to me that we would never have had a list attribute in a provider config before.

I will try to dig into this some more over the weekend, if I have some time. If it's what I think it is then I think the fix is pretty easy.

In the meantime @fcantournet, you should be able to work around this by running Terraform with the -input=false flag to prevent it from going through the "input" phase. This is the phase where it'll show an interactive prompt for any provider attributes that are not set, so this should work as long as you weren't depending on any such interactive prompts for other provider configurations.
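
The failure mode described in the comment above, as an added Go example that is not Terraform's helper/schema code: an input phase that panics on an attribute type it has no case for, next to one that skips such attributes. Only the attribute names and the value 5 for TypeList come from this thread; `promptFor`, `attr` and the type assigned to each attribute are assumptions made for illustration.

```go
package main

import "fmt"

// ValueType stands in for the schema type enum (assumed values, not the real package).
type ValueType int

const (
	TypeBool   ValueType = 1
	TypeString ValueType = 4
	TypeList   ValueType = 5 // the "5" in the panic message quoted in this thread
)

type attr struct {
	name string
	typ  ValueType
}

// Constructed sample: provider attributes named in this thread, types assumed.
var vaultAttrs = []attr{
	{"address", TypeString}, {"ca_cert_dir", TypeString}, {"ca_cert_file", TypeString},
	{"client_auth", TypeList}, {"skip_tls_verify", TypeBool},
}

// promptFor returns the unset attributes an input phase would prompt for. With
// skipUnsupported=false an unhandled type panics; recovered here only to inspect it.
func promptFor(attrs []attr, set map[string]bool, skipUnsupported bool) (asked []string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("input phase crashed: %v", r)
		}
	}()
	for _, a := range attrs {
		switch {
		case set[a.name] || a.typ == TypeBool:
			continue // already configured, or never prompted for
		case a.typ == TypeString:
			asked = append(asked, a.name)
		case !skipUnsupported:
			panic(fmt.Sprintf("Unknown type for input: %d", a.typ))
		}
	}
	return asked, nil
}

func main() {
	set := map[string]bool{"address": true} // only address is set in the config
	fmt.Println(promptFor(vaultAttrs, set, false))
	fmt.Println(promptFor(vaultAttrs, set, true))
}
```

In the panicking variant the two CA prompts are collected before the list attribute is reached, which matches the order of events in the original report.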

@mtougeron
Contributor

mtougeron commented Dec 13, 2016

I ran into the same problem with 0.8.0-rc3 and -input=false made it work for me. Thanks!

@apparentlymart apparentlymart self-assigned this Dec 13, 2016
@AndreaCrotti

Ah yes, same problem for me, and input=false fixes it actually; however, it's still a problem I guess, especially since the provider is set to use

  skip_tls_verify = true

And now, even if it does not crash badly, it still doesn't work, with this error:
x509: certificate signed by unknown authority
which I guess means the skip_tls_verify is not being used properly.

@cblecker
Contributor

I'm seeing this too, building off of master.

Terraform v0.8.3-dev (fc6e2a1b790f8a2d875c2afc74899eb18ef81b23)

@moritzheiber

If skip_tls_verify is set the provider shouldn't require me to enter either ca_cert_dir or ca_cert_file or even try to use it (which, I'd wager, this crash is originating from).

@cblecker
Contributor

FWIW, I'm not using skip_tls_verify in my configuration.

@c4milo
Contributor

c4milo commented Dec 22, 2016

I'm running into this problem as well, the Vault datasource is just unusable in its current state. My Vault service has publicly valid certificates and despite it, Terraform prompts me for the optional arguments of the provider.

@moritzheiber

Well, it does work (beautifully so) once you use -input=false but I'd wager that's not comforting 😅

@c4milo
Contributor

c4milo commented Dec 22, 2016

It seems like a reasonable workaround, the provider still needs to be fixed, though.

@apparentlymart
Contributor

Sorry I've been slacking a bit on this... my time to spend on Terraform has been shorter over the last few weeks with the ramp up to the holidays. It's still on my list, though.

@EugeneK6S

Just stumbled upon this while googling on "terraform vault unexpected EOF".
Will try my luck here, although I understand this issue is a different one.
I'm trying to read a secret from Vault.

provider "vault" {
  address = "http://samssuper02-eng.rpega.com:8200"
}

data "vault_generic_secret" "some_pwd" {
  path = "secret/docker"
}

output "secret" {
  value = "${data.vault_generic_secret.docker.data["pwd"]}"
}

Resulting in

* data.vault_generic_secret.docker: unexpected EOF
panic: runtime error: invalid memory address or nil pointer dereference

A secret (secret/docker/pwd) is there, easily readable with curl.
Docs are not very helpful. Any help/discussion would be appreciated, @apparentlymart!

@apparentlymart
Contributor

Hi @IevgenKabanets! Sorry for this additional issue...

Would you mind opening a new issue for that one? It looks like a different problem and the information requested by the new issue template would help to debug it.

@moritzheiber

I can confirm this bug is fixed with #11082.

@apparentlymart
Contributor

Great! Thanks @moritzheiber, and @Mongey! 😀

@ghost

ghost commented Apr 17, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 17, 2020