hashicorp / terraform-provider-vault

Terraform Vault provider

Home Page: https://www.terraform.io/docs/providers/vault/

[Bug]: Provider segfaults when certain backend conditions are met

the-maldridge opened this issue

Terraform Core Version

v1.7.0

Terraform Vault Provider Version

v3.20.1

Vault Server Version

v1.15.2

Affected Resource(s)

Due to serious safety issues inherent to Vault's implementation of dynamic secrets for consul, I am removing all consul integration from my vault. During plan, this leads to a segfault.

The consul cluster is already gone, so at this point to clear the issue I am going to remove the resource from my state and then handle force-unmounting the secrets engine on my own.

Expected Behavior

Terraform (and its provider plugins) should not panic.

Actual Behavior

The provider plugin panics, and the run is aborted.

Relevant Error/Panic Output Snippet

Stack trace from the terraform-provider-vault_v3.20.1_x5 plugin:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x10762f5]

goroutine 135 [running]:
github.com/hashicorp/terraform-provider-vault/vault.consulSecretBackendRead({0xc0005292f8?, 0xc000529350?}, 0xc000e58e00, {0x1335a20?, 0xc00108a100?})
	github.com/hashicorp/terraform-provider-vault/vault/resource_consul_secret_backend.go:231 +0x5b5
github.com/hashicorp/terraform-provider-vault/internal/provider.ReadContextWrapper.func1({0x183b158, 0xc00106c270}, 0x7f9ec4c3b598?, {0x1335a20, 0xc00108a100})
	github.com/hashicorp/terraform-provider-vault/internal/provider/provider.go:251 +0xca
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).read(0xc000384700, {0x183b190, 0xc00067d8c0}, 0xd?, {0x1335a20, 0xc00108a100})
	github.com/hashicorp/terraform-plugin-sdk/v2@v2.16.0/helper/schema/resource.go:724 +0x12e
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).RefreshWithoutUpgrade(0xc000384700, {0x183b190, 0xc00067d8c0}, 0xc0009209c0, {0x1335a20, 0xc00108a100})
	github.com/hashicorp/terraform-plugin-sdk/v2@v2.16.0/helper/schema/resource.go:1015 +0x585
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ReadResource(0xc0008887e0, {0x183b0e8?, 0xc000df3400?}, 0xc000ddad80)
	github.com/hashicorp/terraform-plugin-sdk/v2@v2.16.0/helper/schema/grpc_provider.go:613 +0x4a5
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ReadResource(0xc0004d83c0, {0x183b190?, 0xc00067d320?}, 0xc000817500)
	github.com/hashicorp/terraform-plugin-go@v0.9.0/tfprotov5/tf5server/server.go:746 +0x43d
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ReadResource_Handler({0x13fe6c0?, 0xc0004d83c0}, {0x183b190, 0xc00067d320}, 0xc00026c930, 0x0)
	github.com/hashicorp/terraform-plugin-go@v0.9.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:349 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0007501e0, {0x18401a0, 0xc000928ea0}, 0xc00105e120, 0xc000b13860, 0x214ba50, 0x0)
	google.golang.org/grpc@v1.50.0/server.go:1318 +0xb2b
google.golang.org/grpc.(*Server).handleStream(0xc0007501e0, {0x18401a0, 0xc000928ea0}, 0xc00105e120, 0x0)
	google.golang.org/grpc@v1.50.0/server.go:1659 +0xa36
google.golang.org/grpc.(*Server).serveStreams.func1.2()
	google.golang.org/grpc@v1.50.0/server.go:955 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
	google.golang.org/grpc@v1.50.0/server.go:953 +0x28a

Error: The terraform-provider-vault_v3.20.1_x5 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Terraform Configuration Files

N/A; as above, the issue is triggered by removing the resource from the file and attempting a destroy on it.

Steps to Reproduce

Provision a consul secrets backend and use it; accumulate at least 10k defunct leases (at this point vault seems to stop trying to delete them).

Realize your consul cluster is now in a bad state and reprovision it, but do not reconnect it to vault.

Attempt to terraform apply having removed the consul secrets backend from the terraform and observe the crash.

Debug Output

No response

Panic Output

Terraform itself does not appear to have panicked.

Important Factoids

This is the final outcome of a large issue I've been working for some months now to remove the extremely broken consul secrets backends from my vault clusters. The backend has been inoperative for quite some time, but until now it merely produced a nuisance output that it couldn't remove leases.

References

No response

Would you like to implement a fix?

None
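
For triage of a trace like the one in this report, the following added example (not code from the issue or from the provider) parses a Go runtime panic and returns the signal, the faulting address and the innermost frame, which is the first frame listed after the goroutine header. The names `ParseCrash`, `Crash` and `sampleTrace` are assumptions made for this example; the sample input is the head of the trace quoted above.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// sampleTrace is the head of the stack trace quoted in the issue above.
const sampleTrace = `panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x10762f5]

goroutine 135 [running]:
github.com/hashicorp/terraform-provider-vault/vault.consulSecretBackendRead({0xc0005292f8?, 0xc000529350?}, 0xc000e58e00, {0x1335a20?, 0xc00108a100?})
	github.com/hashicorp/terraform-provider-vault/vault/resource_consul_secret_backend.go:231 +0x5b5
`

// Crash holds the triage-relevant fields of a Go runtime panic.
type Crash struct {
	Message, Signal, Function, File string
	Addr                            uint64 // faulting address from the signal line
	Line                            int
}

var (
	panicRe = regexp.MustCompile(`(?m)^panic: (.*)$`)
	sigRe   = regexp.MustCompile(`(?m)^\[signal (\w+): .*addr=0x([0-9a-f]+) `)
	frameRe = regexp.MustCompile(`(?m)^(\S+)\(.*\)\n\s+(\S+\.go):(\d+)`)
)

// ParseCrash extracts the panic message, the signal and the innermost frame.
func ParseCrash(trace string) (Crash, error) {
	var c Crash
	if m := panicRe.FindStringSubmatch(trace); m != nil {
		c.Message = m[1]
	}
	if m := sigRe.FindStringSubmatch(trace); m != nil {
		c.Signal = m[1]
		c.Addr, _ = strconv.ParseUint(m[2], 16, 64)
	}
	if m := frameRe.FindStringSubmatch(trace); m != nil {
		c.Function, c.File = m[1], m[2]
		c.Line, _ = strconv.Atoi(m[3])
		return c, nil
	}
	return c, fmt.Errorf("no stack frame found")
}

func main() { fmt.Println(ParseCrash(sampleTrace)) }
```

A small `Addr` such as `0x30` together with the "nil pointer dereference" message is what a field access through a nil pointer looks like, so the file and line returned here are where a nil check belongs.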