IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

Crash when creating resource ibm_kms_key_policies with HPCS #4229

Open triceam opened 1 year ago

triceam commented 1 year ago

Terraform CLI and Terraform IBM Provider Version

Affected Resource(s)

ibm_kms_key_policies crashes when using an instance of Hyper Protect Crypto Services as the KMS.
This occurs in the following code, where kms_id is the ID of the HPCS instance:

Example:

resource ibm_kms_key root_key {
  depends_on = [null_resource.print_values]
  count = var.provision ? 1 : 0

  instance_id  = var.kms_id
  key_name     = local.name
  standard_key = false
  force_delete = var.force_delete
}

resource ibm_kms_key_policies root_key_policy {
  count = var.provision ? 1 : 0
  instance_id = var.kms_id
  key_id = ibm_kms_key.root_key[0].key_id
  rotation {
    interval_month = var.rotation_interval
  }
  dual_auth_delete {
    enabled = var.dual_auth_delete
  }
}

This is repeatable by running the terraform automation at https://github.com/IBM/ibm-cloud-reference-architectures using an existing instance of HPCS.

Terraform Configuration Files

Debug Output

╷
│ Error: Plugin did not respond
│
│   with module.kms-key.ibm_kms_key_policies.root_key_policy[0],
│   on .terraform/modules/kms-key/main.tf line 23, in resource "ibm_kms_key_policies" "root_key_policy":
│   23: resource ibm_kms_key_policies root_key_policy {
│
│ The plugin encountered an error, and failed to respond to the plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.
╵

Stack trace from the terraform-provider-ibm_v1.48.0 plugin:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x187081b]

goroutine 404 [running]:
github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex.FlattenKeyIndividualPolicy({0x38043ce, 0x8}, {0xc00131c900, 0x2, 0x24?})
    github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex/structures.go:2815 +0x69b
github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/kms.resourceIBMKmsKeyPolicyRead({0x3f577a8, 0xc002027ec0}, 0xc000567000, {0x37eef20, 0xc0014f7200})
    github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/kms/resource_ibm_kms_key_policies.go:255 +0x7df
github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/kms.resourceIBMKmsKeyPolicyCreate({0x3f577a8, 0xc002027ec0}, 0x0?, {0x37eef20, 0xc0014f7200})
    github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/kms/resource_ibm_kms_key_policies.go:205 +0x3b8
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0xc000d110a0, {0x3f577e0, 0xc0013b82d0}, 0xd?, {0x37eef20, 0xc0014f7200})
    github.com/hashicorp/terraform-plugin-sdk/v2@v2.24.0/helper/schema/resource.go:707 +0x12e
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc000d110a0, {0x3f577e0, 0xc0013b82d0}, 0xc0007e7040, 0xc000566e80, {0x37eef20, 0xc0014f7200})
    github.com/hashicorp/terraform-plugin-sdk/v2@v2.24.0/helper/schema/resource.go:837 +0xa7a
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0xc000502678, {0x3f577e0?, 0xc0013b81b0?}, 0xc001c92190)
    github.com/hashicorp/terraform-plugin-sdk/v2@v2.24.0/helper/schema/grpc_provider.go:1021 +0xe3c
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0xc00068aaa0, {0x3f577e0?, 0xc0013cd440?}, 0xc00040e700)
    github.com/hashicorp/terraform-plugin-go@v0.14.0/tfprotov5/tf5server/server.go:818 +0x574
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x369c820?, 0xc00068aaa0}, {0x3f577e0, 0xc0013cd440}, 0xc00040e690, 0x0)
    github.com/hashicorp/terraform-plugin-go@v0.14.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:385 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0000001e0, {0x3f5e1a0, 0xc000ec2820}, 0xc001a83d40, 0xc000ea2f90, 0x56ed980, 0x0)
    google.golang.org/grpc@v1.48.0/server.go:1295 +0xb0b
google.golang.org/grpc.(*Server).handleStream(0xc0000001e0, {0x3f5e1a0, 0xc000ec2820}, 0xc001a83d40, 0x0)
    google.golang.org/grpc@v1.48.0/server.go:1636 +0xa1b
google.golang.org/grpc.(*Server).serveStreams.func1.2()
    google.golang.org/grpc@v1.48.0/server.go:932 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
    google.golang.org/grpc@v1.48.0/server.go:930 +0x28a

Error: The terraform-provider-ibm_v1.48.0 plugin crashed!

Panic Output

Expected Behavior

The provider should not have crashed. The root key policy should have been created without any issue.

Actual Behavior

Terraform crashes when running terraform apply.

Steps to Reproduce

  1. Create and initialize an instance of Hyper Protect Crypto Services to be used as the KMS.
  2. Execute the layered terraform automation at https://github.com/IBM/ibm-cloud-reference-architectures using that instance of HPCS. Add these to the generated terraform.tfvars file to reference the existing instance:
    kms_provision=false
    kms_name="crypto-hsm-kyok"    #(this should be the name given to your HPCS instance)
  3. Run the apply-all.sh script from the /workspaces/current directory (follow the instructions in the README in the terraform repo).
  4. This crash will happen when processing the 110-ibm-fs-edge-vpc layer.

triceam commented 1 year ago

I added a workaround in our kms-key module here: https://github.com/terraform-ibm-modules/terraform-ibm-toolkit-kms-key/pull/22/files

This crash now won't happen unless you also set the provision_key_rotation_policy variable to true on the kms-key module instance(s).

priyanknarvekar commented 1 year ago

Looks like the crash has been happening since v1.48 and is still happening in 1.49.

Appears to be working in 1.47.

Any ETA on the fix?

Stack trace from the terraform-provider-ibm_v1.49.0 plugin:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x24e991b]

goroutine 128 [running]:
github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex.FlattenKeyIndividualPolicy({0x44d0e3c, 0x8}, {0xc00061cc00, 0x2, 0x24?})
        github.com/IBM-Cloud/terraform-provider-ibm/ibm/flex/structures.go:2772 +0x69b
github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/kms.resourceIBMKmsKeyPolicyRead({0x4c2d168, 0xc0019fbb60}, 0xc0019f8480, {0x44bba20, 0xc001a71200})
        github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/kms/resource_ibm_kms_key_policies.go:255 +0x7df
github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/kms.resourceIBMKmsKeyPolicyCreate({0x4c2d168, 0xc0019fbb60}, 0x0?, {0x44bba20, 0xc001a71200})
        github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/kms/resource_ibm_kms_key_policies.go:205 +0x3b8
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0xc000db9ce0, {0x4c2d1a0, 0xc00166b200}, 0xd?, {0x44bba20, 0xc001a71200})
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.24.0/helper/schema/resource.go:707 +0x12e
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc000db9ce0, {0x4c2d1a0, 0xc00166b200}, 0xc000d2cc30, 0xc0019f8300, {0x44bba20, 0xc001a71200})
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.24.0/helper/schema/resource.go:837 +0xa7a
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0xc0005af578, {0x4c2d1a0?, 0xc00166b0e0?}, 0xc001489130)
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.24.0/helper/schema/grpc_provider.go:1021 +0xe3c
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0xc0004c06e0, {0x4c2d1a0?, 0xc00160fe60?}, 0xc001b3b110)
        github.com/hashicorp/terraform-plugin-go@v0.14.0/tfprotov5/tf5server/server.go:818 +0x574
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x4368be0?, 0xc0004c06e0}, {0x4c2d1a0, 0xc00160fe60}, 0xc001b3b0a0, 0x0)
        github.com/hashicorp/terraform-plugin-go@v0.14.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:385 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0000001e0, {0x4c33be0, 0xc0007b6680}, 0xc00161c120, 0xc000f4f6b0, 0x6562c20, 0x0)
        google.golang.org/grpc@v1.48.0/server.go:1295 +0xb0b
google.golang.org/grpc.(*Server).handleStream(0xc0000001e0, {0x4c33be0, 0xc0007b6680}, 0xc00161c120, 0x0)
        google.golang.org/grpc@v1.48.0/server.go:1636 +0xa1b
google.golang.org/grpc.(*Server).serveStreams.func1.2()
        google.golang.org/grpc@v1.48.0/server.go:932 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
        google.golang.org/grpc@v1.48.0/server.go:930 +0x28a

Error: The terraform-provider-ibm_v1.49.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

hkantare commented 1 year ago

@dinesh-venkatraman Can someone from the team look into this?
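
Both traces in this thread end in a nil pointer dereference inside flex.FlattenKeyIndividualPolicy, called with an 8-byte string and a 2-element slice. The Go program below is an added example, not code from this issue or from the provider, and it illustrates that bug class rather than the provider's confirmed root cause: a flatten helper that dereferences an optional sub-object on every element, a nil-safe variant, and a recover guard that turns the panic into an error. All type and function names (`Policy`, `Rotation`, `DualAuth`, `flattenUnsafe`, `flattenSafe`, `guard`) and the sample data are assumptions made for illustration.

```go
package main

import "fmt"

// Hypothetical stand-ins for a key-policy API response; not the provider's real types.
type Rotation struct{ IntervalMonth int }
type DualAuth struct{ Enabled bool }
type Policy struct {
	ID       string
	Rotation *Rotation // nil when this policy object is not a rotation policy
	DualAuth *DualAuth // nil when this policy object is not a dual-auth policy
}
type row = map[string]interface{}

// sample is constructed input: a two-element slice with one sub-object each.
var sample = []Policy{{ID: "p1", Rotation: &Rotation{3}}, {ID: "p2", DualAuth: &DualAuth{true}}}

// flattenUnsafe dereferences Rotation on every element; a nil one panics.
func flattenUnsafe(policies []Policy) (out []row) {
	for _, p := range policies {
		out = append(out, row{"id": p.ID, "interval_month": p.Rotation.IntervalMonth})
	}
	return out
}

// flattenSafe emits a rotation row only when the sub-object is present.
func flattenSafe(policies []Policy) (out []row) {
	for _, p := range policies {
		if p.Rotation == nil {
			continue // nothing to flatten for this element
		}
		out = append(out, row{"id": p.ID, "interval_month": p.Rotation.IntervalMonth})
	}
	return out
}

// guard converts a panic into an error the caller can report as a diagnostic.
func guard(f func() []row) (res []row, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("flatten panicked: %v", r)
		}
	}()
	return f(), nil
}

func main() {
	_, err := guard(func() []row { return flattenUnsafe(sample) })
	fmt.Println(err, flattenSafe(sample))
}
```

The guard only keeps the process alive and surfaces the failure; the nil check in `flattenSafe` is what removes the crash.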