pputman-clabs
commented
2 years ago A little more information here, I tried creating the access role in the gui, and then importing it via it's name, which worked, but then running a plan to modify it afterwards caused the provider to crash:
patrick@R90XQ0G937 admin % terraform import module.access_role_okta_akeyless_admins.akeyless_role.access_role 'admin/okta/clabs-prod/akeyless-admins'
2022-09-07T17:44:55.646-0500 [ERROR] AttachSchemaTransformer: No provider config schema available for provider["terraform.io/builtin/terraform"]
module.access_role_okta_akeyless_admins.akeyless_role.access_role: Importing from ID "admin/okta/clabs-prod/akeyless-admins"...
module.access_role_okta_akeyless_admins.akeyless_role.access_role: Import prepared!
Prepared akeyless_role for import
module.access_role_okta_akeyless_admins.akeyless_role.access_role: Refreshing state... [id=admin/okta/clabs-prod/akeyless-admins]
Import successful!
The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.
patrick@R90XQ0G937 admin % terraform apply
2022-09-07T17:45:04.492-0500 [ERROR] AttachSchemaTransformer: No provider config schema available for provider["terraform.io/builtin/terraform"]
2022-09-07T17:45:04.689-0500 [ERROR] AttachSchemaTransformer: No provider config schema available for provider["terraform.io/builtin/terraform"]
data.terraform_remote_state.auth_methods: Reading...
akeyless_auth_method_api_key.admin: Refreshing state... [id=admin/api-key/admin-api-key]
akeyless_role.admin_api_key: Refreshing state... [id=admin/api-key/admin-api-key]
module.gcp_iam_role_gateway.data.google_iam_testable_permissions.unsupported_permissions: Reading...
data.terraform_remote_state.auth_methods: Read complete after 1s
module.access_role_okta_akeyless_admins.akeyless_role.access_role: Refreshing state... [id=admin/okta/clabs-prod/akeyless-admins]
module.access_role_github_celo_org_akeyless.akeyless_role.access_role: Refreshing state... [id=admin/github/celo-org/akeyless-repo]
module.gcp_iam_role_gateway.data.google_iam_testable_permissions.unsupported_permissions: Read complete after 7s [id=//cloudresourcemanager.googleapis.com/projects/clabs-secrets-and-permissions]
module.gcp_iam_role_gateway.google_project_iam_custom_role.project-custom-role[0]: Refreshing state... [id=projects/clabs-secrets-and-permissions/roles/akeyless_gcp_auth]
time_sleep.wait_10_seconds: Refreshing state... [id=2022-08-31T20:46:53Z]
module.gcp_iam_service_account_gateway.google_service_account.service_accounts["auth-gcp-gce-gateway"]: Refreshing state... [id=projects/clabs-secrets-and-permissions/serviceAccounts/akeyless-auth-gcp-gce-gateway@clabs-secrets-and-permissions.iam.gserviceaccount.com]
module.gcp_iam_service_account_gateway.google_project_iam_member.project-roles["auth-gcp-gce-gateway-clabs-secrets-and-permissions=>projects/clabs-secrets-and-permissions/roles/akeyless_gcp_auth"]: Refreshing state... [id=clabs-secrets-and-permissions/projects/clabs-secrets-and-permissions/roles/akeyless_gcp_auth/serviceAccount:akeyless-auth-gcp-gce-gateway@clabs-secrets-and-permissions.iam.gserviceaccount.com]
module.gcp_iam_service_account_gateway.google_service_account_key.keys["auth-gcp-gce-gateway"]: Refreshing state... [id=projects/clabs-secrets-and-permissions/serviceAccounts/akeyless-auth-gcp-gce-gateway@clabs-secrets-and-permissions.iam.gserviceaccount.com/keys/096c71540c5d1f48ee2d529d7b6fd1a7e0f41fa4]
module.gcp_gce_gateway_auth.akeyless_auth_method_gcp.gcp_auth: Refreshing state... [id=admin/gcp/gce-gateway-auth]
module.access_role_gcp_gce_gateway.akeyless_role.access_role: Refreshing state... [id=admin/gcp/gce-gateway-auth]
2022-09-07T17:45:14.155-0500 [ERROR] AttachSchemaTransformer: No provider config schema available for provider["terraform.io/builtin/terraform"]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# module.access_role_okta_akeyless_admins.akeyless_role.access_role will be updated in-place
~ resource "akeyless_role" "access_role" {
+ analytics_access = "all"
+ audit_access = "all"
+ comment = "Access role for akeyless admins"
+ gw_analytics_access = "all"
id = "admin/okta/clabs-prod/akeyless-admins"
name = "admin/okta/clabs-prod/akeyless-admins"
+ sra_reports_access = "all"
+ assoc_auth_method {
+ am_name = "okta/clabs-prod"
+ case_sensitive = "true"
+ sub_claims = {
+ "groups" = "akeyless-admins"
}
}
+ rules {
+ capability = [
+ "create",
+ "delete",
+ "list",
+ "read",
+ "update",
]
+ path = "/*"
+ rule_type = "auth-method-rule"
}
+ rules {
+ capability = [
+ "create",
+ "delete",
+ "list",
+ "read",
+ "update",
]
+ path = "/*"
+ rule_type = "target-rule"
}
+ rules {
+ capability = [
+ "create",
+ "delete",
+ "list",
+ "read",
+ "update",
]
+ path = "/*"
+ rule_type = "item-rule"
}
+ rules {
+ capability = [
+ "create",
+ "delete",
+ "list",
+ "read",
+ "update",
]
+ path = "/*"
+ rule_type = "role-rule"
}
}
Plan: 0 to add, 1 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
2022-09-07T17:45:19.873-0500 [ERROR] AttachSchemaTransformer: No provider config schema available for provider["terraform.io/builtin/terraform"]
module.access_role_okta_akeyless_admins.akeyless_role.access_role: Modifying... [id=admin/okta/clabs-prod/akeyless-admins]
2022-09-07T17:45:22.057-0500 [ERROR] plugin.(*GRPCProvider).ApplyResourceChange: error="rpc error: code = Unavailable desc = transport is closing"
2022-09-07T17:45:22.058-0500 [ERROR] vertex "module.access_role_okta_akeyless_admins.akeyless_role.access_role" error: Plugin did not respond
╷
│ Error: Plugin did not respond
│
│ with module.access_role_okta_akeyless_admins.akeyless_role.access_role,
│ on ../../terraform-modules/akeyless-access-role-admin/main.tf line 2, in resource "akeyless_role" "access_role":
│ 2: resource "akeyless_role" "access_role" {
│
│ The plugin encountered an error, and failed to respond to the plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.
╵
Stack trace from the terraform-provider-akeyless_v1.1.11 plugin:
panic: interface conversion: interface {} is nil, not string
goroutine 14 [running]:
github.com/akeylesslabs/terraform-provider-akeyless/akeyless.deleteRoleAuthMethods({0x103cf8f90, 0x14000036088}, {0x140000b3248?, 0x1036f4584?}, {0x140005da2e0, 0x1, 0x14000040750?}, {0x103bd8fc0?, 0x1400032ef20?})
github.com/akeylesslabs/terraform-provider-akeyless/akeyless/resource_role.go:548 +0x324
github.com/akeylesslabs/terraform-provider-akeyless/akeyless.assocRoleAuthMethod({0x103cf8f90, 0x14000036088}, {0x14000040750, 0x25}, {0x140005da2e0?, 0x14000036088?, 0x14000040750?}, {0x0, 0x0, 0x0}, ...)
github.com/akeylesslabs/terraform-provider-akeyless/akeyless/resource_role.go:521 +0x58
github.com/akeylesslabs/terraform-provider-akeyless/akeyless.resourceRoleUpdate.func1()
github.com/akeylesslabs/terraform-provider-akeyless/akeyless/resource_role.go:267 +0x70
github.com/akeylesslabs/terraform-provider-akeyless/akeyless.resourceRoleUpdate(0x140002b5360?, {0x103bd8fc0, 0x1400032ef20})
github.com/akeylesslabs/terraform-provider-akeyless/akeyless/resource_role.go:311 +0x59c
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).update(0x103b8e2c0?, {0x103cf8f58?, 0x140002d2900?}, 0x24?, {0x103bd8fc0?, 0x1400032ef20?})
github.com/hashicorp/terraform-plugin-sdk/v2@v2.7.0/helper/schema/resource.go:352 +0x134
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0x140000fbdc0, {0x103cf8f58, 0x140002d2900}, 0x14000728310, 0x140002b5360, {0x103bd8fc0, 0x1400032ef20})
github.com/hashicorp/terraform-plugin-sdk/v2@v2.7.0/helper/schema/resource.go:464 +0x480
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0x1400000d4b8, {0x103cf8f58, 0x140002d2900}, 0x140002fa410)
github.com/hashicorp/terraform-plugin-sdk/v2@v2.7.0/helper/schema/grpc_provider.go:955 +0x868
github.com/hashicorp/terraform-plugin-go/tfprotov5/server.(*server).ApplyResourceChange(0x140004c8140, {0x103cf9000?, 0x140004c0270?}, 0x1400017b200?)
github.com/hashicorp/terraform-plugin-go@v0.3.0/tfprotov5/server/server.go:332 +0x64
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x103c6e4e0?, 0x140004c8140}, {0x103cf9000, 0x140004c0270}, 0x1400010c2a0, 0x0)
github.com/hashicorp/terraform-plugin-go@v0.3.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:380 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0x140002fea80, {0x103cfcda0, 0x1400027c000}, 0x140004c4120, 0x140004ca780, 0x1044d4140, 0x0)
google.golang.org/grpc@v1.37.0/server.go:1217 +0xadc
google.golang.org/grpc.(*Server).handleStream(0x140002fea80, {0x103cfcda0, 0x1400027c000}, 0x140004c4120, 0x0)
google.golang.org/grpc@v1.37.0/server.go:1540 +0x82c
google.golang.org/grpc.(*Server).serveStreams.func1.2()
google.golang.org/grpc@v1.37.0/server.go:878 +0x84
created by google.golang.org/grpc.(*Server).serveStreams.func1
google.golang.org/grpc@v1.37.0/server.go:876 +0x290
Error: The terraform-provider-akeyless_v1.1.11 plugin crashed!
This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.
I'm trying to create an access role (saml through okta) with terraform. The plan succeeds, but then it fails, because it can't find the role to delete it. Since it doesn't exist yet, it can't find it, can't delete it, and it fails to create it. Not sure why its trying to delete something to create it, since it doesn't already exist and isn't being replaced. This did exist under a different name before, but was deleted manually in the gui. It also doesn't exist in the state: