hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_lb_trust_store_revocation - panic with invalid CRL file #38353

Closed Dave-EMIS closed 4 weeks ago

Dave-EMIS commented 1 month ago

Terraform Core Version

1.8.2

AWS Provider Version

5.56.1

Affected Resource(s)

aws_lb_trust_store_revocation

Expected Behavior

The AWS error is returned to the consumer so that they know about the problem and that they need to correct their CRL.

Actual Behavior

Crashes

Relevant Error/Panic Output Snippet

╷
│ Error: Plugin did not respond
│ 
│   with module.alb.aws_lb_trust_store_revocation.mtls,
│   on ../modules/elb/public.tf line 48, in resource "aws_lb_trust_store_revocation" "mtls":
│   48: resource "aws_lb_trust_store_revocation" "mtls" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.
╵

Stack trace from the terraform-provider-aws_v5.56.1_x5 plugin:

panic: runtime error: index out of range [0] with length 0

goroutine 69 [running]:
github.com/hashicorp/terraform-provider-aws/internal/service/elbv2.resourceTrustStoreRevocationCreate({0x15f99248, 0xc002fe9da0}, 0xc001139d80, {0x13f3a9c0, 0xc0047c5ba0})
        github.com/hashicorp/terraform-provider-aws/internal/service/elbv2/trust_store_revocation.go:104 +0x994
github.com/hashicorp/terraform-provider-aws/internal/provider.New.(*wrappedResource).Create.interceptedHandler[...].func8(0xc001139d80?, {0x13f3a9c0?, 0xc0047c5ba0})
        github.com/hashicorp/terraform-provider-aws/internal/provider/intercept.go:113 +0x283
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0x15f99248?, {0x15f99248?, 0xc002fe8f30?}, 0xd?, {0x13f3a9c0?, 0xc0047c5ba0?})
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.34.0/helper/schema/resource.go:801 +0x7a
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc0018d9c00, {0x15f99248, 0xc002fe8f30}, 0xc0044f0000, 0xc001139c00, {0x13f3a9c0, 0xc0047c5ba0})
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.34.0/helper/schema/resource.go:937 +0xa89
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0xc0047cc300, {0x15f99248?, 0xc002fe8e70?}, 0xc004c31630)
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.34.0/helper/schema/grpc_provider.go:1153 +0xd5c
github.com/hashicorp/terraform-plugin-mux/tf5muxserver.(*muxServer).ApplyResourceChange(0xc001570540, {0x15f99248?, 0xc002fe8ba0?}, 0xc004c31630)
        github.com/hashicorp/terraform-plugin-mux@v0.16.0/tf5muxserver/mux_server_ApplyResourceChange.go:36 +0x193
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0xc0001f0f00, {0x15f99248?, 0xc002db1e90?}, 0xc000e42e70)
        github.com/hashicorp/terraform-plugin-go@v0.23.0/tfprotov5/tf5server/server.go:865 +0x3d0
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x13d02140, 0xc0001f0f00}, {0x15f99248, 0xc002db1e90}, 0xc001139300, 0x0)
        github.com/hashicorp/terraform-plugin-go@v0.23.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:518 +0x1a6
google.golang.org/grpc.(*Server).processUnaryRPC(0xc001244200, {0x15f99248, 0xc002db1e00}, {0x15fef8a0, 0xc000002780}, 0xc001e21560, 0xc000762330, 0x1f3e48d8, 0x0)
        google.golang.org/grpc@v1.63.2/server.go:1369 +0xdf8
google.golang.org/grpc.(*Server).handleStream(0xc001244200, {0x15fef8a0, 0xc000002780}, 0xc001e21560)
        google.golang.org/grpc@v1.63.2/server.go:1780 +0xe8b
google.golang.org/grpc.(*Server).serveStreams.func2.1()
        google.golang.org/grpc@v1.63.2/server.go:1019 +0x8b
created by google.golang.org/grpc.(*Server).serveStreams.func2 in goroutine 56
        google.golang.org/grpc@v1.63.2/server.go:1030 +0x125

Error: The terraform-provider-aws_v5.56.1_x5 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Terraform Configuration Files

Attempting to create the resource via

resource "aws_lb_trust_store_revocation" "mtls" {
  trust_store_arn       = aws_lb_trust_store.mtls.arn
  revocations_s3_bucket = var.mtls_truststore_bucket
  revocations_s3_key    = var.mtls_revocations_key
}

The S3 bucket, object and trust store already exist.

Steps to Reproduce

Use an invalid format CRL file in the S3 bucket and then terraform apply.

As seen in the debug logs (below), there was an error returned from AWS, but we cannot see it in Terraform.

Debug Output

2024-07-12T14:16:32.591Z [DEBUG] provider.terraform-provider-aws_v5.56.1_x5: HTTP Response Received: http.response.header.date="Fri, 12 Jul 2024 14:16:32 GMT" rpc.method=AddTrustStoreRevocations tf_mux_provider="*schema.GRPCProviderServer" http.duration=316 http.response.header.content_type=text/xml rpc.system=aws-api tf_aws.sdk=aws-sdk-go @module=aws aws.region=eu-west-2
  http.response.body=
  | <ErrorResponse xmlns="http://elasticloadbalancing.amazonaws.com/doc/2015-12-01/">
  |   <Error>
  |     <Type>Sender</Type>
  |     <Code>InvalidRevocationContent</Code>
  |     <Message>Provided revocation file is not in the correct format</Message>
  |   </Error>
  |   <RequestId>a504642b-39c3-4515-b028-b1e212f5a694</RequestId>
  | </ErrorResponse>
   http.response.header.x_amzn_requestid=a504642b-39c3-4515-b028-b1e212f5a694 http.status_code=400 rpc.service="Elastic Load Balancing v2" tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.55/logger.go:157 http.response_content_length=325 tf_req_id=6af32b05-41bc-f50a-0d17-dbc99a7adfa6 tf_resource_type=aws_lb_trust_store_revocation timestamp=2024-07-12T14:16:32.591Z

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No

Dave-EMIS commented 1 month ago

I'm not going to raise a PR, but I think the issue is a missing return on line 101:

https://github.com/hashicorp/terraform-provider-aws/blob/67a4dcc2d1e84ec7c6fed6d2ff266e0424b15b14/internal/service/elbv2/trust_store_revocation.go#L98-L104

Without a return it carries on expecting output.TrustStoreRevocations[0] to be there on 104 and crashes.
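
The failure mode suggested in the comment above, as an added example that is not the provider's own code: `addRevocations`, `createBuggy` and `createFixed` are hypothetical stand-ins, and the sketch assumes the API call hands back an empty output together with the error. It shows the recorded-but-not-returned error next to a form that returns early and guards the slice access.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the SDK output type; not the provider's real types.
type revocation struct{ ID int64 }
type addOutput struct{ TrustStoreRevocations []revocation }

// addRevocations simulates the API call: a bad CRL yields an error and an empty output (assumption).
func addRevocations(validCRL bool) (*addOutput, error) {
	if !validCRL {
		return &addOutput{}, errors.New("InvalidRevocationContent: Provided revocation file is not in the correct format")
	}
	return &addOutput{TrustStoreRevocations: []revocation{{ID: 1}}}, nil
}

// createBuggy records the API error but keeps going, so the index below panics.
func createBuggy(validCRL bool) (id int64, diags []string, panicMsg string) {
	defer func() {
		if r := recover(); r != nil {
			panicMsg = fmt.Sprint(r) // recovered only to surface the crash message
		}
	}()
	out, err := addRevocations(validCRL)
	if err != nil {
		diags = append(diags, err.Error()) // no return here: execution falls through
	}
	return out.TrustStoreRevocations[0].ID, diags, ""
}

// createFixed returns the API error as a diagnostic and checks the slice before indexing.
func createFixed(validCRL bool) (int64, []string) {
	out, err := addRevocations(validCRL)
	if err != nil {
		return 0, []string{err.Error()}
	}
	if out == nil || len(out.TrustStoreRevocations) == 0 {
		return 0, []string{"empty result from AddTrustStoreRevocations"}
	}
	return out.TrustStoreRevocations[0].ID, nil
}

func main() {
	_, _, p := createBuggy(false)
	_, d := createFixed(false)
	fmt.Println("buggy:", p, "| fixed:", d)
}
```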

github-actions[bot] commented 3 weeks ago

This functionality has been released in v5.62.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!