hashicorp / terraform-provider-awscc

Terraform AWS Cloud Control provider
https://registry.terraform.io/providers/hashicorp/awscc/latest/docs
Mozilla Public License 2.0

SIGSEGV applying awscc_servicecatalogappregistry_application #1439

Open aslatter opened 5 months ago

aslatter commented 5 months ago

Community Note

Terraform CLI and Terraform AWS Cloud Control Provider Version

Terraform v1.7.3
on linux_amd64

Affected Resource(s)

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "awscc_servicecatalogappregistry_application" "main" {
  name = local.group_name
}

I'm applying this with a role which only has resource-groups:* and cloudformation:CreateResource (among other likely unrelated permissions). I was attempting to iteratively perform applies and see what permissions were missing. I had just added the cloudformation:CreateResource permission when I got this crash. I expect I'm missing more permissions - my backup plan is to read documentation.

Debug Output

Panic Output

Stack trace from the terraform-provider-awscc_v0.70.0_x5 plugin:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0xae1ef2]

goroutine 23 [running]:
github.com/hashicorp/terraform-provider-awscc/internal/generic.(*genericResource).Create(0xc00149e460, {0x2c3faf8?, 0xc00244a780?}, {{{{0x2c447f8, 0xc00244b050}, {0x1dd8b20, 0xc00244af90}}, {0x2c65138, 0xc0021066e0}}, {{{0x2c447f8, ...}, ...}, ...}, ...}, ...)
    github.com/hashicorp/terraform-provider-awscc/internal/generic/resource.go:416 +0x7b2
github.com/hashicorp/terraform-plugin-framework/internal/fwserver.(*Server).CreateResource(0xc0003e4000, {0x2c3faf8, 0xc00244a780}, 0xc00249b318, 0xc00249b2b8)
    github.com/hashicorp/terraform-plugin-framework@v1.5.0/internal/fwserver/server_createresource.go:101 +0x578
github.com/hashicorp/terraform-plugin-framework/internal/fwserver.(*Server).ApplyResourceChange(0xc00068f470?, {0x2c3faf8, 0xc00244a780}, 0xc00245b680, 0xc00249b470)
    github.com/hashicorp/terraform-plugin-framework@v1.5.0/internal/fwserver/server_applyresourcechange.go:57 +0x4a5
github.com/hashicorp/terraform-plugin-framework/internal/proto6server.(*Server).ApplyResourceChange(0xc0003e4000, {0x2c3faf8?, 0xc00244a660?}, 0xc00245b5e0)
    github.com/hashicorp/terraform-plugin-framework@v1.5.0/internal/proto6server/server_applyresourcechange.go:55 +0x3e5
github.com/hashicorp/terraform-plugin-go/tfprotov6/tf6server.(*server).ApplyResourceChange(0xc000338140, {0x2c3faf8?, 0xc00246bc80?}, 0xc002420230)
    github.com/hashicorp/terraform-plugin-go@v0.20.0/tfprotov6/tf6server/server.go:857 +0x56b
github.com/hashicorp/terraform-plugin-go/tfprotov6/internal/tfplugin6._Provider_ApplyResourceChange_Handler({0x1ee3760?, 0xc000338140}, {0x2c3faf8, 0xc00246bc80}, 0xc00241fb80, 0x0)
    github.com/hashicorp/terraform-plugin-go@v0.20.0/tfprotov6/internal/tfplugin6/tfplugin6_grpc.pb.go:503 +0x169
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0001f8960, {0x2c3faf8, 0xc00246bbf0}, {0x2c62e60, 0xc00048a1a0}, 0xc00246eea0, 0xc000337f80, 0x39d4578, 0x0)
    google.golang.org/grpc@v1.60.0/server.go:1372 +0xe03
google.golang.org/grpc.(*Server).handleStream(0xc0001f8960, {0x2c62e60, 0xc00048a1a0}, 0xc00246eea0)
    google.golang.org/grpc@v1.60.0/server.go:1783 +0xfec
google.golang.org/grpc.(*Server).serveStreams.func2.1()
    google.golang.org/grpc@v1.60.0/server.go:1016 +0x59
created by google.golang.org/grpc.(*Server).serveStreams.func2 in goroutine 36
    google.golang.org/grpc@v1.60.0/server.go:1027 +0x115

Error: The terraform-provider-awscc_v0.70.0_x5 plugin crashed!

Expected Behavior

Not a SIGSEGV.

Actual Behavior

Panic etc.

Steps to Reproduce

  1. terraform apply

Important Factoids

As described above - I am likely missing permissions required to perform the action.

References

kadrach commented 5 months ago

You are missing permissions for a few actions here. The minimum set of actions you need is

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "resource-groups:*", // probably not minimal
                "cloudformation:CreateResource",
                "cloudformation:GetResourceRequestStatus",
                "servicecatalog:CreateApplication",
                "cloudformation:GetResource",
                "servicecatalog:GetApplication"
            ],
            "Resource": "*" // not minimal
        }
    ]
}

The requirement for cloudformation:GetResourceRequestStatus is currently somewhat hidden. The other actions you can find by rinse-and-repeat terraform apply until you have all of the permissions :)

The waiter err is not checked right away; this looks like an edge case we haven't come across. At a quick glance this is also happening in the delete handler.

diff --git a/internal/generic/resource.go b/internal/generic/resource.go
index 8dcd9cb4a..e60166ee9 100644
--- a/internal/generic/resource.go
+++ b/internal/generic/resource.go
@@ -413,7 +413,11 @@ func (r *genericResource) Create(ctx context.Context, request resource.CreateReq

    err = waiter.Wait(ctx, &cloudcontrol.GetResourceRequestStatusInput{RequestToken: output.ProgressEvent.RequestToken}, r.createTimeout)

-   id := aws.ToString(progressEvent.Identifier)
+   var id string
+   if progressEvent != nil {
+       // progressEvent may be nil if the user does not have permissions to evaluate resource request status
+       id = aws.ToString(progressEvent.Identifier)
+   }

    if err != nil {
        response.Diagnostics.Append(ServiceOperationWaiterErrorDiag("Cloud Control API", "CreateResource", err))
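Review bot: the nil guard around `progressEvent` treats the symptom, but the root cause visible in this hunk is ordering: `id` is derived from `progressEvent` before the `err` returned by `waiter.Wait` is examined. Moving the `if err != nil { response.Diagnostics.Append(ServiceOperationWaiterErrorDiag(...)) ... }` block above the `id` assignment would dereference `progressEvent` only on the success path and make the `var id string` workaround unnecessary. As written, a nil `progressEvent` with a nil `err` also produces an empty `id` silently; that case deserves its own diagnostic rather than continuing with an empty identifier. The delete handler mentioned in the comment needs the equivalent reordering.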
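As an added illustration of the bug class discussed in this comment (not code from the provider or the commenter): a minimal Go model of the create path, with the unguarded version that dereferences a nil progress event when the waiter fails, beside a version that checks the waiter error first. ProgressEvent, waitFunc, toString, deniedWaiter and Panics are constructed stand-ins for the SDK and provider types.

```go
package main

import "fmt"

// ProgressEvent is a constructed stand-in for the Cloud Control API progress
// event the provider reads after waiting (not the AWS SDK type).
type ProgressEvent struct{ Identifier *string }

// waitFunc models waiter.Wait on GetResourceRequestStatus: when the caller lacks
// cloudformation:GetResourceRequestStatus it returns a nil event and an error.
type waitFunc func(token string) (*ProgressEvent, error)

// toString mirrors aws.ToString: it tolerates a nil *string, but cannot help
// when the struct holding the pointer is itself nil.
func toString(s *string) string {
	if s == nil {
		return ""
	}
	return *s
}

// createUnguarded reproduces the crash pattern from the issue: the identifier
// is read from the event before the waiter error is inspected.
func createUnguarded(wait waitFunc, token string) (string, error) {
	event, err := wait(token)
	id := toString(event.Identifier) // nil pointer dereference when event == nil
	return id, err
}

// createGuarded checks the waiter error first and only touches the event on
// the success path, so a permissions failure becomes a returned error.
func createGuarded(wait waitFunc, token string) (string, error) {
	event, err := wait(token)
	if err != nil {
		return "", fmt.Errorf("CreateResource: waiting for request %s: %w", token, err)
	}
	if event == nil || event.Identifier == nil {
		return "", fmt.Errorf("CreateResource: request %s completed without an identifier", token)
	}
	return *event.Identifier, nil
}

// deniedWaiter is a constructed waiter that fails the way the issue describes.
func deniedWaiter(string) (*ProgressEvent, error) {
	return nil, fmt.Errorf("AccessDeniedException: not authorized for cloudformation:GetResourceRequestStatus")
}

// Panics reports whether fn panicked, so the crash can be shown in-process.
func Panics(fn func()) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	fn()
	return false
}
```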

aslatter commented 5 months ago

Thanks! I was able to debug the permissions issue by setting the provider debug flag.

Further down the process I ran into a different error (not a crash) where my state file got corrupted because I was missing permissions to tag either the service catalog resources or the resource group.