hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Data source azurerm_key_vault_certificate crashes #8019

Closed sebastianhutter closed 4 years ago

sebastianhutter commented 4 years ago

Community Note

Terraform (and AzureRM Provider) Version

Terraform v0.12.29
+ provider.azurerm v2.21.0
+ provider.null v2.1.2

Affected Resource(s)

Terraform Configuration Files

provider "azurerm" {
  version = "~>2.21"

  subscription_id = var.tf_azure_subscription
  client_id = var.tf_service_principal_id
  client_secret = var.tf_service_principal_secret
  tenant_id = var.tf_azure_tenant

  features {}
}

provider "azurerm" {
  alias = "azure_global"
  version = "~>2.21"

  subscription_id = "e9a62d8f-8fc7-40a7-b85e-657553c9f9e1"
  client_id       = var.tf_service_principal_id
  client_secret   = var.tf_service_principal_secret
  tenant_id       = var.tf_azure_tenant

  features {}
}

# get acmebot keyvault details
data "azurerm_key_vault" "acmebot" {
  provider = azurerm.azure_global

  name = "common-global-certificat" # thank you, 24 char limit ...
  resource_group_name = "common-global-certificates"
}

# get acmebot keyvault details
data "azurerm_key_vault_certificate" "certificate_portal" {
  provider = azurerm.azure_global

  name         = local.apim_portal_certificate_name
  key_vault_id = data.azurerm_key_vault.acmebot.id
}

Debug Output

potential sensitive information - debug output not added

Panic Output

https://gist.github.com/sebastianhutter/b22086492bb9314e478ef1b9afd7c760

Expected Behavior

Terraform plan can retrieve information about certificate

Actual Behavior

Terraform crashed during execution

Steps to Reproduce

  1. terraform plan

Important Factoids

The terraform plan is executed inside a docker container. The certificates which I try to retrieve are created with https://github.com/shibayan/keyvault-acmebot

References

sebastianhutter commented 4 years ago

It seems like selfsigned certificates can be retrieved without an issue, while certificates created by acmebot cause the terraform provider to crash.

debug output self signed

2020-08-05T13:17:55.479Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: [DEBUG] AzureRM Request: 
2020-08-05T13:17:55.479Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: GET /certificates/api-portal-dev-catalog-geberit-com/?api-version=2016-10-01 HTTP/1.1
2020-08-05T13:17:55.479Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: Host: common-global-certificat.vault.azure.net
2020-08-05T13:17:55.479Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: User-Agent: Go/go1.14.5 (amd64-linux) go-autorest/v14.0.0 Azure-SDK-For-Go/v44.1.0 keyvault/2016-10-01 HashiCorp Terraform/0.12.29 (+https://www.terraform.io) Terraform Plugin SDK/1.13.1 terraform-provider-azurerm/2.21.0 pid-222c6c49-1b0a-5959-a213-6608f9eb8820
2020-08-05T13:17:55.479Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: X-Ms-Correlation-Request-Id: ff465f49-ec42-21f3-0eb1-4fa00ed47976
2020-08-05T13:17:55.479Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: Accept-Encoding: gzip
2020-08-05T13:17:55.479Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: 
2020-08-05T13:17:55.479Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: 
2020-08-05T13:17:55.500Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: [DEBUG] AzureRM Response for https://common-global-certificat.vault.azure.net/certificates/sebistest/?api-version=2016-10-01: 
2020-08-05T13:17:55.500Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: HTTP/2.0 200 OK
2020-08-05T13:17:55.500Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: Content-Length: 2353
2020-08-05T13:17:55.500Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: Cache-Control: no-cache
2020-08-05T13:17:55.500Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: Content-Type: application/json; charset=utf-8
2020-08-05T13:17:55.500Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: Date: Wed, 05 Aug 2020 13:17:55 GMT
2020-08-05T13:17:55.500Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: Expires: -1
2020-08-05T13:17:55.500Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: Pragma: no-cache
2020-08-05T13:17:55.500Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: Strict-Transport-Security: max-age=31536000;includeSubDomains
2020-08-05T13:17:55.500Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: X-Aspnet-Version: 4.0.30319
2020-08-05T13:17:55.500Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: X-Content-Type-Options: nosniff
2020-08-05T13:17:55.500Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: X-Ms-Keyvault-Network-Info: conn_type=Ipv4;addr=212.51.159.16;act_addr_fam=InterNetwork;
2020-08-05T13:17:55.500Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: X-Ms-Keyvault-Region: westeurope
2020-08-05T13:17:55.500Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: X-Ms-Keyvault-Service-Version: 1.1.10.0
2020-08-05T13:17:55.500Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: X-Ms-Request-Id: 337bae38-0774-40cc-adaf-1287b741bbac
2020-08-05T13:17:55.500Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: X-Powered-By: ASP.NET
2020-08-05T13:17:55.500Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: 
2020-08-05T13:17:55.500Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: {"id":"https://common-global-certificat.vault.azure.net/certificates/sebistest/5aa4f7ff9bd94162a4b6a1af9d71ce1f","kid":"https://common-global-certificat.vault.azure.net/keys/sebistest/5aa4f7ff9bd94162a4b6a1af9d71ce1f","sid":"https://common-global-certificat.vault.azure.net/secrets/sebistest/5aa4f7ff9bd94162a4b6a1af9d71ce1f","x5t":"S0Yq5Rp42PGUCJF2bmLjhvGEmtM","cer":"MIIDNjCCAh6gAwIBAgIQF9Lt/adAQxulw91pWD1T4TANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDEw1zZWJpc3Rlc3QuY29tMB4XDTIwMDgwNTEzMDYwOFoXDTIxMDgwNTEzMTYwOFowGDEWMBQGA1UEAxMNc2ViaXN0ZXN0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOOojy25DdTGGVVZDtpW9mxqTnQzhFwenDj8IjIjKleDuqKVLY1EsyQQThaJaXX0OKM87/Zm7rnbWRT4iSEwDgwl9FZuTs0U4MMD2M5ZjOWqYKlkGCWa9jPbLdJE9K+OnA8x1Q69mtuK8/BZp2WEGFZJZa4SdaYn+9/DCnhk+EbGnyJZ1RTuCntma4GD2dqNGHnNw0NbAgH1A44aTnIkxwFypo2/7oGvyvyGrpPP0f2hKUUQKmrisAs2eUuzbsliGsNJ6mE4dvKIrBj40sH1WSise3V4+j2h6JciWemn32mE7dkvr2qIZgBOo8Wmdi7WQix6brJBkqHruXZtriRplGMCAwEAAaN8MHowDgYDVR0PAQH/BAQDAgWgMAkGA1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFG7AXatkTI4uEa0N9SI9+KzSO9+HMB0GA1UdDgQWBBRuwF2rZEyOLhGtDfUiPfis0jvfhzANBgkqhkiG9w0BAQsFAAOCAQEAc+EOpY9l+qYc6NCwSf8DipPF+Jg0qhWWO3kLI6GewZCT/2iUWrg0CK1TLt0aFGsGlNx0KFqQ9ygBoYeHrP3tnTVvRUCzcFude9U+pQi8FVb6Dk3RPjX99QWYU7svZ6tzffumDN+ROJ9VQmxpKbZ3QoVzyluLG3tnvh3mkHd6jZyWKYB8EFBQwtJQjgtS6p+ltGiRJ0cjcWSSOOcRqWCMt+YIL5cGfn3pUpecTJq0mklOYyHgAr8/cvpH3dg1WP9FHIToFrHSZ8NKFGbeFBZX15RCV5VjXaaLrESbGMY0MjCiTszL8DkUofBsFB1C5MP5sKHUPEbgepVq0FvEmoD74g==","attributes":{"enabled":true,"nbf":1596632768,"exp":1628169368,"created":1596633369,"updated":1596633369,"recoveryLevel":"Purgeable"},"policy":{"id":"https://common-global-certificat.vault.azure.net/certificates/sebistest/policy","key_props":{"exportable":true,"kty":"RSA","key_size":2048,"reuse_key":false},"secret_props":{"contentType":"application/x-pkcs12"},"x509_props":{"subject":"CN=sebistest.com","sans":{"dns_names":[]},"ekus":["1.3.6.1.
5.5.7.3.1","1.3.6.1.5.5.7.3.2"],"key_usage":["digitalSignature","keyEncipherment"],"validity_months":12,"basic_constraints":{"ca":false}},"lifetime_actions":[{"trigger":{"lifetime_percentage":80},"action":{"action_type":"AutoRenew"}}],"issuer":{"name":"Self"},"attributes":{"enabled":true,"created":1596633354,"updated":1596633354}},"pending":{"id":"https://common-global-certificat.vault.azure.net/certificates/sebistest/pending"}}
2020/08/05 13:17:55 [TRACE] <root>: eval: *terraform.EvalIf
2020/08/05 13:17:55 [TRACE] <root>: eval: *terraform.EvalSequence
2020/08/05 13:17:55 [TRACE] <root>: eval: *terraform.EvalWriteState
2020/08/05 13:17:55 [TRACE] EvalWriteState: writing current state object for data.azurerm_key_vault_certificate.selfsigned
2020/08/05 13:17:55 [TRACE] <root>: eval: *terraform.EvalUpdateStateHook
2020/08/05 13:17:55 [TRACE] [walkRefresh] Exiting eval tree: data.azurerm_key_vault_certificate.selfsigned
2020/08/05 13:17:55 [TRACE] vertex "data.azurerm_key_vault_certificate.selfsigned": visit complete
2020/08/05 13:17:55 [TRACE] vertex "data.azurerm_key_vault_certificate.selfsigned": dynamic subgraph completed successfully
2020/08/05 13:17:55 [TRACE] vertex "data.azurerm_key_vault_certificate.selfsigned": visit complete

debug output acmebot

2020-08-05T13:17:55.568Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: [DEBUG] AzureRM Response for https://common-global-certificat.vault.azure.net/certificates/api-portal-dev-catalog-geberit-com/?api-version=2016-10-01: 
2020-08-05T13:17:55.568Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: HTTP/2.0 200 OK
2020-08-05T13:17:55.568Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: Content-Length: 3347
2020-08-05T13:17:55.568Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: Cache-Control: no-cache
2020-08-05T13:17:55.568Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: Content-Type: application/json; charset=utf-8
2020-08-05T13:17:55.568Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: Date: Wed, 05 Aug 2020 13:17:55 GMT
2020-08-05T13:17:55.568Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: Expires: -1
2020-08-05T13:17:55.568Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: Pragma: no-cache
2020-08-05T13:17:55.568Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: Strict-Transport-Security: max-age=31536000;includeSubDomains
2020-08-05T13:17:55.568Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: X-Aspnet-Version: 4.0.30319
2020-08-05T13:17:55.568Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: X-Content-Type-Options: nosniff
2020-08-05T13:17:55.568Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: X-Ms-Keyvault-Network-Info: conn_type=Ipv4;addr=212.51.159.16;act_addr_fam=InterNetwork;
2020-08-05T13:17:55.568Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: X-Ms-Keyvault-Region: westeurope
2020-08-05T13:17:55.568Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: X-Ms-Keyvault-Service-Version: 1.1.10.0
2020-08-05T13:17:55.568Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: X-Ms-Request-Id: 033e0049-9231-49e0-8a22-bd6ed0798ea8
2020-08-05T13:17:55.568Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: X-Powered-By: ASP.NET
2020-08-05T13:17:55.568Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: 
2020-08-05T13:17:55.569Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: {"id":"https://common-global-certificat.vault.azure.net/certificates/api-portal-dev-catalog-geberit-com/19256ecdc6ff4c3c991f766c05fa5269","kid":"https://common-global-certificat.vault.azure.net/keys/api-portal-dev-catalog-geberit-com/19256ecdc6ff4c3c991f766c05fa5269","sid":"https://common-global-certificat.vault.azure.net/secrets/api-portal-dev-catalog-geberit-com/19256ecdc6ff4c3c991f766c05fa5269","x5t":"vBkK8pj8gGuXOFLWsKuznvxdo7o","cer":"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","attributes":{"enabled":true,"nbf":1596608147,"exp":1604384147,"created":1596611748,"updated":1596611748,"recoveryLevel":"Purgeable"},"tags":{"Issuer":"Acmebot","Endpoint":"https://acme-v02.api.letsencrypt.org/"},"policy":{"id":"https://common-global-certificat.vault.azure.net/certificates/api-portal-dev-catalog-geberit-com/policy","key_props":{"exportable":true,"kty":"RSA","key_size":2048,"reuse_key":false},"secret_props":{"contentType":"application/x-pkcs12"},"x509_props":{"sans":{"dns_names":["api-portal.dev.catalog.geberit.com"]},"ekus":["1.3.6.1.5.5.7.3.1","1.3.6.1.5.5.7.3.2"],"key_usage":["digitalSignature","keyEncipherment"],"validity_months":12,"basic_constraints":{"ca":false}},"lifetime_actions":[{"trigger":{"lifetime_percentage":80},"action":{"action_type":"EmailContacts"}}],"issuer":{"name":"Unknown"},"attributes":{"enabled":true,"created":1596611746,"updated":1596611746}},"pending":{"id":"https://common-global-certificat.vault.azure.net/certificates/api-portal-dev-catalog-geberit-com/pending"}}
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: panic: runtime error: invalid memory address or nil pointer dereference
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x395458e]
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: 
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: goroutine 147 [running]:
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/keyvault.flattenKeyVaultCertificatePolicyForDataSource(0xc001d68340, 0x45b94cf, 0x4, 0x3e75940)
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5:  /opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/keyvault/key_vault_certificate_data_source.go:372 +0x57e
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/keyvault.dataSourceArmKeyVaultCertificateRead(0xc000a70380, 0x3f6e960, 0xc00028e000, 0x0, 0x0)
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5:  /opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/keyvault/key_vault_certificate_data_source.go:262 +0x7fe
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Resource).ReadDataApply(0xc000ab23f0, 0xc0011ca360, 0x3f6e960, 0xc00028e000, 0xc000f8b688, 0x1, 0x0)
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5:  /opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-azurerm/vendor/github.com/hashicorp/terraform-plugin-sdk/helper/schema/resource.go:403 +0x88
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Provider).ReadDataApply(0xc0012be280, 0xc00186dad0, 0xc0011ca360, 0xc0011ca360, 0x0, 0x0)
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5:  /opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-azurerm/vendor/github.com/hashicorp/terraform-plugin-sdk/helper/schema/provider.go:451 +0x8f
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: github.com/hashicorp/terraform-plugin-sdk/internal/helper/plugin.(*GRPCProviderServer).ReadDataSource(0xc00011c600, 0x4df0480, 0xc000f2a330, 0xc0017800c0, 0xc00011c600, 0xc000f2a330, 0xc000835b78)
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5:  /opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-azurerm/vendor/github.com/hashicorp/terraform-plugin-sdk/internal/helper/plugin/grpc_provider.go:1036 +0x45d
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: github.com/hashicorp/terraform-plugin-sdk/internal/tfplugin5._Provider_ReadDataSource_Handler(0x4366700, 0xc00011c600, 0x4df0480, 0xc000f2a330, 0xc001786060, 0x0, 0x4df0480, 0xc000f2a330, 0xc00178c160, 0x152)
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5:  /opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-azurerm/vendor/github.com/hashicorp/terraform-plugin-sdk/internal/tfplugin5/tfplugin5.pb.go:3341 +0x217
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: google.golang.org/grpc.(*Server).processUnaryRPC(0xc0006c3680, 0x4e2d4c0, 0xc000703380, 0xc001788000, 0xc000b35590, 0x7c18b70, 0x0, 0x0, 0x0)
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5:  /opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-azurerm/vendor/google.golang.org/grpc/server.go:1024 +0x501
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: google.golang.org/grpc.(*Server).handleStream(0xc0006c3680, 0x4e2d4c0, 0xc000703380, 0xc001788000, 0x0)
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5:  /opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-azurerm/vendor/google.golang.org/grpc/server.go:1313 +0xd3d
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: google.golang.org/grpc.(*Server).serveStreams.func1.1(0xc000a6a110, 0xc0006c3680, 0x4e2d4c0, 0xc000703380, 0xc001788000)
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5:  /opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-azurerm/vendor/google.golang.org/grpc/server.go:722 +0xa1
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: created by google.golang.org/grpc.(*Server).serveStreams.func1
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5:  /opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-azurerm/vendor/google.golang.org/grpc/server.go:720 +0xa1
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: runtime: note: your Linux kernel may be buggy
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: runtime: note: see https://golang.org/wiki/LinuxKernelSignalVectorBug
2020-08-05T13:17:55.571Z [DEBUG] plugin.terraform-provider-azurerm_v2.21.0_x5: runtime: note: mlock workaround for kernel bug failed with errno 12
2020/08/05 13:17:55 [ERROR] <root>: eval: *terraform.EvalReadData, err: rpc error: code = Unavailable desc = transport is closing
2020/08/05 13:17:55 [ERROR] <root>: eval: *terraform.EvalSequence, err: rpc error: code = Unavailable desc = transport is closing

sebastianhutter commented 4 years ago

OK, I think I know what's going on :-)

Acmebot is not setting the "subject" but only dns_names:

"x509_props": {
  "sans": {
    "dns_names": [
      "api-portal.dev.catalog.geberit.com"
    ]
  },
  "ekus": [
    "1.3.6.1.5.5.7.3.1",
    "1.3.6.1.5.5.7.3.2"
  ],
  "key_usage": [
    "digitalSignature",
    "keyEncipherment"
  ],
  "validity_months": 12,
  "basic_constraints": {
    "ca": false
  }
},

The azurerm data provider tries to get the subject from the properties though: https://github.com/terraform-providers/terraform-provider-azurerm/blob/master/azurerm/internal/services/keyvault/key_vault_certificate_data_source.go#L372

And here the corresponding acmebot code: https://github.com/shibayan/keyvault-acmebot/blob/master/KeyVault.Acmebot/SharedFunctions.cs#L272-L275

As the key vault allows certificates without subject set, the key vault data source should also work without a subject.
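
The failure mode identified above, as an added Go example that is not the provider's code: optional JSON fields decoded into pointers are nil when absent, so a flattener has to check before dereferencing. The type and function names are hypothetical, and the two inputs are constructed from the `x509_props` fields shown in this issue.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical types mirroring a few x509_props fields quoted in the issue.
// Optional fields are pointers, so a field missing from the JSON decodes to nil.
type sans struct {
	DNSNames *[]string `json:"dns_names"`
}

type x509Props struct {
	Subject        *string `json:"subject"`
	SANs           *sans   `json:"sans"`
	ValidityMonths *int    `json:"validity_months"`
}

// Constructed inputs: the self-signed policy sets "subject", the Acmebot one does not.
const selfSignedProps = `{"subject":"CN=sebistest.com","sans":{"dns_names":[]},"validity_months":12}`
const acmebotProps = `{"sans":{"dns_names":["api-portal.dev.catalog.geberit.com"]},"validity_months":12}`

// flattenUnsafe dereferences Subject without a nil check (the crash pattern).
func flattenUnsafe(p *x509Props) map[string]interface{} {
	return map[string]interface{}{"subject": *p.Subject}
}

// flattenSafe treats every optional field as possibly absent and falls back
// to a zero value instead of dereferencing a nil pointer.
func flattenSafe(p *x509Props) map[string]interface{} {
	out := map[string]interface{}{"subject": "", "dns_names": []string{}, "validity_months": 0}
	if p == nil {
		return out
	}
	if p.Subject != nil {
		out["subject"] = *p.Subject
	}
	if p.SANs != nil && p.SANs.DNSNames != nil {
		out["dns_names"] = *p.SANs.DNSNames
	}
	if p.ValidityMonths != nil {
		out["validity_months"] = *p.ValidityMonths
	}
	return out
}

// tryFlatten decodes raw and runs f, converting a panic into an error so the
// two flatteners can be compared without killing the process.
func tryFlatten(raw string, f func(*x509Props) map[string]interface{}) (result map[string]interface{}, err error) {
	var p x509Props
	if e := json.Unmarshal([]byte(raw), &p); e != nil {
		return nil, e
	}
	defer func() {
		if r := recover(); r != nil {
			result, err = nil, fmt.Errorf("panic: %v", r)
		}
	}()
	return f(&p), nil
}

func main() {
	for _, raw := range []string{selfSignedProps, acmebotProps} {
		_, unsafeErr := tryFlatten(raw, flattenUnsafe)
		safe, _ := tryFlatten(raw, flattenSafe)
		fmt.Printf("unsafe error: %v\nsafe result: %v\n\n", unsafeErr, safe)
	}
}
```

In a plugin process an unrecovered panic of this kind ends the provider, which Terraform core then reports as `transport is closing`, as in the log above.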

njuCZ commented 4 years ago

@sebastianhutter thanks for pointing out this issue and for the investigation. I have submitted a PR; I hope it unblocks you soon. Sorry for the inconvenience.

sebastianhutter commented 4 years ago

@njuCZ Thanks a lot! No worries - I am working around the issue with a custom external data source until the fix arrives in the provider.

If anyone is interested, here is the PowerShell code to retrieve the secret and key ID from Key Vault.

# disable any warning messages
$WarningPreference = 'SilentlyContinue'

# https://thegrayzone.co.uk/blog/2017/03/external-terraform-provider-powershell/
$payload = [Console]::In.ReadLine()
$json = ConvertFrom-Json $payload

try { 
    # login and switch to correct subscription 
    $secret = ConvertTo-SecureString -String $json.serviceprincipal_secret -AsPlainText -Force
    $credentials = New-Object pscredential($json.serviceprincipal_id,$secret)
    # need to assign variables for cmdlets else output is parsed by the external data source which leads to invalid json errors
    $void = Connect-AzAccount -Credential $credentials -Tenant $json.tenant_id -ServicePrincipal
    $void = Select-AzSubscription $json.keyvault_subscription_id

    $certificate = Get-AzKeyVaultCertificate -VaultName $json.keyvault_name -Name $json.certificate_name 
    # return json object 
    @{keyId=$certificate.KeyId;secretId=$certificate.SecretId} | ConvertTo-Json -Compress -EnumsAsStrings | Write-Output

} catch {
  Write-Error "An error occurred:"
  Write-Error $_.Exception.Message
  Write-Error $_.ScriptStackTrace

  exit 1
}

ghost commented 4 years ago

This has been released in version 2.22.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.22.0"
}
# ... other configuration ...