hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Panic in Terraform 0.15.0-beta2 with sensitive attributes/arguments #28244

Closed alisdair closed 3 years ago

alisdair commented 3 years ago

Terraform Version

Terraform v0.15.0-beta2
on darwin_amd64

Terraform Configuration Files

From the AWS provider tests:

# Provider block for the reproduction. Region is the only setting; no
# credentials appear anywhere in this configuration.
provider "aws" {
  region = "us-east-1"
}

# Looks up the partition of the current session; its `partition` attribute is
# interpolated into the managed-policy ARN further down.
data "aws_partition" "current" {}

# IAM role that the Glue crawler in this file runs as. The trust policy is not
# written inline; it is the rendered JSON of the "assume" policy document.
resource "aws_iam_role" "test" {
  name               = "tf-acc-test-12345"
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

# Trust policy for the role: a single statement allowing sts:AssumeRole.
# The only principal is the Glue service, so no account, user or other
# service is named as able to assume the role.
data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["glue.amazonaws.com"]
    }
  }
}

# Resolves the AWS-managed AWSGlueServiceRole policy by ARN. The partition is
# interpolated rather than hard-coded, so the ARN follows the partition the
# provider is running in.
data "aws_iam_policy" "AWSGlueServiceRole" {
  arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSGlueServiceRole"
}

# Attaches the managed Glue service policy to the test role. The crawler below
# lists this attachment in depends_on, so it is created before the crawler.
resource "aws_iam_role_policy_attachment" "test-AWSGlueServiceRole" {
  policy_arn = data.aws_iam_policy.AWSGlueServiceRole.arn
  role       = aws_iam_role.test.name
}

# Inline policy on the test role granting one action,
# lakeformation:GetDataAccess.
# NOTE(review): the statement's Resource is "*". That is test-fixture scope;
# confirm whether this action can be scoped more narrowly before copying the
# policy outside the test suite.
resource "aws_iam_role_policy" "LakeFormationDataAccess" {
  role = aws_iam_role.test.name

  # The policy body is a literal JSON heredoc and contains no interpolation.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LakeFormationDataAccess",
      "Effect": "Allow",
      "Action": [
        "lakeformation:GetDataAccess"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Lists availability zones in the "available" state, filtered to those whose
# opt-in-status is "opt-in-not-required". The subnets index into `names`.
data "aws_availability_zones" "available" {
  state = "available"

  filter {
    name   = "opt-in-status"
    values = ["opt-in-not-required"]
  }
}

# Dedicated test VPC (10.0.0.0/16) that holds the security group and subnets
# used by the Glue connection.
resource "aws_vpc" "test" {
  cidr_block = "10.0.0.0/16"

  tags = {
    Name = "terraform-testacc-glue-connection-base"
  }
}

# Security group referenced by the Glue connection. Its one ingress rule covers
# TCP ports 1-65535 with self = true, so the source is this same group; no CIDR
# range is opened. No egress block is declared here.
# NOTE(review): the all-ports self-referencing rule presumably follows the Glue
# connection networking requirements - confirm before narrowing it.
resource "aws_security_group" "test" {
  name   = "tf-acc-test-12345s"
  vpc_id = aws_vpc.test.id

  ingress {
    from_port = 1
    protocol  = "tcp"
    self      = true
    to_port   = 65535
  }
}

# Two subnets in the test VPC (count = 2). count.index selects both the
# availability zone name and the third octet of the /24, giving 10.0.0.0/24
# and 10.0.1.0/24.
resource "aws_subnet" "test" {
  count = 2

  availability_zone = data.aws_availability_zones.available.names[count.index]
  cidr_block        = "10.0.${count.index}.0/24"
  vpc_id            = aws_vpc.test.id

  tags = {
    Name = "terraform-testacc-glue-connection-base"
  }
}

# Glue catalog database that the crawler is configured to use (database_name).
resource "aws_glue_catalog_database" "test" {
  name = "tf-acc-test-12345s"
}

# Glue connection of type NETWORK, placed in the first test subnet and the test
# security group.
# NOTE(review): connection_properties is presumably the sensitive attribute
# that the issue title refers to - confirm against the AWS provider schema.
resource "aws_glue_connection" "test" {
  # NOTE(review): JDBC_ENFORCE_SSL is false. This is a test-fixture value; a
  # real JDBC connection would normally want TLS enforcement on.
  connection_properties = {
    JDBC_ENFORCE_SSL = false
  }

  connection_type = "NETWORK"

  name = "tf-acc-test-12345s"

  physical_connection_requirements {
    availability_zone      = aws_subnet.test[0].availability_zone
    security_group_id_list = [aws_security_group.test.id]
    subnet_id              = aws_subnet.test[0].id
  }
}

# Glue crawler running as the test role against the test catalog database.
# The explicit depends_on orders it after the managed-policy attachment, which
# the crawler does not otherwise reference.
resource "aws_glue_crawler" "test" {
  depends_on = [aws_iam_role_policy_attachment.test-AWSGlueServiceRole]

  database_name = aws_glue_catalog_database.test.name
  name          = "tf-acc-test-12345s"
  role          = aws_iam_role.test.name

  s3_target {
    # NOTE(review): this reference makes Terraform evaluate the whole
    # aws_glue_connection.test object during plan; presumably this is the
    # GetResource -> MarkWithPaths call seen in the crash trace - confirm.
    connection_name = aws_glue_connection.test.name
    path            = "s3://bucket1"
  }
}

Debug Output

Crash Output

        panic: value is marked, so must be unmarked first

        goroutine 156 [running]:
        github.com/zclconf/go-cty/cty.Value.assertUnmarked(...)
            /go/pkg/mod/github.com/zclconf/go-cty@v1.8.1/cty/marks.go:123
        github.com/zclconf/go-cty/cty.Value.LengthInt(0x2c020f0, 0xc0005a97c0, 0x24bce60, 0xc001345ef0, 0x2c02001)
            /go/pkg/mod/github.com/zclconf/go-cty@v1.8.1/cty/value_ops.go:1045 +0x4f
        github.com/zclconf/go-cty/cty.transform(0xc0005a9970, 0x1, 0x1, 0x2c020f0, 0xc0005a97c0, 0x24bce60, 0xc001345ef0, 0x2bcbb48, 0xc001345f20, 0xc001345ef0, ...)
            /go/pkg/mod/github.com/zclconf/go-cty@v1.8.1/cty/walk.go:175 +0x8f9
        github.com/zclconf/go-cty/cty.transform(0x0, 0x0, 0x0, 0x2c02128, 0xc0005a9940, 0x23cfa00, 0xc001e2e120, 0x2bcbb48, 0xc001345f20, 0x1, ...)
            /go/pkg/mod/github.com/zclconf/go-cty@v1.8.1/cty/walk.go:209 +0x10ed
        github.com/zclconf/go-cty/cty.TransformWithTransformer(...)
            /go/pkg/mod/github.com/zclconf/go-cty@v1.8.1/cty/walk.go:125
        github.com/zclconf/go-cty/cty.Value.MarkWithPaths(0x2c02128, 0xc0005a9940, 0x23cfa00, 0xc001e2e120, 0x0, 0x0, 0x0, 0x23cfa00, 0xc001e2e120, 0x0, ...)
            /go/pkg/mod/github.com/zclconf/go-cty@v1.8.1/cty/marks.go:215 +0xc5
        github.com/hashicorp/terraform/terraform.(*evaluationStateData).GetResource(0xc000598cf0, 0x4d, 0xc000054618, 0x13, 0xc0000588c8, 0x4, 0xc00013e6a8, 0x18, 0x76, 0x17, ...)
            /home/circleci/project/project/terraform/evaluate.go:765 +0xab4
        github.com/hashicorp/terraform/lang.(*Scope).evalContext(0xc0005e6b90, 0xc001345e48, 0x3, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x30)
            /home/circleci/project/project/lang/eval.go:360 +0x206d
        github.com/hashicorp/terraform/lang.(*Scope).EvalContext(...)
            /home/circleci/project/project/lang/eval.go:238
        github.com/hashicorp/terraform/lang.(*Scope).EvalBlock(0xc0005e6b90, 0x2c00bb8, 0xc001ebb200, 0xc0010bc720, 0x1, 0x1, 0x0, 0x0, 0x0, 0x0, ...)
            /home/circleci/project/project/lang/eval.go:51 +0xf3
        github.com/hashicorp/terraform/terraform.(*BuiltinEvalContext).EvaluateBlock(0xc002541520, 0x2c00e58, 0xc001ebb200, 0xc0010bc720, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
            /home/circleci/project/project/terraform/eval_context_builtin.go:273 +0x1ad
        github.com/hashicorp/terraform/terraform.(*NodeAbstractResourceInstance).plan(0xc0002996c0, 0x2c37770, 0xc002541520, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
            /home/circleci/project/project/terraform/node_resource_abstract_instance.go:585 +0x3d5
        github.com/hashicorp/terraform/terraform.(*NodePlannableResourceInstance).managedResourceExecute(0xc0023c7e20, 0x2c37770, 0xc002541520, 0xc000000001, 0xc000061578, 0xc002753c80)
            /home/circleci/project/project/terraform/node_resource_plan_instance.go:145 +0x4f4
        github.com/hashicorp/terraform/terraform.(*NodePlannableResourceInstance).Execute(0xc0023c7e20, 0x2c37770, 0xc002541520, 0xc000132002, 0xc002753d18, 0x40bb05, 0x2418a80)
            /home/circleci/project/project/terraform/node_resource_plan_instance.go:41 +0xb3
        github.com/hashicorp/terraform/terraform.(*ContextGraphWalker).Execute(0xc0002a2480, 0x2c37770, 0xc002541520, 0x7fc548f50110, 0xc0023c7e20, 0x0, 0x0, 0x0)
            /home/circleci/project/project/terraform/graph_walk_context.go:127 +0xbf
        github.com/hashicorp/terraform/terraform.(*Graph).walk.func1(0x2745d00, 0xc0023c7e20, 0x0, 0x0, 0x0)
            /home/circleci/project/project/terraform/graph.go:59 +0xba2
        github.com/hashicorp/terraform/dag.(*Walker).walkVertex(0xc0007d5f20, 0x2745d00, 0xc0023c7e20, 0xc000985b00)
            /home/circleci/project/project/dag/walk.go:381 +0x288
        created by github.com/hashicorp/terraform/dag.(*Walker).Update
            /home/circleci/project/project/dag/walk.go:304 +0x1246

Expected Behavior

Terraform works

Actual Behavior

Terraform does not work!!!

Steps to Reproduce

  1. terraform init
  2. terraform plan

This results in a crash.

Additional Context

Reported in the AWS provider.

References

https://github.com/hashicorp/terraform-provider-aws/issues/18485

ghost commented 3 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.