search

hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/
Other
42.3k stars 9.49k forks source link

Terraform Crash #35641

Open Bibz87 opened 2 weeks ago

Bibz87 commented 2 weeks ago

Terraform Version

Terraform v1.9.5
on windows_amd64
+ provider registry.terraform.io/hashicorp/random v3.6.2

Terraform Configuration Files

terraform {
  backend "kubernetes" {
    config_path="~/.kube/config"
    namespace="terraform-tests"
    secret_suffix="test-01"
  }
}

resource "random_string" "test" {
  length = 8
  special = false
}

Debug Output

https://gist.github.com/Bibz87/2c68fea5383e932e99451051d1bc10d9

Expected Behavior

Terraform doesn't crash during initialisation

Actual Behavior

Attempting to initialise Terraform configuration results in crash

Steps to Reproduce

  1. terraform init

Additional Context

After some testing, it looks like ending the secret suffix with a number causes the crash. Changing secret_suffix from test-01 to test makes the initialisation work properly without crashing.

Note: Terraform does create the Kubernetes secret before crashing.

References

No response

Bibz87 commented 2 weeks ago

I definitely don't feel comfortable downloading and installing random patches from untrusted sources.

crw commented 2 weeks ago

Looks like spam. Will report to GitHub.

crw commented 2 weeks ago

@Bibz87 Thanks for your report!

Bibz87 commented 2 weeks ago

Let me know if you need anything from me to help with debugging. 😀

Saschl commented 2 weeks ago

Looks like spam. Will report to GitHub.

Very sorry about that (one of the comments came from my account). Account got compromised and posted this malicious stuff. Should not happen again

bschaatsbergen commented 2 weeks ago

Similar to #33995 cc @crw

bschaatsbergen commented 1 week ago

When the secret_suffix is "test-44", the backend attempts to retrieve a secret named "<secret>-test-44". It then uses the Atoi function to parse the last segment of the name, assuming it's an integer index. This is what leads to errors if the suffix isn't actually an index, resulting in the out of bound error.

This assumption seems to be related to how the backend manages Terraform state files. Since state files can be too large to fit into a single Kubernetes secret, the backend chunks the state into multiple secrets, see this part of the secret creation implementation. This chunking mechanism leads to the use of numeric suffixes to differentiate between chunks. However, relying on the assumption that the last part of the secret name is potentially an index can cause issues if the suffix is not intended to be an index when set by the user.

Given the complexity introduced by the existing chunking mechanism, supporting secret suffixes with a trailing -<int> becomes extremely challenging. To avoid potential issues, I recommend not allowing trailing -<int> values in the secret_suffix moving forward.

bschaatsbergen commented 1 week ago

I’ve opened a PR (#35666) to add extra validation for the secret_suffix, preventing it from ending with a trailing -<number>. This helps avoid conflicts with the backend’s chunking mechanism, which appends numeric indices to secret names.