Crash creating plan with service endpoints

alarobric commented 1 year ago

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and Azure DevOps Provider) Version

terraform 1.5.2 hashicorp/aws 4.67.0 microsoft/azuredevops 0.6.0

I've found the same issue with 0.5.0 as well.

Affected Resource(s)

azuredevops_serviceendpoint_aws

Terraform Configuration Files

resource "azuredevops_serviceendpoint_aws" "aws_service_connection" {
  project_id            = var.azdo_project_id
  service_endpoint_name = "aws-terraform"
  access_key_id         = var.terraform_user_access_key
  secret_access_key     = var.terraform_user_access_secret
  description           = "Managed by Terraform"
  role_to_assume        = var.terraform_provisioning_role_to_assume
  role_session_name     = "terraform-provisioning"
}

resource "azuredevops_serviceendpoint_aws" "aws_dev_service_connection" {
  project_id            = var.azdo_project_id
  service_endpoint_name = "aws-dev-terraform"
  access_key_id         = var.terraform_user_access_key
  secret_access_key     = var.terraform_user_access_secret
  description           = "Managed by Terraform"
  role_to_assume        = var.dev_terraform_provisioning_role_to_assume
  role_session_name     = "terraform-dev-provisioning"
}

resource "azuredevops_serviceendpoint_aws" "aws_service_terraform_state_connection" {
  project_id            = var.azdo_project_id
  service_endpoint_name = "aws-terraform-state"
  access_key_id         = var.terraform_user_access_key
  secret_access_key     = var.terraform_user_access_secret
  description           = "Managed by Terraform"
  role_to_assume        = var.terraform_state_role_to_assume
  role_session_name     = "terraform-state"
}

Debug Output

Panic Output

panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0xc10bf1]

goroutine 54 [running]: github.com/microsoft/terraform-provider-azuredevops/azuredevops/internal/service/serviceendpoint.doBaseFlattening(0x0?, 0xc0003a17a0, 0xc0002e06f0) github.com/microsoft/terraform-provider-azuredevops/azuredevops/internal/service/serviceendpoint/commons.go:119 +0x151 github.com/microsoft/terraform-provider-azuredevops/azuredevops/internal/service/serviceendpoint.flattenServiceEndpointAws(0xc0000ee400?, 0xc0003a17a0, 0xc00012c1f0?) github.com/microsoft/terraform-provider-azuredevops/azuredevops/internal/service/serviceendpoint/resource_serviceendpoint_aws.go:82 +0x27 github.com/microsoft/terraform-provider-azuredevops/azuredevops/internal/service/serviceendpoint.genServiceEndpointReadFunc.func1(0xc000099080, {0xcae620?, 0xc000398280}) github.com/microsoft/terraform-provider-azuredevops/azuredevops/internal/service/serviceendpoint/commons.go:233 +0x2ef github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(Resource).read(0xfa07e0?, {0xfa07e0?, 0xc00017d0b0?}, 0xd?, {0xcae620?, 0xc000398280?}) github.com/hashicorp/terraform-plugin-sdk/v2@v2.23.0/helper/schema/resource.go:712 +0x178 github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(Resource).RefreshWithoutUpgrade(0xc0003ca460, {0xfa07e0, 0xc00017d0b0}, 0xc0000acea0, {0xcae620, 0xc000398280}) github.com/hashicorp/terraform-plugin-sdk/v2@v2.23.0/helper/schema/resource.go:1015 +0x585 github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(GRPCProviderServer).ReadResource(0xc0003969d8, {0xfa07e0?, 0xc00010c900?}, 0xc0004e6f80) github.com/hashicorp/terraform-plugin-sdk/v2@v2.23.0/helper/schema/grpc_provider.go:613 +0x497 github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(server).ReadResource(0xc000360fa0, {0xfa07e0?, 0xc0002352f0?}, 0xc00007c960) github.com/hashicorp/terraform-plugin-go@v0.14.0/tfprotov5/tf5server/server.go:748 +0x49e github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ReadResource_Handler({0xe0b0a0?, 0xc000360fa0}, {0xfa07e0, 0xc0002352f0}, 0xc0000b61c0, 0x0) github.com/hashicorp/terraform-plugin-go@v0.14.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:349 +0x170 google.golang.org/grpc.(Server).processUnaryRPC(0xc00026a1e0, {0xfa3440, 0xc0003eba00}, 0xc0002a8b40, 0xc0003e7140, 0x14ca890, 0x0) google.golang.org/grpc@v1.48.0/server.go:1295 +0xb0b google.golang.org/grpc.(Server).handleStream(0xc00026a1e0, {0xfa3440, 0xc0003eba00}, 0xc0002a8b40, 0x0) google.golang.org/grpc@v1.48.0/server.go:1636 +0xa1b google.golang.org/grpc.(Server).serveStreams.func1.2() google.golang.org/grpc@v1.48.0/server.go:932 +0x98 created by google.golang.org/grpc.(Server).serveStreams.func1 google.golang.org/grpc@v1.48.0/server.go:930 +0x28a

Error: The terraform-provider-azuredevops_v0.5.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely helpful if you could report the crash with the plugin's maintainers so that it can be fixed. The output above should help diagnose the issue.

Expected Behavior

Pipeline was previously working as expected. A separate module creates the AWS account and role and passes that to this module. This creates the service connection in AzDO for our other terraform pipelines to make use of. This was now extended to include a third service connection. The only changes inside this module are the aws_dev_service_connection and a new variable var.dev_terraform_provisioning_role_to_assume

Actual Behavior

Terraform works correctly from my developer machine. Service connection is created or updated as expected. From Azure DevOps pipeline, it fails with the panic pasted above.

Steps to Reproduce

terraform plan within the AzDO pipeline

Important Factoids

References

alarobric commented 1 year ago

It turns out after much debugging, that this was due to the PAT being used (the build service account) not having access. This account was in Endpoint Creators group and so could create service connections, but not edit them. In the previous connections the build service account had been given explicit access to administer those service connections.

Resolved for me now, but I still believe this should produce a better user error instead of crashing.

xuzhang3 commented 1 year ago

@alarobric This kind issue is hard to locate and return a proper error message. Service will not return the resource if it does not have the read permission. One way to circumvent this error is defensive coding.

microsoft / terraform-provider-azuredevops