opensearch-project / terraform-provider-opensearch

https://registry.terraform.io/providers/opensearch-project/opensearch
Apache License 2.0

[BUG] panic: set item just set doesn't exist #194

Open clibup opened 1 month ago

clibup commented 1 month ago

11:45:17 Stack trace from the terraform-provider-opensearch_v2.2.1 plugin:
11:45:17
11:45:17 panic: set item just set doesn't exist
11:45:17
11:45:17 goroutine 452 [running]:
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(MapFieldWriter).setSet(0xc000bb2bb8, {0xc000bb1490, 0x1, 0x1}, {0xe894e0, 0xc000bb2c00}, 0xc0001c9b80)
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2@v2.12.0/helper/schema/field_writer_map.go:327 +0x992
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(MapFieldWriter).set(0xc000bb2bb8, {0xc000bb1490, 0x1, 0x1}, {0xe894e0, 0xc000bb2c00})
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2@v2.12.0/helper/schema/field_writer_map.go:107 +0x14c
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(MapFieldWriter).WriteField(0xc000bb2bb8, {0xc000bb1490, 0x1, 0x1}, {0xe894e0, 0xc000bb2c00})
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2@v2.12.0/helper/schema/field_writer_map.go:89 +0x3f9
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(ResourceData).Set(0xc0002ecf00, {0x103b47a, 0x12}, {0xe894e0, 0xc000bb2c00})
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2@v2.12.0/helper/schema/resource_data.go:227 +0x210
11:45:17 github.com/opensearch-project/terraform-provider-opensearch/provider.resourceOpensearchOpenDistroRoleRead(0xc0002ecf00, {0xe74a80, 0xc0001542c0})
11:45:17 github.com/opensearch-project/terraform-provider-opensearch/provider/resource_opensearch_role.go:156 +0x4cd
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(Resource).read(0x139bfa8?, {0x139bfa8?, 0xc0002c6210?}, 0xd?, {0xe74a80?, 0xc0001542c0?})
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2@v2.12.0/helper/schema/resource.go:347 +0x178
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(Resource).RefreshWithoutUpgrade(0xc000225880, {0x139bfa8, 0xc0002c6210}, 0xc0006e76c0, {0xe74a80, 0xc0001542c0})
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2@v2.12.0/helper/schema/resource.go:650 +0x47b
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(GRPCProviderServer).ReadResource(0xc000118348, {0x139bf00?, 0xc00069ddc0?}, 0xc00069de40)
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2@v2.12.0/helper/schema/grpc_provider.go:613 +0x45f
11:45:17 github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(server).ReadResource(0xc0000cf400, {0x139bfa8?, 0xc0009177d0?}, 0xc0001f61e0)
11:45:17 github.com/hashicorp/terraform-plugin-go@v0.8.0/tfprotov5/tf5server/server.go:746 +0x438
11:45:17 github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ReadResource_Handler({0xfd4ca0?, 0xc0000cf400}, {0x139bfa8, 0xc0009177d0}, 0xc0001f6180, 0x0)
11:45:17 github.com/hashicorp/terraform-plugin-go@v0.8.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:349 +0x170
11:45:17 google.golang.org/grpc.(Server).processUnaryRPC(0xc0001fca80, {0x139ecc8, 0xc000288d00}, 0xc000c7db00, 0xc0001daab0, 0x1a830b0, 0x0)
11:45:17 google.golang.org/grpc@v1.45.0/server.go:1282 +0xccf
11:45:17 google.golang.org/grpc.(Server).handleStream(0xc0001fca80, {0x139ecc8, 0xc000288d00}, 0xc000c7db00, 0x0)
11:45:17 google.golang.org/grpc@v1.45.0/server.go:1619 +0xa1b
11:45:17 google.golang.org/grpc.(Server).serveStreams.func1.2()
11:45:17 google.golang.org/grpc@v1.45.0/server.go:921 +0x98
11:45:17 created by google.golang.org/grpc.(Server).serveStreams.func1
11:45:17 google.golang.org/grpc@v1.45.0/server.go:919 +0x28a
11:45:17
11:45:17 Error: The terraform-provider-opensearch_v2.2.1 plugin crashed!
11:45:17
11:45:17 This is always indicative of a bug within the plugin. It would be immensely
11:45:17 helpful if you could report the crash with the plugin's maintainers so that it
11:45:17 can be fixed. The output above should help diagnose the issue.

How can one reproduce the bug?

We've used python to create roles in OpenSearch, some roles don't have tenant permissions and then we've uploaded tenant permissions in this way:

"tenant_permissions": [
  {
    "tenant_patterns": [],
    "allowed_actions": []
  }
]

When I created a new role with the opensearch terraform provider without any tenant_permissions settings, I can see tenant_permissions set by the plugin just like

"tenant_permissions": [],

The problem occurs when I want to use terraform to create a role that was previously created using API and python scripts. Additionally, when such a problem occurs, I have to delete terraform.tfstate and re-import all the resources so that I can do anything with terraform.

What is your host/environment?

Ubuntu 22.04 OpenSearch 2.14

rblcoder commented 4 weeks ago

@PhilippReinke Would it be possible for you to look into the query above regarding tenant permission?

rblcoder commented 3 weeks ago

An earlier issue on tenant permissions: https://github.com/opensearch-project/terraform-provider-opensearch/issues/38

@clibup could you please share terraform code, python scripts calling APIs and steps to follow, so we can reproduce the issue?

clibup commented 3 weeks ago

My terraform code

resource "opensearch_role" "appgroups_roles_write" {
  role_name = "pm_name_write"

  cluster_permissions = ["example_permission"]

  index_permissions {
    index_patterns  = ["example_index-*"]
    allowed_actions = ["read"]
  }
}

resource "opensearch_roles_mapping" "appgroups_mapper_write" {
  role_name     = "pm_name_write"
  # backend_roles is a set of strings, so the value is written as a list
  backend_roles = ["pm_example_write"]
}

and the JSON which is uploaded with REST

_upload = {
    "cluster_permissions": ["example_permission"],
    "index_permissions": [{
        "index_patterns": "example_index-*",
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
            "read"
        ]
    }],
    "tenant_permissions": [{
        "tenant_patterns": [],
        "allowed_actions": []
    }],
}

rblcoder commented 2 weeks ago

Creating the role using the API call

PUT _plugins/_security/api/roles/movies_role
{
  "cluster_permissions": ["*"],
  "index_permissions": [{
    "index_patterns": [
      "movies*"
    ],
    "dls": "",
    "fls": [],
    "masked_fields": [],
    "allowed_actions": [
      "read"
    ]
  }],
  "tenant_permissions": [{
    "tenant_patterns": [],
    "allowed_actions": []
  }]
}

GET _plugins/_security/api/roles/movies_role

gives

{
  "movies_role": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "movies*"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [],
        "allowed_actions": []
      }
    ],
    "static": false
  }
}

Creating using terraform code

terraform {
  required_providers {
    opensearch = {
      source = "opensearch-project/opensearch"
      version = "2.2.1"
    }
  }
}

provider "opensearch" {
  url                  = "https://localhost:9200"
  username             = "admin"
  password             = "myStrongPassword123@456"
  healthcheck          = "false"
  insecure             = "true"
  version_ping_timeout = "10"
}

resource "opensearch_role" "movies_role" {
  role_name   = "movies_role"
  description = "Logs writer role"

  cluster_permissions = ["*"]

  index_permissions {
    index_patterns  = ["movies*"]
    allowed_actions = ["read"]
  }

}

resource "opensearch_roles_mapping" "mapper" {
  role_name   = "movies_role"
  description = "Mapping AWS IAM roles to ES role"
  backend_roles = [
    "arn:aws:iam::123456789012:role/lambda-call-opensearch",
    "arn:aws:iam::123456789012:role/run-containers",
  ]

  depends_on = [opensearch_role.movies_role]
}

GET _plugins/_security/api/roles/movies_role

{
  "movies_role": {
    "reserved": false,
    "hidden": false,
    "description": "Logs writer role",
    "cluster_permissions": [
      "*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "movies*"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  }
}

Creating the role using the API call

PUT _plugins/_security/api/roles/movies_role
{
  "cluster_permissions": ["*"],
  "index_permissions": [{
    "index_patterns": [
      "movies*"
    ],
    "dls": "",
    "fls": [],
    "masked_fields": [],
    "allowed_actions": [
      "read"
    ]
  }],
  "tenant_permissions": []
}

Now GET _plugins/_security/api/roles/movies_role gives

{
  "movies_role": {
    "reserved": false,
    "hidden": false,
    "description": "Logs writer role",
    "cluster_permissions": [
      "*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "movies*"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  }
}

With this API call, I don't see the error.

clibup commented 2 weeks ago

OK, thx for info, maybe reason is that we have about 300 roles, but the only difference I see are tenant_permissions settings and I don't have depends_on = [opensearch_role.xxxxxxx] in my terraform code. I use terraform v1.1.5 because we have to use etcdv3 as a backend.
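
The only difference the thread identifies between API-created and Terraform-created roles is a `tenant_permissions` entry whose `tenant_patterns` and `allowed_actions` are both empty. The Go code below is an added example, not part of the thread or the provider's code: it scans a roles response in the shape quoted above and lists the roles holding such entries, which helps when there are hundreds of roles to check. The function names, role names and sample JSON are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// tenantPermission mirrors one "tenant_permissions" entry of the role JSON quoted in the thread.
type tenantPermission struct {
	TenantPatterns []string `json:"tenant_patterns"`
	AllowedActions []string `json:"allowed_actions"`
}

// prune drops entries that have no patterns and no actions; dropped counts them.
func prune(in []tenantPermission) (kept []tenantPermission, dropped int) {
	for _, tp := range in {
		if len(tp.TenantPatterns) == 0 && len(tp.AllowedActions) == 0 {
			dropped++
			continue
		}
		kept = append(kept, tp)
	}
	return kept, dropped
}

// rolesWithEmptyTenantEntries returns the sorted names of roles holding at least one empty entry.
func rolesWithEmptyTenantEntries(body []byte) ([]string, error) {
	var roles map[string]struct {
		TenantPermissions []tenantPermission `json:"tenant_permissions"`
	}
	if err := json.Unmarshal(body, &roles); err != nil {
		return nil, fmt.Errorf("decode roles response: %w", err)
	}
	hits := []string{}
	for name, r := range roles {
		if _, dropped := prune(r.TenantPermissions); dropped > 0 {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits, nil
}

// sample is constructed for this example; role, tenant and action names are hypothetical.
const sample = `{"api_role": {"tenant_permissions": [{"tenant_patterns": [], "allowed_actions": []}]},
 "tf_role": {"tenant_permissions": []},
 "full_role": {"tenant_permissions": [{"tenant_patterns": ["example_tenant"], "allowed_actions": ["example_action"]}]}}`
func main() { fmt.Println(rolesWithEmptyTenantEntries([]byte(sample))) }
```

Roles it reports can then be re-uploaded with `"tenant_permissions": []`, the form for which no error was seen in the thread.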