opensearch-project / terraform-provider-opensearch

https://registry.terraform.io/providers/opensearch-project/opensearch
Apache License 2.0

[BUG] AWS SSO causes provider plugin to crash #51

Open arichtman-srt opened 1 year ago

arichtman-srt commented 1 year ago

What is the bug?

When using AWS SSO profiles the provider crashes.

How can one reproduce the bug?

Attempt to apply changes using AWS SSO profiles that rely on sso_session.

What is the expected behavior?

Graceful shutdown

What is your host/environment?

aarch64-darwin

$ uname -a

Darwin bne-nb-ariel 22.5.0 Darwin Kernel Version 22.5.0: Thu Jun  8 22:21:34 PDT 2023; root:xnu-8796.121.3~7/RELEASE_ARM64_T8112 arm64 arm Darwin

$ terraform -version

Terraform v1.3.9
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v5.7.0
+ provider registry.terraform.io/opensearch-project/opensearch v1.0.0

Do you have any screenshots?


│ Error: Plugin did not respond
│
│   with opensearch_index.test,
│   on opensearch.tf line 10, in resource "opensearch_index" "test":
│   10: resource "opensearch_index" "test" {
│
│ The plugin encountered an error, and failed to respond to the plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.
╵

Stack trace from the terraform-provider-opensearch_v1.0.0 plugin:

panic: profile "Search.Dev.EngineeringAccess" is configured to use SSO but is missing required configuration: sso_region, sso_start_url

goroutine 39 [running]:
github.com/aws/aws-sdk-go/aws/session.Must(...)
        github.com/aws/aws-sdk-go@v1.43.21/aws/session/session.go:381
github.com/opensearch-project/terraform-provider-opensearch/provider.awsSession({0x1400030e2f0, 0xe}, 0x14000728b40)
        github.com/opensearch-project/terraform-provider-opensearch/provider/provider.go:525 +0x340
github.com/opensearch-project/terraform-provider-opensearch/provider.awsHttpClient({0x1400030e2f0, 0xe}, 0x14000728b40, 0x1008daf74?)
        github.com/opensearch-project/terraform-provider-opensearch/provider/provider.go:529 +0x38
github.com/opensearch-project/terraform-provider-opensearch/provider.getClient(0x14000728b40)
        github.com/opensearch-project/terraform-provider-opensearch/provider/provider.go:303 +0x6d4
github.com/opensearch-project/terraform-provider-opensearch/provider.resourceOpensearchIndexCreate(0x14000877238?, {0x1015a9800?, 0x14000728b40})
        github.com/opensearch-project/terraform-provider-opensearch/provider/resource_opensearch_index.go:526 +0x9b0
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0x1017c69c0?, {0x1017c69c0?, 0x140002ec900?}, 0xd?, {0x1015a9800?, 0x14000728b40?})
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.12.0/helper/schema/resource.go:330 +0x138
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0x140002b0c40, {0x1017c69c0, 0x140002ec900}, 0x140008385b0, 0x140002f6c80, {0x1015a9800, 0x14000728b40})
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.12.0/helper/schema/resource.go:472 +0x714
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0x1400019d8d8, {0x1017c6918?, 0x140002b28c0?}, 0x140002f2230)
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.12.0/helper/schema/grpc_provider.go:1021 +0xb5c
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0x1400078f9a0, {0x1017c69c0?, 0x140002ec030?}, 0x140002ee000)
        github.com/hashicorp/terraform-plugin-go@v0.8.0/tfprotov5/tf5server/server.go:812 +0x38c
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x101740400?, 0x1400078f9a0}, {0x1017c69c0, 0x140002ec030}, 0x1400061a120, 0x0)
        github.com/hashicorp/terraform-plugin-go@v0.8.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:385 +0x174
google.golang.org/grpc.(*Server).processUnaryRPC(0x1400027c700, {0x1017c9660, 0x14000318680}, 0x140004a5560, 0x1400078a540, 0x101f33f40, 0x0)
        google.golang.org/grpc@v1.45.0/server.go:1282 +0xb3c
google.golang.org/grpc.(*Server).handleStream(0x1400027c700, {0x1017c9660, 0x14000318680}, 0x140004a5560, 0x0)
        google.golang.org/grpc@v1.45.0/server.go:1619 +0x840
google.golang.org/grpc.(*Server).serveStreams.func1.2()
        google.golang.org/grpc@v1.45.0/server.go:921 +0x88
created by google.golang.org/grpc.(*Server).serveStreams.func1
        google.golang.org/grpc@v1.45.0/server.go:919 +0x298

Error: The terraform-provider-opensearch_v1.0.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Do you have any additional context?

I believe sso_session is unsupported by the AWS GoLang SDK.
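
A pre-flight check for the condition named in the panic above, as an added example that is not part of the original issue or the provider's code: it scans AWS config text and returns an error, rather than panicking, for a profile that sets `sso_session` without inline `sso_region` and `sso_start_url`. `CheckSSOProfile` and the sample config are hypothetical and constructed; only named `[profile ...]` sections are handled.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample of ~/.aws/config; account id and URL are placeholders.
const sampleConfig = `[profile dev]
sso_session = corp
sso_account_id = 111111111111
[sso-session corp]
sso_region = us-east-1
sso_start_url = https://example.awsapps.com/start
[profile legacy]
sso_region = us-east-1
sso_start_url = https://example.awsapps.com/start
sso_account_id = 111111111111`

// CheckSSOProfile (hypothetical helper) reports, as an error value, a profile
// that points at an sso-session but lacks the inline SSO keys from the panic.
func CheckSSOProfile(config, profile string) error {
	keys, found, inProfile := map[string]string{}, false, false
	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			// Keys under [sso-session ...] are not inline to the profile.
			inProfile = strings.TrimSpace(line[1:len(line)-1]) == "profile "+profile
			found = found || inProfile
		} else if k, v, ok := strings.Cut(line, "="); ok && inProfile {
			keys[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	if !found {
		return fmt.Errorf("profile %q not found", profile)
	}
	if keys["sso_session"] != "" && (keys["sso_region"] == "" || keys["sso_start_url"] == "") {
		return fmt.Errorf("profile %q sets sso_session but has no inline sso_region/sso_start_url", profile)
	}
	return nil
}

func main() {
	for _, p := range []string{"dev", "legacy"} {
		fmt.Printf("%s: %v\n", p, CheckSSOProfile(sampleConfig, p))
	}
}
```
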

peterzhuamazon commented 1 year ago

[Triage] Adding @prudhvigodithi to take a look at this. Thanks.

prudhvigodithi commented 1 year ago

Hey @arichtman-sr, can you please test with the latest version of the provider? Thank you. Adding @phillbaker @bbarani @peterzhuamazon

AlessandroFazio commented 7 months ago

Hello @peterzhuamazon, I'm getting a 403 Forbidden error when using aws-sso-login-generated tmp credentials. The provider version is the latest available. I export the env var AWS_PROFILE=admin_profile and configure the provider as follows:

provider "opensearch" {
  url         = "https://${module.opensearch.opensearch_domain_endpoint}"
  healthcheck = false
  aws_profile = "${var.aws_profile}"
}

It seems to be a problem with this provider, since everything else works fine. Any help or suggestion is welcome.

The error:

│ Error: HTTP 403 Forbidden: Permission denied. Please ensure that the correct credentials are being used to access the cluster.
│
│   with module.opensearch_ops.opensearch_ism_policy.otel_ism_policies["otel-v1-metrics-ism-policy"],
│   on modules/opensearch-ops/main.tf line 14, in resource "opensearch_ism_policy" "otel_ism_policies":
│   14: resource "opensearch_ism_policy" "otel_ism_policies" {