splunk / terraform-provider-splunk

Terraform Provider for Splunk
Mozilla Public License 2.0

panic: runtime error: index out of range [0] with length 0 #171

Open yaroslav-nakonechnikov opened 1 year ago

yaroslav-nakonechnikov commented 1 year ago

Hello,

We tried to use that provider and got an issue:

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # splunk_saved_searches.saved_search will be created
  + resource "splunk_saved_searches" "saved_search" {
      + action_email                            = (known after apply)
      + action_email_auth_password              = (known after apply)
      + action_email_auth_username              = (known after apply)
      + action_email_bcc                        = (known after apply)
      + action_email_cc                         = (known after apply)
      + action_email_command                    = (known after apply)
      + action_email_format                     = (known after apply)
      + action_email_from                       = (known after apply)
      + action_email_hostname                   = (known after apply)
      + action_email_include_results_link       = 0
      + action_email_include_search             = (known after apply)
      + action_email_include_trigger            = (known after apply)
      + action_email_include_trigger_time       = (known after apply)
      + action_email_include_view_link          = 0
      + action_email_inline                     = true
      + action_email_mailserver                 = (known after apply)
      + action_email_max_results                = (known after apply)
      + action_email_max_time                   = (known after apply)
      + action_email_message_alert              = "Report for CyberArk PTA unmanaged privileged access accounts."
      + action_email_message_report             = (known after apply)
      + action_email_pdfview                    = (known after apply)
      + action_email_preprocess_results         = (known after apply)
      + action_email_report_cid_font_list       = (known after apply)
      + action_email_report_include_splunk_logo = (known after apply)
      + action_email_report_paper_orientation   = (known after apply)
      + action_email_report_paper_size          = (known after apply)
      + action_email_report_server_enabled      = (known after apply)
      + action_email_report_server_url          = (known after apply)
      + action_email_send_csv                   = 1
      + action_email_send_pdf                   = (known after apply)
      + action_email_send_results               = true
      + action_email_subject                    = "Splunk Report: P4 - $name$"
      + action_email_to                         = "splunk@splunk.com"
      + action_email_track_alert                = true
      + action_email_ttl                        = (known after apply)
      + action_email_use_ssl                    = (known after apply)
      + action_email_use_tls                    = (known after apply)
      + action_email_width_sort_columns         = (known after apply)
      + action_populate_lookup                  = (known after apply)
      + action_populate_lookup_command          = (known after apply)
      + action_populate_lookup_dest             = (known after apply)
      + action_populate_lookup_hostname         = (known after apply)
      + action_populate_lookup_max_results      = (known after apply)
      + action_populate_lookup_max_time         = (known after apply)
      + action_populate_lookup_track_alert      = (known after apply)
      + action_populate_lookup_ttl              = (known after apply)
      + action_rss                              = (known after apply)
      + action_rss_command                      = (known after apply)
      + action_rss_hostname                     = (known after apply)
      + action_rss_max_results                  = (known after apply)
      + action_rss_max_time                     = (known after apply)
      + action_rss_track_alert                  = (known after apply)
      + action_rss_ttl                          = (known after apply)
      + action_script                           = (known after apply)
      + action_script_command                   = (known after apply)
      + action_script_filename                  = (known after apply)
      + action_script_hostname                  = (known after apply)
      + action_script_max_results               = (known after apply)
      + action_script_max_time                  = (known after apply)
      + action_script_track_alert               = (known after apply)
      + action_script_ttl                       = (known after apply)
      + action_slack_param_attachment           = "none"
      + action_snow_event_param_account         = (known after apply)
      + action_snow_event_param_additional_info = (known after apply)
      + action_snow_event_param_ci_identifier   = (known after apply)
      + action_snow_event_param_custom_fields   = (known after apply)
      + action_snow_event_param_description     = (known after apply)
      + action_snow_event_param_node            = (known after apply)
      + action_snow_event_param_resource        = (known after apply)
      + action_snow_event_param_severity        = (known after apply)
      + action_snow_event_param_type            = (known after apply)
      + action_summary_index                    = (known after apply)
      + action_summary_index_command            = (known after apply)
      + action_summary_index_hostname           = (known after apply)
      + action_summary_index_inline             = (known after apply)
      + action_summary_index_max_results        = (known after apply)
      + action_summary_index_max_time           = (known after apply)
      + action_summary_index_name               = (known after apply)
      + action_summary_index_track_alert        = (known after apply)
      + action_summary_index_ttl                = (known after apply)
      + actions                                 = "email"
      + alert_comparator                        = (known after apply)
      + alert_condition                         = (known after apply)
      + alert_digest_mode                       = false
      + alert_expires                           = (known after apply)
      + alert_severity                          = (known after apply)
      + alert_suppress                          = true
      + alert_suppress_fields                   = "user,Client_Entity"
      + alert_suppress_period                   = "86400s"
      + alert_threshold                         = (known after apply)
      + alert_track                             = (known after apply)
      + alert_type                              = (known after apply)
      + allow_skew                              = (known after apply)
      + auto_summarize                          = (known after apply)
      + auto_summarize_command                  = (known after apply)
      + auto_summarize_cron_schedule            = (known after apply)
      + auto_summarize_dispatch_earliest_time   = (known after apply)
      + auto_summarize_dispatch_latest_time     = (known after apply)
      + auto_summarize_dispatch_time_format     = (known after apply)
      + auto_summarize_dispatch_ttl             = (known after apply)
      + auto_summarize_max_disabled_buckets     = (known after apply)
      + auto_summarize_max_summary_ratio        = (known after apply)
      + auto_summarize_max_summary_size         = (known after apply)
      + auto_summarize_max_time                 = (known after apply)
      + auto_summarize_suspend_period           = (known after apply)
      + auto_summarize_timespan                 = (known after apply)
      + cron_schedule                           = "5 4 * * 1"
      + description                             = "This UC should detect if a connection to a machine or a cloud service is made with a privileged account that is not stored in the Vault."
      + disabled                                = true
      + dispatch_buckets                        = (known after apply)
      + dispatch_earliest_time                  = "-7d"
      + dispatch_index_earliest                 = (known after apply)
      + dispatch_index_latest                   = (known after apply)
      + dispatch_indexed_realtime               = (known after apply)
      + dispatch_indexed_realtime_minspan       = (known after apply)
      + dispatch_indexed_realtime_offset        = (known after apply)
      + dispatch_latest_time                    = "now"
      + dispatch_lookups                        = (known after apply)
      + dispatch_max_count                      = (known after apply)
      + dispatch_max_time                       = (known after apply)
      + dispatch_reduce_freq                    = (known after apply)
      + dispatch_rt_backfill                    = true
      + dispatch_rt_maximum_span                = (known after apply)
      + dispatch_spawn_process                  = (known after apply)
      + dispatch_time_format                    = (known after apply)
      + dispatch_ttl                            = (known after apply)
      + display_view                            = (known after apply)
      + id                                      = (known after apply)
      + is_scheduled                            = (known after apply)
      + is_visible                              = true
      + max_concurrent                          = (known after apply)
      + name                                    = "Threat - 0811_Unmanaged_Privileged_Access - Rule"
      + realtime_schedule                       = (known after apply)
      + request_ui_dispatch_app                 = "SplunkEnterpriseSecuritySuite"
      + request_ui_dispatch_view                = (known after apply)
      + restart_on_searchpeer_add               = (known after apply)
      + run_on_startup                          = (known after apply)
      + schedule_priority                       = (known after apply)
      + schedule_window                         = "auto"
      + search                                  = <<-EOT
            `indexes_live_cyberark` sourcetype="cyberark:pta:json" signature_id="22" signature="Unmanaged privileged access" \
            |stats values(src) as src_ip values(dst) as dest max(_time) as _time  values(index) as index values(signature) as message values(signature_id) as signature_id values(ba_sys_id) as ba_sys_id by duser client_entity\
            |rename _time as event_time dest as hostname duser as user client_entity as Client_Entity\
            | eval event_time=strftime(event_time,"%Y-%m-%d %H:%M:%S")\
            | table event_time Client_Entity index src_ip  hostname user message signature_id ba_sys_id
        EOT
      + vsid                                    = (known after apply)
      + workload_pool                           = (known after apply)

      + acl {
          + app              = "launcher"
          + can_change_perms = (known after apply)
          + can_share_app    = (known after apply)
          + can_share_global = (known after apply)
          + can_share_user   = (known after apply)
          + can_write        = (known after apply)
          + owner            = "admin"
          + read             = (known after apply)
          + removable        = (known after apply)
          + sharing          = "app"
          + write            = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.
splunk_saved_searches.saved_search: Creating...
╷
│ Error: Plugin did not respond
│ 
│   with splunk_saved_searches.saved_search,
│   on main.tf line 6, in resource "splunk_saved_searches" "saved_search":
│    6: resource "splunk_saved_searches" "saved_search" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may
│ contain more details.
╵

Stack trace from the terraform-provider-splunk_v1.4.19 plugin:

panic: runtime error: index out of range [0] with length 0

goroutine 34 [running]:
github.com/splunk/terraform-provider-splunk/splunk.getSavedSearchesConfigByName({0x40000350b0, 0x30}, 0x4000226ab0)
    github.com/splunk/terraform-provider-splunk/splunk/resource_splunk_saved_searches.go:1886 +0x220
github.com/splunk/terraform-provider-splunk/splunk.savedSearchesRead(0x4000232000, {0x76c920?, 0x400023ac50})
    github.com/splunk/terraform-provider-splunk/splunk/resource_splunk_saved_searches.go:1159 +0x164
github.com/splunk/terraform-provider-splunk/splunk.savedSearchesCreate(0x7c9a00?, {0x76c920?, 0x400023ac50})
    github.com/splunk/terraform-provider-splunk/splunk/resource_splunk_saved_searches.go:1144 +0x1b8
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Resource).Apply(0x40004b6090, 0x4000280370, 0x40005ea720, {0x76c920, 0x400023ac50})
    github.com/hashicorp/terraform-plugin-sdk@v1.15.0/helper/schema/resource.go:310 +0x3cc
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Provider).Apply(0x400017c980, 0x4000299940, 0x8bf15c?, 0xf?)
    github.com/hashicorp/terraform-plugin-sdk@v1.15.0/helper/schema/provider.go:294 +0x6c
github.com/hashicorp/terraform-plugin-sdk/internal/helper/plugin.(*GRPCProviderServer).ApplyResourceChange(0x400000ed38, {0x40002323f0?, 0x0?}, 0x40002323f0)
    github.com/hashicorp/terraform-plugin-sdk@v1.15.0/internal/helper/plugin/grpc_provider.go:885 +0x69c
github.com/hashicorp/terraform-plugin-sdk/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x88ba20?, 0x400000ed38}, {0xa57190, 0x400072a1e0}, 0x4000684120, 0x0)
    github.com/hashicorp/terraform-plugin-sdk@v1.15.0/internal/tfplugin5/tfplugin5.pb.go:3305 +0x16c
google.golang.org/grpc.(*Server).processUnaryRPC(0x4000378480, {0xa5aac0, 0x4000378600}, 0x400021e400, 0x40004d3920, 0xf3e760, 0x0)
    google.golang.org/grpc@v1.27.1/server.go:1024 +0xb4c
google.golang.org/grpc.(*Server).handleStream(0x4000378480, {0xa5aac0, 0x4000378600}, 0x400021e400, 0x0)
    google.golang.org/grpc@v1.27.1/server.go:1313 +0x890
google.golang.org/grpc.(*Server).serveStreams.func1.1()
    google.golang.org/grpc@v1.27.1/server.go:722 +0x84
created by google.golang.org/grpc.(*Server).serveStreams.func1
    google.golang.org/grpc@v1.27.1/server.go:720 +0xe4

Error: The terraform-provider-splunk_v1.4.19 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Error: Process completed with exit code 1.

Resource definition:

resource "splunk_saved_searches" "saved_search" {
  name                              = "Threat - 0811_Unmanaged_Privileged_Access - Rule"
  search                            = file("${path.module}/ss_queries/0811_Unmanaged_Priviledged_Access_Rule.query")
  actions                           = "email"
  action_email_send_results         = "1"
  action_email_subject              = "Splunk Report: P4 - $name$"
  action_email_to                   = "splunk@splunk.com"
  action_email_track_alert          = "1"
  dispatch_earliest_time            = "-7d"
  dispatch_latest_time              = "now"
  cron_schedule                     = "5 4 * * 1"
  alert_suppress                    = "1"
  alert_suppress_fields             = "user,Client_Entity"
  alert_suppress_period             = "86400s"
  description                       = "This UC should detect if a connection to a machine or a cloud service is made with a privileged account that is not stored in the Vault."
  action_email_include_results_link = "0"
  action_email_include_view_link    = "0"
  action_email_inline               = "1"
  action_email_message_alert        = "Report for CyberArk PTA unmanaged privileged access accounts."
  action_email_send_csv             = "1"
  alert_digest_mode                 = "0"
  disabled                          = "1"
  dispatch_rt_backfill              = "1"
  request_ui_dispatch_app           = "SplunkEnterpriseSecuritySuite"
  schedule_window                   = "auto"
  acl {
    owner   = "admin"
    sharing = "app"
    app     = "launcher"
  }
}

So we would like to know what is wrong.

This ticket looks relevant to #128, but there is no meaningful answer on what it could be.