Open yaroslav-nakonechnikov opened 1 year ago
Hello,
We tried to use that provider and got an issue:
```
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # splunk_saved_searches.saved_search will be created
  + resource "splunk_saved_searches" "saved_search" {
      + action_email = (known after apply)
      + action_email_auth_password = (known after apply)
      + action_email_auth_username = (known after apply)
      + action_email_bcc = (known after apply)
      + action_email_cc = (known after apply)
      + action_email_command = (known after apply)
      + action_email_format = (known after apply)
      + action_email_from = (known after apply)
      + action_email_hostname = (known after apply)
      + action_email_include_results_link = 0
      + action_email_include_search = (known after apply)
      + action_email_include_trigger = (known after apply)
      + action_email_include_trigger_time = (known after apply)
      + action_email_include_view_link = 0
      + action_email_inline = true
      + action_email_mailserver = (known after apply)
      + action_email_max_results = (known after apply)
      + action_email_max_time = (known after apply)
      + action_email_message_alert = "Report for CyberArk PTA unmanaged privileged access accounts."
      + action_email_message_report = (known after apply)
      + action_email_pdfview = (known after apply)
      + action_email_preprocess_results = (known after apply)
      + action_email_report_cid_font_list = (known after apply)
      + action_email_report_include_splunk_logo = (known after apply)
      + action_email_report_paper_orientation = (known after apply)
      + action_email_report_paper_size = (known after apply)
      + action_email_report_server_enabled = (known after apply)
      + action_email_report_server_url = (known after apply)
      + action_email_send_csv = 1
      + action_email_send_pdf = (known after apply)
      + action_email_send_results = true
      + action_email_subject = "Splunk Report: P4 - $name$"
      + action_email_to = "splunk@splunk.com"
      + action_email_track_alert = true
      + action_email_ttl = (known after apply)
      + action_email_use_ssl = (known after apply)
      + action_email_use_tls = (known after apply)
      + action_email_width_sort_columns = (known after apply)
      + action_populate_lookup = (known after apply)
      + action_populate_lookup_command = (known after apply)
      + action_populate_lookup_dest = (known after apply)
      + action_populate_lookup_hostname = (known after apply)
      + action_populate_lookup_max_results = (known after apply)
      + action_populate_lookup_max_time = (known after apply)
      + action_populate_lookup_track_alert = (known after apply)
      + action_populate_lookup_ttl = (known after apply)
      + action_rss = (known after apply)
      + action_rss_command = (known after apply)
      + action_rss_hostname = (known after apply)
      + action_rss_max_results = (known after apply)
      + action_rss_max_time = (known after apply)
      + action_rss_track_alert = (known after apply)
      + action_rss_ttl = (known after apply)
      + action_script = (known after apply)
      + action_script_command = (known after apply)
      + action_script_filename = (known after apply)
      + action_script_hostname = (known after apply)
      + action_script_max_results = (known after apply)
      + action_script_max_time = (known after apply)
      + action_script_track_alert = (known after apply)
      + action_script_ttl = (known after apply)
      + action_slack_param_attachment = "none"
      + action_snow_event_param_account = (known after apply)
      + action_snow_event_param_additional_info = (known after apply)
      + action_snow_event_param_ci_identifier = (known after apply)
      + action_snow_event_param_custom_fields = (known after apply)
      + action_snow_event_param_description = (known after apply)
      + action_snow_event_param_node = (known after apply)
      + action_snow_event_param_resource = (known after apply)
      + action_snow_event_param_severity = (known after apply)
      + action_snow_event_param_type = (known after apply)
      + action_summary_index = (known after apply)
      + action_summary_index_command = (known after apply)
      + action_summary_index_hostname = (known after apply)
      + action_summary_index_inline = (known after apply)
      + action_summary_index_max_results = (known after apply)
      + action_summary_index_max_time = (known after apply)
      + action_summary_index_name = (known after apply)
      + action_summary_index_track_alert = (known after apply)
      + action_summary_index_ttl = (known after apply)
      + actions = "email"
      + alert_comparator = (known after apply)
      + alert_condition = (known after apply)
      + alert_digest_mode = false
      + alert_expires = (known after apply)
      + alert_severity = (known after apply)
      + alert_suppress = true
      + alert_suppress_fields = "user,Client_Entity"
      + alert_suppress_period = "86400s"
      + alert_threshold = (known after apply)
      + alert_track = (known after apply)
      + alert_type = (known after apply)
      + allow_skew = (known after apply)
      + auto_summarize = (known after apply)
      + auto_summarize_command = (known after apply)
      + auto_summarize_cron_schedule = (known after apply)
      + auto_summarize_dispatch_earliest_time = (known after apply)
      + auto_summarize_dispatch_latest_time = (known after apply)
      + auto_summarize_dispatch_time_format = (known after apply)
      + auto_summarize_dispatch_ttl = (known after apply)
      + auto_summarize_max_disabled_buckets = (known after apply)
      + auto_summarize_max_summary_ratio = (known after apply)
      + auto_summarize_max_summary_size = (known after apply)
      + auto_summarize_max_time = (known after apply)
      + auto_summarize_suspend_period = (known after apply)
      + auto_summarize_timespan = (known after apply)
      + cron_schedule = "5 4 * * 1"
      + description = "This UC should detect if a connection to a machine or a cloud service is made with a privileged account that is not stored in the Vault."
      + disabled = true
      + dispatch_buckets = (known after apply)
      + dispatch_earliest_time = "-7d"
      + dispatch_index_earliest = (known after apply)
      + dispatch_index_latest = (known after apply)
      + dispatch_indexed_realtime = (known after apply)
      + dispatch_indexed_realtime_minspan = (known after apply)
      + dispatch_indexed_realtime_offset = (known after apply)
      + dispatch_latest_time = "now"
      + dispatch_lookups = (known after apply)
      + dispatch_max_count = (known after apply)
      + dispatch_max_time = (known after apply)
      + dispatch_reduce_freq = (known after apply)
      + dispatch_rt_backfill = true
      + dispatch_rt_maximum_span = (known after apply)
      + dispatch_spawn_process = (known after apply)
      + dispatch_time_format = (known after apply)
      + dispatch_ttl = (known after apply)
      + display_view = (known after apply)
      + id = (known after apply)
      + is_scheduled = (known after apply)
      + is_visible = true
      + max_concurrent = (known after apply)
      + name = "Threat - 0811_Unmanaged_Privileged_Access - Rule"
      + realtime_schedule = (known after apply)
      + request_ui_dispatch_app = "SplunkEnterpriseSecuritySuite"
      + request_ui_dispatch_view = (known after apply)
      + restart_on_searchpeer_add = (known after apply)
      + run_on_startup = (known after apply)
      + schedule_priority = (known after apply)
      + schedule_window = "auto"
      + search = <<-EOT
            `indexes_live_cyberark` sourcetype="cyberark:pta:json" signature_id="22" signature="Unmanaged privileged access" \
            |stats values(src) as src_ip values(dst) as dest max(_time) as _time values(index) as index values(signature) as message values(signature_id) as signature_id values(ba_sys_id) as ba_sys_id by duser client_entity\
            |rename _time as event_time dest as hostname duser as user client_entity as Client_Entity\
            | eval event_time=strftime(event_time,"%Y-%m-%d %H:%M:%S")\
            | table event_time Client_Entity index src_ip hostname user message signature_id ba_sys_id
        EOT
      + vsid = (known after apply)
      + workload_pool = (known after apply)

      + acl {
          + app = "launcher"
          + can_change_perms = (known after apply)
          + can_share_app = (known after apply)
          + can_share_global = (known after apply)
          + can_share_user = (known after apply)
          + can_write = (known after apply)
          + owner = "admin"
          + read = (known after apply)
          + removable = (known after apply)
          + sharing = "app"
          + write = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.
splunk_saved_searches.saved_search: Creating...
╷
│ Error: Plugin did not respond
│
│   with splunk_saved_searches.saved_search,
│   on main.tf line 6, in resource "splunk_saved_searches" "saved_search":
│    6: resource "splunk_saved_searches" "saved_search" {
│
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may
│ contain more details.
╵

Stack trace from the terraform-provider-splunk_v1.4.19 plugin:

panic: runtime error: index out of range [0] with length 0

goroutine 34 [running]:
github.com/splunk/terraform-provider-splunk/splunk.getSavedSearchesConfigByName({0x40000350b0, 0x30}, 0x4000226ab0)
	github.com/splunk/terraform-provider-splunk/splunk/resource_splunk_saved_searches.go:1886 +0x220
github.com/splunk/terraform-provider-splunk/splunk.savedSearchesRead(0x4000232000, {0x76c920?, 0x400023ac50})
	github.com/splunk/terraform-provider-splunk/splunk/resource_splunk_saved_searches.go:1159 +0x164
github.com/splunk/terraform-provider-splunk/splunk.savedSearchesCreate(0x7c9a00?, {0x76c920?, 0x400023ac50})
	github.com/splunk/terraform-provider-splunk/splunk/resource_splunk_saved_searches.go:1144 +0x1b8
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Resource).Apply(0x40004b6090, 0x4000280370, 0x40005ea720, {0x76c920, 0x400023ac50})
	github.com/hashicorp/terraform-plugin-sdk@v1.15.0/helper/schema/resource.go:310 +0x3cc
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Provider).Apply(0x400017c980, 0x4000299940, 0x8bf15c?, 0xf?)
	github.com/hashicorp/terraform-plugin-sdk@v1.15.0/helper/schema/provider.go:294 +0x6c
github.com/hashicorp/terraform-plugin-sdk/internal/helper/plugin.(*GRPCProviderServer).ApplyResourceChange(0x400000ed38, {0x40002323f0?, 0x0?}, 0x40002323f0)
	github.com/hashicorp/terraform-plugin-sdk@v1.15.0/internal/helper/plugin/grpc_provider.go:885 +0x69c
github.com/hashicorp/terraform-plugin-sdk/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x88ba20?, 0x400000ed38}, {0xa57190, 0x400072a1e0}, 0x4000684120, 0x0)
	github.com/hashicorp/terraform-plugin-sdk@v1.15.0/internal/tfplugin5/tfplugin5.pb.go:3305 +0x16c
google.golang.org/grpc.(*Server).processUnaryRPC(0x4000378480, {0xa5aac0, 0x4000378600}, 0x400021e400, 0x40004d3920, 0xf3e760, 0x0)
	google.golang.org/grpc@v1.27.1/server.go:1024 +0xb4c
google.golang.org/grpc.(*Server).handleStream(0x4000378480, {0xa5aac0, 0x4000378600}, 0x400021e400, 0x0)
	google.golang.org/grpc@v1.27.1/server.go:1313 +0x890
google.golang.org/grpc.(*Server).serveStreams.func1.1()
	google.golang.org/grpc@v1.27.1/server.go:722 +0x84
created by google.golang.org/grpc.(*Server).serveStreams.func1
	google.golang.org/grpc@v1.27.1/server.go:720 +0xe4

Error: The terraform-provider-splunk_v1.4.19 plugin crashed! This is always indicative of a bug within the plugin. It would be immensely helpful if you could report the crash with the plugin's maintainers so that it can be fixed. The output above should help diagnose the issue.

Error: Process completed with exit code 1.
```
Resource definition:
```hcl
resource "splunk_saved_searches" "saved_search" {
  name                              = "Threat - 0811_Unmanaged_Privileged_Access - Rule"
  search                            = file("${path.module}/ss_queries/0811_Unmanaged_Priviledged_Access_Rule.query")
  actions                           = "email"
  action_email_send_results         = "1"
  action_email_subject              = "Splunk Report: P4 - $name$"
  action_email_to                   = "splunk@splunk.com"
  action_email_track_alert          = "1"
  dispatch_earliest_time            = "-7d"
  dispatch_latest_time              = "now"
  cron_schedule                     = "5 4 * * 1"
  alert_suppress                    = "1"
  alert_suppress_fields             = "user,Client_Entity"
  alert_suppress_period             = "86400s"
  description                       = "This UC should detect if a connection to a machine or a cloud service is made with a privileged account that is not stored in the Vault."
  action_email_include_results_link = "0"
  action_email_include_view_link    = "0"
  action_email_inline               = "1"
  action_email_message_alert        = "Report for CyberArk PTA unmanaged privileged access accounts."
  action_email_send_csv             = "1"
  alert_digest_mode                 = "0"
  disabled                          = "1"
  dispatch_rt_backfill              = "1"
  request_ui_dispatch_app           = "SplunkEnterpriseSecuritySuite"
  schedule_window                   = "auto"

  acl {
    owner   = "admin"
    sharing = "app"
    app     = "launcher"
  }
}
```
So we would like to know what is wrong.
This ticket looks relevant to #128, but there is no meaningful answer on what it could be.
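
The panic in the trace above, `index out of range [0] with length 0`, is what Go raises when code reads element 0 of an empty slice. The following is an added example, not part of the original issue and not the provider's code: a lookup that returns an error when a listing comes back empty or without the requested name. The type and function names and the JSON shape are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ErrNoEntry marks a lookup whose response held no matching entry.
var ErrNoEntry = errors.New("saved search not found in response")

// Hypothetical types modelling a REST listing with an "entry" array.
type savedSearchEntry struct {
	Name string `json:"name"`
}

type savedSearchResponse struct {
	Entry []savedSearchEntry `json:"entry"`
}

// firstEntryByName decodes body and returns the entry called name.
// An empty or non-matching listing yields ErrNoEntry instead of a panic.
func firstEntryByName(body []byte, name string) (*savedSearchEntry, error) {
	var resp savedSearchResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	for i := range resp.Entry {
		if resp.Entry[i].Name == name {
			return &resp.Entry[i], nil
		}
	}
	return nil, fmt.Errorf("%w: %q (%d entries returned)", ErrNoEntry, name, len(resp.Entry))
}

func main() {
	// Constructed sample bodies, not captured from a Splunk server.
	name := "Threat - 0811_Unmanaged_Privileged_Access - Rule"
	empty := []byte(`{"entry": []}`)
	found := []byte(`{"entry": [{"name": "` + name + `"}]}`)

	if _, err := firstEntryByName(empty, name); err != nil {
		fmt.Println("empty listing:", err)
	}
	if e, err := firstEntryByName(found, name); err == nil {
		fmt.Println("found:", e.Name)
	}
}
```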