Fatal Crash on import of aws_acm_certificate.selfsignedcert resource (panic) #7103

Closed
ghost opened this issue Jan 10, 2019 · 5 comments · Fixed by #7127

ghost commented Jan 10, 2019

This issue was originally opened by @queerbsd as hashicorp/terraform#19957. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

```
$ terraform -v
Terraform v0.11.11
+ provider.aws v1.54.0
+ provider.template v1.0.0
```

Terraform Configuration Files

```
resource "aws_acm_certificate" "selfsignedcert" {
  validation_method = "NONE"
  tags = {
    Environment = "${var.vpc_env}"
    Owner = "${var.vpc_owner}"
  }
}
```

Debug Output

https://gist.github.com/queerbsd/e1b4a5cf9361bc65cdb56a9a368c1e2a

Crash Output

Same, basically.
https://gist.github.com/queerbsd/e1b4a5cf9361bc65cdb56a9a368c1e2a

Expected Behavior

Import should have completed and the certificate reference should exist in the state file.

Actual Behavior

Crashed.

Steps to Reproduce

  1. Import a self-signed x509 SHA1 certificate (private and public key) with an IP address as CN to ACM
  2. Create a simple resource entry as above (with or without domain_name value, result is the same)
  3. terraform import aws_acm_certificate.selfsignedcert <arn of just-imported ACM cert>

Additional Context

This is using MFA authenticated chain-role sessions to a member account when accessing the remote state file, via environment variables. Other than that it's quite vanilla.

References

@bflad bflad added bug Addresses a defect in current functionality. service/acm Issues and PRs that pertain to the acm service. crash Results from or addresses a Terraform crash or kernel panic. labels Jan 10, 2019

bflad commented Jan 12, 2019

Relevant portion of crash log:

```
2019-01-10T11:45:31.682+0100 [DEBUG] plugin.terraform-provider-aws_v1.54.0_x4: 2019/01/10 11:45:31 [DEBUG] [aws-sdk-go] {"Certificate":{"CertificateArn":"arn:aws:acm:eu-central-1:123456789012:certificate/a1bcde23-4f5a-678b-9012-34c56d789e01","ExtendedKeyUsages":[],"ImportedAt":1.547111497E9,"InUseBy":[],"Issuer":"XXXX Group","KeyAlgorithm":"RSA-2048","KeyUsages":[{"Name":"ANY"}],"NotAfter":1.776602483E9,"NotBefore":1.461242483E9,"Options":{"CertificateTransparencyLoggingPreference":"DISABLED"},"RenewalEligibility":"INELIGIBLE","Serial":"fc:1f:d1:74:22:54:0a:a3","SignatureAlgorithm":"SHA1WITHRSA","Status":"ISSUED","Subject":"C=GB,ST=England,L=London,O=XXXX Group,OU=xxxx,CN=1.2.3.4","Type":"IMPORTED"}}
2019-01-10T11:45:31.685+0100 [DEBUG] plugin.terraform-provider-aws_v1.54.0_x4: 
Error: aws_acm_certificate.selfsignedcert (import id: arn:aws:acm:eu-central-1:123456789012:certificate/a1bcde23-4f5a-678b-9012-34c56d789e01): 1 error(s) occurred:

* import aws_acm_certificate.selfsignedcert result: arn:aws:acm:eu-central-1:123456789012:certificate/a1bcde23-4f5a-678b-9012-34c56d789e01: aws_acm_certificate.selfsignedcert: unexpected EOF

panic: runtime error: makeslice: cap out of range
2019-01-10T11:45:31.685+0100 [DEBUG] plugin.terraform-provider-aws_v1.54.0_x4: 
2019-01-10T11:45:31.685+0100 [DEBUG] plugin.terraform-provider-aws_v1.54.0_x4: goroutine 75 [running]:
2019-01-10T11:45:31.685+0100 [DEBUG] plugin.terraform-provider-aws_v1.54.0_x4: github.com/terraform-providers/terraform-provider-aws/aws.cleanUpSubjectAlternativeNames(0xc00026fd40, 0x34d8f9a, 0x3, 0x2a05d60)
2019-01-10T11:45:31.685+0100 [DEBUG] plugin.terraform-provider-aws_v1.54.0_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-aws/aws/resource_aws_acm_certificate.go:280 +0x71
2019-01-10T11:45:31.685+0100 [DEBUG] plugin.terraform-provider-aws_v1.54.0_x4: github.com/terraform-providers/terraform-provider-aws/aws.resourceAwsAcmCertificateRead.func1(0xc0002a3450)
2019-01-10T11:45:31.685+0100 [DEBUG] plugin.terraform-provider-aws_v1.54.0_x4: 	/opt/teamcity-agent/work/5d79fe75d4460a2f/src/github.com/terraform-providers/terraform-provider-aws/aws/resource_aws_acm_certificate.go:213 +0x284
```

The resource is currently always expecting SubjectAlternativeNames to have at least one entry. The fix is pretty trivial and hopefully a covering acceptance test is fairly easy too using the new certificate import functionality. 👍

@bflad bflad self-assigned this Jan 12, 2019
@bflad bflad added this to the v1.56.0 milestone Jan 12, 2019
bflad added a commit that referenced this issue Jan 12, 2019
…tiveNames

Reference: #7103

It's possible to import certificates into ACM with an IP address CommonName, which leaves SubjectAlternativeNames empty in the API response. The resource previously assumed there was always one element in the list (the domain name).

Previous output from acceptance testing:

```
=== CONT  TestAccAWSAcmCertificate_imported_IpAddress
panic: runtime error: makeslice: cap out of range

goroutine 437 [running]:
github.com/terraform-providers/terraform-provider-aws/aws.cleanUpSubjectAlternativeNames(0xc000962fc0, 0x48ed811, 0x3, 0x3dbe1a0)
	/Users/bflad/go/src/github.com/terraform-providers/terraform-provider-aws/aws/resource_aws_acm_certificate.go:280 +0x71
github.com/terraform-providers/terraform-provider-aws/aws.resourceAwsAcmCertificateRead.func1(0xc000872cd0)
	/Users/bflad/go/src/github.com/terraform-providers/terraform-provider-aws/aws/resource_aws_acm_certificate.go:213 +0x284
```

Output from acceptance testing:

```
--- PASS: TestAccAWSAcmCertificate_imported_IpAddress (14.29s)
--- PASS: TestAccAWSAcmCertificate_imported_DomainName (22.19s)
```
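
One way the assumption described in the commit message above produces this panic, as an added Go example that is not the provider's source: a result slice whose capacity is computed as the list length minus one fails on an empty list, while one sized from the actual length does not. `certDetail`, `sansAssumingDomain`, `sansGuarded` and `panicMessage` are hypothetical names, and the length-minus-one sizing is an assumed form of the bug.

```go
package main

import "fmt"

// certDetail is a hypothetical stand-in for the API fields involved, not the AWS SDK type.
type certDetail struct {
	DomainName              string
	SubjectAlternativeNames []string
}

// sansAssumingDomain sizes the result as len-1 on the assumption that the
// list always contains the domain name. An empty list yields capacity -1.
func sansAssumingDomain(c certDetail) []string {
	out := make([]string, 0, len(c.SubjectAlternativeNames)-1)
	for _, s := range c.SubjectAlternativeNames {
		if s != c.DomainName {
			out = append(out, s)
		}
	}
	return out
}

// sansGuarded makes no assumption about the list length.
func sansGuarded(c certDetail) []string {
	out := make([]string, 0, len(c.SubjectAlternativeNames))
	for _, s := range c.SubjectAlternativeNames {
		if s != c.DomainName {
			out = append(out, s)
		}
	}
	return out
}

// panicMessage runs f and returns the recovered panic text, or "" if none.
func panicMessage(f func()) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	f()
	return ""
}

func main() {
	ipCert := certDetail{} // constructed sample: no domain name, no SANs
	fmt.Println("unguarded:", panicMessage(func() { sansAssumingDomain(ipCert) }))
	fmt.Println("guarded:  ", sansGuarded(ipCert))
}
```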

bflad commented Jan 12, 2019

Pull request submitted: #7127


bflad commented Jan 14, 2019

The fix for this has been merged and will release with version 1.56.0 of the Terraform AWS provider, likely middle of this week. 👍


bflad commented Jan 16, 2019

This has been released in version 1.56.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.


ghost commented Apr 1, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 1, 2020