data-source/aws_iam_policy_document: Prevent panic when combining single principal identifier with multiple principal identifiers #10780

Merged
merged 3 commits into from
Nov 15, 2019

@bflad bflad commented Nov 7, 2019

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Closes #10777

Release note for CHANGELOG:

* data-source/aws_iam_policy_document: Prevent panic when combining single principal identifier with multiple principal identifiers

Output from acceptance testing before fix:

```
=== CONT  TestAccAWSDataSourceIAMPolicyDocument_Statement_Principal_Identifiers_StringAndSlice
panic: interface conversion: interface {} is string, not []string [recovered]
  panic: interface conversion: interface {} is string, not []string

goroutine 254 [running]:
encoding/json.(*encodeState).marshal.func1(0xc00158f5a8)
  /usr/local/Cellar/go/1.13.4/libexec/src/encoding/json/encode.go:305 +0x9a
panic(0x5a68a40, 0xc000d48210)
  /usr/local/Cellar/go/1.13.4/libexec/src/runtime/panic.go:679 +0x1b2
github.com/terraform-providers/terraform-provider-aws/aws.IAMPolicyStatementPrincipalSet.MarshalJSON(0xc000a17580, 0x2, 0x2, 0x100c733, 0x5a73f60, 0x591b720, 0x7178801, 0xbbd7098)
  /Users/bflad/src/github.com/terraform-providers/terraform-provider-aws/aws/iam_policy_model.go:101 +0x866
```

Output from acceptance testing after fix:

```
--- PASS: TestAccAWSDataSourceIAMPolicyDocument_Statement_Principal_Identifiers_StringAndSlice (10.23s)
--- PASS: TestAccAWSDataSourceIAMPolicyDocument_noStatementMerge (10.26s)
--- PASS: TestAccAWSDataSourceIAMPolicyDocument_basic (10.29s)
--- PASS: TestAccAWSDataSourceIAMPolicyDocument_noStatementOverride (10.30s)
--- PASS: TestAccAWSDataSourceIAMPolicyDocument_sourceConflicting (10.40s)
--- PASS: TestAccAWSDataSourceIAMPolicyDocument_override (10.53s)
--- PASS: TestAccAWSDataSourceIAMPolicyDocument_duplicateSid (11.02s)
--- PASS: TestAccAWSDataSourceIAMPolicyDocument_Version_20081017 (14.87s)
--- PASS: TestAccAWSDataSourceIAMPolicyDocument_source (15.20s)
```

…gle principal identifier with multiple principal identifiers

Reference: #10777

@bflad bflad added bug Addresses a defect in current functionality. crash Results from or addresses a Terraform crash or kernel panic. service/iam Issues and PRs that pertain to the iam service. labels Nov 7, 2019
@bflad bflad requested a review from a team November 7, 2019 01:25
@ghost ghost added tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. size/M Managed by automation to categorize the size of a PR. labels Nov 7, 2019
@netproteus

Can confirm this fixes the issue I opened as well as the more complex config which was crashing.

netproteus commented Nov 9, 2019

@bflad unfortunately there is still something funny going on with multiple principals

```
data "aws_iam_policy_document" "some-policy" {
  statement {
    effect = "Allow"

    actions = [
      "*"
    ]

    resources = [
      "*",
    ]

    principals {
      identifiers = [
        "arn:aws:iam::111111111111:root",
        "arn:aws:iam::222222222222:root",
      ]
      type = "AWS"
    }
    principals {
      identifiers = [
        "arn:aws:iam::333333333333:root",
      ]
      type = "AWS"
    }
    principals {
      identifiers = [
        "arn:aws:iam::444444444444:root",
      ]
      type = "AWS"
    }
  }
}

output "some-policy-json" {
  value = data.aws_iam_policy_document.some-policy.json
}
```

yields the following

```
some-policy-json = {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::444444444444:root",
          "arn:aws:iam::222222222222:root",
          "arn:aws:iam::111111111111:root"
        ]
      }
    }
  ]
}
```
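A post-render check for the symptom reported above, as an added example that is not part of the original thread or the provider's code: it compares the identifiers declared in the `principals` blocks with the rendered `Principal` value, which may be a bare string or a list. The names `principal`, `missingPrincipals` and `rendered` are hypothetical, and it assumes `Statement` is a list and `Principal` an object, as in the output above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type principal struct{ Type, ID string }

// rendered is constructed from the output quoted above (Sid, Action, Resource omitted).
const rendered = `{"Statement":[{"Effect":"Allow","Principal":{"AWS":[
 "arn:aws:iam::444444444444:root","arn:aws:iam::222222222222:root","arn:aws:iam::111111111111:root"]}}]}`

// missingPrincipals returns the declared principals absent from the rendered policy.
func missingPrincipals(policy string, declared []principal) ([]principal, error) {
	var doc struct{ Statement []struct{ Principal map[string]interface{} } }
	if err := json.Unmarshal([]byte(policy), &doc); err != nil {
		return nil, err
	}
	seen := map[principal]bool{}
	for _, st := range doc.Statement {
		for typ, v := range st.Principal {
			switch ids := v.(type) {
			case string: // single identifier rendered as a bare string
				seen[principal{typ, ids}] = true
			case []interface{}: // several identifiers rendered as a list
				for _, id := range ids {
					seen[principal{typ, fmt.Sprint(id)}] = true
				}
			default: // fail loudly instead of skipping an unknown shape
				return nil, fmt.Errorf("unexpected Principal value of type %T", v)
			}
		}
	}
	var missing []principal
	for _, p := range declared {
		if !seen[p] {
			missing = append(missing, p)
		}
	}
	return missing, nil
}

func main() {
	// Identifiers declared in the three principals blocks of the config above.
	declared := []principal{{"AWS", "arn:aws:iam::111111111111:root"}, {"AWS", "arn:aws:iam::222222222222:root"},
		{"AWS", "arn:aws:iam::333333333333:root"}, {"AWS", "arn:aws:iam::444444444444:root"}}
	fmt.Println(missingPrincipals(rendered, declared))
}
```

Run against the rendered output in this comment, it reports the `333333333333` identifier as missing.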

@netproteus

The following fix works for me, but I'm not that proficient in Go, so please check it carefully:

@@ -105,7 +106,17 @@ func (ps IAMPolicyStatementPrincipalSet) MarshalJSON() ([]byte, error) {
                        sort.Sort(sort.Reverse(sort.StringSlice(i)))
                        raw[p.Type] = append(raw[p.Type].([]string), i...)
                case string:
-                       raw[p.Type] = i
+                       switch v := raw[p.Type].(type) {
+                       case nil:
+                               raw[p.Type] = i
+                       case string:
+                               // Convert to []string to stop drop of principals
+                               raw[p.Type] = make([]string, 0, 2)
+                               raw[p.Type] = append(raw[p.Type].([]string), v)
+                               raw[p.Type] = append(raw[p.Type].([]string), i)
+                       case []string:
+                               raw[p.Type] = append(raw[p.Type].([]string), i)
+                       }
                default:
                        return []byte{}, fmt.Errorf("Unsupported data type %T for IAMPolicyStatementPrincipalSet", i)
                }
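
Review bot: the inner `switch v := raw[p.Type].(type)` added under `case string:` has no `default` branch, so if `raw[p.Type]` ever holds anything other than nil, a string or a `[]string`, the identifier `i` is silently dropped, which is the same class of bug this patch sets out to fix; return an error there as the outer `default:` does. The inner `case string:` body can be the single assignment `raw[p.Type] = []string{v, i}`, and the inner `case []string:` can use `append(v, i)` instead of repeating the type assertion. Note also that the existing slice branch reverse-sorts `i` before appending while the identifiers appended here are not sorted, so the order of the rendered list depends on the order of the `principals` blocks; sorting once after all principals are merged would keep the output stable.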

netproteus commented Nov 12, 2019

Patch in previous comment is PR to this PR here with tests: #10844

…_document

data-source/aws_iam_policy_document: support multiple principals in iam policy document without dropping some

@gdavison gdavison left a comment

LGTM 👍

@bflad bflad added this to the v2.37.0 milestone Nov 14, 2019
@bflad bflad merged commit dbbe3f8 into master Nov 15, 2019
@bflad bflad deleted the b-aws_iam_policy_document-stringandslicepanic branch November 15, 2019 00:02
bflad added a commit that referenced this pull request Nov 15, 2019
ghost commented Nov 18, 2019

This has been released in version 2.37.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

ghost commented Dec 15, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Dec 15, 2019
Successfully merging this pull request may close these issues.

Crash: aws_iam_policy_document multiple principals