Fix panic when reading unconfigured PKI mount URLs (#641)

hashicorp · Jan 7, 2020 · 1a7114f · 1a7114f
1 parent 4615137
commit 1a7114f
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 5 deletions.
diff --git a/vault/resource_pki_secret_backend_config_urls.go b/vault/resource_pki_secret_backend_config_urls.go
@@ -82,9 +82,13 @@ func pkiSecretBackendConfigUrlsRead(d *schema.ResourceData, meta interface{}) er
 	config, err := client.Logical().Read(path)
 
 	if err != nil {
-		log.Printf("[WARN] Removing path %q its ID is invalid", path)
+		return fmt.Errorf("error reading URL config on PKI secret backend %q: %s", path, err)
+	}
+
+	if config == nil {
+		log.Printf("[WARN] Removing URL config path %q as its ID is invalid", path)
 		d.SetId("")
-		return fmt.Errorf("invalid path ID %q: %s", path, err)
+		return nil
 	}
 
 	d.Set("issuing_certificates", config.Data["issuing_certificates"])

diff --git a/vault/resource_pki_secret_backend_config_urls_test.go b/vault/resource_pki_secret_backend_config_urls_test.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/terraform"
 	"github.com/hashicorp/vault/api"
 )
@@ -24,6 +25,11 @@ func TestPkiSecretBackendConfigUrls_basic(t *testing.T) {
 		PreCheck:     func() { testAccPreCheck(t) },
 		CheckDestroy: testPkiSecretBackendConfigUrlsDestroy,
 		Steps: []resource.TestStep{
+			{
+				// Test that reading from an unconfigured mount succeeds
+				Config: testPkiSecretBackendCertConfigUrlsConfig_rootOnly(rootPath),
+				Check:  testPkiSecretBackendConfigUrlsEmptyRead,
+			},
 			{
 				Config: testPkiSecretBackendCertConfigUrlsConfig_basic(rootPath, issuingCertificates, crlDistributionPoints, ocspServers),
 				Check: resource.ComposeTestCheckFunc(
@@ -36,12 +42,41 @@ func TestPkiSecretBackendConfigUrls_basic(t *testing.T) {
 	})
 }
 
+func testPkiSecretBackendConfigUrlsEmptyRead(s *terraform.State) error {
+	paths, err := listPkiPaths(s)
+	if err != nil {
+		return err
+	}
+	for _, path := range paths {
+		d := &schema.ResourceData{}
+		d.SetId(path)
+		if err := pkiSecretBackendConfigUrlsRead(d, testProvider.Meta()); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func testPkiSecretBackendConfigUrlsDestroy(s *terraform.State) error {
+	paths, err := listPkiPaths(s)
+	if err != nil {
+		return err
+	}
+	for _, path := range paths {
+		return fmt.Errorf("mount %q still exists", path)
+	}
+
+	return nil
+}
+
+func listPkiPaths(s *terraform.State) ([]string, error) {
+	var paths []string
+
 	client := testProvider.Meta().(*api.Client)
 
 	mounts, err := client.Sys().ListMounts()
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	for _, rs := range s.RootModule().Resources {
@@ -52,11 +87,23 @@ func testPkiSecretBackendConfigUrlsDestroy(s *terraform.State) error {
 			path = strings.Trim(path, "/")
 			rsPath := strings.Trim(rs.Primary.Attributes["path"], "/")
 			if mount.Type == "pki" && path == rsPath {
-				return fmt.Errorf("mount %q still exists", path)
+				paths = append(paths, path)
 			}
 		}
 	}
-	return nil
+
+	return paths, nil
+}
+
+func testPkiSecretBackendCertConfigUrlsConfig_rootOnly(rootPath string) string {
+	return fmt.Sprintf(`
+resource "vault_pki_secret_backend" "test-root" {
+  path = "%s"
+  description = "test root"
+  default_lease_ttl_seconds = "8640000"
+  max_lease_ttl_seconds = "8640000"
+}
+`, rootPath)
 }
 
 func testPkiSecretBackendCertConfigUrlsConfig_basic(rootPath string, issuingCertificates string, crlDistributionPoints string, ocspServers string) string {