
Terraform Crash #35641

Closed
Bibz87 opened this issue Aug 26, 2024 · 9 comments · Fixed by #35666
Labels
backend/k8s bug new new issue not yet triaged

Comments

@Bibz87

Bibz87 commented Aug 26, 2024

Terraform Version

Terraform v1.9.5
on windows_amd64
+ provider registry.terraform.io/hashicorp/random v3.6.2

Terraform Configuration Files

terraform {
  backend "kubernetes" {
    config_path   = "~/.kube/config"
    namespace     = "terraform-tests"
    secret_suffix = "test-01"
  }
}

resource "random_string" "test" {
  length = 8
  special = false
}

Debug Output

https://gist.github.com/Bibz87/2c68fea5383e932e99451051d1bc10d9

Expected Behavior

Terraform doesn't crash during initialisation

Actual Behavior

Attempting to initialise Terraform configuration results in crash

Steps to Reproduce

  1. terraform init

Additional Context

After some testing, it looks like ending the secret suffix with a number causes the crash. Changing secret_suffix from test-01 to test makes the initialisation work properly without crashing.

Note: Terraform does create the Kubernetes secret before crashing.

References

No response

@Bibz87 Bibz87 added bug new new issue not yet triaged labels Aug 26, 2024
@Bibz87
Author

Bibz87 commented Aug 26, 2024

I definitely don't feel comfortable downloading and installing random patches from untrusted sources.

@crw
Collaborator

crw commented Aug 26, 2024

Looks like spam. Will report to GitHub.

@hashicorp hashicorp deleted a comment from Saschl Aug 26, 2024
@hashicorp hashicorp deleted a comment Aug 26, 2024
@hashicorp hashicorp deleted a comment Aug 26, 2024
@crw
Collaborator

crw commented Aug 26, 2024

@Bibz87 Thanks for your report!

@Bibz87
Author

Bibz87 commented Aug 26, 2024

Let me know if you need anything from me to help with debugging. 😀

@hashicorp hashicorp deleted a comment Aug 26, 2024
@Saschl

Saschl commented Aug 26, 2024

Looks like spam. Will report to GitHub.

Very sorry about that (one of the comments came from my account). Account got compromised and posted this malicious stuff. Should not happen again

@bschaatsbergen
Member

Similar to #33995 cc @crw

@bschaatsbergen
Member

bschaatsbergen commented Sep 2, 2024

When the secret_suffix is "test-44", the backend attempts to retrieve a secret named "<secret>-test-44". It then uses the Atoi function to parse the last segment of the name, assuming it's an integer index. This is what leads to errors if the suffix isn't actually an index, resulting in the out-of-bounds error.

This assumption seems to be related to how the backend manages Terraform state files. Since state files can be too large to fit into a single Kubernetes secret, the backend chunks the state into multiple secrets, see this part of the secret creation implementation. This chunking mechanism leads to the use of numeric suffixes to differentiate between chunks. However, relying on the assumption that the last part of the secret name is potentially an index can cause issues if the suffix is not intended to be an index when set by the user.

Given the complexity introduced by the existing chunking mechanism, supporting secret suffixes with a trailing -<int> becomes extremely challenging. To avoid potential issues, I recommend not allowing trailing -<int> values in the secret_suffix moving forward.
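
The name collision described above, as an added Go sketch that is not Terraform's own code: a hypothetical ValidateSecretSuffix check of the kind the thread proposes, next to a ChunkIndex function that reproduces the naive last-segment Atoi parse and shows why a suffix such as test-44 is mistaken for a chunk index. The tfstate- name prefix, the function names and the sample suffixes are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// trailingIndex matches a "-<digits>" tail such as the "-01" in "test-01".
var trailingIndex = regexp.MustCompile(`-[0-9]+$`)

// ValidateSecretSuffix rejects a secret_suffix whose last "-" segment is purely
// numeric, because the backend reserves that shape for state chunk indices.
// Hypothetical check for illustration, not Terraform's implementation.
func ValidateSecretSuffix(suffix string) error {
	if trailingIndex.MatchString(suffix) {
		return fmt.Errorf("secret_suffix %q must not end with -<number>: reserved for state chunk indices", suffix)
	}
	return nil
}

// ChunkIndex reproduces the naive parse described in the thread: split the
// secret name on "-" and treat the last segment as an integer chunk index when
// it parses. An unchunked state stored under "tfstate-test-44" therefore yields
// index 44, the misclassification behind the out-of-bounds crash.
func ChunkIndex(secretName string) (int, bool) {
	parts := strings.Split(secretName, "-")
	idx, err := strconv.Atoi(parts[len(parts)-1])
	if err != nil {
		return 0, false
	}
	return idx, true
}

func main() {
	for _, suffix := range []string{"test", "test-01", "prod-v2", "test-44"} {
		name := "tfstate-" + suffix // constructed secret name
		idx, looksChunked := ChunkIndex(name)
		fmt.Printf("%-8s index=%-3d chunked=%-5v validate=%v\n",
			suffix, idx, looksChunked, ValidateSecretSuffix(suffix))
	}
}
```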

@bschaatsbergen
Member

bschaatsbergen commented Sep 2, 2024

I’ve opened a PR (#35666) to add extra validation for the secret_suffix, preventing it from ending with a trailing -<number>. This helps avoid conflicts with the backend’s chunking mechanism, which appends numeric indices to secret names.


github-actions bot commented Nov 4, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 4, 2024