Terraform Core Version
1.12.2
Terraform Vault Provider Version
5.2.1
Vault Server Version
1.20.2
Affected Resource(s)
- resource_kv_secret_v2
Expected Behavior
vault_kv_secret_v2 crashes with a panic when neither data_json nor data_json_wo is provided. The panic occurs in kvSecretV2Write when calling .AsString() on a null/unknown value read from raw config. This should be handled as an input validation error instead of crashing the provider.
resource "vault_kv_secret_v2" "kv_example" {
  name  = "test-123"
  mount = "secret"
}
Actual Behavior
❯ terraform apply
Terraform used the selected providers to generate the
following execution plan. Resource actions are
indicated with the following symbols:
+ create
Terraform will perform the following actions:
# vault_kv_secret_v2.kv_engine will be created
+ resource "vault_kv_secret_v2" "kv_engine" {
+ data = (sensitive value)
+ data_json_wo = (write-only attribute)
+ delete_all_versions = false
+ disable_read = false
+ id = (known after apply)
+ metadata = (known after apply)
+ mount = "secret"
+ name = "name"
+ path = (known after apply)
+ custom_metadata (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
vault_kv_secret_v2.kv_engine: Creating...
╷
│ Error: Request cancelled
│
│ with vault_kv_secret_v2.kv_engine,
│ on main.tf line 16, in resource "vault_kv_secret_v2" "kv_engine":
│ 16: resource "vault_kv_secret_v2" "kv_engine" {
│
│ The plugin.(*GRPCProvider).ApplyResourceChange
│ request was cancelled.
╵
Stack trace from the terraform-provider-vault_v5.2.1_x5 plugin:
panic: value is null
.....
Relevant Error/Panic Output Snippet
goroutine 65 [running]:
github.com/hashicorp/go-cty/cty.Value.AsString({{{0x105b3dc78?, 0x1400000e6e9?}}, {0x0?, 0x0?}})
github.com/hashicorp/[email protected]/cty/value_ops.go:1184 +0x114
github.com/hashicorp/terraform-provider-vault/vault.kvSecretV2Write({0x105b3d640, 0x140004cd0a0}, 0x14000962bd0, {0x105a7de40, 0x14000a96080})
github.com/hashicorp/terraform-provider-vault/vault/resource_kv_secret_v2.go:226 +0x2c4
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0x1400070e100, {0x105b3d598, 0x14000a08ed0}, 0x14000962bd0, {0x105a7de40, 0x14000a96080})
github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:849 +0xe4
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0x1400070e100, {0x105b3d598, 0x14000a08ed0}, 0x140009369c0, 0x14000962ab0, {0x105a7de40, 0x14000a96080})
github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:980 +0x8e8
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0x1400000db48, {0x105b3d598?, 0x14000a08e10?}, 0x140006605f0)
github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:1484 +0xd48
github.com/hashicorp/terraform-plugin-mux/tf5muxserver.(*muxServer).ApplyResourceChange(0x14000695f00, {0x105b3d598?, 0x14000a08b40?}, 0x140006605f0)
github.com/hashicorp/[email protected]/tf5muxserver/mux_server_ApplyResourceChange.go:36 +0x17c
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0x140006b0320, {0x105b3d598?, 0x14000a08030?}, 0x14000136200)
github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:941 +0x294
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x105af3660, 0x140006b0320}, {0x105b3d598, 0x14000a08030}, 0x14000136180, 0x0)
github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:687 +0x1c0
google.golang.org/grpc.(*Server).processUnaryRPC(0x140001a8800, {0x105b3d598, 0x140009b8720}, 0x14000ab9200, 0x14000628840, 0x10668c6c8, 0x0)
google.golang.org/[email protected]/server.go:1405 +0xc9c
google.golang.org/grpc.(*Server).handleStream(0x140001a8800, {0x105b3def0, 0x1400073d380}, 0x14000ab9200)
google.golang.org/[email protected]/server.go:1815 +0x900
google.golang.org/grpc.(*Server).serveStreams.func2.1()
google.golang.org/[email protected]/server.go:1035 +0x84
created by google.golang.org/grpc.(*Server).serveStreams.func2 in goroutine 28
google.golang.org/[email protected]/server.go:1046 +0x138
Error: The terraform-provider-vault_v5.2.1_x5 plugin crashed!
This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.
Terraform Configuration Files
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 5.2.1"
    }
  }
}

provider "vault" {
  address = "http://127.0.0.1:8200"
  token   = var.token
}

variable "token" {
  description = "The token to access Vault"
  type        = string
}

resource "vault_kv_secret_v2" "kv_example" {
  name  = "test_123" # Try with a secret name that doesn't exist
  mount = "secret"
}
Steps to Reproduce
Use the following Terraform configuration:
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 5.2.1"
    }
  }
}

provider "vault" {
  address = "http://127.0.0.1:8200"
  token   = var.token
}

variable "token" {
  description = "The token to access Vault"
  type        = string
}

resource "vault_kv_secret_v2" "kv_engine" {
  name  = "name" # Try with a secret name that doesn't exist
  mount = "secret"
}
Then run
$ terraform init
$ terraform apply -var="token=<VAULT_TOKEN>"
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
Yes
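The guard the report asks for, as an added Go example that is not part of the original issue and is not the provider's code: check for null or unknown before calling `AsString`, and return an error when neither attribute carries data. Assumptions: `value` is a constructed stand-in for `cty.Value` so the block runs without dependencies, `secretPayload` and `errNoData` are hypothetical names, and the write-only attribute is consulted first.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// value is a constructed stand-in for cty.Value (not the real type): as in the
// trace above, AsString panics when the value is null.
type value struct {
	s             string
	null, unknown bool
}

func (v value) IsNull() bool  { return v.null }
func (v value) IsKnown() bool { return !v.unknown }
func (v value) AsString() string {
	if v.null {
		panic("value is null")
	}
	if v.unknown {
		panic("value is unknown")
	}
	return v.s
}

var errNoData = errors.New(`one of "data_json" or "data_json_wo" must be provided`)

// secretPayload (hypothetical helper) returns the JSON payload to write, or an
// error the provider can surface as a diagnostic instead of crashing.
// Assumption: the write-only attribute is consulted first.
func secretPayload(dataJSONWO, dataJSON value) (map[string]any, error) {
	for _, v := range []value{dataJSONWO, dataJSON} {
		if v.IsNull() || !v.IsKnown() {
			continue // never call AsString on a null or unknown value
		}
		var out map[string]any
		if err := json.Unmarshal([]byte(v.AsString()), &out); err != nil {
			return nil, fmt.Errorf("secret data is not a JSON object: %w", err)
		}
		return out, nil
	}
	return nil, errNoData
}

func main() {
	null := value{null: true}
	_, err := secretPayload(null, null) // the configuration from the report
	fmt.Println("neither attribute set:", err)
	data, err := secretPayload(null, value{s: `{"zip":"zap"}`})
	fmt.Println("data_json set:", data, err)
}
```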