Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

data.tls_certificate.this.certificates is empty list of object #244

Closed
1 task done
henkka opened this issue Jul 22, 2022 · 9 comments · Fixed by #246
Closed
1 task done

data.tls_certificate.this.certificates is empty list of object #244

henkka opened this issue Jul 22, 2022 · 9 comments · Fixed by #246
Assignees
@bflad
Labels
bug

Comments

@henkka
Copy link

henkka commented Jul 22, 2022
edited
Loading

Terraform CLI and Provider Versions

terraform 1.2.5
hashicorp/tls 4.0.0
hashicorp/aws 4.23.0

Terraform Configuration

data "tls_certificate" "this" {
  url = aws_eks_cluster.this.identity[0].oidc[0].issuer
}

resource "aws_iam_openid_connect_provider" "this" {
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.this.certificates[0].sha1_fingerprint]
  url             = aws_eks_cluster.this.identity[0].oidc[0].issuer
}

Expected Behavior

terraform plan should work normally

Actual Behavior

terraform plan fails with the following error

╷
│ Error: Invalid index
│
│   on ../../../eksv2/cluster/oidcp.tf line 7, in resource "aws_iam_openid_connect_provider" "this":
│    7:   thumbprint_list = [data.tls_certificate.this.certificates[0].sha1_fingerprint]
│     ├────────────────
│     │ data.tls_certificate.this.certificates is empty list of object
│
│ The given key does not identify an element in this collection value: the collection has no elements.

Steps to Reproduce

Add

data "tls_certificate" "this" {
  url = aws_eks_cluster.this.identity[0].oidc[0].issuer
}

resource "aws_iam_openid_connect_provider" "this" {
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.this.certificates[0].sha1_fingerprint]
  url             = aws_eks_cluster.this.identity[0].oidc[0].issuer
}

to your state and run terraform plan

How much impact is this issue causing?

High

Logs

No response

Additional Information

Works with downgrading hashicorp/tls provider version to 3.4.0.

This use-case is also shown as an example in https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/certificate

Code of Conduct

  • I agree to follow this project's Code of Conduct
@henkka henkka added the bug label Jul 22, 2022
@absa-rsuarez
Copy link

This is affecting us as well...

@FernandoMiguel FernandoMiguel mentioned this issue Jul 22, 2022
Closed
@bryantbiggs bryantbiggs mentioned this issue Jul 22, 2022
Merged
3 tasks
@ghost
Copy link

ghost commented Jul 22, 2022

I have faced this bug too. Pinning TLS provider version to 3.4 also helps me.

This was referenced Jul 22, 2022
Closed
Merged
@kailashsridharan
Copy link

I am facing this issue too

hashicorp/terraform#31497

@fsalum
Copy link

fsalum commented Jul 22, 2022

Same here and pinning TLS provider to 3.4 works.

@tohid-acc
Copy link

can anyone explain or provide code for pinning tls provider to 3.4 ?

@wrsuarez
Copy link

can anyone explain or provide code for pinning tls provider to 3.4 ?

terraform {
required_providers {
tls = {
source = "hashicorp/tls"
version = "3.4.0"
}
}
}

@bflad bflad self-assigned this Jul 22, 2022
@bflad
Copy link
Contributor

bflad commented Jul 22, 2022
edited
Loading

Hi folks 👋 Thank you for the report and sorry you are running into this frustrating behavior right now.

My team has done some investigation on this and we have some leads on what the underlying issue might be, however it is going to take some additional time to sort out a potential solution. This issue appears to occur only when the data source has an "(known after apply)" (unknown) value for the url attribute. You may be able to workaround this issue by applying any configuration up to the unknown value for the url, e.g. the aws_eks_cluster.this resource in the original issue configuration, via the terraform plan or terraform apply command -target` flag, or switching it to a "hardcoded" string value temporarily.

As an easier fix in your environment, pinning to TLS provider version 3.4.0 using the Terraform configuration recommended in the above comments will ensure your Terraform runs continue as before without the special workaround, e.g.

terraform {
  required_providers {
    tls = {
      source = "hashicorp/tls"
      version = "3.4.0"
    }
  }
}

We will post an additional update when we have information to report. Thank you for your patience.

pst added a commit to kbst/terraform-kubestack that referenced this issue Jul 23, 2022
@pst
Lock tls provider version
e606b6e 
Upstream issue: hashicorp/terraform-provider-tls#244
@bryantbiggs bryantbiggs mentioned this issue Jul 23, 2022
Closed
@Nuru Nuru mentioned this issue Jul 25, 2022
Merged
detro pushed a commit that referenced this issue Jul 25, 2022
Define certificates in tls_certificate data source, as a List o…
d48f2b8 
…f `Object`, instead of a blocks' list

This is necessary. so that we can express to Terraform that the attribute is indeed `Computed` and it can't be expected to be populated, until the data source is read.

This was creating an issue (see #244), as Terraform protocol doesn't support expressing that a Block is Computed: only attributes can be.

This approach avoids the use of `NestedAttributes`, and as such is compatible with Protocol v5 (i.e. TF >= 0.12).
@detro detro mentioned this issue Jul 25, 2022
Merged
detro pushed a commit that referenced this issue Jul 25, 2022
@bflad
BUGFIX: use ListType of ObjectType for Computed attributes inst…
648f27e 
…ead of `Blocks` (#246)

* Define `certificates` in `tls_certificate` data source, as a `List` of `Object`, instead of a blocks' list

This is necessary. so that we can express to Terraform that the attribute is indeed `Computed` and it can't be expected to be populated, until the data source is read.

This was creating an issue (see #244), as Terraform protocol doesn't support expressing that a Block is Computed: only attributes can be.

This approach avoids the use of `NestedAttributes`, and as such is compatible with Protocol v5 (i.e. TF >= 0.12).

* Preparing CHANGELOG for v4.0.1

* Adding acceptance test for `tls_certificate` data source, exercising a scenario where "computed certificates are unknown until applied"

* Apply suggestions from code review

Co-authored-by: Brian Flad <[email protected]>
@detro
Copy link
Contributor

detro commented Jul 25, 2022

Hi all, and apologies for the inconveniences caused by this issue.

Version v4.0.1 of the provider has been released, that addresses this issue with the tls_certificate data source.

Any feedback will be very appreciated.
Thank you

@bflad bflad mentioned this issue Jul 25, 2022
Closed
This was referenced Jul 25, 2022
Closed
Merged
@KarstenSiemer KarstenSiemer mentioned this issue Aug 25, 2022
Merged
3 tasks
@ZoeSecondmind ZoeSecondmind mentioned this issue Oct 2, 2023
Open
@github-actions GitHub Actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 23, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@bflad bflad

Labels
bug
Projects
None yet
Milestone
No milestone
8 participants
@detro @bflad @henkka @fsalum @wrsuarez @kailashsridharan @absa-rsuarez @tohid-acc