New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
hashicorp/tls provider claims it can plan destroy operations but fails when asked to plan destroy of tls_self_signed_cert #31820
Comments
I've confirmed that the provider does seem to be opting in to being asked to plan destroy, although it's the plugin framework doing it on the provider's behalf: https://github.com/hashicorp/terraform-plugin-framework/blob/7541ab15654b00837015180ecdb7f439e604c6cf/internal/fwserver/server_getproviderschema.go#L29-L31 I initially thought we were lacking a check in Terraform Core but it turns out it was just one layer deeper than I expected: terraform/internal/plugin/grpc_provider.go Lines 422 to 426 in 6706d52
Since
Right now I find myself leaning towards option 2 because it's something that can be handled totally within this codebase and avoids creating a hazard where an existing provider release isn't compatible with a new Terraform Core release, even though technically it's the provider that is "incorrect" here. However, we'll need to verify that such a change won't impact an already-released provider that does correctly implement destroy planning and will then have that support retroactively revoked from it. My sense is that the likelihood of this is low because there hasn't yet been any stable release of Terraform Core which supports provider-planned destroy, and that any existing provider relying on it would end up treating the final v1.3.0 release as if it were a v1.2.x release; providers must already be able to handle the situation where older versions of Terraform Core don't ask at all. |
The problem here appears to have been a bug in the provider framework which has since been patched. An invalid value was being passed to the plan modifier during destroy, so any attribute access within that value would result in the above error. At least within the HashiCorp associated organizations, the TLS provider appears to be the only one using this combination of functionality, so the problem is hopefully not widespread enough to warrant pulling the feature altogether. |
The maintainers of the Because of this provider bug, As @jbardin noted, we don't know of any other providers that have this problem, but we cannot see into the source code of privately-maintained providers and so it is possible that such a provider may exhibit a similar problem. If so, the resolution would be to upgrade your provider's dependency to at least Terraform Plugin Framework v0.12.0. If that doesn't resolve the problem, please open an issue in the Terraform Plugin Framework repository where we can investigate further. As far as we can tell there is no change required in this repository, since Terraform Core seems to be behaving correctly and the framework bug which caused this error has now been resolved. Therefore I'm going to close this issue. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Terraform v1.3 is intending to introduce a new provider protocol capability where a provider which opts in will be asked to plan the destruction of any of its resource types. Previous versions of Terraform just always unilaterally generated a destroy plan on a provider's behalf, which prevented the provider from failing the plan with an error or generating warnings.
To avoid exposing existing provider implementations to a new situation they weren't designed to deal with, we designed this as an opt-in capability where the provider can report as part of its
GetProviderSchema
response that it supports theplan_destroy
capability, in which case Terraform Core will callPlanResourceChange
with a null new value in order to ask a provider to produce a destroy plan for any of its resource types.Unfortunately it seems that either the
hashicorp/tls
is already opting in to this capability (even though it hasn't appeared in any Terraform CLI release yet) or Terraform Core is asking the provider to plan its destroy despite the capability not being set. This fails fortls_self_signed_cert
because its planning function is not equipped to deal with the proposed new object being null and it fails like this:From an end-user standpoint that looks something like the following:
The following configuration seems to reproduce this with
terraform apply
followed byterraform destroy
:I've not yet diagnosed the root cause of this bug. I have to possible explanations in mind here, and so the first step will be determining which of these is true.
plan_destroy
capability but Terraform Core is asking it to plan destroy anyway. This would be the most ideal situation because the fix would be localized in Terraform Core and so we can address it before shipping v1.3.0 final.plan_destroy
capability even though it isn't actually capable of planning destroy. If this is true then the situation is messier because there's already at least one TLS provider release out there which announces it and so we'd likely need to change Terraform Core to ignore that incorrect announcement and use a different capability attribute to activate this feature instead. That would mean that any existing provider already shipped would never be asked to plan destroy, but later provider releases could still do so by opting in to the new capability.The text was updated successfully, but these errors were encountered: