Provisioning a new ResourceServer results in a panic

[PatrickMilroy]

What happened?

Trying to create a new ResourceServer results in following error:

  auth0:index:ResourceServer :
    error: error reading from server: EOF

    panic: value is null
    goroutine 29 [running]:
    github.com/hashicorp/go-cty/cty.Value.AsString({{{0x1033c1810?, 0x1400003e1a1?}}, {0x0?, 0x0?}})
        /home/runner/go/pkg/mod/github.com/hashicorp/[email protected]/cty/value_ops.go:1176 +0x114
    github.com/auth0/terraform-provider-auth0/internal/auth0/resourceserver.isManagementAPI({{{0x1033c18f0?, 0x140006361a8?}}, {0x10321cd80?, 0x140009953b0?}})
        /home/runner/go/pkg/mod/github.com/auth0/[email protected]/internal/auth0/resourceserver/resource.go:299 +0x64
    github.com/auth0/terraform-provider-auth0/internal/auth0/resourceserver.expandResourceServer(0x14000357d80)
        /home/runner/go/pkg/mod/github.com/auth0/[email protected]/internal/auth0/resourceserver/resource.go:251 +0x120
    github.com/auth0/terraform-provider-auth0/internal/auth0/resourceserver.createResourceServer({0x1033c0cb0, 0x140009958c0}, 0x12b599c98?, {0x103230120?, 0x1400063fbe0?})
        /home/runner/go/pkg/mod/github.com/auth0/[email protected]/internal/auth0/resourceserver/resource.go:152 +0x5c
    github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0x14000334c40, {0x1033c0c78, 0x1400003e248}, 0xd?, {0x103230120, 0x1400063fbe0})
        /home/runner/go/pkg/mod/github.com/pulumi/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:738 +0xe8
    github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0x14000334c40, {0x1033c0c78, 0x1400003e248}, 0x0, 0x14000357b80, {0x103230120, 0x1400063fbe0})
        /home/runner/go/pkg/mod/github.com/pulumi/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:869 +0x874
    github.com/pulumi/pulumi-terraform-bridge/v3/pkg/tfshim/sdk-v2.v2Provider.Apply({0x14000622b40?, {0x0?, 0x14000683570?, 0x103367da0?}}, {0x102ef0f80, 0x15}, {0x0?, 0x0}, {0x1033c71d0?, 0x14000357b80})
        /home/runner/go/pkg/mod/github.com/pulumi/pulumi-terraform-bridge/[email protected]/pkg/tfshim/sdk-v2/provider.go:100 +0x154
    github.com/pulumi/pulumi-terraform-bridge/v3/pkg/tfbridge.(*Provider).Create(0x14000632580, {0x1033c0ce8?, 0x14000994840?}, 0x14000111400)
        /home/runner/go/pkg/mod/github.com/pulumi/pulumi-terraform-bridge/[email protected]/pkg/tfbridge/provider.go:752 +0x4f8
    github.com/pulumi/pulumi/sdk/v3/proto/go._ResourceProvider_Create_Handler.func1({0x1033c0ce8, 0x14000994840}, {0x10330c600?, 0x14000111400})
        /home/runner/go/pkg/mod/github.com/pulumi/pulumi/sdk/[email protected]/proto/go/provider_grpc.pb.go:573 +0x74
    github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc.OpenTracingServerInterceptor.func1({0x1033c0ce8, 0x14000994780}, {0x10330c600, 0x14000111400}, 0x1400003ac40, 0x1400098a3c0)
        /home/runner/go/pkg/mod/github.com/grpc-ecosystem/[email protected]/go/otgrpc/server.go:57 +0x2f4
    github.com/pulumi/pulumi/sdk/v3/proto/go._ResourceProvider_Create_Handler({0x10337cc80?, 0x14000632580}, {0x1033c0ce8, 0x14000994780}, 0x140001a1180, 0x14000399d60)
        /home/runner/go/pkg/mod/github.com/pulumi/pulumi/sdk/[email protected]/proto/go/provider_grpc.pb.go:575 +0x12c
    google.golang.org/grpc.(*Server).processUnaryRPC(0x14000708000, {0x1033c7600, 0x140006d81a0}, 0x14000980fc0, 0x14000383ce0, 0x103ce30a0, 0x0)
        /home/runner/go/pkg/mod/google.golang.org/[email protected]/server.go:1337 +0xc28
    google.golang.org/grpc.(*Server).handleStream(0x14000708000, {0x1033c7600, 0x140006d81a0}, 0x14000980fc0, 0x0)
        /home/runner/go/pkg/mod/google.golang.org/[email protected]/server.go:1714 +0x80c
    google.golang.org/grpc.(*Server).serveStreams.func1.1()
        /home/runner/go/pkg/mod/google.golang.org/[email protected]/server.go:959 +0x84
    created by google.golang.org/grpc.(*Server).serveStreams.func1
        /home/runner/go/pkg/mod/google.golang.org/[email protected]/server.go:957 +0x164

Updating existing resources that were created using a previous version of the provider (2.14.0 in this instance) succeeds without issue.

Downgrading to 2.22.0 resolved this issue

Expected Behavior

A new ResourceServer to be provisioned in the applicable Auth0 Tenant

Steps to reproduce

In a pulumi project with "@pulumi/auth0": "2.24.0", Provision a new auth0 ResourceServer with the following configuration:

        const hostname = `${config.hostname}`
        const auth0ApiName = `${config.name}-api`
        const auth0Api = new auth0.ResourceServer(
            auth0ApiName,
            {
                name: `${name} API (Managed by Pulumi)`,
                identifier: hostname,
                signingAlg: 'RS256',
                allowOfflineAccess: true,
                tokenLifetime: 86400,
            },
            {
                deleteBeforeReplace: true,
                parent: this,
            },
        )

        new auth0.ResourceServerScopes(
            `${name}-api-scopes`,
            {
                resourceServerIdentifier: auth0Api.identifier,
                scopes: [
                    {
                        name: 'create:foo',
                        description: 'Create Foos',
                    },
                ],
            },
            { parent: this },
        )

Output of pulumi about

CLI          
Version      3.78.1
Go Version   go1.20.7
Go Compiler  gc

Plugins
NAME    VERSION
nodejs  unknown

Host     
OS       darwin
Version  13.3
Arch     arm64

This project is written in nodejs: executable='/Users/patrick/.nvm/versions/node/v14.19.0/bin/node' version='v14.19.0'

Additional context

Updating existing resources that were created using a previous version of the provider (2.14.0 in this instance) succeeds without issue.

Downgrading to 2.22.0 resolved this issue

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[iwahbe]

Hi @PatrickMilroy. Thanks for pointing this out.

I have successfully reproduced (without credentials) with this program:

import * as auth0 from "@pulumi/auth0";

const config = {
  hostname: "host",
  name: "name",
};

const hostname = `${config.hostname}`
const auth0ApiName = `${config.name}-api`
const name = config.name;
const auth0Api = new auth0.ResourceServer(
  auth0ApiName,
  {
    name: `${name} API (Managed by Pulumi)`,
    identifier: hostname,
    signingAlg: 'RS256',
    allowOfflineAccess: true,
    tokenLifetime: 86400,
  },
  {
    deleteBeforeReplace: true,
  },
)

new auth0.ResourceServerScopes(
  `${name}-api-scopes`,
  {
    resourceServerIdentifier: auth0Api.identifier,
    scopes: [
      {
        name: 'create:foo',
        description: 'Create Foos',
      },
    ],
  },
)

[aq17]

We will cut a release soon and see if that potentially resolves the issue Unfortunately still hitting this on the latest release, so it looks like this isn't an upstream issue. I'll see if I can root cause it in our provider

[mikhailshilkov]

I tried reproducing it with terraform and I think this issue is unique to Pulumi.

We fail on this line where the provider tries to get a name of (not yet created) server: https://github.com/auth0/terraform-provider-auth0/blob/0269a8792e08ed5d990d3d19996695d6bf144ebe/internal/auth0/resourceserver/resource.go#L299

The state comes from GetRawState here: https://github.com/auth0/terraform-provider-auth0/blob/0269a8792e08ed5d990d3d19996695d6bf144ebe/internal/auth0/resourceserver/resource.go#L251

I logged the state:

{ty:{typeImpl:{typeImplSigil:{} AttrTypes:map[allow_offline_access:{typeImpl:{typeImplSigil:{} Kind:66}} enforce_policies:{typeImpl:{typeImplSigil:{} Kind:66}} id:{typeImpl:{typeImplSigil:{} Kind:83}} identifier:{typeImpl:{typeImplSigil:{} Kind:83}} name:{typeImpl:{typeImplSigil:{} Kind:83}} scopes:{typeImpl:{typeImplSigil:{} ElementTypeT:{typeImpl:{typeImplSigil:{} AttrTypes:map[description:{typeImpl:{typeImplSigil:{} Kind:83}} value:{typeImpl:{typeImplSigil:{} Kind:83}}]}}}} signing_alg:{typeImpl:{typeImplSigil:{} Kind:83}} signing_secret:{typeImpl:{typeImplSigil:{} Kind:83}} skip_consent_for_verifiable_first_party_clients:{typeImpl:{typeImplSigil:{} Kind:66}} token_dialect:{typeImpl:{typeImplSigil:{} Kind:83}} token_lifetime:{typeImpl:{typeImplSigil:{} Kind:78}} token_lifetime_for_web:{typeImpl:{typeImplSigil:{} Kind:78}} verification_location:{typeImpl:{typeImplSigil:{} Kind:83}}]}} v:map[allow_offline_access:<nil> enforce_policies:<nil> id:<nil> identifier:<nil> name:<nil> scopes:<nil> signing_alg:<nil> signing_secret:<nil> skip_consent_for_verifiable_first_party_clients:<nil> token_dialect:<nil> token_lifetime:<nil> token_lifetime_for_web:<nil> verification_location:<nil>]}

and the name

{ty:{typeImpl:{typeImplSigil:{} Kind:83}} v:<nil>}

so it is indeed empty, which causes the provider to panic.

@t0yv0 @iwahbe Do you see a venue to fix this in the bridge?

[t0yv0]

Sure; GetRawState used to be not supported at all but with pulumi/pulumi-terraform-bridge#1314 we introduced an approximation that sends a non-nil data to GetRawState; for most simple cases this data matches what TF would send and this has improved provider reliability; however a lot of work remains to get it on par or matching identically with what TF sends to GetRawState, along the lines of pulumi/pulumi-terraform-bridge#1282

I'd also be open to look at quick resolution options here such as patching this not to panic if possible but handle the case when state.GetAttr("name") is nil if this can be made to work:

state.GetAttr("name").AsString() == auth0ManagementAPI

[mikhailshilkov]

patching this not to panic if possible

What is "this" that you suggest patching?

[t0yv0]

Apologies for lack of clarity. We can patch the upstream codebase to avoid the panic and try to recover from the missing "name" attribute. Perhaps we can go the route of time boxed attempt to fix in the bridge generically and falling back to patching temporarily if that takes longer than we can wait on the fix here.