object bucket: reading project_id crashes when unauthorized #2403

Closed
Mia-Cross opened this issue Feb 16, 2024 · 0 comments · Fixed by #2408
Labels
bug object Object storage issues, bugs and feature requests priority:highest Bugs filled by customers, security issues


Mia-Cross commented Feb 16, 2024

Terraform Version

2.35.0

Affected Resource(s)

  • scaleway_object_bucket
  • scaleway_object_bucket_policy

Terraform Configuration Files

# A bucket for the devices data.
resource "scaleway_object_bucket" "dr_device_data" {
  name          = "dr-media-device-data"
  region        = "fr-par"
  force_destroy = false

}

# Another bucket for the user data.
resource "scaleway_object_bucket" "dr_user_data" {
  name          = "dr-media-user-data"
  region        = "fr-par"
  force_destroy = false
}

# An IAM app planned to access these two buckets.
resource "scaleway_iam_application" "dr_media_storage_app" {
  name = "dr-measurement-media-storage"
}

# Right to read/write to buckets for that app.
resource "scaleway_iam_policy" "dr_buckets_access" {
  name           = "dr-media-storage-buckets-rw-access"
  description    = "Gives read write access to s3 objects for dr-media buckets"
  application_id = scaleway_iam_application.dr_media_storage_app.id
  rule {
    project_ids          = [data.scaleway_account_project.this.id]
    permission_set_names = ["ObjectStorageObjectsWrite"]
  }
}

# Restrict access to the devices data bucket to that app.
resource "scaleway_object_bucket_policy" "dr_devices_buckets_policy" {
  bucket = scaleway_object_bucket.dr_device_data.id
  policy = jsonencode(
    {
      Version = "2023-04-17",
      Statement = [
        {
          Sid    = "Filter application",
          Effect = "Allow",
          Principal = {
            SCW = [
              "user_id:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx",
              "user_id:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx",
              "user_id:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx",
              "application_id:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx",
              "application_id:${scaleway_iam_application.dr_media_storage_app.id}"
            ]
          },
          Action = ["*"]
          Resource = [
            "${scaleway_object_bucket.dr_device_data.name}",
            "${scaleway_object_bucket.dr_device_data.name}/*",
            "${scaleway_object_bucket.dr_user_data.name}",
            "${scaleway_object_bucket.dr_user_data.name}/*"
          ]
        }
      ]
    }
  )
}

Panic Output

Stack trace from the terraform-provider-scaleway_v2.35.0 plugin:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x8 pc=0x10301f628]

goroutine 98 [running]:
github.com/scaleway/terraform-provider-scaleway/v2/scaleway.resourceScalewayObjectBucketRead({0x103760040, 0x1400044af50}, 0x14000b0c600, {0x10354e420, 0x140004f9c70})
        github.com/scaleway/terraform-provider-scaleway/v2/scaleway/resource_object_bucket.go:466 +0x228
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).read(0x140005708c0, {0x10375ff98, 0x14000b01a10}, 0xd?, {0x10354e420, 0x140004f9c70})
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.30.0/helper/schema/resource.go:795 +0xe8
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).RefreshWithoutUpgrade(0x140005708c0, {0x10375ff98, 0x14000b01a10}, 0x14000b64000, {0x10354e420, 0x140004f9c70})
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.30.0/helper/schema/resource.go:1089 +0x430
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ReadResource(0x14000728018, {0x10375ff98?, 0x14000b01920?}, 0x14000b0e4c0)
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.30.0/helper/schema/grpc_provider.go:661 +0x3e4
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ReadResource(0x14000120960, {0x10375ff98?, 0x14000b01170?}, 0x14000b04360)
        github.com/hashicorp/terraform-plugin-go@v0.19.0/tfprotov5/tf5server/server.go:789 +0x390
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ReadResource_Handler({0x10370b360?, 0x14000120960}, {0x10375ff98, 0x14000b01170}, 0x1400044a7e0, 0x0)
        github.com/hashicorp/terraform-plugin-go@v0.19.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:431 +0x164
google.golang.org/grpc.(*Server).processUnaryRPC(0x140004c4000, {0x103764e40, 0x14000900340}, 0x14000b350e0, 0x140006dfe60, 0x103f87768, 0x0)
        google.golang.org/grpc@v1.57.1/server.go:1358 +0xc04
google.golang.org/grpc.(*Server).handleStream(0x140004c4000, {0x103764e40, 0x14000900340}, 0x14000b350e0, 0x0)
        google.golang.org/grpc@v1.57.1/server.go:1735 +0x7cc
google.golang.org/grpc.(*Server).serveStreams.func1.1()
        google.golang.org/grpc@v1.57.1/server.go:970 +0xb4
created by google.golang.org/grpc.(*Server).serveStreams.func1 in goroutine 51
        google.golang.org/grpc@v1.57.1/server.go:981 +0x160

Error: The terraform-provider-scaleway_v2.35.0 plugin crashed!

Steps to Reproduce

  1. terraform apply
@Mia-Cross Mia-Cross added bug object Object storage issues, bugs and feature requests priority:highest Bugs filled by customers, security issues labels Feb 16, 2024
@Mia-Cross Mia-Cross self-assigned this Feb 16, 2024
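The trace above is a nil pointer dereference on the provider's bucket Read path when the project_id lookup fails for an unauthorized caller. The Go snippet below is an added illustration, not code from the terraform-provider-scaleway repository: `bucketClient`, `Bucket` and `ErrUnauthorized` are hypothetical stand-ins for the real SDK types, and it shows the defect pattern (error dropped, response dereferenced) next to the defensive form that turns an authorization failure into a diagnostic instead of a crash.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrUnauthorized stands in for the API's 403 response (hypothetical, not the Scaleway SDK's type).
var ErrUnauthorized = errors.New("unauthorized: caller lacks permission on this bucket")
// Bucket is a hypothetical stand-in for the provider's bucket response.
type Bucket struct{ Name, ProjectID string }

// bucketClient is a hypothetical client whose lookups return (nil, ErrUnauthorized)
// when the caller lacks permission, which is what an unguarded dereference trips over.
type bucketClient struct{ visible map[string]*Bucket } // constructed in-memory fixture

func (c *bucketClient) GetBucket(name string) (*Bucket, error) {
	if b, ok := c.visible[name]; ok {
		return b, nil
	}
	return nil, ErrUnauthorized
}

// readProjectIDUnsafe mirrors the defect in the report: the error is dropped and the
// response dereferenced, so an unauthorized lookup panics (the SIGSEGV in the trace).
func readProjectIDUnsafe(c *bucketClient, name string) string {
	b, _ := c.GetBucket(name)
	return b.ProjectID
}

// readProjectID is the defensive form: check the error first, then guard the pointer
// before use, so an authorization failure surfaces as a diagnostic instead of a crash.
func readProjectID(c *bucketClient, name string) (string, error) {
	b, err := c.GetBucket(name)
	if err != nil {
		return "", fmt.Errorf("reading project_id of bucket %q: %w", name, err)
	}
	if b == nil {
		return "", fmt.Errorf("reading project_id of bucket %q: empty response", name)
	}
	return b.ProjectID, nil
}

func main() {
	c := &bucketClient{visible: map[string]*Bucket{ // constructed fixture: one readable bucket
		"dr-media-user-data": {Name: "dr-media-user-data", ProjectID: "00000000-0000-0000-0000-000000000000"},
	}}
	fmt.Println(readProjectID(c, "dr-media-user-data"))
	fmt.Println(readProjectID(c, "dr-media-device-data")) // unauthorized: returns an error, no panic
}
```

Wrapping the error with %w keeps the underlying unauthorized error reachable via errors.Is, so the provider can decide whether to surface it, retry, or drop the resource from state rather than terminate the plugin.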