[BUG] panic: set item just set doesn't exist

[clibup]

11:45:17 Stack trace from the terraform-provider-opensearch_v2.2.1 plugin:
11:45:17
11:45:17 panic: set item just set doesn't exist
11:45:17
11:45:17 goroutine 452 [running]:
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*MapFieldWriter).setSet(0xc000bb2bb8, {0xc000bb1490, 0x1, 0x1}, {0xe894e0, 0xc000bb2c00}, 0xc0001c9b80)
11:45:17 github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/field_writer_map.go:327 +0x992
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*MapFieldWriter).set(0xc000bb2bb8, {0xc000bb1490, 0x1, 0x1}, {0xe894e0, 0xc000bb2c00})
11:45:17 github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/field_writer_map.go:107 +0x14c
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*MapFieldWriter).WriteField(0xc000bb2bb8, {0xc000bb1490, 0x1, 0x1}, {0xe894e0, 0xc000bb2c00})
11:45:17 github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/field_writer_map.go:89 +0x3f9
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*ResourceData).Set(0xc0002ecf00, {0x103b47a, 0x12}, {0xe894e0, 0xc000bb2c00})
11:45:17 github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource_data.go:227 +0x210
11:45:17 github.com/opensearch-project/terraform-provider-opensearch/provider.resourceOpensearchOpenDistroRoleRead(0xc0002ecf00, {0xe74a80, 0xc0001542c0})
11:45:17 github.com/opensearch-project/terraform-provider-opensearch/provider/resource_opensearch_role.go:156 +0x4cd
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).read(0x139bfa8?, {0x139bfa8?, 0xc0002c6210?}, 0xd?, {0xe74a80?, 0xc0001542c0?})
11:45:17 github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:347 +0x178
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).RefreshWithoutUpgrade(0xc000225880, {0x139bfa8, 0xc0002c6210}, 0xc0006e76c0, {0xe74a80, 0xc0001542c0})
11:45:17 github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:650 +0x47b
11:45:17 github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ReadResource(0xc000118348, {0x139bf00?, 0xc00069ddc0?}, 0xc00069de40)
11:45:17 github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:613 +0x45f
11:45:17 github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ReadResource(0xc0000cf400, {0x139bfa8?, 0xc0009177d0?}, 0xc0001f61e0)
11:45:17 github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:746 +0x438
11:45:17 github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ReadResource_Handler({0xfd4ca0?, 0xc0000cf400}, {0x139bfa8, 0xc0009177d0}, 0xc0001f6180, 0x0)
11:45:17 github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:349 +0x170
11:45:17 google.golang.org/grpc.(*Server).processUnaryRPC(0xc0001fca80, {0x139ecc8, 0xc000288d00}, 0xc000c7db00, 0xc0001daab0, 0x1a830b0, 0x0)
11:45:17 google.golang.org/[email protected]/server.go:1282 +0xccf
11:45:17 google.golang.org/grpc.(*Server).handleStream(0xc0001fca80, {0x139ecc8, 0xc000288d00}, 0xc000c7db00, 0x0)
11:45:17 google.golang.org/[email protected]/server.go:1619 +0xa1b
11:45:17 google.golang.org/grpc.(*Server).serveStreams.func1.2()
11:45:17 google.golang.org/[email protected]/server.go:921 +0x98
11:45:17 created by google.golang.org/grpc.(*Server).serveStreams.func1
11:45:17 google.golang.org/[email protected]/server.go:919 +0x28a
11:45:17
11:45:17 Error: The terraform-provider-opensearch_v2.2.1 plugin crashed!
11:45:17
11:45:17 This is always indicative of a bug within the plugin. It would be immensely
11:45:17 helpful if you could report the crash with the plugin's maintainers so that it
11:45:17 can be fixed. The output above should help diagnose the issue.

How can one reproduce the bug?

We've used python to create roles in OpenSeach, some roles doesn't have tenant permissions and then we've uploaded tenant permissins in this way:

"tenant_permissions": [
  {
    "tenant_patterns": [],
    "allowed_actions": []
  }

When I created new role with opensearch terraform provider without any tennat_permissions settings, I can see tenant_permission set by plugin just like

"tenant_permissions": [],

The problem occurs when I want to use terraform to create a role that was previously created using API and python scripts. Additionally, when such a problem occurs, I have to delete terraform.tfstate and re-import all the resources so that I can do anything with terraform.

What is your host/environment?

Ubuntu 22.04
OpenSearch 2.14

[rblcoder]

@PhilippReinke Would it be possible for you to look into the query above regarding tenant permission?

[rblcoder]

An earlier issue on tenant permissions
#38
@clibup could you please share terraform code, python scripts calling APIs and steps to follow, so we can reproduce the issue?

[clibup]

My terraform code

resource "opensearch_role" "appgroups_roles_write" {
  role_name = "pm_name_write"

  cluster_permissions = ["example_permission"]

  index_permissions {
    index_patterns = ["example_index-*"]
    allowed_actions = ["read"]
  }
}


resource "opensearch_roles_mapping" "appgroups_mapper_write" {
 
  role_name     = "pm_name_write"
  backend_roles ="pm_example_write"
}

and JSON which are uploaded with REST

_upload = {
     "cluster_permissions": ["example_permission"],
     "index_permissions": [{
         "index_patterns": "example_index-*",
         "dls": "",
         "fls": [],
         "masked_fields": [],
         "allowed_actions": [
             "read"
         ]
     }],
     "tenant_permissions": [{
         "tenant_patterns": [],
         "allowed_actions": []
     }],
 }

[rblcoder]

Creating role using using the API call

PUT _plugins/_security/api/roles/movies_role
{
  "cluster_permissions": ["*"],
  "index_permissions": [{
    "index_patterns": [
      "movies*"
    ],
    "dls": "",
    "fls": [],
    "masked_fields": [],
    "allowed_actions": [
      "read"
    ]
  }],
  "tenant_permissions": [{
    "tenant_patterns": [],
    "allowed_actions": []
  }]
}

GET _plugins/_security/api/roles/movies_role

gives

{
  "movies_role": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "movies*"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [],
        "allowed_actions": []
      }
    ],
    "static": false
  }
}

Creating using terraform code

terraform {
  required_providers {
    opensearch = {
      source = "opensearch-project/opensearch"
      version = "2.2.1"
    }
  }
}

provider "opensearch" {
  url = "https://localhost:9200"
  username          = "admin"
  password          = "myStrongPassword123@456"
  healthcheck = "false"
  insecure = "true"  
  version_ping_timeout = "10"

}

resource "opensearch_role" "movies_role" {
  role_name   = "movies_role"
  description = "Logs writer role"

  cluster_permissions = ["*"]

  index_permissions {
    index_patterns  = ["movies*"]
    allowed_actions = ["read"]
  }

}


resource "opensearch_roles_mapping" "mapper" {
  role_name   = "movies_role"
  description = "Mapping AWS IAM roles to ES role"
  backend_roles = [
    "arn:aws:iam::123456789012:role/lambda-call-opensearch",
    "arn:aws:iam::123456789012:role/run-containers",
  ]

  depends_on = [opensearch_role.movies_role]
}

GET _plugins/_security/api/roles/movies_role

{
  "movies_role": {
    "reserved": false,
    "hidden": false,
    "description": "Logs writer role",
    "cluster_permissions": [
      "*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "movies*"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  }
}

Creating the role using the API call

PUT _plugins/_security/api/roles/movies_role
{
  "cluster_permissions": ["*"],
  "index_permissions": [{
    "index_patterns": [
      "movies*"
    ],
    "dls": "",
    "fls": [],
    "masked_fields": [],
    "allowed_actions": [
      "read"
    ]
  }],
  "tenant_permissions": []
}

Now GET _plugins/_security/api/roles/movies_role
gives

{
  "movies_role": {
    "reserved": false,
    "hidden": false,
    "description": "Logs writer role",
    "cluster_permissions": [
      "*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "movies*"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  }
}

With this API call, I don't see the error.

[clibup]

OK, thx for info, maybe reason is that we have about 300 roles, but the only difference I see are tenant_permissions settings and I don't have depends_on = [opensearch_role.xxxxxxx] in my terraform code.
I use terraform v1.1.5 because we have to use etcdv3 as a backend.

[prudhvigodithi]

Thanks @rblcoder, @clibup I assume the issue is resolved, I'm closing this but please feel-free to re-open or add a comment of required.
Thanks