hashicorp/boundary provider 1.2.0 unable to use recovery_kms_hcl in provider from tofu registry

[devlsc]

Thank you for reporting an issue.

First of all thanks for the nice work and the quick fix last time :)

I am currently trying to use the hashicorp/boundary provider v1.2.0 and configuring the provider via recovery_kms_hcl like this:

  addr             = <BOUNDARY_ADDR>
  recovery_kms_hcl = <<EOT
kms "transit" {
    purpose = "recovery"
    address = <VAULT_ADDR>
    token = <VAULT_TOKEN>
    key_name = <KEY_NAME>
    mount_path = <MOUNT_PATH>
}
EOT
}

unfortunately that does not seem to work with the tofu provider but works fine with the terraform provider.
It fails with the error message:

   Error: error reading wrappers from "recovery_kms_hcl": Error configuring kms: plugin is nil 
     with provider["registry.opentofu.org/hashicorp/boundary"],
     on main.tf line 14, in provider "boundary":
     14: provider "boundary" {

This issue from the hashicorp boundary provider looks a like: hashicorp/terraform-provider-boundary#209

OpenTofu Version

OpenTofu v1.9.0
on linux_amd64

OpenTofu Configuration Files

provider "boundary" {
  addr             = <BOUNDARY_ADDR>
  recovery_kms_hcl = <<EOT
kms "transit" {
    purpose = "recovery"
    address = <VAULT_ADDR>
    token = <VAULT_TOKEN>
    key_name = <KEY_NAME>
    mount_path = <MOUNT_PATH>
}
EOT
}

[cam72cam]

Hi, could you provide the output of tofu version which includes the provider information? Also TF_LOG=debug logs would be appreciated!

[devlsc]

Hi,
thanks for the response
just in case it helps: https://github.com/nitrobox/reproduce-boundary

and here the requested information:

tofu version

OpenTofu v1.9.0
on linux_amd64
+ provider registry.opentofu.org/hashicorp/boundary v1.2.0

TF_LOG=DEBUG tofu plan:

2025-01-13T15:33:02.009+0100 [INFO]  OpenTofu version: 1.9.0
2025-01-13T15:33:02.009+0100 [DEBUG] using github.com/hashicorp/go-tfe v1.36.0
2025-01-13T15:33:02.009+0100 [DEBUG] using github.com/opentofu/hcl/v2 v2.0.0-20240814143621-8048794c5c52
2025-01-13T15:33:02.009+0100 [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.1
2025-01-13T15:33:02.009+0100 [DEBUG] using github.com/zclconf/go-cty v1.14.4
2025-01-13T15:33:02.010+0100 [INFO]  Go runtime version: go1.23.4
2025-01-13T15:33:02.010+0100 [INFO]  CLI args: []string{"tofu", "plan"}
2025-01-13T15:33:02.010+0100 [DEBUG] Attempting to open CLI config file: /home/test/.tofurc
2025-01-13T15:33:02.010+0100 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2025-01-13T15:33:02.010+0100 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2025-01-13T15:33:02.010+0100 [DEBUG] ignoring non-existing provider search directory /home/test/.terraform.d/plugins
2025-01-13T15:33:02.010+0100 [DEBUG] ignoring non-existing provider search directory /home/test/.local/share/terraform/plugins
2025-01-13T15:33:02.010+0100 [DEBUG] ignoring non-existing provider search directory /home/test/.local/share/flatpak/exports/share/terraform/plugins
2025-01-13T15:33:02.010+0100 [DEBUG] ignoring non-existing provider search directory /var/lib/flatpak/exports/share/terraform/plugins
2025-01-13T15:33:02.010+0100 [DEBUG] ignoring non-existing provider search directory /usr/local/share/terraform/plugins
2025-01-13T15:33:02.010+0100 [DEBUG] ignoring non-existing provider search directory /usr/share/terraform/plugins
2025-01-13T15:33:02.010+0100 [DEBUG] Found the config directory: /home/test/.terraform.d
2025-01-13T15:33:02.010+0100 [INFO]  CLI command args: []string{"plan"}
2025-01-13T15:33:02.012+0100 [DEBUG] New state was assigned lineage "d888f202-41c9-4b20-b763-680cec4db6be"
2025-01-13T15:33:02.027+0100 [DEBUG] checking for provisioner in "."
2025-01-13T15:33:02.028+0100 [DEBUG] checking for provisioner in "/usr/bin"
2025-01-13T15:33:02.028+0100 [INFO]  backend/local: starting Plan operation
2025-01-13T15:33:02.029+0100 [DEBUG] created provider logger: level=debug
2025-01-13T15:33:02.029+0100 [INFO]  provider: configuring client automatic mTLS
2025-01-13T15:33:02.034+0100 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.opentofu.org/hashicorp/boundary/1.2.0/linux_amd64/terraform-provider-boundary args=[".terraform/providers/registry.opentofu.org/hashicorp/boundary/1.2.0/linux_amd64/terraform-provider-boundary"]
2025-01-13T15:33:02.035+0100 [DEBUG] provider: plugin started: path=.terraform/providers/registry.opentofu.org/hashicorp/boundary/1.2.0/linux_amd64/terraform-provider-boundary pid=302476
2025-01-13T15:33:02.035+0100 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.opentofu.org/hashicorp/boundary/1.2.0/linux_amd64/terraform-provider-boundary
2025-01-13T15:33:02.040+0100 [INFO]  provider.terraform-provider-boundary: configuring server automatic mTLS: timestamp="2025-01-13T15:33:02.040+0100"
2025-01-13T15:33:02.046+0100 [DEBUG] provider: using plugin: version=5
2025-01-13T15:33:02.046+0100 [DEBUG] provider.terraform-provider-boundary: plugin address: address=/tmp/plugin1592727310 network=unix timestamp="2025-01-13T15:33:02.045+0100"
2025-01-13T15:33:02.057+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2025-01-13T15:33:02.059+0100 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.opentofu.org/hashicorp/boundary/1.2.0/linux_amd64/terraform-provider-boundary pid=302476
2025-01-13T15:33:02.059+0100 [DEBUG] provider: plugin exited
2025-01-13T15:33:02.059+0100 [DEBUG] Building and walking validate graph
2025-01-13T15:33:02.059+0100 [DEBUG] ProviderTransformer: "boundary_scope.global" (*tofu.NodeValidatableResource) needs provider["registry.opentofu.org/hashicorp/boundary"]
2025-01-13T15:33:02.059+0100 [DEBUG] ReferenceTransformer: "boundary_scope.global" references: []
2025-01-13T15:33:02.059+0100 [DEBUG] ReferenceTransformer: "provider[\"registry.opentofu.org/hashicorp/boundary\"]" references: []
2025-01-13T15:33:02.059+0100 [DEBUG] Starting graph walk: walkValidate
2025-01-13T15:33:02.060+0100 [DEBUG] created provider logger: level=debug
2025-01-13T15:33:02.060+0100 [INFO]  provider: configuring client automatic mTLS
2025-01-13T15:33:02.062+0100 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.opentofu.org/hashicorp/boundary/1.2.0/linux_amd64/terraform-provider-boundary args=[".terraform/providers/registry.opentofu.org/hashicorp/boundary/1.2.0/linux_amd64/terraform-provider-boundary"]
2025-01-13T15:33:02.063+0100 [DEBUG] provider: plugin started: path=.terraform/providers/registry.opentofu.org/hashicorp/boundary/1.2.0/linux_amd64/terraform-provider-boundary pid=302488
2025-01-13T15:33:02.063+0100 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.opentofu.org/hashicorp/boundary/1.2.0/linux_amd64/terraform-provider-boundary
2025-01-13T15:33:02.067+0100 [INFO]  provider.terraform-provider-boundary: configuring server automatic mTLS: timestamp="2025-01-13T15:33:02.067+0100"
2025-01-13T15:33:02.073+0100 [DEBUG] provider: using plugin: version=5
2025-01-13T15:33:02.073+0100 [DEBUG] provider.terraform-provider-boundary: plugin address: address=/tmp/plugin4202540156 network=unix timestamp="2025-01-13T15:33:02.073+0100"
2025-01-13T15:33:02.086+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2025-01-13T15:33:02.087+0100 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.opentofu.org/hashicorp/boundary/1.2.0/linux_amd64/terraform-provider-boundary pid=302488
2025-01-13T15:33:02.087+0100 [DEBUG] provider: plugin exited
2025-01-13T15:33:02.087+0100 [INFO]  backend/local: plan calling Plan
2025-01-13T15:33:02.087+0100 [DEBUG] Building and walking plan graph for NormalMode
2025-01-13T15:33:02.087+0100 [DEBUG] ProviderTransformer: "boundary_scope.global (expand)" (*tofu.nodeExpandPlannableResource) needs provider["registry.opentofu.org/hashicorp/boundary"]
2025-01-13T15:33:02.087+0100 [DEBUG] ReferenceTransformer: "boundary_scope.global (expand)" references: []
2025-01-13T15:33:02.087+0100 [DEBUG] ReferenceTransformer: "provider[\"registry.opentofu.org/hashicorp/boundary\"]" references: []
2025-01-13T15:33:02.087+0100 [DEBUG] Starting graph walk: walkPlan
2025-01-13T15:33:02.087+0100 [DEBUG] created provider logger: level=debug
2025-01-13T15:33:02.087+0100 [INFO]  provider: configuring client automatic mTLS
2025-01-13T15:33:02.090+0100 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.opentofu.org/hashicorp/boundary/1.2.0/linux_amd64/terraform-provider-boundary args=[".terraform/providers/registry.opentofu.org/hashicorp/boundary/1.2.0/linux_amd64/terraform-provider-boundary"]
2025-01-13T15:33:02.090+0100 [DEBUG] provider: plugin started: path=.terraform/providers/registry.opentofu.org/hashicorp/boundary/1.2.0/linux_amd64/terraform-provider-boundary pid=302502
2025-01-13T15:33:02.090+0100 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.opentofu.org/hashicorp/boundary/1.2.0/linux_amd64/terraform-provider-boundary
2025-01-13T15:33:02.094+0100 [INFO]  provider.terraform-provider-boundary: configuring server automatic mTLS: timestamp="2025-01-13T15:33:02.094+0100"
2025-01-13T15:33:02.100+0100 [DEBUG] provider.terraform-provider-boundary: plugin address: address=/tmp/plugin3001697826 network=unix timestamp="2025-01-13T15:33:02.100+0100"
2025-01-13T15:33:02.100+0100 [DEBUG] provider: using plugin: version=5
2025-01-13T15:33:02.108+0100 [ERROR] provider.terraform-provider-boundary: Response contains error diagnostic: @module=sdk.proto diagnostic_detail="" tf_proto_version=5.4 tf_provider_addr=provider tf_rpc=Configure diagnostic_severity=ERROR diagnostic_summary="error reading wrappers from \"recovery_kms_hcl\": Error configuring kms: plugin is nil" tf_req_id=fbb4e2af-2332-f7cf-b785-d5cd1216ed28 @caller=/home/runner/go/pkg/mod/github.com/hashicorp/terraform-plugin-go@v0.22.0/tfprotov5/internal/diag/diagnostics.go:58 timestamp="2025-01-13T15:33:02.108+0100"
2025-01-13T15:33:02.108+0100 [ERROR] vertex "provider[\"registry.opentofu.org/hashicorp/boundary\"]" error: error reading wrappers from "recovery_kms_hcl": Error configuring kms: plugin is nil
2025-01-13T15:33:02.108+0100 [INFO]  backend/local: plan operation completed

Planning failed. OpenTofu encountered an error while generating this plan.

╷
│ Error: error reading wrappers from "recovery_kms_hcl": Error configuring kms: plugin is nil
│
│   with provider["registry.opentofu.org/hashicorp/boundary"],
│   on main.tf line 10, in provider "boundary":
│   10: provider "boundary" {
│
╵
2025-01-13T15:33:02.109+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2025-01-13T15:33:02.110+0100 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.opentofu.org/hashicorp/boundary/1.2.0/linux_amd64/terraform-provider-boundary pid=302502
2025-01-13T15:33:02.110+0100 [DEBUG] provider: plugin exited

[pwillie]

Hi @devlsc, we are experiencing the same issue. Did you find a solution or workaround?

[Yantrio]

Would you also be able to provide your configuration and platform please @pwillie , it would be very helpful in debugging this.

I suspect it's related to this: hashicorp/terraform-provider-boundary#181

[Yantrio]

I've been able to reproduce this with a local setup of boundary and the following config:

terraform {
  required_providers {
    boundary = {
      source  = "hashicorp/boundary"
      version = ">= 1.2.0"
    }
  }
}

provider "boundary" {
  addr                   = "http://127.0.0.1:9200"
  auth_method_id         = "ampw_1234567890"
  auth_method_login_name = "admin"
  auth_method_password   = "password"
  recovery_kms_hcl       = <<EOT
kms "transit" {
  purpose = "recovery"
}
EOT
}

data "boundary_account" "admin" {
  name           = "admin"
  auth_method_id = "ampw_1234567890"
}

I can see specifically that this is an issue with our built version of this provider. I'll investigate more

[Yantrio]

It seems that this is not being run for the opentofu build https://github.com/opentofu/terraform-provider-boundary/blob/main/.goreleaser.yml#L13 because we do not use this goreleaser file. We pull one in from the scripts repo. (for example: https://github.com/opentofu/scripts/blob/main/goreleaser_v3.yaml) .

I think we need the scripts repo to be aware that this file exists and it should be run as a pre-hook.

It seems that this is the only repository to be setup in this way, so we can add a small edge case handle to sort this out

[Yantrio]

I've identified a fix here: opentofu/scripts#35 but It will require some careful testing and planning. I'll co-ordinate with the rest of the maintainers and get back to you soon about this.

[pwillie]

Hi @Yantrio, great news that you have identified the issue. Please let me know if you require any further info from me.

[devlsc]

Hey,
@Yantrio is there any update on this? The PR you posted seems to be ready :)

Thanks a lot for investigating the issue!

[cam72cam]

The patch is in place, but older versions will need to be rebuilt by @Yantrio. If the linked PR works, 1.5.0 will be the first version with the fix.