Gone from our sight, but never from our hearts.
– Unknown
Category: Misc
Terraform: Handling Errors with try(…)
PROBLEM
Given the following output block:-
output "subnet_uc1" {
description = "Subnets in `us-central1` region for all 3 products"
value = {
artifactory = module.subnet_uc1_artifactory.subnets.name
xray = module.subnet_uc1_xray.subnets.name
mc = module.subnet_uc1_mc.subnets.name
}
}
Sometimes, during an apply or destroy, we may get this error:-
Error: Attempt to get attribute from null value
on outputs.tf line 40, in output "subnet_uc1":
40: artifactory = module.subnet_uc1_artifactory.subnets.name
|----------------
| module.subnet_uc1_artifactory.subnets is null
This value is null, so it does not have any attributes.
Error: Attempt to get attribute from null value
on outputs.tf line 41, in output "subnet_uc1":
41: xray = module.subnet_uc1_xray.subnets.name
|----------------
| module.subnet_uc1_xray.subnets is null
This value is null, so it does not have any attributes.
Error: Attempt to get attribute from null value
on outputs.tf line 42, in output "subnet_uc1":
42: mc = module.subnet_uc1_mc.subnets.name
|----------------
| module.subnet_uc1_mc.subnets is null
This value is null, so it does not have any attributes.
One way to fix this is to do conditional expressions like this, but it’s not pretty:-
output "subnet_uc1" {
description = "Subnets in `us-central1` region for all 3 products"
value = {
artifactory = module.subnet_uc1_artifactory.subnets != null ? module.subnet_uc1_artifactory.subnets.name: ""
xray = module.subnet_uc1_xray.subnets != null ?module.subnet_uc1_xray.subnets.name: ""
mc = module.subnet_uc1_mc.subnets != null ? module.subnet_uc1_mc.subnets.name: ""
}
}
SOLUTION
Since Terraform v0.12.20, we can solve this with try and achieve the same outcome:-
output "subnet_uc1" {
description = "Subnets in `us-central1` region for all 3 products"
value = {
artifactory = try(module.subnet_uc1_artifactory.subnets.name, "")
xray = try(module.subnet_uc1_xray.subnets.name, "")
mc = try(module.subnet_uc1_mc.subnets.name, "")
}
}
Design Pattern: Re-accommodate
WHAT
Forcefully evict a random entity from the system due to overcapacity problem caused by own fault. Then, spend countless of hours cleaning up the mess.
USAGE
Let’s assume your system has heap size problems and it is about to run out of memory because you implemented endless recursions or have too many running threads.
- Randomly select 4 entities (running processes) from the system.
- Ask each selected entity to voluntarily quit.
- If the chosen entity does not comply, forcefully evict it from the system.
- Clean up any data corruption.
WHEN TO USE IT
Only use this design pattern when building any software systems for United Airlines.
Java + SAML: Illegal Key Size
PROBLEM
When attempting to decrypt the SAML response from IdP, the following exception occurs:-
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size Original Exception was java.security.InvalidKeyException: Illegal key size at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1822) at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:596) at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(Decrypter.java:795) at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(Decrypter.java:535) at org.opensaml.xml.encryption.Decrypter.decryptDataToList(Decrypter.java:453) at org.opensaml.xml.encryption.Decrypter.decryptData(Decrypter.java:414) at org.opensaml.saml2.encryption.Decrypter.decryptData(Decrypter.java:141) at org.opensaml.saml2.encryption.Decrypter.decrypt(Decrypter.java:69) at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:199) at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
SOLUTION
When inspecting the SAML response payload below, the data is encrypted with AES-256:-
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
Destination="https://server/my-app/saml/SSO"
ID="_370d6ba5-177c-494b-9147-2eafd9ecb6c9"
InResponseTo="a5c5dja1i5fgb2bf2e66f6g9g5398gj"
IssueInstant="2016-02-18T15:28:43.473Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs-server/adfs/services/trust</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</e:EncryptionMethod>
<KeyInfo>
<ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=server</ds:X509IssuerName>
<ds:X509SerialNumber>1822784706</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</KeyInfo>
<e:CipherData>
<e:CipherValue>isG83fVk50fJRIcg...</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>+b2o6HNxaxsse7rkB...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</EncryptedAssertion>
</samlp:Response>
By default, Java’s keysize is limited to 128-bit key due to US export laws and a few countries’ import laws.
To fix this…
There are no Limits…
Bruce had me up to three miles a day, really at a good pace. We’d run the three miles in twenty-one or twenty-two minutes. Just under eight minutes a mile [Note: when running on his own in 1968, Lee would get his time down to six-and-a-half minutes per mile].
So this morning he said to me “We’re going to go five.”
I said, “Bruce, I can’t go five. I’m a helluva lot older than you are, and I can’t do five.”
He said, “When we get to three, we’ll shift gears and it’s only two more and you’ll do it.”
I said “Okay, hell, I’ll go for it.”
So we get to three, we go into the fourth mile and I’m okay for three or four minutes, and then I really begin to give out.
I’m tired, my heart’s pounding, I can’t go any more and so I say to him, “Bruce if I run any more,” — and we’re still running — “if I run any more I’m liable to have a heart attack and die.” He said, “Then die.” It made me so mad that I went the full five miles.
Afterward I went to the shower and then I wanted to talk to him about it. I said, you know, “Why did you say that?” He said, “Because you might as well be dead. Seriously, if you always put limits on what you can do, physical or anything else, it’ll spread over into the rest of your life. It’ll spread into your work, into your morality, into your entire being. There are no limits. There are plateaus, but you must not stay there, you must go beyond them. If it kills you, it kills you. A man must constantly exceed his level.”
– The Art of Expressing the Human Body by Bruce Lee and John Little
