## Description

Three functions in the OSS and Consul backends perform unchecked type assertions on data from external sources (ECS metadata endpoint, Alibaba Cloud config files, Consul KV store). When the external data is missing expected fields, terraform panics instead of returning a meaningful error.

### 1. `backend/oss`: `getAuthCredentialByEcsRoleName` panics on unexpected ECS metadata response

**File:** `internal/backend/remote-state/oss/backend.go:684`

`jmespath.Search("Code", data)` returns `(nil, nil)` when the `"Code"` key is absent from the JSON response. The subsequent `code.(string)` type assertion panics:

```go
code, err := jmespath.Search("Code", data)
if err != nil {
    // only catches JMESPath parse errors, NOT missing keys
}
if code.(string) != "Success" { // panics: interface conversion: interface {} is nil, not string
```

The same pattern repeats for `AccessKeyId`, `AccessKeySecret`, `SecurityToken`, and `Expiration` extractions in the same function.

**Trigger:** Configure the OSS backend with `ecs_role_name`. If the ECS metadata endpoint (`http://100.100.100.200/latest/meta-data/Ram/security-credentials/`) returns JSON without the expected fields (service degradation, API version change, proxy interference), terraform panics.

**Introduced:** bfae627112e (2019-11-02, He Guimin)

### 2. `backend/oss`: `getConfigFromProfile` panics on incomplete aliyun config

**File:** `internal/backend/remote-state/oss/backend.go:597`

```go
for _, v := range config["profiles"].([]interface{}) { // panics if "profiles" key missing
    if current == v.(map[string]interface{})["name"] { // panics if element is not a map
```

**Trigger:** The `~/.aliyun/config.json` file is valid JSON but lacks a `"profiles"` array (e.g., created by a different Alibaba Cloud tool version, or manually edited).

**Introduced:** b69c0b41990 (2019-08-06, yuanye)

### 3. `backend/consul`: `chunkedMode` panics on corrupt chunked state

**File:** `internal/backend/remote-state/consul/client.go:687`

```go
hash, ok := d["current-hash"]
if ok {
    for _, c := range d["chunks"].([]interface{}) { // panics if "chunks" key missing
```

The code checks if `"current-hash"` exists but blindly asserts `d["chunks"].([]interface{})` without checking. Called from `Get()`, `Put()`, and `Delete()`, affecting all Consul state operations.

**Trigger:** Consul KV data contains `"current-hash"` but not `"chunks"` (partial write during network interruption, manual editing in Consul UI).

**Introduced:** e680211bc07 (2020-08-14, Rémi Lapeyre)

## Proposed Fix

Convert all unchecked type assertions to comma-ok form with descriptive error messages. No behavioral change on valid inputs.

The fix is ready on our fork: [`SebTardif/terraform:fix-backend-nil-panics`](https://github.com/SebTardif/terraform/compare/main...SebTardif:terraform:fix-backend-nil-panics)

We are happy to submit a PR if the team would like us to.

## AI Disclosure

Developed with AI assistance (Grok by xAI) in a human-in-the-loop workflow. The bug patterns were identified by AI-assisted code audit; all code has been reviewed, understood, and verified by the human author.
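The comma-ok conversion described under "Proposed Fix", applied to the chunked-state case in item 3. This is an added example, not code from Terraform or from the linked fork; `parseChunkIndex`, its return shape, and the sample KV values are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// parseChunkIndex is a hypothetical stand-in for the decoding step in chunkedMode.
// It returns (chunked, hash, chunk keys, error) and never panics on malformed input.
func parseChunkIndex(raw []byte) (bool, string, []string, error) {
	var d map[string]interface{}
	if err := json.Unmarshal(raw, &d); err != nil {
		return false, "", nil, fmt.Errorf("decoding state index: %w", err)
	}
	h, ok := d["current-hash"]
	if !ok {
		return false, "", nil, nil // no "current-hash": payload is not a chunk index
	}
	hash, ok := h.(string)
	if !ok {
		return false, "", nil, fmt.Errorf(`"current-hash" is %T, expected string`, h)
	}
	list, ok := d["chunks"].([]interface{}) // comma-ok: a missing key yields ok == false
	if !ok {
		return false, "", nil, fmt.Errorf(`"chunks" is %T, expected array`, d["chunks"])
	}
	chunks := make([]string, 0, len(list))
	for i, c := range list {
		s, ok := c.(string)
		if !ok {
			return false, "", nil, fmt.Errorf(`chunks[%d] is %T, expected string`, i, c)
		}
		chunks = append(chunks, s)
	}
	return true, hash, chunks, nil
}

func main() {
	// Constructed sample KV values: valid, missing "chunks", wrong element type.
	for _, in := range []string{
		`{"current-hash":"abc","chunks":["example/chunk-0"]}`,
		`{"current-hash":"abc"}`,
		`{"current-hash":"abc","chunks":[1]}`,
	} {
		ok, hash, chunks, err := parseChunkIndex([]byte(in))
		fmt.Println(ok, hash, chunks, err)
	}
}
```

The second and third inputs return an error naming the offending field and its actual type, where the unchecked assertion would have panicked.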