Terraform-provider-kubernetes: Trying to retrieve data in the 'refresh' phase when using computed values

Created on 10 May 2019  路  8Comments  路  Source: hashicorp/terraform-provider-kubernetes

I'm having trouble working around an issue with kubernetes data not existing yet, and TF complaining because I reference it from output variables.

resource "kubernetes_service_account" "ci" {
  metadata {
    name = "ci"
  }
}

data "kubernetes_secret" "ci" {
  metadata {
    name = "${kubernetes_service_account.ci.default_secret_name}"
  }
}

output "ci_token" {
  value = "${data.kubernetes_secret.ci.data.token}"
}

output "ci_crt" {
  value = "${data.kubernetes_secret.ci.data.ca.crt}"
}

Terraform Version

Terraform v0.11.12

  • provider.kubernetes v1.6.2

Affected Resource(s)

  • kubernetes_service_account
  • data.kubernetes_secret

Terraform Configuration Files

provider "kubernetes" {}

Debug Output

Too much exposed data to redact. Can supply something more specific if required.

Actual Behavior

This error appears on an initial terraform apply when nothing is created yet, but if I comment out the output section, apply, then uncomment the output, it works how I expect it to.

Error: Error running plan: 2 error(s) occurred:

* output.ci_token: Resource 'data.kubernetes_secret.ci' does not have attribute 'data.token' for variable 'data.kubernetes_secret.ci.data.token'
* output.ci_crt: Resource 'data.kubernetes_secret.ci' does not have attribute 'data.ca.crt' for variable 'data.kubernetes_secret.ci.data.ca.crt'

Expected Behavior

Shouldn't TF know that there's a dependency that needs to be created (kubernetes_service_account.ci) before any inference made about whether data.kubernetes_secret.ci contains the data.token attributes? There should be a dependency link because kubernetes_service_account.ci.default_secret_name is used in the data block.

Steps to Reproduce

  • terraform apply
picture flyte
👍1

All 8 comments

It looks like perhaps the data source should be

deferred until the "apply" phase

according to https://www.terraform.io/docs/configuration-0-11/data-sources.html#data-source-lifecycle

flyte picture flyte on 10 May 2019

I've also asked a question on SO and added a bounty in case someone wants to pick it up.

flyte picture flyte on 14 May 2019

Ok, I've answered :p

pdecat picture pdecat on 14 May 2019
🎉1

FTR, here's the solution:

resource "kubernetes_service_account" "ci" {
  metadata {
    name = "ci"
  }
}

data "kubernetes_secret" "ci" {
  metadata {
    name = "${kubernetes_service_account.ci.default_secret_name}"
  }
}

output "ci_token" {
  value = "${lookup(data.kubernetes_secret.ci.data, "token")}"
}
pdecat picture pdecat on 15 May 2019
👍1

Hey @pdecat thanks for the answer. Unfortunately to simplify the question I didn't include the other output I need, which this doesn't work with:

* output.ci_crt: lookup: lookup failed to find 'ca.crt' in:

${lookup(data.kubernetes_secret.ci.data, "ca.crt")}

I've updated the question - sorry for the bait and switch!

flyte picture flyte on 15 May 2019

Even when I try to output the whole CA map, it doesn't work:

output "ci_ca" {
  value = "${lookup(data.kubernetes_secret.ci.data, "ca")}"
}

* output.ci_ca: lookup: lookup() may only be used with flat maps, this map contains elements of type map in:

${lookup(data.kubernetes_secret.ci.data, "ca")}
flyte picture flyte on 15 May 2019

Thanks for the referenced issue. I've accepted your answer on SO and I'll close this issue in favour of the referenced one.

flyte picture flyte on 15 May 2019
1

Thanks!

I've posted another solution in the other issue: https://github.com/terraform-providers/terraform-provider-kubernetes/issues/334#issuecomment-492662466

pdecat picture pdecat on 15 May 2019
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

burdiyan picture burdiyan  路  4Comments
joe-a-t picture joe-a-t  路  3Comments
ZachGoldberg picture ZachGoldberg  路  3Comments
bdronneau picture bdronneau  路  4Comments
pdecat picture pdecat  路  4Comments