Terraform-provider-kubernetes: Secret of type service-account-token is always changed in place

Created on 24 Jun 2019 · 1 Comment · Source: hashicorp/terraform-provider-kubernetes

Terraform Version

15:55:19 Terraform v0.12.2
15:55:21 + provider.google v2.9.0
15:55:21 + provider.kubernetes v1.7.0

Affected Resource(s)

kubernetes_secret

Terraform Configuration Files

```
resource "kubernetes_secret" "secret_sajenkins" {
  provider = "kubernetes.gke"
  metadata {
    name = "secret-sajenkins"
    annotations = map("kubernetes.io/service-account.name", kubernetes_service_account.sa_jenkins.metadata.0.name)
    namespace = kubernetes_namespace.kns_gkesharedprdeuw101.metadata.0.name
  }

  type = "kubernetes.io/service-account-token"
}
```

Debug Output

Panic Output

Expected Behavior

The secret is of type ServiceAccountToken. No data for the secret is provided because the Token Controller will create the data (https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/).

Terraform should create the secret and then leave it as it is

Actual Behavior

Terraform always tries to update the secret in-place:

```
15:56:18
15:56:18 An execution plan has been generated and is shown below.
15:56:18 Resource actions are indicated with the following symbols:
15:56:18 ~ update in-place
15:56:18
15:56:18 Terraform will perform the following actions:
15:56:18
15:56:18 # module.bootstrap_gke_gkesharedprdeuw101.kubernetes_secret.secret_sajenkins will be updated in-place
15:56:18 ~ resource "kubernetes_secret" "secret_sajenkins" {
15:56:18 ~ data = (sensitive value)
15:56:18 id = "jenkins/secret-sajenkins"
15:56:18 type = "kubernetes.io/service-account-token"
15:56:18
15:56:18 metadata {
15:56:18 annotations = {
15:56:18 "kubernetes.io/service-account.name" = "sa-jenkins"
15:56:18 }
15:56:18 generation = 0
15:56:18 labels = {}
15:56:18 name = "secret-sajenkins"
15:56:18 namespace = "jenkins"
15:56:18 }
15:56:18
15:56:18 Plan: 0 to add, 1 to change, 0 to destroy.
```

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. create config with secret "type": "kubernetes.io/service-account-token" and no data
  2. terraform apply
  3. terraform apply
  4. terraform apply

Important Factoids

References

Most helpful comment

I found a solution to the problem by adding an ignore for the data attribute:

```
resource "kubernetes_secret" "secret_sajenkins" {
  provider = "kubernetes.gke"
  metadata {
    name = "secret-sajenkins"
    annotations = map("kubernetes.io/service-account.name", kubernetes_service_account.sa_jenkins.metadata.0.name)
    namespace = kubernetes_namespace.kns_gkesharedprdeuw101.metadata.0.name
  }
  type = "kubernetes.io/service-account-token"
  lifecycle {
    ignore_changes = [data]
  }
}
```
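The plan in the issue is worth catching before it is applied: the `~ data = (sensitive value)` line means Terraform would replace the token, CA bundle and namespace that the token controller wrote into the Secret with the empty `data` from the config, invalidating a credential that workloads may already be using. The script below is an added example (not part of terraform-provider-kubernetes or the comment above) that scans the JSON from `terraform show -json <planfile>` (available since Terraform 0.12) and reports any `kubernetes_secret` of type `kubernetes.io/service-account-token` whose update would drop controller-populated keys. It is the kind of guard a CI pipeline can run for modules that have not yet adopted the `ignore_changes = [data]` fix. The embedded sample plan is constructed to mirror the issue's plan output; the resource address and the redacted data values are placeholders.

```python
"""Plan guard for controller-populated service-account-token Secrets.

Added example, not project code. Input is the JSON document produced by
`terraform show -json <planfile>`; the sample plan below is constructed.
"""
import json
import sys

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
# Keys the Kubernetes token controller writes into a service-account-token
# Secret; Terraform's empty `data` in the config would remove them.
CONTROLLER_KEYS = {"token", "ca.crt", "namespace"}


def find_token_overwrites(plan):
    """Return [(address, [lost keys])] for every kubernetes_secret update
    that would drop controller-populated keys from a service-account-token
    Secret. Creates and deletes are ignored; only in-place updates can
    silently wipe a live token."""
    hits = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "kubernetes_secret":
            continue
        change = rc.get("change", {})
        if "update" not in change.get("actions", []):
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        if before.get("type") != SA_TOKEN_TYPE:
            continue
        before_keys = set((before.get("data") or {}).keys())
        after_keys = set((after.get("data") or {}).keys())
        lost = (before_keys & CONTROLLER_KEYS) - after_keys
        if lost:
            hits.append((rc["address"], sorted(lost)))
    return hits


def plan_is_safe(plan):
    """True when no service-account-token Secret would lose its data."""
    return not find_token_overwrites(plan)


# Constructed sample plan (placeholder address, redacted values). The first
# resource mirrors the issue: data populated by the controller on the
# cluster side, empty data in the config, so Terraform plans an update.
SAMPLE_PLAN = {
    "format_version": "0.1",
    "resource_changes": [
        {
            "address": "module.bootstrap.kubernetes_secret.secret_sajenkins",
            "type": "kubernetes_secret",
            "name": "secret_sajenkins",
            "change": {
                "actions": ["update"],
                "before": {
                    "type": SA_TOKEN_TYPE,
                    "data": {
                        "token": "<redacted-token>",
                        "ca.crt": "<redacted-ca>",
                        "namespace": "jenkins",
                    },
                },
                "after": {"type": SA_TOKEN_TYPE, "data": {}},
            },
        },
        {
            # An Opaque secret whose data the config does manage: not flagged.
            "address": "kubernetes_secret.app_config",
            "type": "kubernetes_secret",
            "name": "app_config",
            "change": {
                "actions": ["update"],
                "before": {"type": "Opaque", "data": {"key": "old"}},
                "after": {"type": "Opaque", "data": {"key": "new"}},
            },
        },
    ],
}


if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python plan_guard.py
    plan = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PLAN
    for address, lost in find_token_overwrites(plan):
        print(f"{address}: planned update drops {', '.join(lost)}")
    sys.exit(0 if plan_is_safe(plan) else 1)
```

The check keys on the `before` type rather than the config, because the provider only sees the controller's keys on the cluster side; a Secret that is being created has no `before` and is correctly left alone. Once `ignore_changes = [data]` is in place the plan no longer contains the update and the guard passes, but note the trade-off: with `data` ignored, Terraform will also not report an unexpected change to that Secret's contents, so drift on it has to be watched from the cluster side.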
