Terraform v0.12.19
kubernetes_config_map (presumably any kubernetes resource)
data "aws_eks_cluster" "cluster" {
  name = module.eks.cluster_id
}
data "aws_eks_cluster_auth" "cluster" {
  name = module.eks.cluster_id
}
provider "kubernetes" {
  host = data.aws_eks_cluster.cluster.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
  token = data.aws_eks_cluster_auth.cluster.token
  load_config_file = false
  version = "1.10" # I have tried with 1.9, 1.10, 1.11.0, 1.11.1 all with the exact same result
}
resource "kubernetes_config_map" "aws_auth" {
  metadata {
    name = "aws-auth"
    namespace = "kube-system"
  }
  data = {
    mapRoles = templatefile("files/aws_config_map.yml", {
      ENVIRONMENT : var.environmentKey
      WORKSPACE : terraform.workspace
      TEAM : var.team_name
      REGION : var.region
      ACCOUNT : data.aws_caller_identity.current.account_id
      WORKER_ROLE_NAME : module.eks.worker_iam_role_name
    })
  }
  depends_on = [module.eks.cluster_certificate_authority_data]
}
kubernetes_config_map.aws_auth: Importing from ID "kube-system/aws-auth"...
kubernetes_config_map.aws_auth: Import prepared!
Prepared kubernetes_config_map for import
kubernetes_config_map.aws_auth: Refreshing state... [id=kube-system/aws-auth]
Error: Get http://localhost/api/v1/namespaces/kube-system/configmaps/aws-auth: dial tcp [::1]:80: connect: connection refused
The resource should be imported successfully.
The resource failed to be imported; the Kubernetes provider did not try to reach the correct cluster.
Please list the steps required to reproduce the issue, for example:
terraform init
terraform import kubernetes_config_map.aws_auth kube-system/aws-auth
Using the EKS Terraform module, trying to upgrade from 7.x.x to 8.x.x or greater. We have tried managing the config map ourselves and letting the module continue to manage it, with the same result.
This TODO statement doesn't inspire confidence....
https://github.com/terraform-providers/terraform-provider-kubernetes/blob/master/vendor/github.com/hashicorp/terraform-plugin-sdk/terraform/eval_import_state.go
If I set host to a static value in the provider config, it properly points to the correct host on import, so it seems that the provider's configuration is not being properly loaded when using data elements?
provider "kubernetes" {
  host = "https://NSADJLASFOEKEA.gr7.us-east-1.eks.amazonaws.com"
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
  token = data.aws_eks_cluster_auth.cluster.token
  load_config_file = false
  version = "1.11.1"
}
Error: Get https://NSADJLASFOEKEA.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system/configmaps/aws-auth: x509: certificate signed by unknown authority
I get the same issue using GCP.
Terraform version: 0.12.21
Kubernetes version: 1.11.1
I get the following error when I try to import a deployment:
Error: Cannot import non-existent remote object
The object definitely exists.
TL;DR; This looks like a misconfiguration of the Kubernetes provider (invalid endpoint).
The import operation itself works as it should. I was able to confirm this using (an adaptation of) the supplied example in the issue description. Here's how I did it:
» terraform import kubernetes_config_map.aws_auth kube-system/aws-auth alex@alex-macbook
kubernetes_config_map.aws_auth: Importing from ID "kube-system/aws-auth"...
kubernetes_config_map.aws_auth: Import prepared!
Prepared kubernetes_config_map for import
kubernetes_config_map.aws_auth: Refreshing state... [id=kube-system/aws-auth]
Import successful!
The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.
However, the error originally reported hints towards the provider not getting configured properly.
To confirm this, can you please add outputs that display the values passed into host, token and cluster_ca_certificate?
FWIW there is no version parameter on the Kubernetes provider block (documentation here), so not sure why that was added in there.
provider "kubernetes" {
  load_config_file = false
  host = aws_eks_cluster.mycluster.endpoint
  token = data.aws_eks_cluster_auth.gitlab-runner.token
  cluster_ca_certificate = base64decode(aws_eks_cluster.mycluster.certificate_authority.0.data)
}
.
├── provider.aws
├── provider.cloudflare
├── provider.kubernetes <--- this is the one that's being called
├── provider.terraform
└── module.services
    └── provider.kubernetes
Experiencing the same thing here when importing:
kubernetes_config_map.gitlab-runner: Importing from ID "kube-system/aws-auth"...
kubernetes_config_map.gitlab-runner: Import prepared!
Prepared kubernetes_config_map for import
kubernetes_config_map.gitlab-runner: Refreshing state... [id=kube-system/aws-auth]
Error: Unauthorized
If I run a terraform apply (untargeted)
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
kubernetes_config_map.gitlab-runner: Creating...
Error: configmaps "aws-auth" already exists
on eks-gitlab-setup.tf line 12, in resource "kubernetes_config_map" "gitlab-runner":
12: resource "kubernetes_config_map" "gitlab-runner" {
Then, after that failure, I can go back in and do an import:
kubernetes_config_map.gitlab-runner: Importing from ID "kube-system/aws-auth"...
kubernetes_config_map.gitlab-runner: Import prepared!
Prepared kubernetes_config_map for import
kubernetes_config_map.gitlab-runner: Refreshing state... [id=kube-system/aws-auth]
Import successful!
The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.
I ran into the same thing today. If I comment out the config options for the kubernetes provider then it will use my shell KUBECONFIG which allows the import to work. Apply has no issues.
Hit the same. @FriedCircuits's workaround works!
EDIT: actually seems like a terraform import limitation: https://www.terraform.io/docs/commands/import.html#provider-configuration
I'm running into the same issue, the fix is to set load_config_file to true before running terraform import [...]. After importing set it back to false.
As @tomaspinho mentioned, this is a limitation in the import command. Specifically, a provider configuration cannot depend on a data source. So I'm going to close the issue.
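The limitation cited in the closing comment (during `terraform import`, a provider configuration cannot depend on a data source) can be checked before an import is attempted. The following Python lint is an added example, not code from this thread or from the Terraform project: it lists every provider argument built from something other than `var.*`. The second provider block, its variable names, and the rule that every non-variable reference counts as unsafe are assumptions of the example; the thread confirms the problem only for data sources.

```python
import re

# Constructed sample: the provider block from the issue, then a variable-driven variant.
SAMPLE = '''
provider "kubernetes" {
  host                   = data.aws_eks_cluster.cluster.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
  token                  = data.aws_eks_cluster_auth.cluster.token
  load_config_file       = false
}
provider "kubernetes" {
  alias                  = "from_vars"
  host                   = var.cluster_endpoint
  cluster_ca_certificate = base64decode(var.cluster_ca_data)
  token                  = var.cluster_token
}
'''

PROVIDER = re.compile(r'^\s*provider\s+"([^"]+)"\s*\{', re.M)
ATTR = re.compile(r'^\s*([\w-]+)\s*=\s*(.+)$', re.M)
REF = re.compile(r'\b([A-Za-z_][\w-]*)((?:\.[\w-]+)+)')   # dotted traversal, e.g. data.x.y
STRING = re.compile(r'"((?:\\.|[^"\\])*)"')

def provider_blocks(text):
    """Yield (name, body) per provider block; naive brace matching, fine for linting."""
    for m in PROVIDER.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def bare_expr(expr):
    """Keep only ${...} interpolations from string literals, then drop trailing comments."""
    keep = lambda m: ' '.join(re.findall(r'\$\{([^}]*)\}', m.group(1)))
    return re.split(r'#|//', STRING.sub(keep, expr))[0]

def import_unsafe_args(text):
    """Return (provider, argument, reference) for each reference that is not var.*."""
    findings = []
    for name, body in provider_blocks(text):
        for arg, expr in ATTR.findall(body):
            for root, rest in REF.findall(bare_expr(expr)):
                if root != 'var':   # assumption: only input variables are known at import
                    findings.append((name, arg, root + rest))
    return findings

if __name__ == '__main__':
    for provider, arg, ref in import_unsafe_args(SAMPLE):
        print(f'provider "{provider}": {arg} depends on {ref}')
```

An empty result means the provider block uses only literals and input variables, so the import does not rely on values that are unavailable at import time.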