Terraform-provider-kubernetes: Cannot Import Kubernetes Namespace

Same for storage class.
Terraform v0.13.2

Same with Terraform v0.13.2.
Have anyone tried to do some workaround on this, like providing some config file?

Don't have this issue with terraform 0.12 but I had to recreate/reimport my state file.

Don't have this issue with terraform 0.12 but I had to recreate/reimport my state file.

But won't v0.12 say that the state file has been created by v0.13? How do you recreate it? Do you inmport all the resources again with v0.12?

Same issue here. I'm able to run Apply and Plan, but I cannot import any Kubernetes resource with version 0.13.2.

I have this provider config:

provider "kubernetes" {
  load_config_file       = false
  host                   = var.main_cluster_gke_host
  cluster_ca_certificate = var.main_cluster_gke_cluster_ca_certificate
  token                  = var.main_cluster_access_token
  version                = "~> 1.13"
}

So if I just use load_config_file:

provider "kubernetes" {
  load_config_file       = true
  # host                   = var.main_cluster_gke_host
  # cluster_ca_certificate = var.main_cluster_gke_cluster_ca_certificate
  # token                  = var.main_cluster_access_token
  # version                = "~> 1.13"
}

It works setting local instead of remote on Terraform cloud, just for Import purposes.

I cannot reproduce this. Here's how I tried and managed to import the namespace:

» kubectl create ns namespace

namespace/namespace created
-----------------------------------------------------------------------------------------------------------------------------
» kubectl get ns

NAME              STATUS   AGE
default           Active   45m
kube-node-lease   Active   45m
kube-public       Active   45m
kube-system       Active   45m
namespace         Active   8m7s
-----------------------------------------------------------------------------------------------------------------------------
» terraform import kubernetes_namespace.namespace namespace

kubernetes_namespace.namespace: Importing from ID "namespace"...
kubernetes_namespace.namespace: Import prepared!
  Prepared kubernetes_namespace for import
kubernetes_namespace.namespace: Refreshing state... [id=namespace]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

-----------------------------------------------------------------------------------------------------------------------------
» terraform version

Terraform v0.13.2
+ provider registry.terraform.io/hashicorp/kubernetes v1.12.0
-----------------------------------------------------------------------------------------------------------------------------
» cat main.tf 

provider "kubernetes" {
  version = "=1.12.0"

  load_config_file = false

  host = "https://4EFCE701699E0E3596FA5462C69FD982.gr7.eu-west-1.eks.amazonaws.com"

  cluster_ca_certificate = base64decode("...CA_data_base64=")

  exec {
    api_version = "client.authentication.k8s.io/v1alpha1"
    command = "aws-iam-authenticator"
    args = ["token", "-i", "k8s-acc-d060"]
  }

}

resource "kubernetes_namespace" "namespace" {
  metadata {
    annotations = {
      name = "namespace"
    }

    labels = {
      istio-injection = "enabled"
    }

    name = "namespace"
  }
}
-----------------------------------------------------------------------------------------------------------------------------

My provider config

provider "kubernetes" {
  host                   = module.gke-cluster.endpoint
  cluster_ca_certificate = base64decode(module.gke-cluster.ca_certificate)
  token                  = data.google_client_config.current.access_token
}

I get access token directly from provider.

When dealing with EKS it's recommended to not use the static token. Instead use the exec auth plugin mechanism (either the auth plugin binary or the aws CLI binary).
This ensures that a fresh token is automatically retrieved every time.

provider "kubernetes" {
  version = "=1.12.0"

  load_config_file = false

  host = "https://4EFCE701699E0E3596FA5462C69FD982.gr7.eu-west-1.eks.amazonaws.com"

  cluster_ca_certificate = base64decode("...CA_data_base64=")

  exec {
    api_version = "client.authentication.k8s.io/v1alpha1"
    command = "aws-iam-authenticator"
    args = ["token", "-i", "k8s-acc-d060"]
  }

}

Don't have this issue with terraform 0.12 but I had to recreate/reimport my state file.

But won't v0.12 say that the state file has been created by v0.13? How do you recreate it? Do you inmport all the resources again with v0.12?

I had to clear 0.13 state file and import reimport everything to 0.12.

My provider config

provider "kubernetes" {
  host                   = module.gke-cluster.endpoint
  cluster_ca_certificate = base64decode(module.gke-cluster.ca_certificate)
  token                  = data.google_client_config.current.access_token
}

I get access token directly from provider.

I'll try it out on GKE too.

I tried @alexsomesan 's solution, but it does not work. provider config:

provider "kubernetes" {
  host                   = module.eks-cluster.cluster_endpoint
  cluster_ca_certificate = base64decode(module.eks-cluster.cluster_certificate_authority_data)
  load_config_file       = false
  version                = ">= 1.12.0"

  exec {
    api_version = "client.authentication.k8s.io/v1alpha1"
    command = "aws-iam-authenticator"
    args = ["token", "-i", "eks-cluster"]
  }
}

Tamas,

I see in the “args” attribute that you’ve used the same cluster ID as I
have I my example.

Are you sure that’s the actual ID of the EKS cluster you are using?
Check the command line help for “ aws-iam-authenticator” for details on
what arguments it requires.

On Mon, Sep 14, 2020 at 11:09 AM Tamas Juhasz notifications@github.com
wrote:

>
>

I tried @alexsomesan https://github.com/alexsomesan 's solution, but it
does not work. provider config:

provider "kubernetes" {

host = module.eks-cluster.cluster_endpoint

cluster_ca_certificate = base64decode(module.eks-cluster.cluster_certificate_authority_data)

load_config_file = false

version = ">= 1.12.0"

exec {

api_version = "client.authentication.k8s.io/v1alpha1"

command = "aws-iam-authenticator"

args = ["token", "-i", "k8s-acc-d060"]

}

}

—
You are receiving this because you were mentioned.

Reply to this email directly, view it on GitHub
https://github.com/hashicorp/terraform-provider-kubernetes/issues/980#issuecomment-691926619,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAIL5G5BJ5H7HNWL3GAMYEDSFXMVNANCNFSM4QTBYB7A
.

--

— Sent from my phone.

Hi @alexsomesan ,

I updated my comment. I initialized aws-iam-authenticator with the command

aws-iam-authenticator init -i eks-cluster

Then tried to import, but I got the same error.
My biggest problem is, that Terraform does not tell me what is missing. Kind of hard to debug like this.

Try running the same Terraform commands with the environment variable
“TF_LOG=trace”. This will show you the actual API calls being made to the
cluster and you might get a better idea what’s missing. If you have any
sensitive data in them and want to redact it out paste them here so I can
have a look myself.

On Mon, Sep 14, 2020 at 12:35 PM Tamas Juhasz notifications@github.com
wrote:

>
>

Hi @alexsomesan https://github.com/alexsomesan ,

I updated my comment. I initialized aws-iam-authenticator with the command

aws-iam-authenticator init -i eks-cluster

Then tried to import, but I got the same error.

My biggest problem is, that Terraform does not tell me what is missing.
Kind of hard to debug like this.

—
You are receiving this because you were mentioned.

Reply to this email directly, view it on GitHub
https://github.com/hashicorp/terraform-provider-kubernetes/issues/980#issuecomment-691969289,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAIL5G6US7JTMLYK5JAIMXLSFXWXZANCNFSM4QTBYB7A
.

--

— Sent from my phone.

Are you also using the exec block in the provider like in my example?

Hi @alexsomesan ,

I updated my comment. I initialized aws-iam-authenticator with the command

aws-iam-authenticator init -i eks-cluster

Then tried to import, but I got the same error.
My biggest problem is, that Terraform does not tell me what is missing. Kind of hard to debug like this.

Unfortunately no luck. But honestly, I don't understand why the import does not work the same way and credentials that I can apply changes to the cluster

It should work with the same credentials. I think there is some other issue
hiding here.

Can you share a trace log with us?

You can generate a trace log by setting “TF_LOG=trace” as an environment
variable.

On Fri, Sep 18, 2020 at 1:23 PM Tamas Juhasz notifications@github.com
wrote:

>
>

Unfortunately no luck. But honestly, I don't understand why the import
does not work the same way and credentials that I can apply changes to the
cluster

—
You are receiving this because you were mentioned.

Reply to this email directly, view it on GitHub
https://github.com/hashicorp/terraform-provider-kubernetes/issues/980#issuecomment-694787415,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAIL5GZZQDHFXCFOJXSEEM3SGMYKXANCNFSM4QTBYB7A
.

--

— Sent from my phone.

Hello,

I uploaded the trace logs to gist:
https://gist.github.com/CSimpiFoN/53fa0a6b23795db8548832af0b954679

I have the same issue with importing Google KMS Keyrings:

$ terraform import google_kms_key_ring.keyring_global europe/keyring
Error: Invalid provider configuration

  on backend.tf line 20:
  20: provider "google" {

The configuration for provider["registry.terraform.io/hashicorp/google"]
depends on values that cannot be determined until apply.

Then it seems this is a more common issue, affects multiple providers

@CSimpiFoN @ews99 your issues seem to be unrelated to this one based on the information provided. Please create a separate issue with the information requested in the issue template so we can investigate. Thanks!

@aareet , what you wrote here just makes no sense. Why do you say my issue is not related to my issue and just closed the ticket? Does this want to be a solution? Shall I open the same ticket again?
The fact that terraform import does not work and drops the error message stated in the description still stays, and it is confirmed by multiple users. Would you please reopen this ticket as this is not solved whatsoever?

Thanks

My mistake, reopened.

Thank you :)

@CSimpiFoN The logs you share show that the API request to read the Kubernetes namespace succeeds as expected and returns the namespace to the provider. Something else then causes the failure.

Can you please share the EXACT sequence of terraform commands you are running when you get this issue.
Also, please share the EXACT provider "kubernetes" { block with all of its configuration. You've mentioned multiple versions of it since the initial report and I can't pinpoint the issue without that exact configuration.

If you can also share the terraform TF files you are running this on, it'd be great.

this is not a provider kubernetes issue, it's something core to terraform. I'm seeing this error in almost every provider, including the base google ones.

Core issue:
https://github.com/hashicorp/terraform/issues/26211

Related:
https://github.com/hashicorp/terraform/issues/26258

Closing since this is being tracked upstream in issue https://github.com/hashicorp/terraform/issues/26211

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!