Terraform-provider-kubernetes: sensitive = true forces resource to update

Created on 26 May 2021 · 3 Comments · Source: hashicorp/terraform-provider-kubernetes

Terraform version, Kubernetes provider version and Kubernetes version

Terraform version: 0.15.3
Kubernetes Provider version: kubernetes = "~> 2.2"
Kubernetes version:

➜ kubectl version                                             
Client Version: version.Info{Major:"1", Minor:"18+", GitVersion:"v1.18.9-eks-d1db3c", GitCommit:"d1db3c46e55f95d6a7d3e5578689371318f95ff9", GitTreeState:"clean", BuildDate:"2020-10-20T22:21:03Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"19+", GitVersion:"v1.19.6-eks-49a6c0", GitCommit:"49a6c0bf091506e7bafcdb1b142351b69363355a", GitTreeState:"clean", BuildDate:"2020-12-23T22:10:21Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}


Question

I have a kubernetes_secret resource that Terraform is constantly trying to update, yet the data has NO changes.

resource

resource "kubernetes_secret" "argocd" {
  count = var.ci.runner == "tekton" ? 1 : 0

  type = "Opaque"
  metadata {
    name      = "${var.cd.argocd_application}-argocd-secret"
    namespace = var.ci.tekton_kubernetes_namespace
    labels = {
      client             = var.project_config.client
      argocd_project     = var.project_config.project
      argocd_application = var.cd.argocd_application
    }
  }
  data = {
    ARGOCD_USERNAME = var.cd.argocd_cluster.username
    ARGOCD_PASSWORD = var.cd.argocd_cluster.password
  }
}

plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.backend-dev-build.kubernetes_secret.argocd[0] will be updated in-place
  ~ resource "kubernetes_secret" "argocd" {
      ~ data = (sensitive value)
        id   = "ci/fbmm-backend-dev-argocd-secret"
        # (1 unchanged attribute hidden)

        # (1 unchanged block hidden)
    }

var.cd.argocd_cluster.password is an object with values coming from the following two variables:

variable "rocks_argocd_password" {
  description = "Rocks argocd password (deploy.saritasa.rocks)"
  type        = string
  default     = ""
  sensitive   = true
}

variable "cloud_argocd_password" {
  description = "Cloud argocd password (deploy.saritasa.cloud)"
  type        = string
  default     = ""
  sensitive   = true
}

So again, these password values are not changing, yet Terraform shows that an "update" is required. If I set sensitive = false in both, terraform plan shows NO updates.

Any ideas why it behaves this way?

Labels: question, upstream-terraform

All 3 comments

I am experiencing this as well.

I am pretty concerned/hesitant to apply because I am scared that it will change the values. And if that happens on my cluster, _a lot_ can/will go wrong.

I tried this out on other providers too and got the same issue. If you try this on a field that isn't set to sensitive in its schema, you get this warning in the diff even if the value hasn't changed:

# Warning: this attribute value will be marked as sensitive and will
# not display in UI output after applying this change

I suspect this shows up in the diff because although the value hasn't changed the state is being updated to add the "sensitive_attributes" field to the resource.

I would propose opening this question on the core terraform repo. Having tried it I can see nothing is actually going to change as the values are the same, but I agree that this is a bit confusing.

Acknowledged
