Why does kubernetes provider's data block behavior on nonexistent resources differ from other terraform providers #2672

Open
L1ghtman2k opened this issue Jan 17, 2025 · 1 comment

L1ghtman2k commented Jan 17, 2025

Based on the discussion: hashicorp/terraform#16380

The expectation is that a terraform provider should fail on the data block if the resource addressed by the data block doesn't exist.
This is not the behavior of the terraform kubernetes provider. As a result, I can no longer assume data blocks could be used as assertions that the referenced infrastructure exists. Could there be an opt-in feature on the provider to allow for this behavior?

terraform plan for the following block

data "kubernetes_service_account" "my_svc" {
  metadata {
    name      = "my_svc"
    namespace = "kafka"
  }
}

output "instance_ip_addr" {
  value = data.kubernetes_service_account.my_svc
}

yields the following output:

  + instance_ip_addr = {
      + automount_service_account_token = null
      + default_secret_name             = null
      + id                              = "/"
      + image_pull_secret               = null
      + metadata                        = [
          + {
              + annotations      = {}
              + generation       = 0
              + labels           = {}
              + name             = "my_svc"
              + namespace        = "kafka"
              + resource_version = ""
              + uid              = ""
            },
        ]
      + secret                          = null

even though the SA doesn't exist.

Terraform version, Kubernetes provider version and Kubernetes version

Terraform version: OpenTofu v1.8.1
Kubernetes Provider version: v2.30.0
Kubernetes version: 1.25.12

Edit: seems like over time there have been a number of other providers that had similar issues, though the general consensus is that data blocks should return an error, and some providers have since fixed the incorrect behavior: hashicorp/terraform-provider-azurerm#1223


pacorreia commented Jan 20, 2025

And I want to add on top of this one, that using your generic data provider we get the expected behavior:

data "kubernetes_resource" "namespace" {
  api_version = "v1"
  kind        = "Namespace"
  metadata {
    name = var.aks.service_account_namespace
  }
}

Although the error can be misleading and should be improved

Planning failed. Terraform encountered an error while generating this plan.


│ Error: Provider produced null object

│ Provider "provider["registry.terraform.io/hashicorp/kubernetes"]" produced a null value for module.this.data.kubernetes_resource.namespace.

│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

In this case it clearly is not a bug, because the resource doesn't exist.

So why, using a dedicated data source for namespace, do we still get an object with just the name we provided in it, when it doesn't exist?
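
Added example, not part of the issue thread and not the provider's own code: one way to make the data block from the first post act as an existence assertion is a `postcondition` on the server-assigned `uid`, which the plan output above shows as `""` when the ServiceAccount is missing. It assumes a Terraform or OpenTofu release that supports custom conditions in `lifecycle` blocks, and that the provider keeps returning the empty placeholder object shown in this thread.

```hcl
# Added example. Assumption: a missing object is returned with
# metadata[0].uid = "" (as in the plan output above), while any object that
# exists in the cluster carries a non-empty, server-assigned uid.
data "kubernetes_service_account" "my_svc" {
  metadata {
    name      = "my_svc"
    namespace = "kafka"
  }

  lifecycle {
    postcondition {
      # length() fails on null, so try() turns a null uid into a failed
      # check as well, instead of letting it pass silently.
      condition     = try(length(self.metadata[0].uid) > 0, false)
      error_message = "ServiceAccount kafka/my_svc was not found: the provider returned a placeholder object with an empty uid."
    }
  }
}

# Anything that references the data source is only evaluated after the
# postcondition has passed, so a missing ServiceAccount stops the plan here.
output "my_svc_uid" {
  value = data.kubernetes_service_account.my_svc.metadata[0].uid
}
```

With the ServiceAccount absent, `terraform plan` then stops with the `error_message` above rather than producing the placeholder object.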
