terraform-provider-kubernetes icon indicating copy to clipboard operation
terraform-provider-kubernetes copied to clipboard

Published 20 hours ago verified publisher icon hashicorp

Inconsistent plan with kubernetes_network_policy

Open ghaering opened this issue 2 years ago • 4 comments

Terraform Version, Provider Version and Kubernetes Version

Terraform version: v1.3.9
Kubernetes provider version:  v2.18.1
Kubernetes version: v1.23.16

Affected Resource(s)

kubernetes_network_policy

Terraform Configuration Files

data "aws_network_interface" "elb_interfaces" {
  for_each = toset(var.azs)

  filter {
    name = "description"

    # This is what the description of the load balancer starts with
    values = ["ELB app/k8s-bayersatskubeflow*"]
  }
  filter {
    name   = "availability-zone"
    values = [each.value]
  }
}

resource "kubernetes_network_policy" "allow_from_load_balancer" {
  for_each = toset(var.azs)

  metadata {
    name      = format("allow-from-elb-%s", each.value)
    namespace = var.profile.name
  }

  spec {
    pod_selector {
      match_labels = {
      }
    }

    ingress {
      from {
        ip_block {
          cidr = format("%s/32", data.aws_network_interface.elb_interfaces[each.value].private_ip)
        }
      }

    }

    policy_types = ["Ingress"]
  }
}

Debug Output

Panic Output

Steps to Reproduce

apply the terraform code above multiple times. Always works first time, fails in subsequent runs.

Expected Behavior

No error message about inconsistent plan.

Actual Behavior

I get a ton of these on subsequent runs:

│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ module.kubeflow-profiles["kevin-coffey"].kubernetes_network_policy.allow_from_load_balancer["eu-central-1b"]
│ to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/kubernetes" produced an invalid new value
│ for .spec[0].pod_selector[0].match_labels: was cty.MapValEmpty(cty.String),
│ but now null.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

Important Factoids

References

  • GH-1234

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

ghaering avatar Mar 15 '23 15:03 ghaering

I think what happens here is the API server "swallows" the empty match_labels values and returns nil instead. This violates some expectations of Terraform itself that user configured values do not change between plan and apply.

To work around this, may I suggest not setting match_labels at all when it's empty? Would that be an option for you?

alexsomesan avatar Apr 04 '23 14:04 alexsomesan

We have the same issue with the empty pod_selector {}. @ghaering - have you found a way how to fix the issue? Kubernetes provider version: v2.22.0

yaroslav-ddt avatar Aug 15 '23 14:08 yaroslav-ddt

Unfortunately I don't have a terraform project to test this any longer. We had to migrate to a different solution than NetworkPolicies in the meantime.

ghaering avatar Aug 16 '23 06:08 ghaering

Marking this issue as stale due to inactivity. If this issue receives no comments in the next 30 days it will automatically be closed. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. This helps our maintainers find and focus on the active issues. Maintainers may also remove the stale label at their discretion. Thank you!

github-actions[bot] avatar Aug 16 '24 00:08 github-actions[bot]