terraform-provider-kubernetes
Provider produced inconsistent result after apply
Terraform Version, Provider Version and Kubernetes Version
- Terraform version: v1.5.0
- Kubernetes provider version: 2.4.1
- Kubernetes version: 1.24.12
Affected Resource(s)
- kubernetes_secret
- kubernetes_service_account
Terraform Configuration Files
```hcl
resource "kubernetes_service_account" "hapi_pod_k8s_service_account" {
  metadata {
    name      = "hapi-pod-service-account"
    namespace = local.namespace
    annotations = {
      "iam.gke.io/gcp-service-account" = "${google_service_account.sa_hapi_pods.email}"
    }
  }
  secret {
    name = "${kubernetes_secret.hapi_pod_k8s_service_account_secret.metadata.0.name}"
  }
}

resource "kubernetes_secret" "hapi_pod_k8s_service_account_secret" {
  metadata {
    name      = "hapi-pod-service-account-token"
    namespace = local.namespace
    annotations = {
      "kubernetes.io/service-account.name" = "hapi-pod-service-account"
    }
  }
  type = "kubernetes.io/service-account-token"
}
```
Steps to Reproduce
Expected Behavior
What should have happened?
Kubernetes service account and secret created.
Actual Behavior
What actually happened?

```
Error: Provider produced inconsistent result after apply

When applying changes to kubernetes_secret.hapi_pod_k8s_service_account_secret, provider "provider["registry.terraform.io/hashicorp/kubernetes"]" produced an unexpected new value: Root resource was present, but now absent.

This is a bug in the provider, which should be reported in the provider's own issue tracker.
```
References
- https://github.com/hashicorp/terraform-provider-kubernetes/issues/2136
- https://github.com/hashicorp/terraform-provider-kubernetes/issues/1943#issuecomment-1369546028
After referring to issues/1943/#issuecomment-1369546028 above with my configuration updated as below
```hcl
resource "kubernetes_secret" "hapi_pod_k8s_service_account_secret" {
  metadata {
    annotations = {
      "kubernetes.io/service-account.name" = kubernetes_service_account.hapi_pod_k8s_service_account.metadata.0.name
    }
    namespace     = local.namespace
    generate_name = "${kubernetes_service_account.hapi_pod_k8s_service_account.metadata.0.name}-token-"
  }

  type                           = "kubernetes.io/service-account-token"
  wait_for_service_account_token = true
}

resource "kubernetes_service_account" "hapi_pod_k8s_service_account" {
  metadata {
    name      = "hapi-pod-service-account"
    namespace = local.namespace
  }
}
```
I get the error below
```
Error: Unsupported argument

on main.tf line 221, in resource "kubernetes_secret" "hapi_pod_k8s_service_account_secret":
wait_for_service_account_token = true

An argument named "wait_for_service_account_token" is not expected here.
```
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Hello @pleasure-rhythmos, I attempted this on the latest release and I was able to do terraform apply with no inconsistent result. You may want to use the latest release since I've noticed you are using an older version of the terraform provider.
You'll want to make sure that you apply the tfconfig using only the service account first, then apply the kubernetes_secret resource. This is the intended flow when it comes to making a service account with a secret.
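The ordering described in the comment above (service account first, then the token secret) can be checked before apply. The sketch below is an added example, not code from this issue or from the provider: it walks the `configuration` section of `terraform show -json` plan output and flags a `kubernetes_service_account` that references a `kubernetes.io/service-account-token` secret, as the first configuration in the issue does. Both sample plans are constructed and reduced to the fields the check reads, and all helper names are hypothetical.

```python
TOKEN_TYPE = "kubernetes.io/service-account-token"
SA = "kubernetes_service_account.hapi_pod_k8s_service_account"
SECRET = "kubernetes_secret.hapi_pod_k8s_service_account_secret"

def _plan(sa_expr, secret_expr):
    """Build a constructed, reduced plan 'configuration' section for the two resources."""
    secret_expr = dict(secret_expr, type={"constant_value": TOKEN_TYPE})
    return {"configuration": {"root_module": {"resources": [
        {"address": SA, "type": "kubernetes_service_account", "expressions": sa_expr},
        {"address": SECRET, "type": "kubernetes_secret", "expressions": secret_expr},
    ]}}}

# Constructed sample: first configuration (service account's secret block names the secret).
FIRST = _plan({"secret": [{"name": {"references": [SECRET + ".metadata[0].name", SECRET]}}]}, {})
# Constructed sample: second configuration (secret's annotation names the service account).
SECOND = _plan({}, {"metadata": [{"annotations": {"references": [SA + ".metadata[0].name", SA]}}]})

def collect_refs(node):
    """Gather every address listed under any "references" key in an expressions tree."""
    refs = set()
    if isinstance(node, dict):
        for key, value in node.items():
            refs |= set(value) if key == "references" else collect_refs(value)
    elif isinstance(node, list):
        for item in node:
            refs |= collect_refs(item)
    return refs

def dependencies(res):
    """Resource addresses (type.name) that a resource depends on."""
    refs = collect_refs(res.get("expressions", {})) | set(res.get("depends_on", []))
    return {".".join(ref.split(".")[:2]) for ref in refs}

def find_reversed_order(plan):
    """Return (service_account, secret) pairs where the account depends on a token secret."""
    resources = plan["configuration"]["root_module"]["resources"]
    token_secrets = {
        r["address"] for r in resources
        if r["type"] == "kubernetes_secret"
        and r.get("expressions", {}).get("type", {}).get("constant_value") == TOKEN_TYPE
    }
    return sorted(
        (r["address"], dep)
        for r in resources if r["type"] == "kubernetes_service_account"
        for dep in dependencies(r) & token_secrets
    )

if __name__ == "__main__":
    for label, plan in (("first", FIRST), ("second", SECOND)):
        print(label, find_reversed_order(plan) or "ok")
```

A non-empty result means Terraform will create the token secret before the service account it is bound to.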
Marking this issue as stale due to inactivity. If this issue receives no comments in the next 30 days it will automatically be closed. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. This helps our maintainers find and focus on the active issues. Maintainers may also remove the stale label at their discretion. Thank you!