alekc / terraform-provider-kubectl

Mozilla Public License 2.0

State is updated with new yaml content even if apply fails #60

Open nicolst opened 11 months ago

nicolst commented 11 months ago

When rolling out a change in a manifest, the state file is updated with the new yaml body even if the apply failed, e.g. due to expired credentials etc. If you run plan after this failed apply, it will report no changes, even though the actual in-cluster resources have not been updated.

More specifically, I tried to apply a plan which was planned the day before, which failed because of expired credentials (for Google Kubernetes Engine). Subsequent plan showed no changes, even though the in-cluster yaml had not changed. Rolling back the state file to the previous version and plan/apply-ing again solved the issue.

The error is `failed to create kubernetes rest client for update of resource: Unauthorized`. Taking a quick look at the code where this error is emitted, it may look like it is not easily fixable.

nicolst commented 11 months ago

I see now that this is a duplicate of an existing issue in gavinbunney's repo: https://github.com/gavinbunney/terraform-provider-kubectl/issues/265

alekc commented 11 months ago

Yes, I've seen that issue as well. The diff checking mechanism is pretty much "broken" at the moment: it generates a lot of false positives (`yaml_incluster` has been changed xxx), and lacks a positive on a real issue such as yours. I am looking into it, but it's going to take some time because it would require significant refactoring.

robpearce-flux commented 7 months ago

Believe we're running into this issue also. The quote on https://developer.hashicorp.com/terraform/plugin/framework/diagnostics#how-errors-affect-state suggests "When returning error diagnostics, we recommend resetting the state in the response to the prior state available in the configuration." Is that the refactoring work you're describing?
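The failure mode discussed in this thread, as an added example that is not part of any comment above and is not code from alekc/terraform-provider-kubectl: a small self-contained Go model showing why a failed apply that keeps the planned yaml in state hides drift from the next plan, and how resetting to the prior state on error avoids it. All type and function names (`Cluster`, `UpdateResponse`, `updateKeepPlanned`, `updateResetOnError`, `PlanHasChanges`) are hypothetical, and the plan is assumed to diff stored state against configuration only.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model; the error text is the one quoted in the issue.
var errUnauthorized = errors.New("failed to create kubernetes rest client for update of resource: Unauthorized")

// Cluster stands in for the API server; Expired simulates stale credentials.
type Cluster struct {
	YAML    string
	Expired bool
}

func (c *Cluster) Apply(yaml string) error {
	if c.Expired {
		return errUnauthorized
	}
	c.YAML = yaml
	return nil
}

// UpdateResponse starts out holding the planned value (model assumption).
type UpdateResponse struct {
	State string
	Err   error
}

// updateKeepPlanned reports the error but leaves the planned yaml in State.
func updateKeepPlanned(c *Cluster, prior, planned string) UpdateResponse {
	return UpdateResponse{State: planned, Err: c.Apply(planned)}
}

// updateResetOnError restores the prior state when the apply fails.
func updateResetOnError(c *Cluster, prior, planned string) UpdateResponse {
	resp := UpdateResponse{State: planned, Err: c.Apply(planned)}
	if resp.Err != nil {
		resp.State = prior
	}
	return resp
}

// PlanHasChanges models the next plan: stored state versus configuration.
func PlanHasChanges(state, config string) bool { return state != config }

func main() {
	prior, planned := "replicas: 1", "replicas: 3" // constructed sample yaml
	c := &Cluster{YAML: prior, Expired: true}
	bad := updateKeepPlanned(c, prior, planned)
	good := updateResetOnError(c, prior, planned)
	fmt.Println("apply error:", bad.Err, "| cluster still:", c.YAML)
	fmt.Println("keep planned  -> next plan has changes:", PlanHasChanges(bad.State, planned))
	fmt.Println("reset on error -> next plan has changes:", PlanHasChanges(good.State, planned))
}
```

In the first variant the cluster still holds the old manifest while the next plan is empty, which is the condition to check for after any apply that ended in an authorization error.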