fluxcd / terraform-provider-flux

Terraform and OpenTofu provider for bootstrapping Flux
https://registry.terraform.io/providers/fluxcd/flux/latest
Apache License 2.0

Conditional exec plugin statement fails execution #532

Open gberenice opened 1 year ago

gberenice commented 1 year ago

Hey!

We're building a reusable module and trying to support multiple Kubernetes authentication methods based on the user's preferences. This includes the exec plugin. Currently the provider configuration for the exec plugin looks like this:

    exec = {
      api_version = "client.authentication.k8s.io/v1beta1"
      command     = "aws"
      args = concat(local.exec_profile, [
        "eks", "get-token", "--cluster-name", var.eks_cluster_name
      ], local.exec_role)
    }

When we add a conditional statement like

    exec = local.kube_exec_auth_enabled && length(local.cluster_ca_certificate) > 0 ? { <EXEC_PLUGIN_CONFIG> } : null

this error is thrown:

    │ Error: Value Conversion Error
    │
    │   with provider["registry.terraform.io/fluxcd/flux"],
    │   on providers.tf line 54, in provider "flux":
    │   54: provider "flux" {
    │
    │ An unexpected error was encountered trying to build a value. This is always an error in the provider. Please report the following
    │ to the provider developer:
    │
    │ Received unknown value, however the target type cannot handle unknown values. Use the corresponding `types` package type or a
    │ custom type that handles unknown values.
    │
    │ Path: kubernetes.exec
    │ Target Type: *provider.KubernetesExec
    │ Suggested Type: basetypes.ObjectValue

Provider version: v1.0.1

swade1987 commented 7 months ago

Hello @gberenice ,

I hope you're doing well! I'm the newest contributor to this repository, and I'm currently in the process of issue grooming to ensure that all concerns are addressed promptly and efficiently.

I noticed this issue you reported and wanted to check in with you to see if it's still affecting your work. Your feedback is invaluable to us, and any additional insights or updates you can share would be greatly appreciated to help us understand and solve the problem more effectively.

If this issue has been resolved, could you please share how it was fixed? This information could be incredibly helpful to others in the community facing similar problems. It would also allow us to close this issue with a clear resolution. In case the issue is still open and troubling you, let's work together to find a solution. Your satisfaction and the smooth functioning of our project are our top priorities.

Thank you for your time and contributions to our community. Looking forward to your response!

Best regards,

Steve

gberenice commented 7 months ago

Hey @swade1987! We haven't touched this functionality for a while, so I can't confirm whether it reproduces with newer provider versions at this point. Our workaround was to avoid conditional statements for the exec.

swade1987 commented 7 months ago

Hey @gberenice, no problem at all. Are you happy for this issue to be closed, and can you re-open it if/when the time comes?

gberenice commented 7 months ago

I'm not sure how to handle this correctly because:

  1. There are upvotes from other community members on this issue, so I guess they've faced the same issue.
  2. I see a similar problem here https://github.com/fluxcd/terraform-provider-flux/issues/558, but for git.ssh.

I can try to spin up an environment and reproduce this error a bit later.

swade1987 commented 7 months ago

@gberenice sounds good. Can I please recommend you use the latest version of the Terraform provider to run your test?

swade1987 commented 7 months ago

@gberenice how did you get on when using the latest version of the provider?

swade1987 commented 7 months ago

Closing due to the lack of activity on the issue. If this issue is still important to you, please feel free to raise another one.

tomaaron commented 4 months ago

@swade1987 can you reopen this issue? We're interested in this feature and we're using the latest provider.

tomaaron commented 4 months ago

Here is an example of how to use the Kubernetes provider with conditional exec:

    provider "kubernetes" {
      # Use the Kubernetes cluster, created by the Cluster module
      host               = var.kubernetes_host
      client_certificate = var.kubernetes_client_certificate

      client_key             = var.kubernetes_client_key
      cluster_ca_certificate = var.kubernetes_cluster_ca_certificate

      dynamic "exec" {
        for_each = var.aws_cluster_name != null ? [1] : []

        content {
          api_version = "client.authentication.k8s.io/v1"
          args        = ["eks", "get-token", "--cluster-name", var.aws_cluster_name]
          command     = "aws"
          env = {
            AWS_PROFILE = var.kubernetes_cluster_name
          }
        }
      }
    }

And this is what I have been trying with the flux provider v1.3.0:

    provider "flux" {
      kubernetes = {
        host                   = var.kubernetes_host
        client_certificate     = var.kubernetes_client_certificate
        client_key             = var.kubernetes_client_key
        cluster_ca_certificate = var.kubernetes_cluster_ca_certificate
        exec = length(var.aws_cluster_name) > 0 ? {
          api_version = "client.authentication.k8s.io/v1"
          args        = ["eks", "get-token", "--cluster-name", var.aws_cluster_name]
          command     = "aws"
          env = {
            AWS_PROFILE = var.kubernetes_cluster_name
          }
        } : null
      }
    ...
    }

But as @gberenice already reported, it's throwing the following error:

    ╷
    │ Error: Value Conversion Error
    │
    │   with provider["registry.opentofu.org/fluxcd/flux"],
    │   on main.tf line 20, in provider "flux":
    │   20: provider "flux" {
    │
    │ An unexpected error was encountered trying to build a value. This is always an error in the provider. Please report the following to the provider developer:
    │
    │ Received unknown value, however the target type cannot handle unknown values. Use the corresponding `types` package type or a custom type that handles unknown
    │ values.
    │
    │ Path: kubernetes.exec
    │ Target Type: *provider.KubernetesExec
    │ Suggested Type: basetypes.ObjectValue

guipace commented 1 week ago

I'm also facing this exact problem. Was anyone able to find a workaround?

tomaaron commented 5 days ago

Yes, double maintenance work and maintain two types of definitions.