kubernetes_manifest: inconsistent result after apply, [] vs null

[sdahlbac]

Terraform Version, Provider Version and Kubernetes Version

terraform -v
Terraform v1.1.9
on darwin_amd64
+ provider registry.terraform.io/anasinnyk/onepassword v1.2.1
+ provider registry.terraform.io/hashicorp/helm v2.5.1
+ provider registry.terraform.io/hashicorp/kubernetes v2.11.0

cert-manager 1.8.0 installed via helm, currently with a CA issuer as ClusterIssuer

Affected Resource(s)

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

resource "kubernetes_manifest" "kafka-0-certificate" {
  manifest = {
    apiVersion = "cert-manager.io/v1"
    kind       = "Certificate"
    metadata = {
      name      = "kafka-0-certificate"
      namespace = "core"
    }
    spec = {
      commonName = "kafka-0"
      dnsNames = concat([
        "kafka-0.kafka-headless.core",
        "kafka-0.kafka-headless.core.svc.cluster.local",
        "kafka-0.kafka-headless"
      ], var.extra-dns-SANs)
      ipAddresses = var.extra-ip-SANs
      usages = [
        "key encipherment",
        "data encipherment",
        "digital signature",
        "server auth",
        "client auth"
      ]
      secretName = "kafka-0-tls-secret"
      issuerRef = {
        name = "cert-issuer"
        kind = "ClusterIssuer"
      }
      keystores = {
        jks = {
          create = true
          passwordSecretRef = {
            name = "kafka-secret"
            key  = "broker_keystore_creds"
          }
        }
      }
    }
  }
}

if var.extra-ip-SANs is `[]`, 

if I instead set it to null it kinda works, but then idempotency is lost:

  # module.kafka.kubernetes_manifest.kafka-0-certificate will be updated in-place
  ~ resource "kubernetes_manifest" "kafka-0-certificate" {
      ~ object   = {
          ~ spec       = {
              ~ ipAddresses             = null -> (known after apply)
                # (17 unchanged elements hidden)
            }
            # (3 unchanged elements hidden)
        }
        # (1 unchanged attribute hidden)
    }

Debug Output

Panic Output

Steps to Reproduce

terraform apply

Expected Behavior

What should have happened?

Actual Behavior

What actually happened?

│ Error: Provider produced inconsistent result after apply │ │ When applying changes to module.kafka.kubernetes_manifest.kafka-0-certificate, provider "provider[\"registry.terraform.io/hashicorp/kubernetes\"]" produced an unexpected new value: .object.spec.ipAddresses: was │ cty.ListValEmpty(cty.String), but now null. │ │ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Important Factoids

References

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[arybolovlev]

Hi @sdahlbac,

Could you please try the following changes and let us know if it works?

resource "kubernetes_manifest" "kafka-0-certificate" {
  computed_fields = [“spec.ipAddresses”]
  manifest = {
  ...

Thank you.

[sdahlbac]

That seems to work, yes.

Thanks

From: Aleksandr Rybolovlev @.> Date: Wednesday, 1. June 2022 at 19.16 To: hashicorp/terraform-provider-kubernetes @.> Cc: Simon Dahlbacka @.>, Mention @.> Subject: Re: [hashicorp/terraform-provider-kubernetes] kubernetes_manifest: inconsistent result after apply, [] vs null (Issue #1719)

Hi @sdahlbachttps://github.com/sdahlbac,

Could you please try the following changes and let us know if it works?

resource "kubernetes_manifest" "kafka-0-certificate" {

computed_fields = [“spec.ipAddresses”]

manifest = {

...

Thank you.

— Reply to this email directly, view it on GitHubhttps://github.com/hashicorp/terraform-provider-kubernetes/issues/1719#issuecomment-1143813933, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AAFA7IZXHQLHOSZG4IFAFR3VM6EEHANCNFSM5WEX3Z3Q. You are receiving this because you were mentioned.Message ID: @.***>

[vladimirtiukhtin]

@arybolovlev I hit the same issue. Adding computed_fields = ["spec.isCA"] worked