opentelekomcloud / terraform-provider-opentelekomcloud

Terraform OpenTelekomCloud provider
https://registry.terraform.io/providers/opentelekomcloud/opentelekomcloud/latest
Mozilla Public License 2.0

[CCE] `data/opentelekomcloud_cce_cluster_kubeconfig_v3` `user.client-certificate-data` validity forces replacement #2381

Open Nemental opened 9 months ago

Nemental commented 9 months ago

Terraform provider version

Terraform v1.5.7
on linux_amd64
+ provider registry.terraform.io/hashicorp/local v2.4.0
+ provider registry.terraform.io/opentelekomcloud/opentelekomcloud v1.35.12

Affected Resource(s)

Terraform Configuration Files

data "opentelekomcloud_cce_cluster_kubeconfig_v3" "k8s_config_cce-dev-shared-kubernetes-shared" {
  cluster_id = opentelekomcloud_cce_cluster_v3.cce-dev-shared-kubernetes-shared.id
}

resource "local_file" "k8s_config_cce-dev-shared-kubernetes-shared" {
  content         = data.opentelekomcloud_cce_cluster_kubeconfig_v3.k8s_config_cce-dev-shared-kubernetes-shared.kubeconfig
  filename        = "path/to/config"
  file_permission = "0644"
}

Debug Output/Panic Output

  # local_file.k8s_config_cce-dev-shared-kubernetes-shared must be replaced
-/+ resource "local_file" "k8s_config_cce-dev-shared-kubernetes-shared" {
      ~ content              = jsonencode(
          ~ {
              ~ users           = [
                  ~ {
                        name = "user"
                      ~ user = {
                          ~ client-certificate-data = "XXXXX" -> "XXXXX"
                            # (1 unchanged attribute hidden)
                        }
                    },
                ]
                # (6 unchanged attributes hidden)
            } # forces replacement
        )
      ~ content_base64sha256 = "XXXXX" -> (known after apply)
      ~ content_base64sha512 = "XXXXX" -> (known after apply)
      ~ content_md5          = "XXXXX" -> (known after apply)
      ~ content_sha1         = "XXXXX" -> (known after apply)
      ~ content_sha256       = "XXXXX" -> (known after apply)
      ~ content_sha512       = "XXXXX" -> (known after apply)
      ~ id                   = "XXXXX" -> (known after apply)
        # (3 unchanged attributes hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Steps to Reproduce

  1. terraform apply

Expected Behavior

Maybe an argument to specify absolute date instead of duration?

Actual Behavior

Kubeconfig forces replacement because of the certificate validity, which is calculated based on the duration argument and the current timestamp.

Important Factoids

References

anton-sidelnikov commented 9 months ago

Hi @Nemental, what I figured out is that the client-certificate does not depend on the duration value; it is recreated each time you request the API. I'm sure there is some logic beneath, based on the current timestamp or maybe something else, but this is the backend and we can't fix that. But you can create a customer issue on the helpcenter; maybe we can get some updates for the API.

Anyway, I can add an additional parameter if you want, like expiry_date = "2024-02-01", from which we can calculate the duration like:

        currentTime := time.Now()
        t, err := time.Parse(time.RFC3339, fmt.Sprintf("%sT00:00:00Z", expiryDate))
        if err != nil {
            return fmterr.Errorf("error Parsing Expiration Date: %s", err)
        }
        duration = int(t.Sub(currentTime).Hours() / 24)

This won't fix our problem, but it can be useful. What do you think?

Nemental commented 9 months ago

@anton-sidelnikov I'll open a customer issue to address this topic... Maybe they'll add an API parameter to specify an absolute date or something like this. I already tried a solution approach similar to yours but couldn't finish due to lack of time... (: I'd appreciate an additional parameter like expiry_date, because it's way better than my temporary solution ;)

  lifecycle {
    ignore_changes = [content]
  }
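With `ignore_changes = [content]` Terraform stops rewriting the file, so the client certificate stored in it ages until it expires. The following is an added example, not code from the provider or from either commenter: it reads `client-certificate-data` from a JSON kubeconfig (the form shown in the plan output above) and reports the days of validity left. The names `daysLeft` and `sampleKubeconfig` are hypothetical, and the sample certificate is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// daysLeft (hypothetical helper): whole days until the first user's client cert expires; negative if expired.
func daysLeft(raw []byte, now time.Time) (int, error) {
	var kc struct { // encoding/json matches the "users" and "user" keys case-insensitively
		Users []struct{ User struct{ Cert string `json:"client-certificate-data"` } }
	}
	if err := json.Unmarshal(raw, &kc); err != nil {
		return 0, err
	}
	if len(kc.Users) == 0 {
		return 0, fmt.Errorf("kubeconfig has no users")
	}
	pemBytes, err := base64.StdEncoding.DecodeString(kc.Users[0].User.Cert)
	block, _ := pem.Decode(pemBytes)
	if err != nil || block == nil {
		return 0, fmt.Errorf("client-certificate-data is not base64-encoded PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	return int(cert.NotAfter.Sub(now).Hours() / 24), nil
}

// sampleKubeconfig builds constructed input around a throwaway self-signed certificate.
func sampleKubeconfig(notAfter time.Time) []byte {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.AddDate(0, 0, -7), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, key)
	b64 := base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	return []byte(fmt.Sprintf(`{"users":[{"name":"user","user":{"client-certificate-data":%q}}]}`, b64))
}

func main() {
	now := time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println(daysLeft(sampleKubeconfig(now.AddDate(0, 0, 30)), now))
}
```

A scheduled job can run this check against the written file and trigger a re-issue when the remaining days drop below a threshold.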