akuity / terraform-provider-akp

Terraform provider for managing Akuity Platform resources

Home Page: https://registry.terraform.io/providers/akuity/akp/latest

`akp_cluster` shows in-place update on every plan with generated `kube_config.token`

morey-tech opened this issue

When using the google_client_config resource to supply a generated token to the akp_cluster resource, it will show an in-place update on each plan for the kube_config.token argument.

```
  # akp_cluster.gke-01 will be updated in-place
  ~ resource "akp_cluster" "gke-01" {
        id          = "idmua4j5kt9zy9qb"
      ~ kube_config = {
          ~ token                  = (sensitive value)
            # (4 unchanged attributes hidden)
        }
      ~ manifests   = (sensitive value)
        name        = "gke-01"
        # (5 unchanged attributes hidden)
    }
```

Terraform config:

```hcl
resource "google_container_cluster" "gke-01" {
  name     = "akuity-example-gke-01"
  location = var.region

  remove_default_node_pool = true
  initial_node_count       = 1

  network    = google_compute_network.vpc.name
  subnetwork = google_compute_subnetwork.subnet.name

  master_auth {
    client_certificate_config {
      issue_client_certificate = true
    }
  }
}

data "google_client_config" "current" {}

resource "akp_cluster" "gke-01" {
  instance_id = akp_instance.argocd.id
  kube_config = {
    host                   = "https://${google_container_cluster.gke-01.endpoint}"
    token                  = data.google_client_config.current.access_token
    client_certificate     = "${base64decode(google_container_cluster.gke-01.master_auth.0.client_certificate)}"
    client_key             = "${base64decode(google_container_cluster.gke-01.master_auth.0.client_key)}"
    cluster_ca_certificate = "${base64decode(google_container_cluster.gke-01.master_auth.0.cluster_ca_certificate)}"
  }
  name      = "gke-01"
  namespace = "akuity"
  labels = {
    provider = "gcp"
  }
  annotations = {
    argocd-enabled = "false"
  }
  spec = {
    description = "gcp 01 cluster"
    data = {
      size = "small"
    }
  }
}
```

Is this a bug with the provider or the way I have it set up?

@morey-tech I have tried to hardcode the token into the kube_config but could not reproduce the issue. Could you verify that the token value actually never changes?

I believe the token provided by google_client_config (used as data.google_client_config.current.access_token) is generated each time (not static). This is a common pattern when managing GKE clusters in Terraform.

In this case, it is expected behavior to show in-place update since the token does change every time?
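
One way to check whether the token value really differs between plans, as an added example that is not from this thread or from the provider: diff `before` and `after` in `terraform show -json` output and report only the attribute paths that changed, never their values. The sample plan is constructed, and the `volatile` list passed in is an assumption taken from the two attributes shown changing in the plan output above.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# All values are made up. A real JSON plan holds sensitive values in clear
# text, so treat the file itself as a secret and delete it after the check.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [{
  "address": "akp_cluster.gke-01",
  "change": {
    "actions": ["update"],
    "before": {"name": "gke-01",
               "kube_config": {"host": "https://203.0.113.10",
                               "token": "constructed-token-A"},
               "manifests": "constructed-manifests-A"},
    "after":  {"name": "gke-01",
               "kube_config": {"host": "https://203.0.113.10",
                               "token": "constructed-token-B"},
               "manifests": "constructed-manifests-B"}
  }}]}
""")

def changed_paths(before, after, prefix=""):
    """Return dotted attribute paths whose values differ (paths only, no values)."""
    if isinstance(before, dict) and isinstance(after, dict):
        paths = []
        for key in sorted(set(before) | set(after)):
            paths += changed_paths(before.get(key), after.get(key), f"{prefix}{key}.")
        return paths
    return [] if before == after else [prefix.rstrip(".")]

def classify_updates(plan, volatile):
    """Map each in-place update to (changed paths, True if only volatile paths changed)."""
    result = {}
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if change["actions"] != ["update"]:
            continue  # creates, deletes and replacements always need review
        paths = changed_paths(change.get("before") or {}, change.get("after") or {})
        result[rc["address"]] = (paths, bool(paths) and set(paths) <= set(volatile))
    return result

if __name__ == "__main__":
    # Assumption: these are the paths expected to churn with a regenerated token.
    expected = ("kube_config.token", "manifests")
    for address, (paths, only_volatile) in classify_updates(SAMPLE_PLAN, expected).items():
        print(address, paths, "credential churn only" if only_volatile else "review")
```
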