`akp_cluster` shows in-place update on every plan with generated `kube_config.token`
morey-tech opened this issue · comments
When using the `google_client_config` resource to supply a generated token to the `akp_cluster` resource, it will show an in-place update on each plan for the `kube_config.token` argument.
```
  # akp_cluster.gke-01 will be updated in-place
  ~ resource "akp_cluster" "gke-01" {
        id = "idmua4j5kt9zy9qb"
      ~ kube_config = {
          ~ token = (sensitive value)
            # (4 unchanged attributes hidden)
        }
      ~ manifests = (sensitive value)
        name = "gke-01"
        # (5 unchanged attributes hidden)
    }
```
Terraform config:
```hcl
resource "google_container_cluster" "gke-01" {
  name                     = "akuity-example-gke-01"
  location                 = var.region
  remove_default_node_pool = true
  initial_node_count       = 1
  network                  = google_compute_network.vpc.name
  subnetwork               = google_compute_subnetwork.subnet.name
  master_auth {
    client_certificate_config {
      issue_client_certificate = true
    }
  }
}

data "google_client_config" "current" {}

resource "akp_cluster" "gke-01" {
  instance_id = akp_instance.argocd.id
  kube_config = {
    host                   = "https://${google_container_cluster.gke-01.endpoint}"
    token                  = data.google_client_config.current.access_token
    client_certificate     = "${base64decode(google_container_cluster.gke-01.master_auth.0.client_certificate)}"
    client_key             = "${base64decode(google_container_cluster.gke-01.master_auth.0.client_key)}"
    cluster_ca_certificate = "${base64decode(google_container_cluster.gke-01.master_auth.0.cluster_ca_certificate)}"
  }
  name      = "gke-01"
  namespace = "akuity"
  labels = {
    provider = "gcp"
  }
  annotations = {
    argocd-enabled = "false"
  }
  spec = {
    description = "gcp 01 cluster"
    data = {
      size = "small"
    }
  }
}
```
Is this a bug with the provider or the way I have it set up?
@morey-tech I have tried to hardcode the token into the `kube_config` but could not reproduce the issue, could you verify that the token value actually never changes?
I believe the token provided by `google_client_config` (used as `data.google_client_config.current.access_token`) is generated each time (not static). This is a common pattern when managing GKE clusters in Terraform.
> I believe the token provided by `google_client_config` (used as `data.google_client_config.current.access_token`) is generated each time (not static). This is a common pattern when managing GKE clusters in Terraform.
In this case, it is expected behavior to show in-place update since the token does change every time?
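
An added example, not part of the thread and not the provider's code: one way to check the question raised above, whether the value hidden behind `(sensitive value)` really differs between state and plan, is to read the JSON form of a saved plan and compare fingerprints instead of the secrets themselves. The sample plan, its token values and the function names are constructed for illustration.

```python
import hashlib
import json

# Constructed sample shaped like `terraform show -json <planfile>`; tokens are made up.
SAMPLE_PLAN = json.loads("""{"resource_changes": [{
  "address": "akp_cluster.gke-01",
  "change": {"actions": ["update"],
    "before": {"name": "gke-01", "kube_config": {"host": "h", "token": "example-token-A"}},
    "after":  {"name": "gke-01", "kube_config": {"host": "h", "token": "example-token-B"}},
    "after_sensitive": {"kube_config": {"token": true}}}}]}""")

def leaves(value, path=()):
    """Yield (path, value) for every non-dict leaf; lists are compared whole."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from leaves(child, path + (key,))
    else:
        yield path, value

def is_sensitive(mask, path):
    """Follow the sensitivity mask along path; True marks a whole subtree."""
    for step in path:
        if mask is True:
            return True
        try:
            mask = mask[step]
        except (KeyError, TypeError):
            return False
    return mask is True

def fingerprint(value):
    """SHA-256 prefix: compare secrets across plans without printing them."""
    return hashlib.sha256(json.dumps(value).encode()).hexdigest()[:12]

def changed_attributes(plan):
    """Map updated resources to [(path, sensitive, before_fp, after_fp)]."""
    report = {}
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if "update" not in change["actions"]:
            continue
        before = dict(leaves(change.get("before") or {}))
        after = dict(leaves(change.get("after") or {}))
        report[rc["address"]] = [
            (".".join(p), is_sensitive(change.get("after_sensitive", {}), p),
             fingerprint(before.get(p)), fingerprint(after.get(p)))
            for p in sorted(set(before) | set(after))
            if before.get(p) != after.get(p)]
    return report
```

`terraform show -json` writes sensitive values in plain text, so the plan file and its JSON output should be handled as secrets and deleted after the check.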