vmware-archive / kubecfg

A tool for managing complex enterprise Kubernetes environments as code.


help with programmatic usage

cludden opened this issue · comments

First of all, great work on this! I was super happy to find this after ksonnet, so thank you! Anyways..

I often find myself using hacky terraform (either splitting k8s config between terraform and yaml or using null_resource+local-exec to coordinate kubecfg executions with related infra changes) and was contemplating mocking up a terraform-provider-kubecfg. I'm wondering if it is possible to use kubecfg programmatically today, or if this is considered an anti-pattern?

An example of this use case is associating an AWS IAM role with a Kubernetes service account or provisioning Kubernetes configmaps/secrets with terraform attributes. In my head, I'm envisioning something along the lines of:

// in manifest.jsonnet
local kube = import 'https://raw.githubusercontent.com/bitnami-labs/kube-libsonnet/master/kube.libsonnet';

function(
  labels={},
  name='foo',
  namespace='default',
  role_arn=null,
) {
  // provision service account
  service_account: kube.ServiceAccount('%s-serviceaccount' % name) {
    metadata+: {
      annotations+: {
        'eks.amazonaws.com/role-arn': role_arn,
      },
      labels+: labels,
      namespace: namespace,
    },
  },

  // ...
}

# in main.tf
provider "aws" {
  region = var.region
}

provider "kubecfg" {
  // similar config to kubernetes provider
}

resource "aws_iam_role" "example" {
  name        = var.name
  description = "iam role for k8s service account"
}

resource "kubecfg_manifest" "example" {
  manifest = "${path.module}/manifest.jsonnet"

  args {
    labels    = local.tags
    name      = var.name
    namespace = var.namespace
    role_arn  = aws_iam_role.example.arn
  }
}

I'd really appreciate any general feedback on the idea in general and thoughts on feasibility.
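The "null_resource + local-exec" route the issue mentions can be made less hacky today without a provider: hand the Terraform attributes to the Jsonnet function as top-level arguments and verify the rendered objects before applying. The script below is an added illustration of that glue, not code from the kubecfg project or from the issue author. It assumes `kubecfg` is on PATH and accepts its usual Jsonnet flags (`--tla-str`, `--tla-code`, `show -o json`); the input document, the regexes and the hypothetical `check_service_account` rule are constructed for the example. Its security-relevant step is the fail-closed validation: a malformed `role_arn` or a bad DNS label never reaches the cluster, and the ServiceAccount is confirmed to carry exactly the ARN Terraform computed before `kubecfg update` runs.

```python
"""Run kubecfg with Terraform-supplied values as Jsonnet top-level arguments (example glue)."""
import json
import re
import subprocess
import sys

# Constructed sample input: the JSON a local-exec step would pipe to this script.
SAMPLE_INPUT = {
    "manifest": "manifest.jsonnet",
    "name": "foo",
    "namespace": "default",
    "role_arn": "arn:aws:iam::123456789012:role/foo-irsa",
    "labels": {"team": "platform", "managed-by": "terraform"},
}

# Kubernetes DNS-1123 label shape, and a conservative IAM role ARN shape (assumed, not from the page).
DNS_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")
ROLE_ARN = re.compile(r"^arn:aws(?:-[a-z]+)?:iam::\d{12}:role/[\w+=,.@/-]+$")


def validate(args):
    """Return a list of problems with the Terraform-provided arguments; empty means OK."""
    problems = []
    for key in ("name", "namespace"):
        if not DNS_LABEL.match(args.get(key) or ""):
            problems.append(f"{key} is not a valid DNS label: {args.get(key)!r}")
    role_arn = args.get("role_arn")
    if role_arn is not None and not ROLE_ARN.match(role_arn):
        problems.append(f"role_arn does not look like an IAM role ARN: {role_arn!r}")
    labels = args.get("labels", {})
    if not isinstance(labels, dict) or not all(isinstance(v, str) for v in labels.values()):
        problems.append("labels must be a map of string to string")
    return problems


def build_argv(args, subcommand="show"):
    """Translate the attributes into a kubecfg command line.

    Strings go through --tla-str; the labels map goes through --tla-code as JSON,
    which is valid Jsonnet. Keys match the parameters of the manifest's top-level function.
    """
    argv = ["kubecfg", subcommand]
    if subcommand == "show":
        argv += ["-o", "json"]
    for key in ("name", "namespace", "role_arn"):
        if args.get(key) is not None:
            argv += ["--tla-str", f"{key}={args[key]}"]
    argv += ["--tla-code", "labels=" + json.dumps(args.get("labels", {}))]
    argv.append(args["manifest"])
    return argv


def parse_show_output(text):
    """Parse `kubecfg show -o json` output: concatenated JSON documents, or one top-level list."""
    decoder = json.JSONDecoder()
    objs, pos = [], 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return objs
        obj, pos = decoder.raw_decode(text, pos)
        objs.extend(obj if isinstance(obj, list) else [obj])


def check_service_account(objs, expected_arn):
    """True only if the rendered ServiceAccount carries exactly the expected role-arn annotation."""
    for obj in objs:
        if obj.get("kind") == "ServiceAccount":
            annotations = obj.get("metadata", {}).get("annotations", {})
            return annotations.get("eks.amazonaws.com/role-arn") == expected_arn
    return False


def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    args = json.load(sys.stdin)
    problems = validate(args)
    if problems:
        for problem in problems:
            print(problem, file=sys.stderr)
        return 2
    rendered = subprocess.run(build_argv(args), check=True, capture_output=True, text=True).stdout
    if not check_service_account(parse_show_output(rendered), args.get("role_arn")):
        print("rendered ServiceAccount lacks the expected role-arn annotation", file=sys.stderr)
        return 1
    if "--apply" in argv:  # dry-run by default; apply only when asked
        subprocess.run(build_argv(args, "update"), check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Invoke it from `local-exec` as `echo '${jsonencode(local.kubecfg_args)}' | python3 kubecfg_apply.py --apply`, with `local.kubecfg_args` built from the same attributes the proposed `kubecfg_manifest` resource would take; the render-then-verify step is what a real provider would also need to do before reporting success.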