Pod with volume is recreated on each apply #1085

Closed
dak1n1 opened this issue Dec 7, 2020 · 2 comments · Fixed by #1096

@dak1n1
Contributor

dak1n1 commented Dec 7, 2020

Terraform Version, Provider Version and Kubernetes Version

It's a problem in the latest release, and in the current version of the master branch.

$ terraform version
Terraform v0.14.0
+ provider registry.terraform.io/hashicorp/kubernetes v1.13.3

Affected Resource(s)

kubernetes_pod

Terraform Configuration Files

resource "kubernetes_persistent_volume_claim" "test" {
  wait_until_bound = false
  metadata {
    name = "test"
  }
  spec {
    access_modes = ["ReadWriteOnce"]
    resources {
      requests = {
        storage = "1Gi"
      }
    }
  }
}

resource "kubernetes_pod" "main" {
  metadata {
    name = "test"
  }
  spec {
    automount_service_account_token = true
    container {
      name = "default"
      image = "localhost:5000/alpine:3.12.1"
      command = ["sleep", "3600s"]
      volume_mount {
        mount_path = "/etc/test"
        name = "pvc"
      }
    }
    volume {
      name = "pvc"
      persistent_volume_claim {
        claim_name = kubernetes_persistent_volume_claim.test.metadata[0].name
      }
    }
  }
}

Debug Output

https://gist.githubusercontent.com/dak1n1/3a481d1f3d7821dae229a9ceaec8351c/raw/b553996ef15702cc4ff120f670ad0659d0b0f30b/gistfile1.txt

The important part seems to be the volume and volume mount.

              ~ volume_mount { # forces replacement
                    name              = "pvc"
                    # (3 unchanged attributes hidden)
                }
              - volume_mount { # forces replacement
                  - mount_path = "/var/run/secrets/kubernetes.io/serviceaccount" -> null
                  - name       = "default-token-pf8cs" -> null
                  - read_only  = true -> null
                }
            }

          + image_pull_secrets {
              + name = (known after apply)
            }

          - volume { # forces replacement
              - name = "default-token-pf8cs" -> null

              - secret {
                  - default_mode = "0644" -> null
                  - optional     = false -> null
                  - secret_name  = "default-token-pf8cs" -> null
                }
            }

In the Pod resource, these are updated each time terraform apply is run. But in the Deployment resource, these are not updated. Somehow Deployment is working properly, but Pod is not, even though they share a lot of the same code.

Panic Output

N/A

Steps to Reproduce

  1. Apply the Terraform config listed above.
  2. terraform plan will show updates are needed. terraform apply will delete the resource and recreate it each time it's run.

Expected Behavior

terraform plan should be empty directly after running terraform apply.

Actual Behavior

The resource is replaced every time terraform apply is run. The state is never reconciled with the Terraform config.

Important Factoids

It only seems to be a problem in the Pod resource when volumes are used.

References

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
@jrhouston
Collaborator

This doesn't happen for the other resources that use the pod spec because they are templates – the token volume doesn't get mounted until a Pod is actually created, then the volume/volume_mount get injected. So I think what we can do here is in our flattener for volume check for the default-token- prefix and ignore it to stop this diff from happening.
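
The filter proposed in the comment above, as an added Go sketch that is not part of the thread and not the provider's own code. `Volume`, `VolumeMount`, `isInjectedTokenVolume` and `flattenUserVolumes` are hypothetical simplified stand-ins for the Kubernetes API types and the provider's flattener; requiring a Secret source in addition to the `default-token-` prefix is an assumption added here so that a user-declared volume that only shares the prefix still appears in the plan.

```go
package main

import (
	"fmt"
	"strings"
)

// Simplified stand-ins for the Kubernetes API types (assumption, not k8s.io/api).
type Volume struct{ Name, SecretName, ClaimName string }
type VolumeMount struct{ Name, MountPath string }

const tokenPrefix = "default-token-" // prefix proposed in the issue thread

// isInjectedTokenVolume matches a Secret-backed volume whose name carries the
// prefix. Checking the Secret source is an added assumption: a user volume
// that merely shares the prefix (e.g. a PVC) must stay visible in the diff.
func isInjectedTokenVolume(v Volume) bool {
	return strings.HasPrefix(v.Name, tokenPrefix) && v.SecretName != ""
}

// flattenUserVolumes drops injected token volumes and the mounts that refer to them.
func flattenUserVolumes(vols []Volume, mounts []VolumeMount) ([]Volume, []VolumeMount) {
	injected := map[string]bool{}
	keptV := []Volume{}
	for _, v := range vols {
		if isInjectedTokenVolume(v) {
			injected[v.Name] = true
			continue
		}
		keptV = append(keptV, v)
	}
	keptM := []VolumeMount{}
	for _, m := range mounts {
		if !injected[m.Name] {
			keptM = append(keptM, m)
		}
	}
	return keptV, keptM
}

func main() {
	// Constructed sample mirroring the plan output in the issue.
	vols := []Volume{{Name: "pvc", ClaimName: "test"}, {Name: "default-token-pf8cs", SecretName: "default-token-pf8cs"}}
	mounts := []VolumeMount{
		{"pvc", "/etc/test"},
		{"default-token-pf8cs", "/var/run/secrets/kubernetes.io/serviceaccount"},
	}
	fmt.Println(flattenUserVolumes(vols, mounts))
}
```

With the injected volume and its mount filtered out of the flattened state, the state read back from the cluster matches the declared configuration, so the plan no longer shows a forced replacement for them.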

@ghost

ghost commented Jan 21, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Jan 21, 2021