Issue with generate_name in kubernetes_role_binding and kubernetes_cluster_role_binding #588

Closed
wasfree opened this issue Aug 12, 2019 · 10 comments · Fixed by #1899

wasfree commented Aug 12, 2019

Terraform Version

Terraform v0.12.5

Affected Resource(s)

Please list the resources as a list, for example:

  • kubernetes_role_binding
  • kubernetes_cluster_role_binding

Terraform Configuration Files

resource "kubernetes_role_binding" "role_binding" {
  count           = var.role_binding_name != "" ? 1 : 0
  metadata {
    name          = var.role_binding_name
    annotations   = var.annotations
    generate_name = var.generate_name
    labels        = var.labels
    namespace     = var.namespace
  }

  dynamic "role_ref" {
    for_each = var.role_ref
    content {
        name      = lookup(role_ref.value, "name")
        kind      = lookup(role_ref.value, "kind")
        api_group = lookup(role_ref.value, "api_group")
    }
  }

  dynamic "subject" {
    for_each = var.subject
    content {
        name      = lookup(subject.value, "name")
        namespace = lookup(subject.value, "namespace")
        kind      = lookup(subject.value, "kind")
        api_group = lookup(subject.value, "api_group")
    }
  }
}

Expected Behavior

# kubernetes_role_binding.role_binding[0] will be created
  + resource "kubernetes_role_binding" "role_binding" {
      + id = (known after apply)

      + metadata {
          + generate_name    = "foo"
          + generation       = (known after apply)
          + name             = (known after apply)
          + namespace        = "default"
          + resource_version = (known after apply)
          + self_link        = (known after apply)
          + uid              = (known after apply)
        }

      + role_ref {
          + api_group = "rbac.authorization.k8s.io"
          + kind      = "Role"
          + name      = "foo"
        }

      + subject {
          + api_group = "rbac.authorization.k8s.io"
          + kind      = "User"
          + name      = "foo"
          + namespace = "default"
        }
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

kubernetes_role.role: Creating...
kubernetes_role_binding.role_binding[0]: Creating...
kubernetes_role.role: Creation complete after 0s [id=default/fooslxgc]
kubernetes_role_binding.role_binding[0]: Creation complete after 0s [id=default/foo72h2v]

Actual Behavior

Error: Unsupported argument

  on main.tf line 26, in resource "kubernetes_role_binding" "role_binding":
  26:     generate_name = var.generate_name

An argument named "generate_name" is not expected here.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. Create a kubernetes_role_binding or kubernetes_cluster_role_binding resource and set generate_name in metadata.

References

It seems there is only a typo in the argument for the schema definition, so this should be easy to fix.

diff --git a/kubernetes/resource_kubernetes_cluster_role_binding.go b/kubernetes/resource_kubernetes_cluster_role_binding.go
index 10e6b2b5..08516e6c 100644
--- a/kubernetes/resource_kubernetes_cluster_role_binding.go
+++ b/kubernetes/resource_kubernetes_cluster_role_binding.go
@@ -24,7 +24,7 @@ func resourceKubernetesClusterRoleBinding() *schema.Resource {
                },
 
                Schema: map[string]*schema.Schema{
-                       "metadata": metadataSchema("clusterRoleBinding", false),
+                       "metadata": metadataSchema("clusterRoleBinding", true),
                        "role_ref": {
                                Type:        schema.TypeList,
                                Description: "RoleRef references the Cluster Role for this binding",
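Review bot: the bare boolean on the changed line "metadata": metadataSchema("clusterRoleBinding", true), says nothing at the call site about what it enables; the issue text implies it controls whether generate_name is accepted, so add a short comment or a named constant so a reader does not have to open metadataSchema to find out. Nothing in this hunk shows the create or read path, so please also confirm that the prefix is actually sent to the API server and that the ID stored after creation is the server-assigned name rather than an empty one.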
diff --git a/kubernetes/resource_kubernetes_role_binding.go b/kubernetes/resource_kubernetes_role_binding.go
index 6128590f..398a3087 100644
--- a/kubernetes/resource_kubernetes_role_binding.go
+++ b/kubernetes/resource_kubernetes_role_binding.go
@@ -23,7 +23,7 @@ func resourceKubernetesRoleBinding() *schema.Resource {
                },
 
                Schema: map[string]*schema.Schema{
-                       "metadata": namespacedMetadataSchema("roleBinding", false),
+                       "metadata": namespacedMetadataSchema("roleBinding", true),
                        "role_ref": {
                                Type:        schema.TypeList,
                                Description: "RoleRef references the Role for this binding",
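Review bot: no test accompanies the change to "metadata": namespacedMetadataSchema("roleBinding", true), and the patch touches only the two schema lines. Add an acceptance test that creates a role binding with only generate_name set and checks that the returned metadata name starts with the prefix, plus one that sets both name and generate_name and expects a validation error. If the resource documentation does not already list generate_name for these two bindings, update it in the same change.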


@hashibot

This issue has been open 180 days with no activity. If this issue is reproducible with the latest version of the provider and with Terraform 0.12, please comment. Otherwise this issue will be closed in 30 days.

@hashibot hashibot added the stale label Apr 21, 2020
@cowlingj

+1 still a problem with Terraform 0.12 and provider version 1.11.2

@ghost ghost removed the stale label May 11, 2020
@aareet aareet added the bug label Jul 2, 2020
@dsonck92
Contributor

It is still present with version 1.11.4 and Terraform 0.13 (I have reasons for requiring this version) but that should not matter much as it's the plugin that gives an error.

Personally, I don't yet mind as I prefix it anyways and require just 1 name for the governing cluster role but it was unusual to see it unsupported while all other resource types support it, and even the docs claim it is.

@ismailyenigul

ismailyenigul commented Oct 24, 2021

This issue still exists with Terraform version 1.0 and Kubernetes provider version 2.6.1.


variable "eks_cluster_role_mapping" {
  type = map(object({
    role_ref_api_group     = string
    role_ref_kind          = string
    role_ref_name          = string
    role_subject_api_group = string
    role_subject_kind      = string
    role_subject_name      = string
    metadata_name          = string
    })
  )
  default = {
    "reporter" = {
      role_ref_api_group     = "rbac.authorization.k8s.io"
      role_ref_kind          = "ClusterRole"
      role_ref_name          = "view"
      role_subject_api_group = "rbac.authorization.k8s.io"
      role_subject_kind      = "Group"
      role_subject_name      = "reporter"
      metadata_name          = "reporter"
    },
    "contributor" = {
      role_ref_api_group     = "rbac.authorization.k8s.io"
      role_ref_kind          = "ClusterRole"
      role_ref_name          = "edit"
      role_subject_api_group = "rbac.authorization.k8s.io"
      role_subject_kind      = "Group"
      role_subject_name      = "contributor"
      metadata_name          = "contributor"
    }
  }
}


resource "kubernetes_cluster_role_binding" "eks_role_binding" {
  
  for_each = var.eks_cluster_role_mapping
   metadata {
      generate_name = each.value.metadata_name
   }
  role_ref {
   
    name      = each.value.role_ref_name
    kind      = each.value.role_ref_kind
    api_group = each.value.role_ref_api_group
  }

  subject {
    name      = each.value.role_subject_name
    kind      = each.value.role_subject_kind
    api_group = each.value.role_subject_api_group
  }

}

and got

An argument named "generate_name" is not expected here.

provider details:

provider "registry.terraform.io/hashicorp/kubernetes" {
  version     = "2.6.1"
  constraints = ">= 1.11.1, ~> 2.0"
  hashes = [ 
    "h1:DWgawNO2C7IuXC2v9IjTSsqs1vZHSAbP4ilWQ0LdbwI=",
  ]
}

@aidanmelen

aidanmelen commented Mar 27, 2022

This is an issue with your module and not the resource. Let me explain why I think this issue should be closed...

The documentation describes the SOLUTION:

Prefix, used by the server, to generate a unique name ONLY IF the name field has not been provided. This value will also be combined with a unique suffix.

https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_v1#generate_name

To comply with the field you must set your module variables to be nullable like so:

variable "generate_name" {
  description = <<-EOT
    Prefix, used by the server, to generate a unique name. This value will also be combined with a unique suffix.
    Only one of `name` or `generate_name` can be provide.
    EOT
  type        = string
  default     = null
  nullable    = true
}

variable "name" {
  description = "Name of the resource, must be unique. Only one of `name` or `generate_name` can be provide."
  type        = string
  default     = null
  nullable    = true
}

...

resource "kubernetes_role_v1" "r" {
  metadata {
    annotations   = var.annotations
    generate_name = var.generate_name # pass null by default
    labels        = var.labels
    name          = var.name          # pass null by default
    namespace     = var.role_namespace
  }
  ...
}

Then you have two distinct ways to call the module:

module "name_example" {
  source = "../../modules/role"
  name = "pod-reader"
  ...
}

This will result in a Role with the name: pod-reader

module "generate_name_example" {
  source = "../../modules/role"
  generate_name = "pod-reader"
  ...
}

This will result in a Role with the name: pod-readerlwfvm


You will still get an error if the user calls the module -> resource incorrectly i.e. by providing both name and generate_name

module "generate_name_example" {
  source = "../../modules/role"
  name = "pod-reader"
  generate_name = "pod-reader"
  ...
}

will result in this error from the resource

An argument named "generate_name" is not expected here.
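
The one-of rule described in the comment above, as an added example that is not part of the thread or the provider's code: a `precondition` (Terraform 1.2 or later) that fails the plan unless exactly one of `name` and `generate_name` is set, plus an output exposing the server-assigned name so a binding's `role_ref` can reference it instead of a hard-coded string. The `namespace` variable, the pod-reader rule and the `role_name` output are assumptions for illustration.

```hcl
# Added example: hypothetical module wrapping kubernetes_role_v1.
variable "name" {
  type    = string
  default = null
}

variable "generate_name" {
  type    = string
  default = null
}

variable "namespace" { # assumed variable name
  type    = string
  default = "default"
}

resource "kubernetes_role_v1" "r" {
  metadata {
    name          = var.name
    generate_name = var.generate_name
    namespace     = var.namespace
  }

  # Constructed sample rule: read-only access to pods.
  rule {
    api_groups = [""]
    resources  = ["pods"]
    verbs      = ["get", "list", "watch"]
  }

  lifecycle {
    # True only when exactly one of the two variables is non-null.
    precondition {
      condition     = (var.name == null) != (var.generate_name == null)
      error_message = "Set exactly one of name or generate_name."
    }
  }
}

# With generate_name the final name is only known after apply, so
# role bindings should take it from this output.
output "role_name" {
  value = kubernetes_role_v1.r.metadata[0].name
}
```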

@aidanmelen

aidanmelen commented Mar 27, 2022

Interesting. The kubernetes_role_v1 resource is exempt from this issue. The issue can be reproduced with the following resources: kubernetes_cluster_role_v1, kubernetes_role_binding_v1 and kubernetes_cluster_role_binding_v1

@aidanmelen

aidanmelen commented Mar 27, 2022

I suppose a workaround could be to use the random data resource to have terraform generate the random suffix. Not ideal, but that would look something like this:

variable "generate_name" {
  description = <<-EOT
    Prefix, used by the server, to generate a unique name. This value will also be combined with a unique suffix.
    Only one of `name` or `generate_name` can be provide.
    EOT
  type        = string
  default     = null
  nullable    = true
}

variable "name" {
  description = "Name of the resource, must be unique. Only one of `name` or `generate_name` can be provide."
  type        = string
  default     = null
  nullable    = true
}

resource "random_string" "generate_name_suffix" {
  length  = 5
  special = false
  lower   = true
  number  = false
}

resource "kubernetes_role_v1" "r" {
  metadata {
    annotations   = var.annotations
    generate_name = var.generate_name # https://github.com/hashicorp/terraform-provider-kubernetes/issues/588
    labels        = var.labels
    name          = var.name != null ? var.name : "${var.generate_name}${random_string.generate_name_suffix.id}"
    namespace     = var.role_namespace
  }
  ...
}

@vanniszsu

Interesting. The kubernetes_role_v1 resource is exempt from this issue. The issue can be reproduced with the following resources: kubernetes_cluster_role_v1, kubernetes_role_binding_v1 and kubernetes_cluster_role_binding_v1

Can kubernetes_cluster_role_v1, kubernetes_role_binding_v1 and kubernetes_cluster_role_binding_v1 support generate_name now?

@multani
Contributor

multani commented Nov 16, 2022

I'll provide a fix for these 3 resources: #1899

@github-actions

github-actions bot commented Feb 4, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 4, 2023