Provider crashes when creating ServiceAccounts

[jessebye]

Terraform Version, Provider Version and Kubernetes Version

Terraform version: `1.0.7`
Kubernetes provider version: `2.11.0`
Kubernetes version: `1.21`

Affected Resource(s)

• kubernetes_service_account

Terraform Configuration Files

data "aws_eks_cluster" "this" {
  name = var.eks_cluster_name
}

data "aws_eks_cluster_auth" "this" {
  name = var.eks_cluster_name
}

provider "kubernetes" {
  host                   = data.aws_eks_cluster.this.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority.0.data)
  token                  = data.aws_eks_cluster_auth.this.token
}

resource "kubernetes_service_account" "this" {
  count                           = var.create_service_account ? 1 : 0
  automount_service_account_token = true
  metadata {
    annotations = {
      "eks.amazonaws.com/role-arn" = module.iam_assumable_role_admin.iam_role_arn
    }
    name      = local.service_account_name
    namespace = var.service_account_namespace
  }
  image_pull_secret {
    name = var.enable_image_pull_secret ? "docker-config-json" : null
  }
}

Debug Output

https://gist.github.com/jessebye/1dc2ad48b3addbddb3183eeecd7232eb

Panic Output

n/a

Steps to Reproduce

1. terraform apply

Expected Behavior

ServiceAccount is created and the TF state is updated correctly.

Actual Behavior

ServiceAccount is created, but the TF state is not updated.

Important Factoids

n/a

References

n/a

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[hahewlet]

Isn't this a duplicate of #1724?

[jessebye]

@hahewlet I don't think so - that issue is with Kubernetes 1.24. We are using 1.21. Also, the error messages are different in that issue compared to what I'm seeing here.

[BBBmau]

Hello! Thank you for opening this issue. This seems to be a problem with how the provider handles image_pull_secret having name be null

[jrhouston]

I think a better way to do this might be to use a dynamic block here to omit the image_pull_secret block entirely. Like this:

  dynamic "image_pull_secret" {
    for_each = var.enable_image_pull_secret ? [1] : []
    content {
      name = "docker-config-json"
    }
  }

Having an image_pull_secret block with the name attribute set to null seems kind of weird, but is technically allowed by the API.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.