kubernetes_manifest: Conversion from Unstructured to tftypes.Value failed

[adam-dej]

Terraform Version, Provider Version and Kubernetes Version

Terraform version: Terraform v1.1.7
Kubernetes provider version: v2.8.0
Kubernetes version: v1.23.3

Affected Resource(s)

• kubernetes_manifest

Terraform Configuration Files

terraform {
}

provider "kubernetes" {
  config_path = "~/.kube/config"
  config_context = "minikube"

}

provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
    config_context = "minikube"
  }
}

resource "helm_release" "calico" {
  name = "calico"
  repository = "https://projectcalico.docs.tigera.io/charts"
  chart = "tigera-operator"
  version = "v3.22.1"
}

resource "kubernetes_manifest" "global_network_policy" {
  manifest = {
    "apiVersion" = "projectcalico.org/v3"
    "kind" = "GlobalNetworkPolicy"
    "metadata" = {
      "name" = "deny-app-policy"
    }
    "spec" = {
      "egress" = [
        {
          "action" = "Allow"
          "destination" = {
            "ports" = [
              53,
            ]
            "selector" = "k8s-app == \"kube-dns\""
          }
          "protocol" = "UDP"
        },
      ]
      "namespaceSelector" = "has(projectcalico.org/name) && projectcalico.org/name not in {\"kube-system\", \"calico-system\"}"
      "types" = [
        "Ingress",
        "Egress",
      ]
    }
  }
}

Debug Output

https://gist.github.com/adam-dej/d9082be1508f475015cbcefa87686f18

Steps to Reproduce

1. minikube start
2. terraform apply -target helm_release.calico
3. Wait until Calico starts
4. terraform apply

Expected Behavior

The GlobalNetworkPolicy resource should be created, and Terraform should exit without error.

Actual Behavior

The GlobalNetworkPolicy resource is created correctly (verified with kubectl get globalnetworkpolicy/deny-app-policy -o yaml), but Terraform exits with the following error:

kubernetes_manifest.global_network_policy: Creating...
╷
│ Error: Conversion from Unstructured to tftypes.Value failed
│ 
│   with kubernetes_manifest.global_network_policy,
│   on main.tf line 24, in resource "kubernetes_manifest" "global_network_policy":
│   24: resource "kubernetes_manifest" "global_network_policy" {
│ 
│ AttributeName("spec"): [AttributeName("spec")] cannot convert map element value: AttributeName("spec").AttributeName("egress"):
│ [AttributeName("spec").AttributeName("egress")] cannot convert map element value: AttributeName("spec").AttributeName("egress").ElementKeyInt(0):
│ [AttributeName("spec").AttributeName("egress").ElementKeyInt(0)] cannot convert list element value:
│ AttributeName("spec").AttributeName("egress").ElementKeyInt(0).AttributeName("destination"):
│ [AttributeName("spec").AttributeName("egress").ElementKeyInt(0).AttributeName("destination")] cannot convert map element value:
│ AttributeName("spec").AttributeName("egress").ElementKeyInt(0).AttributeName("destination").AttributeName("ports"):
│ [AttributeName("spec").AttributeName("egress").ElementKeyInt(0).AttributeName("destination").AttributeName("ports")] cannot convert map element value:
│ AttributeName("spec").AttributeName("egress").ElementKeyInt(0).AttributeName("destination").AttributeName("ports").ElementKeyInt(0):
│ [AttributeName("spec").AttributeName("egress").ElementKeyInt(0).AttributeName("destination").AttributeName("ports").ElementKeyInt(0)] cannot convert list element value:
│ AttributeName("spec").AttributeName("egress").ElementKeyInt(0).AttributeName("destination").AttributeName("ports").ElementKeyInt(0):
│ [AttributeName("spec").AttributeName("egress").ElementKeyInt(0).AttributeName("destination").AttributeName("ports").ElementKeyInt(0)] cannot convert payload from "in64" to
│ "tftypes.String"

Important Factoids

I have a cluster where Calico was installed using Helm (via Terraform). I'm trying to deploy a default-deny policy example from docs. I used tfk8s to convert the yaml to Terraform config.

If I omit ports array from the above configuration, Terraform creates the resource and exits without error.

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[alexsomesan]

I was able to reproduce this and can confirm this is indeed a valid issue. Looking into it.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.