mutating_webhook_configuration and validation_webhook_configuration error with no rules

[onwsk8r]

Terraform Version, Provider Version and Kubernetes Version

❯ terraform -v
Terraform v1.1.7
on linux_amd64
+ provider registry.terraform.io/hashicorp/kubernetes v2.8.0
Kubernetes Version: 1.21.6

Affected Resource(s)

• kubernetes_mutating_webhook_configuration
• kubernetes_validating_webhook_configuration

Terraform Configuration Files

resource "kubernetes_mutating_webhook_configuration" "example" {
  metadata {
    name = "foo"
  }

  webhook {
    name = "foo"

    client_config {
      service {
        namespace = "default"
        name      = "foo-webhook"
      }
    }

    failure_policy            = "Fail"
    side_effects              = "None"
    timeout_seconds           = 2
    admission_review_versions = ["v1beta1"]
  }
}

resource "kubernetes_validating_webhook_configuration" "example" {
  metadata {
    name = "foo"
  }

  webhook {
    name = "foo"

    client_config {
      service {
        namespace = "default"
        name      = "foo-webhook"
      }
    }

    failure_policy            = "Fail"
    side_effects              = "None"
    timeout_seconds           = 2
    admission_review_versions = ["v1beta1"]
  }
}

Debug Output

tl;dr

2022-03-15T05:48:58.906-0500 [TRACE] vertex "kubernetes_validating_webhook_configuration.example": starting visit (*terraform.NodeValidatableResource)
2022-03-15T05:48:58.906-0500 [TRACE] vertex "kubernetes_mutating_webhook_configuration.example": starting visit (*terraform.NodeValidatableResource)
2022-03-15T05:48:58.906-0500 [ERROR] vertex "kubernetes_validating_webhook_configuration.example" error: Insufficient rule blocks
2022-03-15T05:48:58.906-0500 [TRACE] vertex "kubernetes_validating_webhook_configuration.example": visit complete, with errors
2022-03-15T05:48:58.906-0500 [ERROR] vertex "kubernetes_mutating_webhook_configuration.example" error: Insufficient rule blocks
2022-03-15T05:48:58.906-0500 [TRACE] vertex "kubernetes_mutating_webhook_configuration.example": visit complete, with errors

See the whole thing here.

Steps to Reproduce

1. Put the sample HCl code above into a file
2. Run terraform init
3. Run terraform apply
4. $Profit (or not)

Expected Behavior

The Terraform provider is expected to demonstrate similar behavior to the Kubernetes API. HCl code and terraform apply should produce the same result as YAML and kubectl apply.

Actual Behavior

Terraform indicates that At least 1 "rule" blocks are required (is that proper Engrish?), which is not the case when running kubectl apply with the YAML version of the code. Moreover, the documentation lists rule blocks as optional.

Important Factoids

The resource documentation shows rule as being optional, which is how the Kubernetes API works as well. But wait! The Dynamic Admission Controllers documentation says that [e]ach webhook must specify a list of rules! Case closed, you say - the documentation supports the requirement. Indeed it does not, because an empty list is a valid list, and the API docs for each resource do not specify a minimum length for the list!

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[arybolovlev]

Hi @onwsk8r,

Thank you for reporting this issue. It seems to be a duplicate of this one. There is PR that addresses this issue. Please keep an eye on our release notes.

Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.