Adding a "data" block to a "check" stores the data in the state

[wonko]

OpenTofu Version

OpenTofu v1.6.1
on darwin_arm64

OpenTofu Configuration Files

check "app_pods_running" {
  data "kubernetes_resources" "app_pods" {
    api_version    = "v1"
    kind           = "Pod"
    namespace      = "appnamespace"
    field_selector = "status.phase=Running"
    label_selector = "app.kubernetes.io/name=appname"
  }
  assert {
    condition     = length(data.kubernetes_resources.app_pods.objects) > 1
    error_message = "Not enough application pods running"
  }
}

Debug Output

(none needed, there's nothing going wrong)

Expected Behavior

As the data is only used during the checking/assertion, I would assume the data lived in memory for the time needed and was discarded afterwards. There is no way to assess the checks afterwards, as there is no tofu check alike tofu output ... (this would be a good addition btw).

Actual Behavior

The data is saved to the state. This seems wrong to me, as the data is only used during the checks, and is useless afterwards.

In this specific case, this results in a new state change on every plan/apply, as the data from "kubernetes_resources" with the specific selectors is changing very often (due to kubernetes scaling, kubernetes-state changes...).

Steps to Reproduce

Use the above check against a recent kubernetes cluster, and apply a couple of times. Each run gives differences on the data object.

Additional Context

none

References

none

[snowsky]

I can reproduce the issue, and it seems data is saved in state file as well if it is outside of check block.

[snowsky]

Both have the similar state file:

{
  "version": 4,
  "terraform_version": "1.6.4",
  "serial": 5,
  "lineage": "53e91562-2a4c-adaf-2ea1-61ed5a161356",
  "outputs": {},
  "resources": [
    {
      "mode": "data",
      "type": "kubernetes_resources",
      "name": "app_pods",
      "provider": "provider[\"registry.terraform.io/hashicorp/kubernetes\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "api_version": "v1",
            "field_selector": "status.phase=Running",
            "kind": "Pod",
            "label_selector": null,
            "limit": null,
            "namespace": "kube-system",
            "objects": null
          },
          "sensitive_attributes": []
        }
      ]
    }
  ],
  "check_results": [
    {
      "object_kind": "check",
      "config_addr": "check.app_pods_running",
      "status": "fail",
      "objects": [
        {
          "object_addr": "check.app_pods_running",
          "status": "fail",
          "failure_messages": [
            "Failed to save resource state: AttributeName(\"metadata\").AttributeName(\"managedFields\"): [AttributeName(\"metadata\").AttributeName(\"managedFields\")] incompatible tuple types"
          ]
        }
      ]
    }
  ]
}

[snowsky]

Will this function parse data into state file, https://github.com/hashicorp/hcl/blob/main/hclsyntax/parser_traversal.go#L15?

[janosdebugs]

Hey folks, thank you for this issue. We discussed this with the core team and the data sources work as intended. They are and should be recorded in the state in order for OpenTofu to function correctly. If you do not want to record information in the state, please use provider-defined functions and ask provider authors to add functions to their providers.

Note, that configured provider functions are currently only available in OpenTofu, but not Terraform.