Terraform Version, Provider Version and Kubernetes Version
Terraform version: v1.14.3
Kubernetes provider version: v3.0.1
Kubernetes version:
Client Version: v1.34.0
Kustomize Version: v5.7.1
Server Version: v1.33.5-gke.2072000
Affected Resource(s)
Terraform Configuration Files
provider "kubernetes" {
  config_path    = "~/.kube/config"
  config_context = "cluster"
}

resource "kubernetes_secret_v1" "app" {
  metadata {
    name      = "test-secret"
    namespace = "default"
  }
  type = "Opaque"
  data_wo = {
    username = "appuser"
  }
}

# tried to create kubernetes_secret_v1 with data from ephemeral resource but secret was created without any data
# so tried to create secret with plain data but secret was created without any data too
ephemeral "random_password" "app_password" {
  length  = 24
  special = true
}

Steps to Reproduce
- Run terraform apply

terraform apply
ephemeral.random_password.app_password: Opening...
ephemeral.random_password.app_password: Opening complete after 0s
ephemeral.random_password.app_password: Closing...
ephemeral.random_password.app_password: Closing complete after 0s
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # kubernetes_secret_v1.app will be created
  + resource "kubernetes_secret_v1" "app" {
      + binary_data_wo = (write-only attribute)
      + data = (sensitive value)
      + data_wo = (write-only attribute)
      + id = (known after apply)
      + type = "Opaque"
      + wait_for_service_account_token = true

      + metadata {
          + generation = (known after apply)
          + name = "test-secret"
          + namespace = "default"
          + resource_version = (known after apply)
          + uid = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
ephemeral.random_password.app_password: Opening...
ephemeral.random_password.app_password: Opening complete after 0s
kubernetes_secret_v1.app: Creating...
kubernetes_secret_v1.app: Creation complete after 2s [id=default/test-secret]
ephemeral.random_password.app_password: Closing...
ephemeral.random_password.app_password: Closing complete after 0s
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
- Get secret data after terraform apply. There is no username key in secret, no data at all

kubectl get secret test-secret -o yaml
apiVersion: v1
kind: Secret
metadata:
  creationTimestamp: "2026-01-28T13:26:33Z"
  name: test-secret
  namespace: default
  resourceVersion: "1769606793996751020"
  uid: d76416f1-e7b7-4e47-957d-980bbdbd23a3
type: Opaque

Expected Behavior
k8s secret must contain data field with correct keys as per data_wo parameter
Actual Behavior
k8s secret is created without data at all
Important Factoids
References
- ephemeral resource: Add write-only data fields to kubernetes_secret and kubernetes_secret_v1 #2795
- Add write-only attributes data_wo and binary_data_wo to kubernetes_secret_v1 #2692
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
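
An added example, not part of the original issue or the provider's code: write-only attributes such as data_wo are not stored in Terraform state, so an empty Secret like the one reported above can only be caught by inspecting the object in the cluster. The check below takes the JSON from `kubectl get secret <name> -o json` and lists expected keys that are missing or empty; the function name `missing_secret_keys` and both sample manifests are constructed for illustration.

```python
import base64
import binascii
import json
import sys

# Constructed manifests shaped like `kubectl get secret test-secret -o json`.
# EMPTY mirrors the reported result (no data field at all); POPULATED is what
# data_wo = { username = "appuser" } was expected to produce.
EMPTY = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "test-secret", "namespace": "default"},
})
POPULATED = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "test-secret", "namespace": "default"},
    "data": {"username": base64.b64encode(b"appuser").decode()},
})


def missing_secret_keys(manifest_json, expected_keys):
    """Return the sorted expected keys that are absent, undecodable or empty.

    Values are decoded only to test for emptiness and are never returned
    or printed, so the result can be written to CI logs.
    """
    obj = json.loads(manifest_json)
    if obj.get("kind") != "Secret":
        raise ValueError("manifest is not a Secret")
    data = obj.get("data") or {}  # the API omits `data` when it is empty
    bad = []
    for key in expected_keys:
        encoded = data.get(key)
        try:
            value = base64.b64decode(encoded, validate=True) if isinstance(encoded, str) else b""
        except (binascii.Error, ValueError):
            value = b""  # not valid base64: treat as unusable
        if not value:
            bad.append(key)
    return sorted(bad)


if __name__ == "__main__":
    # Usage: kubectl get secret test-secret -o json | python check_secret.py username
    problems = missing_secret_keys(sys.stdin.read(), sys.argv[1:])
    print("missing or empty keys:", problems or "none")
    sys.exit(1 if problems else 0)
```

Run as a post-apply step, the script exits non-zero when any expected key is missing or empty.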