kubernetes_secret_v1 switch from data to data_wo does not delete data

[matthiasreichinger-glitch]

kubernetes_secret_v1: I have moved my data fields (conaining secrets) to the data_wo fields. After plan and apply the data field is still populated with the old values.

Terraform Version, Provider Version and Kubernetes Version

Terraform version: 1.11
Kubernetes provider version: 3.0.1
Kubernetes version: 1.33.6

Affected Resource(s)

• kubernetes_secret_v1

Terraform Configuration Files

resource "kubernetes_secret_v1" "minio_auth_secret" {
  metadata {
    name      = "minio-auth-secret"
    namespace = kubernetes_namespace_v1.minio.metadata[0].name
  }
  type = "Opaque"
  data_wo = {
    MINIO_ROOT_USER     = var.auth.root_user
    MINIO_ROOT_PASSWORD = var.auth.root_password
  }
  data_wo_revision = 1
}

Expected Behavior

data: null

Actual Behavior

plan was:

# module.minio.kubernetes_secret_v1.minio_auth_secret will be updated in-place
  ~ resource "kubernetes_secret_v1" "minio_auth_secret" {
      ~ binary_data_wo                 = (write-only attribute)
      ~ data_wo                        = (write-only attribute)
      + data_wo_revision               = 1
        id                             = "infrastructure-minio/minio-auth-secret"
        # (4 unchanged attributes hidden)
        # (1 unchanged block hidden)
    }

data is still populated:
(extract from the state file)

...
 "attributes": {
            "binary_data": null,
            "binary_data_wo": null,
            "binary_data_wo_revision": null,
            "data": {
              "MINIO_ROOT_PASSWORD": "asdf****",
              "MINIO_ROOT_USER": "admin"
            },
            "data_wo": null,
            "data_wo_revision": null,
            "id": "infrastructure-minio/minio-auth-secret",
            "immutable": false,
...

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[brandon-gradient]

The addition of the write-only fields doesn't seem to support the previous intention of allowing both data and binary_data fields to be used at the same time. I've noticed that when using binary_data and data_wo with data_wo_revision = 1 only the keys in binary_data end up in the final secret.

  binary_data = {
    githubAppID = base64encode("appID")
    githubAppInstallationID = base64encode("installID")
  }
  data_wo_revision = 1
  data_wo = {
    githubAppPrivateKey = ephemeral.aws_secretsmanager_secret_version.github_app_key.secret_binary
  }

This could also be updated in the schema if using a write-only field should precludes all other data fields. Of course it would be ideal if all 4 fields could be used together.

[matthiasreichinger-glitch]

I understand the limitations regarding mixing wo and non-wo fields; I encountered that as well and agree it's expected behavior. However, the specific issue I’m reporting occurs when using only the data_wo field. Even in this case, the data field is not being cleared or synchronized—it persists in the state unexpectedly.