Normalize automount_service_account_token to be in line with the K8s …

…API (#1054)
hashicorp · Nov 13, 2020 · 7cc826c · 7cc826c
1 parent 5ceadb9
commit 7cc826c
Show file tree

Hide file tree

Showing 14 changed files with 49 additions and 30 deletions.
diff --git a/kubernetes/data_source_kubernetes_service_account.go b/kubernetes/data_source_kubernetes_service_account.go
@@ -2,6 +2,7 @@ package kubernetes
 
 import (
 	"context"
+
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

diff --git a/kubernetes/data_source_kubernetes_service_account_test.go b/kubernetes/data_source_kubernetes_service_account_test.go
@@ -24,7 +24,7 @@ func TestAccKubernetesDataSourceServiceAccount_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("kubernetes_service_account.test", "metadata.0.labels.TestLabel", "label"),
 					resource.TestCheckResourceAttr("kubernetes_service_account.test", "secret.0.name", name+"-secret"),
 					resource.TestCheckResourceAttr("kubernetes_service_account.test", "image_pull_secret.0.name", name+"-image-pull-secret"),
-					resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "false"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "true"),
 					resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "default_secret_name"),
 				),
 			},
@@ -37,7 +37,7 @@ func TestAccKubernetesDataSourceServiceAccount_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("data.kubernetes_service_account.test", "metadata.0.labels.TestLabel", "label"),
 					resource.TestCheckResourceAttr("data.kubernetes_service_account.test", "secret.0.name", name+"-secret"),
 					resource.TestCheckResourceAttr("data.kubernetes_service_account.test", "image_pull_secret.0.name", name+"-image-pull-secret"),
-					resource.TestCheckResourceAttr("data.kubernetes_service_account.test", "automount_service_account_token", "false"),
+					resource.TestCheckResourceAttr("data.kubernetes_service_account.test", "automount_service_account_token", "true"),
 					resource.TestCheckResourceAttrSet("data.kubernetes_service_account.test", "default_secret_name"),
 				),
 			},

diff --git a/kubernetes/resource_kubernetes_pod.go b/kubernetes/resource_kubernetes_pod.go
@@ -3,10 +3,11 @@ package kubernetes
 import (
 	"context"
 	"fmt"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"log"
 	"time"
 
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	api "k8s.io/api/core/v1"
@@ -17,10 +18,7 @@ import (
 
 func resourceKubernetesPod() *schema.Resource {
 	podSpecFields := podSpecFields(false, false, false)
-	// Setting this default to false prevents a perpetual diff caused by volume_mounts
-	// being mutated on the server side as Kubernetes automatically adds a mount
-	// for the service account token
-	podSpecFields["automount_service_account_token"].Default = false
+
 	return &schema.Resource{
 		CreateContext: resourceKubernetesPodCreate,
 		ReadContext:   resourceKubernetesPodRead,

diff --git a/kubernetes/resource_kubernetes_pod_test.go b/kubernetes/resource_kubernetes_pod_test.go
@@ -1146,6 +1146,8 @@ resource "kubernetes_pod" "test" {
   }
 
   spec {
+	automount_service_account_token = false
+
     container {
       image = "%s"
       name  = "containername"
@@ -1211,7 +1213,9 @@ func testAccKubernetesPodConfigWithInitContainer(podName string, image string) s
   }
 
   spec {
-    container {
+	automount_service_account_token = false
+
+	container {
       name  = "nginx"
       image = "nginx"
 
@@ -1501,7 +1505,9 @@ resource "kubernetes_pod" "test" {
   }
 
   spec {
-    container {
+	automount_service_account_token = false
+	
+	container {
       image = "%s"
       name  = "containername"
 
@@ -1545,6 +1551,8 @@ resource "kubernetes_pod" "test" {
   }
 
   spec {
+	automount_service_account_token = false
+
     container {
       image = "%s"
       name  = "containername"
@@ -1597,7 +1605,8 @@ resource "kubernetes_pod" "test" {
   }
 
   spec {
-    restart_policy = "Never"
+	restart_policy = "Never"
+	automount_service_account_token = false
 
     container {
       image = "%s"
@@ -1726,7 +1735,8 @@ resource "kubernetes_pod" "test" {
   }
 
   spec {
-    restart_policy = "Never"
+	restart_policy = "Never"
+	automount_service_account_token = false
 
     container {
       image = "%s"
@@ -1846,6 +1856,8 @@ func testAccKubernetesPodConfigWithEmptyDirVolumes(podName, imageName string) st
   }
 
   spec {
+	automount_service_account_token = false
+
     container {
       image = "%s"
       name  = "containername"
@@ -1879,6 +1891,8 @@ func testAccKubernetesPodConfigWithEmptyDirVolumesSizeLimit(podName, imageName s
   }
 
   spec {
+	automount_service_account_token = false
+
     container {
       image = "%s"
       name  = "containername"
@@ -2104,8 +2118,7 @@ resource "kubernetes_pod" "test" {
 }
 
 func testAccKubernetesPodConfigReadinessGate(secretName, configMapName, podName, imageName string) string {
-	return fmt.Sprintf(`
-resource "kubernetes_secret" "test" {
+	return fmt.Sprintf(`resource "kubernetes_secret" "test" {
   metadata {
     name = "%s"
   }
@@ -2157,6 +2170,8 @@ resource "kubernetes_pod" "test" {
   }
 
   spec {
+	automount_service_account_token = false
+
     readiness_gate {
       condition_type = "haha"
     }
@@ -2226,6 +2241,8 @@ func testAccKubernetesPod_regression(provider, name, imageName string) string {
   }
 
   spec {
+	automount_service_account_token = false
+
     container {
       image = %[3]q
       name  = "containername"

diff --git a/kubernetes/resource_kubernetes_service_account.go b/kubernetes/resource_kubernetes_service_account.go
@@ -3,13 +3,14 @@ package kubernetes
 import (
 	"context"
 	"fmt"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"log"
 	"strings"
 	"time"
 
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
 	api "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -63,8 +64,9 @@ func resourceKubernetesServiceAccount() *schema.Resource {
 			},
 			"automount_service_account_token": {
 				Type:        schema.TypeBool,
-				Description: "True to enable automatic mounting of the service account token",
+				Description: "Enable automatic mounting of the service account token",
 				Optional:    true,
+				Default:     true,
 			},
 			"default_secret_name": {
 				Type:     schema.TypeString,

diff --git a/kubernetes/resource_kubernetes_service_account_test.go b/kubernetes/resource_kubernetes_service_account_test.go
@@ -44,7 +44,7 @@ func TestAccKubernetesServiceAccount_basic(t *testing.T) {
 					resource.TestCheckResourceAttrSet(resourceName, "metadata.0.uid"),
 					resource.TestCheckResourceAttr(resourceName, "secret.#", "2"),
 					resource.TestCheckResourceAttr(resourceName, "image_pull_secret.#", "2"),
-					resource.TestCheckResourceAttr(resourceName, "automount_service_account_token", "false"),
+					resource.TestCheckResourceAttr(resourceName, "automount_service_account_token", "true"),
 					testAccCheckServiceAccountImagePullSecrets(&conf, []*regexp.Regexp{
 						regexp.MustCompile("^" + name + "-three$"),
 						regexp.MustCompile("^" + name + "-four$"),
@@ -96,7 +96,7 @@ func TestAccKubernetesServiceAccount_automount(t *testing.T) {
 					resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.uid"),
 					resource.TestCheckResourceAttr("kubernetes_service_account.test", "secret.#", "2"),
 					resource.TestCheckResourceAttr("kubernetes_service_account.test", "image_pull_secret.#", "2"),
-					resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "true"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "false"),
 					testAccCheckServiceAccountImagePullSecrets(&conf, []*regexp.Regexp{
 						regexp.MustCompile("^" + name + "-three$"),
 						regexp.MustCompile("^" + name + "-four$"),
@@ -142,7 +142,7 @@ func TestAccKubernetesServiceAccount_update(t *testing.T) {
 					resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.uid"),
 					resource.TestCheckResourceAttr("kubernetes_service_account.test", "secret.#", "2"),
 					resource.TestCheckResourceAttr("kubernetes_service_account.test", "image_pull_secret.#", "2"),
-					resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "false"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "true"),
 					testAccCheckServiceAccountImagePullSecrets(&conf, []*regexp.Regexp{
 						regexp.MustCompile("^" + name + "-three$"),
 						regexp.MustCompile("^" + name + "-four$"),
@@ -173,7 +173,7 @@ func TestAccKubernetesServiceAccount_update(t *testing.T) {
 					resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.uid"),
 					resource.TestCheckResourceAttr("kubernetes_service_account.test", "secret.#", "1"),
 					resource.TestCheckResourceAttr("kubernetes_service_account.test", "image_pull_secret.#", "3"),
-					resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "true"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "false"),
 					testAccCheckServiceAccountImagePullSecrets(&conf, []*regexp.Regexp{
 						regexp.MustCompile("^" + name + "-three$"),
 						regexp.MustCompile("^" + name + "-four$"),
@@ -199,7 +199,7 @@ func TestAccKubernetesServiceAccount_update(t *testing.T) {
 					resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.uid"),
 					resource.TestCheckResourceAttr("kubernetes_service_account.test", "secret.#", "0"),
 					resource.TestCheckResourceAttr("kubernetes_service_account.test", "image_pull_secret.#", "0"),
-					resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "false"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "true"),
 					testAccCheckServiceAccountImagePullSecrets(&conf, []*regexp.Regexp{}),
 					testAccCheckServiceAccountSecrets(&conf, []*regexp.Regexp{
 						regexp.MustCompile("^" + name + "-token-[a-z0-9]+$"),
@@ -234,7 +234,7 @@ func TestAccKubernetesServiceAccount_generatedName(t *testing.T) {
 					resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.resource_version"),
 					resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.self_link"),
 					resource.TestCheckResourceAttrSet("kubernetes_service_account.test", "metadata.0.uid"),
-					resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "false"),
+					resource.TestCheckResourceAttr("kubernetes_service_account.test", "automount_service_account_token", "true"),
 					testAccCheckServiceAccountImagePullSecrets(&conf, []*regexp.Regexp{}),
 					testAccCheckServiceAccountSecrets(&conf, []*regexp.Regexp{
 						regexp.MustCompile("^" + prefix + "[a-z0-9]+-token-[a-z0-9]+$"),
@@ -446,7 +446,7 @@ func testAccKubernetesServiceAccountConfig_modified(name string) string {
     name = "${kubernetes_secret.four.metadata.0.name}"
   }
 
-  automount_service_account_token = "true"
+  automount_service_account_token = false
 }
 
 resource "kubernetes_secret" "one" {
@@ -526,7 +526,7 @@ func testAccKubernetesServiceAccountConfig_automount(name string) string {
     name = "${kubernetes_secret.four.metadata.0.name}"
   }
 
-  automount_service_account_token = true
+  automount_service_account_token = false
 }
 
 resource "kubernetes_secret" "one" {

diff --git a/kubernetes/schema_pod_spec.go b/kubernetes/schema_pod_spec.go
@@ -31,6 +31,7 @@ func podSpecFields(isUpdatable, isDeprecated, isComputed bool) map[string]*schem
 		"automount_service_account_token": {
 			Type:        schema.TypeBool,
 			Optional:    true,
+			Default:     true,
 			Description: "AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.",
 		},
 		"container": {

diff --git a/website/docs/d/pod.html.markdown b/website/docs/d/pod.html.markdown
@@ -52,7 +52,7 @@ The following arguments are supported:
 
 * `affinity` - A group of affinity scheduling rules. If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler.
 * `active_deadline_seconds` - Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer.
-* `automount_service_account_token` - Indicates whether a service account token should be automatically mounted. Defaults to false for Pods.
+* `automount_service_account_token` - Indicates whether a service account token should be automatically mounted. Defaults to true for Pods.
 * `container` - List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/containers)
 * `init_container` - List of init containers belonging to the pod. Init containers always run to completion and each must complete successfully before the next is started. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/workloads/pods/init-containers)/
 * `dns_policy` - Set DNS policy for containers within the pod. Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'. Optional: Defaults to 'ClusterFirst', see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy).

diff --git a/website/docs/guides/getting-started.html.markdown b/website/docs/guides/getting-started.html.markdown
@@ -251,7 +251,7 @@ Terraform will perform the following actions:
         }
 
       + spec {
-          + automount_service_account_token  = false
+          + automount_service_account_token  = true
           + dns_policy                       = "ClusterFirst"
           + enable_service_links             = false
           + host_ipc                         = false

diff --git a/website/docs/r/daemonset.html.markdown b/website/docs/r/daemonset.html.markdown
@@ -142,7 +142,7 @@ The following arguments are supported:
 
 * `affinity` - (Optional) A group of affinity scheduling rules. If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler.
 * `active_deadline_seconds` - (Optional) Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer.
-* `automount_service_account_token` - (Optional) Indicates whether a service account token should be automatically mounted. Defaults to `false`.
+* `automount_service_account_token` - (Optional) Indicates whether a service account token should be automatically mounted. Defaults to `true`.
 * `container` - (Optional) List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/containers)
 * `init_container` - (Optional) List of init containers belonging to the pod. Init containers always run to completion and each must complete successfully before the next is started. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/workloads/pods/init-containers)/
 * `dns_policy` - (Optional) Set DNS policy for containers within the pod. Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'. Optional: Defaults to 'ClusterFirst', see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy).

diff --git a/website/docs/r/default_service_account.html.markdown b/website/docs/r/default_service_account.html.markdown
@@ -37,7 +37,7 @@ The following arguments are supported:
 * `metadata` - (Required) Standard service account's metadata. For more info see [Kubernetes reference](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
 * `image_pull_secret` - (Optional) A list of references to secrets in the same namespace to use for pulling any images in pods that reference this Service Account. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/secrets#manually-specifying-an-imagepullsecret)
 * `secret` - (Optional) A list of secrets allowed to be used by pods running using this Service Account. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/secrets)
-* `automount_service_account_token` - (Optional) Boolean, `true` to enable automatic mounting of the service account token
+* `automount_service_account_token` - (Optional) Boolean, `true` to enable automatic mounting of the service account token. Defaults to `true`.
 
 ## Nested Blocks
 

diff --git a/website/docs/r/deployment.html.markdown b/website/docs/r/deployment.html.markdown
@@ -147,7 +147,7 @@ The following arguments are supported:
 
 * `affinity` - (Optional) A group of affinity scheduling rules. If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler.
 * `active_deadline_seconds` - (Optional) Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer.
-* `automount_service_account_token` - (Optional) Indicates whether a service account token should be automatically mounted. Defaults to `false`.
+* `automount_service_account_token` - (Optional) Indicates whether a service account token should be automatically mounted. Defaults to `true`.
 * `container` - (Optional) List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/containers)
 * `readiness_gate` - (Optional) If specified, all readiness gates will be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to "True". [More info](https://git.k8s.io/enhancements/keps/sig-network/0007-pod-ready++.md)
 * `init_container` - (Optional) List of init containers belonging to the pod. Init containers always run to completion and each must complete successfully before the next is started. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/workloads/pods/init-containers)/

diff --git a/website/docs/r/pod.html.markdown b/website/docs/r/pod.html.markdown
@@ -200,7 +200,7 @@ The following arguments are supported:
 
 * `affinity` - (Optional) A group of affinity scheduling rules. If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler.
 * `active_deadline_seconds` - (Optional) Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer.
-* `automount_service_account_token` - (Optional) Indicates whether a service account token should be automatically mounted. Defaults to `false` for Pods.
+* `automount_service_account_token` - (Optional) Indicates whether a service account token should be automatically mounted. Defaults to `true` for Pods.
 * `container` - (Optional) List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated. For more info see [Kubernetes reference](http://kubernetes.io/docs/user-guide/containers)
 * `init_container` - (Optional) List of init containers belonging to the pod. Init containers always run to completion and each must complete successfully before the next is started. For more info see [Kubernetes reference](https://kubernetes.io/docs/concepts/workloads/pods/init-containers)/
 * `dns_policy` - (Optional) Set DNS policy for containers within the pod. Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'. Optional: Defaults to 'ClusterFirst', see [Kubernetes reference](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy).