0

I am learning Terraform and trying to translate Kubernetes infrastructure over to Terraform.

I have a Terraform script which creates a given namespace, and then creates secrets from local files. Most of the files do not create properly due to the namespace not being created fast enough.

Is there a correct method to create and wait for confirmation of the namespace before continuing within the Terraform script? Such as depends_on, etc.?

My current approach:

```hcl
resource "kubernetes_namespace" "namespace" {
  metadata {
    name = "specialNamespace"
  }
}

resource "kubernetes_secret" "api-env" {
  metadata {
    name      = var.k8s_name_api_env
    namespace = "specialNamespace"
  }

  data = {
    ".api" = file("${path.cwd},${var.local_dir_path_api_env_file}")
  }
}

resource "kubernetes_secret" "password-env" {
  metadata {
    name      = var.k8s_name_password_env
    namespace = "specialNamespace"
  }

  data = {
    ".password" = file("${path.cwd},${var.local_dir_path_password_env_file}")
  }
}

resource "kubernetes_secret" "tls-crt-env" {
  metadata {
    name      = var.k8s_name_tls_crt_env
    namespace = "specialNamespace"
  }

  data = {
    "server.crt" = file("${path.cwd},${var.local_dir_path_tls_crt_env_file}")
  }
}

resource "kubernetes_secret" "tls-key-env" {
  metadata {
    name      = var.k8s_name_tls_key_env
    namespace = "specialNamespace"
  }

  data = {
    "server.key" = file("${path.cwd},${var.local_dir_path_tls_key_env_file}")
  }
}
```

2 Answers

4

Since there is a way to get the name property of the metadata from the kubernetes_namespace resource, I would advise going with that. For example, for the kubernetes_secret resource:

```hcl
resource "kubernetes_secret" "api-env" {
  metadata {
    name      = var.k8s_name_api_env
    namespace = kubernetes_namespace.namespace.metadata[0].name
  }

  data = {
    ".api" = file("${path.cwd},${var.local_dir_path_api_env_file}")
  }
}
```

Also, note that most of the resources also have the _v1 version (e.g., namespace [1], secret [2] etc.), so I would strongly suggest going with those ones.


[1] https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1

[2] https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1

Marko E
  • This worked, in v1 and non-v1 format, thanks! Thank you for giving me these very helpful tips! Why is your implicit approach better than `depends_on` other than just less lines of code? – Matt - Block-Farms.io Jul 29 '22 at 07:15
  • Well, I prefer implicit because it then makes sure terraform walks the graph in a more logical way (at least to me). It is also my opinion that using `depends_on` should be reserved for the cases where you cannot make any other logical connection between two resources. But in the end it's a matter of preference. – Marko E Jul 29 '22 at 07:38
2

> Such as depends_on, etc.?

Exactly. Here, you should use depends_on:

```hcl
resource "kubernetes_secret" "api-env" {
  depends_on = [resource.kubernetes_namespace.namespace]
  ...
}
...
```
SYN
  • I like Marko E's suggestion of creating an implicit dependency better, in cases where that's possible. But this is also a very good and valid answer as well, and thank you for showing how that's done with example code. – Todd Walton Oct 05 '22 at 14:10