Multiple cluster_role_selectors are ignored

[fmulero]

Terraform Version, Provider Version and Kubernetes Version

Terraform version: 1.0.0
Kubernetes provider version: 2.3.2
Kubernetes version: 1.18 (EKS)

Affected Resource(s)

resource "kubernetes_cluster_role" "example" {

  metadata {
    name   = "example"
  }

  aggregation_rule {
    cluster_role_selectors {
      match_labels = {
        "rbac.authorization.k8s.io/aggregate-to-view" = "true"
      }
    }
    cluster_role_selectors {
      match_labels = {
        "example.io/aggregregate-to-app" = "true"
      }
    }
  }
}

Expected Behavior

A role with the following aggregation rule is created:

aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.authorization.k8s.io/aggregate-to-view: 'true'
    - matchLabels:
        example.io/aggregregate-to-app: 'true'

Actual Behavior

The second cluster_role_selectors is ignored and only the first match_label rule is created (the same happens using match_expressions )

aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.authorization.k8s.io/aggregate-to-view: 'true'

References

• kubernetes_cluster_role aggregation_rule with multiple matchLabels #1303
• https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role#aggregation_rule

[stevehipwell]

We're seeing this same issue, how come nobody from @hashicorp has even commented on here yet?

[arybolovlev]

Hi @fmulero,

Thank you for reporting this issue. It looks like we have missed for loop here.

[stevehipwell]

@arybolovlev I'll open a PR to fix this, you can assign the issue to me.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.