Fix kubernetes_node_taint so that taints are unique over key and effect and not just key

.changelog/2611.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+`resource/kubernetes_node_taint`: Fix taint uniqueness check so it is enforced over key and effect and not solely key alone.
+```

examples/resources/node_taint/example_2.tf

@@ -0,0 +1,15 @@
+resource "kubernetes_node_taint" "example" {
+  metadata {
+    name = "my-node.my-cluster.k8s.local"
+  }
+  taint {
+    key    = "node-role.kubernetes.io/example"
+    value  = "dedicated"
+    effect = "NoSchedule"
+  }
+  taint {
+    key    = "node-role.kubernetes.io/example"
+    value  = "dedicated"
+    effect = "NoExecute"
+  }
+}

kubernetes/resource_kubernetes_node_taint.go

@@ -6,6 +6,7 @@ package kubernetes
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -33,11 +34,14 @@ func resourceKubernetesNodeTaint() *schema.Resource {
 			for _, t := range rd.Get("taint").([]interface{}) {
 				taint := t.(map[string]interface{})
 				key := taint["key"].(string)
-				taintkeys[key] = taintkeys[key] + 1
+				effect := taint["effect"].(string)
+				taintkey := fmt.Sprintf("%s:%s", key, effect)
+				taintkeys[taintkey] = taintkeys[taintkey] + 1
 			}
 			for k, v := range taintkeys {
 				if v > 1 {
-					return fmt.Errorf("taint: duplicate taint key %q: taint keys must be unique", k)
+					s := strings.Split(k, ":")
+					return fmt.Errorf("taint: duplicate taint for key %q and effect %q; taints must be unique over key and effect.", s[0], s[1])
 				}
 			}
 			return nil

kubernetes/resource_kubernetes_node_taint_test.go

@@ -6,6 +6,7 @@ package kubernetes
 import (
 	"context"
 	"fmt"
+	"regexp"
 	"strings"
 	"testing"
 
@@ -106,6 +107,50 @@ func TestAccKubernetesResourceNodeTaint_MultipleBasic(t *testing.T) {
 	})
 }
 
+func TestAccKubernetesResourceNodeTaint_MultipleSameKeyDifferentEffect(t *testing.T) {
+	resourceName := "kubernetes_node_taint.test"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t) },
+		IDRefreshName:     resourceName,
+		ProviderFactories: testAccProviderFactories,
+		CheckDestroy:      testAccKubernetesNodeTaintDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccKubernetesNodeTaintConfig_multipleSameKeyDifferentEffect(),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccKubernetesNodeTaintExists(resourceName),
+					resource.TestCheckResourceAttrSet(resourceName, "metadata.0.name"),
+					resource.TestCheckResourceAttr(resourceName, "taint.0.key", taintKey),
+					resource.TestCheckResourceAttr(resourceName, "taint.0.value", taintValue),
+					resource.TestCheckResourceAttr(resourceName, "taint.0.effect", "NoSchedule"),
+					resource.TestCheckResourceAttr(resourceName, "taint.1.key", taintKey),
+					resource.TestCheckResourceAttr(resourceName, "taint.1.value", taintValue),
+					resource.TestCheckResourceAttr(resourceName, "taint.1.effect", "NoExecute"),
+				),
+			},
+		},
+	})
+}
+
+func TestAccKubernetesResourceNodeTaint_DuplicateTaintKeyAndEffectExpectError(t *testing.T) {
+	resourceName := "kubernetes_node_taint.test"
+
+	expectPattern := "duplicate taint for key .* and effect \"\\w*\"; taints must be unique over key and effect"
+	resource.Test(t, resource.TestCase{
+		PreCheck:          func() { testAccPreCheck(t) },
+		IDRefreshName:     resourceName,
+		ProviderFactories: testAccProviderFactories,
+		CheckDestroy:      testAccKubernetesNodeTaintDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccKubernetesNodeTaintConfig_duplicateKeyAndEffect(),
+				ExpectError: regexp.MustCompile(expectPattern),
+			},
+		},
+	})
+}
+
 func testAccKubernetesCheckNodeTaint(rs *terraform.ResourceState) error {
 	nodeName, taint, err := idToNodeTaint(rs.Primary.ID)
 	if err != nil {
@@ -169,6 +214,50 @@ resource "kubernetes_node_taint" "test" {
 `, taintKey, taintValue, taintEffect, fieldManager)
 }
 
+func testAccKubernetesNodeTaintConfig_multipleSameKeyDifferentEffect() string {
+	return fmt.Sprintf(`data "kubernetes_nodes" "test" {}
+
+resource "kubernetes_node_taint" "test" {
+  metadata {
+    name = data.kubernetes_nodes.test.nodes.0.metadata.0.name
+  }
+  taint {
+    key    = %q
+    value  = %q
+    effect = %q
+  }
+  taint {
+    key    = %q
+    value  = %q
+    effect = %q
+  }
+  field_manager = %q
+}
+`, taintKey, taintValue, "NoSchedule", taintKey, taintValue, "NoExecute", fieldManager)
+}
+
+func testAccKubernetesNodeTaintConfig_duplicateKeyAndEffect() string {
+	return fmt.Sprintf(`data "kubernetes_nodes" "test" {}
+
+resource "kubernetes_node_taint" "test" {
+  metadata {
+    name = data.kubernetes_nodes.test.nodes.0.metadata.0.name
+  }
+  taint {
+    key    = %q
+    value  = %q
+    effect = %q
+  }
+  taint {
+    key    = %q
+    value  = %q
+    effect = %q
+  }
+  field_manager = %q
+}
+`, taintKey, taintValue, "NoSchedule", taintKey, "dedicated", "NoSchedule", fieldManager)
+}
+
 func testAccKubernetesNodeTaintConfig_multipleBasic() string {
 	return fmt.Sprintf(`data "kubernetes_nodes" "test" {}
 

templates/resources/node_taint.md.tmpl

@@ -13,8 +13,14 @@ description: |-
 
 ## Example Usage
 
+### Single Taint
+
 {{tffile "examples/resources/node_taint/example_1.tf"}}
 
+### Multiple Taints Using the Same Key and Different Effects
+
+{{tffile "examples/resources/node_taint/example_2.tf"}}
+
 ## Import
 
 This resource does not support the `import` command. As this resource operates on Kubernetes resources that already exist, creating the resource is equivalent to importing it.