Outposts not properly created from terraform provider #642

Open
@spacemule

Describe the bug
When creating a proxy outpost or updating a proxy outpost with the Terraform provider, changes are reflected in authentik, but are not seen in the cluster.

To Reproduce
Steps to reproduce the behavior:

Try to apply Terraform like this:

resource "authentik_outpost" "proxy" {
  name = "proxy"
  type = "proxy"
  config = jsonencode(
    {
      refresh_interval               = "minutes=5"
      authentik_host                 = "https://authentik.a-cooler-domain-than-yours.net"
      authentik_host_browser         = "https://authentik.a-cooler-domain-than-yours.net"
      authentik_host_insecure        = false
      container_image                = null
      docker_labels                  = null
      docker_map_ports               = false
      docker_network                 = null
      kubernetes_disabled_components = []
      kubernetes_image_pull_secrets  = []
      kubernetes_ingress_annotations = {"cert-manager.io/cluster-issuer": "letsencrypt"}
      kubernetes_ingress_class_name  = null
      kubernetes_ingress_secret_name = "authentik-outpost-tls-secret"
      kubernetes_namespace           = "authentik"
      kubernetes_replicas            = 3
      kubernetes_service_type        = "ClusterIP"
      log_level                      = "info"
      object_naming_template         = "ak-outpost-%(name)s"
      kubernetes_json_patches        = yamldecode(<<-EOT
        deployment:
          - op: add
            path: "/spec/template/metadata"
            value:
              labels:
                a-cooler-domain-than-yours.net/ingress: consumer
                a-cooler-domain-than-yours.net/authentik: consumer
                a-cooler-domain-than-yours.net/dns: consumer
          - op: add
            path: "/spec/template/spec/affinity"
            value:
              podAntiAffinity:
                requiredDuringSchedulingIgnoredDuringExecution:
                  - labelSelector:
                      matchExpressions:
                        - key: app.kubernetes.io/name
                          operator: In
                          values:
                            - authentik-proxy
                    topologyKey: kubernetes.io/hostname
        EOT
      )
    }
  )
  service_connection = authentik_service_connection_kubernetes.local.id
  protocol_providers = [
    authentik_provider_proxy.test-provider.id,
  ]
}

See that the resource is created in authentik, but not the cluster. Manually creating the resource via the web UI will create the resources in Kubernetes.

Alternately, adjust values in the proxy provider. Some apply, some don't. In my experience, changing the Kubernetes labels applies, but leads to the outposts failing when recreated.

Expected behavior
Changes in Terraform and the web UI should be reflected identically in Kubernetes.

Logs
I did not see anything relevant in the logs. It seems the worker and server think the outposts are just fine.

Version and Deployment

authentik version: 2024.12.3
Deployment: helm
Terraform provider: Tested with 2024.12.0 and 2024.12.1
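
An added example, not part of the original issue or of authentik's code: it applies RFC 6902 `add` semantics to the first entry of `kubernetes_json_patches` above, where an `add` at an existing object member replaces that member rather than merging into it. The Deployment is constructed and assumes the pod template already carries the `app.kubernetes.io/name: authentik-proxy` label that the report's anti-affinity rule selects on; the helper names are hypothetical.

```python
import copy

def apply_add(doc, path, value):
    """Apply one RFC 6902 'add' to an object member: an existing member is replaced, not merged."""
    doc = copy.deepcopy(doc)
    # RFC 6901 unescaping: '~1' -> '/', then '~0' -> '~'. Array indexes are not handled here.
    *parents, last = [p.replace("~1", "/").replace("~0", "~") for p in path.split("/")[1:]]
    target = doc
    for key in parents:
        target = target[key]  # every parent must already exist, per RFC 6902
    target[last] = value
    return doc

def lost_labels(before, after):
    """Pod-template labels present before patching but missing or changed afterwards."""
    old = before["spec"]["template"]["metadata"].get("labels", {})
    new = after["spec"]["template"]["metadata"].get("labels", {})
    return sorted(k for k in old if new.get(k) != old[k])

def selector_matches(deployment):
    """A Deployment's selector.matchLabels must be a subset of its pod-template labels."""
    labels = deployment["spec"]["template"]["metadata"].get("labels", {})
    want = deployment["spec"]["selector"]["matchLabels"]
    return all(labels.get(k) == v for k, v in want.items())

# Constructed Deployment (assumed shape and labels, not authentik's real manifest).
DEPLOYMENT = {"spec": {
    "selector": {"matchLabels": {"app.kubernetes.io/name": "authentik-proxy"}},
    "template": {"metadata": {"labels": {"app.kubernetes.io/name": "authentik-proxy"}},
                 "spec": {"containers": []}},
}}
# One of the labels from the report's first patch entry.
EXTRA = {"a-cooler-domain-than-yours.net/ingress": "consumer"}

# As written in the report: 'add' at /spec/template/metadata swaps the whole metadata object.
replaced = apply_add(DEPLOYMENT, "/spec/template/metadata", {"labels": EXTRA})
# Narrower alternative: add a single label key ('/' inside the key is escaped as '~1').
merged = apply_add(
    DEPLOYMENT,
    "/spec/template/metadata/labels/a-cooler-domain-than-yours.net~1ingress",
    "consumer",
)

if __name__ == "__main__":
    print("as written:", lost_labels(DEPLOYMENT, replaced), selector_matches(replaced))
    print("per-label :", lost_labels(DEPLOYMENT, merged), selector_matches(merged))
```

Running the same comparison against the Deployment the outpost controller actually renders shows whether a patch drops labels that the selector or the anti-affinity rule depends on.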
