the provider continues to reveal sensitive variables during destroy or update in-place #1287
Comments
It is my understanding that sensitive values should be passed with set_sensitive, not the standard values input... https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release#set_sensitive

@daniel-butler-irl interesting, I did not get that impression, but I will test that theory out if I get some time today

Not sure if it's supposed to work like that, but it's how I handle it. It would be better if it could respect the sensitive field...

The problem is that this field doesn't work with Whereas it's very common to use one values file with Helm rather than a multitude of sets

Thank you for bringing this to our attention @cdtzabra, based off of the comment from a previous issue this is more due to how Terraform handles metadata information and thus treats it all as is regardless of whether it's sensitive or not. The fix for this would be to implement a

Hi @BBBmau Do you know if this issue has been selected for development? Thank you 🙏
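As an added example (not code from this thread, the provider docs, or the reporter's configuration) of the split the comments above discuss: non-secret settings stay in a values file, while the password is declared as a sensitive variable and passed through `set_sensitive`, so it is never part of the `values` attribute. Chart, repository, file path, variable and key names are assumptions, and the nested-block syntax assumes the 2.x provider.

```hcl
variable "db_password" {
  type      = string
  sensitive = true # assumption: the secret is supplied by the caller, never hard-coded
}

resource "helm_release" "release" {
  name       = "my-chart-name"                # assumed names
  repository = "https://charts.example.invalid"
  chart      = "my-chart"

  # Non-secret configuration from a values file (assumed path).
  # Anything in here ends up in the `values` attribute and in metadata.values.
  values = [
    file("${path.module}/files/values.yaml"),
  ]

  # The secret goes through set_sensitive instead. Set entries are merged on top
  # of the values files, so config.password here overrides any placeholder the
  # file may contain. `value` is schema-marked sensitive, so plan shows
  # "(sensitive value)" for it.
  set_sensitive {
    name  = "config.password"
    value = var.db_password
  }
}
```

Whether the provider also masks that key inside `metadata.values` is exactly what this issue and #793 are about, so after switching to `set_sensitive` inspect a `terraform plan` for an in-place update and confirm the `metadata` block no longer shows the plaintext.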
A potential hacky workaround to this is to add metadata to lifecycle ignore_changes, however this will spit out a warning indicating it's decided by the provider and not an argument set so it's redundant. Also unaware of any issues that may come from this if you're outputting anything from the metadata block, and then there's drift going unnoticed.

Before:

```
  # helm_release.release will be updated in-place
  ~ resource "helm_release" "release" {
        id       = "my-chart"
      ~ metadata = [
          - {
              - chart  = "my-chart"
                ....
              - values = jsonencode(
                    {
                      - config = {
                          - password = <redacted>
                          - name     = "my-config"
                        }
                    }
                )
            },
        ] -> (known after apply)
        name     = "my-chart-name"
      ~ values   = [
          - (sensitive value),
          + (sensitive value),
        ]
        # (26 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```

After adding:

```hcl
lifecycle {
  ignore_changes = [metadata]
}
```

```
Terraform will perform the following actions:

  # helm_release.release will be updated in-place
  ~ resource "helm_release" "release" {
        id     = "my-chart"
        name   = "my-chart-name"
      ~ values = [
          - (sensitive value),
          + (sensitive value),
        ]
        # (27 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
╷
│ Warning: Redundant ignore_changes element
│
│   on ../../../my_helm_chart/0.1.0/main.tf line 6, in resource "helm_release" "release":
│    6: resource "helm_release" "release" {
│
│ Adding an attribute name to ignore_changes tells Terraform to ignore future changes to the argument in configuration after the object has been created, retaining the value originally configured.
│
│ The attribute metadata is decided by the provider alone and therefore there can be no configured value to compare with. Including this attribute in ignore_changes has no effect. Remove the attribute from
│ ignore_changes to quiet this warning.
╵
```
Terraform, Provider, Kubernetes and Helm Versions

Affected Resource(s)

Terraform Configuration Files

files/vsphere-csi-values.yaml.tpl looks like

Debug Output

NOTE: In addition to Terraform debugging, please set HELM_DEBUG=1 to enable debugging info from helm.

Panic Output

terraform destroy
or terraform plan -- with some changes (update in place)

Expected Behavior

Sensitive variable should not be revealed in the metadata field.
Issue already reported here: #793
With fix explanations from Terraform

Actual Behavior

Sensitive data gets displayed in metadata fields.