Repository Password Stored in Plan #1333

Open
CSimpiFoN opened this issue Feb 22, 2024 · 2 comments

@CSimpiFoN

Terraform, Provider, Kubernetes and Helm Versions

Terraform version: 1.7.3
Provider version: 2.12.1
Kubernetes version: N/A

Affected Resource(s)

  • helm_release

Terraform Configuration Files

resource "helm_release" "shared" {
  name                = join("-", compact([var.product, "shared"]))
  repository          = "https://gitlab.com/api/v4/projects/{ProjectID}/packages/helm/stable"
  chart               = "shared"
  version             = var.shared_chart_version
  namespace           = join("-", compact([var.product, var.environment]))
  repository_username = "ce-automation"
  repository_password = var.helm_repo_pass
  wait                = true
  set {
    name  = "global.namespace"
    value = join("-", compact([var.product, var.environment]))
  }
  lint = true

  depends_on = [kubernetes_namespace_v1.namespace]
}

Steps to Reproduce

  1. terraform plan -out=tfplan in GitLab automation job one, with CI_JOB_TOKEN as var.helm_repo_pass
  2. terraform apply tfplan in GitLab automation job two, with CI_JOB_TOKEN as var.helm_repo_pass

Expected Behavior

Terraform should be able to access the Helm repository

Actual Behavior

Terraform gets permission denied from the Helm repository because job 2 would reuse the CI_JOB_TOKEN of job 1, which has already expired.

Important Factoids

Helm repo password is stored in the plan file
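One way to check a plan artifact for the credential before it is archived or handed to a second job. This is an added example, not code from the issue or from the provider; the plan document is a constructed sample in the shape of `terraform show -json tfplan` output, and the token value in it is made up.

```python
from __future__ import annotations
import json
from typing import Any, Iterator

# Constructed sample in the shape of `terraform show -json tfplan` output, trimmed
# to the fields this check reads. The token value is made up, not a real credential.
SAMPLE_PLAN = json.dumps({"format_version": "1.2", "resource_changes": [{
    "address": "helm_release.shared", "type": "helm_release",
    "change": {"actions": ["create"], "before": None,
               "after": {"name": "demo-shared", "repository_username": "ce-automation",
                         "repository_password": "glcbt-EXAMPLE-TOKEN",
                         "set": [{"name": "global.namespace", "value": "demo-dev"}]},
               # Terraform records which attributes are sensitive, but the values
               # above are still plaintext in the artifact itself.
               "after_sensitive": {"repository_password": True, "set": [{}]}}}]})


def leaves(after: Any, sensitive: Any, path: str = "") -> Iterator[tuple[str, Any, bool]]:
    """Walk a change's `after` tree alongside its `after_sensitive` map and yield
    (attribute path, value, marked_sensitive) for every leaf."""
    if isinstance(after, dict):
        for key, value in after.items():
            sub = sensitive.get(key) if isinstance(sensitive, dict) else None
            yield from leaves(value, sub, f"{path}.{key}" if path else key)
    elif isinstance(after, list):
        for idx, value in enumerate(after):
            sub = sensitive[idx] if isinstance(sensitive, list) and idx < len(sensitive) else None
            yield from leaves(value, sub, f"{path}[{idx}]")
    else:
        yield path, after, sensitive is True


def find_secret_in_plan(plan_json: str, secret: str) -> list[dict]:
    """Report every planned attribute whose value contains `secret`, so a plan file
    can be checked before it is stored as a CI artifact or passed to a later job."""
    hits = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        for attr, value, flagged in leaves(change.get("after") or {}, change.get("after_sensitive") or {}):
            if isinstance(value, str) and secret and secret in value:
                hits.append({"address": rc["address"], "attribute": attr, "marked_sensitive": flagged})
    return hits


if __name__ == "__main__":
    # In CI: terraform show -json tfplan > plan.json, then pass its contents here
    # together with the credential the job holds (here the constructed sample token).
    for hit in find_secret_in_plan(SAMPLE_PLAN, "glcbt-EXAMPLE-TOKEN"):
        print(f"{hit['address']}: {hit['attribute']} holds the credential "
              f"(marked sensitive: {hit['marked_sensitive']})")
```

A "marked sensitive" result only means the human-readable plan output redacts the value; the plan file and its JSON rendering still carry it in plaintext, which is why a per-job token cannot survive a plan/apply split across jobs.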

@CSimpiFoN (Author)

Also, in this type of automated setup, the plan always shows the helm releases to be updated because the password always changes.


theadzik commented May 23, 2024

We pull the password from azure key vault using:

data "azurerm_key_vault_secret" "helm_password" {
  key_vault_id = "some-id"
  name         = "helm-password"
}

then we apply it with:

resource "helm_release" "twistlock-defender" {
  ...
  repository_password = data.azurerm_key_vault_secret.helm_password.value
  ...
}

The password is updated in tfstate for the "azurerm_key_vault_secret" data object, but not for "helm_release".

When we run tf plan -> tf apply, our account gets locked. I assume that when the read happens before apply, it tries to use the old password, which is expired.

I had to manually update the password in tf state after unlocking our account.
