Terraform-provider-helm: Metadata output contains sensitive values

Created on 26 Feb 2020  ·  3Comments  ·  Source: hashicorp/terraform-provider-helm

Terraform Version


0.12.17

Affected Resource(s)


helm_release

Terraform Configuration Files

resource "helm_release" "my-release" {
  ...  
  values       = [file("values.yaml")]

  set {
    name  = "image.version"
    value = file("app.version")
  }

  set_sensitive {
    name  = "variables.secrets.DB_PASSWORD"
    value = "pa$$word"
  }
}

Expected Behavior


when I do terrafrom apply it shows update plan with changes. In that plan metadata output is exposed and that metadata contains previous values and additional sets. I expect that sensitive keys are somehow obfuscated and don't show in the logs.

Actual Behavior


The problem is that sensitive values are in plain text.
helm_release.hello-cloud will be updated in-place

  ~ resource "helm_release" "my-release" {
        ....
        metadata              = [
            {
                ...
                values    = jsonencode(
                    {
                            ........
                            secrets = {
                                DB_PASSWORD = "pa$$word"
                            }
                        }
                    }
                )
        ]

       set_sensitive {
            name  = "variables.secrets.DB_PASSWORD"
            value = (sensitive value)
        }
....
}

Steps to Reproduce

  1. terraform apply

Most helpful comment

Any plans to get a change into a future release that would fix this? I've been using a custom built helm provider based off of https://github.com/terraform-providers/terraform-provider-helm/pull/340 but it would be great to have proper support for hiding secrets in the metadata.

All 3 comments

I found this https://github.com/terraform-providers/terraform-provider-helm/pull/340 but it's still not merged, and similar issue https://github.com/terraform-providers/terraform-provider-helm/issues/333 is closed even though problem is still there.

Any plans to get a change into a future release that would fix this? I've been using a custom built helm provider based off of https://github.com/terraform-providers/terraform-provider-helm/pull/340 but it would be great to have proper support for hiding secrets in the metadata.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

Was this page helpful?
0 / 5 - 0 ratings

Related issues

utx0 picture utx0  ·  11Comments

alexkreidler picture alexkreidler  ·  71Comments

dangarthwaite picture dangarthwaite  ·  19Comments

pdecat picture pdecat  ·  14Comments

ukphillips picture ukphillips  ·  12Comments