0.12.17
helm_release
resource "helm_release" "my-release" {
  ...
  values = [file("values.yaml")]
  set {
    name  = "image.version"
    value = file("app.version")
  }
  set_sensitive {
    name  = "variables.secrets.DB_PASSWORD"
    value = "pa$$word"
  }
}
When I do terraform apply, it shows an update plan with changes. In that plan the metadata output is exposed, and that metadata contains previous values and additional sets. I expect that sensitive keys are somehow obfuscated and don't show in the logs.
The problem is that sensitive values are in plain text.
helm_release.hello-cloud will be updated in-place
~ resource "helm_release" "my-release" {
....
metadata = [
{
...
values = jsonencode(
{
........
secrets = {
DB_PASSWORD = "pa$$word"
}
}
}
)
]
set_sensitive {
name = "variables.secrets.DB_PASSWORD"
value = (sensitive value)
}
....
}
terraform apply
I found this https://github.com/terraform-providers/terraform-provider-helm/pull/340 but it's still not merged, and a similar issue https://github.com/terraform-providers/terraform-provider-helm/issues/333 is closed even though the problem is still there.
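A check for the exposure reported above, as an added example (not part of the original issue or the provider's code): it reads the JSON form of a plan, as produced by `terraform show -json <planfile>`, and reports every `set_sensitive` key whose path is also readable in `metadata[].values`. The function names and the sample plan are constructed for illustration, and it assumes `metadata[].values` is a JSON string, as the plan output above shows.

```python
import json

def lookup(tree, dotted):
    """Walk a dotted key (a.b.c) through decoded values; plain dotted keys only."""
    node = tree
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return True

def leaked_sensitive_keys(plan):
    """Return sorted (address, key) pairs where a set_sensitive key appears in metadata.values."""
    findings = set()
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "helm_release":
            continue
        change = rc.get("change", {})
        names, decoded = set(), []
        for side in ("before", "after"):  # metadata carries the previous release's values
            attrs = change.get(side) or {}
            names.update(s["name"] for s in attrs.get("set_sensitive") or [] if "name" in s)
            for meta in attrs.get("metadata") or []:
                try:
                    decoded.append(json.loads(meta.get("values") or "{}"))
                except (ValueError, TypeError, AttributeError):
                    continue  # unknown or non-JSON metadata: nothing to inspect
        for name in names:
            if any(lookup(tree, name) for tree in decoded):
                findings.add((rc["address"], name))  # report the key, never the value
    return sorted(findings)

# Constructed sample input shaped like the plan in this issue (not real output).
SAMPLE_PLAN = {"resource_changes": [{
    "address": "helm_release.my-release",
    "type": "helm_release",
    "change": {
        "before": {
            "set_sensitive": [{"name": "variables.secrets.DB_PASSWORD",
                               "value": "constructed-secret"}],
            "metadata": [{"values": json.dumps(
                {"variables": {"secrets": {"DB_PASSWORD": "constructed-secret"}}})}],
        },
        "after": {"set_sensitive": [{"name": "variables.secrets.DB_PASSWORD",
                                     "value": "constructed-secret"}]},
    },
}]}

if __name__ == "__main__":
    for address, key in leaked_sensitive_keys(SAMPLE_PLAN):
        print(f"{address}: set_sensitive key '{key}' is readable in metadata.values")
```

Run against a saved plan in CI, a non-empty result means the plan text and any log that captures it should be treated as containing the secret.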
Any plans to get a change into a future release that would fix this? I've been using a custom built helm provider based off of https://github.com/terraform-providers/terraform-provider-helm/pull/340 but it would be great to have proper support for hiding secrets in the metadata.
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!