Open snowsky opened 1 week ago
There is `set_sensitive`, for example:
# Installs the "aidbox" chart from the Aidbox Helm repository into the
# "aidbox" namespace, creating the namespace if needed.
# Non-secret settings go through `values`; credentials and the license go
# through `set_sensitive` so they are masked in the plan diff.
# NOTE(review): no `version` is set, so the chart version is not pinned here;
# consider pinning it so an apply cannot silently pick up a different chart.
resource "helm_release" "mod" {
chart = "aidbox"
create_namespace = true
name = "aidbox"
namespace = "aidbox"
repository = "https://aidbox.github.io/helm-charts"
# Only non-secret configuration belongs in this map: everything placed here
# is rendered in clear text in plan output.
values = [yamlencode({
host = "aidbox.local"
# NOTE(review): plain "http" - confirm TLS is terminated elsewhere before
# credentials cross this endpoint.
protocol = "http"
config = {
AIDBOX_ADMIN_ID = "admin"
AIDBOX_CLIENT_ID = "admin"
AIDBOX_FHIR_VERSION = "4.0.1"
PGDATABASE = "aidbox"
PGHOST = "aidboxdb.postgres.svc"
# NOTE(review): "postgres" is conventionally the superuser role; a dedicated
# least-privilege role may be preferable - verify against the chart.
PGUSER = "postgres"
}
})]
# `set_sensitive` hides these values in the plan diff only. Terraform still
# writes them to the state file, so the state backend needs encryption and
# restricted access.
# The literals below are placeholders: supply the real values from variables
# declared with `sensitive = true` or from a secret-store data source, never
# as strings committed to version control.
set_sensitive {
name = "config.AIDBOX_ADMIN_PASSWORD"
value = "<secret-value>"
}
set_sensitive {
name = "config.AIDBOX_CLIENT_SECRET"
value = "<secret-value>"
}
set_sensitive {
name = "config.AIDBOX_LICENSE"
value = "<license-content-here>"
}
set_sensitive {
name = "config.PGPASSWORD"
value = "<secret-value>"
}
}
sample output when updating
- {
- app_version = "edge"
- chart = "aidbox"
- first_deployed = 1726221148
- last_deployed = 1726221148
- name = "aidbox"
- namespace = "aidbox"
- notes = ""
- revision = 1
- values = jsonencode(
{
- config = {
- AIDBOX_ADMIN_ID = "admin"
- AIDBOX_ADMIN_PASSWORD = "(sensitive value)"
- AIDBOX_CLIENT_ID = "admin"
- AIDBOX_CLIENT_SECRET = "(sensitive value)"
- AIDBOX_FHIR_VERSION = "4.0.1"
- AIDBOX_LICENSE = "(sensitive value)"
- PGDATABASE = "aidbox"
- PGHOST = "aidboxdb.postgres.svc"
- PGPASSWORD = "(sensitive value)"
- PGUSER = "postgres"
}
- host = "aidbox.local"
- protocol = "http"
}
)
- version = "0.1.13"
},
] -> (known after apply)
Thanks @faridco, that is the approach I am using now. I think if `config`
could be optional, a secret could be used directly.
When the Helm release is updated by Terraform, the `config` section shows sensitive data in plain text. This is to allow a secret to be used for the required environment variables.