hashicorp / terraform-provider-helm

Terraform Helm provider
https://www.terraform.io/docs/providers/helm/
Mozilla Public License 2.0

Repository Password Stored in Plan #1333

Open CSimpiFoN opened 7 months ago

CSimpiFoN commented 7 months ago

Terraform, Provider, Kubernetes and Helm Versions

Terraform version: 1.7.3
Provider version: 2.12.1
Kubernetes version: N/A

Affected Resource(s)

Terraform Configuration Files

resource "helm_release" "shared" {
  name                = join("-", compact([var.product, "shared"]))
  repository          = "https://gitlab.com/api/v4/projects/{ProjectID}/packages/helm/stable"
  chart               = "shared"
  version             = var.shared_chart_version
  namespace           = join("-", compact([var.product, var.environment]))
  repository_username = "ce-automation"
  repository_password = var.helm_repo_pass
  wait                = true
  set {
    name  = "global.namespace"
    value = join("-", compact([var.product, var.environment]))
  }
  lint = true

  depends_on = [kubernetes_namespace_v1.namespace]
}

Steps to Reproduce

  1. terraform plan -out=tfplan in GitLab automation job one with CI_JOB_TOKEN as var.helm_repo_pass
  2. terraform apply tfplan in GitLab automation job two with CI_JOB_TOKEN as var.helm_repo_pass

Expected Behavior

Terraform should be able to access the Helm repository

Actual Behavior

Terraform gets permission denied from the Helm repository because job 2 would reuse the CI_JOB_TOKEN of job 1, which has already expired

Important Factoids

Helm repo password is stored in the plan file

CSimpiFoN commented 6 months ago

Also, in this type of automated setup, the plan always shows the helm releases to be updated because the password always changes
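An added check for the two behaviours described in this issue (the password being written into the plan artifact, and the perpetual "update" caused by a rotating token). This is example code written for this thread, not part of the provider or Terraform; it reads the JSON produced by `terraform show -json tfplan` and the sample plan below is constructed to mirror the helm_release above.

```python
import json

# Constructed sample in the shape of `terraform show -json tfplan`; token values are placeholders.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [{
        "address": "helm_release.shared",
        "type": "helm_release",
        "change": {
            "actions": ["update"],
            "before": {"name": "acme-shared", "repository_username": "ce-automation",
                       "repository_password": "CONSTRUCTED-OLD-CI-JOB-TOKEN"},
            "after": {"name": "acme-shared", "repository_username": "ce-automation",
                      "repository_password": "CONSTRUCTED-NEW-CI-JOB-TOKEN"},
            "before_sensitive": {"repository_password": True},
            "after_sensitive": {"repository_password": True},
        },
    }],
})

def sensitive_values_in_plan(plan_text):
    """Map resource address -> attributes flagged sensitive whose plaintext value
    is nonetheless present in the plan JSON (and so in the saved tfplan file).
    Use it before archiving tfplan as a CI artifact."""
    found = {}
    for rc in json.loads(plan_text).get("resource_changes", []):
        change = rc.get("change") or {}
        after = change.get("after") or {}
        flags = change.get("after_sensitive") or {}
        attrs = sorted(k for k, v in flags.items() if v is True and after.get(k) not in (None, ""))
        if attrs:
            found[rc["address"]] = attrs
    return found

def secret_only_updates(plan_text):
    """Addresses whose planned update differs from state only in sensitive
    attributes: the perpetual diff a per-job token such as CI_JOB_TOKEN produces."""
    hits = []
    for rc in json.loads(plan_text).get("resource_changes", []):
        change = rc.get("change") or {}
        if "update" not in change.get("actions", []):
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        changed = {k for k in set(before) | set(after) if before.get(k) != after.get(k)}
        sensitive = {k for k, v in (change.get("after_sensitive") or {}).items() if v is True}
        if changed and changed <= sensitive:
            hits.append(rc["address"])
    return hits
```

Run it as `terraform show -json tfplan | python3 plan_secrets.py` after wrapping the two calls in a small main that reads stdin.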

theadzik commented 4 months ago

We pull the password from azure key vault using:

data "azurerm_key_vault_secret" "helm_password" {
  key_vault_id = "some-id"
  name         = "helm-password"
}

then we apply it with:

resource "helm_release" "twistlock-defender" {
  ...
  repository_password = data.azurerm_key_vault_secret.helm_password.value
  ...
}

The password is updated in tfstate for the "azurerm_key_vault_secret" data object, but not for "helm_release".

When we run tf plan -> tf apply, our account gets locked. I assume when read happens before apply it tries to use the old password which is expired.

I had to manually update the password in tf state after unlocking our account.

CSimpiFoN commented 3 months ago

The ephemeral_values experimental feature in TF v1.10.0 might solve this issue in the future: https://github.com/hashicorp/terraform/releases/tag/v1.10.0-alpha20240606