hashicorp / terraform-provider-helm

Terraform Helm provider
https://www.terraform.io/docs/providers/helm/
Mozilla Public License 2.0

Double escaping necessary for values supplied to set and set_sensitive #1474

Open stemann opened 1 month ago

stemann commented 1 month ago

Terraform, Provider, Kubernetes and Helm Versions

Terraform version: 1.9.5
Provider version: 2.15.0
Kubernetes version: 2.32.0

Affected Resource(s)

Terraform Configuration Files

terraform {
  required_providers {
    helm = {
      source  = "hashicorp/helm"
      version = "~> 2.0"
    }
  }

  required_version = "~> 1.0"
}

provider "helm" {
  kubernetes {
    host                   = var.cluster_endpoint
    cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data)
    token                  = var.cluster_token
  }
}

resource "helm_release" "jupyterhub" {
  name = "jupyterhub"

  repository = "https://hub.jupyter.org/helm-chart/"
  chart      = "jupyterhub"
  version    = "3.3.8" # I.e., JupyterHub version 4.1.6

  cleanup_on_fail  = true
  create_namespace = true
  namespace        = "jupyterhub"

  values = [
    jsonencode(yamldecode(file("${path.module}/jupyterhub_values.yaml")))
  ]

  set_sensitive {
    name  = "hub.config.GenericOAuthenticator.client_secret"
    value = var.client_secret
  }
}

Debug Output

N/A

Panic Output

N/A

Steps to Reproduce

  1. Supply a value to helm_release set_sensitive (or set) containing an escape sequence e.g. "\\(", e.g. as client_secret in the example above.
  2. terraform apply

Workaround:

  set_sensitive {
    name  = "hub.config.GenericOAuthenticator.client_secret"
    value = replace(var.client_secret, "\\", "\\\\") # HACK workaround for "\\" in client_secret being replaced
  }

Expected Behavior

Value is set to value provided to set.

Or optionally, the double-escape necessary for set and set_sensitive is documented, also for simple (string) values.

Actual Behavior

Given the value "\\(", "\\" is replaced with "\" which yields the string "\(", which is then replaced with "(".

Important Factoids

N/A

arybolovlev commented 1 month ago

Hi @stemann,

Escaping special characters is mandatory when they pass a value; here is a long discussion with the Helm authors. It seems to be addressed with the --set-literal option; however, it is not implemented yet in this provider.
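
The unescaping discussed in this thread, as an added example that is not part of the original issue or the provider's code: a simplified Python model that assumes a backslash makes the next character literal and is itself dropped, and that an unescaped comma ends the value. The function names and sample secrets are constructed for illustration; the model checks which secrets would be altered and that escaping them first round-trips.

```python
# Added example: simplified model of how a value passed through a
# --set style "name=value" string is unescaped before the chart sees it.
# Assumptions (not the provider's code): "\" makes the next character
# literal and is dropped; an unescaped "," ends the value. List syntax
# ("{a,b}") and type coercion are not modelled.


def value_after_set_parsing(raw: str) -> str:
    """Return the value the chart would receive for the raw string."""
    out = []
    chars = iter(raw)
    for ch in chars:
        if ch == "\\":
            nxt = next(chars, None)
            if nxt is None:  # trailing lone backslash is lost
                break
            out.append(nxt)  # escaped character is kept literally
        elif ch == ",":      # unescaped comma starts the next name=value pair
            break
        else:
            out.append(ch)
    return "".join(out)


def escape_for_set(secret: str) -> str:
    """Escape a secret so the parsing above returns it unchanged.
    Backslashes must be doubled first, then commas escaped."""
    return secret.replace("\\", "\\\\").replace(",", "\\,")


def is_altered(secret: str) -> bool:
    """True if the secret would reach the chart changed when passed as-is."""
    return value_after_set_parsing(secret) != secret


# Constructed sample secrets (not real credentials).
SAMPLES = [r"abc\(def", r"p\\q", "plain-secret", "a,b", "tail\\"]


def report() -> list:
    """(secret, value received unescaped, value received after escaping)."""
    return [(s, value_after_set_parsing(s),
             value_after_set_parsing(escape_for_set(s))) for s in SAMPLES]


if __name__ == "__main__":
    for secret, unescaped, escaped in report():
        print(f"{secret!r}: as-is -> {unescaped!r}, escaped first -> {escaped!r}")
```

A secret that is silently shortened this way still deploys without error, so comparing the rendered value against the source secret is the only reliable check.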