Double escaping necessary for values supplied to set and set_sensitive

[stemann]

Terraform, Provider, Kubernetes and Helm Versions

Terraform version: 1.9.5
Provider version: 2.15.0
Kubernetes version: 2.32.0

Affected Resource(s)

• helm_release

Terraform Configuration Files

terraform {
  required_providers {
    helm = {
      source  = "hashicorp/helm"
      version = "~> 2.0"
    }
  }

  required_version = "~> 1.0"
}

provider "helm" {
  kubernetes {
    host                   = var.cluster_endpoint
    cluster_ca_certificate = base64decode(var.cluster_certificate_authority_data)
    token                  = var.cluster_token
  }
}

resource "helm_release" "jupyterhub" {
  name = "jupyterhub"

  repository = "https://hub.jupyter.org/helm-chart/"
  chart      = "jupyterhub"
  version    = "3.3.8" # I.e., JupyterHub version 4.1.6

  cleanup_on_fail  = true
  create_namespace = true
  namespace        = "jupyterhub"

  values = [
    jsonencode(yamldecode(file("${path.module}/jupyterhub_values.yaml")))
  ]

  set_sensitive {
    name  = "hub.config.GenericOAuthenticator.client_secret"
    value = var.client_secret
  }
}

Debug Output

N/A

Panic Output

N/A

Steps to Reproduce

1. Supply a value to helm_release set_sensitive (or set) containing an escape sequence e.g. "\\(", e.g. as client_secret in the example above.
2. terraform apply

Workaround:

  set_sensitive {
    name  = "hub.config.GenericOAuthenticator.client_secret"
    value = replace(var.client_secret, "\\", "\\\\") # HACK workaround for "\\" in client_secret being replaced
  }

Expected Behavior

Value is set to value provided to set.

Or optionally, the double-escape necessary for set and set_sensitive is documented, also for simple (string) values.

Actual Behavior

Given the value "\\(", "\\" is replaced with "\" which yields the string "\(", which is then replaced with "(".

Important Factoids

N/A

References

• GH-612
• GH-1070, in particular https://github.com/hashicorp/terraform-provider-helm/issues/1070#issuecomment-1452442070

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[arybolovlev]

Hi @stemann,

Escaping special characters is mandatory when they pass a value, here is a long discussion with the Helm authors. It seems to be addressed with --set-literal option, however, it is not implemented yet in this provider.