terraform-provider-helm
Suppress metadata changes at terraform plan?
Older helm provider versions didn't show this metadata changes when terraform detected a change/run plan, and the new helm provider versions are posting a wall of text of metadata changes which have no real value (to me) and just clog up my tf plan output.
example doing a tf plan on a helm resource where we only updated the image tag var:
  # module.api-eks.helm_release.app will be updated in-place
  ~ resource "helm_release" "app" {
        id = "api"
      ~ metadata = [
          - {
              - app_version = "latest"
              - chart = "api"
              - name = "api"
              - namespace = "production"
              - revision = 1420
              - values = jsonencode(
                    {
                      - appConfig = {
                          - apiBackendReplicationTaskId = "none"
                          - applicationMode = "none"
                          - baseApiUrl = "none"
                          - something = "else"
                          - foo = "bar"
                          -
< it goes on for many >
< many >
< lines >
< and it's of no value >
< just noise on tf plan >
let's say we only have a field deploymentTimestamp updated. We'd rather see the changed field only on terraform plan, and suppress the whole metadata update, e.g. terraform plan should only show
  # module.api-eks.helm_release.app will be updated in-place
  ~ resource "helm_release" "app" {
        id = "api"
        [...]
        # (25 unchanged attributes hidden)
      + set {
          + name = "deploymentTimestamp"
          + value = "19012024-225905"
        }
        # (62 unchanged blocks hidden)
This way the terraform plan is clear and concise, more human (easier to read/follow) without the metadata removal. Does it make sense?
Terraform version, Kubernetes provider version and Kubernetes version
Terraform version: v1.6.5
Helm Provider version: v2.12.0 (same on v2.12.1)
Kubernetes version: v2.24.0
Terraform configuration
resource "helm_release" "app" {
  namespace = var.namespace != "" ? var.namespace : terraform.workspace
  chart = var.chart_name
  version = var.chart_version
  name = var.app_name
  timeout = var.deployment_timeout
  cleanup_on_fail = var.helm_cleanup_on_fail
  atomic = var.helm_atomic_creation
  max_history = var.helm_max_history
  wait = var.helm_wait_for_completion
  dynamic "set" {
    for_each = local.k8s_app
    content {
      name = set.key
      value = set.value
    }
  }
  values = var.some_ingress_values
}
Question
Is there any way to suppress the metadata changes at terraform plan?
I'm really curious if this is possible to do, as I'm using the https://registry.terraform.io/providers/hashicorp/helm/latest/docs#manifest experiment.
Would also be very interested in this, we have a fairly hefty internal helm chart with a few dependencies and a large values input spread across multiple files. When a single values file is updated (even just adding a space), the entire metadata is recomputed and showing as changed, although the value is not known as it's computed.
From a recent plan, the metadata takes up 2183 lines of a total 2392, we're currently forced to redirect stdout of apply/plan runs to a text to then read the plan, and in CI it causes huge job logs which is completely unnecessary.
For us, the metadata of the helm chart is useless and we'd like to disable the computation if possible (or at least hide it from output).
We already mark the values file as sensitive because the output is similarly huge, it outputs the entire text file before/after instead of just showing the values which have changed/added/removed. For large values files this is useless for comparison, so we compare changes using the manifest experiment instead which works very well.
We're in the same situation, we managed to silence the values diff, but now we're back at square one with a huge and useless diff in our terraform plans
~ values = (sensitive value)
Another point which is probably of more serious concern, the metadata output will show sensitive values.
When changing any values in the helm_release resource the entire metadata output is shown, even if sensitive values aren't changed.
Another point which is probably of more serious concern, the metadata output will show sensitive values.
When changing any values in the helm_release resource the entire metadata output is shown, even if sensitive values aren't changed.
I don't believe this is (at least 100%) accurate, at least on the latest version 2.12.1.
Shows that some values that were set using set_sensitive are being properly hidden
Apologies, @BenB196 is correct, I was mistaken as we do not use set_sensitive to set sensitive variables, therefore they're displayed.
It would be useful to have a values_sensitive parameter so that we can set sensitive values using freeform YAML, but that's another issue.
Interestingly, I find
  lifecycle {
    ignore_changes = [
      metadata
    ]
  }
successfully suppressed the metadata junk. However, the following (erroneous) warning ensues:
│ Adding an attribute name to ignore_changes tells Terraform to ignore future changes to the argument in
│ configuration after the object has been created, retaining the value originally configured.
│
│ The attribute metadata is decided by the provider alone and therefore there can be no configured value to compare
│ with. Including this attribute in ignore_changes has no effect. Remove the attribute from ignore_changes to quiet
│ this warning.
This does have an effect, despite the warning.
Hello folks, if you run into this issue and want a temporary fix, you can use my script detailed here: https://gist.github.com/imranismail/3364db5b49200247ca8cb675c96589fe
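An added example, not part of the thread and not the linked gist: one way to get the concise view requested above is to post-process the machine-readable plan (`terraform show -json <planfile>`), dropping `metadata` for `helm_release` and masking every attribute Terraform marks as sensitive. The sample plan is constructed, and `summarize`, `has_sensitive` and `IGNORED` are hypothetical names.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.dumps({"resource_changes": [{
    "address": "module.api-eks.helm_release.app", "type": "helm_release",
    "change": {"actions": ["update"],
        "before": {"id": "api", "values": ["token: old"], "set": [],
                   "metadata": [{"revision": 1420, "values": "{\"token\":\"old\"}"}]},
        "after": {"id": "api", "values": ["token: new"],
                  "set": [{"name": "deploymentTimestamp", "value": "19012024-225905"}]},
        "after_unknown": {"metadata": True},
        "before_sensitive": {"values": True, "set": []},
        "after_sensitive": {"values": True, "set": [{}]},
    }}]})

IGNORED = {"helm_release": {"metadata"}}  # noisy attributes, per resource type

def has_sensitive(mark):
    """True if a *_sensitive marking contains any sensitive leaf (masks the whole attribute)."""
    if isinstance(mark, dict):
        return any(has_sensitive(v) for v in mark.values())
    if isinstance(mark, list):
        return any(has_sensitive(v) for v in mark)
    return mark is True

def summarize(plan_json):
    """Return {address: {attr: (before, after)}} for changed top-level attributes."""
    out = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        ch = rc["change"]
        keys = ("before", "after", "after_unknown", "before_sensitive", "after_sensitive")
        before, after, unknown, sens_b, sens_a = (ch.get(k) or {} for k in keys)
        skip = IGNORED.get(rc["type"], set())
        diff = {}
        for attr in sorted((set(before) | set(after) | set(unknown)) - skip):
            # Values computed at apply time are absent from "after".
            new = "(known after apply)" if unknown.get(attr) is True else after.get(attr)
            old = before.get(attr)
            if old == new:
                continue
            old = "(sensitive value)" if has_sensitive(sens_b.get(attr)) else old
            new = "(sensitive value)" if has_sensitive(sens_a.get(attr)) else new
            diff[attr] = (old, new)
        if diff:
            out[rc["address"]] = diff
    return out

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_PLAN), indent=2))
```

Masking is applied per top-level attribute, so a `set_sensitive` block with one sensitive leaf is hidden entirely rather than partially.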