set_sensitive does not redact values if the key name contains backslash #1376

jjayabal23 opened this issue May 30, 2024 · 2 comments

Terraform, Provider, Kubernetes and Helm Versions

Terraform version: 1.6.6
Provider version: 2.13.2
Kubernetes version: 1.28.9

Affected Resource(s)

  • helm_release

Terraform Configuration Files

resource "helm_release" "argocd" {
  name       = "argocd"
  repository = "https://argoproj.github.io/argo-helm"
  chart      = "argo-cd"
  namespace  = kubernetes_namespace.argocd.metadata.0.name
  version    = "5.52.1"
  set_sensitive {
    name = "configs.secret.extra.accounts\\.serviceaccount\\.password"
    value = bcrypt(var.password)
  }
}

Steps to Reproduce

  1. terraform apply

Expected Behavior

The metadata displayed in terraform plan should have redacted the sensitive value and displayed "(sensitive value)":

configs = {
  secret = {
    extra = {
      "accounts.serviceaccount.password" = "(sensitive value)"
    }
  }
}

Actual Behavior

The metadata displays the sensitive value in clear text:

configs = {
  secret = {
    extra = {
      "accounts.serviceaccount.password" = "clear-text-password"
    }
  }
}

Important Factoids

The issue does not appear when there is no backslash in the key name.

@jjayabal23 jjayabal23 added the bug label May 30, 2024

michel-ea commented Jul 11, 2024

I believe this same issue exists when set_sensitive is used to set the value of a list item; for example, in our case we're trying to set a sensitive password for the NATS helm chart:

resource "helm_release" "nats" {
  name       = "nats"
  repository = "https://nats-io.github.io/k8s/helm/charts/"
  chart      = "nats"
  namespace  = var.namespace

  set {
    name  = "config.merge.accounts.SYS.users[0].user"
    value = "administrator"
  }
  set_sensitive {
    name = "config.merge.accounts.SYS.users[0].pass"
    value = local.sys_admin_password_enc
  }
  set_sensitive {
    name  = "test.test"
    value = "2"
  }
}

This syntax works (list item rendered correctly in final values passed to helm), and our test.test value is redacted properly when changed, but config.merge.accounts.SYS.users[0].pass is not redacted when changed.

This is very frustrating; this combined with #1287 makes it very hard to hide sensitive details in complex data structures from the output using this module.


kzap commented Aug 7, 2024

I can confirm the same: if I remove backslashes from my set_sensitive value, it is not exposed, but if there are backslashes, it is exposed.

Versions:

terraform --version
Terraform v1.5.7
on darwin_arm64
+ provider registry.terraform.io/hashicorp/helm v2.14.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.31.0
(screenshot attached to the original comment)

The test cases of #480 are clearly lacking for these use cases.
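
Added example (not code from the issue, from the provider, or from any commenter): a Go key-path walker that handles the two key shapes reported in this thread, a backslash-escaped dot that belongs to one key (`accounts\.serviceaccount\.password`, which is what the provider receives after HCL turns `\\.` into `\.`) and a bracketed list index (`users[0].pass`), and replaces the addressed value with "(sensitive value)" or reports that the path did not resolve. The nested values are constructed here to mirror the argo-cd and nats examples above; `parsePath`, `redact` and `redactPath` are names chosen for this example and say nothing about how the provider implements its own redaction.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const redacted = "(sensitive value)" // what Terraform prints in place of a sensitive value

type m = map[string]interface{}

// parsePath splits a Helm-style --set key into segments (string = map key, int = list
// index). "\" escapes the next character, so "\." is a dot inside one key; "[N]" is list element N.
func parsePath(path string) ([]interface{}, error) {
	var segs []interface{}
	var cur strings.Builder
	flush := func() {
		if cur.Len() > 0 {
			segs = append(segs, cur.String())
			cur.Reset()
		}
	}
	for i := 0; i < len(path); i++ {
		switch c := path[i]; c {
		case '\\':
			if i++; i < len(path) { // take the next character literally
				cur.WriteByte(path[i])
			}
		case '.', '[':
			flush()
		case ']':
			n, err := strconv.Atoi(cur.String())
			if err != nil || n < 0 {
				return nil, fmt.Errorf("bad list index %q in %q", cur.String(), path)
			}
			segs = append(segs, n)
			cur.Reset()
		default:
			cur.WriteByte(c)
		}
	}
	flush()
	return segs, nil
}

// redact walks node along the non-empty segs and replaces the final element with
// the marker; false means the path did not resolve, so the caller can fail loudly.
func redact(node interface{}, segs []interface{}) bool {
	switch n := node.(type) {
	case map[string]interface{}:
		k, isKey := segs[0].(string)
		child, ok := n[k]
		if !isKey || !ok {
			return false
		}
		if len(segs) == 1 {
			n[k] = redacted
			return true
		}
		return redact(child, segs[1:])
	case []interface{}:
		i, isIdx := segs[0].(int)
		if !isIdx || i >= len(n) {
			return false
		}
		if len(segs) == 1 {
			n[i] = redacted
			return true
		}
		return redact(n[i], segs[1:])
	}
	return false
}

// redactPath parses path and redacts the value it names; false means no match.
func redactPath(values map[string]interface{}, path string) (bool, error) {
	segs, err := parsePath(path)
	return err == nil && len(segs) > 0 && redact(values, segs), err
}

// sampleValues is constructed data shaped like the merged values of the two charts in this thread.
func sampleValues() m {
	return m{
		"configs": m{"secret": m{"extra": m{"accounts.serviceaccount.password": "clear-text-password"}}},
		"config": m{"merge": m{"accounts": m{"SYS": m{"users": []interface{}{
			m{"user": "administrator", "pass": "clear-text-password"},
		}}}}},
	}
}

func main() {
	v := sampleValues()
	for _, p := range []string{`configs.secret.extra.accounts\.serviceaccount\.password`, `config.merge.accounts.SYS.users[0].pass`} {
		ok, err := redactPath(v, p)
		fmt.Println(p, ok, err)
	}
	fmt.Println(v)
}
```

The point of returning false on a miss is that a caller doing redaction for display can refuse to print the structure at all when a key it was told is sensitive cannot be located, which is the safer failure mode than the one described in this thread. A plain split on "." would turn the first key into `accounts\`, `serviceaccount\`, `password` and never find the value, and would treat `users[0]` as one map key, which is why both shapes need a real parser.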
