terraform-provider-helm: Values modified outside of terraform not detected as changes

Terraform Version

Terraform v0.12.12

Helm provider Version

~> 0.10

Affected Resource(s)

  • helm_resource

Terraform Configuration Files

resource "helm_release" "service" {
  name       = "service"
  chart      = "service"
  version    = "0.1.7"
  repository = module.k8s.helm_repository_name

  set {
    name  = "image.tag"
    value = "latest"
  }
}

Expected Behaviour

A diff should be detected if settings of the release are modified outside of Terraform.

Actual Behavior

The helm provider does not detect changes to the release done outside of Terraform.

Steps to Reproduce

  1. terraform apply
    
$ helm get values service
image:
  tag: latest # <-- Value as set in terraform
  2. helm upgrade service service --reuse-values --set image.tag=test
    
$ helm get values service
image:
  tag: test # <-- Value in the deployed release changed
  3. terraform apply (Should detect the change done on the release when refreshing the state)
    ...
helm_release.service: Refreshing state... [id=service]
...
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

About this issue

  • Original URL
  • State: open
  • Created 5 years ago
  • Reactions: 39
  • Comments: 20 (1 by maintainers)

Most upvoted comments

Just ran into this, and it is very annoying. For a workaround, I did this:

  set {
    name = "valuesChecksum"
    value = filemd5("${path.module}/values-production.yaml") 
  }
+14
ianks on Apr 9, 2020

We found this issue as well. Is there any plan to allow Terraform to override any changes applied outside of the helm_release resource?

+5
mmf55 on Sep 27, 2022

I’d also like to “bump” this issue because it’s also impacting us as well.

+4
maxres-ch on Mar 9, 2022

Thanks @lukli11. One interesting thing i found reading the code is that the provider seems to have implemented this functionality as an experimental feature. I’ll definitely use your workaround with my project and give the experimental feature a try and see if it compares to it. Thanks for sharing.

Code reference: https://github.com/hashicorp/terraform-provider-helm/blob/main/helm/resource_release.go#L738-L818 Reference: https://registry.terraform.io/providers/hashicorp/helm/latest/docs#experiments

+3
drexler on Feb 17, 2022

@drexler We currently use this workaround in our project.

First, we create a file hash across all yaml files in the chart directory (set in variable var.chart_path)…

locals {
  # This hash forces Terraform to redeploy if a new template file is added or changed, or values are updated
  chart_hash = sha1(join("", [for f in fileset(var.chart_path, "**/*.yaml"): filesha1("${var.chart_path}/${f}")]))
}

… and then add this hash as a value in the helm_release resource:

# used to force update for changes in the chart
    set {
      name  = "chart-hash"
      value = local.chart_hash
    }

Hope this helps 😃

Edit: Oh, and we added reset_values = true in the helm release resource as well, so far that combination has worked quite nicely.

+3
lukli11 on Feb 17, 2022

I’ve found today it’s not detecting if a service was deleted. Not sure if that’s helm issue though.

+2
marcinkubica on Jul 25, 2023

I ran into this issue today. Adding a checksum for the values.yaml file was my workaround:

  set {
    name = "valuesChecksum"
    value = filemd5("${path.module}/values-production.yaml") 
  }
+2
lisenet on Jul 6, 2023

If edit resources created by helm directly, they also will be skipped, because values/release file not changed

+2
nefelim4ag on Jan 6, 2021

The experimental manifest feature didn’t work as expected but @lukli11 workaround is useful for detecting chart changes. Slick hack! 💯

+1
drexler on Feb 18, 2022
Read more comments on GitHub
← terraform-provider-helm: v0.10.5 is failing due to stable repo move
terraform-provider-helm: `.version` field causes `Error: Provider produced inconsistent final plan` →