helm_release resource is always created when provider can't list the secrets in GKE cluster #1716

@august-feng

Description

Terraform, Provider, Kubernetes and Helm Versions

Terraform version: 1.13.3
Provider version: 3.0.2
Kubernetes version: 1.33.5-gke.1080000

Affected Resource(s)

  • helm_release

Terraform Configuration Files

resource "helm_release" "airbyte" {
  name       = "airbyte"
  namespace  = kubernetes_namespace.airbyte.metadata[0].name
  repository = "https://airbytehq.github.io/charts"
  chart      = "airbyte"
  version    = "2.0.18"

  timeout = 900

  values = [<<-YAML
    // XXX: REDACTED
    YAML
  ]
}

Debug Output

2025-10-28T18:20:58.830Z [DEBUG] provider.terraform-provider-helm_v3.0.2_x5: Could not get release query: failed to query with labels: secrets is forbidden: User "terraform-plan@REDACTED.iam.gserviceaccount.com" cannot list resource "secrets" in API group "" in the namespace "airbyte": requires one of ["container.secrets.list"] permission(s).: tf_req_id=d2cd5410-8086-36e6-8bfa-d2eea2f65991 @caller=github.com/hashicorp/terraform-provider-helm/helm/resource_helm_release.go:1708 @module=helm tf_provider_addr=registry.terraform.io/hashicorp/helm tf_resource_type=helm_release tf_rpc=ReadResource timestamp=2025-10-28T18:20:58.830Z
Error: -28T18:20:58.830Z [ERROR] provider.terraform-provider-helm_v3.0.2_x5: query: failed to query with labels: secrets is forbidden: User "terraform-plan@REDACTED.iam.gserviceaccount.com" cannot list resource "secrets" in API group "" in the namespace "airbyte": requires one of ["container.secrets.list"] permission(s).: tf_resource_type=helm_release tf_rpc=ReadResource tf_provider_addr=registry.terraform.io/hashicorp/helm tf_req_id=d2cd5410-8086-36e6-8bfa-d2eea2f65991 @caller=github.com/hashicorp/terraform-provider-helm/helm/resource_helm_release.go:1709 @module=helm timestamp=2025-10-28T18:20:58.830Z

Steps to Reproduce

  1. terraform plan

Expected Behavior

I expect terraform to error instead of assuming the release doesn't exist and creating it. This would communicate to the developer that the principal is missing permissions for proper functionalities.

Actual Behavior

Terraform assumes the release doesn't exist and tries to create a new resource, even when the resource already exists in the state file (terraform state list).

helm_release.airbyte: Refreshing state... [id=airbyte]
kubernetes_manifest.airbyte_frontendconfig: Refreshing state...
kubernetes_manifest.airbyte_managed_cert: Refreshing state...
kubernetes_manifest.airbyte_backendconfig: Refreshing state...
kubernetes_manifest.airbyte_ingress: Refreshing state...

// XXX: redacted

  # helm_release.airbyte will be created
  + resource "helm_release" "airbyte" {
      + atomic                     = false
      + chart                      = "airbyte"
// XXX: redacted

Once I granted the roles/container.developer role (includes the container.secrets.list permission) to the service account, terraform no longer wanted to re-create the deployment.

Important Factoids

We're using GKE.
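The behaviour reported above comes down to how the refresh step classifies a failed lookup of the release secret. The following is an added example, not code from the Helm provider: a constructed `APIError` stands in for the Kubernetes API status error, and `RefreshRelease` treats only a genuine NotFound as "release absent", while a Forbidden (the RBAC denial seen in the debug output) is surfaced as an error so `terraform plan` fails instead of planning a re-create.

```go
package main

import (
	"errors"
	"fmt"
)

// APIError is a constructed stand-in for the status error returned by
// the Kubernetes API (apierrors in k8s.io/apimachinery), so this runs offline.
type APIError struct {
	Reason  string // e.g. "NotFound", "Forbidden"
	Message string
}

func (e *APIError) Error() string { return e.Message }

// ReleaseLister mimics the provider's lookup of the Helm release secret.
type ReleaseLister func(namespace, name string) (found bool, err error)
type Outcome int

const (
	Exists Outcome = iota // keep the resource in state
	Absent                // release really gone: plan a create
	Failed                // cannot tell: surface the error
)

// RefreshRelease treats only a genuine NotFound as absence; any other
// error, Forbidden included, is returned so the plan fails loudly.
func RefreshRelease(list ReleaseLister, ns, name string) (Outcome, error) {
	found, err := list(ns, name)
	if err == nil {
		if found {
			return Exists, nil
		}
		return Absent, nil
	}
	var apiErr *APIError
	if errors.As(err, &apiErr) && apiErr.Reason == "NotFound" {
		return Absent, nil
	}
	return Failed, fmt.Errorf("refreshing release %s/%s: %w", ns, name, err)
}

func main() {
	forbidden := func(ns, name string) (bool, error) { // constructed RBAC denial
		return false, &APIError{Reason: "Forbidden", Message: "secrets is forbidden"}
	}
	out, err := RefreshRelease(forbidden, "airbyte", "airbyte")
	fmt.Println(out == Failed, err)
}
```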
