feat: updated required helm provider to >= 3.0.0, <4.0.0 (#136)

kierramarie · web-flow · commit 186e45b26323 · 2025-08-26T22:17:49.000+01:00
diff --git a/README.md b/README.md
@@ -50,7 +50,7 @@ provider "ibm" {
 }
 
 provider "helm" {
-  kubernetes {
+  kubernetes = {
     host                   = data.ibm_container_cluster_config.cluster_config.host
     token                  = data.ibm_container_cluster_config.cluster_config.token
     cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
@@ -88,7 +88,7 @@ You need the following permissions to run this module.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.9.0 |
-| <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.15.0, <3.0.0 |
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 3.0.0, <4.0.0 |
 | <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.79.2, <2.0.0 |
 
 ### Modules
diff --git a/examples/obs-agent-iks/provider.tf b/examples/obs-agent-iks/provider.tf
@@ -4,7 +4,7 @@ provider "ibm" {
 }
 
 provider "helm" {
-  kubernetes {
+  kubernetes = {
     host                   = data.ibm_container_cluster_config.cluster_config.host
     token                  = data.ibm_container_cluster_config.cluster_config.token
     cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
diff --git a/examples/obs-agent-iks/version.tf b/examples/obs-agent-iks/version.tf
@@ -10,7 +10,7 @@ terraform {
     }
     helm = {
       source  = "hashicorp/helm"
-      version = "2.15.0"
+      version = "3.0.2"
     }
     # The kubernetes provider is not actually required by the module itself, just this example, so OK to use ">=" here instead of locking into a version
     kubernetes = {
diff --git a/examples/obs-agent-ocp/provider.tf b/examples/obs-agent-ocp/provider.tf
@@ -4,7 +4,7 @@ provider "ibm" {
 }
 
 provider "helm" {
-  kubernetes {
+  kubernetes = {
     host                   = data.ibm_container_cluster_config.cluster_config.host
     token                  = data.ibm_container_cluster_config.cluster_config.token
     cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
diff --git a/examples/obs-agent-ocp/version.tf b/examples/obs-agent-ocp/version.tf
@@ -10,7 +10,7 @@ terraform {
     }
     helm = {
       source  = "hashicorp/helm"
-      version = ">= 2.15.0"
+      version = ">= 3.0.0, <4.0.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
diff --git a/main.tf b/main.tf
@@ -36,6 +36,17 @@ locals {
   base_endpoint           = var.use_scc_wp_endpoint ? local.scc_wp_api_endpoint : local.monitoring_api_endpoint
   ingestion_endpoint      = var.use_private_endpoint ? "ingest.private.${local.base_endpoint}" : "ingest.${local.base_endpoint}"
   api_host                = replace(local.ingestion_endpoint, "ingest.", "")
+  dynamic_set_access_key_secret = var.existing_access_key_secret_name != null && var.existing_access_key_secret_name != "" ? [{
+    name  = "global.sysdig.accessKeySecret"
+    type  = "string"
+    value = var.existing_access_key_secret_name
+  }] : []
+  dynamic_agent_tags = [for k, v in var.agent_tags :
+    {
+      name  = "global.sysdig.tags.${k}"
+      value = v
+    }
+  ]
 }
 
 resource "helm_release" "cloud_monitoring_agent" {
@@ -51,132 +62,114 @@ resource "helm_release" "cloud_monitoring_agent" {
   force_update     = true
   reset_values     = true
 
-  # Values
-  set {
-    name  = "Values.image.repository"
-    type  = "string"
-    value = var.image_registry_base_url
-  }
-
-  # Global
-  set {
-    name  = "global.imageRegistry"
-    type  = "string"
-    value = "${var.image_registry_base_url}/${var.image_registry_namespace}"
-  }
-  set {
-    name  = "global.sysdig.apiHost"
-    value = local.api_host
-  }
-  dynamic "set_sensitive" {
-    for_each = var.access_key != null && var.access_key != "" ? [1] : []
-    content {
-      name  = "global.sysdig.accessKey"
+  set = concat([
+    # Values
+    {
+      name  = "Values.image.repository"
       type  = "string"
-      value = var.access_key
-    }
-  }
-  dynamic "set" {
-    for_each = var.existing_access_key_secret_name != null && var.existing_access_key_secret_name != "" ? [1] : []
-    content {
-      name  = "global.sysdig.accessKeySecret"
+      value = var.image_registry_base_url
+    },
+    # Global
+    {
+      name  = "global.imageRegistry"
       type  = "string"
-      value = var.existing_access_key_secret_name
-    }
-  }
-  set {
-    name  = "global.clusterConfig.name"
-    type  = "string"
-    value = local.cluster_name
-  }
-  set {
-    name  = "global.sysdig.tags.deployment"
-    type  = "string"
-    value = var.deployment_tag
-  }
-  set {
-    name  = "global.sysdig.tags.ibm-containers-kubernetes-cluster-name"
-    type  = "string"
-    value = var.add_cluster_name ? local.cluster_name : null
-  }
-  dynamic "set" {
-    for_each = var.agent_tags
-    content {
-      name  = "global.sysdig.tags.${set.key}"
-      value = set.value
+      value = "${var.image_registry_base_url}/${var.image_registry_namespace}"
+    },
+    {
+      name  = "global.sysdig.apiHost"
+      value = local.api_host
+    },
+    {
+      name  = "global.clusterConfig.name"
+      type  = "string"
+      value = local.cluster_name
+    },
+    {
+      name  = "global.sysdig.tags.deployment"
+      type  = "string"
+      value = var.deployment_tag
+    },
+    {
+      name  = "global.sysdig.tags.ibm-containers-kubernetes-cluster-name"
+      type  = "string"
+      value = var.add_cluster_name ? local.cluster_name : null
+    },
+    # Cluster shield
+    {
+      name  = "clusterShield.enabled"
+      value = var.cluster_shield_deploy
+    },
+    {
+      name  = "clusterShield.image.repository"
+      value = var.cluster_shield_image_repository
+    },
+    {
+      name  = "clusterShield.image.tag"
+      value = var.cluster_shield_image_tag_digest
+    },
+    {
+      name  = "clusterShield.resources.requests.cpu"
+      type  = "string"
+      value = var.cluster_shield_requests_cpu
+    },
+    {
+      name  = "clusterShield.resources.requests.memory"
+      type  = "string"
+      value = var.cluster_shield_requests_memory
+    },
+    {
+      name  = "clusterShield.resources.limits.cpu"
+      type  = "string"
+      value = var.cluster_shield_limits_cpu
+    },
+    {
+      name  = "clusterShield.resources.limits.memory"
+      type  = "string"
+      value = var.cluster_shield_limits_memory
+    },
+    {
+      name  = "clusterShield.cluster_shield.sysdig_endpoint.region"
+      type  = "string"
+      value = "custom"
+    },
+    {
+      name  = "clusterShield.cluster_shield.log_level"
+      type  = "string"
+      value = "info"
+    },
+    {
+      name  = "clusterShield.cluster_shield.features.admission_control.enabled"
+      value = var.cluster_shield_deploy
+    },
+    {
+      name  = "clusterShield.cluster_shield.features.container_vulnerability_management.enabled"
+      value = var.cluster_shield_deploy
+    },
+    {
+      name  = "clusterShield.cluster_shield.features.audit.enabled"
+      value = var.cluster_shield_deploy
+    },
+    {
+      name  = "clusterShield.cluster_shield.features.posture.enabled"
+      value = var.cluster_shield_deploy
+    },
+    # nodeAnalyzer has been replaced by the host_scanner and kspm_analyzer functionality of main agent daemonset
+    {
+      name  = "nodeAnalyzer.enabled"
+      value = false
+    },
+    # clusterScanner has been replaced by cluster_shield component
+    {
+      name  = "clusterScanner.enabled"
+      value = false
     }
-  }
+  ], local.dynamic_agent_tags, local.dynamic_set_access_key_secret)
 
-  # Cluster shield
-  set {
-    name  = "clusterShield.enabled"
-    value = var.cluster_shield_deploy
-  }
-  set {
-    name  = "clusterShield.image.repository"
-    value = var.cluster_shield_image_repository
-  }
-  set {
-    name  = "clusterShield.image.tag"
-    value = var.cluster_shield_image_tag_digest
-  }
-  set {
-    name  = "clusterShield.resources.requests.cpu"
-    type  = "string"
-    value = var.cluster_shield_requests_cpu
-  }
-  set {
-    name  = "clusterShield.resources.requests.memory"
-    type  = "string"
-    value = var.cluster_shield_requests_memory
-  }
-  set {
-    name  = "clusterShield.resources.limits.cpu"
-    type  = "string"
-    value = var.cluster_shield_limits_cpu
-  }
-  set {
-    name  = "clusterShield.resources.limits.memory"
+  set_sensitive = var.access_key != null && var.access_key != "" ? [{
+    name  = "global.sysdig.accessKey"
     type  = "string"
-    value = var.cluster_shield_limits_memory
-  }
-  set {
-    name  = "clusterShield.cluster_shield.sysdig_endpoint.region"
-    type  = "string"
-    value = "custom"
-  }
-  set {
-    name  = "clusterShield.cluster_shield.log_level"
-    type  = "string"
-    value = "info"
-  }
-  set {
-    name  = "clusterShield.cluster_shield.features.admission_control.enabled"
-    value = var.cluster_shield_deploy
-  }
-  set {
-    name  = "clusterShield.cluster_shield.features.container_vulnerability_management.enabled"
-    value = var.cluster_shield_deploy
-  }
-  set {
-    name  = "clusterShield.cluster_shield.features.audit.enabled"
-    value = var.cluster_shield_deploy
-  }
-  set {
-    name  = "clusterShield.cluster_shield.features.posture.enabled"
-    value = var.cluster_shield_deploy
-  }
-
-  # nodeAnalyzer has been replaced by the host_scanner and kspm_analyzer functionality of main agent daemonset
-  set {
-    name  = "nodeAnalyzer.enabled"
-    value = false
-  }
-  # clusterScanner has been replaced by cluster_shield component
-  set {
-    name  = "clusterScanner.enabled"
-    value = false
-  }
+    value = var.access_key
+  }] : []
 
   # Had to use raw yaml here instead of converting HCL to yaml due to this issue with boolean getting converted to string which sysdig helm chart rejects:
   # https://github.com/hashicorp/terraform-provider-helm/issues/1677
diff --git a/solutions/fully-configurable/provider.tf b/solutions/fully-configurable/provider.tf
@@ -9,7 +9,7 @@ provider "kubernetes" {
 }
 
 provider "helm" {
-  kubernetes {
+  kubernetes = {
     host                   = data.ibm_container_cluster_config.cluster_config.host
     token                  = data.ibm_container_cluster_config.cluster_config.token
     cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate
diff --git a/solutions/fully-configurable/version.tf b/solutions/fully-configurable/version.tf
@@ -10,7 +10,7 @@ terraform {
     }
     helm = {
       source  = "hashicorp/helm"
-      version = "2.17.0"
+      version = "3.0.2"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
diff --git a/tests/pr_test.go b/tests/pr_test.go
@@ -261,8 +261,9 @@ func TestRunAgentClassicKubernetes(t *testing.T) {
 		CloudInfoService: sharedInfoSvc,
 	})
 	options.TerraformVars = map[string]any{
-		"datacenter": "syd01",
-		"prefix":     options.Prefix,
+		"resource_group": resourceGroup,
+		"datacenter":     "syd01",
+		"prefix":         options.Prefix,
 	}
 
 	output, err := options.RunTestConsistency()
diff --git a/version.tf b/version.tf
@@ -16,7 +16,7 @@ terraform {
     }
     helm = {
       source  = "hashicorp/helm"
-      version = ">= 2.15.0, <3.0.0"
+      version = ">= 3.0.0, <4.0.0"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ provider "ibm" {`
`4`	`4`	`}`
`5`	`5`
`6`	`6`	`provider "helm" {`
`7`		`- kubernetes {`
	`7`	`+ kubernetes = {`
`8`	`8`	`host = data.ibm_container_cluster_config.cluster_config.host`
`9`	`9`	`token = data.ibm_container_cluster_config.cluster_config.token`
`10`	`10`	`cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate`
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ terraform {`
`10`	`10`	`}`
`11`	`11`	`helm = {`
`12`	`12`	`source = "hashicorp/helm"`
`13`		`- version = "2.15.0"`
	`13`	`+ version = "3.0.2"`
`14`	`14`	`}`
`15`	`15`	`# The kubernetes provider is not actually required by the module itself, just this example, so OK to use ">=" here instead of locking into a version`
`16`	`16`	`kubernetes = {`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ provider "kubernetes" {`
`9`	`9`	`}`
`10`	`10`
`11`	`11`	`provider "helm" {`
`12`		`- kubernetes {`
	`12`	`+ kubernetes = {`
`13`	`13`	`host = data.ibm_container_cluster_config.cluster_config.host`
`14`	`14`	`token = data.ibm_container_cluster_config.cluster_config.token`
`15`	`15`	`cluster_ca_certificate = data.ibm_container_cluster_config.cluster_config.ca_certificate`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ terraform {`
`16`	`16`	`}`
`17`	`17`	`helm = {`
`18`	`18`	`source = "hashicorp/helm"`
`19`		`- version = ">= 2.15.0, <3.0.0"`
	`19`	`+ version = ">= 3.0.0, <4.0.0"`
`20`	`20`	`}`
`21`	`21`	`}`
`22`	`22`	`}`