Suppress verbose, insecure metadata output in terraform plans

[ndebuhr]

Hi team. Taking a stab at the security/UX issue discussed in #1315.

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the library.

Changes to Security Controls

None

Description

Keep existing state metadata in plans instead of marking it as unknown when inputs change. This prevents voluminous and low-value computed metadata from cluttering plan output while maintaining correct state updates during apply.

Acceptance tests

• Have you added an acceptance test for the functionality being added?

Yes, took a stab at that as well

Release Note

Release note for CHANGELOG:

Suppress verbose, and potentially insecure, metadata outputs in terraform plans

References

#1315

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[hashicorp-cla-app]

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

_{Have you signed the CLA already but the status is still pending? Recheck it.}

[hashicorp-cla-app]

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

_{Have you signed the CLA already but the status is still pending? Recheck it.}

[ndebuhr]

I've revised this PR with a different approach after some additional testing. Instead of hiding metadata changes, we now provide opt-in experiments that suppress the verbose content at the source:

provider "helm" {
  experiments = {
    suppress_metadata_notes  = true  # Hides verbose helm chart notes
    suppress_metadata_values = true  # Hides values JSON
  }
}

When enabled, metadata.notes and metadata.values are set to empty strings instead of their full content. This gives users full control over verbosity without breaking Terraform's consistency checks.

Results

Without experiments (default - backward compatible):

~ metadata = {
    ~ notes = <<-EOT
        [50+ lines of helm chart notes]
      EOT
    ~ values = jsonencode({...})
  }

With experiments enabled:

~ metadata = {
    + notes  = (known after apply)
    + values = (known after apply)
  }

Benefits

• Opt-in - Default behavior unchanged
• Flexible - Suppress notes, values, or both independently
• No errors - Works correctly with Terraform's consistency checks
• Security focused - Documentation explicitly mentions avoiding sensitive data exposure

[Pluies]

^ I tested this locally, and I can confirm this works as expected 🙌 I'm closing my own attempt at #1738 in favour of this PR.

In my opinion these values should be set as default, and left as opt-in for people who require the previous functionality for some odd reason. But that's a change in functionality so it probably should be done on the next major release of the provider. 👍

cc @jrhouston @BBBmau @arybolovlev (going by who I'm guessing has review powers here), could we please get a review on this?

[ndebuhr]

I signed the CLA

[Pluies]

Ping @jrhouston @BBBmau @arybolovlev ; please let us know if anything else is needed here 👍

[tzdybelandea]

This feature would be a huge benefit for us

[ndebuhr]

@jrhouston @BBBmau @arybolovlev Any thoughts? There's a lot of community interest in getting this integrated.

[eklesel]

Can't explain how much use this would be, hopefully this gets merged soon

[Pluies]

Ping @jrhouston @BBBmau @arybolovlev again 🙏 the linked issue has 76 thumbs up at this point; revealing secrets on outputs is clearly a pain point for the community. Could you please review this?

[Pluies]

Regular plea for @jrhouston @BBBmau @arybolovlev to take a look at this, or let us know if there is an alternative approach to consider. Thank you!