Add Value Based Exclusion for Environment Variables and Secrets

[omendra-tomar]

Terraform module that allows users to exclude specific environment variables and secrets based on their values. The exclusion list is configurable via the input variable advanced.common.app_chart.values.exclude_env_and_secret_values. The update adds logic to filter out specific environment variables and secrets from being merged into Helm release values based on an exclusion list. This is achieved by defining new local variables that exclude entries with values specified in the exclusion list, affecting only the internal configuration of the Terraform module.
same as : https://github.com/Facets-cloud/facets-iac/pull/1840

Summary by CodeRabbit

• Refactor
  • Improved the handling and merging of environment variables and secrets for deployments, resulting in a more streamlined and consistent configuration process.
  • Minor formatting and whitespace adjustments for better readability.

[coderabbitai]

Walkthrough

The update refactors the Terraform configuration for handling environment variables and secrets in a Helm release. It replaces JSON encoding/decoding and intermediate variables with direct merging and stringification of environment variable maps, streamlining the filtering and construction of the final environment variables passed to the Helm chart. Lifecycle ignore settings are also removed.

Changes

File(s)	Change Summary
application/main.tf	Refactored environment variable and secret merging logic, removed JSON transformations and lifecycle ignore, improved filtering and formatting.

Sequence Diagram(s)

sequenceDiagram
    participant Terraform
    participant HelmRelease
    participant EnvVars
    participant Secrets

    Terraform->>EnvVars: Merge common and spec env vars
    EnvVars->>EnvVars: Convert all values to strings
    EnvVars->>EnvVars: Filter out excluded values
    Terraform->>Secrets: Filter secrets
    Terraform->>HelmRelease: Pass merged env vars and secrets inline

Loading

Estimated code review effort

2 (~15 minutes)

Possibly related PRs

• Add Value Based Exclusion for Environment Variables and Secrets #11: Refactored and simplified the environment variable and secret merging logic, building on the same approach and variables as this PR.

Suggested reviewers

• pramodh-ayyappan

Poem

In the meadow of code where secrets grow,
I hop through variables, merging as I go.
No more JSON burrows, no tangled string,
Just simple maps—what joy they bring!
With a twitch of my nose, the chart deploys—
Refactored and tidy, a bunny’s small joys. 🐇

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🔭 Outside diff range comments (2)

application/main.tf (2)

100-109: Secret filtering may skip intended items due to type mismatch

local.filtered_env_vars compares stringified env-var values against the exclusion list, but local.filtered_all_secrets compares the raw secret value (possibly sensitive / non-string) against the same list.
If the secret is already a complex/sensitive type, contains() will never match and the exclusion will silently fail.

-filtered_all_secrets = {
-  for k, v in local.all_secrets :
-  k => v
-  if !(contains(local.exclude_env_and_secret_values, v))
-}
+filtered_all_secrets = {
+  for k, v in local.all_secrets :
+  k => v
+  if !(contains(local.exclude_env_and_secret_values, tostring(v)))
+}

---

181-186: Pin the external module source to a tag or commit

source = "github.com/Facets-cloud/facets-utility-modules//pvc" pulls the latest main, making the build non-deterministic and violating CKV_TF_1 / CKV_TF_2.

-source          = "github.com/Facets-cloud/facets-utility-modules//pvc"
+source          = "github.com/Facets-cloud/facets-utility-modules//pvc?ref=v1.4.3"

Replace v1.4.3 with an existing, immutable tag or commit hash to lock dependencies.

🧹 Nitpick comments (1)

application/main.tf (1)

19-23: Use tostring() for safer value conversion

String interpolation ("${value}") implicitly calls toset.ctyToString, but it silently converts non-primitive types to an opaque representation (<cty.Value>).
tos tring(value) is explicit, guarantees a usable string, and fails fast if the value is not convertible – much safer for env-var propagation.

-env_vars_str                 = {for key,value in local.env_vars: key => "${value}"}
+env_vars_str                 = {for key, value in local.env_vars : key => tostring(value)}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c0db4e1 and 8d95698.

📒 Files selected for processing (1)

• application/main.tf (4 hunks)

🪛 Checkov (3.2.334)

application/main.tf

[MEDIUM] 181-198: Ensure Terraform module sources use a commit hash

(CKV_TF_1)

---

[HIGH] 181-198: Ensure Terraform module sources use a tag with a version number

(CKV_TF_2)

🧰 Additional context used

🪛 Checkov (3.2.334)

application/main.tf

[MEDIUM] 181-198: Ensure Terraform module sources use a commit hash

(CKV_TF_1)

---

[HIGH] 181-198: Ensure Terraform module sources use a tag with a version number

(CKV_TF_2)

🔇 Additional comments (1)

application/main.tf (1)

152-159: Confirm merge-order precedence of environment variables

The merge order gives last-writer-wins semantics:

1. global cluster vars
2. filtered env vars
3. build-id
4. filtered secrets
5. (optional) deployment_id

If a secret key duplicates one from globalVariables, it will override the cluster value. Ensure this precedence is intentional; reversing lines 155 & 157 would give secrets lower priority.