chore(deps): update pin terraform dependencies to v3 (major)

[renovate-a-roo]

Pinning Terraform dependencies prevents unexpected changes being inherited from the common terraform-modules repo.

The common terraform-modules will be updated separately in a weekly PR.

This PR contains the following updates:

Package	Type	Update	Change
helm (source)	required_provider	major	2.13.0 -> 3.1.1
kubernetes (source)	required_provider	major	2.29.0 -> 3.0.1

---

Release Notes

hashicorp/terraform-provider-helm (helm)

v3.1.1

Compare Source

BUG FIXES:

• resource/helm_release: Fix "inconsistent result after apply" error by moving recomputeMetadata function call [GH-1713]

v3.1.0

Compare Source

FEATURES:

• Add qps field to Helm provider configuration [GH-1668]
• Add resources attribute to manifest experimental feature [GH-1693]
• helm_template: Add set_wo write-only attribute [GH-1703]
• helm_release: Add support for the take_ownership field [GH-1680]

ENHANCEMENT:

• Introduce the timeouts field to the helm_release resource and helm_template data source, enabling configurable operation timeouts for create, read, update, and delete actions. [GH-1702]

BUG FIXES:

• Port missing field upgrade_install [GH-1675]

v3.0.2

Compare Source

This is a patch release that fixes a number of bugs discovered in the v3.x.x release.

BUG FIXES:

• helm_release: Fix description field causing inconsistent plan [GH-1648]
• helm_release: Fix plan error when devel = false is set and version is provided [GH-1656]
• helm_release: Fix postrender being run when binaryPath is nil [GH-1649]
• helm_release: Fix shallow clone bug causing nested sensitive values to be redacted in the k8s API [GH-1644]
• provider: Fix namespace override logic in Kubernetes client initialization [GH-1650]
• provider: Restore support for the KUBE_PROXY_URL environment variable [GH-1655]

v3.0.1

Compare Source

This is a hotfix release.

HOTFIX:

• helm_release: Fix state upgrader code to use correct type for "values" attribute. [GH-1638]

v3.0.0

Compare Source

This release migrates ports the provider project from terraform-plugin-sdk/v2 to terraform-plugin-framework [GH-1379]

Please refer to the migration guide.

BREAKING CHANGES:

• Blocks to Nested Objects: Blocks like kubernetes, registry, and experiments are now represented as nested objects.
• List Syntax for Nested Attributes: Attributes like set, set_list, and set_sensitive in helm_release and helm_template are now lists of nested objects instead of blocks
• The new framework code uses Terraform Plugin Protocol Version 6 which is compatible with Terraform versions 1.0 and above. Users of earlier versions of Terraform can continue to use the Helm provider by pinning their configuration to the 2.x version.

FEATURES:

• Add "literal" as a supported type for the set block [GH-1615]

• helm_release: Add support for ResourceIdentity. [GH-1625]

• helm_release: Add set_wo write-only attribute [GH-1592]

ENHANCEMENT:

• helm_release: Add UpgradeState logic to support migration from SDKv2 to Plugin Framework [GH-1633]
• update helm dependency to v3.17.2 [GH-1608]

BUG FIXES:

• helm_release: Fix namespace behaviour for dependency charts in non-default namespaces [GH-1583]

• change set.value && set_list.value to optional instead of required [GH-1572]

v2.17.0

Compare Source

ENHANCEMENT:

• resource/helm_release: the dry-run option is now set to server to execute any chart lookups against the server during the plan stage. [GH-1335]

BUG FIXES:

• resource/helm_release: fix an issue where postrender.args is not parsed correctly. [GH-1534]

v2.16.1

Compare Source

BUG FIXES:

• helm_release: Fix nil pointer deref panic on destroy when helm release is not found [GH-1501]

v2.16.0

Compare Source

BUG FIXES:

• helm_release: On destroy, do not error when release is not found [GH-1487]
• resource/helm_release: Fix: only recompute metadata when the version in the metadata changes [GH-1458]

v2.15.0

Compare Source

ENHANCEMENT:

• resource/helm_release: add upgrade_install boolean attribute to enable idempotent release installation, addressing components of GH-425 [GH-1247]

v2.14.1

Compare Source

DEPENDENCIES:

• Bump golang.org/x/crypto from v0.23.0 to v0.25.0 [GH-1399]
• Bump k8s.io/api from v0.30.0 to v0.30.3 [GH-1436]
• Bump k8s.io/apimachinery from v0.30.0 to v0.30.3 [GH-1436]
• Bump k8s.io/client-go from v0.30.0 to v0.30.3 [GH-1436]
• Bump helm.sh/helm/v3 from v3.13.2 to v3.15.3 [GH-1422]

v2.14.0

Compare Source

ENHANCEMENT:

• Add support for Terraform's experimental deferred actions [GH-1377]
• helm_release: add new attributes metadata.last_deployed, metadata.first_deployed, metadata.notes [GH-1380]

v2.13.2

Compare Source

DEPENDENCIES:

• Bump github.com/docker/docker from 24.0.7 to 24.0.9
• Bump golang.org/x/net from 0.21.0 to 0.23.0
• Bundle license file with TF provider release artifacts

v2.13.1

Compare Source

HOTFIX:

• helm_release: Fix regression causing errors at plan time.

hashicorp/terraform-provider-kubernetes (kubernetes)

v3.0.1

Compare Source

HOTFIX:

• Fix missing ip_mode attribute in kubernetes_service_v1 data source. [GH-2807]

v3.0.0

Compare Source

ENHANCEMENTS:

• • Add support for sidecar containers via restart_policy field in init_container spec [GH-2786]
• Add ip_mode attribute to service status [GH-2784]
• Add support for ValidatingAdmissionPolicy [GH-2794]
• Bump Kubernetes dependencies to v1.33 [GH-2774]

DEPRECATIONS:

• Data Sources

• kubernetes_config_map → use kubernetes_config_map_v1
• kubernetes_namespace → use kubernetes_namespace_v1
• kubernetes_secret → use kubernetes_secret_v1
• kubernetes_service → use kubernetes_service_v1
• kubernetes_pod → use kubernetes_pod_v1
• kubernetes_service_account → use kubernetes_service_account_v1
• kubernetes_persistent_volume_claim → use kubernetes_persistent_volume_claim_v1
• kubernetes_storage_class → use kubernetes_storage_class_v1
• kubernetes_ingress → use kubernetes_ingress_v1

Resources

• kubernetes_namespace → use kubernetes_namespace_v1
• kubernetes_service → use kubernetes_service_v1
• kubernetes_service_account → use kubernetes_service_account_v1
• kubernetes_default_service_account → use kubernetes_default_service_account_v1
• kubernetes_config_map → use kubernetes_config_map_v1
• kubernetes_secret → use kubernetes_secret_v1
• kubernetes_pod → use kubernetes_pod_v1
• kubernetes_endpoints → use kubernetes_endpoints_v1
• kubernetes_limit_range → use kubernetes_limit_range_v1
• kubernetes_persistent_volume → use kubernetes_persistent_volume_v1
• kubernetes_persistent_volume_claim → use kubernetes_persistent_volume_claim_v1
• kubernetes_replication_controller → use kubernetes_replication_controller_v1
• kubernetes_resource_quota → use kubernetes_resource_quota_v1
• kubernetes_api_service → use kubernetes_api_service_v1
• kubernetes_deployment → use kubernetes_deployment_v1
• kubernetes_daemonset → use kubernetes_daemon_set_v1
• kubernetes_stateful_set → use kubernetes_stateful_set_v1
• kubernetes_job → use kubernetes_job_v1
• kubernetes_cron_job → use kubernetes_cron_job_v1
• kubernetes_horizontal_pod_autoscaler → use kubernetes_horizontal_pod_autoscaler_v1 or kubernetes_horizontal_pod_autoscaler_v2
• kubernetes_certificate_signing_request → use kubernetes_certificate_signing_request_v1
• kubernetes_role → use kubernetes_role_v1
• kubernetes_role_binding → use kubernetes_role_binding_v1
• kubernetes_cluster_role → use kubernetes_cluster_role_v1
• kubernetes_cluster_role_binding → use kubernetes_cluster_role_binding_v1
• kubernetes_ingress → use kubernetes_ingress_v1
• kubernetes_ingress_class → use kubernetes_ingress_class_v1
• kubernetes_network_policy → use kubernetes_network_policy_v1
• kubernetes_pod_disruption_budget → use kubernetes_pod_disruption_budget_v1
• kubernetes_pod_security_policy → removed upstream; use Pod Security Admission instead
• kubernetes_priority_class → use kubernetes_priority_class_v1
• kubernetes_validating_webhook_configuration → use kubernetes_validating_webhook_configuration_v1
• kubernetes_mutating_webhook_configuration → use kubernetes_mutating_webhook_configuration_v1
• kubernetes_storage_class → use kubernetes_storage_class_v1
• kubernetes_csi_driver → use kubernetes_csi_driver_v1 [GH-2770]

BUG FIXES:

• Environment variables should not override configuration when using kubernetes_manifest. [GH-2788]
• resource/kubernetes_daemon_set_v1: fix an issue with the provider not waiting for rollout with wait_for_rollout = true. [GH-2789]

v2.38.0

Compare Source

ENHANCEMENTS:

• Add ResourceIdentity support to kubernetes_manifest [GH-2737]
• Add sub_path_expr to volume mount options pod spec [GH-2622]
• Add support for ResourceIdentity to SDKv2 resources [GH-2751]

BUG FIXES:

• Fixed goroutine-safety in the CRD and metadata cache, resulting in far fewer provider metadata requests. [GH-2699]
• data_source/kubernetes_pod_v1: fix an issue when the provider cuts out toleration under pod spec(spec.toleration) if it uses a well-known taint. [GH-2380]
• data_source/kubernetes_pod: fix an issue when the provider cuts out toleration under pod spec(spec.toleration) if it uses a well-known taint. [GH-2380]
• resource/kubernetes_cron_job: fix an issue when the provider cuts out toleration under pod spec template(*.template.spec.toleration`) if it uses a well-known taint. That could lead to a perpetual diff behavior. [GH-2380]
• resource/kubernetes_cron_job_v1: fix an issue when the provider cuts out toleration under pod spec template(*.template.spec.toleration`) if it uses a well-known taint. That could lead to a perpetual diff behavior. [GH-2380]
• resource/kubernetes_daemon_set_v1: fix an issue when the provider cuts out toleration under pod spec template(*.template.spec.toleration`) if it uses a well-known taint. That could lead to a perpetual diff behavior. [GH-2380]
• resource/kubernetes_daemonset: fix an issue when the provider cuts out toleration under pod spec template(*.template.spec.toleration`) if it uses a well-known taint. That could lead to a perpetual diff behavior. [GH-2380]
• resource/kubernetes_deployment: fix an issue when the provider cuts out toleration under pod spec template(*.template.spec.toleration`) if it uses a well-known taint. That could lead to a perpetual diff behavior. [GH-2380]
• resource/kubernetes_deployment_v1: fix an issue when the provider cuts out toleration under pod spec template(*.template.spec.toleration`) if it uses a well-known taint. That could lead to a perpetual diff behavior. [GH-2380]
• resource/kubernetes_job: fix an issue when the provider cuts out toleration under pod spec template(*.template.spec.toleration`) if it uses a well-known taint. That could lead to a perpetual diff behavior. [GH-2380]
• resource/kubernetes_job_v1: fix an issue when the provider cuts out toleration under pod spec template(*.template.spec.toleration`) if it uses a well-known taint. That could lead to a perpetual diff behavior. [GH-2380]
• resource/kubernetes_replication_controller_v1: fix an issue when the provider cuts out toleration under pod spec template(*.template.spec.toleration) if it uses a well-known taint. That could lead to a perpetual diff behavior. [GH-2380]
• resource/kubernetes_replication_controller: fix an issue when the provider cuts out toleration under pod spec template(*.template.spec.toleration) if it uses a well-known taint. That could lead to a perpetual diff behavior. [GH-2380]
• resource/kubernetes_stateful_set: fix an issue when the provider cuts out toleration under pod spec template(*.template.spec.toleration`) if it uses a well-known taint. That could lead to a perpetual diff behavior. [GH-2380]
• resource/kubernetes_stateful_set_v1: fix an issue when the provider cuts out toleration under pod spec template(*.template.spec.toleration`) if it uses a well-known taint. That could lead to a perpetual diff behavior. [GH-2380]

NOTES:

• We have updated the logic of resources that use the Pod specification template, such as kubernetes_deployment_v1, kubernetes_stateful_set_v1, etc, and now the provider will keep all tolerations(spec.toleration) returned by Kubernetes. The same is applicable for the data sources kubernetes_pod_v1 and kubernetes_pod. The behavior of resources kubernetes_pod_v1 and kubernetes_pod remains unchanged, i.e. the provider will keep removing tolerations with well-known taints since they might be attached to the object by Kubernetes controller and could lead to a perpetual diff. [GH-2380]

v2.37.1

Compare Source

BUG FIXES:

• Fixes issue #​2732 where the provider would fail when used with Terraform >= v1.12.1 due to missing GetResourceIdentitySchemas implementation. [GH-2732]

v2.37.0

Compare Source

ENHANCEMENTS:

• kubernetes_config_map_v1: Add support for ResourceIdentity [GH-2721]

v2.36.0

Compare Source

ENHANCEMENTS:

• resource/kubernetes_secret_v1: Add support for write only attributes for data_wo and binary_data_wo. [GH-2692]

v2.35.1

Compare Source

BUG FIXES:

• resource/kubernetes_job_v1: revert the changes introduced in v2.34.0, where ttl_seconds_after_finished was set to 0. [GH-2650]
• resource/kubernetes_daemon_set_v1: fix issue where fields spec.strategy.rolling_update.max_surge and spec.strategy.rolling_update.max_unavailable were not being validated correctly. [GH-2653]

v2.35.0

Compare Source

FEATURES:

• resources_kubernetes_daemon_set_v1 : Added max_surge argument for to rolling_update block. [GH-2630]

v2.34.0

Compare Source

ENHANCEMENTS:

• Added conditions attribute to kubernetes_nodes data source, which will provide detailed node health and status information [GH-2612]
• Adding the kubernetes_secret_v1_data resource to the kubernetes provider. This resource will allow users to manage kubernetes secrets [GH-2604]
• Properly handle Kubernetes Jobs with ttl_seconds_after_finished = 0 to prevent unnecessary recreation. [GH-2596]

FEATURES:

• New ephemeral resource: kubernetes_certificate_signing_request_v1 [GH-2628]
• New ephemeral resource: kubernetes_token_request_v1 [GH-2628]

v2.33.0

Compare Source

ENHANCEMENTS:

• Add backoff_per_limit_index and max_failed_indexes fields in structure_job.go [GH-2421]
• Added support for namespace_selector field in PodAffinityTerm to enhance pod affinity and anti-affinity rules, allowing selection of namespaces based on label selectors. [GH-2577]
• kubernetes_manifest - handling "404 Not Found" errors during the deletion of Kubernetes resources, particularly in cases where the resource may have already been deleted by an operator managing the CRD before Terraform attempts to delete it. [GH-2592]
• schema_container.go: Add VolumeDevices [GH-2573]

v2.32.0

Compare Source

FEATURES:

• New data source: kubernetes_server_version [GH-2306]

ENHANCEMENTS:

• resource/kubernetes_certificate_signing_request_v1: Add argument spec.expiration_seconds [GH-2559]
• resource/kubernetes_persistent_volume_v1: support ReadWriteOncePod access mode for PVs [GH-2488]

v2.31.0

Compare Source

ENHANCEMENTS:

• Add support for Terraform's experimental deferred actions [GH-2510]

v2.30.0

Compare Source

BUG FIXES:

• data_source/kubernetes_resources: fix an issue where the provider exit with an error when the data source kubernetes_resources receives multiple Kubernetes objects containing tuples with different numbers of elements. [GH-2372]
• kubernetes_manifest: fix issue preventing KUBE_PROXY_URL environment variable from being used in client configuration (#​1733) [GH-2485]
• resource/kubernetes_node_taint: Fix the error check for nonexistant nodes so that terraform does not fail if there is a taint in the state file for a node that has been deleted. [GH-2402]

DOCS:

• Migrate legacy structure to new tfplugindocs template structure [GH-2470]

---

Configuration

📅 Schedule: Branch creation - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday ( * 0-4,22-23 * * 1-5 ), Only on Sunday and Saturday ( * * * * 0,6 ) in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.