Unable to Create Public Cluster with private_cluster_config block, even when enable_private_endpoint = enable_private_nodes = false

[Jberlinsky]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment
• If an issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to "hashibot", a community member has claimed the issue already.

Affected Resource(s)

• google_container_cluster

Problem Statement

At present, due to shortcomings in the current version of Terraform and the implementation of private_cluster_config in this provider, it is not possible to specify a private_cluster_config block without making the cluster private. This prevents the development of wrapper modules without adding significant complexity to their implementation.

This issue was uncovered while developing terraform-google-kubernetes-engine. In building out this module, we wish to allow users to specify whether their cluster should be public or private. However, due to the implementation at the provider level, it is not possible to do so -- since blocks can not be specified to resources in a modular manner, that resource is preordained to be private or not. Although the provider currently allows private_cluster_config.enable_private_endpoint and private_cluster_config.enable_private_nodes to both be false, private_cluster_config. master_ipv4_cidr_block is required to be a valid CIDR.

Suggested Change(s)

It seems reasonable to allow an empty string (or some other control string) to be passed here, which the backing Golang code would interpret as an instruction to disregard the master_ipv4_cidr_block argument when populating the google_container_cluster resource.

[emilymye]

@Jberlinsky Can I ask what your config looks like or what error you are getting exactly? I tried creating a cluster like so, with master_ipv4_cidr_block just not in the config, and it seemed to create fine.

resource "google_container_cluster" "without_private_cluster" {
  name = "cluster-test-not-private"
  zone = "us-central1-a"
  initial_node_count = 1

  network = "${google_compute_network.container_network.name}"
  subnetwork = "${google_compute_subnetwork.container_subnetwork.name}"

  private_cluster_config {
    enable_private_endpoint = false
    enable_private_nodes = false
  }

  master_authorized_networks_config {
    cidr_blocks = []
  }
  ip_allocation_policy {
    cluster_secondary_range_name = "${google_compute_subnetwork.container_subnetwork.secondary_ip_range.0.range_name}"
    services_secondary_range_name = "${google_compute_subnetwork.container_subnetwork.secondary_ip_range.1.range_name}"
  }
}

[rileykarson]

I think this issue has to do with limitations in how modules can be configured! Since fields can't be excluded, the only nil-like behaviour we can have pre-0.12 is to set the empty string as the value.

Our validation means that we don't allow that- the value has to be a valid CIDR- so it's impossible to conditionally create a private cluster.

[emilymye]

Oh, I see! Alright, I'll go ahead and maybe add a customize diff then.

[Jberlinsky]

@emilymye Sorry for the delay. Do you still need something more specific from me?

[rileykarson]

Assigning this issue to myself since I'm also interested in having it fixed, I'll probably end up making the change by 2.0.0 / 2.0.1.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!