From 43c4349788d46a1e973254f4efb87366eb873765 Mon Sep 17 00:00:00 2001
From: Morgante Pell
Date: Tue, 26 May 2020 21:20:20 -0400
Subject: [PATCH] fix: Add additional guardrails for disabled workload identity. (#542)

---
 autogen/main/main.tf.tmpl | 3 ++-
 examples/simple_regional_beta/main.tf | 4 +++
 .../main.tf | 3 ++-
 modules/beta-private-cluster/main.tf | 3 ++-
 modules/beta-public-cluster/main.tf | 3 ++-
 .../beta_cluster/controls/gcloud.rb | 27 -------------------
 6 files changed, 12 insertions(+), 31 deletions(-)

diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
index 1dd1576bb..ebfc09067 100644
--- a/autogen/main/main.tf.tmpl
+++ b/autogen/main/main.tf.tmpl
@@ -171,7 +171,8 @@ locals {
   cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
-  cluster_workload_identity_config = var.identity_namespace == null ? [] : var.identity_namespace == "enabled" ? [{
+  workload_identity_enabled = ! (var.identity_namespace == null || var.identity_namespace == "null")
+  cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     identity_namespace = "${var.project_id}.svc.id.goog"
   }] : [{ identity_namespace = var.identity_namespace }]
   # /BETA features
diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf
index 9a4eba5af..9becfec11 100644
--- a/examples/simple_regional_beta/main.tf
+++ b/examples/simple_regional_beta/main.tf
@@ -47,6 +47,10 @@ module "gke" {
   enable_binary_authorization = var.enable_binary_authorization
   pod_security_policy_config = var.pod_security_policy_config
   release_channel = "REGULAR"
+
+  # Disable workload identity
+  identity_namespace = null
+  node_metadata = "UNSPECIFIED"
 }
 
 data "google_client_config" "default" {
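Review bot: The new `workload_identity_enabled` local accepts the string `"null"` as meaning disabled in addition to a real `null`, and nothing in the hunk says why a string sentinel is honoured, so the next reader will take it for a typo or a leftover. A comment above it would settle that, e.g. `# identity_namespace may arrive as the literal string "null" as well as a true null (presumably a legacy default); both mean Workload Identity is off` — the origin of the string form is not visible here, so confirm it before wording the comment. The same two lines recur in modules/beta-private-cluster-update-variant/main.tf, modules/beta-private-cluster/main.tf and modules/beta-public-cluster/main.tf, which appear to be generated from this template, so the comment belongs in the template. Separately, the hunk only gates `cluster_workload_identity_config` on the new local; if node pools still take their `workloadMetadataConfig` from `var.node_metadata` independently (the example in this patch resets it by hand), a caller could disable Workload Identity while leaving `GKE_METADATA_SERVER` set, and this guard would not catch the mismatch.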
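Review bot: The comment `# Disable workload identity` above the two new arguments explains the first line but not why `node_metadata` has to change with it, which is the non-obvious part; something like `# Disable workload identity; node_metadata cannot stay GKE_METADATA_SERVER once identity_namespace is null, so it is reset explicitly` would say it. Because this is an example that readers copy, the choice of `"UNSPECIFIED"` deserves a word too: with Workload Identity off, pods obtain credentials through the node's metadata server, so if the module accepts `node_metadata = "SECURE"` that is the more defensive value to show here. This patch also removes the `workloadIdentityConfig` and `workloadMetadataConfig` assertions from test/integration/beta_cluster/controls/gcloud.rb, which appears to exercise this example, without adding a check that the config is actually absent, so a regression in the new template guard would pass the suite silently.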
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf
index 98aa39d05..b6f731994 100644
--- a/modules/beta-private-cluster-update-variant/main.tf
+++ b/modules/beta-private-cluster-update-variant/main.tf
@@ -155,7 +155,8 @@ locals {
   cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
-  cluster_workload_identity_config = var.identity_namespace == null ? [] : var.identity_namespace == "enabled" ? [{
+  workload_identity_enabled = ! (var.identity_namespace == null || var.identity_namespace == "null")
+  cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     identity_namespace = "${var.project_id}.svc.id.goog"
   }] : [{ identity_namespace = var.identity_namespace }]
   # /BETA features
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
index 98aa39d05..b6f731994 100644
--- a/modules/beta-private-cluster/main.tf
+++ b/modules/beta-private-cluster/main.tf
@@ -155,7 +155,8 @@ locals {
   cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
-  cluster_workload_identity_config = var.identity_namespace == null ? [] : var.identity_namespace == "enabled" ? [{
+  workload_identity_enabled = ! (var.identity_namespace == null || var.identity_namespace == "null")
+  cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     identity_namespace = "${var.project_id}.svc.id.goog"
   }] : [{ identity_namespace = var.identity_namespace }]
   # /BETA features
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
index 1d559b3df..7b4394938 100644
--- a/modules/beta-public-cluster/main.tf
+++ b/modules/beta-public-cluster/main.tf
@@ -154,7 +154,8 @@ locals {
   cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
-  cluster_workload_identity_config = var.identity_namespace == null ? [] : var.identity_namespace == "enabled" ? [{
+  workload_identity_enabled = ! (var.identity_namespace == null || var.identity_namespace == "null")
+  cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     identity_namespace = "${var.project_id}.svc.id.goog"
   }] : [{ identity_namespace = var.identity_namespace }]
   # /BETA features
diff --git a/test/integration/beta_cluster/controls/gcloud.rb b/test/integration/beta_cluster/controls/gcloud.rb
index 64094f7ef..2d1aff5ce 100644
--- a/test/integration/beta_cluster/controls/gcloud.rb
+++ b/test/integration/beta_cluster/controls/gcloud.rb
@@ -74,13 +74,6 @@
         })
       end
 
-      it "has the expected nodeMetadata conseal config" do
-        expect(data['nodeConfig']['workloadMetadataConfig']).to eq({
-          "mode" => "GKE_METADATA",
-          "nodeMetadata" => 'GKE_METADATA_SERVER',
-        })
-      end
-
       it "has the expected podSecurityPolicyConfig config" do
         expect(data['podSecurityPolicyConfig']).to eq({
           "enabled" => true,
@@ -93,13 +86,6 @@
           "keyName" => attribute('database_encryption_key_name'),
         })
       end
-
-      it "has the expected workload identity config" do
-        expect(data['workloadIdentityConfig']).to eq({
-          "identityNamespace" => attribute('identity_namespace'),
-          "workloadPool" => attribute('identity_namespace'),
-        })
-      end
     end
 
     describe "default node pool" do
@@ -212,19 +198,6 @@
           )
         )
       end
-
-      it "has the expected node metadata for workload identity" do
-        expect(node_pools).to include(
-          including(
-            "config" => including(
-              "workloadMetadataConfig" => eq(
-                "mode" => "GKE_METADATA",
-                "nodeMetadata" => 'GKE_METADATA_SERVER',
-              ),
-            ),
-          )
-        )
-      end
     end
   end
 end