Flatten vars

Signed-off-by: Edvin Norling <edvin.norling@kognic.com>

autogen/main/cluster.tf.tmpl

@@ -318,9 +318,9 @@ resource "google_container_cluster" "primary" {
 
   protect_config {
     workload_config {
-      audit_mode = var.protect_config.workload_config.audit_mode
+      audit_mode = var.workload_config_audit_mode
     }
-    workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode
+    workload_vulnerability_mode = var.workload_vulnerability_mode
   }
   {% endif %}
   ip_allocation_policy {

autogen/main/variables.tf.tmpl

@@ -767,22 +767,16 @@ variable "enable_identity_service" {
   default     = false
 }
 
-variable "protect_config" {
-  description = "(beta) Enable/Disable Protect API features for the cluster."
-  type = object({
-    workload_vulnerability_mode = string,
-    workload_config = object({
-      audit_mode = string
-    })
-    }
-  )
+variable "workload_vulnerability_mode" {
+  description = "(beta) Vulnerability mode."
+  type        = string
+  default     = ""
+}
 
-  default = {
-    workload_vulnerability_mode = ""
-    workload_config = {
-      audit_mode = "MODE_UNSPECIFIED"
-    }
-  }
+variable "workload_config_audit_mode" {
+  description = "(beta) Worload config audit mode."
+  type        = string
+  default     = "MODE_UNSPECIFIED"
 }
   {% endif %}
 {% endif %}

modules/beta-autopilot-private-cluster/cluster.tf

@@ -131,9 +131,9 @@ resource "google_container_cluster" "primary" {
 
   protect_config {
     workload_config {
-      audit_mode = var.protect_config.workload_config.audit_mode
+      audit_mode = var.workload_config_audit_mode
     }
-    workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode
+    workload_vulnerability_mode = var.workload_vulnerability_mode
   }
   ip_allocation_policy {
     cluster_secondary_range_name  = var.ip_range_pods

modules/beta-autopilot-public-cluster/cluster.tf

@@ -131,9 +131,9 @@ resource "google_container_cluster" "primary" {
 
   protect_config {
     workload_config {
-      audit_mode = var.protect_config.workload_config.audit_mode
+      audit_mode = var.workload_config_audit_mode
     }
-    workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode
+    workload_vulnerability_mode = var.workload_vulnerability_mode
   }
   ip_allocation_policy {
     cluster_secondary_range_name  = var.ip_range_pods

modules/beta-private-cluster-update-variant/README.md

@@ -247,7 +247,6 @@ Then perform the following commands on the root folder:
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` | <pre>[<br>  "10.0.0.0/8",<br>  "172.16.0.0/12",<br>  "192.168.0.0/16"<br>]</pre> | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
-| protect\_config | (beta) Enable/Disable Protect API features for the cluster. | <pre>object({<br>    workload_vulnerability_mode = string,<br>    workload_config = object({<br>      audit_mode = string<br>    })<br>    }<br>  )</pre> | <pre>{<br>  "workload_config": {<br>    "audit_mode": "MODE_UNSPECIFIED"<br>  },<br>  "workload_vulnerability_mode": ""<br>}</pre> | no |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
@@ -265,6 +264,8 @@ Then perform the following commands on the root folder:
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
 | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
+| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"MODE_UNSPECIFIED"` | no |
+| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |
 
 ## Outputs

modules/beta-private-cluster-update-variant/cluster.tf

@@ -259,9 +259,9 @@ resource "google_container_cluster" "primary" {
 
   protect_config {
     workload_config {
-      audit_mode = var.protect_config.workload_config.audit_mode
+      audit_mode = var.workload_config_audit_mode
     }
-    workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode
+    workload_vulnerability_mode = var.workload_vulnerability_mode
   }
   ip_allocation_policy {
     cluster_secondary_range_name  = var.ip_range_pods

modules/beta-private-cluster-update-variant/variables.tf

@@ -726,20 +726,14 @@ variable "enable_identity_service" {
   default     = false
 }
 
-variable "protect_config" {
-  description = "(beta) Enable/Disable Protect API features for the cluster."
-  type = object({
-    workload_vulnerability_mode = string,
-    workload_config = object({
-      audit_mode = string
-    })
-    }
-  )
+variable "workload_vulnerability_mode" {
+  description = "(beta) Vulnerability mode."
+  type        = string
+  default     = ""
+}
 
-  default = {
-    workload_vulnerability_mode = ""
-    workload_config = {
-      audit_mode = "MODE_UNSPECIFIED"
-    }
-  }
+variable "workload_config_audit_mode" {
+  description = "(beta) Worload config audit mode."
+  type        = string
+  default     = "MODE_UNSPECIFIED"
 }

modules/beta-private-cluster/README.md

@@ -225,7 +225,6 @@ Then perform the following commands on the root folder:
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` | <pre>[<br>  "10.0.0.0/8",<br>  "172.16.0.0/12",<br>  "192.168.0.0/16"<br>]</pre> | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
-| protect\_config | (beta) Enable/Disable Protect API features for the cluster. | <pre>object({<br>    workload_vulnerability_mode = string,<br>    workload_config = object({<br>      audit_mode = string<br>    })<br>    }<br>  )</pre> | <pre>{<br>  "workload_config": {<br>    "audit_mode": "MODE_UNSPECIFIED"<br>  },<br>  "workload_vulnerability_mode": ""<br>}</pre> | no |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
@@ -243,6 +242,8 @@ Then perform the following commands on the root folder:
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
 | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
+| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"MODE_UNSPECIFIED"` | no |
+| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |
 
 ## Outputs

modules/beta-private-cluster/cluster.tf

@@ -259,9 +259,9 @@ resource "google_container_cluster" "primary" {
 
   protect_config {
     workload_config {
-      audit_mode = var.protect_config.workload_config.audit_mode
+      audit_mode = var.workload_config_audit_mode
     }
-    workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode
+    workload_vulnerability_mode = var.workload_vulnerability_mode
   }
   ip_allocation_policy {
     cluster_secondary_range_name  = var.ip_range_pods

modules/beta-private-cluster/variables.tf

@@ -726,20 +726,14 @@ variable "enable_identity_service" {
   default     = false
 }
 
-variable "protect_config" {
-  description = "(beta) Enable/Disable Protect API features for the cluster."
-  type = object({
-    workload_vulnerability_mode = string,
-    workload_config = object({
-      audit_mode = string
-    })
-    }
-  )
+variable "workload_vulnerability_mode" {
+  description = "(beta) Vulnerability mode."
+  type        = string
+  default     = ""
+}
 
-  default = {
-    workload_vulnerability_mode = ""
-    workload_config = {
-      audit_mode = "MODE_UNSPECIFIED"
-    }
-  }
+variable "workload_config_audit_mode" {
+  description = "(beta) Worload config audit mode."
+  type        = string
+  default     = "MODE_UNSPECIFIED"
 }

modules/beta-public-cluster-update-variant/README.md

@@ -236,7 +236,6 @@ Then perform the following commands on the root folder:
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` | <pre>[<br>  "10.0.0.0/8",<br>  "172.16.0.0/12",<br>  "192.168.0.0/16"<br>]</pre> | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
-| protect\_config | (beta) Enable/Disable Protect API features for the cluster. | <pre>object({<br>    workload_vulnerability_mode = string,<br>    workload_config = object({<br>      audit_mode = string<br>    })<br>    }<br>  )</pre> | <pre>{<br>  "workload_config": {<br>    "audit_mode": "MODE_UNSPECIFIED"<br>  },<br>  "workload_vulnerability_mode": ""<br>}</pre> | no |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
@@ -254,6 +253,8 @@ Then perform the following commands on the root folder:
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
 | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
+| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"MODE_UNSPECIFIED"` | no |
+| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |
 
 ## Outputs

modules/beta-public-cluster-update-variant/cluster.tf

@@ -259,9 +259,9 @@ resource "google_container_cluster" "primary" {
 
   protect_config {
     workload_config {
-      audit_mode = var.protect_config.workload_config.audit_mode
+      audit_mode = var.workload_config_audit_mode
     }
-    workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode
+    workload_vulnerability_mode = var.workload_vulnerability_mode
   }
   ip_allocation_policy {
     cluster_secondary_range_name  = var.ip_range_pods

modules/beta-public-cluster-update-variant/variables.tf

@@ -696,20 +696,14 @@ variable "enable_identity_service" {
   default     = false
 }
 
-variable "protect_config" {
-  description = "(beta) Enable/Disable Protect API features for the cluster."
-  type = object({
-    workload_vulnerability_mode = string,
-    workload_config = object({
-      audit_mode = string
-    })
-    }
-  )
+variable "workload_vulnerability_mode" {
+  description = "(beta) Vulnerability mode."
+  type        = string
+  default     = ""
+}
 
-  default = {
-    workload_vulnerability_mode = ""
-    workload_config = {
-      audit_mode = "MODE_UNSPECIFIED"
-    }
-  }
+variable "workload_config_audit_mode" {
+  description = "(beta) Worload config audit mode."
+  type        = string
+  default     = "MODE_UNSPECIFIED"
 }

modules/beta-public-cluster/README.md

@@ -214,7 +214,6 @@ Then perform the following commands on the root folder:
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` | <pre>[<br>  "10.0.0.0/8",<br>  "172.16.0.0/12",<br>  "192.168.0.0/16"<br>]</pre> | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
-| protect\_config | (beta) Enable/Disable Protect API features for the cluster. | <pre>object({<br>    workload_vulnerability_mode = string,<br>    workload_config = object({<br>      audit_mode = string<br>    })<br>    }<br>  )</pre> | <pre>{<br>  "workload_config": {<br>    "audit_mode": "MODE_UNSPECIFIED"<br>  },<br>  "workload_vulnerability_mode": ""<br>}</pre> | no |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
 | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
@@ -232,6 +231,8 @@ Then perform the following commands on the root folder:
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
 | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
+| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"MODE_UNSPECIFIED"` | no |
+| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |
 
 ## Outputs

modules/beta-public-cluster/cluster.tf

@@ -259,9 +259,9 @@ resource "google_container_cluster" "primary" {
 
   protect_config {
     workload_config {
-      audit_mode = var.protect_config.workload_config.audit_mode
+      audit_mode = var.workload_config_audit_mode
     }
-    workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode
+    workload_vulnerability_mode = var.workload_vulnerability_mode
   }
   ip_allocation_policy {
     cluster_secondary_range_name  = var.ip_range_pods

modules/beta-public-cluster/variables.tf

@@ -696,20 +696,14 @@ variable "enable_identity_service" {
   default     = false
 }
 
-variable "protect_config" {
-  description = "(beta) Enable/Disable Protect API features for the cluster."
-  type = object({
-    workload_vulnerability_mode = string,
-    workload_config = object({
-      audit_mode = string
-    })
-    }
-  )
+variable "workload_vulnerability_mode" {
+  description = "(beta) Vulnerability mode."
+  type        = string
+  default     = ""
+}
 
-  default = {
-    workload_vulnerability_mode = ""
-    workload_config = {
-      audit_mode = "MODE_UNSPECIFIED"
-    }
-  }
+variable "workload_config_audit_mode" {
+  description = "(beta) Worload config audit mode."
+  type        = string
+  default     = "MODE_UNSPECIFIED"
 }