
beta-private-cluster-update-variant should generate new node pool ID if nodepools.enable_secure_boot value is changed #1276

Closed
fbeevikm opened this issue May 31, 2022 · 1 comment · Fixed by #1277
Labels
bug Something isn't working

Comments

@fbeevikm
Contributor

TL;DR

beta-private-cluster-update-variant does not currently generate a new node pool random suffix when enable_secure_boot is changed. This results in a name conflict error, like:

Error: resource - projects/sample-project/locations/europe-west2/clusters/mllp-stage/nodePools/default-node-pool-55e2 - already exists

Expected behavior

No response

Observed behavior

No response

Terraform Configuration

module "{{.module_name}}" {
  source     = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster-update-variant"
  version    = "~> 13.0.0"
  depends_on = [module.project]

  # Required.
  name       = "{{.cluster_name}}"
  project_id = "{{.project_id}}"
  region     = "{{.region}}"
  regional   = true

  network_project_id         = "{{.network_project_id}}"
  network                    = "{{.network}}"
  subnetwork                 = "{{.subnet}}"
  ip_range_pods              = "pods-range"
  ip_range_services          = "services-range"
  add_cluster_firewall_rules = true
  master_ipv4_cidr_block     = "{{.master_ipv4_cidr_block}}"
  istio                      = false
  skip_provisioners          = true
  enable_private_endpoint    = true
  release_channel            = "STABLE"
  network_policy             = true
  # Removing the default node pool, as it cannot be modified without destroying the cluster.
  remove_default_node_pool = true
  # Basic Auth disabled
  basic_auth_username           = ""
  basic_auth_password           = ""
  issue_client_certificate      = false
  deploy_using_private_endpoint = true
  # Private nodes better control public exposure, and reduce the
  # ability of nodes to reach the Internet without additional configuration.
  enable_private_nodes = true
  # Allow the cluster master to be accessible globally (from any region).
  master_global_access_enabled = true
  # master_authorized_networks can be specified to restrict access to the public endpoint.
  # Also see https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters.
  enable_binary_authorization = true
  # Workload Identity is enabled by default in beta-private-cluster-update-variant.

  master_authorized_networks = [
    {
      display_name = "cloudbuild"
      cidr_block   = "{{.cloud_build_pool_range}}"
    }
  ]
  node_pools = [
    {
      name               = "default-node-pool"
      machine_type       = "e2-medium"
      min_count          = 1
      max_count          = 20
      local_ssd_count    = 0
      disk_size_gb       = 100
      disk_type          = "pd-standard"
      image_type         = "COS_CONTAINERD"
      auto_repair        = true
      auto_upgrade       = true
      service_account    = "{{.service_account}}"
      preemptible        = false
      initial_node_count = 1
      enable_secure_boot = true
    },
  ]
}

Terraform Version

Terraform v0.14.9

Additional information

No response
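As an added illustration (not code from this issue or from the terraform-google-modules project): a node pool whose name carries a random_id suffix keyed on the pool's settings, with enable_secure_boot included in the keepers so that toggling it yields a new pool name instead of the "already exists" conflict quoted above. The variable, resource names, cluster name and location are assumed placeholders.

```hcl
# Constructed example: node pool settings that should force a fresh
# name when they change. Values are placeholders.
variable "node_pool" {
  type = object({
    name               = string
    machine_type       = string
    disk_size_gb       = number
    enable_secure_boot = bool
  })
  default = {
    name               = "default-node-pool"
    machine_type       = "e2-medium"
    disk_size_gb       = 100
    enable_secure_boot = true
  }
}

# The 2-byte suffix is regenerated whenever any keeper value changes.
# If enable_secure_boot is left out of this map (the behaviour the
# issue reports), flipping it keeps the old suffix, so the replacement
# pool reuses the existing "<name>-<suffix>" and creation fails.
resource "random_id" "name" {
  byte_length = 2
  keepers = {
    machine_type       = var.node_pool.machine_type
    disk_size_gb       = var.node_pool.disk_size_gb
    enable_secure_boot = var.node_pool.enable_secure_boot # the keeper the issue asks for
  }
}

resource "google_container_node_pool" "pool" {
  name     = "${var.node_pool.name}-${random_id.name.hex}"
  cluster  = "example-cluster" # placeholder
  location = "europe-west2"    # placeholder

  node_config {
    machine_type = var.node_pool.machine_type
    disk_size_gb = var.node_pool.disk_size_gb
    shielded_instance_config {
      enable_secure_boot = var.node_pool.enable_secure_boot
    }
  }

  # Create the new pool under its new name before the old one is removed.
  lifecycle {
    create_before_destroy = true
  }
}
```

Adding a keeper changes the suffix on the next apply, so expect a one-time pool replacement when the fixed module version is first used.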

@fbeevikm
Contributor Author

PR #1277
