unable to update auto_provisioning_defaults shielded_instance_config

[descampsk]

TL;DR

The private cluster module can't update shielded_instance_config of the auto_provisioning_defaults if not null.

Expected behavior

I expect the following plan to update the value to null.

Terraform will perform the following actions:

  # module.gke.google_container_cluster.primary will be updated in-place
  ~ resource "google_container_cluster" "primary" {
        id                          = "projects/dev/locations/europe-west1/clusters/gke-app-dev"
        name                        = "gke-app-dev"
        # (26 unchanged attributes hidden)

      ~ cluster_autoscaling {
            # (1 unchanged attribute hidden)

          ~ auto_provisioning_defaults {
                # (5 unchanged attributes hidden)


              - shielded_instance_config {
                  - enable_integrity_monitoring = true -> null
                  - enable_secure_boot          = false -> null
                }

                # (2 unchanged blocks hidden)
            }

            # (2 unchanged blocks hidden)
        }

        # (23 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy

Observed behavior

Instead the apply change nothing and if I do again a plan, the value didn't change and I go the same plan as before.

Terraform Configuration

google = {
      source  = "hashicorp/google"
      version = "~> 4.51.0"
    }

module "gke" {
  source  = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
  version = "v25.0.0"

  project_id = local.google_project

  name               = local.cluster_name
  kubernetes_version = var.gke_version
  release_channel    = var.release_channel

  region            = "europe-west1"
  zones             = ["europe-west1-b", "europe-west1-c", "europe-west1-d"]
  network           = "vpc-${terraform.workspace}"
  subnetwork        = google_compute_subnetwork.gke.name
  ip_range_pods     = "${local.cluster_name}-pods"
  ip_range_services = "${local.cluster_name}-services"

  enable_private_nodes       = true
  master_ipv4_cidr_block     = var.master_ipv4_cidr_block
  master_authorized_networks = var.master_authorized_networks

  http_load_balancing             = true
  horizontal_pod_autoscaling      = true
  network_policy                  = true
  enable_vertical_pod_autoscaling = true

  grant_registry_access = true

  // To enable better cost and resource monitoring
  enable_cost_allocation             = true
  enable_resource_consumption_export = true

  master_global_access_enabled = false

  cluster_autoscaling = {
    enabled       = true
    min_cpu_cores = 12
    max_cpu_cores = var.cluster_autoscaling_max_cpu_cores
    min_memory_gb = 12
    max_memory_gb = var.cluster_autoscaling_max_memory_gb
    gpu_resources = []
    auto_repair   = true
    auto_upgrade  = true
  }

  remove_default_node_pool = true
  create_service_account   = true

  node_pools = [
    {
      name               = "system"
      machine_type       = var.system_node_pool_machine_type
      node_locations     = join(",", var.node_locations)
      min_count          = var.min_nodes_count_system
      max_count          = var.max_nodes_count_system
      local_ssd_count    = 0
      disk_size_gb       = var.system_node_pool_disk_size_gb
      disk_type          = "pd-standard"
      image_type         = "COS_CONTAINERD"
      auto_repair        = true
      auto_upgrade       = true
      preemptible        = true
      initial_node_count = var.min_nodes_count_system
    },
    {
      name               = "apps"
      machine_type       = var.apps_node_pool_machine_type
      node_locations     = join(",", var.node_locations)
      min_count          = var.min_nodes_count_apps
      max_count          = var.max_nodes_count_apps
      local_ssd_count    = 0
      disk_size_gb       = var.apps_node_pool_disk_size_gb
      disk_type          = "pd-standard"
      image_type         = "COS_CONTAINERD"
      auto_repair        = true
      auto_upgrade       = true
      preemptible        = true
      initial_node_count = var.min_nodes_count_apps
    },
  ]

  node_pools_oauth_scopes = {
    all = [
      "https://www.googleapis.com/auth/cloud-platform",
    ]
  }
}

### Terraform Version

```sh
Terraform v1.4.2
on linux_amd64
+ provider registry.terraform.io/gavinbunney/kubectl v1.14.0
+ provider registry.terraform.io/hashicorp/external v2.2.3
+ provider registry.terraform.io/hashicorp/google v4.51.0
+ provider registry.terraform.io/hashicorp/google-beta v4.51.0
+ provider registry.terraform.io/hashicorp/helm v2.9.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.18.1
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.4.3
+ provider registry.terraform.io/hashicorp/vault v3.13.0

Additional information

No response

[dangarthwaite]

This might be as simple as:

$ git diff master
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 50cd158d..2d27998b 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -122,6 +122,11 @@ resource "google_container_cluster" "primary" {
           auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true)
         }

+        shielded_instance_config {
+          enable_integrity_monitoring = lookup(var.node_pools[0], "enable_integrity_monitoring", true)
+          enable_secure_boot          = lookup(var.node_pools[0], "enable_secure_boot", false)
+        }
+
         min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
       }
     }

[asallam-zen]

@apeabody can we please fix this? we're facing the same issue and it's kinda blocker.

[mfar]

any thoughts when this will be fixed?

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days