identity_namespace output is "enabled" instead of [project_id].svc.id.goog for beta-private-cluster #489

schostin · 2020-04-15T08:02:45Z

We are using module version 8.1.0 and when I create a beta-private-cluster with the default identity_namespace = "enabled" the output value of identity_namespace is also "enabled". I would expect [project_id].svc.id.goog as output here. Any opinions on this? Happy to issue a PR if needed :)

The text was updated successfully, but these errors were encountered:

morgante · 2020-04-15T14:24:23Z

Yeah looks like a bug in the output. Just need to update it to point to the actual value from the cluster.

schostin · 2020-04-29T19:58:56Z

I was just able to get all tests working on my machine and would love to fix this. So therefore a question popped up:

What is the rational of having the workload identity configuration block as dynamic. Currently there is only one workload identity namespace supported and therefore the module could just reflect this. If the workload identity namespace is a dynamic based on a list, the output of identity_namespace should therefore be a list as well?

Any opinions on this? Imho there are 2 possibilities:

Having workload_identity_config as a dynamic as it is now. Change the inputs / outputs to be a list as well to match this.
Having workload_identity_config be a single "resource" and remove the dynamic part, only a small change on the output side would be needed then.

I would favor version 2 here since it is not clear, when and if multiple workload identity namespace will come.

morgante · 2020-04-29T20:05:15Z

It's dynamic because workload identity can be disabled. In such cases we omit the block entirely. The block should be kept as-is (dynamic).

We shouldn't change the output much either. There's no need to make it a list.

This should work fine:

output "identity_namespace" {
  description = "Workload Identity namespace"
  value       = length(local.cluster_workload_identity_config) > 0 ? local.local.cluster_workload_identity_config[0].identity_namespace : null
  depends_on = [
    google_container_cluster.primary
  ]
}

schostin · 2020-04-29T20:35:49Z

Fine with me. Will adjust the output tomorrow and try to add a test for it. Will issue the PR once it's ready and I've played around with tests a bit.

* Fixes #489 Identity namespace output for beta clusters The identity namespace flag was "enabled". Changed the output value to reference the actual identity namespace of the cluster / the project. * Fixed tests by re-building the module

…oogle-modules#500) * Fixes terraform-google-modules#489 Identity namespace output for beta clusters The identity namespace flag was "enabled". Changed the output value to reference the actual identity namespace of the cluster / the project. * Fixed tests by re-building the module

morgante added bug Something isn't working good first issue Good for newcomers P2 high priority issues triaged Scoped and ready for work labels Apr 15, 2020

schostin mentioned this issue Apr 30, 2020

Fixes #489 Identity namespace output for beta clusters #500

Merged

morgante closed this as completed in #500 May 4, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

identity_namespace output is "enabled" instead of [project_id].svc.id.goog for beta-private-cluster #489

identity_namespace output is "enabled" instead of [project_id].svc.id.goog for beta-private-cluster #489

schostin commented Apr 15, 2020

morgante commented Apr 15, 2020

schostin commented Apr 29, 2020

morgante commented Apr 29, 2020

schostin commented Apr 29, 2020

identity_namespace output is "enabled" instead of [project_id].svc.id.goog for beta-private-cluster #489

identity_namespace output is "enabled" instead of [project_id].svc.id.goog for beta-private-cluster #489

Comments

schostin commented Apr 15, 2020

morgante commented Apr 15, 2020

schostin commented Apr 29, 2020

morgante commented Apr 29, 2020

schostin commented Apr 29, 2020