Not possible to disable workload identity /modules/beta-private-cluster v8.1.0

[konstantin-recurly]

This is the variable

variable "identity_namespace" {
  description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`)"
  type        = string
  default     = "enabled"
}

This is the local variable

cluster_workload_identity_config = var.identity_namespace == null ? [] : var.identity_namespace == "enabled" ? [{
    identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace
  }]

I would like to use the variable in this way

identity_namespace = null

Expected:
if var.identity_namespace == null it should use an empty list, like so

       workload_identity_config {
           identity_namespace = []
        }

Actual result:

      + workload_identity_config {
          + identity_namespace = "null"
        }

It basically converts null to "null"

[bharathkkb]

I doubt identity_namespace = [] is possible as identity_namespace takes the identity namespace as a string. Have you tried identity_namespace = ""?

[morgante]

It looks like idenity_namespace might be getting cast to a string.

[morgante]

I'm unable to replicate this and successfully disabled workload identity with this config - #542.

Any chance you're using Terragrunt or some other tool which might be incorrectly casting null to "null"?

[konstantin-recurly]

Yes, I was using terragrunt to run it.

[morgante]

Got it. This is really a bug in Terragrunt (it shouldn't treat null as "null") but we can attempt to work around it.

[konstantin-recurly]

I think it happens because the variable has type=string
and this

Note that because the values are being passed in with environment variables and json, the type information is lost when crossing the boundary between Terragrunt and Terraform. You must specify the proper type constraint on the variable in Terraform in order for Terraform to process the inputs to the right type.

https://terragrunt.gruntwork.io/docs/reference/config-blocks-and-attributes/#inputs

This is what I am getting if use identity_namespace = ""

+ workload_identity_config {}

Seems that it's what we want.
Thanks

[bharathkkb]

@morgante since identity_namespace = "" is working do we need to add the guardrail? ihmo either is fine, identity_namespace = "" seems more Terraform native.

[morgante]

I think the guardrail would still be helpful.

[konstantin-recurly]

Tried to apply what I have posted earlier
identity_namespace = ""
the plan was showing this
+ workload_identity_config {}
and the apply didn't work, I got an error

Error: googleapi: Error 400: Must specify a field to update., badRequest

  on cluster.tf line 22, in resource "google_container_cluster" "primary":
  22: resource "google_container_cluster" "primary" {

Seems that it's not possible to use an empty string.

[morgante]

Can you try setting null explicitly and using the latest module? We don't even generate the workload identity block if it's set to null.

[konstantin-recurly]

unfortunately, I cannot use the latest version of the module.
with version 8.1.0 if I set it as

  identity_namespace     = null

in the plan it shows null as a string "null"

      + workload_identity_config {
          + identity_namespace = "null"
        }

[morgante]

This is fixed on version 9.2.0, please upgrade to that version.

[konstantin-recurly]

Thanks