From 59158869a31cdc6024081360332ffdf44d8c30d6 Mon Sep 17 00:00:00 2001
From: Ihor Pukha
Date: Tue, 27 Aug 2019 14:33:00 +0300
Subject: [PATCH] enabling metadata-concealment by default

---
 CHANGELOG.md | 3 ++-
 autogen/variables.tf | 3 ++-
 modules/beta-private-cluster/README.md | 2 +-
 modules/beta-private-cluster/variables.tf | 3 ++-
 modules/beta-public-cluster/README.md | 2 +-
 modules/beta-public-cluster/variables.tf | 3 ++-
 6 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 706682fbf1..c070bc124c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,7 +8,7 @@ Extending the adopted spec, each change should have a link to its corresponding
 ## [Unreleased]
 
 ### Added
-
+* Enabled metadata-concealment by default [#248]
 * Added `grant_registry_access` variable to grant Container Registry access to created SA [#236]
 * Support for Intranode Visbiility (IV) and Veritical Pod Autoscaling (VPA) beta features [#216]
 * Support for Workload Identity beta feature [#234]
@@ -170,6 +170,7 @@ Extending the adopted spec, each change should have a link to its corresponding
 
 [v0.3.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.2.0...v0.3.0
 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0
+[#248]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/248
 [#236]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/236
 [#217]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/217
 [#234]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/234
diff --git a/autogen/variables.tf b/autogen/variables.tf
index 9a956194e0..f88ce66782 100644
--- a/autogen/variables.tf
+++ b/autogen/variables.tf
@@ -368,7 +368,8 @@ variable "pod_security_policy_config" {
 
 variable "node_metadata" {
   description = "Specifies how node metadata is exposed to the workload running on the node"
-  default = "UNSPECIFIED"
+  default = "SECURE"
+  type = string
 }
 
 variable "enable_intranode_visibility" {
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index eba9f48d31..7c750d3bbe 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -177,7 +177,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | network\_policy | Enable network policy addon | bool | `"false"` | no |
 | network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no |
-| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"UNSPECIFIED"` | no |
+| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"SECURE"` | no |
 | node\_pools | List of maps containing node pools | list(map(string)) | `` | no |
 | node\_pools\_labels | Map of maps containing node labels by node-pool name | map(map(string)) | `` | no |
 | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map(map(string)) | `` | no |
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 6aa50eafff..82eb9906d0 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -365,7 +365,8 @@ variable "pod_security_policy_config" {
 
 variable "node_metadata" {
   description = "Specifies how node metadata is exposed to the workload running on the node"
-  default = "UNSPECIFIED"
+  default = "SECURE"
+  type = string
 }
 
 variable "enable_intranode_visibility" {
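Review bot: The new `SECURE` default in `variable "node_metadata"` (this autogen hunk and the identical generated hunks in modules/beta-private-cluster/variables.tf and modules/beta-public-cluster/variables.tf) adds `type = string` but still neither constrains nor documents the accepted values, so a misspelt mode passes module validation and is rejected only by the provider at plan or apply time. Suggest widening the description in the autogen template and regenerating: `description = "Specifies how node metadata is exposed to the workload running on the node: UNSPECIFIED, SECURE, EXPOSE or GKE_METADATA_SERVER. SECURE runs the metadata concealment proxy that hides sensitive node metadata (e.g. kube-env) from pods; Workload Identity requires GKE_METADATA_SERVER."`. Because this silently changes behaviour for every existing caller that relied on the old default, the CHANGELOG line should call it out as a default change and, if the provider treats `workload_metadata_config` as forcing node-pool replacement (confirm against the provider version the module pins), the upgrade notes in the READMEs should say so too. The `variable` block is fully inside the hunk.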
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 49ffddedc1..7c257c619f 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -168,7 +168,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | network\_policy | Enable network policy addon | bool | `"false"` | no |
 | network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no |
-| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"UNSPECIFIED"` | no |
+| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"SECURE"` | no |
 | node\_pools | List of maps containing node pools | list(map(string)) | `` | no |
 | node\_pools\_labels | Map of maps containing node labels by node-pool name | map(map(string)) | `` | no |
 | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map(map(string)) | `` | no |
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index d8b68de69b..acfecfb515 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -341,7 +341,8 @@ variable "pod_security_policy_config" {
 
 variable "node_metadata" {
   description = "Specifies how node metadata is exposed to the workload running on the node"
-  default = "UNSPECIFIED"
+  default = "SECURE"
+  type = string
 }
 
 variable "enable_intranode_visibility" {