From 0d8d27de536b8f8fdf511041323395d7d9d80aa0 Mon Sep 17 00:00:00 2001 From: bharathkkb Date: Fri, 20 Mar 2020 23:47:13 -0500 Subject: [PATCH 1/7] add istio mtls support --- autogen/main/README.md | 5 +- autogen/main/cluster.tf.tmpl | 3 +- autogen/main/variables.tf.tmpl | 11 +- examples/simple_regional_beta/README.md | 2 +- examples/simple_regional_beta/variables.tf | 7 +- .../README.md | 110 +----------------- .../cluster.tf | 3 +- .../variables.tf | 11 +- modules/beta-private-cluster/README.md | 110 +----------------- modules/beta-private-cluster/cluster.tf | 3 +- modules/beta-private-cluster/variables.tf | 11 +- modules/beta-public-cluster/README.md | 105 +---------------- modules/beta-public-cluster/cluster.tf | 3 +- modules/beta-public-cluster/variables.tf | 11 +- test/fixtures/beta_cluster/main.tf | 5 +- test/fixtures/sandbox_enabled/example.tf | 12 +- .../beta_cluster/controls/gcloud.rb | 2 +- 17 files changed, 78 insertions(+), 336 deletions(-) diff --git a/autogen/main/README.md b/autogen/main/README.md index abe1bb2af6..f6275a3280 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md @@ -82,7 +82,10 @@ module "gke" { master_ipv4_cidr_block = "10.0.0.0/28" {% endif %} {% if beta_cluster %} - istio = true + istio = { + disabled = false + auth = "AUTH_MUTUAL_TLS" + } cloudrun = true {% endif %} diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index b2b4245a0e..2b1e793411 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -145,7 +145,8 @@ resource "google_container_cluster" "primary" { {% if beta_cluster %} istio_config { - disabled = ! var.istio + disabled = var.istio.disabled + auth = var.istio.auth != null ? var.istio.auth : "AUTH_MUTUAL_TLS" } dynamic "cloudrun_config" { diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index db83f3e690..da54c93fe9 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl 
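Review bot: The fallback `auth = var.istio.auth != null ? var.istio.auth : "AUTH_MUTUAL_TLS"` added to `istio_config` is only reachable when a caller explicitly passes `auth = null`: the `object({ disabled = bool, auth = string })` type this commit gives `var.istio` has no optional attributes, so (as far as I can tell from the declared type) Terraform rejects an `istio` value that omits `auth` outright rather than filling it with null. Putting the mutual-TLS default in the variable itself (`auth = "AUTH_MUTUAL_TLS"` in place of `auth = null`) and writing `disabled = var.istio.disabled` / `auth = var.istio.auth` here keeps the secure-by-default behaviour with a single source of truth; the same duplicated fallback is in modules/beta-private-cluster-update-variant/cluster.tf and modules/beta-private-cluster/cluster.tf, which appear to be generated from this template. Nothing on the new side constrains `auth` to the modes GKE accepts, so a mistyped value is caught only at apply time; a short comment on the `auth` line naming the accepted values, or a variable validation once the module's minimum Terraform version allows it, would help. The enclosing `google_container_cluster` resource starts and ends outside the hunk.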
@@ -387,8 +387,15 @@ variable "master_ipv4_cidr_block" { {% if beta_cluster %} variable "istio" { - description = "(Beta) Enable Istio addon" - default = false + description = "Istio configs" + type= object({ + disabled = bool + auth = string + }) + default = { + disabled = true + auth = null + } } variable "database_encryption" { diff --git a/examples/simple_regional_beta/README.md b/examples/simple_regional_beta/README.md index 9b31404baf..4fdd43c154 100644 --- a/examples/simple_regional_beta/README.md +++ b/examples/simple_regional_beta/README.md @@ -14,7 +14,7 @@ This example illustrates how to create a simple cluster with beta features. | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes | | ip\_range\_services | The secondary ip range to use for services | string | n/a | yes | -| istio | Boolean to enable / disable Istio | string | `"true"` | no | +| istio | Istio Config | map | `` | no | | network | The VPC network to host the cluster in | string | n/a | yes | | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"SECURE"` | no | | node\_pools | List of maps containing node pools | list(map(string)) | `` | no | diff --git a/examples/simple_regional_beta/variables.tf b/examples/simple_regional_beta/variables.tf index 496b42f45a..ff6c324d17 100644 --- a/examples/simple_regional_beta/variables.tf +++ b/examples/simple_regional_beta/variables.tf @@ -48,8 +48,11 @@ variable "compute_engine_service_account" { } variable "istio" { - description = "Boolean to enable / disable Istio" - default = true + description = "Istio Config" + default = { + disabled = false + auth = "AUTH_MUTUAL_TLS" + } } variable "cloudrun" { diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index b651ec4964..8c5cfca55c 100644 
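Review bot: The new `type= object({` line in autogen/main/variables.tf.tmpl is missing the space before `=`, while the generated copies in modules/beta-private-cluster-update-variant/variables.tf and modules/beta-private-cluster/variables.tf read `type = object({`, so the template and its outputs already disagree; `type = object({` matches `terraform fmt` output and the rest of the block. The description `"Istio configs"` also drops information the old `"(Beta) Enable Istio addon"` carried and says nothing about the two fields or the fact that `istio = true`, which earlier callers pass, is now a type error; something like `description = "(Beta) Istio addon settings. disabled: true keeps the addon off. auth: value passed to istio_config.auth; null selects AUTH_MUTUAL_TLS"` would document the contract and the changed shape in one place.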
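Review bot: The example's `variable "istio"` in examples/simple_regional_beta/variables.tf now carries an object default but still declares no `type`, so the example README in the same commit lists it as `map` while the module it feeds declares `object({ disabled = bool, auth = string })`. Adding `type = object({ disabled = bool, auth = string })` to the example variable keeps the example and the module in step and makes a malformed override fail in the example rather than at the module boundary.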
--- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -74,7 +74,10 @@ module "gke" { enable_private_endpoint = true enable_private_nodes = true master_ipv4_cidr_block = "10.0.0.0/28" - istio = true + istio = { + disabled = false + auth = "AUTH_MUTUAL_TLS" + } cloudrun = true node_pools = [ 
@@ -151,111 +154,6 @@ Then perform the following commands on the root folder: - `terraform destroy` to destroy the built infrastructure -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|:----:|:-----:|:-----:| -| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no | -| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | -| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | -| cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | object | `` | no | -| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | string | `"null"` | no | -| cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | map(string) | `` | no | -| configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | string | `"false"` | no | -| create\_service\_account | Defines if service account specified to run nodes should be created. | bool | `"true"` | no | -| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. 
| object | `` | no | -| default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no | -| deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | bool | `"false"` | no | -| description | The description of the cluster | string | `""` | no | -| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no | -| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | -| enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no | -| enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no | -| enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | bool | `"false"` | no | -| enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | bool | `"false"` | no | -| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"true"` | no | -| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no | -| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no | -| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no | -| http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no | -| identity\_namespace | Workload Identity namespace. 
(Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | string | `"enabled"` | no | -| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no | -| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | bool | `"false"` | no | -| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no | -| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes | -| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes | -| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | bool | `"false"` | no | -| istio | (Beta) Enable Istio addon | string | `"false"` | no | -| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no | -| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no | -| maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | string | `""` | no | -| maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | string | `""` | no | -| maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | string | `"05:00"` | no | -| master\_authorized\_networks | List of master authorized networks. 
If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | object | `` | no | -| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | string | `"10.0.0.0/28"` | no | -| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com/kubernetes"` | no | -| name | The name of the cluster (required) | string | n/a | yes | -| network | The VPC network to host the cluster in (required) | string | n/a | yes | -| network\_policy | Enable network policy addon | bool | `"true"` | no | -| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no | -| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"SECURE"` | no | -| node\_pools | List of maps containing node pools | list(map(string)) | `` | no | -| node\_pools\_labels | Map of maps containing node labels by node-pool name | map(map(string)) | `` | no | -| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map(map(string)) | `` | no | -| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map(list(string)) | `` | no | -| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no | -| node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `` | no | -| node\_version | The Kubernetes version of the node pools. 
Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no | -| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `` | no | -| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `` | no | -| project\_id | The project ID to host the cluster in (required) | string | n/a | yes | -| region | The region to host the cluster in (optional if zonal cluster / required if regional) | string | `"null"` | no | -| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | -| registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. | string | `""` | no | -| release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | string | `"null"` | no | -| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no | -| resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no | -| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no | -| service\_account | The service account to run nodes as if not overridden in `node_pools`. 
The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no | -| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | bool | `"false"` | no | -| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no | -| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | -| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list(string) | `` | no | -| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list(string) | `` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| ca\_certificate | Cluster ca certificate (base64 encoded) | -| cloudrun\_enabled | Whether CloudRun enabled | -| endpoint | Cluster endpoint | -| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | -| http\_load\_balancing\_enabled | Whether http load balancing enabled | -| identity\_namespace | Workload Identity namespace | -| intranode\_visibility\_enabled | Whether intra-node visibility is enabled | -| istio\_enabled | Whether Istio is enabled | -| location | Cluster location (region if regional cluster, zone if zonal cluster) | -| logging\_service | Logging service used | -| master\_authorized\_networks\_config | Networks from which access to master is permitted | -| master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network | -| master\_version | Current master kubernetes version | -| min\_master\_version | Minimum master kubernetes version | -| monitoring\_service | Monitoring service used | -| name | Cluster name | -| network\_policy\_enabled | Whether network policy enabled | -| node\_pools\_names | List of 
node pools names | -| node\_pools\_versions | List of node pools versions | -| pod\_security\_policy\_enabled | Whether pod security policy is enabled | -| region | Cluster region | -| release\_channel | The release channel of this cluster | -| service\_account | The service account to default running nodes as if not overridden in `node_pools`. | -| type | Cluster type (regional / zonal) | -| vertical\_pod\_autoscaling\_enabled | Whether veritical pod autoscaling is enabled | -| zones | List of zones in which the cluster resides | - ## node_pools variable diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index b870fd244b..d247cce952 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -130,7 +130,8 @@ resource "google_container_cluster" "primary" { } istio_config { - disabled = ! var.istio + disabled = var.istio.disabled + auth = var.istio.auth != null ? var.istio.auth : "AUTH_MUTUAL_TLS" } dynamic "cloudrun_config" { diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index e1a26aafc8..fda7259d69 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -380,8 +380,15 @@ variable "master_ipv4_cidr_block" { } variable "istio" { - description = "(Beta) Enable Istio addon" - default = false + description = "Istio configs" + type = object({ + disabled = bool + auth = string + }) + default = { + disabled = true + auth = null + } } variable "database_encryption" { diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 1390bd614b..fd66aee51e 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -52,7 +52,10 @@ module "gke" { enable_private_endpoint = true enable_private_nodes = true master_ipv4_cidr_block = "10.0.0.0/28" - istio = true + istio = { + disabled = false + auth = "AUTH_MUTUAL_TLS" + } cloudrun = true node_pools = [ 
@@ -129,111 +132,6 @@ Then perform the following commands on the root folder: - `terraform destroy` to destroy the built infrastructure -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|:----:|:-----:|:-----:| -| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no | -| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | -| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | -| cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | object | `` | no | -| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | string | `"null"` | no | -| cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | map(string) | `` | no | -| configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | string | `"false"` | no | -| create\_service\_account | Defines if service account specified to run nodes should be created. | bool | `"true"` | no | -| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. 
| object | `` | no | -| default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no | -| deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | bool | `"false"` | no | -| description | The description of the cluster | string | `""` | no | -| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no | -| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | -| enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no | -| enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no | -| enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | bool | `"false"` | no | -| enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | bool | `"false"` | no | -| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"true"` | no | -| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no | -| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no | -| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no | -| http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no | -| identity\_namespace | Workload Identity namespace. 
(Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | string | `"enabled"` | no | -| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no | -| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | bool | `"false"` | no | -| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no | -| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes | -| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes | -| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | bool | `"false"` | no | -| istio | (Beta) Enable Istio addon | string | `"false"` | no | -| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no | -| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no | -| maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | string | `""` | no | -| maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | string | `""` | no | -| maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | string | `"05:00"` | no | -| master\_authorized\_networks | List of master authorized networks. 
If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | object | `` | no | -| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | string | `"10.0.0.0/28"` | no | -| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com/kubernetes"` | no | -| name | The name of the cluster (required) | string | n/a | yes | -| network | The VPC network to host the cluster in (required) | string | n/a | yes | -| network\_policy | Enable network policy addon | bool | `"true"` | no | -| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no | -| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"SECURE"` | no | -| node\_pools | List of maps containing node pools | list(map(string)) | `` | no | -| node\_pools\_labels | Map of maps containing node labels by node-pool name | map(map(string)) | `` | no | -| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map(map(string)) | `` | no | -| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map(list(string)) | `` | no | -| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no | -| node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `` | no | -| node\_version | The Kubernetes version of the node pools. 
Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no | -| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `` | no | -| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `` | no | -| project\_id | The project ID to host the cluster in (required) | string | n/a | yes | -| region | The region to host the cluster in (optional if zonal cluster / required if regional) | string | `"null"` | no | -| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | -| registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. | string | `""` | no | -| release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | string | `"null"` | no | -| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no | -| resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no | -| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no | -| service\_account | The service account to run nodes as if not overridden in `node_pools`. 
The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no | -| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | bool | `"false"` | no | -| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no | -| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | -| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list(string) | `` | no | -| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list(string) | `` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| ca\_certificate | Cluster ca certificate (base64 encoded) | -| cloudrun\_enabled | Whether CloudRun enabled | -| endpoint | Cluster endpoint | -| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | -| http\_load\_balancing\_enabled | Whether http load balancing enabled | -| identity\_namespace | Workload Identity namespace | -| intranode\_visibility\_enabled | Whether intra-node visibility is enabled | -| istio\_enabled | Whether Istio is enabled | -| location | Cluster location (region if regional cluster, zone if zonal cluster) | -| logging\_service | Logging service used | -| master\_authorized\_networks\_config | Networks from which access to master is permitted | -| master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network | -| master\_version | Current master kubernetes version | -| min\_master\_version | Minimum master kubernetes version | -| monitoring\_service | Monitoring service used | -| name | Cluster name | -| network\_policy\_enabled | Whether network policy enabled | -| node\_pools\_names | List of 
node pools names | -| node\_pools\_versions | List of node pools versions | -| pod\_security\_policy\_enabled | Whether pod security policy is enabled | -| region | Cluster region | -| release\_channel | The release channel of this cluster | -| service\_account | The service account to default running nodes as if not overridden in `node_pools`. | -| type | Cluster type (regional / zonal) | -| vertical\_pod\_autoscaling\_enabled | Whether veritical pod autoscaling is enabled | -| zones | List of zones in which the cluster resides | - ## node_pools variable diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 1c73331c02..f2518b5e69 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -130,7 +130,8 @@ resource "google_container_cluster" "primary" { } istio_config { - disabled = ! var.istio + disabled = var.istio.disabled + auth = var.istio.auth != null ? var.istio.auth : "AUTH_MUTUAL_TLS" } dynamic "cloudrun_config" { diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index e1a26aafc8..fda7259d69 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -380,8 +380,15 @@ variable "master_ipv4_cidr_block" { } variable "istio" { - description = "(Beta) Enable Istio addon" - default = false + description = "Istio configs" + type = object({ + disabled = bool + auth = string + }) + default = { + disabled = true + auth = null + } } variable "database_encryption" { diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 4ff61f1dbb..208096e8c4 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -34,7 +34,10 @@ module "gke" { http_load_balancing = false horizontal_pod_autoscaling = true network_policy = true - istio = true + istio = { + disabled = false + auth = "AUTH_MUTUAL_TLS" + } cloudrun = true node_pools = [ 
@@ -111,106 +114,6 @@ Then perform the following commands on the root folder: - `terraform destroy` to destroy the built infrastructure -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|:----:|:-----:|:-----:| -| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no | -| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | -| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | -| cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | object | `` | no | -| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | string | `"null"` | no | -| cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | map(string) | `` | no | -| configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | string | `"false"` | no | -| create\_service\_account | Defines if service account specified to run nodes should be created. | bool | `"true"` | no | -| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. 
| object | `` | no | -| default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no | -| description | The description of the cluster | string | `""` | no | -| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no | -| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | -| enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no | -| enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no | -| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"true"` | no | -| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no | -| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no | -| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no | -| http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no | -| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | string | `"enabled"` | no | -| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no | -| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). 
| bool | `"false"` | no | -| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no | -| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes | -| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes | -| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | bool | `"false"` | no | -| istio | (Beta) Enable Istio addon | string | `"false"` | no | -| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no | -| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no | -| maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | string | `""` | no | -| maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | string | `""` | no | -| maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | string | `"05:00"` | no | -| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | object | `` | no | -| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. 
VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com/kubernetes"` | no | -| name | The name of the cluster (required) | string | n/a | yes | -| network | The VPC network to host the cluster in (required) | string | n/a | yes | -| network\_policy | Enable network policy addon | bool | `"true"` | no | -| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no | -| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | -| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"SECURE"` | no | -| node\_pools | List of maps containing node pools | list(map(string)) | `` | no | -| node\_pools\_labels | Map of maps containing node labels by node-pool name | map(map(string)) | `` | no | -| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map(map(string)) | `` | no | -| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map(list(string)) | `` | no | -| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no | -| node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `` | no | -| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no | -| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `` | no | -| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. 
If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `` | no | -| project\_id | The project ID to host the cluster in (required) | string | n/a | yes | -| region | The region to host the cluster in (optional if zonal cluster / required if regional) | string | `"null"` | no | -| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | -| registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. | string | `""` | no | -| release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | string | `"null"` | no | -| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no | -| resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no | -| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no | -| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no | -| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. 
| bool | `"false"` | no | -| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no | -| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | -| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list(string) | `` | no | -| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list(string) | `` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| ca\_certificate | Cluster ca certificate (base64 encoded) | -| cloudrun\_enabled | Whether CloudRun enabled | -| endpoint | Cluster endpoint | -| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | -| http\_load\_balancing\_enabled | Whether http load balancing enabled | -| identity\_namespace | Workload Identity namespace | -| intranode\_visibility\_enabled | Whether intra-node visibility is enabled | -| istio\_enabled | Whether Istio is enabled | -| location | Cluster location (region if regional cluster, zone if zonal cluster) | -| logging\_service | Logging service used | -| master\_authorized\_networks\_config | Networks from which access to master is permitted | -| master\_version | Current master kubernetes version | -| min\_master\_version | Minimum master kubernetes version | -| monitoring\_service | Monitoring service used | -| name | Cluster name | -| network\_policy\_enabled | Whether network policy enabled | -| node\_pools\_names | List of node pools names | -| node\_pools\_versions | List of node pools versions | -| pod\_security\_policy\_enabled | Whether pod security policy is enabled | -| region | Cluster region | -| release\_channel | The release channel of this cluster | -| service\_account | The service account to default running nodes as if not overridden in `node_pools`. 
| -| type | Cluster type (regional / zonal) | -| vertical\_pod\_autoscaling\_enabled | Whether veritical pod autoscaling is enabled | -| zones | List of zones in which the cluster resides | - ## node_pools variable diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 3fc4c75034..2bc35c7535 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -130,7 +130,8 @@ resource "google_container_cluster" "primary" { } istio_config { - disabled = ! var.istio + disabled = var.istio.disabled + auth = var.istio.auth != null ? var.istio.auth : "AUTH_MUTUAL_TLS" } dynamic "cloudrun_config" { diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index c04d860ef4..a93f06dfdb 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -356,8 +356,15 @@ variable "default_max_pods_per_node" { } variable "istio" { - description = "(Beta) Enable Istio addon" - default = false + description = "Istio configs" + type = object({ + disabled = bool + auth = string + }) + default = { + disabled = true + auth = null + } } variable "database_encryption" { diff --git a/test/fixtures/beta_cluster/main.tf b/test/fixtures/beta_cluster/main.tf index 82f65126b4..b2608e21bf 100644 --- a/test/fixtures/beta_cluster/main.tf +++ b/test/fixtures/beta_cluster/main.tf @@ -45,7 +45,10 @@ module "this" { compute_engine_service_account = "create" // Beta features - istio = true + istio = { + disabled = false + auth = "AUTH_MUTUAL_TLS" + } database_encryption = [{ state = "ENCRYPTED" diff --git a/test/fixtures/sandbox_enabled/example.tf b/test/fixtures/sandbox_enabled/example.tf index 920c5e179f..73cc9e6ebc 100644 --- a/test/fixtures/sandbox_enabled/example.tf +++ b/test/fixtures/sandbox_enabled/example.tf 
@@ -25,11 +25,13 @@ module "example" { ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name compute_engine_service_account = var.compute_engine_service_accounts[0] - istio = false - cloudrun = false - node_metadata = "UNSPECIFIED" - sandbox_enabled = true - remove_default_node_pool = true + istio = { + disabled = true + } + cloudrun = false + node_metadata = "UNSPECIFIED" + sandbox_enabled = true + remove_default_node_pool = true node_pools = [ { diff --git a/test/integration/beta_cluster/controls/gcloud.rb b/test/integration/beta_cluster/controls/gcloud.rb index 7170656d69..26de68f7a3 100644 --- a/test/integration/beta_cluster/controls/gcloud.rb +++ b/test/integration/beta_cluster/controls/gcloud.rb @@ -56,7 +56,7 @@ "disabled" => true, }, "networkPolicyConfig" => {}, - "istioConfig" => {}, + "istioConfig" => {"auth"=>"AUTH_MUTUAL_TLS"}, "cloudRunConfig" => {}, }) end From e98b678cd1bd0692695551435bbd77d6b8be7e81 Mon Sep 17 00:00:00 2001 
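Review bot: `istio = { disabled = true }` in test/fixtures/sandbox_enabled/example.tf omits the `auth` attribute, but the module variable is now typed `object({ disabled = bool, auth = string })`; as far as I know Terraform object type constraints of this era have no optional attributes, so this fixture should fail variable type checking with an "attribute auth is required" error instead of exercising the disabled path. Unless a later patch in the series adds it, pass the attribute explicitly, e.g. `istio = { disabled = true, auth = "AUTH_MUTUAL_TLS" }`, which keeps the module's default auth mode while still turning the addon off. The `module "example"` block continues outside the hunk.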
From: bharathkkb Date: Sat, 21 Mar 2020 19:11:16 -0500 Subject: [PATCH 2/7] docs --- autogen/main/cluster.tf.tmpl | 2 +- autogen/main/variables.tf.tmpl | 4 +- autogen/safer-cluster/variables.tf.tmpl | 11 +- examples/safer_cluster/main.tf | 5 +- .../simple_regional_private_beta/variables.tf | 7 +- .../README.md | 105 ++++++++++++++++++ .../cluster.tf | 2 +- .../variables.tf | 2 +- modules/beta-private-cluster/README.md | 105 ++++++++++++++++++ modules/beta-private-cluster/cluster.tf | 2 +- modules/beta-private-cluster/variables.tf | 2 +- modules/beta-public-cluster/README.md | 100 +++++++++++++++++ modules/beta-public-cluster/cluster.tf | 2 +- modules/beta-public-cluster/variables.tf | 2 +- .../safer-cluster-update-variant/README.md | 2 +- .../safer-cluster-update-variant/variables.tf | 11 +- modules/safer-cluster/README.md | 2 +- modules/safer-cluster/variables.tf | 11 +- 18 files changed, 357 insertions(+), 20 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 2b1e793411..8b06c4e91d 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -146,7 +146,7 @@ resource "google_container_cluster" "primary" { istio_config { disabled = var.istio.disabled - auth = var.istio.auth != null ? var.istio.auth : "AUTH_MUTUAL_TLS" + auth = var.istio.auth != "" ? var.istio.auth : "AUTH_MUTUAL_TLS" } dynamic "cloudrun_config" { diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index da54c93fe9..1f8517f391 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -388,13 +388,13 @@ variable "master_ipv4_cidr_block" { variable "istio" { description = "Istio configs" - type= object({ + type = object({ disabled = bool auth = string }) default = { disabled = true - auth = null + auth = "" } } diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl index 666798a8a6..cb83e1aa87 100644 --- a/autogen/safer-cluster/variables.tf.tmpl 
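Review bot: Switching the guard in autogen/main/cluster.tf.tmpl from `!= null` to `!= ""` leaves `auth = null` unhandled: `null != ""` evaluates true, so an explicit null in the caller's object is forwarded to `istio_config.auth` as unset and the cluster receives the provider's own default (which I believe is AUTH_NONE), silently dropping the mutual-TLS default this series is introducing. Since the variable's default was `null` in the previous patch and the `string` type still admits it, cover both cases: `auth = (var.istio.auth == null || var.istio.auth == "") ? "AUTH_MUTUAL_TLS" : var.istio.auth`. The same one-line change applies to the generated copy in modules/beta-private-cluster-update-variant/cluster.tf further down and to the other module cluster.tf files listed in this patch's diffstat.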
+++ b/autogen/safer-cluster/variables.tf.tmpl @@ -227,8 +227,15 @@ variable "master_ipv4_cidr_block" { } variable "istio" { - description = "(Beta) Enable Istio addon" - default = false + description = "Istio configs" + type = object({ + disabled = bool + auth = string + }) + default = { + disabled = true + auth = "" + } } variable "default_max_pods_per_node" { diff --git a/examples/safer_cluster/main.tf b/examples/safer_cluster/main.tf index 4d6e7e4dbc..a4fe8279ac 100644 --- a/examples/safer_cluster/main.tf +++ b/examples/safer_cluster/main.tf @@ -57,7 +57,10 @@ module "gke" { }, ] - istio = true + istio = { + disabled = false + auth = "AUTH_MUTUAL_TLS" + } cloudrun = true } diff --git a/examples/simple_regional_private_beta/variables.tf b/examples/simple_regional_private_beta/variables.tf index b05d008bfd..c27b86a7b1 100644 --- a/examples/simple_regional_private_beta/variables.tf +++ b/examples/simple_regional_private_beta/variables.tf @@ -48,8 +48,11 @@ variable "compute_engine_service_account" { } variable "istio" { - description = "Boolean to enable / disable Istio" - default = true + description = "Istio Config" + default = { + disabled = false + auth = "AUTH_MUTUAL_TLS" + } } variable "cloudrun" { diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 8c5cfca55c..9b9eb1db86 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -154,6 +154,111 @@ Then perform the following commands on the root folder: - `terraform destroy` to destroy the built infrastructure +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no | +| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | +| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | +| cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | object | `` | no | +| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | string | `"null"` | no | +| cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | map(string) | `` | no | +| configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | string | `"false"` | no | +| create\_service\_account | Defines if service account specified to run nodes should be created. | bool | `"true"` | no | +| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. 
| object | `` | no | +| default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no | +| deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | bool | `"false"` | no | +| description | The description of the cluster | string | `""` | no | +| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | +| enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no | +| enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no | +| enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | bool | `"false"` | no | +| enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | bool | `"false"` | no | +| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"true"` | no | +| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no | +| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no | +| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no | +| http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no | +| identity\_namespace | Workload Identity namespace. 
(Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | string | `"enabled"` | no | +| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no | +| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | bool | `"false"` | no | +| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no | +| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes | +| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes | +| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | bool | `"false"` | no | +| istio | Istio configs | object | `` | no | +| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no | +| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no | +| maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | string | `""` | no | +| maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | string | `""` | no | +| maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | string | `"05:00"` | no | +| master\_authorized\_networks | List of master authorized networks. 
If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | object | `` | no | +| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | string | `"10.0.0.0/28"` | no | +| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com/kubernetes"` | no | +| name | The name of the cluster (required) | string | n/a | yes | +| network | The VPC network to host the cluster in (required) | string | n/a | yes | +| network\_policy | Enable network policy addon | bool | `"true"` | no | +| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no | +| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | +| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"SECURE"` | no | +| node\_pools | List of maps containing node pools | list(map(string)) | `` | no | +| node\_pools\_labels | Map of maps containing node labels by node-pool name | map(map(string)) | `` | no | +| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map(map(string)) | `` | no | +| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map(list(string)) | `` | no | +| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no | +| node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `` | no | +| node\_version | The Kubernetes version of the node pools. 
Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no | +| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `` | no | +| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `` | no | +| project\_id | The project ID to host the cluster in (required) | string | n/a | yes | +| region | The region to host the cluster in (optional if zonal cluster / required if regional) | string | `"null"` | no | +| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | +| registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. | string | `""` | no | +| release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | string | `"null"` | no | +| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no | +| resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no | +| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no | +| service\_account | The service account to run nodes as if not overridden in `node_pools`. 
The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no | +| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | bool | `"false"` | no | +| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no | +| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | +| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list(string) | `` | no | +| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list(string) | `` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| ca\_certificate | Cluster ca certificate (base64 encoded) | +| cloudrun\_enabled | Whether CloudRun enabled | +| endpoint | Cluster endpoint | +| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | +| http\_load\_balancing\_enabled | Whether http load balancing enabled | +| identity\_namespace | Workload Identity namespace | +| intranode\_visibility\_enabled | Whether intra-node visibility is enabled | +| istio\_enabled | Whether Istio is enabled | +| location | Cluster location (region if regional cluster, zone if zonal cluster) | +| logging\_service | Logging service used | +| master\_authorized\_networks\_config | Networks from which access to master is permitted | +| master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network | +| master\_version | Current master kubernetes version | +| min\_master\_version | Minimum master kubernetes version | +| monitoring\_service | Monitoring service used | +| name | Cluster name | +| network\_policy\_enabled | Whether network policy enabled | +| node\_pools\_names | List of 
node pools names | +| node\_pools\_versions | List of node pools versions | +| pod\_security\_policy\_enabled | Whether pod security policy is enabled | +| region | Cluster region | +| release\_channel | The release channel of this cluster | +| service\_account | The service account to default running nodes as if not overridden in `node_pools`. | +| type | Cluster type (regional / zonal) | +| vertical\_pod\_autoscaling\_enabled | Whether veritical pod autoscaling is enabled | +| zones | List of zones in which the cluster resides | + ## node_pools variable diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index d247cce952..f8d29de0fa 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -131,7 +131,7 @@ resource "google_container_cluster" "primary" { istio_config { disabled = var.istio.disabled - auth = var.istio.auth != null ? var.istio.auth : "AUTH_MUTUAL_TLS" + auth = var.istio.auth != "" ? var.istio.auth : "AUTH_MUTUAL_TLS" } dynamic "cloudrun_config" { diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index fda7259d69..bb59ba5617 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -387,7 +387,7 @@ variable "istio" { }) default = { disabled = true - auth = null + auth = "" } } diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index fd66aee51e..1ef88b3b3b 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -132,6 +132,111 @@ Then perform the following commands on the root folder: - `terraform destroy` to destroy the built infrastructure +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no | +| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | +| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | +| cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | object | `` | no | +| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | string | `"null"` | no | +| cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | map(string) | `` | no | +| configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | string | `"false"` | no | +| create\_service\_account | Defines if service account specified to run nodes should be created. | bool | `"true"` | no | +| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. 
| object | `` | no | +| default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no | +| deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | bool | `"false"` | no | +| description | The description of the cluster | string | `""` | no | +| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | +| enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no | +| enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no | +| enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | bool | `"false"` | no | +| enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | bool | `"false"` | no | +| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"true"` | no | +| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no | +| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no | +| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no | +| http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no | +| identity\_namespace | Workload Identity namespace. 
(Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | string | `"enabled"` | no | +| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no | +| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | bool | `"false"` | no | +| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no | +| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes | +| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes | +| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | bool | `"false"` | no | +| istio | Istio configs | object | `` | no | +| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no | +| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no | +| maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | string | `""` | no | +| maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | string | `""` | no | +| maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | string | `"05:00"` | no | +| master\_authorized\_networks | List of master authorized networks. 
If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | object | `` | no | +| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | string | `"10.0.0.0/28"` | no | +| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com/kubernetes"` | no | +| name | The name of the cluster (required) | string | n/a | yes | +| network | The VPC network to host the cluster in (required) | string | n/a | yes | +| network\_policy | Enable network policy addon | bool | `"true"` | no | +| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no | +| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | +| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"SECURE"` | no | +| node\_pools | List of maps containing node pools | list(map(string)) | `` | no | +| node\_pools\_labels | Map of maps containing node labels by node-pool name | map(map(string)) | `` | no | +| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map(map(string)) | `` | no | +| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map(list(string)) | `` | no | +| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no | +| node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `` | no | +| node\_version | The Kubernetes version of the node pools. 
Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no | +| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `` | no | +| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `` | no | +| project\_id | The project ID to host the cluster in (required) | string | n/a | yes | +| region | The region to host the cluster in (optional if zonal cluster / required if regional) | string | `"null"` | no | +| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | +| registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. | string | `""` | no | +| release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | string | `"null"` | no | +| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no | +| resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no | +| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no | +| service\_account | The service account to run nodes as if not overridden in `node_pools`. 
The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no | +| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | bool | `"false"` | no | +| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no | +| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | +| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list(string) | `` | no | +| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list(string) | `` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| ca\_certificate | Cluster ca certificate (base64 encoded) | +| cloudrun\_enabled | Whether CloudRun enabled | +| endpoint | Cluster endpoint | +| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | +| http\_load\_balancing\_enabled | Whether http load balancing enabled | +| identity\_namespace | Workload Identity namespace | +| intranode\_visibility\_enabled | Whether intra-node visibility is enabled | +| istio\_enabled | Whether Istio is enabled | +| location | Cluster location (region if regional cluster, zone if zonal cluster) | +| logging\_service | Logging service used | +| master\_authorized\_networks\_config | Networks from which access to master is permitted | +| master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network | +| master\_version | Current master kubernetes version | +| min\_master\_version | Minimum master kubernetes version | +| monitoring\_service | Monitoring service used | +| name | Cluster name | +| network\_policy\_enabled | Whether network policy enabled | +| node\_pools\_names | List of 
node pools names | +| node\_pools\_versions | List of node pools versions | +| pod\_security\_policy\_enabled | Whether pod security policy is enabled | +| region | Cluster region | +| release\_channel | The release channel of this cluster | +| service\_account | The service account to default running nodes as if not overridden in `node_pools`. | +| type | Cluster type (regional / zonal) | +| vertical\_pod\_autoscaling\_enabled | Whether veritical pod autoscaling is enabled | +| zones | List of zones in which the cluster resides | + ## node_pools variable diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index f2518b5e69..2a85a08889 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -131,7 +131,7 @@ resource "google_container_cluster" "primary" { istio_config { disabled = var.istio.disabled - auth = var.istio.auth != null ? var.istio.auth : "AUTH_MUTUAL_TLS" + auth = var.istio.auth != "" ? var.istio.auth : "AUTH_MUTUAL_TLS" } dynamic "cloudrun_config" { diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index fda7259d69..bb59ba5617 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -387,7 +387,7 @@ variable "istio" { }) default = { disabled = true - auth = null + auth = "" } } diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 208096e8c4..c5c8ae0faa 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -114,6 +114,106 @@ Then perform the following commands on the root folder: - `terraform destroy` to destroy the built infrastructure +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no | +| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | +| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | +| cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | object | `` | no | +| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | string | `"null"` | no | +| cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | map(string) | `` | no | +| configure\_ip\_masq | Enables the installation of ip masquerading, which is usually no longer required when using aliasied IP addresses. IP masquerading uses a kubectl call, so when you have a private cluster, you will need access to the API server. | string | `"false"` | no | +| create\_service\_account | Defines if service account specified to run nodes should be created. | bool | `"true"` | no | +| database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. 
| object | `` | no | +| default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no | +| description | The description of the cluster | string | `""` | no | +| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | +| enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no | +| enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no | +| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"true"` | no | +| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no | +| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no | +| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no | +| http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no | +| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `[project_id].svc.id.goog`) | string | `"enabled"` | no | +| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no | +| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). 
| bool | `"false"` | no | +| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no | +| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes | +| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes | +| issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | bool | `"false"` | no | +| istio | Istio configs | object | `` | no | +| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no | +| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no | +| maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | string | `""` | no | +| maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | string | `""` | no | +| maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | string | `"05:00"` | no | +| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | object | `` | no | +| monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. 
VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | string | `"monitoring.googleapis.com/kubernetes"` | no | +| name | The name of the cluster (required) | string | n/a | yes | +| network | The VPC network to host the cluster in (required) | string | n/a | yes | +| network\_policy | Enable network policy addon | bool | `"true"` | no | +| network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no | +| network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no | +| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"SECURE"` | no | +| node\_pools | List of maps containing node pools | list(map(string)) | `` | no | +| node\_pools\_labels | Map of maps containing node labels by node-pool name | map(map(string)) | `` | no | +| node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map(map(string)) | `` | no | +| node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map(list(string)) | `` | no | +| node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no | +| node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `` | no | +| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no | +| non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `` | no | +| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. 
If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `` | no | +| project\_id | The project ID to host the cluster in (required) | string | n/a | yes | +| region | The region to host the cluster in (optional if zonal cluster / required if regional) | string | `"null"` | no | +| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | +| registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. | string | `""` | no | +| release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | string | `"null"` | no | +| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no | +| resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no | +| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no | +| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no | +| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. 
| bool | `"false"` | no | +| stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no | +| subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | +| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list(string) | `` | no | +| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list(string) | `` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| ca\_certificate | Cluster ca certificate (base64 encoded) | +| cloudrun\_enabled | Whether CloudRun enabled | +| endpoint | Cluster endpoint | +| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | +| http\_load\_balancing\_enabled | Whether http load balancing enabled | +| identity\_namespace | Workload Identity namespace | +| intranode\_visibility\_enabled | Whether intra-node visibility is enabled | +| istio\_enabled | Whether Istio is enabled | +| location | Cluster location (region if regional cluster, zone if zonal cluster) | +| logging\_service | Logging service used | +| master\_authorized\_networks\_config | Networks from which access to master is permitted | +| master\_version | Current master kubernetes version | +| min\_master\_version | Minimum master kubernetes version | +| monitoring\_service | Monitoring service used | +| name | Cluster name | +| network\_policy\_enabled | Whether network policy enabled | +| node\_pools\_names | List of node pools names | +| node\_pools\_versions | List of node pools versions | +| pod\_security\_policy\_enabled | Whether pod security policy is enabled | +| region | Cluster region | +| release\_channel | The release channel of this cluster | +| service\_account | The service account to default running nodes as if not overridden in `node_pools`. 
| +| type | Cluster type (regional / zonal) | +| vertical\_pod\_autoscaling\_enabled | Whether veritical pod autoscaling is enabled | +| zones | List of zones in which the cluster resides | + ## node_pools variable diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 2bc35c7535..f72af4db28 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -131,7 +131,7 @@ resource "google_container_cluster" "primary" { istio_config { disabled = var.istio.disabled - auth = var.istio.auth != null ? var.istio.auth : "AUTH_MUTUAL_TLS" + auth = var.istio.auth != "" ? var.istio.auth : "AUTH_MUTUAL_TLS" } dynamic "cloudrun_config" { diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index a93f06dfdb..b06b132df9 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -363,7 +363,7 @@ variable "istio" { }) default = { disabled = true - auth = null + auth = "" } } diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md index a813efd182..b11feb171d 100644 --- a/modules/safer-cluster-update-variant/README.md +++ b/modules/safer-cluster-update-variant/README.md 
@@ -217,7 +217,7 @@ For simplicity, we suggest using `roles/container.admin` and | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes | | ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes | -| istio | (Beta) Enable Istio addon | string | `"false"` | no | +| istio | Istio configs | object | `` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. | string | `"latest"` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no | | maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no | diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf index c5a87248e1..3df8949473 100644 --- a/modules/safer-cluster-update-variant/variables.tf +++ b/modules/safer-cluster-update-variant/variables.tf @@ -227,8 +227,15 @@ variable "master_ipv4_cidr_block" { } variable "istio" { - description = "(Beta) Enable Istio addon" - default = false + description = "Istio configs" + type = object({ + disabled = bool + auth = string + }) + default = { + disabled = true + auth = "" + } } variable "default_max_pods_per_node" { diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md index a813efd182..b11feb171d 100644 --- a/modules/safer-cluster/README.md +++ b/modules/safer-cluster/README.md 
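Review bot: The new `istio` variable is under-documented: `description = "Istio configs"` says nothing about what `disabled` and `auth` mean or which values `auth` accepts, and the README row on the same line inherits that wording. Suggest something like `description = "Istio addon configuration: disabled (bool) turns the addon off; auth (string) selects the Istio mTLS mode, an empty string meaning the module default of AUTH_MUTUAL_TLS"` — the empty-string fallback is what the beta-*-cluster cluster.tf hunks above implement, on the assumption that safer-cluster forwards this object to one of those modules. The identical variable in the safer-cluster variables.tf hunk on the next line should get the same description.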
@@ -217,7 +217,7 @@ For simplicity, we suggest using `roles/container.admin` and | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no | | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes | | ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes | -| istio | (Beta) Enable Istio addon | string | `"false"` | no | +| istio | Istio configs | object | `` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. | string | `"latest"` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no | | maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no | diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf index c5a87248e1..3df8949473 100644 --- a/modules/safer-cluster/variables.tf +++ b/modules/safer-cluster/variables.tf @@ -227,8 +227,15 @@ variable "master_ipv4_cidr_block" { } variable "istio" { - description = "(Beta) Enable Istio addon" - default = false + description = "Istio configs" + type = object({ + disabled = bool + auth = string + }) + default = { + disabled = true + auth = "" + } } variable "default_max_pods_per_node" { From ba0adcb80269c331c0482f0c7a8657128a3b002c Mon Sep 17 00:00:00 2001 From: bharathkkb Date: Sat, 21 Mar 2020 21:54:42 -0500 Subject: [PATCH 3/7] fix test --- test/fixtures/sandbox_enabled/example.tf | 1 + 1 file changed, 1 insertion(+) 
diff --git a/test/fixtures/sandbox_enabled/example.tf b/test/fixtures/sandbox_enabled/example.tf index 73cc9e6ebc..35304f94c6 100644 --- a/test/fixtures/sandbox_enabled/example.tf +++ b/test/fixtures/sandbox_enabled/example.tf @@ -27,6 +27,7 @@ module "example" { compute_engine_service_account = var.compute_engine_service_accounts[0] istio = { disabled = true + auth = "" } cloudrun = false node_metadata = "UNSPECIFIED" From b059659e9b06a9ea5c36a732be76a7e6343587ae Mon Sep 17 00:00:00 2001 From: bharathkkb Date: Sun, 29 Mar 2020 23:02:09 -0500 Subject: [PATCH 4/7] keep istio config flat --- README.md | 18 ++++++------- autogen/main/README.md | 23 +++++++--------- autogen/main/cluster.tf.tmpl | 4 +-- autogen/main/variables.tf.tmpl | 17 ++++++------ examples/simple_regional_beta/README.md | 2 +- examples/simple_regional_beta/variables.tf | 7 ++--- .../README.md | 26 +++++++++---------- .../cluster.tf | 4 +-- .../variables.tf | 17 ++++++------ modules/beta-private-cluster/README.md | 26 +++++++++---------- modules/beta-private-cluster/cluster.tf | 4 +-- modules/beta-private-cluster/variables.tf | 17 ++++++------ modules/beta-public-cluster/README.md | 26 +++++++++---------- modules/beta-public-cluster/cluster.tf | 4 +-- modules/beta-public-cluster/variables.tf | 17 ++++++------ .../private-cluster-update-variant/README.md | 18 ++++++------- modules/private-cluster/README.md | 18 ++++++------- test/fixtures/beta_cluster/main.tf | 5 +--- test/fixtures/sandbox_enabled/example.tf | 13 ++++------ 19 files changed, 122 insertions(+), 144 deletions(-) diff --git a/README.md b/README.md index 61b664aca8..421f441b47 100644 --- a/README.md +++ b/README.md 
@@ -187,15 +187,15 @@ Then perform the following commands on the root folder: ## node_pools variable The node_pools variable takes the following parameters: -| Name | Description | Default | Requirement | -| --- | --- | --- | --- | -| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | -| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| auto_repair | Whether the nodes will be automatically repaired | true | Optional | -| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | -| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | -| disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100GB | Optional | -| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | +| Name | Description | Default | Requirement | +| ----------------- | ------------------------------------------------------------------------------------------------------------- | ----------------------------- | ----------- | +| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | +| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | +| auto_repair | Whether the nodes will be automatically repaired | true | Optional | +| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | +| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | +| disk_size_gb | Size of the disk attached to each node, specified in GB. 
The smallest allowed disk size is 10GB | 100GB | Optional | +| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node | 0 | Optional | diff --git a/autogen/main/README.md b/autogen/main/README.md index f6275a3280..7c9882425e 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md @@ -82,10 +82,7 @@ module "gke" { master_ipv4_cidr_block = "10.0.0.0/28" {% endif %} {% if beta_cluster %} - istio = { - disabled = false - auth = "AUTH_MUTUAL_TLS" - } + istio = true cloudrun = true {% endif %} 
@@ -170,15 +167,15 @@ Then perform the following commands on the root folder: ## node_pools variable The node_pools variable takes the following parameters: -| Name | Description | Default | Requirement | -| --- | --- | --- | --- | -| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | -| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| auto_repair | Whether the nodes will be automatically repaired | true | Optional | -| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | -| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | -| disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100GB | Optional | -| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | +| Name | Description | Default | Requirement | +| ----------------- | ------------------------------------------------------------------------------------------------------------- | ----------------------------- | ----------- | +| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | +| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | +| auto_repair | Whether the nodes will be automatically repaired | true | Optional | +| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | +| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | +| disk_size_gb | Size of the disk attached to each node, specified in GB. 
The smallest allowed disk size is 10GB | 100GB | Optional | +| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | {% if beta_cluster %} | effect | Effect for the taint | | Required | {% endif %} diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 8b06c4e91d..6f326a67fc 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -145,8 +145,8 @@ resource "google_container_cluster" "primary" { {% if beta_cluster %} istio_config { - disabled = var.istio.disabled - auth = var.istio.auth != "" ? var.istio.auth : "AUTH_MUTUAL_TLS" + disabled = ! var.istio + auth = var.istio_auth } dynamic "cloudrun_config" { diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 1f8517f391..6eb57b4e49 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -387,15 +387,14 @@ variable "master_ipv4_cidr_block" { {% if beta_cluster %} variable "istio" { - description = "Istio configs" - type = object({ - disabled = bool - auth = string - }) - default = { - disabled = true - auth = "" - } + description = "(Beta) Enable Istio addon" + default = false +} + +variable "istio_auth" { + type = string + description = "(Beta) The authentication type between services in Istio." + default = "AUTH_MUTUAL_TLS" } variable "database_encryption" { diff --git a/examples/simple_regional_beta/README.md b/examples/simple_regional_beta/README.md index 4fdd43c154..9b31404baf 100644 --- a/examples/simple_regional_beta/README.md +++ b/examples/simple_regional_beta/README.md 
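Review bot: `variable "istio"` in the variables.tf.tmpl hunk declares no `type`, so callers can pass it a string and the generated README tables further down document it as `string` with default `"false"`, while `istio_auth` in the same hunk does set `type = string`; adding `type = bool` above `description = "(Beta) Enable Istio addon"` makes `disabled = ! var.istio` in the cluster.tf.tmpl hunk operate on a typed boolean and corrects the rendered doc. `istio_auth` is then forwarded unchecked as `auth = var.istio_auth`, and its description neither names the default nor says what a non-default value means for the cluster. I would extend it to `description = "(Beta) The authentication type between services in Istio. Defaults to AUTH_MUTUAL_TLS; any other value leaves service-to-service traffic without mutual TLS, so change it deliberately."` and, if the module's minimum Terraform version already permits `validation` blocks, reject unknown values there rather than at apply time. The same pair of hunks is repeated verbatim for beta-private-cluster-update-variant, beta-private-cluster and beta-public-cluster below; since those are generated from this template, fixing it here covers them.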
@@ -14,7 +14,7 @@ This example illustrates how to create a simple cluster with beta features. | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes | | ip\_range\_services | The secondary ip range to use for services | string | n/a | yes | -| istio | Istio Config | map | `` | no | +| istio | Boolean to enable / disable Istio | string | `"true"` | no | | network | The VPC network to host the cluster in | string | n/a | yes | | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"SECURE"` | no | | node\_pools | List of maps containing node pools | list(map(string)) | `` | no | diff --git a/examples/simple_regional_beta/variables.tf b/examples/simple_regional_beta/variables.tf index ff6c324d17..496b42f45a 100644 --- a/examples/simple_regional_beta/variables.tf +++ b/examples/simple_regional_beta/variables.tf @@ -48,11 +48,8 @@ variable "compute_engine_service_account" { } variable "istio" { - description = "Istio Config" - default = { - disabled = false - auth = "AUTH_MUTUAL_TLS" - } + description = "Boolean to enable / disable Istio" + default = true } variable "cloudrun" { diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 9b9eb1db86..bf457aaf66 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -74,10 +74,7 @@ module "gke" { enable_private_endpoint = true enable_private_nodes = true master_ipv4_cidr_block = "10.0.0.0/28" - istio = { - disabled = false - auth = "AUTH_MUTUAL_TLS" - } + istio = true cloudrun = true node_pools = [ 
@@ -189,7 +186,8 @@ Then perform the following commands on the root folder: | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes | | ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | bool | `"false"` | no | -| istio | Istio configs | object | `` | no | +| istio | (Beta) Enable Istio addon | string | `"false"` | no | +| istio\_auth | (Beta) The authentication type between services in Istio. | string | `"AUTH_MUTUAL_TLS"` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | string | `""` | no | 
@@ -264,15 +262,15 @@ Then perform the following commands on the root folder: ## node_pools variable The node_pools variable takes the following parameters: -| Name | Description | Default | Requirement | -| --- | --- | --- | --- | -| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | -| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| auto_repair | Whether the nodes will be automatically repaired | true | Optional | -| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | -| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | -| disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100GB | Optional | -| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | +| Name | Description | Default | Requirement | +| ----------------- | ------------------------------------------------------------------------------------------------------------- | ----------------------------- | ----------- | +| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | +| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | +| auto_repair | Whether the nodes will be automatically repaired | true | Optional | +| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | +| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | +| disk_size_gb | Size of the disk attached to each node, specified in GB. 
The smallest allowed disk size is 10GB | 100GB | Optional | +| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index f8d29de0fa..b5c743fe18 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -130,8 +130,8 @@ resource "google_container_cluster" "primary" { } istio_config { - disabled = var.istio.disabled - auth = var.istio.auth != "" ? var.istio.auth : "AUTH_MUTUAL_TLS" + disabled = ! var.istio + auth = var.istio_auth } dynamic "cloudrun_config" { diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index bb59ba5617..87961c90e5 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -380,15 +380,14 @@ variable "master_ipv4_cidr_block" { } variable "istio" { - description = "Istio configs" - type = object({ - disabled = bool - auth = string - }) - default = { - disabled = true - auth = "" - } + description = "(Beta) Enable Istio addon" + default = false +} + +variable "istio_auth" { + type = string + description = "(Beta) The authentication type between services in Istio." + default = "AUTH_MUTUAL_TLS" } variable "database_encryption" { 
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 1ef88b3b3b..502d4f51b3 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -52,10 +52,7 @@ module "gke" { enable_private_endpoint = true enable_private_nodes = true master_ipv4_cidr_block = "10.0.0.0/28" - istio = { - disabled = false - auth = "AUTH_MUTUAL_TLS" - } + istio = true cloudrun = true node_pools = [ @@ -167,7 +164,8 @@ Then perform the following commands on the root folder: | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes | | ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | bool | `"false"` | no | -| istio | Istio configs | object | `` | no | +| istio | (Beta) Enable Istio addon | string | `"false"` | no | +| istio\_auth | (Beta) The authentication type between services in Istio. | string | `"AUTH_MUTUAL_TLS"` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | string | `""` | no | 
@@ -242,15 +240,15 @@ Then perform the following commands on the root folder: ## node_pools variable The node_pools variable takes the following parameters: -| Name | Description | Default | Requirement | -| --- | --- | --- | --- | -| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | -| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| auto_repair | Whether the nodes will be automatically repaired | true | Optional | -| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | -| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | -| disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100GB | Optional | -| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | +| Name | Description | Default | Requirement | +| ----------------- | ------------------------------------------------------------------------------------------------------------- | ----------------------------- | ----------- | +| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | +| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | +| auto_repair | Whether the nodes will be automatically repaired | true | Optional | +| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | +| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | +| disk_size_gb | Size of the disk attached to each node, specified in GB. 
The smallest allowed disk size is 10GB | 100GB | Optional | +| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 2a85a08889..efa0344828 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -130,8 +130,8 @@ resource "google_container_cluster" "primary" { } istio_config { - disabled = var.istio.disabled - auth = var.istio.auth != "" ? var.istio.auth : "AUTH_MUTUAL_TLS" + disabled = ! var.istio + auth = var.istio_auth } dynamic "cloudrun_config" { diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index bb59ba5617..87961c90e5 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -380,15 +380,14 @@ variable "master_ipv4_cidr_block" { } variable "istio" { - description = "Istio configs" - type = object({ - disabled = bool - auth = string - }) - default = { - disabled = true - auth = "" - } + description = "(Beta) Enable Istio addon" + default = false +} + +variable "istio_auth" { + type = string + description = "(Beta) The authentication type between services in Istio." + default = "AUTH_MUTUAL_TLS" } variable "database_encryption" { diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index c5c8ae0faa..c59e2856ba 100644 --- a/modules/beta-public-cluster/README.md 
+++ b/modules/beta-public-cluster/README.md @@ -34,10 +34,7 @@ module "gke" { http_load_balancing = false horizontal_pod_autoscaling = true network_policy = true - istio = { - disabled = false - auth = "AUTH_MUTUAL_TLS" - } + istio = true cloudrun = true node_pools = [ @@ -146,7 +143,8 @@ Then perform the following commands on the root folder: | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes | | ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | bool | `"false"` | no | -| istio | Istio configs | object | `` | no | +| istio | (Beta) Enable Istio addon | string | `"false"` | no | +| istio\_auth | (Beta) The authentication type between services in Istio. | string | `"AUTH_MUTUAL_TLS"` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | string | `"latest"` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | string | `""` | no | 
@@ -219,15 +217,15 @@ Then perform the following commands on the root folder: ## node_pools variable The node_pools variable takes the following parameters: -| Name | Description | Default | Requirement | -| --- | --- | --- | --- | -| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | -| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| auto_repair | Whether the nodes will be automatically repaired | true | Optional | -| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | -| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | -| disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100GB | Optional | -| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | +| Name | Description | Default | Requirement | +| ----------------- | ------------------------------------------------------------------------------------------------------------- | ----------------------------- | ----------- | +| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | +| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | +| auto_repair | Whether the nodes will be automatically repaired | true | Optional | +| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | +| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | +| disk_size_gb | Size of the disk attached to each node, specified in GB. 
The smallest allowed disk size is 10GB | 100GB | Optional | +| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index f72af4db28..f89a14a470 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -130,8 +130,8 @@ resource "google_container_cluster" "primary" { } istio_config { - disabled = var.istio.disabled - auth = var.istio.auth != "" ? var.istio.auth : "AUTH_MUTUAL_TLS" + disabled = ! var.istio + auth = var.istio_auth } dynamic "cloudrun_config" { diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index b06b132df9..a9722b15ef 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -356,15 +356,14 @@ variable "default_max_pods_per_node" { } variable "istio" { - description = "Istio configs" - type = object({ - disabled = bool - auth = string - }) - default = { - disabled = true - auth = "" - } + description = "(Beta) Enable Istio addon" + default = false +} + +variable "istio_auth" { + type = string + description = "(Beta) The authentication type between services in Istio." + default = "AUTH_MUTUAL_TLS" } variable "database_encryption" { diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 27b9641271..dd5cfcb29d 100644 
--- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -232,15 +232,15 @@ Then perform the following commands on the root folder: ## node_pools variable The node_pools variable takes the following parameters: -| Name | Description | Default | Requirement | -| --- | --- | --- | --- | -| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | -| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| auto_repair | Whether the nodes will be automatically repaired | true | Optional | -| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | -| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | -| disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100GB | Optional | -| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | +| Name | Description | Default | Requirement | +| ----------------- | ------------------------------------------------------------------------------------------------------------- | ----------------------------- | ----------- | +| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | +| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | +| auto_repair | Whether the nodes will be automatically repaired | true | Optional | +| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | +| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | +| disk_size_gb | Size of the disk attached to each node, specified in GB. 
The smallest allowed disk size is 10GB | 100GB | Optional | +| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node | 0 | Optional | diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index c341638dd4..b58ece6c9b 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -210,15 +210,15 @@ Then perform the following commands on the root folder: ## node_pools variable The node_pools variable takes the following parameters: -| Name | Description | Default | Requirement | -| --- | --- | --- | --- | -| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | -| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| auto_repair | Whether the nodes will be automatically repaired | true | Optional | -| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | -| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | -| disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100GB | Optional | -| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | +| Name | Description | Default | Requirement | +| ----------------- | ------------------------------------------------------------------------------------------------------------- | ----------------------------- | ----------- | +| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | +| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | +| auto_repair | Whether the nodes will be automatically repaired | true | Optional | +| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | +| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | +| disk_size_gb | Size of the disk attached to each node, specified in GB. 
The smallest allowed disk size is 10GB | 100GB | Optional | +| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node | 0 | Optional | diff --git a/test/fixtures/beta_cluster/main.tf b/test/fixtures/beta_cluster/main.tf index b2608e21bf..82f65126b4 100644 --- a/test/fixtures/beta_cluster/main.tf +++ b/test/fixtures/beta_cluster/main.tf @@ -45,10 +45,7 @@ module "this" { compute_engine_service_account = "create" // Beta features - istio = { - disabled = false - auth = "AUTH_MUTUAL_TLS" - } + istio = true database_encryption = [{ state = "ENCRYPTED" diff --git a/test/fixtures/sandbox_enabled/example.tf b/test/fixtures/sandbox_enabled/example.tf index 35304f94c6..920c5e179f 100644 --- a/test/fixtures/sandbox_enabled/example.tf +++ b/test/fixtures/sandbox_enabled/example.tf @@ -25,14 +25,11 @@ module "example" { ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name compute_engine_service_account = var.compute_engine_service_accounts[0] - istio = { - disabled = true - auth = "" - } - cloudrun = false - node_metadata = "UNSPECIFIED" - sandbox_enabled = true - remove_default_node_pool = true + istio = false + cloudrun = false + node_metadata = "UNSPECIFIED" + sandbox_enabled = true + remove_default_node_pool = true node_pools = [ { From 7f49f5454f03ed6a2ba39cdb704cc624bd6c5e0f Mon Sep 17 00:00:00 2001 
From: bharathkkb Date: Mon, 30 Mar 2020 01:38:28 -0500 Subject: [PATCH 5/7] lint --- README.md | 18 +++++++++--------- autogen/main/README.md | 18 +++++++++--------- autogen/safer-cluster/main.tf.tmpl | 4 +++- autogen/safer-cluster/variables.tf.tmpl | 17 ++++++++--------- .../README.md | 18 +++++++++--------- modules/beta-private-cluster/README.md | 18 +++++++++--------- modules/beta-public-cluster/README.md | 18 +++++++++--------- .../private-cluster-update-variant/README.md | 18 +++++++++--------- modules/private-cluster/README.md | 18 +++++++++--------- modules/safer-cluster-update-variant/README.md | 3 ++- modules/safer-cluster-update-variant/main.tf | 4 +++- .../safer-cluster-update-variant/variables.tf | 17 ++++++++--------- modules/safer-cluster/README.md | 3 ++- modules/safer-cluster/main.tf | 4 +++- modules/safer-cluster/variables.tf | 17 ++++++++--------- 15 files changed, 100 insertions(+), 95 deletions(-) diff --git a/README.md b/README.md index 421f441b47..61b664aca8 100644 --- a/README.md +++ b/README.md 
@@ -187,15 +187,15 @@ Then perform the following commands on the root folder: ## node_pools variable The node_pools variable takes the following parameters: -| Name | Description | Default | Requirement | -| ----------------- | ------------------------------------------------------------------------------------------------------------- | ----------------------------- | ----------- | -| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | -| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| auto_repair | Whether the nodes will be automatically repaired | true | Optional | -| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | -| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | -| disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100GB | Optional | -| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | +| Name | Description | Default | Requirement | +| --- | --- | --- | --- | +| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | +| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | +| auto_repair | Whether the nodes will be automatically repaired | true | Optional | +| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | +| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | +| disk_size_gb | Size of the disk attached to each node, specified in GB. 
The smallest allowed disk size is 10GB | 100GB | Optional | +| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node | 0 | Optional | diff --git a/autogen/main/README.md b/autogen/main/README.md index 7c9882425e..abe1bb2af6 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md 
@@ -167,15 +167,15 @@ Then perform the following commands on the root folder: ## node_pools variable The node_pools variable takes the following parameters: -| Name | Description | Default | Requirement | -| ----------------- | ------------------------------------------------------------------------------------------------------------- | ----------------------------- | ----------- | -| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | -| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| auto_repair | Whether the nodes will be automatically repaired | true | Optional | -| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | -| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | -| disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100GB | Optional | -| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | +| Name | Description | Default | Requirement | +| --- | --- | --- | --- | +| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | +| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | +| auto_repair | Whether the nodes will be automatically repaired | true | Optional | +| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | +| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | +| disk_size_gb | Size of the disk attached to each node, specified in GB. 
The smallest allowed disk size is 10GB | 100GB | Optional |
+| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 {% if beta_cluster %}
 | effect | Effect for the taint | | Required |
 {% endif %}
diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl
index 22fdc9c05c..ecec2e4bd3 100644
--- a/autogen/safer-cluster/main.tf.tmpl
+++ b/autogen/safer-cluster/main.tf.tmpl
@@ -116,7 +116,9 @@ module "gke" {
 master_ipv4_cidr_block = var.master_ipv4_cidr_block
 // Istio is recommended for pod-to-pod communications.
- istio = var.istio
+ istio = var.istio
+ istio_auth = var.istio_auth
+ cloudrun = var.cloudrun
 default_max_pods_per_node = var.default_max_pods_per_node
diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl
index cb83e1aa87..5125273689 100644
--- a/autogen/safer-cluster/variables.tf.tmpl
+++ b/autogen/safer-cluster/variables.tf.tmpl
@@ -227,15 +227,14 @@ variable "master_ipv4_cidr_block" {
 }
 variable "istio" {
- description = "Istio configs"
- type = object({
- disabled = bool
- auth = string
- })
- default = {
- disabled = true
- auth = ""
- }
+ description = "(Beta) Enable Istio addon"
+ default = false
+}
+
+variable "istio_auth" {
+ type = string
+ description = "(Beta) The authentication type between services in Istio."
+ default = "AUTH_MUTUAL_TLS"
 }
 variable "default_max_pods_per_node" {
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index bf457aaf66..1873582491 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
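Review bot: `cloudrun = var.cloudrun` is new in the main.tf.tmpl hunk, but nothing in the patches shown declares a `cloudrun` variable for the safer-cluster template and the diffstat on the commit record shows the variables.tf.tmpl change accounted for entirely by the istio block, so this line only validates if `var.cloudrun` already exists there; worth confirming. The same line is added in the generated modules/safer-cluster-update-variant/main.tf and modules/safer-cluster/main.tf hunks. The module "gke" block starts and ends outside the hunk.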
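Review bot: `istio_auth` in the new variables.tf.tmpl block accepts any string, and its description says neither which values the provider accepts nor that only the default keeps service-to-service traffic under mutual TLS, which is the property a hardened-cluster module is supposed to guarantee; the identical block is repeated in the generated modules/safer-cluster-update-variant/variables.tf and modules/safer-cluster/variables.tf hunks. Suggest `description = "(Beta) The authentication type between services in Istio. Only the default, AUTH_MUTUAL_TLS, enforces mutual TLS between workloads; other values weaken pod-to-pod authentication."` and, if the Terraform version pinned by the module supports variable validation, a validation block restricting the value to the auth modes the provider accepts. Separately, `variable "istio"` gets `default = false` but no type, unlike `istio_auth` which declares `type = string`; adding `type = bool` rejects non-boolean input at plan time and makes the generated README report bool rather than the `string` / `"false"` it shows in the safer-cluster README hunks.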
@@ -262,15 +262,15 @@ Then perform the following commands on the root folder: ## node_pools variable The node_pools variable takes the following parameters: -| Name | Description | Default | Requirement | -| ----------------- | ------------------------------------------------------------------------------------------------------------- | ----------------------------- | ----------- | -| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | -| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| auto_repair | Whether the nodes will be automatically repaired | true | Optional | -| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | -| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | -| disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100GB | Optional | -| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | +| Name | Description | Default | Requirement | +| --- | --- | --- | --- | +| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | +| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | +| auto_repair | Whether the nodes will be automatically repaired | true | Optional | +| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | +| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | +| disk_size_gb | Size of the disk attached to each node, specified in GB. 
The smallest allowed disk size is 10GB | 100GB | Optional | +| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 502d4f51b3..5254e53e2e 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -240,15 +240,15 @@ Then perform the following commands on the root folder: ## node_pools variable The node_pools variable takes the following parameters: -| Name | Description | Default | Requirement | -| ----------------- | ------------------------------------------------------------------------------------------------------------- | ----------------------------- | ----------- | -| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | -| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| auto_repair | Whether the nodes will be automatically repaired | true | Optional | -| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | -| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | -| disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100GB | Optional | -| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | +| Name | Description | Default | Requirement | +| --- | --- | --- | --- | +| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | +| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | +| auto_repair | Whether the nodes will be automatically repaired | true | Optional | +| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | +| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | +| disk_size_gb | Size of the disk attached to each node, specified in GB. 
The smallest allowed disk size is 10GB | 100GB | Optional | +| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index c59e2856ba..64ef38e91b 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -217,15 +217,15 @@ Then perform the following commands on the root folder: ## node_pools variable The node_pools variable takes the following parameters: -| Name | Description | Default | Requirement | -| ----------------- | ------------------------------------------------------------------------------------------------------------- | ----------------------------- | ----------- | -| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | -| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| auto_repair | Whether the nodes will be automatically repaired | true | Optional | -| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | -| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | -| disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100GB | Optional | -| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | +| Name | Description | Default | Requirement | +| --- | --- | --- | --- | +| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | +| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | +| auto_repair | Whether the nodes will be automatically repaired | true | Optional | +| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | +| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | +| disk_size_gb | Size of the disk attached to each node, specified in GB. 
The smallest allowed disk size is 10GB | 100GB | Optional | +| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index dd5cfcb29d..27b9641271 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -232,15 +232,15 @@ Then perform the following commands on the root folder: ## node_pools variable The node_pools variable takes the following parameters: -| Name | Description | Default | Requirement | -| ----------------- | ------------------------------------------------------------------------------------------------------------- | ----------------------------- | ----------- | -| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | -| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| auto_repair | Whether the nodes will be automatically repaired | true | Optional | -| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | -| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | -| disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100GB | Optional | -| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | +| Name | Description | Default | Requirement | +| --- | --- | --- | --- | +| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | +| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | +| auto_repair | Whether the nodes will be automatically repaired | true | Optional | +| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | +| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | +| disk_size_gb | Size of the disk attached to each node, specified in GB. 
The smallest allowed disk size is 10GB | 100GB | Optional | +| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node | 0 | Optional | diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index b58ece6c9b..c341638dd4 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -210,15 +210,15 @@ Then perform the following commands on the root folder: ## node_pools variable The node_pools variable takes the following parameters: -| Name | Description | Default | Requirement | -| ----------------- | ------------------------------------------------------------------------------------------------------------- | ----------------------------- | ----------- | -| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | -| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| auto_repair | Whether the nodes will be automatically repaired | true | Optional | -| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | -| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | -| disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100GB | Optional | -| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | +| Name | Description | Default | Requirement | +| --- | --- | --- | --- | +| accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | +| accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | +| auto_repair | Whether the nodes will be automatically repaired | true | Optional | +| autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | +| auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | +| disk_size_gb | Size of the disk attached to each node, specified in GB. 
The smallest allowed disk size is 10GB | 100GB | Optional | +| disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node | 0 | Optional | diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md index b11feb171d..3ea5b1945e 100644 --- a/modules/safer-cluster-update-variant/README.md +++ b/modules/safer-cluster-update-variant/README.md 
@@ -217,7 +217,8 @@ For simplicity, we suggest using `roles/container.admin` and
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no |
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
-| istio | Istio configs | object | `` | no |
+| istio | (Beta) Enable Istio addon | string | `"false"` | no |
+| istio\_auth | (Beta) The authentication type between services in Istio. | string | `"AUTH_MUTUAL_TLS"` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. | string | `"latest"` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no |
 | maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no |
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf
index db7a575994..9cd0ad3e0c 100644
--- a/modules/safer-cluster-update-variant/main.tf
+++ b/modules/safer-cluster-update-variant/main.tf
@@ -112,7 +112,9 @@ module "gke" {
 master_ipv4_cidr_block = var.master_ipv4_cidr_block
 // Istio is recommended for pod-to-pod communications.
- istio = var.istio
+ istio = var.istio
+ istio_auth = var.istio_auth
+ cloudrun = var.cloudrun
 default_max_pods_per_node = var.default_max_pods_per_node
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf
index 3df8949473..61ad1fce73 100644
--- a/modules/safer-cluster-update-variant/variables.tf
+++ b/modules/safer-cluster-update-variant/variables.tf
@@ -227,15 +227,14 @@ variable "master_ipv4_cidr_block" {
 }
 variable "istio" {
- description = "Istio configs"
- type = object({
- disabled = bool
- auth = string
- })
- default = {
- disabled = true
- auth = ""
- }
+ description = "(Beta) Enable Istio addon"
+ default = false
+}
+
+variable "istio_auth" {
+ type = string
+ description = "(Beta) The authentication type between services in Istio."
+ default = "AUTH_MUTUAL_TLS"
 }
 variable "default_max_pods_per_node" {
diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md
index b11feb171d..3ea5b1945e 100644
--- a/modules/safer-cluster/README.md
+++ b/modules/safer-cluster/README.md
@@ -217,7 +217,8 @@ For simplicity, we suggest using `roles/container.admin` and
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no |
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
-| istio | Istio configs | object | `` | no |
+| istio | (Beta) Enable Istio addon | string | `"false"` | no |
+| istio\_auth | (Beta) The authentication type between services in Istio. | string | `"AUTH_MUTUAL_TLS"` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. | string | `"latest"` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no |
 | maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no |
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf
index c5714e3013..fd12123bed 100644
--- a/modules/safer-cluster/main.tf
+++ b/modules/safer-cluster/main.tf
@@ -112,7 +112,9 @@ module "gke" {
 master_ipv4_cidr_block = var.master_ipv4_cidr_block
 // Istio is recommended for pod-to-pod communications.
- istio = var.istio
+ istio = var.istio
+ istio_auth = var.istio_auth
+ cloudrun = var.cloudrun
 default_max_pods_per_node = var.default_max_pods_per_node
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
index 3df8949473..61ad1fce73 100644
--- a/modules/safer-cluster/variables.tf
+++ b/modules/safer-cluster/variables.tf
@@ -227,15 +227,14 @@ variable "master_ipv4_cidr_block" {
 }
 variable "istio" {
- description = "Istio configs"
- type = object({
- disabled = bool
- auth = string
- })
- default = {
- disabled = true
- auth = ""
- }
+ description = "(Beta) Enable Istio addon"
+ default = false
+}
+
+variable "istio_auth" {
+ type = string
+ description = "(Beta) The authentication type between services in Istio."
+ default = "AUTH_MUTUAL_TLS"
 }
 variable "default_max_pods_per_node" {
From 8b73368bd89f8528a341c458d0d7adfbcff656f4 Mon Sep 17 00:00:00 2001
From: bharathkkb
Date: Mon, 30 Mar 2020 09:43:08 -0500
Subject: [PATCH 6/7] fix examples
---
 examples/safer_cluster/main.tf | 7 +------
 examples/simple_regional_private_beta/variables.tf | 7 ++-----
 2 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/examples/safer_cluster/main.tf b/examples/safer_cluster/main.tf
index a4fe8279ac..b4bae17488 100644
--- a/examples/safer_cluster/main.tf
+++ b/examples/safer_cluster/main.tf
@@ -57,12 +57,7 @@ module "gke" {
 },
 ]
- istio = {
- disabled = false
- auth = "AUTH_MUTUAL_TLS"
- }
- cloudrun = true
-}
+ istio = true
 data "google_client_config" "default" {
 }
diff --git a/examples/simple_regional_private_beta/variables.tf b/examples/simple_regional_private_beta/variables.tf
index c27b86a7b1..b05d008bfd 100644
--- a/examples/simple_regional_private_beta/variables.tf
+++ b/examples/simple_regional_private_beta/variables.tf
@@ -48,11 +48,8 @@ variable "compute_engine_service_account" {
 }
 variable "istio" {
- description = "Istio Config"
- default = {
- disabled = false
- auth = "AUTH_MUTUAL_TLS"
- }
+ description = "Boolean to enable / disable Istio"
+ default = true
 }
 variable "cloudrun" {
From 70feeb66858fb8f31c575a4dc5cda6b32c90e9f8 Mon Sep 17 00:00:00 2001
From: bharathkkb
Date: Mon, 30 Mar 2020 10:23:30 -0500
Subject: [PATCH 7/7] fix examples
---
 examples/safer_cluster/main.tf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/examples/safer_cluster/main.tf b/examples/safer_cluster/main.tf
index b4bae17488..4d6e7e4dbc 100644
--- a/examples/safer_cluster/main.tf
+++ b/examples/safer_cluster/main.tf
@@ -57,7 +57,9 @@ module "gke" {
 },
 ]
- istio = true
+ istio = true
+ cloudrun = true
+}
 data "google_client_config" "default" {
 }
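Review bot: The safer_cluster example enables Istio with `istio = true` but never states the authentication mode, so it inherits whatever the safer-cluster module's `istio_auth` default is instead of demonstrating the mutual-TLS configuration this series adds. Since this example exists to show the hardened setup, make the choice explicit with `istio_auth = "AUTH_MUTUAL_TLS"` next to `istio = true`, so readers who copy it carry the setting along even if the module default is changed later. The module "gke" block begins outside the hunk.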