
fix: avoid `auto_provisioning_defaults` drift

Open michaellzc opened this issue 2 years ago • 4 comments

fixes https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1596

This PR added two new optional fields to var.cluster_autoscaling: enable_secure_boot=false and enable_integrity_monitoring=true.

design decisions:

  • enable_integrity_monitoring defaults to true, which is what other places are using
  • enable_secure_boot defaults to false, which is what other places are using
  • I decided not to reuse the attribute from lookup(var.node_pools[0], "enable_integrity_monitoring", true); a similar pattern was used for auto_provisioning_defaults.oauth_scopes, and it was actually a surprise to me. It's better to give users more control over it.

Why not just let the provider decide this optional field?

Since some Google provider version ago, a cluster in this module with NAP enabled will result in infinite drift, and GCP may or may not decide to update the cluster (it's unpredictable):

  # module.gke_self_15C14BFE.google_container_cluster.primary will be updated in-place
  ~ resource "google_container_cluster" "primary" {
        id                          = "projects/<redacted>/locations/us-central1/clusters/<redacted>"
        name                        = "<redacted>"
        # (31 unchanged attributes hidden)

      ~ cluster_autoscaling {
            # (2 unchanged attributes hidden)

          ~ auto_provisioning_defaults {
                # (5 unchanged attributes hidden)

              - shielded_instance_config {
                  - enable_integrity_monitoring = true -> null
                  - enable_secure_boot          = false -> null
                }

                # (2 unchanged blocks hidden)
            }

            # (2 unchanged blocks hidden)
        }

        # (27 unchanged blocks hidden)
    }

Test:

Using our own fork with this patch https://github.com/michaellzc/terraform-google-kubernetes-engine/tree/fork-26-1-1,

terraform plan no longer showed any drift at auto_provisioning_defaults.shielded_instance_config.

michaellzc avatar Nov 23 '23 19:11 michaellzc
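As an added illustration (not the PR's or the module's own code), the shape of the change described above: the two optional fields on var.cluster_autoscaling and an auto_provisioning_defaults block that sets shielded_instance_config explicitly, so the state matches what the API reports and the plan stops proposing to remove it. The variable layout, cluster name and resource limits are assumed; the attribute names are the google provider's.

```hcl
# Illustrative fragment, not the module's real variable: only `enabled` and the
# two fields this PR adds are shown. optional() with a default needs Terraform >= 1.3.
variable "cluster_autoscaling" {
  type = object({
    enabled                     = bool
    enable_secure_boot          = optional(bool, false) # module default; true is the hardened choice
    enable_integrity_monitoring = optional(bool, true)
  })
  default = { enabled = true }
}

resource "google_container_cluster" "primary" {
  name     = "example-cluster" # placeholder
  location = "us-central1"

  # NAP block is only emitted when autoscaling is enabled (assumed module pattern).
  dynamic "cluster_autoscaling" {
    for_each = var.cluster_autoscaling.enabled ? [1] : []
    content {
      enabled = true

      # NAP requires resource limits; values are constructed placeholders.
      resource_limits {
        resource_type = "cpu"
        minimum       = 1
        maximum       = 32
      }
      resource_limits {
        resource_type = "memory"
        minimum       = 1
        maximum       = 128
      }

      auto_provisioning_defaults {
        # Writing the block explicitly pins both booleans in state. Leaving it
        # out lets the API fill server-side defaults, which the provider then
        # reports as `shielded_instance_config { ... } -> null` on every plan.
        shielded_instance_config {
          enable_secure_boot          = var.cluster_autoscaling.enable_secure_boot
          enable_integrity_monitoring = var.cluster_autoscaling.enable_integrity_monitoring
        }
      }
    }
  }
}
```

After apply, `terraform plan -detailed-exitcode` returning 0 confirms the shielded_instance_config block no longer drifts.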

This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

github-actions[bot] avatar Jan 22 '24 23:01 github-actions[bot]

renew

michaellzc avatar Jan 22 '24 23:01 michaellzc

This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

github-actions[bot] avatar Mar 23 '24 23:03 github-actions[bot]

renew

michaellzc avatar Mar 28 '24 19:03 michaellzc