fix: Add additional guardrails for disabled workload identity. (#542)

morgante · web-flow · commit 43c4349788d4 · 2020-05-26T21:20:20.000-04:00
diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
@@ -171,7 +171,8 @@ locals {
   cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
 
-  cluster_workload_identity_config = var.identity_namespace == null ? [] : var.identity_namespace == "enabled" ? [{
+  workload_identity_enabled = ! (var.identity_namespace == null || var.identity_namespace == "null")
+  cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace
   }]
   # /BETA features
diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf
@@ -47,6 +47,10 @@ module "gke" {
   enable_binary_authorization = var.enable_binary_authorization
   pod_security_policy_config  = var.pod_security_policy_config
   release_channel             = "REGULAR"
+
+  # Disable workload identity
+  identity_namespace = null
+  node_metadata      = "UNSPECIFIED"
 }
 
 data "google_client_config" "default" {
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf
@@ -155,7 +155,8 @@ locals {
   cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
 
-  cluster_workload_identity_config = var.identity_namespace == null ? [] : var.identity_namespace == "enabled" ? [{
+  workload_identity_enabled = ! (var.identity_namespace == null || var.identity_namespace == "null")
+  cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace
   }]
   # /BETA features
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
@@ -155,7 +155,8 @@ locals {
   cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
 
-  cluster_workload_identity_config = var.identity_namespace == null ? [] : var.identity_namespace == "enabled" ? [{
+  workload_identity_enabled = ! (var.identity_namespace == null || var.identity_namespace == "null")
+  cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace
   }]
   # /BETA features
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
@@ -154,7 +154,8 @@ locals {
   cluster_intranode_visibility_enabled     = local.cluster_output_intranode_visbility_enabled
   cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
 
-  cluster_workload_identity_config = var.identity_namespace == null ? [] : var.identity_namespace == "enabled" ? [{
+  workload_identity_enabled = ! (var.identity_namespace == null || var.identity_namespace == "null")
+  cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
     identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace
   }]
   # /BETA features
diff --git a/test/integration/beta_cluster/controls/gcloud.rb b/test/integration/beta_cluster/controls/gcloud.rb
@@ -74,13 +74,6 @@
         })
       end
 
-      it "has the expected nodeMetadata conseal config" do
-        expect(data['nodeConfig']['workloadMetadataConfig']).to eq({
-          "mode" => "GKE_METADATA",
-          "nodeMetadata" => 'GKE_METADATA_SERVER',
-        })
-      end
-
       it "has the expected podSecurityPolicyConfig config" do
         expect(data['podSecurityPolicyConfig']).to eq({
           "enabled" => true,
@@ -93,13 +86,6 @@
           "keyName" => attribute('database_encryption_key_name'),
         })
       end
-
-      it "has the expected workload identity config" do
-        expect(data['workloadIdentityConfig']).to eq({
-          "identityNamespace" => attribute('identity_namespace'),
-          "workloadPool" => attribute('identity_namespace'),
-        })
-      end
     end
 
     describe "default node pool" do
@@ -212,19 +198,6 @@
           )
         )
       end
-
-      it "has the expected node metadata for workload identity" do
-        expect(node_pools).to include(
-          including(
-            "config" => including(
-              "workloadMetadataConfig" => eq(
-                "mode" => "GKE_METADATA",
-                "nodeMetadata" => 'GKE_METADATA_SERVER',
-              ),
-            ),
-          )
-        )
-      end
     end
   end
 end
