fix: allow enable_private_endpoint with no master_authorized_networks (#2058)

apeabody · web-flow · commit 528b373cc13e · 2024-08-26T10:17:58.000-07:00
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
@@ -257,10 +257,10 @@ resource "google_container_cluster" "primary" {
   enable_autopilot = true
 {% endif %}
   dynamic "master_authorized_networks_config" {
-    for_each = local.master_authorized_networks_config
+    for_each = {% if private_cluster %}var.enable_private_endpoint || {% endif %}length(var.master_authorized_networks) > 0 ? [true] : []
     content {
       dynamic "cidr_blocks" {
-        for_each = master_authorized_networks_config.value.cidr_blocks
+        for_each = var.master_authorized_networks
         content {
           cidr_block   = lookup(cidr_blocks.value, "cidr_block", "")
           display_name = lookup(cidr_blocks.value, "display_name", "")
diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
@@ -174,11 +174,6 @@ locals {
 
   # /BETA features
   {% endif %}
-
-  master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{
-    cidr_blocks : var.master_authorized_networks
-  }]
-
   {% if autopilot_cluster != true %}
   cluster_output_node_pools_names    = concat(
    [for np in google_container_node_pool.pools : np.name], [""],
diff --git a/cluster.tf b/cluster.tf
@@ -190,10 +190,10 @@ resource "google_container_cluster" "primary" {
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
   dynamic "master_authorized_networks_config" {
-    for_each = local.master_authorized_networks_config
+    for_each = length(var.master_authorized_networks) > 0 ? [true] : []
     content {
       dynamic "cidr_blocks" {
-        for_each = master_authorized_networks_config.value.cidr_blocks
+        for_each = var.master_authorized_networks
         content {
           cidr_block   = lookup(cidr_blocks.value, "cidr_block", "")
           display_name = lookup(cidr_blocks.value, "display_name", "")
diff --git a/examples/simple_autopilot_private/main.tf b/examples/simple_autopilot_private/main.tf
@@ -51,11 +51,4 @@ module "gke" {
   enable_private_nodes            = true
   network_tags                    = [local.cluster_type]
   deletion_protection             = false
-
-  master_authorized_networks = [
-    {
-      cidr_block   = "10.60.0.0/17"
-      display_name = "VPC"
-    },
-  ]
 }
diff --git a/main.tf b/main.tf
@@ -126,11 +126,6 @@ locals {
   cluster_output_intranode_visbility_enabled        = google_container_cluster.primary.enable_intranode_visibility
   cluster_output_identity_service_enabled           = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
 
-
-  master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{
-    cidr_blocks : var.master_authorized_networks
-  }]
-
   cluster_output_node_pools_names = concat(
     [for np in google_container_node_pool.pools : np.name], [""],
     [for np in google_container_node_pool.windows_pools : np.name], [""]
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -106,10 +106,10 @@ resource "google_container_cluster" "primary" {
   enable_fqdn_network_policy = var.enable_fqdn_network_policy
   enable_autopilot           = true
   dynamic "master_authorized_networks_config" {
-    for_each = local.master_authorized_networks_config
+    for_each = var.enable_private_endpoint || length(var.master_authorized_networks) > 0 ? [true] : []
     content {
       dynamic "cidr_blocks" {
-        for_each = master_authorized_networks_config.value.cidr_blocks
+        for_each = var.master_authorized_networks
         content {
           cidr_block   = lookup(cidr_blocks.value, "cidr_block", "")
           display_name = lookup(cidr_blocks.value, "display_name", "")
diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf
@@ -101,11 +101,6 @@ locals {
 
   # /BETA features
 
-  master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{
-    cidr_blocks : var.master_authorized_networks
-  }]
-
-
   cluster_master_auth_list_layer1 = local.cluster_output_master_auth
   cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0]
   cluster_master_auth_map         = local.cluster_master_auth_list_layer2[0]
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -106,10 +106,10 @@ resource "google_container_cluster" "primary" {
   enable_fqdn_network_policy = var.enable_fqdn_network_policy
   enable_autopilot           = true
   dynamic "master_authorized_networks_config" {
-    for_each = local.master_authorized_networks_config
+    for_each = length(var.master_authorized_networks) > 0 ? [true] : []
     content {
       dynamic "cidr_blocks" {
-        for_each = master_authorized_networks_config.value.cidr_blocks
+        for_each = var.master_authorized_networks
         content {
           cidr_block   = lookup(cidr_blocks.value, "cidr_block", "")
           display_name = lookup(cidr_blocks.value, "display_name", "")
diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf
@@ -100,11 +100,6 @@ locals {
 
   # /BETA features
 
-  master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{
-    cidr_blocks : var.master_authorized_networks
-  }]
-
-
   cluster_master_auth_list_layer1 = local.cluster_output_master_auth
   cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0]
   cluster_master_auth_map         = local.cluster_master_auth_list_layer2[0]
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -211,10 +211,10 @@ resource "google_container_cluster" "primary" {
 
   enable_fqdn_network_policy = var.enable_fqdn_network_policy
   dynamic "master_authorized_networks_config" {
-    for_each = local.master_authorized_networks_config
+    for_each = var.enable_private_endpoint || length(var.master_authorized_networks) > 0 ? [true] : []
     content {
       dynamic "cidr_blocks" {
-        for_each = master_authorized_networks_config.value.cidr_blocks
+        for_each = var.master_authorized_networks
         content {
           cidr_block   = lookup(cidr_blocks.value, "cidr_block", "")
           display_name = lookup(cidr_blocks.value, "display_name", "")
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf
@@ -145,11 +145,6 @@ locals {
   cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
 
   # /BETA features
-
-  master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{
-    cidr_blocks : var.master_authorized_networks
-  }]
-
   cluster_output_node_pools_names = concat(
     [for np in google_container_node_pool.pools : np.name], [""],
     [for np in google_container_node_pool.windows_pools : np.name], [""]
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
@@ -211,10 +211,10 @@ resource "google_container_cluster" "primary" {
 
   enable_fqdn_network_policy = var.enable_fqdn_network_policy
   dynamic "master_authorized_networks_config" {
-    for_each = local.master_authorized_networks_config
+    for_each = var.enable_private_endpoint || length(var.master_authorized_networks) > 0 ? [true] : []
     content {
       dynamic "cidr_blocks" {
-        for_each = master_authorized_networks_config.value.cidr_blocks
+        for_each = var.master_authorized_networks
         content {
           cidr_block   = lookup(cidr_blocks.value, "cidr_block", "")
           display_name = lookup(cidr_blocks.value, "display_name", "")
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
@@ -145,11 +145,6 @@ locals {
   cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
 
   # /BETA features
-
-  master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{
-    cidr_blocks : var.master_authorized_networks
-  }]
-
   cluster_output_node_pools_names = concat(
     [for np in google_container_node_pool.pools : np.name], [""],
     [for np in google_container_node_pool.windows_pools : np.name], [""]
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -211,10 +211,10 @@ resource "google_container_cluster" "primary" {
 
   enable_fqdn_network_policy = var.enable_fqdn_network_policy
   dynamic "master_authorized_networks_config" {
-    for_each = local.master_authorized_networks_config
+    for_each = length(var.master_authorized_networks) > 0 ? [true] : []
     content {
       dynamic "cidr_blocks" {
-        for_each = master_authorized_networks_config.value.cidr_blocks
+        for_each = var.master_authorized_networks
         content {
           cidr_block   = lookup(cidr_blocks.value, "cidr_block", "")
           display_name = lookup(cidr_blocks.value, "display_name", "")
diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf
@@ -144,11 +144,6 @@ locals {
   cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
 
   # /BETA features
-
-  master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{
-    cidr_blocks : var.master_authorized_networks
-  }]
-
   cluster_output_node_pools_names = concat(
     [for np in google_container_node_pool.pools : np.name], [""],
     [for np in google_container_node_pool.windows_pools : np.name], [""]
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
@@ -211,10 +211,10 @@ resource "google_container_cluster" "primary" {
 
   enable_fqdn_network_policy = var.enable_fqdn_network_policy
   dynamic "master_authorized_networks_config" {
-    for_each = local.master_authorized_networks_config
+    for_each = length(var.master_authorized_networks) > 0 ? [true] : []
     content {
       dynamic "cidr_blocks" {
-        for_each = master_authorized_networks_config.value.cidr_blocks
+        for_each = var.master_authorized_networks
         content {
           cidr_block   = lookup(cidr_blocks.value, "cidr_block", "")
           display_name = lookup(cidr_blocks.value, "display_name", "")
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
@@ -144,11 +144,6 @@ locals {
   cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false
 
   # /BETA features
-
-  master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{
-    cidr_blocks : var.master_authorized_networks
-  }]
-
   cluster_output_node_pools_names = concat(
     [for np in google_container_node_pool.pools : np.name], [""],
     [for np in google_container_node_pool.windows_pools : np.name], [""]
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
@@ -190,10 +190,10 @@ resource "google_container_cluster" "primary" {
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
   dynamic "master_authorized_networks_config" {
-    for_each = local.master_authorized_networks_config
+    for_each = var.enable_private_endpoint || length(var.master_authorized_networks) > 0 ? [true] : []
     content {
       dynamic "cidr_blocks" {
-        for_each = master_authorized_networks_config.value.cidr_blocks
+        for_each = var.master_authorized_networks
         content {
           cidr_block   = lookup(cidr_blocks.value, "cidr_block", "")
           display_name = lookup(cidr_blocks.value, "display_name", "")
diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf
@@ -127,11 +127,6 @@ locals {
   cluster_output_intranode_visbility_enabled        = google_container_cluster.primary.enable_intranode_visibility
   cluster_output_identity_service_enabled           = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
 
-
-  master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{
-    cidr_blocks : var.master_authorized_networks
-  }]
-
   cluster_output_node_pools_names = concat(
     [for np in google_container_node_pool.pools : np.name], [""],
     [for np in google_container_node_pool.windows_pools : np.name], [""]
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
@@ -190,10 +190,10 @@ resource "google_container_cluster" "primary" {
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
   dynamic "master_authorized_networks_config" {
-    for_each = local.master_authorized_networks_config
+    for_each = var.enable_private_endpoint || length(var.master_authorized_networks) > 0 ? [true] : []
     content {
       dynamic "cidr_blocks" {
-        for_each = master_authorized_networks_config.value.cidr_blocks
+        for_each = var.master_authorized_networks
         content {
           cidr_block   = lookup(cidr_blocks.value, "cidr_block", "")
           display_name = lookup(cidr_blocks.value, "display_name", "")
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
@@ -127,11 +127,6 @@ locals {
   cluster_output_intranode_visbility_enabled        = google_container_cluster.primary.enable_intranode_visibility
   cluster_output_identity_service_enabled           = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
 
-
-  master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{
-    cidr_blocks : var.master_authorized_networks
-  }]
-
   cluster_output_node_pools_names = concat(
     [for np in google_container_node_pool.pools : np.name], [""],
     [for np in google_container_node_pool.windows_pools : np.name], [""]
diff --git a/test/integration/simple_autopilot_private/simple_autopilot_private_test.go b/test/integration/simple_autopilot_private/simple_autopilot_private_test.go
@@ -53,6 +53,7 @@ func TestSimpleAutopilotPrivate(t *testing.T) {
 			"addonsConfig.httpLoadBalancing",
 			"addonsConfig.kubernetesDashboard.disabled",
 			"addonsConfig.networkPolicyConfig.disabled",
+			"masterAuthorizedNetworksConfig.enabled",
 		}
 		for _, pth := range validateJSONPaths {
 			g.JSONEq(assert, op, pth)
diff --git a/test/integration/simple_autopilot_private/testdata/TestSimpleAutopilotPrivate.json b/test/integration/simple_autopilot_private/testdata/TestSimpleAutopilotPrivate.json
@@ -124,12 +124,6 @@
       "clusterCaCertificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVMVENDQXBXZ0F3SUJBZ0lSQUl6eEJuNWlDNm9hV2h5N0YwMnpoand3RFFZSktvWklodmNOQVFFTEJRQXcKTHpFdE1Dc0dBMVVFQXhNa05UZ3hOak5qWVRVdFpHSmhOQzAwWXpKaExUZ3lNemN0TmpreE9Ua3paREJpWXpJMQpNQ0FYRFRJek1ERXhNakF6TURZMU1Gb1lEekl3TlRNd01UQTBNRFF3TmpVd1dqQXZNUzB3S3dZRFZRUURFeVExCk9ERTJNMk5oTlMxa1ltRTBMVFJqTW1FdE9ESXpOeTAyT1RFNU9UTmtNR0pqTWpVd2dnR2lNQTBHQ1NxR1NJYjMKRFFFQkFRVUFBNElCandBd2dnR0tBb0lCZ1FEUnltd1RVaEFkN1cwcWNZYWhRY0hkeTkxNWdRYzJrUTJQM2ZNcwozdGlISmRaUDFLb3o5djVuWUlZL3Q4aWxSb0NCSHEvNzhQVnBJZjNSWDVvSDdiTjN4UTFKWWF0ZEEvZ1lhVTRzCkdSZG05OW9zUmFsc01JdzR3SkNDWm50b2dtV3FmcmFzZldyOHo4b1NUSFVCL2N3UFhiaHBxMjlTanFUckM3elQKQnpoT0M5aGg5WUcwYnc0cHBReC9PL1Y2eGdhQ1Y0ZllQU1BML3lGSGs5cUpqUnB3bEh1YzduVlVLNHZFL2Y0LwpHRm44dXp1SnpRQ1FrSzBTUmx4WHJzRlM1WlB3YVB5OHJUZVJsVmhzRW1HWjYySkd5RFJuTDhJNTBvQlZtWXlSClF0ay93eGpFUVZiYUFNYlZsLytjSnhBWGJSTmhCZU85OWRjaFlhZ1o2UitBR2pHTHNaWUlka3JoNlZJNVh3OTcKY2xnTUJ0bXAxdHV2dVlIM3pGQitwckRMMmF5eXRTYXZ6VnlVV21OSDV6aDZSWnphMk9sRmFyeWo0RHYyemlNRgozckFnUE9KejhSdC9ZMUQzM1Y4ODZQVlNnUjNpZFZ0NDJ2dDcvaU9ZNUkxbmMyM1orRWdvaWZDTmtKVEM1MUtHClVZdTJjTjdzVjh1NnNuK1ltT1dPY0tXYzd2MENBd0VBQWFOQ01FQXdEZ1lEVlIwUEFRSC9CQVFEQWdJRU1BOEcKQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGRHpPUGYyZU84enVMa2prZWI4TEZ5eVpRMk1YTUEwRwpDU3FHU0liM0RRRUJDd1VBQTRJQmdRQlZDR2RGRWtmTE43bVg2SXZlb2tvMmVjZjhrUGlreTQyeFBvTEJtTnI2Cm94UXZWbnJtZlAxRTdxM2oyUnRNc2N5VzFUQU8wMTAwdzQyUWVUWWVPYm94em5xSms4TmNjQmQxdlNTa3NaOHUKdDlsS29GVmdRdkhLUzNldy81eG1Cb2o3em0rU0llQkRnSFJTNmMrNFQ0L25zMnl2UEhsbno2ZE5sLzJQMWtINwpBdmh2MkF3andZVC9EZU1tc3BEZERnMlVvVlhpYjliRTRES2Q2MUVCanhOc05EUjJDZ0VEYkZ1M0QwK01zRmcrCm9kcEUvc1BtZytsQWE0U24xNEZWZUNRdGxwWTBjY1RYY0tmKzN4c3FLMGZoSGk4Tk53ckg2bGpkUGN6VVJmS3cKK0hDVXVjeWtFOC96ay91aHR1dzhmOXlXbjcrS3RJbmxSNEtkOHk5WGFCaytsMkt6TVlxSkUyTzFNTmNkYlhONApvQmVrNE5QcGhGM1FrQmo3RUpnL0lkTGx1WEVCd1J3ZHg4SFlRRVoyRENvemlMNENtWThuS1dXR3lLeVJWSTIxCnlSaVY4SEJvWXZ5ZHNxYy9NSFFQUERrZDRSRk52YWtVUW55M0tUaDJoSlJyejB4Y2xXNENydDhsN3dGQkNEdzcKTEJvcWs5dWxjY01iWlJ6bTV4YkxCcUE9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
     },
     "masterAuthorizedNetworksConfig": {
-      "cidrBlocks": [
-        {
-          "cidrBlock": "10.60.0.0/17",
-          "displayName": "VPC"
-        }
-      ],
       "enabled": true
     },
     "monitoringConfig": {
diff --git a/test/integration/simple_zonal_private/simple_zonal_private_test.go b/test/integration/simple_zonal_private/simple_zonal_private_test.go
@@ -64,6 +64,7 @@ func TestSimpleZonalPrivate(t *testing.T) {
 			"nodePools.config.labels",
 			"nodePools.config.tags",
 			"nodePools.management.autoRepair",
+			"masterAuthorizedNetworksConfig",
 		}
 		for _, pth := range validateJSONPaths {
 			g.JSONEq(assert, op, pth)
