enabling metadata-concealment by default

ingwarr · ingwarr · commit 59158869a31c · 2019-09-10T16:01:32.000+03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,7 +8,7 @@ Extending the adopted spec, each change should have a link to its corresponding
 
 ## [Unreleased]
 ### Added
-
+* Enabled metadata-concealment by default [#248]
 * Added `grant_registry_access` variable to grant Container Registry access to created SA [#236]
 * Support for Intranode Visbiility (IV) and Veritical Pod Autoscaling (VPA) beta features [#216]
 * Support for Workload Identity beta feature [#234]
@@ -170,6 +170,7 @@ Extending the adopted spec, each change should have a link to its corresponding
 [v0.3.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.2.0...v0.3.0
 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0
 
+[#248]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/248
 [#236]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/236
 [#217]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/217
 [#234]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/234
diff --git a/autogen/variables.tf b/autogen/variables.tf
@@ -368,7 +368,8 @@ variable "pod_security_policy_config" {
 
 variable "node_metadata" {
   description = "Specifies how node metadata is exposed to the workload running on the node"
-  default     = "UNSPECIFIED"
+  default     = "SECURE"
+  type        = string
 }
 
 variable "enable_intranode_visibility" {
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
@@ -177,7 +177,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | network\_policy | Enable network policy addon | bool | `"false"` | no |
 | network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no |
-| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"UNSPECIFIED"` | no |
+| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"SECURE"` | no |
 | node\_pools | List of maps containing node pools | list(map(string)) | `<list>` | no |
 | node\_pools\_labels | Map of maps containing node labels by node-pool name | map(map(string)) | `<map>` | no |
 | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map(map(string)) | `<map>` | no |
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
@@ -365,7 +365,8 @@ variable "pod_security_policy_config" {
 
 variable "node_metadata" {
   description = "Specifies how node metadata is exposed to the workload running on the node"
-  default     = "UNSPECIFIED"
+  default     = "SECURE"
+  type        = string
 }
 
 variable "enable_intranode_visibility" {
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
@@ -168,7 +168,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | network\_policy | Enable network policy addon | bool | `"false"` | no |
 | network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no |
-| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"UNSPECIFIED"` | no |
+| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"SECURE"` | no |
 | node\_pools | List of maps containing node pools | list(map(string)) | `<list>` | no |
 | node\_pools\_labels | Map of maps containing node labels by node-pool name | map(map(string)) | `<map>` | no |
 | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map(map(string)) | `<map>` | no |
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
@@ -341,7 +341,8 @@ variable "pod_security_policy_config" {
 
 variable "node_metadata" {
   description = "Specifies how node metadata is exposed to the workload running on the node"
-  default     = "UNSPECIFIED"
+  default     = "SECURE"
+  type        = string
 }
 
 variable "enable_intranode_visibility" {

Original file line number	Diff line number	Diff line change
`@@ -368,7 +368,8 @@ variable "pod_security_policy_config" {`
`368`	`368`
`369`	`369`	`variable "node_metadata" {`
`370`	`370`	`description = "Specifies how node metadata is exposed to the workload running on the node"`
`371`		`- default = "UNSPECIFIED"`
	`371`	`+ default = "SECURE"`
	`372`	`+ type = string`
`372`	`373`	`}`
`373`	`374`
`374`	`375`	`variable "enable_intranode_visibility" {`
Original file line number	Diff line number	Diff line change
`@@ -365,7 +365,8 @@ variable "pod_security_policy_config" {`
`365`	`365`
`366`	`366`	`variable "node_metadata" {`
`367`	`367`	`description = "Specifies how node metadata is exposed to the workload running on the node"`
`368`		`- default = "UNSPECIFIED"`
	`368`	`+ default = "SECURE"`
	`369`	`+ type = string`
`369`	`370`	`}`
`370`	`371`
`371`	`372`	`variable "enable_intranode_visibility" {`
Original file line number	Diff line number	Diff line change
`@@ -341,7 +341,8 @@ variable "pod_security_policy_config" {`
`341`	`341`
`342`	`342`	`variable "node_metadata" {`
`343`	`343`	`description = "Specifies how node metadata is exposed to the workload running on the node"`
`344`		`- default = "UNSPECIFIED"`
	`344`	`+ default = "SECURE"`
	`345`	`+ type = string`
`345`	`346`	`}`
`346`	`347`
`347`	`348`	`variable "enable_intranode_visibility" {`