component change based on template testing

Daisyprakash · Daisyprakash · commit 6f350a95c1c2 · 2025-09-30T10:27:07.000Z
diff --git a/modules/gke-autopilot-cluster/README.md b/modules/gke-autopilot-cluster/README.md
@@ -41,7 +41,7 @@ For a module with a complete configuration of a Google Cloud Platform Kubernetes
 | logging\_config | The GKE components exposing logs. Supported values include: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, SCHEDULER, and WORKLOADS. | <pre>object({<br>    enable_components = optional(list(string))<br>  })</pre> | `null` | no |
 | maintenance\_policy | The maintenance policy to use for the cluster. | <pre>object({<br>    daily_maintenance_window = optional(object({<br>      start_time = optional(string)<br>    }))<br>    recurring_window = optional(object({<br>      start_time = optional(string)<br>      end_time   = optional(string)<br>      recurrence = optional(string)<br>    }))<br>    maintenance_exclusion = optional(list(object({<br>      exclusion_name = optional(string)<br>      start_time     = optional(string)<br>      end_time       = optional(string)<br>      exclusion_options = optional(object({<br>        scope = optional(string)<br>      }))<br>    })))<br>  })</pre> | <pre>{<br>  "daily_maintenance_window": {<br>    "start_time": "05:00"<br>  }<br>}</pre> | no |
 | master\_auth | The authentication information for accessing the Kubernetes master. | <pre>object({<br>    client_certificate_config = optional(object({<br>      issue_client_certificate = optional(bool)<br>    }))<br>  })</pre> | `null` | no |
-| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. | <pre>object({<br>    cidr_blocks = optional(list(object({<br>      display_name = optional(string)<br>      cidr_block   = optional(string)<br>    })))<br>    gcp_public_cidrs_access_enabled      = optional(bool)<br>    private_endpoint_enforcement_enabled = optional(bool)<br>  })</pre> | `null` | no |
+| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. | <pre>object({<br>    cidr_blocks = list(object({<br>      display_name = string<br>      cidr_block   = string<br>    }))<br>    gcp_public_cidrs_access_enabled      = optional(bool)<br>    private_endpoint_enforcement_enabled = optional(bool)<br>  })</pre> | n/a | yes |
 | mesh\_certificates | Configuration for the provisioning of managed mesh certificates. | <pre>object({<br>    enable_certificates = optional(bool)<br>  })</pre> | `null` | no |
 | min\_master\_version | The minimum version of the master. GKE will auto-update the master to new versions, so this does not guarantee the master version--use the read-only master\_version field to obtain a current version. If unset, the server's default version will be used. | `string` | `null` | no |
 | monitoring\_config | (Optional) The GKE components exposing metrics. Supported values include: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR, DCGM and JOBSET. | <pre>object({<br>    enable_components = optional(list(string))<br>  })</pre> | `null` | no |
@@ -66,7 +66,7 @@ For a module with a complete configuration of a Google Cloud Platform Kubernetes
 | timeouts | Timeout for cluster operations. | <pre>object({<br>    create = optional(string)<br>    update = optional(string)<br>    delete = optional(string)<br>  })</pre> | <pre>{<br>  "create": "45m",<br>  "delete": "45m",<br>  "update": "45m"<br>}</pre> | no |
 | vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it. | <pre>object({<br>    enabled = optional(bool)<br>  })</pre> | <pre>{<br>  "enabled": true<br>}</pre> | no |
 | workload\_alts\_config | Workload ALTS configuration for the cluster. Whether the alts handshaker should be enabled or not for direct-path. Requires Workload Identity (workloadPool) must be non-empty | <pre>object({<br>    enable_alts = bool<br>  })</pre> | `null` | no |
-| workload\_identity\_config | Configuration for the use of Kubernetes Service Accounts in GCP IAM policies. | <pre>object({<br>    workload_pool = optional(string)<br>  })</pre> | `null` | no |
+| workload\_identity\_config | Configuration for the use of Kubernetes Service Accounts in GCP IAM policies. | <pre>object({<br>    workload_pool = string<br>  })</pre> | n/a | yes |
 
 ## Outputs
 
diff --git a/modules/gke-autopilot-cluster/metadata.yaml b/modules/gke-autopilot-cluster/metadata.yaml
@@ -277,13 +277,14 @@ spec:
         description: The desired configuration options for master authorized networks.
         varType: |-
           object({
-              cidr_blocks = optional(list(object({
-                display_name = optional(string)
-                cidr_block   = optional(string)
-              })))
+              cidr_blocks = list(object({
+                display_name = string
+                cidr_block   = string
+              }))
               gcp_public_cidrs_access_enabled      = optional(bool)
               private_endpoint_enforcement_enabled = optional(bool)
             })
+        required: true
       - name: min_master_version
         description: The minimum version of the master. GKE will auto-update the master to new versions, so this does not guarantee the master version--use the read-only master_version field to obtain a current version. If unset, the server's default version will be used.
         varType: string
@@ -426,8 +427,9 @@ spec:
         description: Configuration for the use of Kubernetes Service Accounts in GCP IAM policies.
         varType: |-
           object({
-              workload_pool = optional(string)
+              workload_pool = string
             })
+        required: true
       - name: identity_service_config
         description: Whether to enable the Identity Service component. It is disabled by default. Set enabled=true to enable.
         varType: |-
@@ -569,9 +571,9 @@ spec:
     roles:
       - level: Project
         roles:
+          - roles/compute.admin
           - roles/container.admin
           - roles/iam.serviceAccountUser
-          - roles/compute.admin
     services:
       - compute.googleapis.com
       - container.googleapis.com
diff --git a/modules/gke-autopilot-cluster/variables.tf b/modules/gke-autopilot-cluster/variables.tf
@@ -203,14 +203,13 @@ variable "master_auth" {
 variable "master_authorized_networks_config" {
   description = "The desired configuration options for master authorized networks."
   type = object({
-    cidr_blocks = optional(list(object({
-      display_name = optional(string)
-      cidr_block   = optional(string)
-    })))
+    cidr_blocks = list(object({
+      display_name = string
+      cidr_block   = string
+    }))
     gcp_public_cidrs_access_enabled      = optional(bool)
     private_endpoint_enforcement_enabled = optional(bool)
   })
-  default = null
 }
 
 variable "min_master_version" {
@@ -394,9 +393,8 @@ variable "resource_usage_export_config" {
 variable "workload_identity_config" {
   description = "Configuration for the use of Kubernetes Service Accounts in GCP IAM policies."
   type = object({
-    workload_pool = optional(string)
+    workload_pool = string
   })
-  default = null
 }
 
 variable "identity_service_config" {
diff --git a/modules/gke-standard-cluster/README.md b/modules/gke-standard-cluster/README.md
@@ -48,7 +48,7 @@ For a module with a complete configuration of a Google Cloud Platform Kubernetes
 | logging\_service | The logging service that the cluster should write logs to. Available options include `logging.googleapis.com`, `logging.googleapis.com/kubernetes`, and `none`. | `string` | `null` | no |
 | maintenance\_policy | The maintenance policy to use for the cluster. | <pre>object({<br>    daily_maintenance_window = optional(object({<br>      start_time = optional(string)<br>    }))<br>    recurring_window = optional(object({<br>      start_time = optional(string)<br>      end_time   = optional(string)<br>      recurrence = optional(string)<br>    }))<br>    maintenance_exclusion = optional(list(object({<br>      exclusion_name = optional(string)<br>      start_time     = optional(string)<br>      end_time       = optional(string)<br>      exclusion_options = optional(object({<br>        scope = optional(string)<br>      }))<br>    })))<br>  })</pre> | `null` | no |
 | master\_auth | The authentication information for accessing the Kubernetes master. | <pre>object({<br>    client_certificate_config = optional(object({<br>      issue_client_certificate = optional(bool)<br>    }))<br>  })</pre> | `null` | no |
-| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. | <pre>object({<br>    cidr_blocks = optional(list(object({<br>      display_name = optional(string)<br>      cidr_block   = optional(string)<br>    })))<br>    gcp_public_cidrs_access_enabled      = optional(bool)<br>    private_endpoint_enforcement_enabled = optional(bool)<br>  })</pre> | `null` | no |
+| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. | <pre>object({<br>    cidr_blocks = list(object({<br>      display_name = string<br>      cidr_block   = string<br>    }))<br>    gcp_public_cidrs_access_enabled      = optional(bool)<br>    private_endpoint_enforcement_enabled = optional(bool)<br>  })</pre> | n/a | yes |
 | mesh\_certificates | Configuration for the provisioning of managed mesh certificates. | <pre>object({<br>    enable_certificates = optional(bool)<br>  })</pre> | `null` | no |
 | min\_master\_version | The minimum version of the master. GKE will auto-update the master to new versions, so this does not guarantee the master version--use the read-only master\_version field to obtain a current version. If unset, the server's default version will be used. | `string` | `null` | no |
 | monitoring\_config | Monitoring configuration for the cluster. | <pre>object({<br>    enable_components = optional(list(string))<br>  })</pre> | `null` | no |
@@ -67,7 +67,7 @@ For a module with a complete configuration of a Google Cloud Platform Kubernetes
 | pod\_security\_policy\_config | Configuration for the [PodSecurityPolicy](https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies) feature. | <pre>object({<br>    enabled = bool<br>  })</pre> | `null` | no |
 | private\_cluster\_config | Configuration for private clusters, clusters with private nodes. | <pre>object({<br>    enable_private_nodes        = optional(bool)<br>    enable_private_endpoint     = optional(bool)<br>    master_ipv4_cidr_block      = optional(string)<br>    private_endpoint_subnetwork = optional(string)<br>    master_global_access_config = optional(object({<br>      enabled = optional(bool)<br>    }))<br>  })</pre> | <pre>{<br>  "enable_private_endpoint": true,<br>  "enable_private_nodes": true,<br>  "master_global_access_config": {<br>    "enabled": true<br>  }<br>}</pre> | no |
 | private\_ipv6\_google\_access | The desired state of IPv6 access to Google Services. By default, no private IPv6 access to or from Google Services (all access will be via IPv4). | `string` | `null` | no |
-| project\_id | The ID of the project in which the resource belongs. If it is not provided, the provider project id is used. | `string` | `null` | no |
+| project\_id | The ID of the project in which the resource belongs. If it is not provided, the provider project id is used. | `string` | n/a | yes |
 | protect\_config | Enable GKE Protect workloads for this cluster. | <pre>object({<br>    workload_config = object({<br>      audit_mode = string<br>    })<br>    workload_vulnerability_mode = optional(string)<br>  })</pre> | `null` | no |
 | release\_channel | Configuration for the release channel feature, which provides more control over automatic upgrades of your GKE clusters. | <pre>object({<br>    channel = optional(string)<br>  })</pre> | `null` | no |
 | remove\_default\_node\_pool | If true, deletes the default node pool upon cluster creation. If you're using google\_container\_node\_pool resources with no default node pool, this should be set to true. | `bool` | `true` | no |
@@ -80,7 +80,7 @@ For a module with a complete configuration of a Google Cloud Platform Kubernetes
 | timeouts | Timeout for cluster operations. | <pre>object({<br>    create = optional(string)<br>    update = optional(string)<br>    delete = optional(string)<br>  })</pre> | <pre>{<br>  "create": "45m",<br>  "delete": "45m",<br>  "update": "45m"<br>}</pre> | no |
 | vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it. | <pre>object({<br>    enabled = optional(bool)<br>  })</pre> | `null` | no |
 | workload\_alts\_config | Workload ALTS configuration for the cluster. Whether the alts handshaker should be enabled or not for direct-path. Requires Workload Identity (workloadPool) must be non-empty | <pre>object({<br>    enable_alts = bool<br>  })</pre> | `null` | no |
-| workload\_identity\_config | Configuration for the use of Kubernetes Service Accounts in GCP IAM policies. | <pre>object({<br>    workload_pool = optional(string)<br>  })</pre> | `null` | no |
+| workload\_identity\_config | Configuration for the use of Kubernetes Service Accounts in GCP IAM policies. | <pre>object({<br>    workload_pool = string<br>  })</pre> | n/a | yes |
 
 ## Outputs
 
diff --git a/modules/gke-standard-cluster/metadata.display.yaml b/modules/gke-standard-cluster/metadata.display.yaml
@@ -375,10 +375,6 @@ spec:
         master_authorized_networks_config:
           name: master_authorized_networks_config
           title: Master Authorized Networks Config
-          altDefaults:
-            - type: ALTERNATE_TYPE_DC
-              value:
-                private_endpoint_enforcement_enabled: true
         mesh_certificates:
           name: mesh_certificates
           title: Mesh Certificates
@@ -896,6 +892,7 @@ spec:
         project_id:
           name: project_id
           title: Project Id
+          level: 1
         protect_config:
           name: protect_config
           title: Protect Config
diff --git a/modules/gke-standard-cluster/metadata.yaml b/modules/gke-standard-cluster/metadata.yaml
@@ -136,6 +136,7 @@ spec:
       - name: project_id
         description: The ID of the project in which the resource belongs. If it is not provided, the provider project id is used.
         varType: string
+        required: true
       - name: location
         description: The location (region or zone) in which the cluster master will be created, as well as the default node location. If you specify a zone (such as us-central1-a), the cluster will be a zonal cluster with a single cluster master. If you specify a region (such as us-west1), the cluster will be a regional cluster with multiple masters spread across zones in the region, and with default node locations in those zones as well.
         varType: string
@@ -359,13 +360,14 @@ spec:
         description: The desired configuration options for master authorized networks.
         varType: |-
           object({
-              cidr_blocks = optional(list(object({
-                display_name = optional(string)
-                cidr_block   = optional(string)
-              })))
+              cidr_blocks = list(object({
+                display_name = string
+                cidr_block   = string
+              }))
               gcp_public_cidrs_access_enabled      = optional(bool)
               private_endpoint_enforcement_enabled = optional(bool)
             })
+        required: true
       - name: min_master_version
         description: The minimum version of the master. GKE will auto-update the master to new versions, so this does not guarantee the master version--use the read-only master_version field to obtain a current version. If unset, the server's default version will be used.
         varType: string
@@ -861,8 +863,9 @@ spec:
         description: Configuration for the use of Kubernetes Service Accounts in GCP IAM policies.
         varType: |-
           object({
-              workload_pool = optional(string)
+              workload_pool = string
             })
+        required: true
       - name: identity_service_config
         description: Whether to enable the Identity Service component. It is disabled by default. Set enabled=true to enable.
         varType: |-
diff --git a/modules/gke-standard-cluster/variables.tf b/modules/gke-standard-cluster/variables.tf
@@ -29,7 +29,6 @@ variable "description" {
 variable "project_id" {
   description = "The ID of the project in which the resource belongs. If it is not provided, the provider project id is used."
   type        = string
-  default     = null
 }
 
 variable "location" {
@@ -314,14 +313,13 @@ variable "master_auth" {
 variable "master_authorized_networks_config" {
   description = "The desired configuration options for master authorized networks."
   type = object({
-    cidr_blocks = optional(list(object({
-      display_name = optional(string)
-      cidr_block   = optional(string)
-    })))
+    cidr_blocks = list(object({
+      display_name = string
+      cidr_block   = string
+    }))
     gcp_public_cidrs_access_enabled      = optional(bool)
     private_endpoint_enforcement_enabled = optional(bool)
   })
-  default = null
 }
 
 variable "min_master_version" {
@@ -876,9 +874,8 @@ variable "resource_usage_export_config" {
 variable "workload_identity_config" {
   description = "Configuration for the use of Kubernetes Service Accounts in GCP IAM policies."
   type = object({
-    workload_pool = optional(string)
+    workload_pool = string
   })
-  default = null
 }
 
 variable "identity_service_config" {
