Flapping network_tags for beta-autopilot-private-cluster

[nikolaik]

TL;DR

When passing insecure_kubelet_readonly_port_enabled to beta-autopilot-private-cluster, network_tags is flapping like this

 # module.my_cluster.module.gke.google_container_cluster.primary will be updated in-place
! resource "google_container_cluster" "primary" {
        id                                       = "projects/my-project/locations/europe-west1/clusters/my-cluster"
        name                                     = "my-cluster"
        # (35 unchanged attributes hidden)

!       node_pool_auto_config {
            # (1 unchanged attribute hidden)

+           network_tags {}

            # (1 unchanged block hidden)
        }

        # (38 unchanged blocks hidden)
    }

Should the default value here be {}?

Or do we need make network_tags dynamic too?

Expected behavior

No flapping

Observed behavior

No response

Terraform Configuration

module "gke" {
  source  = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster"
  version = "36.0.0"
  
  # <snipped variables>
  insecure_kubelet_readonly_port_enabled = false
}

Terraform Version

1.10.5

Terraform Provider Versions

.
├── provider[registry.terraform.io/hashicorp/google] >= 6.0.0
└── module.gke
    ├── provider[registry.terraform.io/hashicorp/kubernetes] ~> 2.10
    ├── provider[registry.terraform.io/hashicorp/random] >= 2.1.0
    ├── provider[registry.terraform.io/hashicorp/google] >= 6.14.0, < 7.0.0
    └── provider[registry.terraform.io/hashicorp/google-beta] >= 6.14.0, < 7.0.0

Additional information

No response

[apeabody]

Hi @nikolaik!

Or do we need make network_tags dynamic too?

Yes, given your use of insecure_kubelet_readonly_port_enabled, I believe network_tags would need to be made a dynamic block here:

• https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/main/autogen/main/cluster.tf.tmpl#L284
• https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/main/autogen/main/cluster.tf.tmpl#L302

Unfortunately, just setting network_tags.tags to {} will still result in the empty network_tags {} being created.

[Ameausoone]

it would be fixed by #2282 https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/2282/files#diff-a3a07be3819af6f1a65ed243a613e69b544b7274d248a4b4d7d4d127aec40aeeR291

[Ameausoone]

Fixed with release https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/releases/tag/v36.2.0

[apeabody]

Thanks @Ameausoone!

[nikolaik]

Wonderful <3