Description
TL;DR
When enabling add_master_webhook_firewall_rules = true in the private-cluster module of terraform-google-kubernetes-engine (version ~> 39.0), with the configuration shown below under Terraform Configuration, Terraform plan fails with the error:
```text
Error: Null value found in list

  with module.gke.google_compute_firewall.master_webhooks[0],
  on .terraform/modules/gke/modules/private-cluster/firewall.tf line 102, in resource "google_compute_firewall" "master_webhooks":
 102:     source_ranges = [local.cluster_endpoint_for_nodes]

Null values are not allowed for this attribute value.
```
Expected behavior
The module should handle this configuration gracefully by either:
Generating the firewall rules only when local.cluster_endpoint_for_nodes is valid (non-null)
Or clearly documenting that add_master_webhook_firewall_rules requires enable_private_endpoint = true to work properly
Or providing an option to disable automatic creation of webhook firewall rules gracefully when endpoint IP is unknown at plan time
Additional Context:
Using the private-cluster module
Observed behavior
Planning failed. Terraform encountered an error while generating this plan.
```text
╷
│ Error: Null value found in list
│
│   with module.gke.google_compute_firewall.master_webhooks[0],
│   on .terraform/modules/gke/modules/private-cluster/firewall.tf line 102, in resource "google_compute_firewall" "master_webhooks":
│  102:     source_ranges = [local.cluster_endpoint_for_nodes]
│
│ Null values are not allowed for this attribute value.
╵
```
Terraform Configuration
```hcl
module "gke" {
  source  = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
  version = "~> 39.0"

  project_id        = var.project_id
  name              = var.cluster_name
  region            = var.region
  zones             = local.zones
  network           = var.network_name
  subnetwork        = module.vpc.subnets_names[0]
  ip_range_pods     = var.subnets_secondary_ranges[0].range_name
  ip_range_services = var.subnets_secondary_ranges[1].range_name

  enable_private_endpoint       = false
  enable_private_nodes          = true
  deploy_using_private_endpoint = true
  enable_cost_allocation        = true
  release_channel               = "STABLE"
  initial_node_count            = 1
  maintenance_start_time        = "1970-01-01T00:00:00Z"
  maintenance_end_time          = "1970-01-01T04:00:00Z"
  maintenance_recurrence        = "FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR,SA,SU"
  remove_default_node_pool      = true
  grant_registry_access         = true
  dns_cache                     = true
  gke_backup_agent_config       = true
  gce_pd_csi_driver             = true
  network_policy                = true
  master_global_access_enabled  = false
  enable_gcfs                   = false

  add_master_webhook_firewall_rules = true
  firewall_inbound_ports            = ["8443", "9443"]

  monitoring_enable_managed_prometheus = false
  monitoring_enabled_components        = ["SYSTEM_COMPONENTS"]
  authenticator_security_group         = "[email protected]"
  enable_shielded_nodes                = true

  node_pools = concat([
    {
      name         = "default-pool"
      machine_type = "t2d-standard-2"
      min_count    = 1
      max_count    = 4
      auto_repair  = true
      auto_upgrade = true
      spot         = true
      enable_gcfs  = true
      image_type   = "COS_CONTAINERD"
    },
  ], var.gke_additional_node_pools
  )

  node_pools_taints = var.gke_node_pools_taints

  cluster_autoscaling = {
    enabled : false
    autoscaling_profile : "OPTIMIZE_UTILIZATION"
    auto_repair : true
    auto_upgrade : true
    gpu_resources : []
    max_cpu_cores : 0
    max_memory_gb : 0
    min_cpu_cores : 0
    min_memory_gb : 0
  }
}
```
Terraform Version
1.8.5
Terraform Provider Versions
```hcl
google = {
  source  = "hashicorp/google"
  version = ">= 5.0"
}
```
Additional information
If I set add_cluster_firewall_rules to true, the problem does not occur, but it adds firewall rules that we don't want to add since they are managed by Google.
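Because toggling add_cluster_firewall_rules trades the plan error for rules the reporter does not want, the practical next step is to see exactly which google_compute_firewall resources a plan will create and how each one is scoped before applying. The script below is an added example, not part of this issue or of the terraform-google-kubernetes-engine module. It reads the JSON form of a plan (`terraform show -json plan.out`) and flags ingress rules whose source_ranges is unknown until apply, contains an any-source CIDR, or is empty with no source tags or service accounts either. The last case is the security caveat for anyone tempted to work around the null by dropping it from the list (for example with compact()): GCP applies an ingress rule with no source filter to all sources. The plan embedded in the block is constructed for illustration; its rule names, addresses and IP ranges are assumptions, except the master_webhooks address, which is the one from the error above.

```python
"""Audit the google_compute_firewall resources in a Terraform plan.

Added example (not part of the issue or the module). Usage:
    terraform plan -out=plan.out && terraform show -json plan.out > plan.json
    python audit_firewall_plan.py plan.json
Run with no argument to audit the constructed SAMPLE_PLAN below.
"""
import json
import sys

# CIDRs that make an ingress rule reachable from anywhere.
ANY_SOURCE = {"0.0.0.0/0", "::/0"}

# Constructed plan JSON in the `terraform show -json` shape. Addresses, names
# and IP ranges are illustrative assumptions, except the master_webhooks
# address, which is the one from the issue's error output.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {  # the module's rule once the endpoint value is known
            "address": "module.gke.google_compute_firewall.master_webhooks[0]",
            "type": "google_compute_firewall",
            "change": {"actions": ["create"], "after_unknown": {"id": True},
                       "after": {"name": "gke-example-webhooks", "direction": "INGRESS",
                                 "source_ranges": ["172.16.0.2/32"],
                                 "source_tags": None, "source_service_accounts": None}},
        },
        {  # hand-written replacement that dropped the null from the list: no source filter left
            "address": "google_compute_firewall.webhooks_workaround",
            "type": "google_compute_firewall",
            "change": {"actions": ["create"], "after_unknown": {"id": True},
                       "after": {"name": "gke-example-webhooks-manual", "direction": "INGRESS",
                                 "source_ranges": [],
                                 "source_tags": None, "source_service_accounts": None}},
        },
        {  # source taken from a resource created in the same run: unknown until apply
            "address": "google_compute_firewall.webhooks_deferred",
            "type": "google_compute_firewall",
            "change": {"actions": ["create"], "after_unknown": {"id": True, "source_ranges": True},
                       "after": {"name": "gke-example-webhooks-deferred", "direction": "INGRESS",
                                 "source_tags": None, "source_service_accounts": None}},
        },
        {  # egress rules are scoped by destination_ranges, so no source check applies
            "address": "google_compute_firewall.deny_egress",
            "type": "google_compute_firewall",
            "change": {"actions": ["create"], "after_unknown": {"id": True},
                       "after": {"name": "deny-egress", "direction": "EGRESS",
                                 "destination_ranges": ["0.0.0.0/0"]}},
        },
    ],
}


def audit_firewall_rules(plan: dict) -> list[dict]:
    """Return one finding per google_compute_firewall the plan will create or change."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "google_compute_firewall":
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if actions in (["no-op"], ["delete"], ["read"]):
            continue
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        direction = after.get("direction") or "INGRESS"  # provider default
        ranges = after.get("source_ranges")
        ranges_unknown = unknown.get("source_ranges")
        if isinstance(ranges_unknown, list):
            ranges_unknown = any(ranges_unknown)  # per-element unknown markers
        issues = []
        if direction == "INGRESS":
            if ranges_unknown:
                issues.append("source_ranges not known until apply; re-audit the applied rule")
            elif not ranges and not after.get("source_tags") and not after.get("source_service_accounts"):
                issues.append("no ingress source filter; GCP applies such a rule to all sources")
            elif ranges and ANY_SOURCE.intersection(ranges):
                issues.append("source_ranges includes an any-source CIDR")
        findings.append({"address": rc["address"], "actions": actions,
                         "direction": direction, "source_ranges": ranges, "issues": issues})
    return findings


def main() -> int:
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    findings = audit_firewall_rules(plan)
    for f in findings:
        print(f"{'FLAG' if f['issues'] else ' ok '} {f['address']} ({'/'.join(f['actions'])}, "
              f"{f['direction']}) source_ranges={f['source_ranges']}")
        for issue in f["issues"]:
            print(f"       - {issue}")
    return 1 if any(f["issues"] for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main())
```

The script exits non-zero when any rule is flagged, so it can gate a CI plan step. A rule whose source_ranges is still unknown at plan time is reported rather than passed, since the plan cannot prove how it will be scoped; check the applied rule (for example with `gcloud compute firewall-rules describe`) before trusting it.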