Description
TL;DR
When using GKE clusters with DNS endpoints enabled (dns_allow_external_traffic = true and ip_endpoints_enabled = false), Terraform detects a drift in the master_authorized_networks_config configuration even though no actual changes have been made.
When DNS endpoints are enabled and IP endpoints are disabled, the GCP API manages master_authorized_networks_config itself and reports it as an empty block ({}). The module's current implementation does not mirror that state, so every plan proposes the same change again.
Expected behavior
When dns_allow_external_traffic = true and ip_endpoints_enabled = false, the module should emit master_authorized_networks_config = {} so that the configuration matches what the API reports and no drift is shown.
Observed behavior
Drift is present: every plan proposes an in-place update to the cluster even though nothing changed on the user side:
# module.google_container_cluster.primary will be updated in-place
~ resource "google_container_cluster" "primary" {
id = "projects/xxxxxxxx/locations/yyyyyyy/clusters/sbx-cluster"
name = "sbx-cluster"
# (39 unchanged attributes hidden)
+ master_authorized_networks_config {}
# (36 unchanged blocks hidden)
}
Terraform Configuration
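# Reproduction for the master_authorized_networks_config drift: a private GKE
# cluster that exposes only the control-plane DNS endpoint
# (ip_endpoints_enabled = false, dns_allow_external_traffic = true).
module "gke_cluster_mt" {
  # Module source pinned to a release tag so the reproduction is stable.
  source = "git@github.com:terraform-google-modules/terraform-google-kubernetes-engine.git//modules/beta-private-cluster?ref=v37.1.0"

  project_id   = var.project_id
  cluster_name = "sbx-cluster"
  region       = var.region
  zones        = var.zones
  gke_version  = "1.32"

  # Control-plane endpoint settings that trigger the drift described above.
  dns_allow_external_traffic = true
  ip_endpoints_enabled       = false
  enable_private_endpoint    = true
  enable_private_nodes       = true

  # Networking: VPC, subnet and the secondary ranges used for pods/services.
  network_name       = var.network_name
  subnet_name        = var.subnet_name
  secondary_pod_name = lookup(local.ip_range_pods_mt[0], "range_name")
  secondary_svc_name = lookup(local.ip_range_services_mt[1], "range_name")
  max_pods_per_node  = 110
  egress_internal = [
    local.gke_subnet,
    local.gke_subnet_sec_pod,
    local.gke_subnet_sec_svc,
  ]

  # Node service account is supplied by the caller, not created by the module.
  service_account        = var.service_account
  create_service_account = false

  # Bool literal, consistent with the other autoscaling flags below
  # (the original passed the string "true" and relied on implicit coercion).
  horizontal_pod_autoscaling      = true
  enable_vertical_pod_autoscaling = true
  gateway_api_channel             = "CHANNEL_STANDARD"
  remove_default_node_pool        = true
  # Sandbox cluster; keep deletion protection on for anything non-disposable.
  deletion_protection = false

  # A zero-sized placeholder pool; real capacity comes from node auto-provisioning.
  node_pools = [
    {
      name               = "holding-pool"
      machine_type       = "e2-standard-2"
      min_count          = 0
      max_count          = 0
      initial_node_count = 0
      disk_size_gb       = 50
      disk_type          = "pd-standard"
      image_type         = "COS_CONTAINERD"
      auto_repair        = true
      auto_upgrade       = true
      preemptible        = false
      gcfs_config        = null
    }
  ]

  # Node auto-provisioning limits and upgrade strategy for provisioned pools.
  cluster_autoscaling = {
    enabled             = true
    autoscaling_profile = "OPTIMIZE_UTILIZATION"
    min_cpu_cores       = 0
    max_cpu_cores       = 48
    min_memory_gb       = 0
    max_memory_gb       = 144
    gpu_resources       = []
    auto_repair         = true
    auto_upgrade        = true
    disk_size           = 50
    disk_type           = "pd-standard"
    strategy            = "SURGE"
    max_surge           = 3
    max_unavailable     = 3
  }

  # NOTE(review): cloud-platform is a superset of the three narrower scopes
  # listed with it, so they add nothing; any pod on these nodes can reach every
  # API the node service account is permitted to call. Drop cloud-platform
  # unless a workload here actually needs it (least privilege). The
  # "workload-pool" key matches no pool declared above and is therefore unused.
  node_pools_oauth_scopes = {
    "all" = [
      "https://www.googleapis.com/auth/devstorage.read_only",
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
      "https://www.googleapis.com/auth/cloud-platform",
    ],
    "workload-pool" = []
  }

  node_pools_tags = {
    all = ["workloads", "workload-node-pool", "pool-1"]
  }

  node_pools_labels = {
    all = {
      "workloadType" = "workload"
    }
  }

  network_tags = ["gke-test"]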
}
Terraform Version
Terraform 1.8.5
Terraform Provider Versions
google-beta v6.50.0
Additional information
No response