container_cluster: Improve error message when both Network Policy and GKE Dataplane V2 is enabled

[jcanseco]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

According to this warning in GKE Documentation, if users want to enable GKE Dataplane V2 on a GKE cluster, they must not explicitly enable or disable network policy enforcement, or the request will fail with error Enabling NetworkPolicy for clusters with DatapathProvider=ADVANCED_DATAPATH is not allowed.

This means that if google_container_cluster has datapath_provider = ADVANCED_DATAPATH, the user must omit the network_policy and addons_config.network_policy_config fields. If either field is specified, then the user gets the error above.

Request: Can we put up a better error message if the user makes the above mistake? The current error message does not make it too obvious which particular fields need to be omitted and the fact that the user has to omit two fields (Example user confusion: https://github.com/GoogleCloudPlatform/k8s-config-connector/issues/616).

Example better error message (for reference only): If datapath_provider is set to ADVANCED_DATAPATH, the fields network_policy and addons_config.network_policy_config must not be specified.

New or Affected Resource(s)

• google_container_cluster

References

• https://github.com/GoogleCloudPlatform/k8s-config-connector/issues/616

b/359989210

[rileykarson]

@jcanseco can we request the API returns a better error? The googleapi prefix in there means we're just parroting back what they said to us.

[jcanseco]

Yes we can do that too: b/226464091

[roaks3]

Adding the review label, as I'm not sure if it warrants forwarding at this point (b/226464091 is still waiting)

[ggtisc]

Even today when it is attempting to include the next different arguments for a google_container_cluster resource it results in different errors, and the terraform registry documentation and API are not intuitive or have almost a basic example of how to manage it:

• network_policy
• addons_config
• datapath_provider