Bad deprecation on `google_container_cluster.binary_authorization.enabled`

[rileykarson]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Affected Resource(s)

• google_container_cluster

Terraform Configuration Files

- enable_binary_authorization = true
+ binary_authorization {
+   evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }

Debug Output

Panic Output

Expected Behavior

Binary authorization remains enabled

Actual Behavior

Binary authorization is disabled

Steps to Reproduce

1. terraform apply

Important Factoids

In 5.0.0 we deprecated enable_binary_authorization in favour of binary_authorization.enabled: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/version_5_upgrade#enable_binary_authorization-is-now-removed

However, the field that we directed folks to was introduced as deprecated in https://github.com/GoogleCloudPlatform/magic-modules/pull/6101 and pointed folks to a different field, binary_authorization.evaluation_mode. In the API if you send just that field the API will determine enabled based on its value (and has deprecated setting enablement explicitly). Our implementation always sends an enabled field, which appears to override the value.

This means that I don't think that that upgrade path is possible- and a user that attempts to resolve the deprecation warning is likely to accidentally set binary_authorization.enabled to false, disabling binary authorization on their cluster regardless of their evaluation_mode setting.

We should update our 5.0.0 upgrade guide to warn against specifying just evaluation_mode, and either remove the deprecation clientside until we handle it properly or fix our handling.

References

• yaqs/5859821931464753152

b/315582550

[rmoriar1]

This means that I don't think that that upgrade path is possible- and a user that attempts to resolve the deprecation warning is likely to accidentally set binary_authorization.enabled to false, disabling binary authorization on their cluster regardless of their evaluation_mode setting.

I don't think this is right, if the user passes both an evaluation mode and enabled bool the evaluation mode has precedence.

[rileykarson]

I don't think this is right, if the user passes both an evaluation mode and enabled bool the evaluation mode has precedence.

In the API, or Terraform specifically? I think that Terraform is always sending an explicit value to the API.

[rileykarson]

Request/response:

{
  "update": {
    "desiredBinaryAuthorization": {
      "enabled": false,
      "evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE"
    }
  }
}

  "binaryAuthorization": {
    "evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE",
    "policy": ""
  },

That does mean that an explicit false is not a problem. Note that enabled cannot be true at the same time as evaluationMode is set.

To set BinaryAuthorization.EvaluationMode, leave the deprecated BinaryAuthorization.Enabled field unset.

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.