hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Add support for Advanced Workload Scanning #16925

Open doyelese opened 8 months ago

doyelese commented 8 months ago

Community Note

Description

Currently google_container_cluster protect_config.workload_vulnerability_mode only supports DISABLED and BASIC for workload security scanning. A new option, ADVANCED, should be added to enable the most recent edition of security scanning (see pic). EDIT: It is not workload_vulnerability_mode, it is security_posture_config.vulnerability_mode; please read the first comment.

[Screenshot 2024-01-08 at 11 22 56 AM]

New or Affected Resource(s)

b/322961537

doyelese commented 8 months ago

My mistake, Advanced is supported but does not correctly enable if security scanning isn't set up.

I have to run my terraform apply twice. Here is the plan from the two runs.

RUN 1:

      ~ security_posture_config {
          ~ vulnerability_mode = "VULNERABILITY_MODE_UNSPECIFIED" -> "VULNERABILITY_ENTERPRISE"

RUN 2:

      ~ security_posture_config {
          ~ vulnerability_mode = "VULNERABILITY_BASIC" -> "VULNERABILITY_ENTERPRISE"

So even though the first apply was supposed to go to enterprise, I think GCP will only set it to BASIC. Then after you reapply it will change BASIC to Advanced. Is this buggy behaviour?
DDDDarrenWB commented 7 months ago

Hi @doyelese,

Sorry for the experience. I was not able to reproduce the issue on my end. Could you please try again with your cluster? Also, please note that the vulnerability_mode can be downgraded to BASIC automatically if:

  1. Not using GKE ENTERPRISE.
  2. The cluster is not registered to a fleet.
  3. The Container Analysis API is not enabled.

Let me know if you still have the issue and we will investigate further with your cluster name, location, project ID and project number.

rparini-intellegens commented 5 months ago

I'm finding the variable naming quite confusing here. In the GCP console there are two distinct settings: "Security posture" and "Vulnerability scan".

[Screenshot 2024-04-11 at 15 04 37]

I am trying to programmatically set the vulnerability scan to Advanced, which is what is pictured in the screenshot in the original post. The Advanced vulnerability scan does not require GKE Enterprise but the Advanced Security posture does.

I would expect that protect_config.workload_vulnerability_mode is the variable to set the Vulnerability scan but according to the current docs this can only be DISABLED or BASIC. Should there therefore be a feature request to allow this to be set to ADVANCED?

Presumably security_posture_config.vulnerability_mode is supposed to set Security posture settings? [Screenshot 2024-04-11 at 15 20 52] Does perhaps setting Security posture to Advanced also set Vulnerability scan to Advanced? That might explain what @doyelese found, but I do want to just specifically set Vulnerability scan and not Security posture. Unfortunately, I do not have Enterprise enabled so cannot test this myself at present.

kvanzuijlen commented 5 months ago

I would expect that protect_config.workload_vulnerability_mode is the variable to set the Vulnerability scan but according to the current docs this can only be DISABLED or BASIC. Should there therefore be a feature request to allow this to be set to ADVANCED?

As far as I can tell protect_config should get deprecated:

[image]

security_posture_config.mode seems to configure "Security posture enabled clusters" and security_posture_config.vulnerability_mode seems to configure "Vulnerability scan enabled clusters" in the Security Posture view and the "Workload vulnerability scanning" field in the cluster detail view. VULNERABILITY_ENTERPRISE is, from what I can gather, equal to "Advanced" in the WebUI.
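
Putting the mapping above and the silent downgrade from the first comment together, here is an added example configuration (not code from this issue or from the provider): it sets the "Vulnerability scan" setting through security_posture_config rather than protect_config, registers the cluster to a fleet as one of the listed prerequisites, and uses a Terraform check block to read the cluster back after apply and warn when GKE reports something other than VULNERABILITY_ENTERPRISE. Cluster, location and project names are placeholders; the fleet block and the google_container_cluster data source are assumed to be available in your provider version.

```hcl
resource "google_container_cluster" "example" {
  name               = "example-cluster" # placeholder
  location           = "us-central1"     # placeholder
  initial_node_count = 1

  # Prerequisite named in the thread: an unregistered cluster can be
  # downgraded to BASIC. Assumes the provider's fleet block.
  fleet {
    project = "my-fleet-host-project" # placeholder fleet host project
  }

  # "Security posture" (mode) and "Vulnerability scan" (vulnerability_mode)
  # are separate console settings; Advanced posture needs GKE Enterprise,
  # Advanced vulnerability scan does not.
  security_posture_config {
    mode               = "BASIC"
    vulnerability_mode = "VULNERABILITY_ENTERPRISE" # "Advanced" in the console
  }
}

# Read the live cluster back after apply. Referencing the resource defers
# the read until the apply has finished, so this sees what GKE actually
# stored rather than the value Terraform planned.
check "vulnerability_mode_applied" {
  data "google_container_cluster" "live" {
    name     = google_container_cluster.example.name
    location = google_container_cluster.example.location
  }

  assert {
    condition     = data.google_container_cluster.live.security_posture_config[0].vulnerability_mode == "VULNERABILITY_ENTERPRISE"
    error_message = "GKE reports vulnerability_mode ${data.google_container_cluster.live.security_posture_config[0].vulnerability_mode}; check fleet registration, the Container Analysis API and the GKE Enterprise prerequisites instead of re-running apply."
  }
}
```

Check blocks emit a warning rather than failing the run, which is enough to surface the BASIC-after-first-apply state in CI output without blocking unrelated changes.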

rparini-intellegens commented 5 months ago

@kvanzuijlen thanks very much for explaining that. Using security_posture_config.vulnerability_mode does do what I wanted. Would be great if the terraform docs could be updated to reflect that protectConfig is deprecated and recommend securityPostureConfig instead.

Since my clusters were already on VULNERABILITY_BASIC I can't comment on the subsequent issue @doyelese raised.