Open doyelese opened 8 months ago
My mistake, Advanced is supported but does not correctly enable if security scanning isn't set up.
I have to run my terraform apply twice. Here is the plan from the two runs.
RUN 1:
    ~ security_posture_config {
        ~ vulnerability_mode = "VULNERABILITY_MODE_UNSPECIFIED" -> "VULNERABILITY_ENTERPRISE"
RUN 2:
    ~ security_posture_config {
        ~ vulnerability_mode = "VULNERABILITY_BASIC" -> "VULNERABILITY_ENTERPRISE"
So even though the first apply was supposed to go to enterprise, I think GCP will only set it to BASIC. Then after you reapply it will change BASIC to Advanced. Is this bug behaviour?
Hi @doyelese,
Sorry for the experience. I was not able to reproduce the issue on my end. Could you please try again with your cluster?
Also, please note that the vulnerability_mode can be downgraded to BASIC automatically if,
Let me know if you still have the issue and we will investigate further with your cluster name, location, project ID and project number.
I'm finding the variable naming quite confusing here. In the GCP console there are two distinct settings: "Security posture" and "Vulnerability scan"
I am trying to programmatically set the vulnerability scan to Advanced, which is what is pictured in the screenshot in the original post. The Advanced vulnerability scan does not require GKE Enterprise but the Advanced Security posture does.
I would expect that protect_config.workload_vulnerability_mode is the variable to set the Vulnerability scan, but according to the current docs this can only be DISABLED or BASIC. Should there therefore be a feature request to allow this to be set to ADVANCED?
Presumably security_posture_config.vulnerability_mode is supposed to set Security posture settings?
Does perhaps setting Security posture to Advanced also set Vulnerability scan to Advanced? That might explain what @doyelese found but I do want to just specifically set Vulnerability scan and not Security posture. Unfortunately, I do not have Enterprise enabled so cannot test this myself at present.
> I would expect that protect_config.workload_vulnerability_mode is the variable to set the Vulnerability scan but according to the current docs this can only be DISABLED or BASIC. Should there therefore be a feature request to allow this to be set to ADVANCED?

As far as I can tell protect_config should get deprecated: security_posture_config.mode seems to configure "Security posture enabled clusters" and security_posture_config.vulnerability_mode seems to configure "Vulnerability scan enabled clusters" in the Security Posture view and the "Workload vulnerability scanning" field in the cluster detail view. VULNERABILITY_ENTERPRISE is, from what I can gather, equal to "Advanced" in the WebUI.
@kvanzuijlen thanks very much for explaining that. Using security_posture_config.vulnerability_mode does do what I wanted. Would be great if the terraform docs could be updated to reflect that protectConfig is deprecated and recommend securityPostureConfig instead.
Since my clusters were already on VULNERABILITY_BASIC I can't comment on the subsequent issue @doyelese raised.
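An added Terraform example, not taken from the issue or from the provider's own docs, that configures the two settings through security_posture_config as kvanzuijlen describes and adds a postcondition so an apply fails loudly instead of silently landing on VULNERABILITY_BASIC, the first-run result doyelese reported; cluster name, location, node count and the security_posture_config.mode value are assumptions.

```hcl
# Added example (not from the issue or the provider docs).
# Assumptions: cluster name/location/node count are placeholders, and
# security_posture_config.mode = "BASIC" is used because the thread notes
# Advanced *posture* needs GKE Enterprise while Advanced *vulnerability scan*
# (VULNERABILITY_ENTERPRISE) does not.
resource "google_container_cluster" "example" {
  name               = "example-cluster" # placeholder
  location           = "us-central1"     # placeholder
  initial_node_count = 1                 # placeholder

  # Recommended path from the thread: security_posture_config, not the
  # deprecated protect_config.workload_vulnerability_mode (DISABLED/BASIC only).
  security_posture_config {
    # "Security posture enabled clusters" in the console
    mode = "BASIC"
    # "Vulnerability scan" / "Workload vulnerability scanning" in the console;
    # VULNERABILITY_ENTERPRISE == "Advanced" in the web UI
    vulnerability_mode = "VULNERABILITY_ENTERPRISE"
  }

  lifecycle {
    # Detect the silent downgrade: the first apply in the thread left the
    # cluster on VULNERABILITY_BASIC and only a second apply reached
    # VULNERABILITY_ENTERPRISE. Fail the apply rather than drift quietly.
    postcondition {
      condition     = self.security_posture_config[0].vulnerability_mode == "VULNERABILITY_ENTERPRISE"
      error_message = "GKE returned ${self.security_posture_config[0].vulnerability_mode}; Advanced vulnerability scanning was not enabled, re-run apply and check that security scanning is set up."
    }
  }
}
```

Postconditions require Terraform 1.2 or later; if the first apply trips the check, a second apply (as in the thread) should reconcile the mode and pass it.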
Description
Currently google_container_cluster protect_config.workload_vulnerability_mode only supports DISABLED and BASIC for workload security scanning. A new option, ADVANCED, should be added to enable the most recent edition of security scanning (see pic). EDIT: It is not workload_vulnerability_mode, it is security_posture_config.vulnerability_mode; please read the first comment.
b/322961537