Creating a cluster without a default service account and deleting the initial node pool cannot be done simultaneously.

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
If an issue is assigned to a user, that user is claiming responsibility for the issue.
Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Description

As explained by @volodymyr-stoiko in issue #12070, the cluster is recreated whenever the default node pool includes a node_config block.

The creation of the cluster fails because the default service account is disabled, preventing the initial node pool from being created. However, adding the node_config block to specify a custom service account leads to a conflict with container_node_pool, resulting in the cluster being recreated every time.

Would it be possible to introduce a default_service_account_override variable to avoid the need for a node_config block?

New or Affected Resource(s)

google_container_cluster

Potential Terraform Configuration

resource "google_container_cluster" "cluster" {
  project                   = var.project_id
  name                      = var.cluster_name
  location                  = var.zone == "" ? var.region : var.zone
  network                   = var.network_name
  subnetwork                = var.sub_network_name
  logging_service           = var.google_logging_service ? "logging.googleapis.com/kubernetes" : "none"
  monitoring_service        = var.google_monitoring_service ? "monitoring.googleapis.com/kubernetes" : "none"
  default_max_pods_per_node = var.default_max_pods_per_node

  release_channel {
    channel = var.release_channel
  }

  # node_config {
  #  service_account = var.service_account_email
  # }
  default_service_account_override = var.service_account_email
  remove_default_node_pool = var.remove_default_node_pool
  initial_node_count       = var.initial_node_count
}

b/330175568

Seeing this behavior as well for a cluster that deletes the default pool and uses only node auto-provisioning. We've had success ignoring changes to node_config as @Montana does in #17252, but this may not be appropriate for all users.

resource "google_container_cluster" "cluster" {
  [ ... ]

  remove_default_node_pool = true

  cluster_autoscaling {
    enabled = true

    auto_provisioning_defaults {
      service_account = var.node_service_account
      oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
    }
  }

  node_config {
    service_account = var.node_service_account
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
  }

  lifecycle {
    // Suppress permanent diff in "node_config" block that forces cluster recreation.
    ignore_changes = [node_config]
  }
}

hashicorp / terraform-provider-google