hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

containerd_config in resource google_container_cluster is not working #19056

Open tduverge opened 1 month ago

tduverge commented 1 month ago

Terraform Version & Provider Version(s)

Terraform v1.9.2 on

Affected Resource(s)

google_container_cluster

Terraform Configuration

resource "google_service_account" "default" {
  account_id   = "service-account-id"
  display_name = "Service Account"
}

resource "google_container_cluster" "primary" {
  name               = "marcellus-wallace"
  location           = "us-central1-a"
  initial_node_count = 3
  node_config {
    # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
    service_account = google_service_account.default.email
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform"
    ]
    containerd_config {
      private_registry_access_config {
        enabled = true
        certificate_authority_domain_config {
          fqdns = ["example.com"]
          gcp_secret_manager_certificate_config {
            secret_uri = "secret link"
          }
        }
      }
    }
    labels = {
      foo = "bar"
    }
    tags = ["foo", "bar"]
  }
  timeouts {
    create = "30m"
    update = "40m"
  }
}

Debug Output

No response

Expected Behavior

As a declared available argument of node_config (see there), I expected containerd_config to modify the resource, but it does nothing. I finally found that the containerd_config block does the job when you put it in node_config_defaults.

Since containerd_config applies to the whole cluster and not to the node pool (as you can see there), the documentation should be updated to remove the argument from node_config and add it only to the node_config_defaults section.

Actual Behavior

containerd_config doesn't change anything on the resource but still appears as a change.

Steps to reproduce

  1. terraform apply
  2. Accept changes
  3. terraform plan. The changes are still there; the previous apply did nothing.

Important Factoids

No response

References

No response

b/359218687

ggtisc commented 1 month ago

Hi @tduverge!

I tried to replicate this issue, but everything was successful without errors. Maybe you could provide more information about this issue.

tduverge commented 1 month ago

Hello @ggtisc !

Thanks for answering 😃

My problem isn't that there's an error, but that a change hasn't been taken into account.

My objective is to add a certificate authority for a private container registry, which should be done with the containerd_config argument in the node_config block according to the documentation (it's the only place where the argument is supported, again according to the documentation).

  node_config {
    containerd_config {
      private_registry_access_config {
        enabled = true
        certificate_authority_domain_config {
          fqdns = ["example.com"]
          gcp_secret_manager_certificate_config {
            secret_uri = "secret link"
          }
        }
      }
    }
  }

But when I apply this configuration, nothing happens in my cluster. A change appears when I apply, but nothing is modified, and the change appears again and again in each plan. Whereas when I put the same configuration in the node_pool_defaults.node_config_defaults block, like this:

  node_pool_defaults {
    node_config_defaults {
      containerd_config {
        private_registry_access_config {
          enabled = true
          certificate_authority_domain_config {
            fqdns = ["example.com"]
            gcp_secret_manager_certificate_config {
              secret_uri = "secret link"
            }
          }
        }
      }
    }
  }

Everything is working very well.

I'm surprised that everything is working well on your side, because I've seen this bug with different Terraform versions. And there is no doubt, when I look at the code there, that the containerd_config argument must be in node_pool_defaults.node_config_defaults and not in node_config, contrary to what the documentation says.

Moreover, the documentation says that node_config_defaults only supports logging_variant and gcfs_config, which is also an error, since containerd_config is supported and should be set only there. And it describes node_config_defaults as a "Subset of NodeConfig message that has defaults", which is also false, since containerd_config is only supported in node_pool_defaults and not in node_config.

ggtisc commented 1 month ago

After running a terraform apply, resources were created and the change is visible in the tfstate file, but the user is reporting that this is not affecting the cluster and the change is not implemented.
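As an added example (not code from the issue, the reporter, or the provider), the following Python check reads `terraform show -json tfplan` output and flags a google_container_cluster whose containerd_config sits only under node_config, so the placement the reporter describes is caught before apply instead of surfacing as a plan that never converges. The sample plan JSON is constructed for this example; the rendering of nested blocks as lists of objects follows Terraform's JSON plan format, and the `"secret link"` value is the issue's placeholder, not a valid Secret Manager resource name.

```python
import json
import sys

# Constructed sample, shaped like trimmed `terraform show -json tfplan` output.
# It is not taken from the reporter's cluster; "secret link" is the placeholder
# from the issue, not a real Secret Manager resource name.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [{
                "address": "google_container_cluster.primary",
                "type": "google_container_cluster",
                "values": {
                    "name": "marcellus-wallace",
                    # Misplaced: containerd_config under node_config only.
                    "node_config": [{
                        "containerd_config": [{
                            "private_registry_access_config": [{
                                "enabled": True,
                                "certificate_authority_domain_config": [{
                                    "fqdns": ["example.com"],
                                    "gcp_secret_manager_certificate_config": [{
                                        "secret_uri": "secret link",
                                    }],
                                }],
                            }],
                        }],
                    }],
                    "node_pool_defaults": [],
                },
            }],
            "child_modules": [{
                "address": "module.gke",
                "resources": [{
                    "address": "module.gke.google_container_cluster.ok",
                    "type": "google_container_cluster",
                    "values": {
                        "name": "ok",
                        "node_config": [{}],
                        # Placed where the reporter found it takes effect.
                        "node_pool_defaults": [{
                            "node_config_defaults": [{
                                "containerd_config": [{
                                    "private_registry_access_config": [{
                                        "enabled": True,
                                        "certificate_authority_domain_config": [{
                                            "fqdns": ["example.com"],
                                            "gcp_secret_manager_certificate_config": [{
                                                "secret_uri": "secret link",
                                            }],
                                        }],
                                    }],
                                }],
                            }],
                        }],
                    },
                }],
            }],
        },
    },
})


def nested_blocks(obj, *path):
    """Follow a chain of nested-block names. The JSON plan renders each
    nested block as a list of objects, so every step fans out over a list."""
    current = [obj]
    for name in path:
        current = [child for parent in current for child in (parent.get(name) or [])]
    return current


def iter_resources(module):
    """Yield resources from a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_containerd_placement(plan_json):
    """Return one finding per cluster whose containerd_config is under
    node_config but not under node_pool_defaults.node_config_defaults,
    or that sets it in both places."""
    plan = json.loads(plan_json)
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("type") != "google_container_cluster":
            continue
        values = res.get("values") or {}
        in_node_config = nested_blocks(values, "node_config", "containerd_config")
        in_defaults = nested_blocks(
            values, "node_pool_defaults", "node_config_defaults", "containerd_config")
        if in_node_config and not in_defaults:
            findings.append(f"{res['address']}: containerd_config is only under node_config; "
                            "move it to node_pool_defaults.node_config_defaults")
        elif in_node_config and in_defaults:
            findings.append(f"{res['address']}: containerd_config is set in both node_config and "
                            "node_pool_defaults.node_config_defaults; keep only the defaults block")
    return findings


if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python check_containerd.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN_JSON
    results = check_containerd_placement(source)
    for line in results:
        print(line)
    sys.exit(1 if results else 0)
```

Run it as a plan gate in CI: a non-zero exit blocks the apply, and the finding names the resource address so the block can be moved before the private-registry CA silently fails to reach the nodes.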