hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Changing `enable_cilium_clusterwide_network_policy` from true to false does not work via terraform #19360

Closed ehorning closed 1 month ago

ehorning commented 2 months ago

Terraform Version & Provider Version(s)

Terraform v1.5.7 on darwin_arm64

Affected Resource(s)

google_container_cluster

Terraform Configuration

GKE cluster is initially created with enable_cilium_clusterwide_network_policy=true, and then this parameter is changed to false as per below:

```hcl
resource "google_container_cluster" "cluster-1" {
  project                                  = google_project.dev-1.project_id
  name                                     = "jericho-dev-cluster-1"
  location                                 = "us-west1"
  remove_default_node_pool                 = true
  initial_node_count                       = 1
  network                                  = google_compute_network.vpc-1.id
  subnetwork                               = google_compute_subnetwork.vpc-1-subnet-1.id
  deletion_protection                      = false
  datapath_provider                        = "ADVANCED_DATAPATH"
  enable_cilium_clusterwide_network_policy = false

  ip_allocation_policy {
    cluster_secondary_range_name  = "pods-1"
    services_secondary_range_name = "services"
  }

  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = true
    master_ipv4_cidr_block  = "10.x.x.x/28"

    master_global_access_config {
      enabled = true
    }
  }

  master_authorized_networks_config {}

  fleet {
    project = google_project.fleet.project_id
  }
}
```

Debug Output

No response

Expected Behavior

Cluster updates enable_cilium_clusterwide_network_policy to be false

Actual Behavior

Terraform plan correctly shows:

```
  # google_container_cluster.cluster-1 will be updated in-place
  ~ resource "google_container_cluster" "cluster-1" {
      ~ enable_cilium_clusterwide_network_policy = true -> false
        id                                       = "$project_id"
        name                                     = "$cluster_name"
        # (28 unchanged attributes hidden)

        # (20 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```

But on apply:

```
╷
│ Error: googleapi: Error 400: Must specify a field to update.
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.RequestInfo",
│     "requestId": "0xf411aec7f206f190"
│   }
│ ]
│ , badRequest
│
│   with google_container_cluster.cluster-1,
│   on main.tf line 113, in resource "google_container_cluster" "cluster-1":
│  113: resource "google_container_cluster" "cluster-1" {
│
╵
```

Steps to reproduce

  1. Create cluster via terraform with enable_cilium_clusterwide_network_policy=true
  2. Update cluster code in terraform such that enable_cilium_clusterwide_network_policy=false

Important Factoids

This operation works just fine via gcloud using the --no-enable-cilium-clusterwide-network-policy flag.

References

No response

b/365578714

ggtisc commented 2 months ago

Confirmed issue: after applying the shared configuration, it returns the following error:

Error: googleapi: Error 400: Must specify a field to update.

github-actions[bot] commented 1 week ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.