hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

`google_container_cluster` does not support using GKE-managed Services range in a Shared VPC setup #20448

Open fdaguin opened 4 days ago

fdaguin commented 4 days ago

Community Note

Terraform Version & Provider Version(s)

Terraform v1.5.2 on linux_amd64

Affected Resource(s)

google_container_cluster

Terraform Configuration

resource "google_container_cluster" "container_cluster" {
  # ...
  ip_allocation_policy {
    cluster_secondary_range_name  = "gke-pods-ip-range"
    services_ipv4_cidr_block      = "/20"
  }
}

Debug Output

N/A

Expected Behavior

In a GKE Standard cluster running >=1.29, when setting a range size (for example /22) through ip_allocation_policy.0.services_ipv4_cidr_block, GKE assigns IP addresses for Services from a GKE-managed range [1].

However, when in Shared VPC setup, ip_allocation_policy.0.cluster_secondary_range_name must be used [2].

At the moment, the provider does not allow using both attributes at the same time, despite this being supported by the Google APIs.

[1] https://cloud.google.com/kubernetes-engine/docs/concepts/alias-ips#cluster_sizing_secondary_range_svcs
[2] https://cloud.google.com/sdk/gcloud/reference/container/clusters/create#--cluster-ipv4-cidr

Actual Behavior

╷
│ Error: Conflicting configuration arguments
│ 
│   with google_container_cluster.container_cluster,
│   on main.tf line 1, in resource "google_container_cluster" "container_cluster":
│   4:     cluster_secondary_range_name  = "gke-pods-ip-range"
│ 
│ "ip_allocation_policy.0.cluster_secondary_range_name": conflicts with ip_allocation_policy.0.services_ipv4_cidr_block
╵
╷
│ Error: Conflicting configuration arguments
│ 
│   with google_container_cluster.container_cluster,
│   on main.tf line 1, in resource "google_container_cluster" "container_cluster":
│   5:     services_ipv4_cidr_block = "/20"
│ 
│ "ip_allocation_policy.0.services_ipv4_cidr_block": conflicts with ip_allocation_policy.0.cluster_secondary_range_name

Steps to reproduce

Using a custom provider with the following patch does work:

diff --git a/google/services/container/resource_container_cluster.go b/google/services/container/resource_container_cluster.go
index e2c35dad9..83ea8d5d7 100644
--- a/google/services/container/resource_container_cluster.go
+++ b/google/services/container/resource_container_cluster.go
@@ -1475,7 +1475,7 @@ func ResourceContainerCluster() *schema.Resource {
                                                        Optional:         true,
                                                        Computed:         true,
                                                        ForceNew:         true,
-                                                       ConflictsWith:    ipAllocationRangeFields,
+                                                       ConflictsWith:    []string{"ip_allocation_policy.0.services_secondary_range_name"},
                                                        DiffSuppressFunc: tpgresource.CidrOrSizeDiffSuppress,
                                                        Description:      `The IP address range of the services IPs in this cluster. Set to blank to have a range chosen with the default size. Set to /netmask (e.g. /14) to have a range chosen with a specific netmask. Set to a CIDR notation (e.g. 10.96.0.0/14) from the RFC-1918 private networks (e.g. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to pick a specific range to use.`,
                                                },
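Review bot: the `ConflictsWith` line now carries an inline literal `[]string{"ip_allocation_policy.0.services_secondary_range_name"}` while the `Description` two lines below is left untouched, so it still documents only the blank / netmask / CIDR forms and says nothing about the newly allowed pairing with `cluster_secondary_range_name`. Add a sentence to the Description (and to the resource's website docs, which this patch does not touch) stating that a GKE-managed Services range may be combined with a named Pods secondary range, and that GKE honours this only on clusters running 1.29 or later as the Expected Behavior section states. Prefer a named slice over the inline literal so the `ip_allocation_policy` conflict sets stay defined in one place alongside the `ipAllocationRangeFields` slice being dropped here.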
@@ -1486,7 +1486,7 @@ func ResourceContainerCluster() *schema.Resource {
                                                        Optional:      true,
                                                        Computed:      true,
                                                        ForceNew:      true,
-                                                       ConflictsWith: ipAllocationCidrBlockFields,
+                                                       ConflictsWith: []string{"ip_allocation_policy.0.cluster_ipv4_cidr_block"},
                                                        Description:   `The name of the existing secondary range in the cluster's subnetwork to use for pod IP addresses. Alternatively, cluster_ipv4_cidr_block can be used to automatically create a GKE-managed one.`,
                                                },
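Review bot: this hunk narrows `cluster_secondary_range_name` to conflict only with `cluster_ipv4_cidr_block`, but the sibling fields `cluster_ipv4_cidr_block` and `services_secondary_range_name` are not in the patch, so their own `ConflictsWith` lists presumably still use the shared slices. The error output above shows each attribute raising its own conflict, so the rejection of a pair depends on whichever side still lists it; confirm that the mirror combination (`cluster_ipv4_cidr_block` plus `services_secondary_range_name`) is still rejected from the other side if that is the intent, and that the pair this issue asks for is no longer rejected from either side. The patch changes schema only and ships no test; add an acceptance test for the newly permitted pair and a plan-time test for each pair that must remain rejected.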

Important Factoids

N/A

References

N/A

b/380489439
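
The reporter's snippet elides the surrounding Shared VPC layout with `# ...`. The following is an added example, not code from the issue or from the provider repository, showing the full intended configuration: the host project owns the VPC and a subnetwork with a single secondary range for Pods, the service project's cluster references that range by name, and the Services range is left to GKE to allocate. Project IDs, project number, names and CIDRs are placeholders. Against the unpatched provider the `google_container_cluster` block is rejected during validation with the "Conflicting configuration arguments" error shown above; it applies only with a provider carrying the patch described in this issue.

```hcl
# Added example (not from the issue or the provider). Placeholder values:
# "host-project-id", "service-project-id", local.service_project_number,
# network/subnet names and all CIDRs.

locals {
  service_project_number = "123456789012" # placeholder

  # Accounts in the service project that must be able to use the host subnet:
  # the GKE service agent and the Google APIs service agent.
  network_users = [
    "serviceAccount:service-${local.service_project_number}@container-engine-robot.iam.gserviceaccount.com",
    "serviceAccount:${local.service_project_number}@cloudservices.gserviceaccount.com",
  ]
}

# --- host project: Shared VPC, network and the subnet GKE will use ----------
resource "google_compute_shared_vpc_host_project" "host" {
  project = "host-project-id"
}

resource "google_compute_shared_vpc_service_project" "svc" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = "service-project-id"
}

resource "google_compute_network" "vpc" {
  project                 = "host-project-id"
  name                    = "shared-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "gke" {
  project                  = "host-project-id"
  name                     = "gke-subnet"
  region                   = "us-central1"
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.10.0.0/22" # node range
  private_ip_google_access = true

  # Only the Pods range is carved out by the host project. No secondary range
  # is defined for Services: services_ipv4_cidr_block below asks GKE to
  # allocate a managed range of the given size instead.
  secondary_ip_range {
    range_name    = "gke-pods-ip-range"
    ip_cidr_range = "10.20.0.0/16"
  }
}

# Least privilege: networkUser is granted on this one subnetwork rather than
# on the whole host project.
resource "google_compute_subnetwork_iam_member" "network_user" {
  for_each   = toset(local.network_users)
  project    = google_compute_subnetwork.gke.project
  region     = google_compute_subnetwork.gke.region
  subnetwork = google_compute_subnetwork.gke.name
  role       = "roles/compute.networkUser"
  member     = each.value
}

# The GKE service agent additionally needs Host Service Agent User on the host.
resource "google_project_iam_member" "host_service_agent" {
  project = "host-project-id"
  role    = "roles/container.hostServiceAgentUser"
  member  = local.network_users[0]
}

# --- service project: the cluster ------------------------------------------
resource "google_container_cluster" "container_cluster" {
  project    = google_compute_shared_vpc_service_project.svc.service_project
  name       = "shared-vpc-cluster"
  location   = "us-central1"
  network    = google_compute_network.vpc.id
  subnetwork = google_compute_subnetwork.gke.id

  # GKE-managed Services ranges need a 1.29+ control plane (issue ref [1]).
  min_master_version = "1.29"

  remove_default_node_pool = true
  initial_node_count       = 1
  deletion_protection      = false

  ip_allocation_policy {
    # Pods: the named host-project secondary range required in Shared VPC ([2]).
    cluster_secondary_range_name = google_compute_subnetwork.gke.secondary_ip_range[0].range_name
    # Services: a GKE-managed /20 instead of a second host-project range.
    services_ipv4_cidr_block = "/20"
  }

  depends_on = [
    google_compute_subnetwork_iam_member.network_user,
    google_project_iam_member.host_service_agent,
  ]
}
```

The subnetwork-scoped `roles/compute.networkUser` binding is what limits the service project to this subnet; a project-level binding would let it attach workloads to every subnet in the host VPC. The two bindings and the `depends_on` are there so the cluster create call does not race the IAM propagation.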

ggtisc commented 4 days ago

Confirmed issue!

After trying to create the google_container_cluster with a value of "/20" it returns the following error messages:

Error: Conflicting configuration arguments
│ 
│   with google_container_cluster.container_cluster_20448,
│   on main.tf line 34, in resource "google_container_cluster" "container_cluster_20448":
│   34:     cluster_secondary_range_name  = "gke-pods-ip-range"
│ 
│ "ip_allocation_policy.0.cluster_secondary_range_name": conflicts with ip_allocation_policy.0.services_ipv4_cidr_block
╵
╷
│ Error: Conflicting configuration arguments
│ 
│   with google_container_cluster.container_cluster_20448,
│   on main.tf line 35, in resource "google_container_cluster" "container_cluster_20448":
│   35:     services_ipv4_cidr_block      = "/20"
│ 
│ "ip_allocation_policy.0.services_ipv4_cidr_block": conflicts with ip_allocation_policy.0.cluster_secondary_range_name

Used code:

resource "google_container_cluster" "container_cluster_20448" {
  name                = "container-cluster-20448"
  location            = "us-central1-a"
  deletion_protection = false
  initial_node_count  = 3

  # Setting both attributes together is rejected by the provider schema
  # during validation, before any API call is made.
  ip_allocation_policy {
    cluster_secondary_range_name = "gke-pods-ip-range"
    services_ipv4_cidr_block     = "/20"
  }
}