google_container_cluster resource no longer supports the node_ipv4_cidr_size property

[walterdolce]

It appears as though the node_ipv4_cidr_size property can no longer be verified.

InSpec spec:

describe google_container_cluster(project: 'some-project', zone: 'some-zone', name: 'my-cluster') do
   its('node_ipv4_cidr_size') { should eq 24 }
end

Result:

×  Cluster my-cluster node_ipv4_cidr_size
     undefined method `node_ipv4_cidr_size' for Cluster my-cluster:#<Class:0x00007fb5bdaedad8>

According to this search result here, it is documented but there is no reference in the relevant Ruby class. There is a reference in the google_container_regional_cluster.

This used to work just fine. But it doesn't anymore. Is this something resulting from a change on Google API's end?

Inspec version in use is 3.6.6 and Inspec-gcp version in use is the latest, v0.11.0. Thank you

[slevenick]

If a property doesn't exist on a resource the method doesn't get created. So if the property only is returned by the API in certain cases, it's tricky to write tests against them. This is a result of the methods that are generated via GcpResourceDynamicMethods.create_methods.

So, based on the REST documentation for the container cluster resource: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#Cluster

specifically the nodeIpv4CidrSize property: This field will only be set when cluster is in route-based network mode.. I'm guessing that you are testing a cluster in route-based network mode, which would not return the nodeIpv4CidrSize which would cause the error you are seeing.

I would test this by grabbing the API response directly, and seeing if the nodeIpv4CidrSize is set.

I prefer the Magic Modules generated resources for this reason, they will return nil rather than having a method be undefined.

[walterdolce]

I see. You're absolutely right @slevenick. Thank you for that.

What's the reason for us to using the beta version of the API internally within inspec-gcp instead of using the stable version?

[slevenick]

That's a bad link on my part

The stable version is the same: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters

Edit: looks like you're correct, we are using the beta version within that resource Google::Apis::ContainerV1beta1::ContainerService

Not sure of any reason on that, probably because it simply hasn't been updated.

[walterdolce]

Edit: looks like you're correct, we are using the beta version within that resource [...]

Yep. That's exactly what I was referring to :-) I should have added a link to the code! Let's see what the maintainers say about that. I would not expect the tool to rely on potentially unstable APIs, despite the fact inspec-gcp itself has not reached the 1.x version mark.

[skpaterson]

In order to check for particular CIS related properties in some cases there was no choice except to use beta api versions. Behind the scenes we continually test the resource pack against the APIs so any fluctuations are quickly dealt with.

[walterdolce]

That's good to know. I guess that's the usual "versioning enigma".