terraform-google-modules / terraform-google-kubernetes-engine

Configures opinionated GKE clusters
https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google
Apache License 2.0

google_container_cluster `enable_l4_ilb_subsetting = false` not honored #1674

Closed glimberg closed 1 year ago

glimberg commented 1 year ago

TL;DR

When specifying `enable_l4_ilb_subsetting = false` in cluster creation, the cluster gets created with the feature enabled anyway. Because of this, subsequent runs cause a full cluster replacement, also with `enable_l4_ilb_subsetting` enabled.

Expected behavior

Cluster should be created with `enable_l4_ilb_subsetting = false`.

Observed behavior

Cluster is created with `enable_l4_ilb_subsetting = true`, causing a replacement cycle every time a change is applied.

Terraform Configuration

```hcl
// VPC network
resource "google_compute_network" "vpc_network" {
  project                 = var.project
  description             = "VPC"
  name                    = "vpc-network"
  auto_create_subnetworks = false
  routing_mode            = "REGIONAL"
}

// Dual-stack subnetwork with secondary ranges for pods and services
resource "google_compute_subnetwork" "vpc_us_central1" {
  name                     = "${var.project}-${var.region}"
  project                  = var.project
  region                   = var.region
  network                  = google_compute_network.vpc_network.id
  role                     = "ACTIVE"
  stack_type               = "IPV4_IPV6"
  ipv6_access_type         = "EXTERNAL"
  private_ip_google_access = true

  ip_cidr_range = "10.187.0.0/20"

  secondary_ip_range {
    range_name    = "kube-pods"
    ip_cidr_range = "10.60.0.0/14"
  }

  secondary_ip_range {
    range_name    = "kube-services"
    ip_cidr_range = "10.58.96.0/20"
  }
}

// Create Kubernetes Cluster
resource "google_container_cluster" "cluster" {
  name                        = "cluster-${var.region}"
  project                     = var.project
  location                    = "us-central1-a"
  remove_default_node_pool    = true
  initial_node_count          = 1
  networking_mode             = "VPC_NATIVE"
  logging_service             = "logging.googleapis.com/kubernetes"
  min_master_version          = "1.25.8-gke.1000"
  monitoring_service          = "monitoring.googleapis.com/kubernetes"
  network                     = google_compute_network.vpc_network.id
  subnetwork                  = google_compute_subnetwork.vpc_us_central1.id
  datapath_provider           = "ADVANCED_DATAPATH"
  enable_intranode_visibility = false
  enable_l4_ilb_subsetting    = false

  release_channel {
    channel = "STABLE"
  }

  ip_allocation_policy {
    cluster_secondary_range_name  = "kube-pods"
    services_secondary_range_name = "kube-services"
    stack_type                    = "IPV4_IPV6"
  }
}
```

Terraform Version

```
Terraform v1.4.6
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v4.65.2
+ provider registry.terraform.io/hashicorp/random v3.5.1
```

Additional information

No response
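
A CI guard for the replacement cycle described in this report, added here as an example (not code from the issue or from the module): it reads the JSON form of a plan (`terraform show -json`) and reports every `google_container_cluster` the plan would destroy and recreate, together with the attributes forcing it. The sample plan is constructed for illustration and the function name is hypothetical.

```python
import json
import sys

# Constructed sample: a trimmed `terraform show -json` plan document for the
# cluster resource in the report. Values are illustrative, not captured output.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": "google_container_cluster.cluster",
            "type": "google_container_cluster",
            "change": {
                "actions": ["delete", "create"],
                "before": {"enable_l4_ilb_subsetting": True},
                "after": {"enable_l4_ilb_subsetting": False},
                "replace_paths": [["enable_l4_ilb_subsetting"]],
            },
        },
        {
            "address": "google_compute_network.vpc_network",
            "type": "google_compute_network",
            "change": {"actions": ["no-op"], "before": {}, "after": {}},
        },
    ]
})


def cluster_replacements(plan_json, rtype="google_container_cluster"):
    """Return (address, forcing attribute paths) for each cluster the plan replaces."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        actions = set(change.get("actions", []))
        # Terraform records a replacement as delete and create, in either order.
        if rc.get("type") == rtype and {"delete", "create"} <= actions:
            paths = [".".join(str(step) for step in path)
                     for path in change.get("replace_paths") or []]
            findings.append((rc["address"], paths))
    return findings


if __name__ == "__main__":
    # Pipe `terraform show -json plan.out` in; without a pipe the sample is used.
    doc = SAMPLE_PLAN if sys.stdin.isatty() else sys.stdin.read()
    hits = cluster_replacements(doc)
    for address, paths in hits:
        print(f"REPLACE {address}: forced by {', '.join(paths) or 'unknown'}")
    sys.exit(1 if hits else 0)
```

A non-zero exit status lets a pipeline stop before `terraform apply` when a cluster replacement is planned.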

tfluehmann commented 1 year ago

Similar issue when I try to change the setting in an existing public cluster (works via Google UI):

```
- Using previously-installed hashicorp/google-beta v4.71.0
- Using previously-installed hashicorp/random v3.5.1
- Using previously-installed hashicorp/google v4.71.0
- Using previously-installed hashicorp/null v3.1.1
- Using previously-installed hashicorp/kubernetes v2.21.1
```

```
    {
      "Key": "gke",
      "Source": "registry.terraform.io/terraform-google-modules/kubernetes-engine/google",
      "Version": "26.1.1",
      "Dir": ".terraform/modules/gke"
    },
```

Adding `enable_l4_ilb_subsetting = true` to an existing cluster results in:

```
╷
│ Error: Unsupported argument
│ 
│   on main.tf line 564, in module "gke":
│  564:   enable_l4_ilb_subsetting = true
│ 
│ An argument named "enable_l4_ilb_subsetting" is not expected here.
╵
```

According to this PR: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/896, I expected it to work.

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days