
Terraforming a Google Kubernetes Engine Cluster with Config Connector Enabled


The Google Kubernetes Engine cluster $GKE_CLUSTER_NAME is running inside of Google Cloud Platform (GCP) project $GCP_PROJECT_NAME with a matching Terraform configuration stored inside of container_cluster.tf that can be checked with:

terraform plan

#=>

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

I wish to enable Config Connector (more on that here) for $GKE_CLUSTER_NAME using Terraform by adding the following arguments to container_cluster.tf:

resource "google_container_cluster" ". . ." {
  addons_config {
    config_connector_config {
      enabled = true
    }
  }

  . . .

}

but when I go to plan this change I encounter the following error:

terraform plan

#=>

╷
│ Error: Unsupported block type
│
│   on container_cluster.tf line 3, in resource "google_container_cluster" ". . .":
│    3:     config_connector_config {
│
│ Blocks of type "config_connector_config" are not expected here.

even though the official documentation, found here, states that config_connector_config is supported by the addons_config block.

I am using the latest versions of Terraform and the google provider:

terraform version

#=>

Terraform v1.0.6
on . . .
+ provider registry.terraform.io/hashicorp/google v3.84.0

What change do I need to make so that I can successfully enable Config Connector for $GKE_CLUSTER_NAME using Terraform?


Solution

  • The config_connector_config argument is still in Beta, so you will need to use the google-beta provider for $GKE_CLUSTER_NAME:

    1. Add the provider argument for every resource:

      • specify google-beta for any resource (e.g., $GKE_CLUSTER_NAME) with at least one Beta argument:

        resource "google_container_cluster" ". . ." {
        
           . . .
        
           provider        = google-beta
        
           . . .
        
        }
        
      • specify google for all other resources:

        resource "google_container_node_pool" ". . ." {
        
           . . .
        
           provider       = google
        
           . . .
        
        }
        

      even though the provider arg. is not found in the official reference documentation for google_container_cluster here.

    2. Add the google-beta provider alongside the google provider found in a providers.tf file:

      
      . . .
      
      provider "google" {
        project = ". . ."
      }
      
      provider "google-beta" {
        project = ". . ."
      }
      
      . . .
      
      terraform {
        required_providers {
      
          . . .
      
          google = {
            version = "~> 3.84.0"
          }
          google-beta = {
            version = "~> 3.84.0"
          }
      
          . . .
      
        }
      }
      

      It is safe to use both google and google-beta providers in the same Terraform config. More on that here.

      Note: setting your GCP project name in the provider definitions above allows you to run import commands (found here) without specifying your project.

    3. Attempts to plan or apply your changes so far can result in the following:

      terraform plan
      
      #=>
      
      ╷
      │ Error: Could not load plugin
      │
      │
      │ Plugin reinitialization required. Please run "terraform init".
      │
      │ Plugins are external binaries that Terraform uses to . . .
      

      so you may have to init again:

      terraform init
      
      #=>
      
      Initializing the backend...
      
      Initializing provider plugins...
      - Finding latest version of hashicorp/google-beta...
      - Reusing previous version of hashicorp/google from the dependency lock file
      - Installing hashicorp/google-beta v3.84.0...
      - Installed hashicorp/google-beta v3.84.0 (signed by HashiCorp)
      - Using previously-installed hashicorp/google v3.84.0
      
      Terraform has made some changes to the provider dependency selections recorded
      in the .terraform.lock.hcl file. Review those changes and commit them to your
      version control system if they represent changes you intended to make.
      
      Terraform has been successfully initialized!
      
      You may now begin working with Terraform. . . .
      

      The providers command should now confirm that google-beta is required by your current configuration:

      terraform providers
      
      #=>
      
      Providers required by configuration:
      .
      ├── provider[registry.terraform.io/hashicorp/google] ~> 3.84.0
      └── provider[registry.terraform.io/hashicorp/google-beta] ~> 3.84.0
      
      Providers required by state:
      
          provider[registry.terraform.io/hashicorp/google]
      
    4. Run a plan to confirm Config Connector will be enabled:

      terraform plan
      
      #=>
      
      . . .
      
      Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
        ~ update in-place
      
      Terraform will perform the following actions:
      
        # google_container_cluster.$GKE_CLUSTER_NAME will be updated in-place
        ~ resource "google_container_cluster" ". . ." {
      
      . . .
      
            ~ addons_config {
      
                + config_connector_config {
                    + enabled = true
                  }
      . . .
      
      Plan: 0 to add, 1 to change, 0 to destroy.
      
      . . .
      

      and then apply your changes:

      terraform apply
      
      #=>
      
      google_container_cluster.. . .: Modifying... [id=projects/$GCP_PROJECT_NAME/locations/$GKE_CLUSTER_ZONE/clusters/$GKE_CLUSTER_NAME]
      
      . . .
      
      google_container_cluster.. . .: Modifications complete after xmxxs [id=projects/$GCP_PROJECT_NAME/locations/$GKE_CLUSTER_ZONE/clusters/$GKE_CLUSTER_NAME]
      
      Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
      

      Check to see if Config Connector is enabled for your cluster:

      gcloud container clusters describe $GKE_CLUSTER_NAME \
        --format="value(addonsConfig.configConnectorConfig.enabled)" \
        --zone=$GKE_CLUSTER_ZONE
      
      #=>
      
      True
      

    Want to learn more about using the google-beta provider? Visit here and here.
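
The plan review in step 4 can also be done mechanically before apply. The check below is an added example, not part of the original answer: it reads the JSON produced by `terraform plan -out=tfplan` followed by `terraform show -json tfplan` and flags a cluster change that would destroy the cluster, is not handled by google-beta, or does not enable Config Connector. The resource name `example` and the sample plan are constructed for illustration.

```python
import json

# Constructed sample: trimmed shape of `terraform show -json tfplan` output.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {
      "address": "google_container_cluster.example",
      "type": "google_container_cluster",
      "provider_name": "registry.terraform.io/hashicorp/google-beta",
      "change": {
        "actions": ["update"],
        "after": {"addons_config": [{"config_connector_config": [{"enabled": true}]}]}
      }
    },
    {
      "address": "google_container_node_pool.example",
      "type": "google_container_node_pool",
      "provider_name": "registry.terraform.io/hashicorp/google",
      "change": {"actions": ["no-op"], "after": {}}
    }
  ]
}
""")

BETA = "registry.terraform.io/hashicorp/google-beta"

def check_cluster_changes(plan):
    """Return a list of problems found in planned google_container_cluster changes."""
    problems = []
    clusters = [rc for rc in plan.get("resource_changes", [])
                if rc.get("type") == "google_container_cluster"]
    if not clusters:
        problems.append("no google_container_cluster in plan")
    for rc in clusters:
        addr = rc["address"]
        change = rc.get("change", {})
        actions = change.get("actions", [])
        after = change.get("after") or {}  # "after" is null for a pure delete
        # A replacement appears as ["delete", "create"] or ["create", "delete"].
        if "delete" in actions:
            problems.append(f"{addr}: plan would destroy the cluster ({actions})")
        if rc.get("provider_name") != BETA:
            problems.append(f"{addr}: not managed by google-beta")
        enabled = any(cc.get("enabled") for ac in after.get("addons_config") or []
                      for cc in ac.get("config_connector_config") or [])
        if not enabled:
            problems.append(f"{addr}: config_connector_config.enabled is not true")
    return problems
```

An empty list means the plan matches the in-place update shown in step 4; any entry is a reason to stop before `terraform apply`.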