diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index cd2ec4574c..f26b0d8a08 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -318,9 +318,9 @@ resource "google_container_cluster" "primary" { protect_config { workload_config { - audit_mode = var.protect_config.workload_config.audit_mode + audit_mode = var.workload_config_audit_mode } - workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode + workload_vulnerability_mode = var.workload_vulnerability_mode } {% endif %} ip_allocation_policy { diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 786d5b8d2f..77951b9a9a 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -767,22 +767,16 @@ variable "enable_identity_service" { default = false } -variable "protect_config" { - description = "(beta) Enable/Disable Protect API features for the cluster." - type = object({ - workload_vulnerability_mode = string, - workload_config = object({ - audit_mode = string - }) - } - ) +variable "workload_vulnerability_mode" { + description = "(beta) Vulnerability mode." + type = string + default = "" +} - default = { - workload_vulnerability_mode = "" - workload_config = { - audit_mode = "MODE_UNSPECIFIED" - } - } +variable "workload_config_audit_mode" { + description = "(beta) Worload config audit mode." + type = string + default = "MODE_UNSPECIFIED" } {% endif %} {% endif %} diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 71e5e9c1a6..625bcfaa94 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf 
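Review bot: The `protect_config` block in the new template is still emitted unconditionally, so with the new defaults every beta cluster sends `workload_vulnerability_mode = ""` and `audit_mode = "MODE_UNSPECIFIED"` to the API, and if the google-beta provider does not treat the empty string as unset this can be rejected at validation or show up as a perpetual diff, a problem the flattening makes harder to avoid than the old single object did. Consider rendering the block through a `dynamic "protect_config"` that only appears when a caller sets one of the two modes, as below, so the default is "block absent" rather than "block present with empty values". The `{% if %}` guard closed by the visible `{% endif %}` starts outside the hunk. The identical hunk recurs in the generated copies (`modules/beta-autopilot-private-cluster/cluster.tf`, `modules/beta-autopilot-public-cluster/cluster.tf`, `modules/beta-private-cluster-update-variant/cluster.tf`, `modules/beta-private-cluster/cluster.tf`, `modules/beta-public-cluster-update-variant/cluster.tf`, `modules/beta-public-cluster/cluster.tf`), which should be regenerated from this template rather than patched by hand.
```hcl
dynamic "protect_config" {
  for_each = var.workload_vulnerability_mode != "" || var.workload_config_audit_mode != "MODE_UNSPECIFIED" ? [1] : []
  content {
    workload_config {
      audit_mode = var.workload_config_audit_mode
    }
    workload_vulnerability_mode = var.workload_vulnerability_mode
  }
}
# … unchanged: ip_allocation_policy …
```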
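Review bot: The new `workload_config_audit_mode` variable misspells its own subject in `description = "(beta) Worload config audit mode."`, and both new descriptions are too thin to tell a caller what the setting controls or which values the provider accepts; because the module README tables are generated from these strings, the typo is copied into every `modules/beta-*/README.md` touched by this commit. Suggest `description = "(beta) Workload config audit mode for GKE Protect (protect_config.workload_config.audit_mode)."` and `description = "(beta) Workload vulnerability scanning mode for GKE Protect (protect_config.workload_vulnerability_mode)."`, ideally naming the accepted values. The two defaults are also inconsistent: `audit_mode` defaults to the API's explicit `MODE_UNSPECIFIED` while `workload_vulnerability_mode` defaults to `""`, which is not an enum value, so if the provider validates the field a `validation` block (or a default in the same `*_UNSPECIFIED` style) would surface a bad value at plan time instead of at apply. Removing the `protect_config` object is a breaking interface change for any caller that passed it, which the upgrade notes should state, presumably outside this diff. The same replacement appears in each generated `modules/beta-*/variables.tf` in this commit.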
@@ -131,9 +131,9 @@ resource "google_container_cluster" "primary" { protect_config { workload_config { - audit_mode = var.protect_config.workload_config.audit_mode + audit_mode = var.workload_config_audit_mode } - workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode + workload_vulnerability_mode = var.workload_vulnerability_mode } ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 1cbc56ca2d..beedc01499 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -131,9 +131,9 @@ resource "google_container_cluster" "primary" { protect_config { workload_config { - audit_mode = var.protect_config.workload_config.audit_mode + audit_mode = var.workload_config_audit_mode } - workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode + workload_vulnerability_mode = var.workload_vulnerability_mode } ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 0065f9bbb7..accab64491 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -247,7 +247,6 @@ Then perform the following commands on the root folder: | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | -| protect\_config | (beta) Enable/Disable Protect API features for the cluster. |
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
object({|
workload_vulnerability_mode = string,
workload_config = object({
audit_mode = string
})
}
)
{| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | @@ -265,6 +264,8 @@ Then perform the following commands on the root folder: | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no | +| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"MODE_UNSPECIFIED"` | no | +| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 2c70511d64..2606979792 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf 
@@ -259,9 +259,9 @@ resource "google_container_cluster" "primary" { protect_config { workload_config { - audit_mode = var.protect_config.workload_config.audit_mode + audit_mode = var.workload_config_audit_mode } - workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode + workload_vulnerability_mode = var.workload_vulnerability_mode } ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 4db2b73b1e..daaf840e1a 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -726,20 +726,14 @@ variable "enable_identity_service" { default = false } -variable "protect_config" { - description = "(beta) Enable/Disable Protect API features for the cluster." - type = object({ - workload_vulnerability_mode = string, - workload_config = object({ - audit_mode = string - }) - } - ) +variable "workload_vulnerability_mode" { + description = "(beta) Vulnerability mode." + type = string + default = "" +} - default = { - workload_vulnerability_mode = "" - workload_config = { - audit_mode = "MODE_UNSPECIFIED" - } - } +variable "workload_config_audit_mode" { + description = "(beta) Worload config audit mode." + type = string + default = "MODE_UNSPECIFIED" } diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 4ebdbee4d4..7bf573a8f1 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -225,7 +225,6 @@ Then perform the following commands on the root folder: | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
"workload_config": {
"audit_mode": "MODE_UNSPECIFIED"
},
"workload_vulnerability_mode": ""
}
[| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | -| protect\_config | (beta) Enable/Disable Protect API features for the cluster. |
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
object({|
workload_vulnerability_mode = string,
workload_config = object({
audit_mode = string
})
}
)
{| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | @@ -243,6 +242,8 @@ Then perform the following commands on the root folder: | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no | +| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"MODE_UNSPECIFIED"` | no | +| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 338d246427..542e0b86ea 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf 
@@ -259,9 +259,9 @@ resource "google_container_cluster" "primary" { protect_config { workload_config { - audit_mode = var.protect_config.workload_config.audit_mode + audit_mode = var.workload_config_audit_mode } - workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode + workload_vulnerability_mode = var.workload_vulnerability_mode } ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 4db2b73b1e..daaf840e1a 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -726,20 +726,14 @@ variable "enable_identity_service" { default = false } -variable "protect_config" { - description = "(beta) Enable/Disable Protect API features for the cluster." - type = object({ - workload_vulnerability_mode = string, - workload_config = object({ - audit_mode = string - }) - } - ) +variable "workload_vulnerability_mode" { + description = "(beta) Vulnerability mode." + type = string + default = "" +} - default = { - workload_vulnerability_mode = "" - workload_config = { - audit_mode = "MODE_UNSPECIFIED" - } - } +variable "workload_config_audit_mode" { + description = "(beta) Worload config audit mode." + type = string + default = "MODE_UNSPECIFIED" } diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 1ba79364d7..91d46d3b59 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -236,7 +236,6 @@ Then perform the following commands on the root folder: | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
"workload_config": {
"audit_mode": "MODE_UNSPECIFIED"
},
"workload_vulnerability_mode": ""
}
[| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | -| protect\_config | (beta) Enable/Disable Protect API features for the cluster. |
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
object({|
workload_vulnerability_mode = string,
workload_config = object({
audit_mode = string
})
}
)
{| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | @@ -254,6 +253,8 @@ Then perform the following commands on the root folder: | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no | +| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"MODE_UNSPECIFIED"` | no | +| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 8c72e0e87d..5b7d72c97e 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf 
@@ -259,9 +259,9 @@ resource "google_container_cluster" "primary" { protect_config { workload_config { - audit_mode = var.protect_config.workload_config.audit_mode + audit_mode = var.workload_config_audit_mode } - workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode + workload_vulnerability_mode = var.workload_vulnerability_mode } ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 6975db90be..cfa1ac2d12 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -696,20 +696,14 @@ variable "enable_identity_service" { default = false } -variable "protect_config" { - description = "(beta) Enable/Disable Protect API features for the cluster." - type = object({ - workload_vulnerability_mode = string, - workload_config = object({ - audit_mode = string - }) - } - ) +variable "workload_vulnerability_mode" { + description = "(beta) Vulnerability mode." + type = string + default = "" +} - default = { - workload_vulnerability_mode = "" - workload_config = { - audit_mode = "MODE_UNSPECIFIED" - } - } +variable "workload_config_audit_mode" { + description = "(beta) Worload config audit mode." + type = string + default = "MODE_UNSPECIFIED" } diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 7643eb30b8..6f0124a0a2 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -214,7 +214,6 @@ Then perform the following commands on the root folder: | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
"workload_config": {
"audit_mode": "MODE_UNSPECIFIED"
},
"workload_vulnerability_mode": ""
}
[| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | -| protect\_config | (beta) Enable/Disable Protect API features for the cluster. |
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
object({|
workload_vulnerability_mode = string,
workload_config = object({
audit_mode = string
})
}
)
{| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | @@ -232,6 +231,8 @@ Then perform the following commands on the root folder: | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no | +| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"MODE_UNSPECIFIED"` | no | +| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index cb07ede372..67c7b7b3ea 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf 
@@ -259,9 +259,9 @@ resource "google_container_cluster" "primary" { protect_config { workload_config { - audit_mode = var.protect_config.workload_config.audit_mode + audit_mode = var.workload_config_audit_mode } - workload_vulnerability_mode = var.protect_config.workload_vulnerability_mode + workload_vulnerability_mode = var.workload_vulnerability_mode } ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 6975db90be..cfa1ac2d12 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -696,20 +696,14 @@ variable "enable_identity_service" { default = false } -variable "protect_config" { - description = "(beta) Enable/Disable Protect API features for the cluster." - type = object({ - workload_vulnerability_mode = string, - workload_config = object({ - audit_mode = string - }) - } - ) +variable "workload_vulnerability_mode" { + description = "(beta) Vulnerability mode." + type = string + default = "" +} - default = { - workload_vulnerability_mode = "" - workload_config = { - audit_mode = "MODE_UNSPECIFIED" - } - } +variable "workload_config_audit_mode" { + description = "(beta) Worload config audit mode." + type = string + default = "MODE_UNSPECIFIED" }
"workload_config": {
"audit_mode": "MODE_UNSPECIFIED"
},
"workload_vulnerability_mode": ""
}