Skip to content

fix: additional_ip_ranges_config #2458

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 27 commits into
base: main
Choose a base branch
from
Open

fix: additional_ip_ranges_config #2458

wants to merge 27 commits into from

Conversation

@DrFaust92
Copy link
Contributor

@DrFaust92 DrFaust92 commented Sep 26, 2025
edited by apeabody
Loading

apologies, missed this again

Fixes: #2437

@DrFaust92 DrFaust92 marked this pull request as ready for review September 26, 2025 02:46
@DrFaust92 DrFaust92 requested review from a team, apeabody and ericyz as code owners September 26, 2025 02:46
@apeabody
Copy link
Collaborator

apeabody commented Sep 26, 2025

/gcbrun

pib
pib reviewed Sep 26, 2025
View reviewed changes
@DrFaust92 DrFaust92 marked this pull request as draft September 28, 2025 01:59
@DrFaust92 DrFaust92 marked this pull request as ready for review October 3, 2025 01:07
@apeabody
Copy link
Collaborator

apeabody commented Oct 3, 2025

/gcbrun

1 similar comment
@apeabody
Copy link
Collaborator

apeabody commented Oct 3, 2025

/gcbrun

@apeabody apeabody self-assigned this Oct 3, 2025
@apeabody
Copy link
Collaborator

apeabody commented Oct 3, 2025

/gcbrun

@apeabody
Copy link
Collaborator

apeabody commented Oct 3, 2025

Hi @DrFaust92 - I'm going to run the test again, but this is the only PR I'm currently seeing this error:

Error: Cannot determine region: set in this resource, or set provider-level 'region' or 'zone'.

  with module.example.module.gke.google_container_cluster.primary,
  on ../../../modules/beta-public-cluster/cluster.tf line 22, in resource "google_container_cluster" "primary":
  22: resource "google_container_cluster" "primary" {
}

@apeabody
Copy link
Collaborator

apeabody commented Oct 3, 2025

/gcbrun

@apeabody
Copy link
Collaborator

apeabody commented Oct 7, 2025

Thanks @DrFaust92, still seeing:

TestNodePool 2025-10-07T21:08:49Z command.go:212: module.example.module.gke.google_container_cluster.primary: Creating...
TestNodePool 2025-10-07T21:08:49Z command.go:212: 
TestNodePool 2025-10-07T21:08:49Z command.go:212: Error: Cannot determine region: set in this resource, or set provider-level 'region' or 'zone'.
TestNodePool 2025-10-07T21:08:49Z command.go:212: 
TestNodePool 2025-10-07T21:08:49Z command.go:212:   with module.example.module.gke.google_container_cluster.primary,
TestNodePool 2025-10-07T21:08:49Z command.go:212:   on ../../../modules/beta-public-cluster/cluster.tf line 22, in resource "google_container_cluster" "primary":
TestNodePool 2025-10-07T21:08:49Z command.go:212:   22: resource "google_container_cluster" "primary" {
TestNodePool 2025-10-07T21:08:49Z command.go:212:

@apeabody apeabody mentioned this pull request Oct 8, 2025
Open
@cwh-hcl
Copy link

cwh-hcl commented Oct 8, 2025

I don't think the additional_ip_ranges_config variable needs to be defined as a list... see my comment here -> #2437 (comment)

@DrFaust92 DrFaust92 marked this pull request as draft October 8, 2025 17:54
DrFaust92
DrFaust92 commented Oct 8, 2025
View reviewed changes
@DrFaust92 DrFaust92 marked this pull request as ready for review October 8, 2025 18:10
@apeabody
Copy link
Collaborator

apeabody commented Oct 8, 2025

/gcbrun

1 similar comment
@apeabody
Copy link
Collaborator

apeabody commented Oct 8, 2025

/gcbrun

apeabody
apeabody reviewed Oct 9, 2025
View reviewed changes
@apeabody
Copy link
Collaborator

apeabody commented Oct 9, 2025

/gcbrun

@DrFaust92
Copy link
Contributor Author

DrFaust92 commented Oct 9, 2025

apeabody, can you share the current failure? 🙏

@apeabody
Copy link
Collaborator

apeabody commented Oct 9, 2025

apeabody, can you share the current failure? 🙏

Hi @DrFaust92 - Running again as I'm not convinced this is due to the change:

Step #60 - "apply node-pool-local": Error: Error updating cluster for []: googleapi: Error 400: Cluster is running incompatible operation operation-1760041804071-8378a7c3-539b-4e68-a2d3-8f58bb864553.
Step #60 - "apply node-pool-local": Details:
Step #60 - "apply node-pool-local": [
Step #60 - "apply node-pool-local":   {
Step #60 - "apply node-pool-local":     "@type": "type.googleapis.com/google.rpc.RequestInfo",
Step #60 - "apply node-pool-local":     "requestId": "0xf2eadd1a8ccb3137"
Step #60 - "apply node-pool-local":   },
Step #60 - "apply node-pool-local":   {
Step #60 - "apply node-pool-local":     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
Step #60 - "apply node-pool-local":     "domain": "container.googleapis.com",
Step #60 - "apply node-pool-local":     "reason": "CLUSTER_ALREADY_HAS_OPERATION"
Step #60 - "apply node-pool-local":   }
Step #60 - "apply node-pool-local": ]
Step #60 - "apply node-pool-local": , failedPrecondition
Step #60 - "apply node-pool-local": 
Step #60 - "apply node-pool-local":   with module.example.module.gke.google_container_cluster.primary,
Step #60 - "apply node-pool-local":   on ../../../modules/beta-public-cluster/cluster.tf line 22, in resource "google_container_cluster" "primary":
Step #60 - "apply node-pool-local":   22: resource "google_container_cluster" "primary" {
Step #60 - "apply node-pool-local": }

@apeabody
Copy link
Collaborator

apeabody commented Oct 10, 2025
edited
Loading

apeabody, can you share the current failure? 🙏

Hi @DrFaust92 - Running again as I'm not convinced this is due to the change:

Step #60 - "apply node-pool-local": Error: Error updating cluster for []: googleapi: Error 400: Cluster is running incompatible operation operation-1760041804071-8378a7c3-539b-4e68-a2d3-8f58bb864553.
Step #60 - "apply node-pool-local": Details:
Step #60 - "apply node-pool-local": [
Step #60 - "apply node-pool-local":   {
Step #60 - "apply node-pool-local":     "@type": "type.googleapis.com/google.rpc.RequestInfo",
Step #60 - "apply node-pool-local":     "requestId": "0xf2eadd1a8ccb3137"
Step #60 - "apply node-pool-local":   },
Step #60 - "apply node-pool-local":   {
Step #60 - "apply node-pool-local":     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
Step #60 - "apply node-pool-local":     "domain": "container.googleapis.com",
Step #60 - "apply node-pool-local":     "reason": "CLUSTER_ALREADY_HAS_OPERATION"
Step #60 - "apply node-pool-local":   }
Step #60 - "apply node-pool-local": ]
Step #60 - "apply node-pool-local": , failedPrecondition
Step #60 - "apply node-pool-local": 
Step #60 - "apply node-pool-local":   with module.example.module.gke.google_container_cluster.primary,
Step #60 - "apply node-pool-local":   on ../../../modules/beta-public-cluster/cluster.tf line 22, in resource "google_container_cluster" "primary":
Step #60 - "apply node-pool-local":   22: resource "google_container_cluster" "primary" {
Step #60 - "apply node-pool-local": }

I'm seeing the same error in #2466

@apeabody
Copy link
Collaborator

apeabody commented Oct 28, 2025

/gcbrun

@apeabody
Copy link
Collaborator

apeabody commented Oct 28, 2025

Thanks @DrFaust92!

This looks great, we just need to add the new integration test to the build: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/main/build/int.cloudbuild.yaml#L514

Something like this:

- id: apply test-simple-regional
  waitFor:
    - init-all
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestSimpleRegional --stage apply --verbose']
- id: verify test-simple-regional
  waitFor:
    - apply test-simple-regional
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestSimpleRegional --stage verify --verbose']
- id: teardown test-simple-regional
  waitFor:
    - verify test-simple-regional
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestSimpleRegional --stage teardown --verbose']

@DrFaust92
change test
65e3ea9 
Signed-off-by: drfaust92 <[email protected]>
@DrFaust92
Copy link
Contributor Author

DrFaust92 commented Oct 31, 2025

Thanks @DrFaust92!

This looks great, we just need to add the new integration test to the build: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/main/build/int.cloudbuild.yaml#L514

Something like this:

- id: apply test-simple-regional
  waitFor:
    - init-all
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestSimpleRegional --stage apply --verbose']
- id: verify test-simple-regional
  waitFor:
    - apply test-simple-regional
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestSimpleRegional --stage verify --verbose']
- id: teardown test-simple-regional
  waitFor:
    - verify test-simple-regional
  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
  args: ['/bin/bash', '-c', 'cft test run TestSimpleRegional --stage teardown --verbose']

added

@apeabody
Copy link
Collaborator

apeabody commented Oct 31, 2025

/gcbrun

1 similar comment
@apeabody
Copy link
Collaborator

apeabody commented Oct 31, 2025

/gcbrun

@apeabody
Copy link
Collaborator

apeabody commented Oct 31, 2025

/gcbrun

apeabody
apeabody reviewed Nov 4, 2025
View reviewed changes
@apeabody
Copy link
Collaborator

apeabody commented Nov 4, 2025

/gcbrun

@apeabody
Copy link
Collaborator

apeabody commented Nov 7, 2025

Great news @DrFaust92! - The new test is running with two highlights:

Step #16 - "verify simple-regional-additional-local":         	Error:      	Not equal: 
Step #16 - "verify simple-regional-additional-local":         	            	expected: "{\"configConnectorConfig\":{},\"dnsCacheConfig\":{},\"gcePersistentDiskCsiDriverConfig\":{\"enabled\":true},\"gcpFilestoreCsiDriverConfig\":{},\"gcsFuseCsiDriverConfig\":{\"enabled\":true},\"gkeBackupAgentConfig\":{},\"horizontalPodAutoscaling\":{},\"httpLoadBalancing\":{},\"kubernetesDashboard\":{\"disabled\":true},\"networkPolicyConfig\":{\"disabled\":true},\"statefulHaConfig\":{\"enabled\":true}}"
Step #16 - "verify simple-regional-additional-local":         	            	actual  : "{\"configConnectorConfig\":{},\"dnsCacheConfig\":{},\"gcePersistentDiskCsiDriverConfig\":{\"enabled\":true},\"gcpFilestoreCsiDriverConfig\":{},\"gkeBackupAgentConfig\":{},\"horizontalPodAutoscaling\":{},\"httpLoadBalancing\":{},\"kubernetesDashboard\":{\"disabled\":true},\"networkPolicyConfig\":{\"disabled\":true}}"
Step #16 - "verify simple-regional-additional-local":         	            	
Step #16 - "verify simple-regional-additional-local":         	            	Diff:
Step #16 - "verify simple-regional-additional-local":         	            	--- Expected
Step #16 - "verify simple-regional-additional-local":         	            	+++ Actual
Step #16 - "verify simple-regional-additional-local":         	            	@@ -1 +1 @@
Step #16 - "verify simple-regional-additional-local":         	            	-{"configConnectorConfig":{},"dnsCacheConfig":{},"gcePersistentDiskCsiDriverConfig":{"enabled":true},"gcpFilestoreCsiDriverConfig":{},"gcsFuseCsiDriverConfig":{"enabled":true},"gkeBackupAgentConfig":{},"horizontalPodAutoscaling":{},"httpLoadBalancing":{},"kubernetesDashboard":{"disabled":true},"networkPolicyConfig":{"disabled":true},"statefulHaConfig":{"enabled":true}}
Step #16 - "verify simple-regional-additional-local":         	            	+{"configConnectorConfig":{},"dnsCacheConfig":{},"gcePersistentDiskCsiDriverConfig":{"enabled":true},"gcpFilestoreCsiDriverConfig":{},"gkeBackupAgentConfig":{},"horizontalPodAutoscaling":{},"httpLoadBalancing":{},"kubernetesDashboard":{"disabled":true},"networkPolicyConfig":{"disabled":true}}
Step #16 - "verify simple-regional-additional-local":         	Test:       	TestSimpleRegionalAdditionalIPRanges
Step #16 - "verify simple-regional-additional-local":         	Messages:   	For path "addonsConfig" expected "{\"configConnectorConfig\":{},\"dnsCacheConfig\":{},\"gcePersistentDiskCsiDriverConfig\":{\"enabled\":true},\"gcpFilestoreCsiDriverConfig\":{},\"gkeBackupAgentConfig\":{},\"horizontalPodAutoscaling\":{},\"httpLoadBalancing\":{},\"kubernetesDashboard\":{\"disabled\":true},\"networkPolicyConfig\":{\"disabled\":true}}" to match fixture "{\"configConnectorConfig\":{},\"dnsCacheConfig\":{},\"gcePersistentDiskCsiDriverConfig\":{\"enabled\":true},\"gcpFilestoreCsiDriverConfig\":{},\"gcsFuseCsiDriverConfig\":{\"enabled\":true},\"gkeBackupAgentConfig\":{},\"horizontalPodAutoscaling\":{},\"httpLoadBalancing\":{},\"kubernetesDashboard\":{\"disabled\":true},\"networkPolicyConfig\":{\"disabled\":true},\"statefulHaConfig\":{\"enabled\":true}}"

Step #16 - "verify simple-regional-additional-local":         	Error:      	Not equal: 
Step #16 - "verify simple-regional-additional-local":         	            	expected: "{\"evaluationMode\":\"PROJECT_SINGLETON_POLICY_ENFORCE\"}"
Step #16 - "verify simple-regional-additional-local":         	            	actual  : "{}"
Step #16 - "verify simple-regional-additional-local":         	            	
Step #16 - "verify simple-regional-additional-local":         	            	Diff:
Step #16 - "verify simple-regional-additional-local":         	            	--- Expected
Step #16 - "verify simple-regional-additional-local":         	            	+++ Actual
Step #16 - "verify simple-regional-additional-local":         	            	@@ -1 +1 @@
Step #16 - "verify simple-regional-additional-local":         	            	-{"evaluationMode":"PROJECT_SINGLETON_POLICY_ENFORCE"}
Step #16 - "verify simple-regional-additional-local":         	            	+{}
Step #16 - "verify simple-regional-additional-local":         	Test:       	TestSimpleRegionalAdditionalIPRanges
Step #16 - "verify simple-regional-additional-local":         	Messages:   	For path "binaryAuthorization" expected "{}" to match fixture "{\"evaluationMode\":\"PROJECT_SINGLETON_POLICY_ENFORCE\"}"

@DrFaust92
align test
06099d9 
Signed-off-by: drfaust92 <[email protected]>
@DrFaust92
Copy link
Contributor Author

DrFaust92 commented Nov 13, 2025

Great news @DrFaust92! - The new test is running with two highlights:

Step #16 - "verify simple-regional-additional-local":         	Error:      	Not equal: 
Step #16 - "verify simple-regional-additional-local":         	            	expected: "{\"configConnectorConfig\":{},\"dnsCacheConfig\":{},\"gcePersistentDiskCsiDriverConfig\":{\"enabled\":true},\"gcpFilestoreCsiDriverConfig\":{},\"gcsFuseCsiDriverConfig\":{\"enabled\":true},\"gkeBackupAgentConfig\":{},\"horizontalPodAutoscaling\":{},\"httpLoadBalancing\":{},\"kubernetesDashboard\":{\"disabled\":true},\"networkPolicyConfig\":{\"disabled\":true},\"statefulHaConfig\":{\"enabled\":true}}"
Step #16 - "verify simple-regional-additional-local":         	            	actual  : "{\"configConnectorConfig\":{},\"dnsCacheConfig\":{},\"gcePersistentDiskCsiDriverConfig\":{\"enabled\":true},\"gcpFilestoreCsiDriverConfig\":{},\"gkeBackupAgentConfig\":{},\"horizontalPodAutoscaling\":{},\"httpLoadBalancing\":{},\"kubernetesDashboard\":{\"disabled\":true},\"networkPolicyConfig\":{\"disabled\":true}}"
Step #16 - "verify simple-regional-additional-local":         	            	
Step #16 - "verify simple-regional-additional-local":         	            	Diff:
Step #16 - "verify simple-regional-additional-local":         	            	--- Expected
Step #16 - "verify simple-regional-additional-local":         	            	+++ Actual
Step #16 - "verify simple-regional-additional-local":         	            	@@ -1 +1 @@
Step #16 - "verify simple-regional-additional-local":         	            	-{"configConnectorConfig":{},"dnsCacheConfig":{},"gcePersistentDiskCsiDriverConfig":{"enabled":true},"gcpFilestoreCsiDriverConfig":{},"gcsFuseCsiDriverConfig":{"enabled":true},"gkeBackupAgentConfig":{},"horizontalPodAutoscaling":{},"httpLoadBalancing":{},"kubernetesDashboard":{"disabled":true},"networkPolicyConfig":{"disabled":true},"statefulHaConfig":{"enabled":true}}
Step #16 - "verify simple-regional-additional-local":         	            	+{"configConnectorConfig":{},"dnsCacheConfig":{},"gcePersistentDiskCsiDriverConfig":{"enabled":true},"gcpFilestoreCsiDriverConfig":{},"gkeBackupAgentConfig":{},"horizontalPodAutoscaling":{},"httpLoadBalancing":{},"kubernetesDashboard":{"disabled":true},"networkPolicyConfig":{"disabled":true}}
Step #16 - "verify simple-regional-additional-local":         	Test:       	TestSimpleRegionalAdditionalIPRanges
Step #16 - "verify simple-regional-additional-local":         	Messages:   	For path "addonsConfig" expected "{\"configConnectorConfig\":{},\"dnsCacheConfig\":{},\"gcePersistentDiskCsiDriverConfig\":{\"enabled\":true},\"gcpFilestoreCsiDriverConfig\":{},\"gkeBackupAgentConfig\":{},\"horizontalPodAutoscaling\":{},\"httpLoadBalancing\":{},\"kubernetesDashboard\":{\"disabled\":true},\"networkPolicyConfig\":{\"disabled\":true}}" to match fixture "{\"configConnectorConfig\":{},\"dnsCacheConfig\":{},\"gcePersistentDiskCsiDriverConfig\":{\"enabled\":true},\"gcpFilestoreCsiDriverConfig\":{},\"gcsFuseCsiDriverConfig\":{\"enabled\":true},\"gkeBackupAgentConfig\":{},\"horizontalPodAutoscaling\":{},\"httpLoadBalancing\":{},\"kubernetesDashboard\":{\"disabled\":true},\"networkPolicyConfig\":{\"disabled\":true},\"statefulHaConfig\":{\"enabled\":true}}"

Step #16 - "verify simple-regional-additional-local":         	Error:      	Not equal: 
Step #16 - "verify simple-regional-additional-local":         	            	expected: "{\"evaluationMode\":\"PROJECT_SINGLETON_POLICY_ENFORCE\"}"
Step #16 - "verify simple-regional-additional-local":         	            	actual  : "{}"
Step #16 - "verify simple-regional-additional-local":         	            	
Step #16 - "verify simple-regional-additional-local":         	            	Diff:
Step #16 - "verify simple-regional-additional-local":         	            	--- Expected
Step #16 - "verify simple-regional-additional-local":         	            	+++ Actual
Step #16 - "verify simple-regional-additional-local":         	            	@@ -1 +1 @@
Step #16 - "verify simple-regional-additional-local":         	            	-{"evaluationMode":"PROJECT_SINGLETON_POLICY_ENFORCE"}
Step #16 - "verify simple-regional-additional-local":         	            	+{}
Step #16 - "verify simple-regional-additional-local":         	Test:       	TestSimpleRegionalAdditionalIPRanges
Step #16 - "verify simple-regional-additional-local":         	Messages:   	For path "binaryAuthorization" expected "{}" to match fixture "{\"evaluationMode\":\"PROJECT_SINGLETON_POLICY_ENFORCE\"}"

thanks, remove those checks for test as those are not enabled

@apeabody
Copy link
Collaborator

apeabody commented Nov 13, 2025

/gcbrun

@apeabody
Copy link
Collaborator

apeabody commented Nov 14, 2025

/gcbrun

@apeabody apeabody changed the title fix: additional_ip_ranges_config - again fix: additional_ip_ranges_config Nov 14, 2025
@apeabody
Copy link
Collaborator

apeabody commented Nov 14, 2025

/gcbrun

@apeabody
Copy link
Collaborator

apeabody commented Nov 14, 2025

/gemini review

gemini-code-assist[bot]
gemini-code-assist bot reviewed Nov 14, 2025
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request correctly fixes an issue with the additional_ip_ranges_config dynamic block by using additional_ip_ranges_config.value to access iterated values. The fix is applied consistently across all relevant Terraform module files. Additionally, a new example simple_regional_additional_ip_ranges and a corresponding integration test have been added to validate this functionality. I've found one issue in the new test file where the gcloud command uses an incorrect flag, which I've commented on. Overall, the changes are good and improve the module's functionality and test coverage.

@apeabody @gemini-code-assist
Update test/integration/simple_regional_additional_ip_ranges/simple_r…
5e83282 
…egional_additional_ip_ranges_test.go

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
@apeabody
Copy link
Collaborator

apeabody commented Nov 14, 2025

/gcbrun

@apeabody
Copy link
Collaborator

apeabody commented Nov 14, 2025

/gcbrun

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@apeabody apeabody apeabody left review comments

@ericyz ericyz Awaiting requested review from ericyz ericyz is a code owner

+3 more reviewers

@pib pib pib left review comments

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

@cwh-hcl cwh-hcl cwh-hcl left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@apeabody apeabody

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Unable to specify pod_ipv4_range_names?

4 participants

@DrFaust92 @apeabody @cwh-hcl @pib