
"authenticator_groups_config" is not working as intended #12730

Comments

@rd-nikhil-singh

rd-nikhil-singh commented Oct 6, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v1.3.1
on darwin_amd64

  • provider registry.terraform.io/hashicorp/google v4.39.0

Affected Resource(s)

  • google_container_cluster

Terraform Configuration Files

provider "google" {
  project = "test-xxx"
  region  = "europe-west1"
}

resource "google_service_account" "default" {
  account_id   = "gke-sa"
  display_name = "Service Account for GKE"
}

resource "google_container_cluster" "primary" {
  name               = "gke"
  location           = "europe-west1-b"
  network            = "main-network"
  subnetwork         = "cluster-network"
  initial_node_count = 1
  node_config {
    service_account = google_service_account.default.email
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform"
    ]
    labels = {
      foo = "bar"
    }
    tags = ["foo", "bar"]
  }
  authenticator_groups_config {
    security_group = "gke-security-groups@xxx.com"
  }
  timeouts {
    create = "30m"
    update = "40m"
  }
}

Expected Behavior

Google Groups for RBAC should be enabled with the above value

Actual Behavior

Still disabled.

Info

The reverse works fine. For example, if we enable it and add the value via Google Cloud Console then we can see it. If we decide to disable it via terraform then the following works:

authenticator_groups_config {
  security_group = ""
}

Steps to Reproduce

  1. Add the above-mentioned config block and run terraform apply

References

@edwardmedia
Contributor

edwardmedia commented Oct 6, 2022

@rd-nikhil-singh I am not clear how to repro the issue. Can you detail the steps? What do you mean by "Tried both one by one"? Can you also create a minimum config and share your debug log?

@rd-nikhil-singh
Author

rd-nikhil-singh commented Oct 7, 2022

Hi @edwardmedia, I have added the config with which you can reproduce it. It is recommended in the comments here that the group name must be in the format "gke-security-groups@xxx.com." so this is what I tried first. It did not work, then I tried without the trailing "." ("gke-security-groups@xxx.com") and it did not work either. In the cloud console it works with "gke-security-groups@xxx.com" but not with "gke-security-groups@xxx.com.". I am sorry I cannot share the debug log for security reasons as it may reveal some of our internal details.

@edwardmedia
Contributor

@rd-nikhil-singh there is a daily test that works to verify authenticator_groups_config. Below is the source code. It appears working fine. The format should be "gke-security-groups@xxx.com". Without the log, it is difficult to guess what went wrong.

https://github.com/hashicorp/terraform-provider-google/blob/main/google/resource_container_cluster_test.go#L3059

@rd-nikhil-singh
Author

Hi @edwardmedia, thanks for your response. Once you apply the changes terraform shows applied successfully but you do not see it in the cloud console. So, it appears working fine but it doesn't work in reality. We have used "gke-security-groups@xxx.com" format with no success. Please try it and then you will see it.

@edwardmedia
Contributor

@rd-nikhil-singh I don't have a valid gke-security-group email available for reproing this. Can you share your debug log? You may redact your secrets in the log. I want to see the API requests and responses in general. Also I am curious what you meant by "it doesn't work in reality"? Are you able to enable it via gcloud?

it appears working fine but it doesn't work in reality.

@mmllc-jsilverman

mmllc-jsilverman commented Oct 12, 2022

Howdy. I am also having this issue as described, and I think I can clarify some of the details.

I have a cluster in GKE. However, I did not enable RBAC sec group on creation. I wanted to rectify this.

I added a configured authenticator_groups_config block to implement the change via Terraform. (This block was not set on my original plan.)

I added:

  authenticator_groups_config {
    security_group = "gke-security-groups@my-domain.com"
  }

I re-ran the plan and there were no changes detected. i.e. My "Google Groups for RBAC" flag for this cluster is still "Disabled" in the GKE console.

I then enabled RBAC manually via gcloud:

gcloud --project=my-project container clusters update my-cluster-0 \
    --region=us-central1 \
    --security-group="gke-security-groups@my-domain.com"

I then set the security_group value to an empty string -- "" and re-ran Terraform. This time, TF does detect the change, and disables RBAC

I then re-add the security_group value to the Terraform manifest. Terraform plan now detects the change!

To sum up:

  • This provider can enable the RBAC security group to a cluster on creation
  • Provider is able to disable the RBAC security group setting from a cluster after the cluster has been created, and the security group was applied either at creation or manually
  • Provider is able to enable the RBAC security group setting to a cluster after the cluster has been created only if the cluster was created with the authenticator_groups_config stanza
  • Provider is NOT able to add the RBAC security group setting to a cluster after the cluster has been created if the cluster was created without the authenticator_groups_config stanza <-- this is the bug condition

This is a bug.

Workarounds:

  • Add RBAC sec group manually
  • If you want a cluster that has RBAC disabled but you want to be able to enable it later, you can add authenticator_groups_config stanza to Terraform manifest with security_group set to an empty string this probably won't work -- see my second comment, below

Possible Fixes for Provider

  • Make the authenticator_groups_config stanza not optional, but document that you can set security_group to an empty string
  • If it is detected that authenticator_groups_config stanza is empty, automatically add one with security_group set to an empty string

@mmllc-jsilverman

mmllc-jsilverman commented Oct 12, 2022

Ouch! I must add to my last comment...

Terraform plan did detect the change when I tried to re-add the security_group.

However, terraform apply did not apply the change even though it is explicitly listed in the plan, and is explicitly declared as "Updated" in the apply step.

This is the first time I've ever seen a change called out in the plan, and apply says it is applying the change, but no change appears on the resource itself.

This is probably what @rd-nikhil-singh meant by "So, it appears working fine but it doesn't work in reality"

This also means my second workaround probably won't work

@lukpep

lukpep commented Oct 21, 2022

I'm experiencing the same behaviour.
Change is detected and applied, but it seems that this "checkbox" is always off:

[Screenshot: CleanShot 2022-10-21 at 15 27 21]

although the name of the group is, in fact, updated every time - so if I manually enable the checkbox, the proper (from TF) group is there waiting for me:

[Screenshot: CleanShot 2022-10-21 at 15 28 29]

To conclude - from the end-user perspective, it seems like the provider is updating the group name every time but somehow forgets to tick the checkbox actually to enable the feature ;-)
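The pattern described in this thread (Terraform reports "Updated", the group name lands on the cluster, but the feature stays disabled) is a case where a successful apply is not evidence that a security control is on. The following added example, not code from the issue or from the provider, is a post-apply drift check: it reads the cluster resource as returned by `gcloud container clusters describe <name> --location <loc> --project <project> --format=json` and verifies both fields of `authenticatorGroupsConfig`, `enabled` and `securityGroup`, against the intended state. The three sample payloads are constructed to mirror the states reported above (half-applied, fully enabled, never configured); the function and variable names are this example's own.

```python
"""Post-apply check that Google Groups for RBAC is really enabled on a GKE cluster.

Added example (not part of the issue or the provider). Inspects the Cluster
resource JSON that `gcloud container clusters describe --format=json` prints
and checks the feature flag itself, not just the presence of a group name.
"""
from __future__ import annotations

import json
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class RbacGroupsState:
    enabled: bool
    security_group: str


def parse_state(cluster: dict) -> RbacGroupsState:
    """Extract authenticatorGroupsConfig from a Cluster resource dict.

    A missing block means the feature was never configured; for the purpose
    of this check that is the same as disabled.
    """
    cfg = cluster.get("authenticatorGroupsConfig") or {}
    return RbacGroupsState(
        enabled=bool(cfg.get("enabled", False)),
        security_group=cfg.get("securityGroup", ""),
    )


def check_rbac_groups(cluster: dict, expected_group: str) -> list[str]:
    """Compare the live cluster state with intent.

    expected_group == "" means the intent is "disabled". Returns a list of
    findings; an empty list means the cluster matches intent.
    """
    state = parse_state(cluster)
    findings: list[str] = []
    if expected_group:
        if not state.enabled:
            # The failure mode from the thread: name written, flag still off.
            findings.append("Google Groups for RBAC is disabled")
        if state.security_group != expected_group:
            findings.append(
                f"security group is {state.security_group!r}, "
                f"expected {expected_group!r}"
            )
    elif state.enabled:
        findings.append("Google Groups for RBAC is enabled but intent is disabled")
    return findings


def describe_cluster(name: str, location: str, project: str) -> dict:
    """Live lookup through gcloud (assumed installed and authenticated).

    Not exercised offline; the samples below stand in for its output.
    """
    cmd = [
        "gcloud", "container", "clusters", "describe", name,
        "--location", location, "--project", project, "--format=json",
    ]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


# Constructed samples (trimmed Cluster resources; only the fields used here).
# Half-applied: the state described in the thread, group name present but
# the feature never switched on.
SAMPLE_HALF_APPLIED = {
    "name": "gke",
    "authenticatorGroupsConfig": {"securityGroup": "gke-security-groups@xxx.com"},
}
# What a correct apply (or the cloud console) produces.
SAMPLE_ENABLED = {
    "name": "gke",
    "authenticatorGroupsConfig": {
        "enabled": True,
        "securityGroup": "gke-security-groups@xxx.com",
    },
}
# Cluster created without the stanza at all.
SAMPLE_UNSET = {"name": "gke"}


if __name__ == "__main__":
    for label, sample in [
        ("half-applied", SAMPLE_HALF_APPLIED),
        ("enabled", SAMPLE_ENABLED),
        ("unset", SAMPLE_UNSET),
    ]:
        print(label, check_rbac_groups(sample, "gke-security-groups@xxx.com") or "OK")
```

Run this as a step after `terraform apply` (or on a schedule) and fail the pipeline on any finding; the half-applied sample is the one that a plain "did the name get set?" check would wrongly pass.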

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 23, 2022