Autopilot modules do not set network tags properly

[TobiasLierzer]

TL;DR

The beta-autopilot-*-modules define a local.cluster_network_tag which is referenced in the firewall rules. The node_pool_auto_config on the other hand only uses var.network_tags. Due to this mismatch, the Firewall rules do not apply to the cluster.

Expected behavior

I'd expect that var.network_tags and local.cluster_network_tag are concatted like here in the root/cluster.tf

Observed behavior

The firewall rules do not apply for the cluster.

Terraform Configuration

module "gke" {
  source                       = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster"
  version                      = "28.0.0"
  project_id                   = var.project_id
  name                         = "xx-${var.env}"
  kubernetes_version           = "1.27.3-gke.1700"
  region                       = var.region
  network                      = local.network
  subnetwork                   = local.subnetwork
  master_ipv4_cidr_block       = var.control_plane_ipv4
  authenticator_security_group = "xx"

  ip_range_pods              = "pods"
  ip_range_services          = "services"
  enable_cost_allocation     = true
  enable_private_nodes       = true
  add_cluster_firewall_rules = true
  maintenance_start_time     = "06:00"
  firewall_inbound_ports  = ["8000", "8443", "9443", "15017"]

}

Terraform Version

Terraform v1.6.0

Additional information

local.cluster_network_tag definition
sample firewall rule
node_pool_auto_config

[GorginZ]

hi @TobiasLierzer I came across this too. I have a PR open that's being looked at. Any thoughts are welcome! #1817
I've only done for the private cluster, but pending feedback we'll want to fix for other autopilot configs too.

[TobiasLierzer]

I just checked your PR. Great thought making the tag dependent on the three firewall variables.

Closing this issue as it is a duplicate of
#1230