From 4f40e1b25bab1ec2385106b388f157b4b07fb7d3 Mon Sep 17 00:00:00 2001
From: Brian Pham
Date: Wed, 10 Nov 2021 15:07:32 -0800
Subject: [PATCH] Fix: google provider breaking changes in 4.0.0

* Add variable for enabled_shieled_nodes hashicorp/terraform-provider-google#10403
* Add required client_certificate_config and remove username and password from master_auth hashicorp/terraform-provider-google#10441
* Update workload_identity_config to use workload pool instead of identity_namespace hashicorp/terraform-provider-google#10410
---
 modules/gke-cluster/main.tf | 13 ++++++++-----
 modules/gke-cluster/variables.tf | 20 +++++++-------------
 2 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/modules/gke-cluster/main.tf b/modules/gke-cluster/main.tf
index fa38889..bcc0737 100644
--- a/modules/gke-cluster/main.tf
+++ b/modules/gke-cluster/main.tf
@@ -11,8 +11,8 @@ terraform {
 }
 
 locals {
- workload_identity_config = !var.enable_workload_identity ? [] : var.identity_namespace == null ? [{
- identity_namespace = "${var.project}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace
+ workload_identity_config = !var.enable_workload_identity ? [] : var.workload_pool == null ? [{
+ workload_pool = "${var.project}.svc.id.goog" }] : [{ workload_pool = var.workload_pool
 }]
 }
 
@@ -36,6 +36,8 @@ resource "google_container_cluster" "cluster" {
 monitoring_service = var.monitoring_service
 min_master_version = local.kubernetes_version
 
+ enable_shielded_nodes = var.enable_shielded_nodes
+
 # Whether to enable legacy Attribute-Based Access Control (ABAC). RBAC has significant security advantages over ABAC.
 enable_legacy_abac = var.enable_legacy_abac
 
@@ -105,8 +107,9 @@ resource "google_container_cluster" "cluster" {
 }
 
 master_auth {
- username = var.basic_auth_username
- password = var.basic_auth_password
+ client_certificate_config {
+ issue_client_certificate = false
+ }
 }
 
 dynamic "master_authorized_networks_config" {
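Review bot: In the new `master_auth` block, `issue_client_certificate = false` is hard-coded, yet variables.tf still declares `enable_client_certificate_authentication` (visible as context in the variables.tf hunk), so that input no longer has any visible effect on the cluster and a caller setting it to true would believe certificate auth is on when no certificate is issued. Either wire it, `issue_client_certificate = var.enable_client_certificate_authentication`, keeping `false` as the variable's default since the description itself notes the certificates are useless once ABAC is off, or remove the variable in the same commit. The `google_container_cluster` resource continues outside this hunk, so there may be another use of the variable I cannot see; if so, a short comment here naming it would prevent the next reader from asking the same question.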
@@ -163,7 +166,7 @@ resource "google_container_cluster" "cluster" {
 
 for_each = local.workload_identity_config
 content {
- identity_namespace = workload_identity_config.value.identity_namespace
+ workload_pool = workload_identity_config.value.workload_pool
 }
 }
 
diff --git a/modules/gke-cluster/variables.tf b/modules/gke-cluster/variables.tf
index c441061..d722f56 100644
--- a/modules/gke-cluster/variables.tf
+++ b/modules/gke-cluster/variables.tf
@@ -172,18 +172,6 @@ variable "enable_network_policy" {
 default = true
 }
 
-variable "basic_auth_username" {
- description = "The username used for basic auth; set both this and `basic_auth_password` to \"\" to disable basic auth."
- type = string
- default = ""
-}
-
-variable "basic_auth_password" {
- description = "The password used for basic auth; set both this and `basic_auth_username` to \"\" to disable basic auth."
- type = string
- default = ""
-}
-
 variable "enable_client_certificate_authentication" {
 description = "Whether to enable authentication by x509 certificates. With ABAC disabled, these certificates are effectively useless."
 type = bool
@@ -222,8 +210,14 @@ variable "enable_workload_identity" {
 type = bool
 }
 
-variable "identity_namespace" {
+variable "workload_pool" {
 description = "Workload Identity Namespace. Default sets project based namespace [project_id].svc.id.goog"
 default = null
 type = string
 }
+
+variable "enable_shielded_nodes" {
+ description = "Enable shielded nodes features on all nodes in this cluster. Default is set to true"
+ default = true
+ type = bool
+}
\ No newline at end of file
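Review bot: The description kept on the renamed `workload_pool` variable still reads "Workload Identity Namespace", so the variable name and its generated documentation now disagree; suggest `description = "Workload Identity pool. Default sets the project-based pool [project_id].svc.id.goog"`. Renaming `identity_namespace` to `workload_pool` is also a breaking change to the module's input interface, since a caller still passing `identity_namespace` should fail at plan time with an unexpected-argument error, which is worth stating in the module's changelog or README if it has one. The new `enable_shielded_nodes` description's "Default is set to true" duplicates the `default` attribute and will drift silently if that value ever changes, so I would drop that sentence.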