fix: Simplified pod security policy interface.

BREAKING CHANGE: Pod security policy enablement has been changed to use a simple boolean flag (`var. enable_pod_security_policy`)

Author: msgongora

autogen/main/cluster.tf.tmpl

@@ -94,9 +94,9 @@ resource "google_container_cluster" "primary" {
   }
 
   dynamic "pod_security_policy_config" {
-    for_each = var.pod_security_policy_config
+    for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : []
     content {
-      enabled = pod_security_policy_config.value.enabled
+      enabled = pod_security_policy_config.value
     }
   }
 {% endif %}

autogen/main/variables.tf.tmpl

@@ -455,13 +455,10 @@ variable "enable_binary_authorization" {
   default     = false
 }
 
-variable "pod_security_policy_config" {
-  type        = list(object({ enabled = bool }))
+variable "enable_pod_security_policy" {
+  type        = bool
   description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
-
-  default = [{
-    "enabled" = false
-  }]
+  default     = false
 }
 
 variable "node_metadata" {

autogen/safer-cluster/main.tf.tmpl

@@ -137,9 +137,9 @@ module "gke" {
   // We suggest to define policies about  which images can run on a cluster.
   enable_binary_authorization = true
 
-  // Define PodSecurityPolicies for differnet applications.
-  // Example: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#example
-  pod_security_policy_config = var.pod_security_policy_config
+  // Use of PodSecurityPolicy admission controller
+  // https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies
+  enable_pod_security_policy = var.enable_pod_security_policy
 
   resource_usage_export_dataset_id = var.resource_usage_export_dataset_id
 

autogen/safer-cluster/variables.tf.tmpl

@@ -328,13 +328,10 @@ variable "skip_provisioners" {
   default     = false
 }
 
-variable "pod_security_policy_config" {
-  type        = list(object({ enabled = bool }))
+variable "enable_pod_security_policy" {
+  type        = bool
   description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
-
-  default = [{
-    "enabled" = true
-  }]
+  default     = false
 }
 
 variable "gce_pd_csi_driver" {

examples/simple_regional_beta/README.md

@@ -13,13 +13,13 @@ This example illustrates how to create a simple cluster with beta features.
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. | object | `<list>` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
+| enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | bool | `"false"` | no |
 | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | bool | `"false"` | no |
 | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The secondary ip range to use for services | string | n/a | yes |
 | istio | Boolean to enable / disable Istio | string | `"true"` | no |
 | network | The VPC network to host the cluster in | string | n/a | yes |
 | node\_pools | List of maps containing node pools | list(map(string)) | `<list>` | no |
-| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | list | `<list>` | no |
 | project\_id | The project ID to host the cluster in | string | n/a | yes |
 | region | The region to host the cluster in | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |

examples/simple_regional_beta/main.tf

@@ -45,7 +45,7 @@ module "gke" {
   node_pools                  = var.node_pools
   database_encryption         = var.database_encryption
   enable_binary_authorization = var.enable_binary_authorization
-  pod_security_policy_config  = var.pod_security_policy_config
+  enable_pod_security_policy  = var.enable_pod_security_policy
   release_channel             = "REGULAR"
 
   # Disable workload identity

examples/simple_regional_beta/variables.tf

@@ -106,11 +106,10 @@ variable "enable_binary_authorization" {
   default     = false
 }
 
-variable "pod_security_policy_config" {
+variable "enable_pod_security_policy" {
+  type        = bool
   description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
-  default = [{
-    "enabled" = false
-  }]
+  default     = false
 }
 
 variable "zones" {

modules/beta-private-cluster-update-variant/README.md

@@ -165,6 +165,7 @@ Then perform the following commands on the root folder:
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | bool | `"false"` | no |
+| enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | bool | `"false"` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | bool | `"false"` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | bool | `"false"` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no |
@@ -209,7 +210,6 @@ Then perform the following commands on the root folder:
 | node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `<map>` | no |
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `<map>` | no |
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `<list>` | no |
-| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `<list>` | no |
 | project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | string | `"null"` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |

modules/beta-private-cluster-update-variant/cluster.tf

@@ -81,9 +81,9 @@ resource "google_container_cluster" "primary" {
   }
 
   dynamic "pod_security_policy_config" {
-    for_each = var.pod_security_policy_config
+    for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : []
     content {
-      enabled = pod_security_policy_config.value.enabled
+      enabled = pod_security_policy_config.value
     }
   }
   dynamic "master_authorized_networks_config" {

modules/beta-private-cluster-update-variant/variables.tf

@@ -448,13 +448,10 @@ variable "enable_binary_authorization" {
   default     = false
 }
 
-variable "pod_security_policy_config" {
-  type        = list(object({ enabled = bool }))
+variable "enable_pod_security_policy" {
+  type        = bool
   description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
-
-  default = [{
-    "enabled" = false
-  }]
+  default     = false
 }
 
 variable "node_metadata" {

modules/beta-private-cluster/README.md

@@ -143,6 +143,7 @@ Then perform the following commands on the root folder:
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | bool | `"false"` | no |
+| enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | bool | `"false"` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | bool | `"false"` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | bool | `"false"` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no |
@@ -187,7 +188,6 @@ Then perform the following commands on the root folder:
 | node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `<map>` | no |
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `<map>` | no |
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `<list>` | no |
-| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `<list>` | no |
 | project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | string | `"null"` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |

modules/beta-private-cluster/cluster.tf

@@ -81,9 +81,9 @@ resource "google_container_cluster" "primary" {
   }
 
   dynamic "pod_security_policy_config" {
-    for_each = var.pod_security_policy_config
+    for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : []
     content {
-      enabled = pod_security_policy_config.value.enabled
+      enabled = pod_security_policy_config.value
     }
   }
   dynamic "master_authorized_networks_config" {

modules/beta-private-cluster/variables.tf

@@ -448,13 +448,10 @@ variable "enable_binary_authorization" {
   default     = false
 }
 
-variable "pod_security_policy_config" {
-  type        = list(object({ enabled = bool }))
+variable "enable_pod_security_policy" {
+  type        = bool
   description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
-
-  default = [{
-    "enabled" = false
-  }]
+  default     = false
 }
 
 variable "node_metadata" {

modules/beta-public-cluster-update-variant/README.md

@@ -158,6 +158,7 @@ Then perform the following commands on the root folder:
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | bool | `"false"` | no |
+| enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | bool | `"false"` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"true"` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
@@ -199,7 +200,6 @@ Then perform the following commands on the root folder:
 | node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `<map>` | no |
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `<map>` | no |
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `<list>` | no |
-| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `<list>` | no |
 | project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | string | `"null"` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |

modules/beta-public-cluster-update-variant/cluster.tf

@@ -81,9 +81,9 @@ resource "google_container_cluster" "primary" {
   }
 
   dynamic "pod_security_policy_config" {
-    for_each = var.pod_security_policy_config
+    for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : []
     content {
-      enabled = pod_security_policy_config.value.enabled
+      enabled = pod_security_policy_config.value
     }
   }
   dynamic "master_authorized_networks_config" {

modules/beta-public-cluster-update-variant/variables.tf

@@ -424,13 +424,10 @@ variable "enable_binary_authorization" {
   default     = false
 }
 
-variable "pod_security_policy_config" {
-  type        = list(object({ enabled = bool }))
+variable "enable_pod_security_policy" {
+  type        = bool
   description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
-
-  default = [{
-    "enabled" = false
-  }]
+  default     = false
 }
 
 variable "node_metadata" {

modules/beta-public-cluster/README.md

@@ -136,6 +136,7 @@ Then perform the following commands on the root folder:
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | bool | `"false"` | no |
+| enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | bool | `"false"` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"true"` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
@@ -177,7 +178,6 @@ Then perform the following commands on the root folder:
 | node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `<map>` | no |
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `<map>` | no |
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `<list>` | no |
-| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `<list>` | no |
 | project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | string | `"null"` | no |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |

modules/beta-public-cluster/cluster.tf

@@ -81,9 +81,9 @@ resource "google_container_cluster" "primary" {
   }
 
   dynamic "pod_security_policy_config" {
-    for_each = var.pod_security_policy_config
+    for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : []
     content {
-      enabled = pod_security_policy_config.value.enabled
+      enabled = pod_security_policy_config.value
     }
   }
   dynamic "master_authorized_networks_config" {

modules/beta-public-cluster/variables.tf

@@ -424,13 +424,10 @@ variable "enable_binary_authorization" {
   default     = false
 }
 
-variable "pod_security_policy_config" {
-  type        = list(object({ enabled = bool }))
+variable "enable_pod_security_policy" {
+  type        = bool
   description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
-
-  default = [{
-    "enabled" = false
-  }]
+  default     = false
 }
 
 variable "node_metadata" {