Simplify variable interface and disable by deafult

Author: aaron-lane

CHANGELOG.md

@@ -12,9 +12,6 @@ Extending the adopted spec, each change should have a link to its corresponding
 
 ### Added
 
-* Add `enable_basic_auth` set to `true` by default. This will cause a
-  plan change for existing users. Enabling it will require them to set
-  a username and password. [#40]
 * Add `basic_auth_username` set to `""` by default. [#40]
 * Add `basic_auth_password` set to `""` by default. [#40]
 * Add `issue_client_certificate` set to `false` by default. [#40]
@@ -23,7 +20,8 @@ Extending the adopted spec, each change should have a link to its corresponding
 
 * The `service_account` variable defaults  to `"create"` which causes a
   cluster-specific service account to be created.
-  
+* Disabled Basic Authentication by default. [#40]
+
 ## [v1.0.1] - 2019-04-04
 
 ### Added

README.md

@@ -106,11 +106,10 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| basic\_auth\_password | Kubernetes HTTP Basic auth password. Only used if `enable_basic_auth` is true | string | `""` | no |
-| basic\_auth\_username | Kubernetes HTTP Basic auth username. Only used if `enable_basic_auth` is true | string | `""` | no |
+| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
+| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
-| enable\_basic\_auth | Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials | string | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | string | `"false"` | no |

autogen/cluster_regional.tf

@@ -39,8 +39,8 @@ resource "google_container_cluster" "primary" {
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {
-    username = "${local.cluster_basic_auth_username}"
-    password = "${local.cluster_basic_auth_password}"
+    username = "${var.basic_auth_username}"
+    password = "${var.basic_auth_password}"
 
     client_certificate_config {
       issue_client_certificate = "${var.issue_client_certificate}"

autogen/cluster_zonal.tf

@@ -39,8 +39,8 @@ resource "google_container_cluster" "zonal_primary" {
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {
-    username = "${local.cluster_basic_auth_username}"
-    password = "${local.cluster_basic_auth_password}"
+    username = "${var.basic_auth_username}"
+    password = "${var.basic_auth_password}"
 
     client_certificate_config {
       issue_client_certificate = "${var.issue_client_certificate}"

autogen/main.tf

@@ -145,9 +145,6 @@ locals {
   cluster_http_load_balancing_enabled        = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
   cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
   cluster_kubernetes_dashboard_enabled       = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}"
-
-  cluster_basic_auth_username = "${var.enable_basic_auth ? var.basic_auth_username : ""}"
-  cluster_basic_auth_password = "${var.enable_basic_auth ? var.basic_auth_password : ""}"
 }
 
 /******************************************

autogen/variables.tf

@@ -234,18 +234,13 @@ variable "master_ipv4_cidr_block" {
 }
 {% endif %}
 
-variable "enable_basic_auth" {
-  description = "Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials"
-  default = "false"
-}
-
 variable "basic_auth_username" {
-  description = "Kubernetes HTTP Basic auth username. Only used if `enable_basic_auth` is true"
+  description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
   default = ""
 }
 
 variable "basic_auth_password" {
-  description = "Kubernetes HTTP Basic auth password. Only used if `enable_basic_auth` is true"
+  description = "The password to be used with Basic Authentication."
   default = ""
 }
 

cluster_regional.tf

@@ -39,8 +39,8 @@ resource "google_container_cluster" "primary" {
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {
-    username = "${local.cluster_basic_auth_username}"
-    password = "${local.cluster_basic_auth_password}"
+    username = "${var.basic_auth_username}"
+    password = "${var.basic_auth_password}"
 
     client_certificate_config {
       issue_client_certificate = "${var.issue_client_certificate}"

cluster_zonal.tf

@@ -39,8 +39,8 @@ resource "google_container_cluster" "zonal_primary" {
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {
-    username = "${local.cluster_basic_auth_username}"
-    password = "${local.cluster_basic_auth_password}"
+    username = "${var.basic_auth_username}"
+    password = "${var.basic_auth_password}"
 
     client_certificate_config {
       issue_client_certificate = "${var.issue_client_certificate}"

docs/upgrading_to_v1.0.md

@@ -41,3 +41,44 @@ module "kubernetes_engine" {
   service_account = "${module.project_factory.service_account_email}"
 }
 ```
+
+### Enabling Kubernetes Basic Authentication
+
+Starting with GKE v1.12, clusters will have Basic Authentication and
+client certificate issuance disabled by default. In previous versions
+of *kubernetes-engine*, Basic Authentication was enabled and configured with the username `"admin"` and an automatically generated password. Basic Authentication is now disabled by default and requires credentials to be provided to remain enabled.
+
+Using Basic Authentication causes Terraform to store the credentials in
+a state file. It is important to use a Terraform Backend which supports encryption at rest, like the [GCS Backend][gcs-backend]. The
+[Sensitive Data in State article][sensitive-data] provides more context
+and recommendations on how to handle scenarios like this.
+
+```hcl
+terraform {
+  backend "gcs" {
+    bucket = "terraform-state"
+  }
+}
+
+module "enabling-basic-auth" {
+  source  = "terraform-google-modules/kubernetes-engine/google"
+  version = "~> 2.0"
+
+  project_id = "${var.project_id}"
+  name       = "cluster-with-basic-auth"
+
+  basic_auth_username = "admin"
+  basic_auth_password = "s3crets!"
+
+  regional          = "true"
+  region            = "${var.region}"
+  network           = "${var.network}"
+  subnetwork        = "${var.subnetwork}"
+  ip_range_pods     = "${var.ip_range_pods}"
+  ip_range_services = "${var.ip_range_services}"
+  service_account   = "${var.compute_engine_service_account}"
+}
+```
+
+[gsc-backend]: https://www.terraform.io/docs/backends/types/gcs.html
+[sensitive-data]: https://www.terraform.io/docs/state/sensitive-data.html

docs/upgrading_to_v2.0.md

@@ -24,18 +24,17 @@ provider "google" {
 }
 
 module "gke" {
-  source             = "../../"
-  project_id         = "${var.project_id}"
-  name               = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
-  region             = "${var.region}"
-  network            = "${var.network}"
-  network_project_id = "${var.network_project_id}"
-  subnetwork         = "${var.subnetwork}"
-  ip_range_pods      = "${var.ip_range_pods}"
-  ip_range_services  = "${var.ip_range_services}"
-  service_account    = "${var.compute_engine_service_account}"
+  source = "../../"
 
-  enable_basic_auth = false
+  project_id               = "${var.project_id}"
+  name                     = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
+  region                   = "${var.region}"
+  network                  = "${var.network}"
+  network_project_id       = "${var.network_project_id}"
+  subnetwork               = "${var.subnetwork}"
+  ip_range_pods            = "${var.ip_range_pods}"
+  ip_range_services        = "${var.ip_range_services}"
+  service_account          = "${var.compute_engine_service_account}"
   issue_client_certificate = false
 }
 

examples/disable_client_cert/main.tf

@@ -145,9 +145,6 @@ locals {
   cluster_http_load_balancing_enabled        = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
   cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
   cluster_kubernetes_dashboard_enabled       = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}"
-
-  cluster_basic_auth_username = "${var.enable_basic_auth ? var.basic_auth_username : ""}"
-  cluster_basic_auth_password = "${var.enable_basic_auth ? var.basic_auth_password : ""}"
 }
 
 /******************************************

main.tf

@@ -111,11 +111,10 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| basic\_auth\_password | Kubernetes HTTP Basic auth password. Only used if `enable_basic_auth` is true | string | `""` | no |
-| basic\_auth\_username | Kubernetes HTTP Basic auth username. Only used if `enable_basic_auth` is true | string | `""` | no |
+| basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
+| basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
-| enable\_basic\_auth | Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials | string | `"false"` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | string | `"false"` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | string | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |

modules/private-cluster/README.md

@@ -39,8 +39,8 @@ resource "google_container_cluster" "primary" {
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {
-    username = "${local.cluster_basic_auth_username}"
-    password = "${local.cluster_basic_auth_password}"
+    username = "${var.basic_auth_username}"
+    password = "${var.basic_auth_password}"
 
     client_certificate_config {
       issue_client_certificate = "${var.issue_client_certificate}"

modules/private-cluster/cluster_regional.tf

@@ -39,8 +39,8 @@ resource "google_container_cluster" "zonal_primary" {
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {
-    username = "${local.cluster_basic_auth_username}"
-    password = "${local.cluster_basic_auth_password}"
+    username = "${var.basic_auth_username}"
+    password = "${var.basic_auth_password}"
 
     client_certificate_config {
       issue_client_certificate = "${var.issue_client_certificate}"

modules/private-cluster/cluster_zonal.tf

@@ -145,9 +145,6 @@ locals {
   cluster_http_load_balancing_enabled        = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
   cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
   cluster_kubernetes_dashboard_enabled       = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}"
-
-  cluster_basic_auth_username = "${var.enable_basic_auth ? var.basic_auth_username : ""}"
-  cluster_basic_auth_password = "${var.enable_basic_auth ? var.basic_auth_password : ""}"
 }
 
 /******************************************

modules/private-cluster/main.tf

@@ -232,18 +232,13 @@ variable "master_ipv4_cidr_block" {
   default     = "10.0.0.0/28"
 }
 
-variable "enable_basic_auth" {
-  description = "Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials"
-  default     = "false"
-}
-
 variable "basic_auth_username" {
-  description = "Kubernetes HTTP Basic auth username. Only used if `enable_basic_auth` is true"
+  description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
   default     = ""
 }
 
 variable "basic_auth_password" {
-  description = "Kubernetes HTTP Basic auth password. Only used if `enable_basic_auth` is true"
+  description = "The password to be used with Basic Authentication."
   default     = ""
 }
 

modules/private-cluster/variables.tf

@@ -217,18 +217,13 @@ variable "service_account" {
   default     = "create"
 }
 
-variable "enable_basic_auth" {
-  description = "Basic authentication allows a user to authenticate to the cluster with a username and password. To maximize the security of your cluster, disable this option. Basic authentication is not recommended because it provides no confidentiality protection for transmitted credentials"
-  default     = "false"
-}
-
 variable "basic_auth_username" {
-  description = "Kubernetes HTTP Basic auth username. Only used if `enable_basic_auth` is true"
+  description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
   default     = ""
 }
 
 variable "basic_auth_password" {
-  description = "Kubernetes HTTP Basic auth password. Only used if `enable_basic_auth` is true"
+  description = "The password to be used with Basic Authentication."
   default     = ""
 }