
workload_vulnerability_mode is creating Advanced by default #2084

Open
sg7653 opened this issue Sep 11, 2024 · 2 comments
Labels
bug Something isn't working Stale

Comments

@sg7653

sg7653 commented Sep 11, 2024

TL;DR

workload_vulnerability_mode is creating Advanced by default, though we pass it as DISABLED or BASIC.
Whenever we reapply the cluster it's going to change to BASIC, and updating it takes a very long time; it's affecting our production.
We are using version "30.2.0".

Expected behavior

workload_vulnerability_mode should be BASIC if we pass this value.

Observed behavior

No response

Terraform Configuration

module "primary-cluster" {
  source                              = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster-update-variant"
  version                             = "30.2.0"

  add_cluster_firewall_rules          = var.add_cluster_firewall_rules
  cloudrun                            = var.cloudrun
  cluster_dns_provider                = var.cluster_dns_provider
  cluster_dns_scope                   = var.cluster_dns_scope
  cluster_resource_labels             = { "mesh_id" : "proj-${data.google_project.project.number}" }
  datapath_provider                   = var.datapath_provider
  default_max_pods_per_node           = var.default_max_pods_per_node
  deletion_protection                 = var.deletion_protection
  dns_cache                           = var.dns_cache
  enable_binary_authorization         = var.is_enable_binary_authorization
  enable_cost_allocation              = var.enable_cost_allocation
  enable_intranode_visibility         = var.enable_intranode_visibility
  enable_network_egress_export        = var.enable_network_egress_export
  enable_private_endpoint             = var.is_private_endpoint
  enable_private_nodes                = var.is_private_nodes
  enable_resource_consumption_export  = var.enable_resource_consumption_export
  enable_shielded_nodes               = var.enable_shielded_nodes
  enable_vertical_pod_autoscaling     = var.enable_vertical_pod_autoscaling
  filestore_csi_driver                = var.filestore_csi_driver
  firewall_inbound_ports              = var.firewall_inbound_ports
  fleet_project                       = var.fleet_project
  gateway_api_channel                 = var.gateway_api_channel
  gce_pd_csi_driver                   = var.gce_pd_csi_driver
  grant_registry_access               = var.grant_registry_access
  horizontal_pod_autoscaling          = var.is_horizontal_pod_autoscaling
  http_load_balancing                 = var.is_http_load_balancing
  ip_range_pods                       = var.primary_pods
  additional_ip_range_pods            = var.additional_ip_range_pods
  ip_range_services                   = var.primary_services
  istio                               = var.istio
  logging_service                     = var.logging_service
  maintenance_end_time                = var.maintenance_end_time
  maintenance_recurrence              = var.maintenance_recurrence
  maintenance_start_time              = var.maintenance_start_time
  master_authorized_networks          = var.master_authorized_networks
  master_global_access_enabled        = var.is_master_global_access_enabled
  master_ipv4_cidr_block              = var.master_ipv4_cidr_block
  monitoring_service                  = var.monitoring_service
  name                                = var.primary_cluster
  network                             = var.vpc_name
  network_policy                      = var.is_network_policy
  node_pools                          = var.node_pools
  node_pools_labels                   = var.node_pools_labels
  node_pools_metadata                 = var.node_pools_metadata
  node_pools_oauth_scopes             = var.node_pools_oauth_scopes
  node_pools_tags                     = var.node_pools_tags
  notification_config_topic           = var.gke_pubsub_topic
  project_id                          = var.project_id
  region                              = var.primary_region
  regional                            = var.is_regional
  release_channel                     = var.release_channel
  remove_default_node_pool            = var.is_remove_default_node_pool
  resource_usage_export_dataset_id    = var.resource_usage_export_dataset_id
  security_posture_mode               = var.security_posture_mode
  security_posture_vulnerability_mode = var.security_posture_vulnerability_mode
  subnetwork                          = var.primary_subnet
  workload_config_audit_mode          = var.workload_config_audit_mode
  workload_vulnerability_mode         = var.workload_vulnerability_mode
  zones                               = var.zones
}

Terraform Version

Version   "30.2.0"

Additional information

No response

@sg7653 sg7653 added the bug Something isn't working label Sep 11, 2024
@wyardley
Contributor

wyardley commented Sep 27, 2024

hashicorp/terraform-provider-google#16925

What are your values for var.workload_config_audit_mode, var.workload_vulnerability_mode, security_posture_mode, and security_posture_vulnerability_mode?

From the thread above, it seems like maybe the setting you're looking at relates to how you have security_posture_vulnerability_mode set - so maybe try disabling the workload_config / protect_config related stuff and using the security_posture related ones only?
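One way to check which of the two overlapping settings a running cluster actually reports, as an added example that is not from the issue, the module or its maintainers: it reads the JSON of `gcloud container clusters describe --format=json` (the sample here is constructed) and compares both `protectConfig.workloadVulnerabilityMode` and `securityPostureConfig.vulnerabilityMode` against the value passed to Terraform. The field and enum names are assumed from the GKE API, and the constructed sample is not a real cluster.

```python
import json

# Map the securityPostureConfig enum (names assumed from the GKE API) onto the
# plain DISABLED/BASIC/ENTERPRISE terms the Terraform module variables use.
_POSTURE_TO_LEVEL = {
    "VULNERABILITY_MODE_UNSPECIFIED": "DISABLED",
    "VULNERABILITY_DISABLED": "DISABLED",
    "VULNERABILITY_BASIC": "BASIC",
    "VULNERABILITY_ENTERPRISE": "ENTERPRISE",
}


def constructed_describe(protect_mode: str, posture_mode: str) -> str:
    """Constructed stand-in for `gcloud container clusters describe --format=json`,
    reduced to the two overlapping vulnerability-mode fields (field names assumed)."""
    return json.dumps({
        "name": "primary-cluster",
        "protectConfig": {"workloadVulnerabilityMode": protect_mode},
        "securityPostureConfig": {"mode": "BASIC", "vulnerabilityMode": posture_mode},
    })


def effective_modes(describe_json: str) -> dict:
    """Return the vulnerability mode each config block reports, in module terms."""
    cluster = json.loads(describe_json)
    protect = cluster.get("protectConfig", {}).get("workloadVulnerabilityMode", "DISABLED")
    posture = cluster.get("securityPostureConfig", {}).get("vulnerabilityMode", "VULNERABILITY_DISABLED")
    return {"protect_config": protect, "security_posture": _POSTURE_TO_LEVEL.get(posture, posture)}


def check_drift(describe_json: str, wanted: str) -> list:
    """List every block whose mode differs from the value passed to Terraform.
    A finding on security_posture while protect_config matches is the case the
    thread points at: the posture setting, not workload_vulnerability_mode, is
    the likely source of the value the reporter is seeing."""
    modes = effective_modes(describe_json)
    findings = []
    for block, field in (("protect_config", "protectConfig.workloadVulnerabilityMode"),
                         ("security_posture", "securityPostureConfig.vulnerabilityMode")):
        if modes[block] != wanted:
            findings.append(f"{field} is effectively {modes[block]}, Terraform passed {wanted}")
    return findings


if __name__ == "__main__":
    # Constructed case: Terraform passed BASIC, but the posture config is at ENTERPRISE.
    sample = constructed_describe("BASIC", "VULNERABILITY_ENTERPRISE")
    for line in check_drift(sample, "BASIC"):
        print(line)
```

Against a real cluster, pipe the `gcloud container clusters describe --format=json` output into `check_drift` with the value your `workload_vulnerability_mode` variable holds; an empty list means both blocks agree with Terraform.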


This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

@github-actions github-actions bot added the Stale label Nov 26, 2024