Unclear error 400 on creating private cluster: (cluster.master_ipv4_cidr causes http 400) #3981

Closed
vdboor opened this issue Jul 5, 2019 · 5 comments · Fixed by GoogleCloudPlatform/magic-modules#2063
Labels
bug forward/review In review; remove label to forward service/container

vdboor commented Jul 5, 2019

When I tried creating a VPC-based cluster, I got an unclear error message. This was caused by a faulty enable_private_nodes = true setting (this should have been kept on false).

Terraform v0.12.3

  • provider.google v2.10.0
  • provider.google-beta v2.10.0
  • provider.kubernetes v1.8.0

Affected Resource(s)

  • google_container_cluster

Terraform Configuration Files

resource "google_container_cluster" "default" {
  name     = "test"
  location = "europe-west1-d"

  logging_service    = "logging.googleapis.com/kubernetes"    # beta
  monitoring_service = "monitoring.googleapis.com/kubernetes" # beta

  # Network config
  network = "projects/${var.gcp_project}/global/networks/terraform"
  subnetwork = "projects/${var.gcp_project}/regions/europe-west1/subnetworks/terraform"

  private_cluster_config {
    # VPC default, but publicly accessible
    enable_private_nodes    = true   # this causes master_ipv4_cidr error!
    enable_private_endpoint = false

    # no master_ipv4_cidr_block defined here
  }

  ip_allocation_policy {
    use_ip_aliases    = true
    create_subnetwork = false
  }

  network_policy {
    enabled  = true
    provider = "CALICO"
  }

  master_auth {
    client_certificate_config {
      issue_client_certificate = false
    }
  }

  initial_node_count = 1

  node_config {
    disk_size_gb = 20

    oauth_scopes = [
      "https://www.googleapis.com/auth/devstorage.read_only", # access private images on buckets
      "https://www.googleapis.com/auth/logging.write",        # logging_service to google/stackdriver
      "https://www.googleapis.com/auth/monitoring",           # monitoring_service to google
      "https://www.googleapis.com/auth/trace.append",         # stackdriver traces
    ]

    metadata = {
      disable-legacy-endpoints = "true"
    }

    labels = {}
  }
}

Actual Behavior

google_container_cluster.default: Creating...

Error: googleapi: Error 400: Unable to parse cluster.master_ipv4_cidr "" into a valid IP address and mask., badRequest

  on kubernetes_cluster.tf line 1, in resource "google_container_cluster" "default":
   1: resource "google_container_cluster" "default" {

Expected behavior

  • Terraform warning me that this configuration doesn't work
  • Terraform having an option to define the master IP CIDR as the IP requests.

Steps to Reproduce

  1. terraform apply
@ghost ghost added the bug label Jul 5, 2019
@tysen

tysen commented Jul 11, 2019

@vdboor - you can specify master_ipv4_cidr_block within the private_cluster_config block. Are you looking for something other than that?

@tysen tysen self-assigned this Jul 11, 2019
@vdboor
Author

vdboor commented Jul 11, 2019

@tysen Thanks for taking care! :-) In the end I solved it by setting enable_private_nodes = false because I didn't want a completely private system.

My main reason for reporting this issue is its unclear message. I'd expect that Terraform would at least warn that setting private_cluster_config.master_ipv4_cidr_block is required when enable_private_nodes=false, or that it could auto-generate that value. I don't have any clue what CIDR I should assign for the master.

@danilo404

@vdboor I think there's a typo in your message in the second part, did you mean "private_cluster_config.master_ipv4_cidr_block is required when enable_private_nodes=true"?

@vdboor
Author

vdboor commented Jul 15, 2019

@calmacara Yes, that seems to be the case. The API returns an HTTP 400 when it's not provided for private clusters.

@ghost

ghost commented Aug 17, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Aug 17, 2019
@github-actions github-actions bot added service/container forward/review In review; remove label to forward labels Jan 15, 2025
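
The warning the reporter asked for can be approximated before apply by linting the plan JSON. The following is an added example, not code from the provider or from anyone in this thread. It assumes the `resource_changes[].change.after` layout of `terraform show -json <planfile>` output, uses hypothetical helper names and a constructed sample plan, and treats the IPv4 /28 size check as an assumption based on GKE's documentation of this field.

```python
import ipaddress

def check_private_clusters(plan):
    """Lint `terraform show -json <planfile>` output for the failure in this issue."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "google_container_cluster":
            continue
        after = (rc.get("change") or {}).get("after") or {}
        # Nested blocks such as private_cluster_config are lists of objects.
        for pcc in after.get("private_cluster_config") or []:
            if not pcc.get("enable_private_nodes"):
                continue  # public nodes: no master CIDR needed
            cidr = pcc.get("master_ipv4_cidr_block") or ""
            if not cidr:
                problem = "enable_private_nodes = true but master_ipv4_cidr_block is unset"
            else:
                problem = cidr_problem(cidr)
            if problem:
                findings.append((rc["address"], problem))
    return findings

def cidr_problem(cidr):
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits, e.g. x.x.x.5/28
    except ValueError:
        return f"master_ipv4_cidr_block {cidr!r} is not a valid network CIDR"
    # Assumption: GKE documents this range as an IPv4 /28.
    if net.version != 4 or net.prefixlen != 28:
        return f"master_ipv4_cidr_block {cidr!r} is not an IPv4 /28"
    return None

def _cluster(name, private_nodes, cidr=None):
    # Constructed sample shaped like one entry of resource_changes.
    pcc = {"enable_private_nodes": private_nodes, "enable_private_endpoint": False,
           "master_ipv4_cidr_block": cidr}
    return {"address": f"google_container_cluster.{name}",
            "type": "google_container_cluster",
            "change": {"actions": ["create"],
                       "after": {"name": name, "private_cluster_config": [pcc]}}}

SAMPLE_PLAN = {"resource_changes": [
    _cluster("default", True),                 # the configuration from this issue
    _cluster("fixed", True, "172.16.0.0/28"),  # constructed example value
    _cluster("public", False),                 # the reporter's workaround
    _cluster("too_wide", True, "10.0.0.0/24"), # constructed: wrong prefix length
]}

if __name__ == "__main__":
    for address, problem in check_private_clusters(SAMPLE_PLAN):
        print(f"{address}: {problem}")
```

Run against a real plan by loading the JSON from `terraform show -json` and passing the resulting dict to `check_private_clusters`; a non-empty result is the pre-apply warning the API's 400 does not give.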