
feat!: enabling vulnerability and audit modes for workloads #1749

Conversation

mmorejon
Contributor

Enable vulnerability and audit modes for workloads.

@mmorejon mmorejon requested review from Jberlinsky, ericyz and a team as code owners September 27, 2023 11:16
google-cla bot commented Sep 27, 2023

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

```hcl
variable "workload_vulnerability_mode" {
  description = "(beta) Vulnerability mode."
  type        = string
  default     = ""
}
```
Collaborator

Are these new default values going to cause a replacement for existing clusters? Could we use null?

Contributor Author

workload_config_audit_mode cannot be null. This value is required. I got this message when setting the value to null.

The argument "protect_config.0.workload_config.0.audit_mode" is required, but no definition was found.

workload_vulnerability_mode has the same behavior with an empty string or a null value. I got a change in the tfstate only when DISABLED or BASIC is used.

```
~ protect_config {
   ~ workload_vulnerability_mode = "WORKLOAD_VULNERABILITY_MODE_UNSPECIFIED" -> "DISABLED"
}
```

and

```
~ protect_config {
   ~ workload_vulnerability_mode = "WORKLOAD_VULNERABILITY_MODE_UNSPECIFIED" -> "BASIC"
}
```
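To make the two defaults discussed above explicit and to reject values the GKE API will not accept before `terraform plan` ever reaches the provider, here is an added illustration (not the module's own code, and not part of this pull request) of how the two inputs can be constrained and wired into a `google_container_cluster` resource. The cluster name, location, the `"DISABLED"` default for `workload_config_audit_mode`, and the `nullable = false` guard are assumptions for this example; the thread only establishes that `audit_mode` is required and that only `DISABLED` or `BASIC` produce a real diff for the vulnerability mode.

```hcl
# Added example, not the module's code. Assumptions are marked inline.

variable "workload_vulnerability_mode" {
  description = "(beta) Vulnerability mode. An empty string leaves the API default (UNSPECIFIED) in place and produces no diff on existing clusters."
  type        = string
  default     = ""

  # Only the values the thread shows producing a plan change are accepted,
  # plus the empty string that keeps the current state untouched.
  validation {
    condition     = contains(["", "DISABLED", "BASIC"], var.workload_vulnerability_mode)
    error_message = "workload_vulnerability_mode must be \"\", \"DISABLED\" or \"BASIC\"."
  }
}

variable "workload_config_audit_mode" {
  description = "(beta) Workload config audit mode. The provider requires this argument, so null is rejected at variable level."
  type        = string
  default     = "DISABLED" # assumed default for this illustration
  nullable    = false      # assumed guard: surfaces a null at input, not as a provider error

  validation {
    condition     = contains(["DISABLED", "BASIC"], var.workload_config_audit_mode)
    error_message = "workload_config_audit_mode must be \"DISABLED\" or \"BASIC\"."
  }
}

resource "google_container_cluster" "example" {
  provider = google-beta
  name     = "example-cluster" # placeholder
  location = "us-central1"     # placeholder

  # The argument paths match the provider error quoted in the thread:
  # protect_config.0.workload_config.0.audit_mode
  protect_config {
    workload_vulnerability_mode = var.workload_vulnerability_mode
    workload_config {
      audit_mode = var.workload_config_audit_mode
    }
  }
}
```

With these validations, passing `null` for the audit mode fails at input validation with a readable message instead of the provider's "required, but no definition was found" error, and a typo such as `"basic"` is caught before the plan is computed. Keeping `""` allowed for the vulnerability mode preserves the no-diff behaviour on existing clusters that the thread describes.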

Contributor Author

@apeabody, what do you think?

Collaborator

Hi @mmorejon - Yeah, for simplicity, I recommend we just go with default = "" and mark this as a breaking change.

Contributor Author

Done. I set the default value back to empty.

@apeabody
Collaborator

/gcbrun

@mmorejon mmorejon requested a review from apeabody September 28, 2023 11:32
@mmorejon mmorejon force-pushed the enabling-vulnerability-and-audit-for-workloads branch from 50b5e1b to 415769f September 28, 2023 21:22
@mmorejon
Contributor Author

mmorejon commented Oct 6, 2023

Do you have any other suggestions? @apeabody

@apeabody apeabody changed the title feat: enabling vulnerability and audit modes for workloads feat!: enabling vulnerability and audit modes for workloads Oct 6, 2023
Signed-off-by: Manuel Morejon <[email protected]>
@mmorejon mmorejon force-pushed the enabling-vulnerability-and-audit-for-workloads branch from 415769f to 86355a8 October 10, 2023 07:18
@apeabody
Collaborator

/gcbrun

Collaborator

@apeabody apeabody left a comment

Thanks for the contribution @mmorejon!

@apeabody apeabody merged commit 7bfd6fe into terraform-google-modules:master Oct 10, 2023
4 checks passed
@mmorejon mmorejon deleted the enabling-vulnerability-and-audit-for-workloads branch October 10, 2023 19:49
CPL-markus pushed a commit to WALTER-GROUP/terraform-google-kubernetes-engine that referenced this pull request Jul 15, 2024