Description
As noted in the Terraform Google provider documentation, it is impossible to create a GKE cluster without also creating the default node pool; as a workaround, the remove_default_node_pool flag can be set so that the default pool is deleted immediately after the cluster is created.
The check for CKV_GCP_123 simply verifies that no nested node_pool block exists to configure the default node pool. This has some issues:
- In some cases you have to define characteristics for the default node pool (due to org policies etc.) or the cluster creation will fail, even if you intend to delete the default node pool immediately anyway.
- The absence of that nested configuration block does not imply that a default node pool isn't created.
The second problem is mostly a question of what exactly the check is trying to protect against. I would argue that it really should trigger when remove_default_node_pool != true, to align more closely with what the recommendation is actually saying.
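To make the difference between the two interpretations concrete, here is an added example (not checkov's own code) that models the current check logic as described above next to the proposed logic, and runs both over checkov-style resource conf dicts; the dict shape (every attribute value wrapped in a list) is assumed, and both sample configs are constructed for this illustration.

```python
# Added example, not checkov's code: current vs. proposed CKV_GCP_123 logic.
# Assumption: conf dicts have the checkov scan_resource_conf shape, where every
# attribute value is wrapped in a one-element list.
from typing import Any, Dict

PASSED = "PASSED"
FAILED = "FAILED"


def _attr(conf: Dict[str, Any], key: str) -> Any:
    """Unwrap a checkov-style attribute value stored as a one-element list."""
    value = conf.get(key)
    if isinstance(value, list) and value:
        return value[0]
    return value


def current_check(conf: Dict[str, Any]) -> str:
    """Current behaviour as described in the issue: any nested node_pool block fails."""
    return FAILED if "node_pool" in conf else PASSED


def proposed_check(conf: Dict[str, Any]) -> str:
    """Proposed behaviour: pass only when remove_default_node_pool is true."""
    flag = _attr(conf, "remove_default_node_pool")
    # Accept both the HCL bool and a string "true"; anything else keeps the default pool.
    if flag is True or (isinstance(flag, str) and flag.lower() == "true"):
        return PASSED
    return FAILED


# Constructed sample 1: the issue's own example, default pool configured
# (e.g. to satisfy an org policy) but removed right after cluster creation.
CONFIGURED_AND_REMOVED = {
    "initial_node_count": [1],
    "remove_default_node_pool": [True],
    "node_pool": [{"node_config": [{"service_account": ["${google_service_account.default.email}"]}]}],
}
# Constructed sample 2: no nested node_pool block, but nothing removes the default pool.
DEFAULT_POOL_KEPT = {"initial_node_count": [1]}


def compare(conf: Dict[str, Any]) -> Dict[str, str]:
    """Return both verdicts side by side so the divergence is visible."""
    return {"current": current_check(conf), "proposed": proposed_check(conf)}


if __name__ == "__main__":
    for name, conf in (("configured_and_removed", CONFIGURED_AND_REMOVED),
                       ("default_pool_kept", DEFAULT_POOL_KEPT)):
        print(name, compare(conf))
```

The first config fails the current check but passes the proposed one, while the second (which actually leaves a default pool in place) passes the current check and fails the proposed one.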
Examples

```hcl
resource "google_container_cluster" "example" {
  initial_node_count       = 1
  remove_default_node_pool = true
  node_pool {
    node_config {
      service_account = google_service_account.default.email
    }
  }
}
```

Version
- 3.2.461
Additional context
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#remove_default_node_pool-1