feat: add dns_allow_external_traffic

apeabody · apeabody · commit 7e3b22c9d12b · 2025-03-19T16:41:37.000Z
diff --git a/README.md b/README.md
@@ -161,6 +161,7 @@ Then perform the following commands on the root folder:
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
+| dns\_allow\_external\_traffic | (Optional) Controls whether external traffic is allowed over the dns endpoint. | `bool` | `null` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
@@ -666,15 +666,15 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+{% endif %}
   dynamic "control_plane_endpoints_config" {
-    for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : []
+    for_each = var.dns_allow_external_traffic != null ? [1] : []
     content {
       dns_endpoint_config {
-        allow_external_traffic = var.deploy_using_private_endpoint
+        allow_external_traffic = var.dns_allow_external_traffic
       }
     }
   }
-{% endif %}
 
   {% if autopilot_cluster != true %}
   remove_default_node_pool = var.remove_default_node_pool
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
@@ -1043,3 +1043,9 @@ variable "enterprise_config" {
   type        = string
   default     = null
 }
+
+variable "dns_allow_external_traffic" {
+  description = "(Optional) Controls whether external traffic is allowed over the dns endpoint."
+  type        = bool
+  default     = null
+}
diff --git a/cluster.tf b/cluster.tf
@@ -508,6 +508,14 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "control_plane_endpoints_config" {
+    for_each = var.dns_allow_external_traffic != null ? [1] : []
+    content {
+      dns_endpoint_config {
+        allow_external_traffic = var.dns_allow_external_traffic
+      }
+    }
+  }
 
   remove_default_node_pool = var.remove_default_node_pool
 
diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf
@@ -45,6 +45,7 @@ module "gke" {
   deletion_protection               = false
   service_account                   = "default"
   logging_variant                   = "MAX_THROUGHPUT"
+  dns_allow_external_traffic        = true
 
   node_pools = [
     {
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
@@ -87,6 +87,7 @@ Then perform the following commands on the root folder:
 | deploy\_using\_private\_endpoint | A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
+| dns\_allow\_external\_traffic | (Optional) Controls whether external traffic is allowed over the dns endpoint. | `bool` | `null` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -334,10 +334,10 @@ resource "google_container_cluster" "primary" {
   }
 
   dynamic "control_plane_endpoints_config" {
-    for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : []
+    for_each = var.dns_allow_external_traffic != null ? [1] : []
     content {
       dns_endpoint_config {
-        allow_external_traffic = var.deploy_using_private_endpoint
+        allow_external_traffic = var.dns_allow_external_traffic
       }
     }
   }
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
@@ -613,3 +613,9 @@ variable "enterprise_config" {
   type        = string
   default     = null
 }
+
+variable "dns_allow_external_traffic" {
+  description = "(Optional) Controls whether external traffic is allowed over the dns endpoint."
+  type        = bool
+  default     = null
+}
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
@@ -81,6 +81,7 @@ Then perform the following commands on the root folder:
 | deletion\_protection | Whether or not to allow Terraform to destroy the cluster. | `bool` | `true` | no |
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
+| dns\_allow\_external\_traffic | (Optional) Controls whether external traffic is allowed over the dns endpoint. | `bool` | `null` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -311,6 +311,14 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "control_plane_endpoints_config" {
+    for_each = var.dns_allow_external_traffic != null ? [1] : []
+    content {
+      dns_endpoint_config {
+        allow_external_traffic = var.dns_allow_external_traffic
+      }
+    }
+  }
 
 
   dynamic "database_encryption" {
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
@@ -577,3 +577,9 @@ variable "enterprise_config" {
   type        = string
   default     = null
 }
+
+variable "dns_allow_external_traffic" {
+  description = "(Optional) Controls whether external traffic is allowed over the dns endpoint."
+  type        = bool
+  default     = null
+}
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
@@ -195,6 +195,7 @@ Then perform the following commands on the root folder:
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
+| dns\_allow\_external\_traffic | (Optional) Controls whether external traffic is allowed over the dns endpoint. | `bool` | `null` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -576,10 +576,10 @@ resource "google_container_cluster" "primary" {
   }
 
   dynamic "control_plane_endpoints_config" {
-    for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : []
+    for_each = var.dns_allow_external_traffic != null ? [1] : []
     content {
       dns_endpoint_config {
-        allow_external_traffic = var.deploy_using_private_endpoint
+        allow_external_traffic = var.dns_allow_external_traffic
       }
     }
   }
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
@@ -990,3 +990,9 @@ variable "enterprise_config" {
   type        = string
   default     = null
 }
+
+variable "dns_allow_external_traffic" {
+  description = "(Optional) Controls whether external traffic is allowed over the dns endpoint."
+  type        = bool
+  default     = null
+}
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
@@ -173,6 +173,7 @@ Then perform the following commands on the root folder:
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
+| dns\_allow\_external\_traffic | (Optional) Controls whether external traffic is allowed over the dns endpoint. | `bool` | `null` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
@@ -576,10 +576,10 @@ resource "google_container_cluster" "primary" {
   }
 
   dynamic "control_plane_endpoints_config" {
-    for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : []
+    for_each = var.dns_allow_external_traffic != null ? [1] : []
     content {
       dns_endpoint_config {
-        allow_external_traffic = var.deploy_using_private_endpoint
+        allow_external_traffic = var.dns_allow_external_traffic
       }
     }
   }
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
@@ -990,3 +990,9 @@ variable "enterprise_config" {
   type        = string
   default     = null
 }
+
+variable "dns_allow_external_traffic" {
+  description = "(Optional) Controls whether external traffic is allowed over the dns endpoint."
+  type        = bool
+  default     = null
+}
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
@@ -189,6 +189,7 @@ Then perform the following commands on the root folder:
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
+| dns\_allow\_external\_traffic | (Optional) Controls whether external traffic is allowed over the dns endpoint. | `bool` | `null` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -553,6 +553,14 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "control_plane_endpoints_config" {
+    for_each = var.dns_allow_external_traffic != null ? [1] : []
+    content {
+      dns_endpoint_config {
+        allow_external_traffic = var.dns_allow_external_traffic
+      }
+    }
+  }
 
   remove_default_node_pool = var.remove_default_node_pool
 
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
@@ -954,3 +954,9 @@ variable "enterprise_config" {
   type        = string
   default     = null
 }
+
+variable "dns_allow_external_traffic" {
+  description = "(Optional) Controls whether external traffic is allowed over the dns endpoint."
+  type        = bool
+  default     = null
+}
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
@@ -167,6 +167,7 @@ Then perform the following commands on the root folder:
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
+| dns\_allow\_external\_traffic | (Optional) Controls whether external traffic is allowed over the dns endpoint. | `bool` | `null` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
@@ -553,6 +553,14 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "control_plane_endpoints_config" {
+    for_each = var.dns_allow_external_traffic != null ? [1] : []
+    content {
+      dns_endpoint_config {
+        allow_external_traffic = var.dns_allow_external_traffic
+      }
+    }
+  }
 
   remove_default_node_pool = var.remove_default_node_pool
 
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
@@ -954,3 +954,9 @@ variable "enterprise_config" {
   type        = string
   default     = null
 }
+
+variable "dns_allow_external_traffic" {
+  description = "(Optional) Controls whether external traffic is allowed over the dns endpoint."
+  type        = bool
+  default     = null
+}
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
@@ -189,6 +189,7 @@ Then perform the following commands on the root folder:
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
+| dns\_allow\_external\_traffic | (Optional) Controls whether external traffic is allowed over the dns endpoint. | `bool` | `null` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
@@ -531,10 +531,10 @@ resource "google_container_cluster" "primary" {
   }
 
   dynamic "control_plane_endpoints_config" {
-    for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : []
+    for_each = var.dns_allow_external_traffic != null ? [1] : []
     content {
       dns_endpoint_config {
-        allow_external_traffic = var.deploy_using_private_endpoint
+        allow_external_traffic = var.dns_allow_external_traffic
       }
     }
   }
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
@@ -924,3 +924,9 @@ variable "enterprise_config" {
   type        = string
   default     = null
 }
+
+variable "dns_allow_external_traffic" {
+  description = "(Optional) Controls whether external traffic is allowed over the dns endpoint."
+  type        = bool
+  default     = null
+}
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
@@ -167,6 +167,7 @@ Then perform the following commands on the root folder:
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
+| dns\_allow\_external\_traffic | (Optional) Controls whether external traffic is allowed over the dns endpoint. | `bool` | `null` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
@@ -531,10 +531,10 @@ resource "google_container_cluster" "primary" {
   }
 
   dynamic "control_plane_endpoints_config" {
-    for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : []
+    for_each = var.dns_allow_external_traffic != null ? [1] : []
     content {
       dns_endpoint_config {
-        allow_external_traffic = var.deploy_using_private_endpoint
+        allow_external_traffic = var.dns_allow_external_traffic
       }
     }
   }
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
@@ -924,3 +924,9 @@ variable "enterprise_config" {
   type        = string
   default     = null
 }
+
+variable "dns_allow_external_traffic" {
+  description = "(Optional) Controls whether external traffic is allowed over the dns endpoint."
+  type        = bool
+  default     = null
+}
diff --git a/test/integration/node_pool/testdata/TestNodePool.json b/test/integration/node_pool/testdata/TestNodePool.json
@@ -57,7 +57,7 @@
   "clusterIpv4Cidr": "192.168.0.0/18",
   "controlPlaneEndpointsConfig": {
     "dnsEndpointConfig": {
-      "allowExternalTraffic": false
+      "allowExternalTraffic": true
     },
     "ipEndpointsConfig": {
       "authorizedNetworksConfig": {
diff --git a/variables.tf b/variables.tf
@@ -888,3 +888,9 @@ variable "enterprise_config" {
   type        = string
   default     = null
 }
+
+variable "dns_allow_external_traffic" {
+  description = "(Optional) Controls whether external traffic is allowed over the dns endpoint."
+  type        = bool
+  default     = null
+}

Original file line number	Diff line number	Diff line change
`@@ -666,15 +666,15 @@ resource "google_container_cluster" "primary" {`
`666`	`666`	`}`
`667`	`667`	`}`
`668`	`668`
	`669`	`+{% endif %}`
`669`	`670`	`dynamic "control_plane_endpoints_config" {`
`670`		`- for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : []`
	`671`	`+ for_each = var.dns_allow_external_traffic != null ? [1] : []`
`671`	`672`	`content {`
`672`	`673`	`dns_endpoint_config {`
`673`		`- allow_external_traffic = var.deploy_using_private_endpoint`
	`674`	`+ allow_external_traffic = var.dns_allow_external_traffic`
`674`	`675`	`}`
`675`	`676`	`}`
`676`	`677`	`}`
`677`		`-{% endif %}`
`678`	`678`
`679`	`679`	`{% if autopilot_cluster != true %}`
`680`	`680`	`remove_default_node_pool = var.remove_default_node_pool`
Original file line number	Diff line number	Diff line change
`@@ -508,6 +508,14 @@ resource "google_container_cluster" "primary" {`
`508`	`508`	`}`
`509`	`509`	`}`
`510`	`510`
	`511`	`+ dynamic "control_plane_endpoints_config" {`
	`512`	`+ for_each = var.dns_allow_external_traffic != null ? [1] : []`
	`513`	`+ content {`
	`514`	`+ dns_endpoint_config {`
	`515`	`+ allow_external_traffic = var.dns_allow_external_traffic`
	`516`	`+ }`
	`517`	`+ }`
	`518`	`+ }`
`511`	`519`
`512`	`520`	`remove_default_node_pool = var.remove_default_node_pool`
`513`	`521`
Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,7 @@ module "gke" {`
`45`	`45`	`deletion_protection = false`
`46`	`46`	`service_account = "default"`
`47`	`47`	`logging_variant = "MAX_THROUGHPUT"`
	`48`	`+ dns_allow_external_traffic = true`
`48`	`49`
`49`	`50`	`node_pools = [`
`50`	`51`	`{`
Original file line number	Diff line number	Diff line change
`@@ -334,10 +334,10 @@ resource "google_container_cluster" "primary" {`
`334`	`334`	`}`
`335`	`335`
`336`	`336`	`dynamic "control_plane_endpoints_config" {`
`337`		`- for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : []`
	`337`	`+ for_each = var.dns_allow_external_traffic != null ? [1] : []`
`338`	`338`	`content {`
`339`	`339`	`dns_endpoint_config {`
`340`		`- allow_external_traffic = var.deploy_using_private_endpoint`
	`340`	`+ allow_external_traffic = var.dns_allow_external_traffic`
`341`	`341`	`}`
`342`	`342`	`}`
`343`	`343`	`}`
Original file line number	Diff line number	Diff line change
`@@ -311,6 +311,14 @@ resource "google_container_cluster" "primary" {`
`311`	`311`	`}`
`312`	`312`	`}`
`313`	`313`
	`314`	`+ dynamic "control_plane_endpoints_config" {`
	`315`	`+ for_each = var.dns_allow_external_traffic != null ? [1] : []`
	`316`	`+ content {`
	`317`	`+ dns_endpoint_config {`
	`318`	`+ allow_external_traffic = var.dns_allow_external_traffic`
	`319`	`+ }`
	`320`	`+ }`
	`321`	`+ }`
`314`	`322`
`315`	`323`
`316`	`324`	`dynamic "database_encryption" {`
Original file line number	Diff line number	Diff line change
`@@ -576,10 +576,10 @@ resource "google_container_cluster" "primary" {`
`576`	`576`	`}`
`577`	`577`
`578`	`578`	`dynamic "control_plane_endpoints_config" {`
`579`		`- for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : []`
	`579`	`+ for_each = var.dns_allow_external_traffic != null ? [1] : []`
`580`	`580`	`content {`
`581`	`581`	`dns_endpoint_config {`
`582`		`- allow_external_traffic = var.deploy_using_private_endpoint`
	`582`	`+ allow_external_traffic = var.dns_allow_external_traffic`
`583`	`583`	`}`
`584`	`584`	`}`
`585`	`585`	`}`
Original file line number	Diff line number	Diff line change
`@@ -553,6 +553,14 @@ resource "google_container_cluster" "primary" {`
`553`	`553`	`}`
`554`	`554`	`}`
`555`	`555`
	`556`	`+ dynamic "control_plane_endpoints_config" {`
	`557`	`+ for_each = var.dns_allow_external_traffic != null ? [1] : []`
	`558`	`+ content {`
	`559`	`+ dns_endpoint_config {`
	`560`	`+ allow_external_traffic = var.dns_allow_external_traffic`
	`561`	`+ }`
	`562`	`+ }`
	`563`	`+ }`
`556`	`564`
`557`	`565`	`remove_default_node_pool = var.remove_default_node_pool`
`558`	`566`
Original file line number	Diff line number	Diff line change
`@@ -531,10 +531,10 @@ resource "google_container_cluster" "primary" {`
`531`	`531`	`}`
`532`	`532`
`533`	`533`	`dynamic "control_plane_endpoints_config" {`
`534`		`- for_each = var.enable_private_endpoint && var.deploy_using_private_endpoint ? [1] : []`
	`534`	`+ for_each = var.dns_allow_external_traffic != null ? [1] : []`
`535`	`535`	`content {`
`536`	`536`	`dns_endpoint_config {`
`537`		`- allow_external_traffic = var.deploy_using_private_endpoint`
	`537`	`+ allow_external_traffic = var.dns_allow_external_traffic`
`538`	`538`	`}`
`539`	`539`	`}`
`540`	`540`	`}`