2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -185,7 +185,6 @@ Then perform the following commands on the root folder:
| enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no |
| enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
| enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
| enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
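Review bot: dropping the `enable_secret_manager_addon` row (and the variable behind it) is a breaking change for every caller that sets `enable_secret_manager_addon = true` today; they will fail at plan time with an unsupported-argument error, not silently keep the add-on. Call this out in the PR description and the module's upgrade notes, with the one-line migration `secret_manager_addon = { enabled = true }` (the `rotation_config` attribute is `optional`, so it can be left out).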
Expand Down Expand Up @@ -267,6 +266,7 @@ Then perform the following commands on the root folder:
| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
| resource\_manager\_tags | (Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: "tagKeys/{tag\_key\_id}"="tagValues/{tag\_value\_id}", "{org\_id}/{tag\_key\_name}"="{tag\_value\_name}", "{project\_id}/{tag\_key\_name}"="{tag\_value\_name}". | `map(string)` | `{}` | no |
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| secret\_manager\_addon | Configure the Secret Manager add-on for this cluster | <pre>object({<br> enabled = bool,<br> rotation_config = optional(object({<br> enabled = bool,<br> rotation_interval = string<br> }))<br> })</pre> | <pre>{<br> "enabled": false<br>}</pre> | no |
| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
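Review bot: the description "Configure the Secret Manager add-on for this cluster" does not tell a reader that `rotation_config` is only applied when it is non-null, what `rotation_interval` controls (how often the add-on polls for new secret versions and refreshes mounted values) or what format it expects. Since this column is generated from `variables.tf`, expand the `description` there rather than editing the README by hand.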
11 changes: 9 additions & 2 deletions autogen/main/cluster.tf.tmpl
Expand Up @@ -305,9 +305,16 @@ resource "google_container_cluster" "primary" {
}

dynamic "secret_manager_config" {
for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
for_each = var.secret_manager_addon.enabled ? [var.secret_manager_addon] : []
content {
enabled = secret_manager_config.value
enabled = secret_manager_config.value.enabled
dynamic "rotation_config" {
for_each = secret_manager_config.value.rotation_config != null ? [secret_manager_config.value.rotation_config] : []
content {
enabled = rotation_config.value.enabled
rotation_interval = rotation_config.value.rotation_interval
}
}
}
}

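Review bot: the outer `for_each` drops the whole `secret_manager_config` block when `enabled` is false, and the new inner `for_each` drops `rotation_config` when it is null, so neither "disabled" state is ever written explicitly. For a fresh cluster that is fine; for an existing cluster that had rotation on, setting `rotation_config = null` removes the block instead of sending `enabled = false`. Check with a plan against such a cluster that the provider really turns rotation off on block removal rather than leaving it unchanged. If it does not, emit `rotation_config` unconditionally with `enabled = try(secret_manager_config.value.rotation_config.enabled, false)` and `rotation_interval = try(secret_manager_config.value.rotation_config.rotation_interval, null)`. Whatever is decided here flows into the three generated `cluster.tf` copies in this PR.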
14 changes: 10 additions & 4 deletions autogen/main/variables.tf.tmpl
Expand Up @@ -708,10 +708,16 @@ variable "enable_gcfs" {
}
{% endif %}

variable "enable_secret_manager_addon" {
description = "Enable the Secret Manager add-on for this cluster"
type = bool
default = false
variable "secret_manager_addon" {
description = "Configure the Secret Manager add-on for this cluster"
type = object({
enabled = bool,
rotation_config = optional(object({
enabled = bool,
rotation_interval = string
}))
})
default = { enabled = false }
}
{% if beta_cluster %}

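Review bot: the object type accepts `rotation_config = { enabled = true, rotation_interval = "" }` without complaint, and nothing rejects a malformed interval before the API sees it. Add a `validation` block on the variable, e.g. `condition = var.secret_manager_addon.rotation_config == null || var.secret_manager_addon.rotation_config.rotation_interval != ""`, with an `error_message` naming the field, so the failure surfaces at plan time instead of as an API error mid-apply. Separately, `rotation_interval = string` makes the interval mandatory whenever `rotation_config` is supplied; if the intent is to let the API default apply when only `enabled = true` is given, `optional(string)` fits better, and the generated `variables.tf` copies and the `metadata.yaml` varType text should then follow from regenerating rather than hand edits.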
11 changes: 9 additions & 2 deletions cluster.tf
Expand Up @@ -243,9 +243,16 @@ resource "google_container_cluster" "primary" {
}

dynamic "secret_manager_config" {
for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
for_each = var.secret_manager_addon.enabled ? [var.secret_manager_addon] : []
content {
enabled = secret_manager_config.value
enabled = secret_manager_config.value.enabled
dynamic "rotation_config" {
for_each = secret_manager_config.value.rotation_config != null ? [secret_manager_config.value.rotation_config] : []
content {
enabled = rotation_config.value.enabled
rotation_interval = rotation_config.value.rotation_interval
}
}
}
}

3 changes: 3 additions & 0 deletions metadata.display.yaml
Expand Up @@ -414,6 +414,9 @@ spec:
resource_usage_export_dataset_id:
name: resource_usage_export_dataset_id
title: Resource Usage Export Dataset Id
secret_manager_addon:
name: secret_manager_addon
title: Secret Manager Addon
security_posture_mode:
name: security_posture_mode
title: Security Posture Mode
16 changes: 12 additions & 4 deletions metadata.yaml
Expand Up @@ -571,10 +571,18 @@ spec:
description: Enable image streaming on cluster level.
varType: bool
defaultValue: false
- name: enable_secret_manager_addon
description: Enable the Secret Manager add-on for this cluster
varType: bool
defaultValue: false
- name: secret_manager_addon
description: Configure the Secret Manager add-on for this cluster
varType: |-
object({
enabled = bool,
rotation_config = optional(object({
enabled = bool,
rotation_interval = string
}))
})
defaultValue:
enabled: false
- name: enable_fqdn_network_policy
description: Enable FQDN Network Policies on the cluster
varType: bool
2 changes: 1 addition & 1 deletion modules/beta-autopilot-private-cluster/README.md
Expand Up @@ -107,7 +107,6 @@ Then perform the following commands on the root folder:
| enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `true` | no |
| enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
| enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `true` | no |
| enterprise\_config | (Optional) Enable or disable GKE enterprise. Valid values are STANDARD and ENTERPRISE. | `string` | `null` | no |
Expand Down Expand Up @@ -161,6 +160,7 @@ Then perform the following commands on the root folder:
| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
| resource\_manager\_tags | (Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: "tagKeys/{tag\_key\_id}"="tagValues/{tag\_value\_id}", "{org\_id}/{tag\_key\_name}"="{tag\_value\_name}", "{project\_id}/{tag\_key\_name}"="{tag\_value\_name}". | `map(string)` | `{}` | no |
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| secret\_manager\_addon | Configure the Secret Manager add-on for this cluster | <pre>object({<br> enabled = bool,<br> rotation_config = optional(object({<br> enabled = bool,<br> rotation_interval = string<br> }))<br> })</pre> | <pre>{<br> "enabled": false<br>}</pre> | no |
| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
11 changes: 9 additions & 2 deletions modules/beta-autopilot-private-cluster/cluster.tf
Expand Up @@ -157,9 +157,16 @@ resource "google_container_cluster" "primary" {
}

dynamic "secret_manager_config" {
for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
for_each = var.secret_manager_addon.enabled ? [var.secret_manager_addon] : []
content {
enabled = secret_manager_config.value
enabled = secret_manager_config.value.enabled
dynamic "rotation_config" {
for_each = secret_manager_config.value.rotation_config != null ? [secret_manager_config.value.rotation_config] : []
content {
enabled = rotation_config.value.enabled
rotation_interval = rotation_config.value.rotation_interval
Contributor
medium

To improve robustness, it's good practice to explicitly handle the case where rotation_interval might be an empty string. While optional(string) handles a null value, an empty string "" can sometimes be passed and might be interpreted differently by the API than null. This change ensures that an empty string is treated as null, preventing potential issues.

          rotation_interval = rotation_config.value.rotation_interval != "" ? rotation_config.value.rotation_interval : null
References
  1. It's a good defensive programming practice to handle potential edge cases like empty strings for optional arguments, to prevent unexpected behavior from the underlying API.

}
}
}
}

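Review bot: the suggestion above coerces an empty `rotation_interval` to null inside this file, but `modules/beta-autopilot-private-cluster/cluster.tf` is generated from `autogen/main/cluster.tf.tmpl`; a hand edit here is overwritten the next time the modules are regenerated. Put the null-coercion (or, better, a plan-time `validation` on `secret_manager_addon` that rejects an empty interval) in the `autogen/main` templates and regenerate, so the root `cluster.tf` and both autopilot module copies stay identical.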
Expand Up @@ -307,6 +307,9 @@ spec:
resource_usage_export_dataset_id:
name: resource_usage_export_dataset_id
title: Resource Usage Export Dataset Id
secret_manager_addon:
name: secret_manager_addon
title: Secret Manager Addon
security_posture_mode:
name: security_posture_mode
title: Security Posture Mode
16 changes: 12 additions & 4 deletions modules/beta-autopilot-private-cluster/metadata.yaml
Expand Up @@ -378,10 +378,18 @@ spec:
description: Enable the Horizontal Pod Autoscaling profile for this cluster. Values are "NONE" and "PERFORMANCE".
varType: string
defaultValue: ""
- name: enable_secret_manager_addon
description: Enable the Secret Manager add-on for this cluster
varType: bool
defaultValue: false
- name: secret_manager_addon
description: Configure the Secret Manager add-on for this cluster
varType: |-
object({
enabled = bool,
rotation_config = optional(object({
enabled = bool,
rotation_interval = string
}))
})
Comment on lines +384 to +390
Contributor
medium

The indentation within the varType literal block is inconsistent. Consistent formatting improves readability and maintainability of the metadata file.

          object({
            enabled = bool,
            rotation_config = optional(object({
              enabled           = bool,
              rotation_interval = optional(string)
            }))
          })

defaultValue:
enabled: false
- name: workload_vulnerability_mode
description: (beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC.
varType: string
14 changes: 10 additions & 4 deletions modules/beta-autopilot-private-cluster/variables.tf
Expand Up @@ -412,10 +412,16 @@ variable "hpa_profile" {
default = ""
}

variable "enable_secret_manager_addon" {
description = "Enable the Secret Manager add-on for this cluster"
type = bool
default = false
variable "secret_manager_addon" {
description = "Configure the Secret Manager add-on for this cluster"
type = object({
enabled = bool,
rotation_config = optional(object({
enabled = bool,
rotation_interval = string
}))
Comment on lines 419 to 422
Contributor
medium

The rotation_interval attribute should be optional to align with the Google Provider documentation for the google_container_cluster resource. This allows enabling rotation without necessarily specifying an interval, letting the provider use its default.

    rotation_config = optional(object({
      enabled           = bool,
      rotation_interval = optional(string)
    }))

})
default = { enabled = false }
}
Comment on lines +415 to 425
Contributor
medium

The formatting of this variable block is inconsistent with the standard terraform fmt style. Aligning the type and default arguments improves readability and maintainability.

variable "secret_manager_addon" {
  description = "Configure the Secret Manager add-on for this cluster"
  type        = object({
    enabled = bool,
    rotation_config = optional(object({
      enabled           = bool,
      rotation_interval = optional(string)
    }))
  })
  default     = { enabled = false }
}
References
  1. The formatting of this block does not adhere to the standard terraform fmt style, which is the convention for this project. Consistent formatting improves readability and maintainability. (link)


variable "workload_vulnerability_mode" {
2 changes: 1 addition & 1 deletion modules/beta-autopilot-public-cluster/README.md
Expand Up @@ -98,7 +98,6 @@ Then perform the following commands on the root folder:
| enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no |
| enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
| enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
| enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `true` | no |
| enterprise\_config | (Optional) Enable or disable GKE enterprise. Valid values are STANDARD and ENTERPRISE. | `string` | `null` | no |
Expand Down Expand Up @@ -149,6 +148,7 @@ Then perform the following commands on the root folder:
| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
| resource\_manager\_tags | (Optional) - List of resource manager tags applied to autopilot and auto-provisioned node pools. A maximum of 5 tags can be specified. Tags must be in one of these formats: "tagKeys/{tag\_key\_id}"="tagValues/{tag\_value\_id}", "{org\_id}/{tag\_key\_name}"="{tag\_value\_name}", "{project\_id}/{tag\_key\_name}"="{tag\_value\_name}". | `map(string)` | `{}` | no |
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| secret\_manager\_addon | Configure the Secret Manager add-on for this cluster | <pre>object({<br> enabled = bool,<br> rotation_config = optional(object({<br> enabled = bool,<br> rotation_interval = string<br> }))<br> })</pre> | <pre>{<br> "enabled": false<br>}</pre> | no |
Contributor
medium

The documentation for the secret_manager_addon variable should be updated to reflect that rotation_interval is optional. This will likely be fixed automatically after updating the variable definition in variables.tf and re-running pre-commit-terraform-docs-hook.

Suggested change
| secret\_manager\_addon | Configure the Secret Manager add-on for this cluster | <pre>object({<br> enabled = bool,<br> rotation_config = optional(object({<br> enabled = bool,<br> rotation_interval = string<br> }))<br> })</pre> | <pre>{<br> "enabled": false<br>}</pre> | no |
| secret_manager_addon | Configure the Secret Manager add-on for this cluster | <pre>object({<br> enabled = bool,<br> rotation_config = optional(object({<br> enabled = bool,<br> rotation_interval = optional(string)<br> }))<br> })</pre> | <pre>{<br> "enabled": false<br>}</pre> | no |

| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
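Review bot: the "Suggested change" above drops the backslash-escaping of underscores in the first column (`secret_manager_addon` instead of `secret\_manager\_addon`), which terraform-docs emits for every other row of this table and which the hook would immediately re-add. Take only the `optional(string)` part of the suggestion, apply it in `variables.tf`, and let the docs hook regenerate the row rather than committing the suggestion as written.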
11 changes: 9 additions & 2 deletions modules/beta-autopilot-public-cluster/cluster.tf
Expand Up @@ -157,9 +157,16 @@ resource "google_container_cluster" "primary" {
}

dynamic "secret_manager_config" {
for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
for_each = var.secret_manager_addon.enabled ? [var.secret_manager_addon] : []
content {
enabled = secret_manager_config.value
enabled = secret_manager_config.value.enabled
dynamic "rotation_config" {
for_each = secret_manager_config.value.rotation_config != null ? [secret_manager_config.value.rotation_config] : []
content {
enabled = rotation_config.value.enabled
rotation_interval = rotation_config.value.rotation_interval
Contributor
medium

To improve robustness, it's good practice to explicitly handle the case where rotation_interval might be an empty string. While optional(string) handles a null value, an empty string "" can sometimes be passed and might be interpreted differently by the API than null. This change ensures that an empty string is treated as null, preventing potential issues.

          rotation_interval = rotation_config.value.rotation_interval != "" ? rotation_config.value.rotation_interval : null
References
  1. It's a good defensive programming practice to handle potential edge cases like empty strings for optional arguments, to prevent unexpected behavior from the underlying API.

}
}
}
}

3 changes: 3 additions & 0 deletions modules/beta-autopilot-public-cluster/metadata.display.yaml
Expand Up @@ -289,6 +289,9 @@ spec:
resource_usage_export_dataset_id:
name: resource_usage_export_dataset_id
title: Resource Usage Export Dataset Id
secret_manager_addon:
name: secret_manager_addon
title: Secret Manager Addon
security_posture_mode:
name: security_posture_mode
title: Security Posture Mode
16 changes: 12 additions & 4 deletions modules/beta-autopilot-public-cluster/metadata.yaml
Expand Up @@ -356,10 +356,18 @@ spec:
description: Enable the Horizontal Pod Autoscaling profile for this cluster. Values are "NONE" and "PERFORMANCE".
varType: string
defaultValue: ""
- name: enable_secret_manager_addon
description: Enable the Secret Manager add-on for this cluster
varType: bool
defaultValue: false
- name: secret_manager_addon
description: Configure the Secret Manager add-on for this cluster
varType: |-
object({
enabled = bool,
rotation_config = optional(object({
enabled = bool,
rotation_interval = string
Contributor
medium

To align with the provider documentation and the suggested change in variables.tf, rotation_interval should be marked as optional here as well.

                rotation_interval = optional(string)

}))
})
Comment on lines +362 to +368
Contributor
medium

The indentation within the varType literal block is inconsistent. Consistent formatting improves readability and maintainability of the metadata file.

          object({
            enabled = bool,
            rotation_config = optional(object({
              enabled           = bool,
              rotation_interval = optional(string)
            }))
          })

defaultValue:
enabled: false
- name: workload_vulnerability_mode
description: (beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC.
varType: string
14 changes: 10 additions & 4 deletions modules/beta-autopilot-public-cluster/variables.tf
Expand Up @@ -376,10 +376,16 @@ variable "hpa_profile" {
default = ""
}

variable "enable_secret_manager_addon" {
description = "Enable the Secret Manager add-on for this cluster"
type = bool
default = false
variable "secret_manager_addon" {
description = "Configure the Secret Manager add-on for this cluster"
type = object({
enabled = bool,
rotation_config = optional(object({
enabled = bool,
rotation_interval = string
}))
Comment on lines 383 to 386
Contributor
medium

The rotation_interval attribute should be optional to align with the Google Provider documentation for the google_container_cluster resource. This allows enabling rotation without necessarily specifying an interval, letting the provider use its default.

    rotation_config = optional(object({
      enabled           = bool,
      rotation_interval = optional(string)
    }))

})
default = { enabled = false }
}
Comment on lines +379 to 389
Contributor
medium

The formatting of this variable block is inconsistent with the standard terraform fmt style. Aligning the type and default arguments improves readability and maintainability.

variable "secret_manager_addon" {
  description = "Configure the Secret Manager add-on for this cluster"
  type        = object({
    enabled = bool,
    rotation_config = optional(object({
      enabled           = bool,
      rotation_interval = optional(string)
    }))
  })
  default     = { enabled = false }
}
References
  1. The formatting of this block does not adhere to the standard terraform fmt style, which is the convention for this project. Consistent formatting improves readability and maintainability. (link)


variable "workload_vulnerability_mode" {