Merged
Changes from 4 commits
2 changes: 1 addition & 1 deletion modules/gke-autopilot-cluster/README.md
@@ -41,7 +41,7 @@ For a module with a complete configuration of a Google Cloud Platform Kubernetes
| logging\_config | The GKE components exposing logs. Supported values include: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, SCHEDULER, and WORKLOADS. | <pre>object({<br> enable_components = optional(list(string))<br> })</pre> | `null` | no |
| maintenance\_policy | The maintenance policy to use for the cluster. | <pre>object({<br> daily_maintenance_window = optional(object({<br> start_time = optional(string)<br> }))<br> recurring_window = optional(object({<br> start_time = optional(string)<br> end_time = optional(string)<br> recurrence = optional(string)<br> }))<br> maintenance_exclusion = optional(list(object({<br> exclusion_name = optional(string)<br> start_time = optional(string)<br> end_time = optional(string)<br> exclusion_options = optional(object({<br> scope = optional(string)<br> }))<br> })))<br> })</pre> | <pre>{<br> "daily_maintenance_window": {<br> "start_time": "05:00"<br> }<br>}</pre> | no |
| master\_auth | The authentication information for accessing the Kubernetes master. | <pre>object({<br> client_certificate_config = optional(object({<br> issue_client_certificate = optional(bool)<br> }))<br> })</pre> | `null` | no |
| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. | <pre>object({<br> cidr_blocks = list(object({<br> display_name = string<br> cidr_block = string<br> }))<br> gcp_public_cidrs_access_enabled = optional(bool)<br> private_endpoint_enforcement_enabled = optional(bool)<br> })</pre> | n/a | yes |
| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. Cidr Block must follow [Cidr notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation) | <pre>object({<br> cidr_blocks = list(object({<br> display_name = string<br> cidr_block = string<br> }))<br> gcp_public_cidrs_access_enabled = optional(bool)<br> private_endpoint_enforcement_enabled = optional(bool)<br> })</pre> | n/a | yes |
| mesh\_certificates | Configuration for the provisioning of managed mesh certificates. | <pre>object({<br> enable_certificates = optional(bool)<br> })</pre> | `null` | no |
| min\_master\_version | The minimum version of the master. GKE will auto-update the master to new versions, so this does not guarantee the master version--use the read-only master\_version field to obtain a current version. If unset, the server's default version will be used. | `string` | `null` | no |
| monitoring\_config | (Optional) The GKE components exposing metrics. Supported values include: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR, DCGM and JOBSET. | <pre>object({<br> enable_components = optional(list(string))<br> })</pre> | `null` | no |
26 changes: 26 additions & 0 deletions modules/gke-autopilot-cluster/metadata.display.yaml
@@ -256,6 +256,16 @@ spec:
master_authorized_networks_config:
name: master_authorized_networks_config
title: Master Authorized Networks Config
properties:
cidr_blocks:
name: cidr_blocks
title: Cidr Blocks
properties:
cidr_block:
name: cidr_block
title: Cidr Block
regexValidation: ^((((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(3[0-2]|[12]?[0-9]))|((\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*\/(12[0-8]|1[01][0-9]|[1-9]?[0-9]))))$

medium

The regex for CIDR validation is very complex and contains an inconsistency. It allows optional whitespace (\s*) for IPv6 CIDRs, both at the beginning of the string and before the /, but not for IPv4 CIDRs. For consistency and stricter validation, it's better to remove the whitespace allowance from the IPv6 part.

                  regexValidation: ^((((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(3[0-2]|[12]?[0-9]))|((((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\/(12[0-8]|1[01][0-9]|[1-9]?[0-9]))))$

validation: Enter the valid CIDR notation.
mesh_certificates:
name: mesh_certificates
title: Mesh Certificates
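Review bot: Besides the whitespace inconsistency already raised, the IPv4 branch of this `regexValidation` accepts leading-zero octets such as `010.0.0.1/8` (`[01]?[0-9][0-9]?` matches `010`), and the IPv6 branch accepts a zone suffix via `(%.+)?`, which has no meaning in a master authorized network entry; some address parsers read leading-zero octets as octal, so a value that passes the form check can resolve to a different network than the operator intended. The pattern also accepts `0.0.0.0/0` and `::/0`, which turn the allowlist into open access to the control plane endpoint while still looking like a configured restriction; consider rejecting the any-address prefixes or at least naming them in `validation:`. Keep in mind this check only runs in the deployment UI: nothing in `variables.tf` enforces the same rule, so consumers calling the module directly get no validation at all.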
@@ -306,6 +316,11 @@ spec:
network:
name: network
title: Network
regexValidation: ^[a-z]([a-z0-9-]{0,60}[a-z0-9])?$
validation: Network name must start with a lowercase letter followed by up to 62 lowercase letters, numbers, or hyphens and cannot end with a hyphen.
altDefaults:
- type: ALTERNATE_TYPE_DC
value: default
node_locations:
name: node_locations
title: Node Locations
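Review bot: The regex and the message under `network` disagree on length: `^[a-z]([a-z0-9-]{0,60}[a-z0-9])?$` allows at most 62 characters (1 + 60 + 1), while "start with a lowercase letter followed by up to 62" describes 63, which is also the Compute Engine limit for resource names (RFC 1035 labels). Change `{0,60}` to `{0,61}` so a valid 63-character network name is not rejected. Separately, pre-filling `default` through `altDefaults` nudges operators toward the auto-mode `default` network, whose auto-created firewall rules (including SSH and RDP open to any source) are far broader than a purpose-built VPC; leaving it unset makes the more secure choice the easy one.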
@@ -456,6 +471,11 @@ spec:
subnetwork:
name: subnetwork
title: Subnetwork
regexValidation: ^[a-z]([a-z0-9-]{0,60}[a-z0-9])?$
validation: Network name must start with a lowercase letter followed by up to 62 lowercase letters, numbers, or hyphens and cannot end with a hyphen.

high

The regex for the subnetwork name is incorrect. Similar to network names, GCP subnetwork names can be up to 63 characters long, but this regex restricts them to 62. The validation message is also confusing. I've suggested a corrected regex and a clearer validation message.

          regexValidation: ^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$
          validation: Must be 1-63 characters, start with a lowercase letter, contain only lowercase letters, numbers, or hyphens, and cannot end with a hyphen.

altDefaults:
- type: ALTERNATE_TYPE_DC
value: default
timeouts:
name: timeouts
title: Timeouts
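Review bot: The `validation:` message under `subnetwork` says "Network name ...", a copy-paste from the `network` entry; it should say "Subnetwork name" so the UI error points the operator at the right field. On the length point already raised: the regex allows 62 characters while the message describes 63 (one leading letter plus up to 62), so whichever limit is intended, the two need to agree, and `{0,61}` is the value that matches the 63-character Compute Engine limit.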
@@ -468,6 +488,12 @@ spec:
workload_identity_config:
name: workload_identity_config
title: Workload Identity Config
properties:
workload_pool:
name: workload_pool
title: Workload Pool
regexValidation: ^.+\.svc\.id\.goog$
validation: Workload pool must be in the format <project_id>.svc.id.goog.

high

The regex for the workload pool is too permissive. It allows any characters for the project ID part. The format for a project ID is more restrictive (6-30 characters, starting with a letter, no trailing hyphen). I've provided a stricter regex that correctly validates the project ID format within the workload pool string.

              regexValidation: ^[a-z]([-a-z0-9]{4,28}[a-z0-9])\.svc\.id\.goog$
              validation: Workload pool must be in the format <project_id>.svc.id.goog, where <project_id> is a valid GCP project ID.

runtime:
outputs:
cluster_id:
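Review bot: `^.+\.svc\.id\.goog$` is the weakest check in this file: `.+` accepts spaces, slashes and uppercase, so a typo such as `my project.svc.id.goog` passes the form and only fails at apply time. The stricter project-ID pattern suggested above is the right direction; one caveat is that even a well-formed project ID cannot be checked here against the cluster's own project, and `PROJECT_ID.svc.id.goog` for the cluster's project is the only workload pool GKE accepts. A Terraform-side cross-check in `variables.tf`, or deriving the value from the project instead of asking the operator to type it, would close that gap and remove the regex altogether.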
4 changes: 2 additions & 2 deletions modules/gke-autopilot-cluster/metadata.yaml
@@ -274,7 +274,7 @@ spec:
}))
})
- name: master_authorized_networks_config
description: The desired configuration options for master authorized networks.
description: The desired configuration options for master authorized networks. Cidr Block must follow [Cidr notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation)
varType: |-
object({
cidr_blocks = list(object({
@@ -571,9 +571,9 @@ spec:
roles:
- level: Project
roles:
- roles/iam.serviceAccountUser
- roles/compute.admin
- roles/container.admin
- roles/iam.serviceAccountUser
services:
- compute.googleapis.com
- container.googleapis.com
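Review bot: This hunk only moves `roles/iam.serviceAccountUser` to the end of the `roles` list; the set of granted roles is unchanged. If `metadata.yaml` is regenerated by tooling the reorder is harmless, otherwise it is churn that makes the permission diff harder to audit, and it should be dropped from a PR whose subject is input validation. Unrelated to the reorder but visible here: `roles/compute.admin` plus `roles/container.admin` at project level is a broad grant for a module that provisions one cluster, and is worth a follow-up to narrow.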
2 changes: 1 addition & 1 deletion modules/gke-autopilot-cluster/variables.tf
@@ -201,7 +201,7 @@ variable "master_auth" {
}

variable "master_authorized_networks_config" {
description = "The desired configuration options for master authorized networks."
description = "The desired configuration options for master authorized networks. Cidr Block must follow [Cidr notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation)"
type = object({
cidr_blocks = list(object({
display_name = string
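Review bot: The new description is documentation only; `terraform plan` still accepts any string in `cidr_block`, and the README and `metadata.yaml` changes in this PR inherit the same wording without adding enforcement. Since the module now states the rule, enforce it with a `validation` block on this variable, e.g. `condition = alltrue([for b in var.master_authorized_networks_config.cidr_blocks : can(cidrhost(b.cidr_block, 0))])` with `error_message = "Each cidr_block must be valid CIDR notation."`; `cidrhost` handles both IPv4 and IPv6 prefixes, so this rejects malformed input before anything is sent to the API. Style: write `CIDR` in capitals and end the added sentence with a period, as the surrounding descriptions do.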
2 changes: 1 addition & 1 deletion modules/gke-standard-cluster/README.md
@@ -48,7 +48,7 @@ For a module with a complete configuration of a Google Cloud Platform Kubernetes
| logging\_service | The logging service that the cluster should write logs to. Available options include `logging.googleapis.com`, `logging.googleapis.com/kubernetes`, and `none`. | `string` | `null` | no |
| maintenance\_policy | The maintenance policy to use for the cluster. | <pre>object({<br> daily_maintenance_window = optional(object({<br> start_time = optional(string)<br> }))<br> recurring_window = optional(object({<br> start_time = optional(string)<br> end_time = optional(string)<br> recurrence = optional(string)<br> }))<br> maintenance_exclusion = optional(list(object({<br> exclusion_name = optional(string)<br> start_time = optional(string)<br> end_time = optional(string)<br> exclusion_options = optional(object({<br> scope = optional(string)<br> }))<br> })))<br> })</pre> | `null` | no |
| master\_auth | The authentication information for accessing the Kubernetes master. | <pre>object({<br> client_certificate_config = optional(object({<br> issue_client_certificate = optional(bool)<br> }))<br> })</pre> | `null` | no |
| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. | <pre>object({<br> cidr_blocks = list(object({<br> display_name = string<br> cidr_block = string<br> }))<br> gcp_public_cidrs_access_enabled = optional(bool)<br> private_endpoint_enforcement_enabled = optional(bool)<br> })</pre> | n/a | yes |
| master\_authorized\_networks\_config | The desired configuration options for master authorized networks. Cidr Block must follow [Cidr notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation) | <pre>object({<br> cidr_blocks = list(object({<br> display_name = string<br> cidr_block = string<br> }))<br> gcp_public_cidrs_access_enabled = optional(bool)<br> private_endpoint_enforcement_enabled = optional(bool)<br> })</pre> | n/a | yes |
| mesh\_certificates | Configuration for the provisioning of managed mesh certificates. | <pre>object({<br> enable_certificates = optional(bool)<br> })</pre> | `null` | no |
| min\_master\_version | The minimum version of the master. GKE will auto-update the master to new versions, so this does not guarantee the master version--use the read-only master\_version field to obtain a current version. If unset, the server's default version will be used. | `string` | `null` | no |
| monitoring\_config | Monitoring configuration for the cluster. | <pre>object({<br> enable_components = optional(list(string))<br> })</pre> | `null` | no |
26 changes: 26 additions & 0 deletions modules/gke-standard-cluster/metadata.display.yaml
@@ -375,6 +375,16 @@ spec:
master_authorized_networks_config:
name: master_authorized_networks_config
title: Master Authorized Networks Config
properties:
cidr_blocks:
name: cidr_blocks
title: Cidr Blocks
properties:
cidr_block:
name: cidr_block
title: Cidr Block
regexValidation: ^((((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(3[0-2]|[12]?[0-9]))|((\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*\/(12[0-8]|1[01][0-9]|[1-9]?[0-9]))))$

medium

The regex for CIDR validation is very complex and contains an inconsistency. It allows optional whitespace (\s*) for IPv6 CIDRs, both at the beginning of the string and before the /, but not for IPv4 CIDRs. For consistency and stricter validation, it's better to remove the whitespace allowance from the IPv6 part.

                  regexValidation: ^((((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(3[0-2]|[12]?[0-9]))|((((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\/(12[0-8]|1[01][0-9]|[1-9]?[0-9]))))$

validation: Enter the valid CIDR notation.
mesh_certificates:
name: mesh_certificates
title: Mesh Certificates
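Review bot: This `regexValidation` is the same pattern the autopilot module uses, so the same gaps apply here: the IPv4 branch matches leading-zero octets (`[01]?[0-9][0-9]?` accepts `010`), the IPv6 branch accepts a `%zone` suffix that is meaningless for an authorized-network entry, and both `0.0.0.0/0` and `::/0` pass, which would expose the control plane endpoint to every source while appearing to be a configured allowlist. Rejecting the any-address prefixes, or naming them in `validation:`, is cheap here; and because this check exists only in the deployment UI, consumers using the module from Terraform directly get nothing unless `variables.tf` carries an equivalent `validation` block.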
@@ -406,6 +416,11 @@ spec:
network:
name: network
title: Network
regexValidation: ^[a-z]([a-z0-9-]{0,60}[a-z0-9])?$
validation: Network name must start with a lowercase letter followed by up to 62 lowercase letters, numbers, or hyphens and cannot end with a hyphen.
altDefaults:
- type: ALTERNATE_TYPE_DC
value: default
network_policy:
name: network_policy
title: Network Policy
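Review bot: Off-by-one between regex and message for `network`: `{0,60}` caps the name at 62 characters, but the message describes 63 ("a lowercase letter followed by up to 62"), which is the actual Compute Engine limit; use `{0,61}` so valid 63-character names pass. The `altDefaults` value of `default` also deserves a second look, since the auto-mode `default` network comes with permissive auto-created firewall rules and a pre-filled value makes it the path of least resistance for a production cluster.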
@@ -977,6 +992,11 @@ spec:
subnetwork:
name: subnetwork
title: Subnetwork
regexValidation: ^[a-z]([a-z0-9-]{0,60}[a-z0-9])?$
validation: Network name must start with a lowercase letter followed by up to 62 lowercase letters, numbers, or hyphens and cannot end with a hyphen.

high

The regex for the subnetwork name is incorrect. Similar to network names, GCP subnetwork names can be up to 63 characters long, but this regex restricts them to 62. The validation message is also confusing. I've suggested a corrected regex and a clearer validation message.

          regexValidation: ^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$
          validation: Must be 1-63 characters, start with a lowercase letter, contain only lowercase letters, numbers, or hyphens, and cannot end with a hyphen.

altDefaults:
- type: ALTERNATE_TYPE_DC
value: default
timeouts:
name: timeouts
title: Timeouts
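Review bot: The `validation:` text under `subnetwork` still reads "Network name ...", so a rejected subnetwork value produces an error that names the wrong field; change it to "Subnetwork name". The length mismatch already raised (regex allows 62, message describes 63) applies here exactly as it does to the `network` entry, and `{0,61}` is the value that matches the 63-character limit.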
@@ -989,6 +1009,12 @@ spec:
workload_identity_config:
name: workload_identity_config
title: Workload Identity Config
properties:
workload_pool:
name: workload_pool
title: Workload Pool
regexValidation: ^.+\.svc\.id\.goog$
validation: Workload pool must be in the format <project_id>.svc.id.goog.

high

The regex for the workload pool is too permissive. It allows any characters for the project ID part. The format for a project ID is more restrictive (6-30 characters, starting with a letter, no trailing hyphen). I've provided a stricter regex that correctly validates the project ID format within the workload pool string.

              regexValidation: ^[a-z]([-a-z0-9]{4,28}[a-z0-9])\.svc\.id\.goog$
              validation: Workload pool must be in the format <project_id>.svc.id.goog, where <project_id> is a valid GCP project ID.

runtime:
outputs:
cluster_id:
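Review bot: `^.+\.svc\.id\.goog$` only checks the suffix; `.+` lets whitespace, slashes and uppercase through, so the form cannot catch a malformed project ID. The stricter pattern suggested above fixes the shape, but no regex can confirm that the ID is the cluster's own project, which is the only workload pool GKE accepts (`PROJECT_ID.svc.id.goog`); consider deriving the value from the project in Terraform rather than collecting it as free text, which removes both the regex and the failure mode.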
4 changes: 2 additions & 2 deletions modules/gke-standard-cluster/metadata.yaml
@@ -359,7 +359,7 @@ spec:
}))
})
- name: master_authorized_networks_config
description: The desired configuration options for master authorized networks.
description: The desired configuration options for master authorized networks. Cidr Block must follow [Cidr notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation)
varType: |-
object({
cidr_blocks = list(object({
@@ -1013,9 +1013,9 @@ spec:
roles:
- level: Project
roles:
- roles/iam.serviceAccountUser
- roles/compute.admin
- roles/container.admin
- roles/iam.serviceAccountUser
services:
- compute.googleapis.com
- container.googleapis.com
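Review bot: Pure reorder: `roles/iam.serviceAccountUser` moves to the end of the list and no role is added or removed. Unless this file is regenerated by tooling, the reorder adds noise to a validation-focused PR and makes the permission history harder to audit; drop it or call it out in the commit message.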
2 changes: 1 addition & 1 deletion modules/gke-standard-cluster/variables.tf
@@ -309,7 +309,7 @@ variable "master_auth" {
}

variable "master_authorized_networks_config" {
description = "The desired configuration options for master authorized networks."
description = "The desired configuration options for master authorized networks. Cidr Block must follow [Cidr notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation)"
type = object({
cidr_blocks = list(object({
display_name = string
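Review bot: As with the autopilot variable, the description change documents the CIDR requirement without enforcing it; a `validation` block such as `condition = alltrue([for b in var.master_authorized_networks_config.cidr_blocks : can(cidrhost(b.cidr_block, 0))])` makes `terraform plan` reject malformed entries for every consumer, not just users of the deployment UI. Please also write `CIDR` in capitals and terminate the sentence with a period to match the other descriptions in this file.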