fix: avoid auto_provisioning_defaults drift

[michaellzc]

fixes #1596

This PR added two new optional fields to var.cluster_autoscaling, enable_secure_boot=false, and enable_integrity_monitoring=true.

design decisions:

• enable_integrity_monitoring defaults to true, which is what other places are using
• enable_secure_boot defaults to false, which is what other places are using
• I decided not to reuse attribute from lookup(var.node_pools[0], "enable_integrity_monitoring", true), similar pattern was used for auto_provisioning_defaults.oauth_scopes, and it was actually a surprise to me. It's better to give users more control over it.

Why not just let provider to decide this optional field?

Since some google provider version ago, cluster in this module with NAP enabled will result in infinite drift, and GCP may or may not decided to update the cluster (it's unpredictable)

  # module.gke_self_15C14BFE.google_container_cluster.primary will be updated in-place
  ~ resource "google_container_cluster" "primary" {
        id                          = "projects/<redacted>/locations/us-central1/clusters/<redacted>"
        name                        = "<redacted>"
        # (31 unchanged attributes hidden)

      ~ cluster_autoscaling {
            # (2 unchanged attributes hidden)

          ~ auto_provisioning_defaults {
                # (5 unchanged attributes hidden)

              - shielded_instance_config {
                  - enable_integrity_monitoring = true -> null
                  - enable_secure_boot          = false -> null
                }

                # (2 unchanged blocks hidden)
            }

            # (2 unchanged blocks hidden)
        }

        # (27 unchanged blocks hidden)
    }

Test:

Using our own fork with this patch https://github.com/michaellzc/terraform-google-kubernetes-engine/tree/fork-26-1-1,

terraform plan no longer showed any drift at auto_provisioning_defaults .shielded_instance_config.

[michaellzc]

the default values for optional needs to be provided in the modifier, otherwise, terraform will still require the attribute.

[github-actions]

This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

[michaellzc]

renew

[github-actions]

This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

[michaellzc]

renew

[github-actions]

This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

[apeabody]

Thanks for the contribution @michaellzc!

Can you please rebase/re-build, and we'll get a fresh run of the CI tests.

[michaellzc]

Thanks for the contribution @michaellzc!

Can you please rebase/re-build, and we'll get a fresh run of the CI tests.

@apeabody
It's done. Would you kick off Google's internal CI?

[apeabody]

/gcbrun

stale review

[michaellzc]

Thanks for the contribution @michaellzc!
Can you please rebase/re-build, and we'll get a fresh run of the CI tests.

@apeabody It's done. Would you kick off Google's internal CI?

@apeabody Thank you.

All CI checks pass now. Is there anything I can do to help move things forward?

[apeabody]

Thanks for the contribution @michaellzc!

enable_secure_boot = false and enable_integrity_monitoring = true matches TPG defaults, and are GA in minimum TPG version constraint