Skip to content

fix: handle null secondary_ip_range in cluster_alias_ranges_cidr#2581

Open
raman1236 wants to merge 2 commits into
terraform-google-modules:mainfrom
raman1236:fix/null-secondary-ip-range-564
Open

fix: handle null secondary_ip_range in cluster_alias_ranges_cidr#2581
raman1236 wants to merge 2 commits into
terraform-google-modules:mainfrom
raman1236:fix/null-secondary-ip-range-564

Conversation

@raman1236

Copy link
Copy Markdown

Description

Fixes #564

When using add_cluster_firewall_rules=true and performing terraform destroy, or when the subnetwork data source returns null secondary_ip_range, Terraform fails with:

Error: Iteration over null value

A null value cannot be used as the collection in a 'for' expression.

Root Cause

The cluster_alias_ranges_cidr local iterates over data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range directly. During destroy operations (or certain edge cases), this value can be null instead of an empty list, causing the error.

Solution

This fix uses coalesce() to default null secondary_ip_range to an empty list:

# Before
cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}

# After  
cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(coalesce(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range, [])) : range.range_name => range.ip_cidr_range } : {}

Affected Modules

Applied the fix consistently across all modules that use this pattern:

  • Root module
  • beta-private-cluster-update-variant
  • private-cluster
  • beta-public-cluster
  • beta-private-cluster
  • beta-autopilot-public-cluster
  • beta-autopilot-private-cluster
  • private-cluster-update-variant
  • beta-public-cluster-update-variant

Testing

  • The fix is backward compatible - when secondary_ip_range is not null, behavior is identical
  • When null, returns empty map instead of error
  • No configuration changes required for users

@google-cla

google-cla Bot commented Apr 30, 2026

Copy link
Copy Markdown

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request enhances several GKE modules by adding the coalesce function to handle potential null values in secondary_ip_range and refactoring logging_config logic to use a new logging_config_is_set local variable. These changes ensure more reliable resource creation and clearer conditional logic for logging components. I have no feedback to provide.

@raman1236
raman1236 force-pushed the fix/null-secondary-ip-range-564 branch from c4aa6d0 to 3676f68 Compare May 16, 2026 21:39
@apeabody

Copy link
Copy Markdown
Contributor

/gcbrun

@raman1236
raman1236 force-pushed the fix/null-secondary-ip-range-564 branch 2 times, most recently from 8fe444c to edaaf44 Compare May 30, 2026 18:06
Fixes terraform-google-modules#564

When using add_cluster_firewall_rules=true and performing terraform destroy,
or when the subnetwork data source returns null secondary_ip_range, Terraform
fails with 'A null value cannot be used as the collection in a for expression.'

This fix uses coalesce() to default null secondary_ip_range to an empty list,
preventing the error during destroy operations and edge cases where the
subnetwork might not have secondary IP ranges available.

Affected modules:
- main root module
- beta-private-cluster-update-variant
- private-cluster
- beta-public-cluster
- beta-private-cluster
- beta-autopilot-public-cluster
- beta-autopilot-private-cluster
- private-cluster-update-variant
- beta-public-cluster-update-variant
@raman1236
raman1236 force-pushed the fix/null-secondary-ip-range-564 branch from edaaf44 to 939b50f Compare May 30, 2026 18:10
@apeabody

apeabody commented Jun 1, 2026

Copy link
Copy Markdown
Contributor

/gcbrun

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

A null value cannot be used as the collection in a 'for' expression.

2 participants