Commit 26c48f8

Upgrade guide: Rework taint model in GKE (#9010) (#6352)
Signed-off-by: Modular Magician <[email protected]>
1 parent ba239aa commit 26c48f8

2 files changed (+89, -1 lines changed)

.changelog/9010.txt

+2
@@ -0,0 +1,2 @@
1+
```release-note:none
2+
```

website/docs/guides/version_5_upgrade.html.markdown

+87-1
@@ -326,6 +326,50 @@ deleted.
326326
This behavior was changed to allow users to collect internal logs from the
327327
cluster and/or manually resolve the issues and untaint their failed clusters.
328328

329+
### `node_config.0.taint` and `node_pool.0.node_config.0.taint` field change
330+
331+
The `taint` field has been changed to manage a subset of the taint keys on a node pool
332+
and the `effective_taints` output field has been added to record the complete set of
333+
taints applied to the node pool by GKE.
334+
335+
Previously, the field was authoritative and would require every taint on the node pool
336+
to be recorded, causing friction when users used GPUs or configured sandbox settings,
337+
actions which added taints. After this change, only "Terraform-managed" taints will be
338+
managed by the `taint` field. Other taints, including new taints injected by the
339+
server, will not have drift detected.
340+
341+
Currently, the set of managed taints and their values are immutable in Terraform, and
342+
any changes will cause a recreate to be planned. However, taints can be unmanaged by
343+
simultaneously removing the taint entry from GKE and your Terraform configuration at
344+
the same time.
345+
346+
The set of taints Terraform manages (and their values) will be determined based on
347+
how the cluster or node pool resource was added to your Terraform state file:
348+
349+
* If you created the cluster or node pool with Terraform with Google provider 5.0.0
350+
or later, the set of taints specified during resource creation will be managed.
351+
* If you imported the cluster or node pool with Google provider 5.0.0 or later, no
352+
taints will be managed by Terraform
353+
* If you upgraded from an earlier version, the complete set of taint values applied to the
354+
node pool at the time of your last refresh will be managed by Terraform
355+
356+
Most existing configurations will not be affected with this change as they already specify
357+
the whole set of managed taints, or are already ignoring changes with `lifecycle.ignore_changes`,
358+
preventing a diff.
359+
360+
A limited number of users may see a diff if they are using the `google-beta` provider
361+
and have specified a `sandbox_config` value. If that's the case, you can safely add the
362+
proposed value to configuration (below) or apply `lifecycle.ignore_changes` to the field to resolve.
363+
364+
365+
```diff
366+
+ taint {
367+
+ key = "sandbox.gke.io/runtime"
368+
+ value = "gvisor"
369+
+ effect = "NO_SCHEDULE"
370+
+ }
371+
```
372+
329373
### `enable_binary_authorization` is now removed
330374

331375
`enable_binary_authorization` has been removed in favor of `binary_authorization.enabled`.
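Review bot: the paragraph that ends "Other taints, including new taints injected by the server, will not have drift detected." should tell readers who relied on the old authoritative behaviour how they can still observe taints added outside Terraform. The same hunk introduces `effective_taints` as "the complete set of taints applied to the node pool by GKE", so one sentence pointing at that output (for example, reviewing it after apply, or asserting on it from a Terraform `check` block) would close the gap between "drift is no longer detected" and "here is where the full set is recorded". Two smaller points in the same text: "taints can be unmanaged by simultaneously removing the taint entry from GKE and your Terraform configuration at the same time" says the same thing twice, so drop either "simultaneously" or "at the same time"; and the second and third bullets ("no taints will be managed by Terraform", "will be managed by Terraform") lack the trailing period the first bullet has.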
@@ -335,7 +379,6 @@ cluster and/or manually resolve the issues and untaint their failed clusters.
335379
Previously `network_policy.provider` defaulted to "PROVIDER_UNSPECIFIED". It no longer
336380
has a default value.
337381

338-
339382
## Resource: `google_container_node_pool`
340383

341384
### `logging_variant` no longer has a provider default value
@@ -346,6 +389,49 @@ Previously `logging_variant` defaulted to "DEFAULT". It no longer has a default
346389

347390
Previously both fields defaulted to false. They now default to true.
348391

392+
### `node_config.0.taint` field change
393+
394+
The `taint` field has been changed to manage a subset of the taint keys on a node pool
395+
and the `effective_taints` output field has been added to record the complete set of
396+
taints applied to the node pool by GKE.
397+
398+
Previously, the field was authoritative and would require every taint on the node pool
399+
to be recorded, causing friction when users used GPUs or configured sandbox settings,
400+
actions which added taints. After this change, only "Terraform-managed" taints will be
401+
managed by the `taint` field. Other taints, including new taints injected by the
402+
server, will not have drift detected.
403+
404+
Currently, the set of managed taints and their values are immutable in Terraform, and
405+
any changes will cause a recreate to be planned. However, taints can be unmanaged by
406+
simultaneously removing the taint entry from GKE and your Terraform configuration at
407+
the same time.
408+
409+
The set of taints Terraform manages (and their values) will be determined based on
410+
how the cluster or node pool resource was added to your Terraform state file:
411+
412+
* If you created the cluster or node pool with Terraform with Google provider 5.0.0
413+
or later, the set of taints specified during resource creation will be managed.
414+
* If you imported the cluster or node pool with Google provider 5.0.0 or later, no
415+
taints will be managed by Terraform
416+
* If you upgraded from an earlier version, the complete set of taint values applied to the
417+
node pool at the time of your last refresh will be managed by Terraform
418+
419+
Most existing configurations will not be affected with this change as they already specify
420+
the whole set of managed taints, or are already ignoring changes with `lifecycle.ignore_changes`,
421+
preventing a diff.
422+
423+
A limited number of users may see a diff if they are using the `google-beta` provider
424+
and have specified a `sandbox_config` value. If that's the case, you can safely add the
425+
proposed value to configuration (below) or apply `lifecycle.ignore_changes` to the field to resolve.
426+
427+
428+
```diff
429+
+ taint {
430+
+ key = "sandbox.gke.io/runtime"
431+
+ value = "gvisor"
432+
+ effect = "NO_SCHEDULE"
433+
+ }
434+
```
349435

350436
## Resource: `google_dataplex_datascan`
351437

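Review bot: this section repeats the cluster-resource section added earlier in the same patch word for word, from "The `taint` field has been changed to manage a subset of the taint keys on a node pool" through the `sandbox.gke.io/runtime` diff. Duplicated guidance tends to drift apart over later edits, so consider keeping the full explanation in one place and linking to it from the other resource, or at least applying the same wording fixes (the redundant "simultaneously ... at the same time", the missing periods on bullets two and three, and a pointer to `effective_taints` for spotting taints added outside Terraform) in both copies. The heading here names only `node_config.0.taint`, yet the body still says "how the cluster or node pool resource was added to your Terraform state file"; in the `google_container_node_pool` section "how the node pool resource was added" reads more precisely.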