
We are creating a GKE cluster using Terraform module and then deploying Istio on top of it using modules. But before deploying Istio we need to update the gke-<cluster-name>-<cluster-hash>-master firewall rule which is automatically created with the cluster, to open ports 15017 and 15021 to the target nodes. Is there a way to do it natively via terraform i.e. after creating the GKE cluster, the same terraform template should be able to update the firewall rules subsequently?

We are facing challenges to fetch and create strings locally for the below:

Master firewall rule name - gke-cluster-b00977fd-master

Target node tags - gke-cluster-b00977fd-node

If we are able to create these strings then we will be able to update or create a desired firewall rule.

Nitin G

1 Answer


It appears to be the first 8 characters of the cluster's ID.

I assume you can craft either of the following commands in the form of a Terraform script:

PROJECT="[YOUR-PROJECT]"
LOCATION="[CLUSTER-LOCATION]"
CLUSTER="[CLUSTER-NAME]"

And:

# Fetch the cluster's ID and keep its first 8 characters
HASH=$(\
  gcloud container clusters describe ${CLUSTER} \
    --project=${PROJECT} \
    --zone=${LOCATION} \
    --format="value(id)") && \
HASH=${HASH:0:8} && \
echo ${HASH}

Or:

NAME="projects/${PROJECT}/locations/${LOCATION}/clusters/${CLUSTER}"

# Same lookup via the Container API; the jq filter is quoted so the shell
# does not treat the brackets as a glob pattern
HASH=$(\
  curl \
    --silent \
    --header "Authorization: Bearer $(gcloud auth print-access-token)" \
    --header 'Accept: application/json' \
    --compressed \
    https://container.googleapis.com/v1/${NAME} \
  | jq -r '.id[:8]') && \
echo ${HASH}

NOTE It's hacky and Google could revise this approach. I'm surprised that this isn't already solved by Istio deployments given that Google's a contributor and provides a way to deploy Istio to GKE.

DazWilkin
  • Hey, @Daz thank you for your suggestion it worked as expected and yes, it sounds hacky that's why now we would like to create a separate tag for all the nodes in the node pool via terraform and apply it in the separate firewall rule rather than updating the master rule which was auto-created with the GKE cluster. That way we can be future proof even if GCP revise its approach. – Nitin G Jun 09 '22 at 06:14
  • You're welcome! That sounds like a good solution to this problem – DazWilkin Jun 09 '22 at 14:17
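The two approaches discussed in this thread, written out as an added Terraform example (this is not code from the question, the answer, or any Istio or Google module): an `external` data source that runs the `gcloud` lookup from the answer to reconstruct the auto-created `gke-<name>-<hash>-master` rule name, and the comment's preferred alternative of tagging the node pool yourself and opening 15017/15021 in a separate rule whose source range is the control plane CIDR. Assumptions: a private zonal cluster named `cluster`, the variables `project`, `location` and `network`, the node tag `istio-node`, and a `bash` with `gcloud` on the machine running Terraform.

```hcl
terraform {
  required_providers {
    google   = { source = "hashicorp/google" }
    external = { source = "hashicorp/external" }
  }
}

# Assumed inputs (not from the original posts)
variable "project" {}
variable "location" {} # a zone, to match the answer's --zone flag
variable "network" {}

resource "google_container_cluster" "primary" {
  name                     = "cluster"
  project                  = var.project
  location                 = var.location
  network                  = var.network
  remove_default_node_pool = true
  initial_node_count       = 1

  # Private cluster so the control plane CIDR is known to Terraform
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }
  ip_allocation_policy {}
}

# Preferred approach from the comments: a tag we control, so the rule does
# not depend on the auto-generated hash in gke-<name>-<hash>-node.
resource "google_container_node_pool" "primary" {
  name       = "primary"
  project    = var.project
  location   = var.location
  cluster    = google_container_cluster.primary.name
  node_count = 1

  node_config {
    machine_type = "e2-standard-4"
    tags         = ["istio-node"] # assumed tag name
  }
}

# Separate, narrowly scoped rule: only the control plane range, only the
# two Istio webhook/readiness ports named in the question, only tagged nodes.
resource "google_compute_firewall" "istio_control_plane" {
  name      = "gke-${google_container_cluster.primary.name}-istio-webhooks"
  project   = var.project
  network   = var.network
  direction = "INGRESS"

  source_ranges = [
    google_container_cluster.primary.private_cluster_config[0].master_ipv4_cidr_block
  ]
  target_tags = ["istio-node"]

  allow {
    protocol = "tcp"
    ports    = ["15017", "15021"]
  }
}

# The "hacky" approach from the answer, if you still need the generated
# names: run gcloud after the cluster exists and take the first 8 characters
# of its id. Interpolating the cluster name creates the dependency ordering.
data "external" "cluster_hash" {
  program = ["bash", "-c", <<-EOT
    set -euo pipefail
    id=$(gcloud container clusters describe ${google_container_cluster.primary.name} \
      --project=${var.project} --zone=${var.location} --format="value(id)")
    printf '{"hash":"%s"}' "$${id:0:8}"
  EOT
  ]
}

output "master_firewall_rule_name" {
  value = "gke-${google_container_cluster.primary.name}-${data.external.cluster_hash.result.hash}-master"
}

output "node_target_tag" {
  value = "gke-${google_container_cluster.primary.name}-${data.external.cluster_hash.result.hash}-node"
}
```

The tagged rule is the one to keep long term: it is authored and reviewed in the same plan as the cluster, its source range is the control plane CIDR rather than `0.0.0.0/0`, and nothing in it changes if Google alters how the auto-created rule names are derived. The `external` data source is there only to reproduce the answer's lookup when the generated names are needed for comparison or for a one-off update.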