Creating a private cluster in GKE, terraform vs console

According to Google Cloud Platform documentation here, it should be possible to have both private and public endpoints, and the master_authorized_networks_config argument should have networks which can reach either of those endpoints.

If setting the enable_private_endpoint argument to false means that the private endpoint is created, but it also creates the public endpoint, then that is a horribly mis-named argument; enable_private_endpoint is actually flipping the public endpoint off and on, not the private one. Apparently, specifying a private_cluster_config is sufficient to enable the private endpoint, and the flag toggles the public endpoint, if reported behavior is to be believed.

That is certainly the experience that I had: specifying my local IP address in the master_authorized_networks_config caused cluster creation to fail when enable_private_endpoint is true. When I set it to false, I get both endpoints and the config. is not rejected.

I've had the same issue recently.

The solution I found is to set the enable_private_endpoint = false.

In this case the private endpoint created anyway, but you are allowed to add CIDR with external addresses to master authorized networks.

master_authorized_networks_config {
}

private_cluster_config {
  enable_private_endpoint = true
  enable_private_nodes    = true
  master_ipv4_cidr_block  = "<cidr>"
}

Should create the private_end_point and it won't complain about Invalid master authorized networks. The one you tried, is passing up the external CIDR for the whitelist to access the public endpoint while at the same time you want it to be strictly private.