diff --git a/modules/gke-cluster-autopilot/README.md b/modules/gke-cluster-autopilot/README.md
index ac8cfe8af..37c11fe1a 100644
--- a/modules/gke-cluster-autopilot/README.md
+++ b/modules/gke-cluster-autopilot/README.md
@@ -272,7 +272,7 @@ module "cluster-1" {
 | [name](variables.tf#L226) | Cluster name. | string | ✓ | |
 | [project_id](variables.tf#L258) | Cluster project ID. | string | ✓ | |
 | [vpc_config](variables.tf#L274) | VPC-level configuration. | object({…}) | ✓ | |
-| [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | object({…}) | | {} |
+| [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | object({…}) | | {} |
 | [backup_configs](variables.tf#L43) | Configuration for Backup for GKE. | object({…}) | | {} |
 | [deletion_protection](variables.tf#L64) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | bool | | true |
 | [description](variables.tf#L71) | Cluster description. | string | | null |
diff --git a/modules/gke-cluster-autopilot/main.tf b/modules/gke-cluster-autopilot/main.tf
index 85e7c629a..9b772a841 100644
--- a/modules/gke-cluster-autopilot/main.tf
+++ b/modules/gke-cluster-autopilot/main.tf
@@ -218,7 +218,7 @@ resource "google_container_cluster" "cluster" {
 gcp_public_cidrs_access_enabled = try(var.access_config.ip_access.gcp_public_cidrs_access_enabled, null)
 dynamic "cidr_blocks" {
- for_each = try(var.access_config.ip_access.authorized_ranges, {})
+ for_each = coalesce(var.access_config.ip_access.authorized_ranges, {})
 iterator = range
 content {
 cidr_block = range.value
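Review bot: The new `for_each = coalesce(var.access_config.ip_access.authorized_ranges, {})` dereferences `ip_access` unconditionally, while the `try()` it replaces tolerated a null `ip_access`, and the `gcp_public_cidrs_access_enabled = try(...)` line two lines above still guards for exactly that case, so the two lines now disagree about whether `ip_access` can be null at this point. If the enclosing `master_authorized_networks_config` block (which starts outside this hunk) is only emitted when `ip_access != null`, the `coalesce` is fine and the remaining `try()` is the stale one; if it is not, a module call without `ip_access` now fails at plan time with an attribute-on-null error instead of producing an empty block. I would make the invariant explicit with a comment on the `dynamic "cidr_blocks"` line, `# ip_access is non-null here: the enclosing block is only emitted when it is set`, or otherwise keep the `try()` wrapper around the `coalesce`. The same hunk appears in `modules/gke-cluster-standard/main.tf` at `@@ -404,7 +404,7 @@`.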
@@ -282,11 +282,12 @@ resource "google_container_cluster" "cluster" {
 for_each = var.access_config.private_nodes == true ? [""] : []
 content {
 enable_private_nodes = true
- enable_private_endpoint = try(
- var.access_config.ip_access.disable_public_endpoint,
- # this should be null, but when ip_access is disabled, the API
- # returns true. We return true to avoid a permadiff
- true
+ enable_private_endpoint = (
+ var.access_config.ip_access == null
+ # when ip_access is disabled, the API returns true. We return
+ # true to avoid a permadiff
+ ? true
+ : try(var.access_config.ip_access.disable_public_endpoint, null)
 )
 private_endpoint_subnetwork = try(
 var.access_config.ip_access.private_endpoint_config.endpoint_subnetwork,
diff --git a/modules/gke-cluster-autopilot/variables.tf b/modules/gke-cluster-autopilot/variables.tf
index 83da6e385..1225ea9ef 100644
--- a/modules/gke-cluster-autopilot/variables.tf
+++ b/modules/gke-cluster-autopilot/variables.tf
@@ -19,13 +19,13 @@ variable "access_config" {
 type = object({
 dns_access = optional(bool, true)
 ip_access = optional(object({
- authorized_ranges = optional(map(string), {})
- disable_public_endpoint = optional(bool, true)
- gcp_public_cidrs_access_enabled = optional(bool, false)
+ authorized_ranges = optional(map(string))
+ disable_public_endpoint = optional(bool)
+ gcp_public_cidrs_access_enabled = optional(bool)
 private_endpoint_config = optional(object({
 endpoint_subnetwork = optional(string)
 global_access = optional(bool, true)
- }), {})
+ }))
 }))
 private_nodes = optional(bool, true)
 })
diff --git a/modules/gke-cluster-standard/README.md b/modules/gke-cluster-standard/README.md
index 9b6d961a2..f79d0be80 100644
--- a/modules/gke-cluster-standard/README.md
+++ b/modules/gke-cluster-standard/README.md
@@ -47,10 +47,6 @@ module "cluster-1" {
 authorized_ranges = {
 internal-vms = "10.0.0.0/8"
 }
- # disable_public_endpoint = true
- # private_endpoint_config = {
- # global_access = true
- # }
 }
 # private_nodes = true
 }
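Review bot: The new false branch `: try(var.access_config.ip_access.disable_public_endpoint, null)` yields `null` whenever a caller sets `ip_access` without `disable_public_endpoint`, and `null` hands the decision to the provider/API default, which as far as I know is a public control-plane endpoint (`enable_private_endpoint = false`); before this change that attribute defaulted to `true`, so the quiet default moves from a private endpoint to a public one. The plan fixtures in this diff show the shift (`enable_private_endpoint: true` becoming `null` in basic.yaml and access-private.yaml). The `try()` is also redundant here: in this branch `ip_access` is known non-null and `disable_public_endpoint` is a declared optional attribute, so `: var.access_config.ip_access.disable_public_endpoint` reads the same value without masking a typo in the attribute name. I would extend the inline comment to state the new behaviour, `# null defers to the API default (public endpoint); set disable_public_endpoint explicitly to pin it`. The enclosing `private_cluster_config` dynamic block starts outside this hunk, and the same hunk appears in `modules/gke-cluster-standard/main.tf` at `@@ -485,11 +485,12 @@`.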
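Review bot: Dropping the defaults on `disable_public_endpoint` (was `true`) and `gcp_public_cidrs_access_enabled` (was `false`), and the `{}` default on `private_endpoint_config` (which made `global_access = true` take effect), changes the module's default access posture for every caller that sets `ip_access` but not these fields: the values now fall through to provider/API defaults, which appear to be less restrictive than the previous module defaults, and nothing in this diff documents that. The `access_config` description reproduced in the README hunks (`Control plane endpoint and nodes access configurations.`) is unchanged, and the fixtures show the effect (`enable_private_endpoint` becoming `null`, `master_global_access_config` disappearing, `gcp_public_cidrs_access_enabled: false` disappearing from access-private.yaml). I would state it in the variable description, e.g. `description = "Control plane endpoint and nodes access configurations. Unset ip_access attributes defer to the API defaults, which may be less restrictive than the previous module defaults."`, and consider a `validation` block requiring `disable_public_endpoint` to be set explicitly when `ip_access` is given. The same hunk appears in `modules/gke-cluster-standard/variables.tf`.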
@@ -86,7 +82,8 @@ module "cluster-1" {
 authorized_ranges = {
 "corporate proxy" = "8.8.8.8/32"
 }
- disable_public_endpoint = false
+ gcp_public_cidrs_access_enabled = false
+ disable_public_endpoint = false
 }
 private_nodes = false
 }
@@ -117,13 +114,13 @@ module "cluster-1" {
 name = "cluster-1"
 location = "europe-west1-b"
 access_config = {
- dns_access = false
- gcp_public_cidrs_access_enabled = true
+ dns_access = false
 ip_access = {
 authorized_ranges = {
 internal-vms = "10.0.0.0/8"
 }
- disable_public_endpoint = false
+ gcp_public_cidrs_access_enabled = true
+ disable_public_endpoint = false
 }
 private_nodes = false
 }
@@ -154,13 +151,6 @@ module "cluster-1" {
 name = "cluster-1"
 location = "europe-west1"
 node_locations = ["europe-west1-b"]
- access_config = {
- ip_access = {
- authorized_ranges = {
- internal-vms = "10.0.0.0/8"
- }
- }
- }
 vpc_config = {
 network = var.vpc.self_link
 subnetwork = var.subnet.self_link
@@ -500,7 +490,7 @@ module "cluster-1" {
 | [name](variables.tf#L382) | Cluster name. | string | ✓ | |
 | [project_id](variables.tf#L416) | Cluster project id. | string | ✓ | |
 | [vpc_config](variables.tf#L427) | VPC-level configuration. | object({…}) | ✓ | |
-| [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | object({…}) | | {} |
+| [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | object({…}) | | {} |
 | [backup_configs](variables.tf#L43) | Configuration for Backup for GKE. | object({…}) | | {} |
 | [cluster_autoscaling](variables.tf#L65) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | object({…}) | | null |
 | [default_nodepool](variables.tf#L145) | Enable default nodepool. | object({…}) | | {} |
diff --git a/modules/gke-cluster-standard/main.tf b/modules/gke-cluster-standard/main.tf
index 2ea4515c7..f2cb8a087 100644
--- a/modules/gke-cluster-standard/main.tf
+++ b/modules/gke-cluster-standard/main.tf
@@ -404,7 +404,7 @@ resource "google_container_cluster" "cluster" {
 gcp_public_cidrs_access_enabled = try(var.access_config.ip_access.gcp_public_cidrs_access_enabled, null)
 dynamic "cidr_blocks" {
- for_each = try(var.access_config.ip_access.authorized_ranges, {})
+ for_each = coalesce(var.access_config.ip_access.authorized_ranges, {})
 iterator = range
 content {
 cidr_block = range.value
@@ -485,11 +485,12 @@ resource "google_container_cluster" "cluster" {
 for_each = var.access_config.private_nodes == true ? [""] : []
 content {
 enable_private_nodes = true
- enable_private_endpoint = try(
- var.access_config.ip_access.disable_public_endpoint,
- # this should be null, but when ip_access is disabled, the API
- # returns true. We return true to avoid a permadiff
- true
+ enable_private_endpoint = (
+ var.access_config.ip_access == null
+ # when ip_access is disabled, the API returns true. We return
+ # true to avoid a permadiff
+ ? true
+ : try(var.access_config.ip_access.disable_public_endpoint, null)
 )
 private_endpoint_subnetwork = try(
 var.access_config.ip_access.private_endpoint_config.endpoint_subnetwork,
diff --git a/modules/gke-cluster-standard/variables.tf b/modules/gke-cluster-standard/variables.tf
index c2c989065..35009974f 100644
--- a/modules/gke-cluster-standard/variables.tf
+++ b/modules/gke-cluster-standard/variables.tf
@@ -19,13 +19,13 @@ variable "access_config" {
 type = object({
 dns_access = optional(bool, true)
 ip_access = optional(object({
- authorized_ranges = optional(map(string), {})
- disable_public_endpoint = optional(bool, true)
- gcp_public_cidrs_access_enabled = optional(bool, false)
+ authorized_ranges = optional(map(string))
+ disable_public_endpoint = optional(bool)
+ gcp_public_cidrs_access_enabled = optional(bool)
 private_endpoint_config = optional(object({
 endpoint_subnetwork = optional(string)
 global_access = optional(bool, true)
- }), {})
+ }))
 }))
 private_nodes = optional(bool, true)
 })
diff --git a/tests/modules/gke_cluster_autopilot/examples/access-google.yaml b/tests/modules/gke_cluster_autopilot/examples/access-google.yaml
index 5ce9fd4c4..04d1ac2a7 100644
--- a/tests/modules/gke_cluster_autopilot/examples/access-google.yaml
+++ b/tests/modules/gke_cluster_autopilot/examples/access-google.yaml
@@ -50,6 +50,7 @@ values:
 - enabled: true
 deletion_protection: true
 description: null
+ disable_l4_lb_firewall_reconciliation: false
 dns_config: []
 effective_labels:
 environment: dev
@@ -100,12 +101,16 @@ values:
 network: projects/xxx/global/networks/aaa
 network_policy: []
 networking_mode: VPC_NATIVE
+ node_pool_auto_config:
+ - linux_node_config: []
+ network_tags: []
+ node_kubelet_config:
+ - insecure_kubelet_readonly_port_enabled: 'TRUE'
+ resource_manager_tags: null
 pod_security_policy_config: []
 private_cluster_config:
- - enable_private_endpoint: true
+ - enable_private_endpoint: null
 enable_private_nodes: true
- master_global_access_config:
- - enabled: true
 private_endpoint_subnetwork: null
 project: myproject
 release_channel:
diff --git a/tests/modules/gke_cluster_autopilot/examples/basic.yaml b/tests/modules/gke_cluster_autopilot/examples/basic.yaml
index 845e89a57..3e7bba989 100644
--- a/tests/modules/gke_cluster_autopilot/examples/basic.yaml
+++ b/tests/modules/gke_cluster_autopilot/examples/basic.yaml
@@ -50,6 +50,7 @@ values:
 - enabled: true
 deletion_protection: true
 description: null
+ disable_l4_lb_firewall_reconciliation: false
 dns_config: []
 effective_labels:
 environment: dev
@@ -89,7 +90,6 @@ values:
 - cidr_blocks:
 - cidr_block: 10.0.0.0/8
 display_name: internal-vms
- gcp_public_cidrs_access_enabled: false
 min_master_version: null
 monitoring_config:
 - enable_components:
@@ -100,12 +100,16 @@ values:
 network: projects/xxx/global/networks/aaa
 network_policy: []
 networking_mode: VPC_NATIVE
+ node_pool_auto_config:
+ - linux_node_config: []
+ network_tags: []
+ node_kubelet_config:
+ - insecure_kubelet_readonly_port_enabled: 'TRUE'
+ resource_manager_tags: null
 pod_security_policy_config: []
 private_cluster_config:
- - enable_private_endpoint: true
+ - enable_private_endpoint: null
 enable_private_nodes: true
- master_global_access_config:
- - enabled: true
 private_endpoint_subnetwork: null
 project: myproject
 release_channel:
diff --git a/tests/modules/gke_cluster_standard/examples/access-google.yaml b/tests/modules/gke_cluster_standard/examples/access-google.yaml
index 6480b86ce..6dd745444 100644
--- a/tests/modules/gke_cluster_standard/examples/access-google.yaml
+++ b/tests/modules/gke_cluster_standard/examples/access-google.yaml
@@ -56,6 +56,7 @@ values:
 default_max_pods_per_node: 32
 deletion_protection: true
 description: null
+ disable_l4_lb_firewall_reconciliation: false
 dns_config: []
 effective_labels:
 environment: dev
@@ -94,7 +95,7 @@ values:
 - cidr_blocks:
 - cidr_block: 10.0.0.0/8
 display_name: internal-vms
- gcp_public_cidrs_access_enabled: false
+ gcp_public_cidrs_access_enabled: true
 min_master_version: null
 monitoring_config:
 - enable_components:
@@ -112,6 +113,7 @@ values:
 ephemeral_storage_config: []
 ephemeral_storage_local_ssd_config: []
 fast_socket: []
+ flex_start: null
 gvnic: []
 host_maintenance_policy: []
 linux_node_config: []
@@ -135,6 +137,7 @@ values:
 - containerd_config: []
 gcfs_config:
 - enabled: false
+ insecure_kubelet_readonly_port_enabled: 'TRUE'
 pod_security_policy_config: []
 private_cluster_config: []
 project: myproject
diff --git a/tests/modules/gke_cluster_standard/examples/access-private.yaml b/tests/modules/gke_cluster_standard/examples/access-private.yaml
index 26b5817d8..dfe998a62 100644
--- a/tests/modules/gke_cluster_standard/examples/access-private.yaml
+++ b/tests/modules/gke_cluster_standard/examples/access-private.yaml
@@ -56,6 +56,7 @@ values:
 default_max_pods_per_node: 32
 deletion_protection: true
 description: null
+ disable_l4_lb_firewall_reconciliation: false
 dns_config: []
 effective_labels:
 environment: dev
@@ -94,7 +95,6 @@ values:
 - cidr_blocks:
 - cidr_block: 10.0.0.0/8
 display_name: internal-vms
- gcp_public_cidrs_access_enabled: false
 min_master_version: null
 monitoring_config:
 - enable_components:
@@ -112,6 +112,7 @@ values:
 ephemeral_storage_config: []
 ephemeral_storage_local_ssd_config: []
 fast_socket: []
+ flex_start: null
 gvnic: []
 host_maintenance_policy: []
 linux_node_config: []
@@ -135,12 +136,11 @@ values:
 - containerd_config: []
 gcfs_config:
 - enabled: false
+ insecure_kubelet_readonly_port_enabled: 'TRUE'
 pod_security_policy_config: []
 private_cluster_config:
- - enable_private_endpoint: true
+ - enable_private_endpoint: null
 enable_private_nodes: true
- master_global_access_config:
- - enabled: true
 private_endpoint_subnetwork: null
 project: myproject
 remove_default_node_pool: true
diff --git a/tests/modules/gke_cluster_standard/examples/access-public.yaml b/tests/modules/gke_cluster_standard/examples/access-public.yaml
index dd500303d..ed1296fcd 100644
--- a/tests/modules/gke_cluster_standard/examples/access-public.yaml
+++ b/tests/modules/gke_cluster_standard/examples/access-public.yaml
@@ -56,6 +56,7 @@ values:
 default_max_pods_per_node: 32
 deletion_protection: true
 description: null
+ disable_l4_lb_firewall_reconciliation: false
 dns_config: []
 effective_labels:
 environment: dev
@@ -112,6 +113,7 @@ values:
 ephemeral_storage_config: []
 ephemeral_storage_local_ssd_config: []
 fast_socket: []
+ flex_start: null
 gvnic: []
 host_maintenance_policy: []
 linux_node_config: []
@@ -135,6 +137,7 @@ values:
 - containerd_config: []
 gcfs_config:
 - enabled: false
+ insecure_kubelet_readonly_port_enabled: 'TRUE'
 pod_security_policy_config: []
 private_cluster_config: []
 project: myproject
diff --git a/tests/modules/gke_cluster_standard/examples/regional.yaml b/tests/modules/gke_cluster_standard/examples/regional.yaml
index 79bc83942..bb4275a86 100644
--- a/tests/modules/gke_cluster_standard/examples/regional.yaml
+++ b/tests/modules/gke_cluster_standard/examples/regional.yaml
@@ -49,13 +49,14 @@ values:
 - dns_endpoint_config:
 - allow_external_traffic: true
 ip_endpoints_config:
- - enabled: true
+ - enabled: false
 cost_management_config:
 - enabled: true
 datapath_provider: ADVANCED_DATAPATH
 default_max_pods_per_node: 32
 deletion_protection: true
 description: null
+ disable_l4_lb_firewall_reconciliation: false
 dns_config: []
 effective_labels:
 environment: dev
@@ -90,11 +91,6 @@ values:
 master_auth:
 - client_certificate_config:
 - issue_client_certificate: false
- master_authorized_networks_config:
- - cidr_blocks:
- - cidr_block: 10.0.0.0/8
- display_name: internal-vms
- gcp_public_cidrs_access_enabled: false
 min_master_version: null
 monitoring_config:
 - enable_components:
@@ -112,6 +108,7 @@ values:
 ephemeral_storage_config: []
 ephemeral_storage_local_ssd_config: []
 fast_socket: []
+ flex_start: null
 gvnic: []
 host_maintenance_policy: []
 linux_node_config: []
@@ -137,12 +134,11 @@ values:
 - containerd_config: []
 gcfs_config:
 - enabled: false
+ insecure_kubelet_readonly_port_enabled: 'TRUE'
 pod_security_policy_config: []
 private_cluster_config:
 - enable_private_endpoint: true
 enable_private_nodes: true
- master_global_access_config:
- - enabled: true
 private_endpoint_subnetwork: null
 project: myproject
 remove_default_node_pool: true
diff --git a/tests/modules/gke_hub/examples/full.yaml b/tests/modules/gke_hub/examples/full.yaml
index f6cb1fde0..586bb815c 100644
--- a/tests/modules/gke_hub/examples/full.yaml
+++ b/tests/modules/gke_hub/examples/full.yaml
@@ -48,12 +48,15 @@ values:
 control_plane_endpoints_config:
 - dns_endpoint_config:
 - allow_external_traffic: true
+ ip_endpoints_config:
+ - enabled: true
 cost_management_config:
 - enabled: true
 datapath_provider: ADVANCED_DATAPATH
 default_max_pods_per_node: 110
 deletion_protection: true
 description: null
+ disable_l4_lb_firewall_reconciliation: false
 dns_config: []
 effective_labels:
 goog-terraform-provisioned: 'true'
@@ -102,6 +105,7 @@ values:
 ephemeral_storage_config: []
 ephemeral_storage_local_ssd_config: []
 fast_socket: []
+ flex_start: null
 gvnic: []
 host_maintenance_policy: []
 linux_node_config: []
@@ -125,12 +129,11 @@ values:
 - containerd_config: []
 gcfs_config:
 - enabled: false
+ insecure_kubelet_readonly_port_enabled: 'TRUE'
 pod_security_policy_config: []
 private_cluster_config:
- - enable_private_endpoint: true
+ - enable_private_endpoint: null
 enable_private_nodes: true
- master_global_access_config:
- - enabled: true
 private_endpoint_subnetwork: null
 project: gkehub-test
 remove_default_node_pool: true
@@ -158,7 +161,8 @@ values:
 module.hub.google_gke_hub_feature_membership.default["cluster-1"]:
 configmanagement:
 - config_sync:
- - enabled: true
+ - deployment_overrides: []
+ enabled: true
 git:
 - gcp_service_account_email: null
 https_proxy: null
@@ -320,6 +324,19 @@ values:
 project: gkehub-test
 routing_mode: GLOBAL
 timeouts: null
+ module.vpc.google_compute_route.gateway["directpath-googleapis"]:
+ description: Terraform-managed.
+ dest_range: 34.126.0.0/18
+ name: network-directpath-googleapis
+ network: network
+ next_hop_gateway: default-internet-gateway
+ next_hop_ilb: null
+ next_hop_instance: null
+ next_hop_vpn_tunnel: null
+ priority: 1000
+ project: gkehub-test
+ tags: null
+ timeouts: null
 module.vpc.google_compute_route.gateway["private-googleapis"]:
 description: Terraform-managed.
 dest_range: 199.36.153.8/30
@@ -349,6 +366,7 @@ values:
 module.vpc.google_compute_subnetwork.subnetwork["europe-west1/cluster-1"]:
 description: Terraform-managed.
 ip_cidr_range: 10.0.0.0/24
+ ip_collection: null
 ipv6_access_type: null
 log_config: []
 name: cluster-1