From f59b22d7589af2908945adea4f40c94cd9f2d138 Mon Sep 17 00:00:00 2001 From: Chris Stephens Date: Mon, 3 Jun 2019 15:15:56 -0700 Subject: [PATCH] Support for GKE intranode visibility Also cleand up some erb syntax --- .../resource_container_cluster.go.erb | 54 +++++++++++++++- .../resource_container_cluster_test.go.erb | 64 +++++++++++++++++++ .../docs/r/container_cluster.html.markdown | 6 +- 3 files changed, 120 insertions(+), 4 deletions(-) diff --git a/third_party/terraform/resources/resource_container_cluster.go.erb b/third_party/terraform/resources/resource_container_cluster.go.erb index 895845e7ea6c..ce2949ef3561 100644 --- a/third_party/terraform/resources/resource_container_cluster.go.erb +++ b/third_party/terraform/resources/resource_container_cluster.go.erb @@ -299,7 +299,7 @@ func resourceContainerCluster() *schema.Resource { }, "enable_binary_authorization": { -<% if version.nil? || version == 'ga' -%> +<% if version == 'ga' -%> Removed: "This field is in beta. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.", Computed: true, <% else -%> @@ -321,7 +321,7 @@ func resourceContainerCluster() *schema.Resource { Type: schema.TypeBool, Optional: true, ForceNew: true, -<% if version.nil? || version == 'ga' -%> +<% if version == 'ga' -%> Removed: "This field is in beta. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.", Computed: true, <% else -%> @@ -523,7 +523,7 @@ func resourceContainerCluster() *schema.Resource { }, "pod_security_policy_config": { -<% if version.nil? || version == 'ga' -%> +<% if version == 'ga' -%> // Remove return nil from expand when this is removed for good. Removed: "This field is in beta. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.", <% else -%> 
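Review bot: Dropping `version.nil?` from the three guards changes what an unset version renders: previously nil fell into the GA `Removed:` branch, now it falls through to the beta definition of the field. That is harmless if the generator always sets `version`, which the `<% unless version == 'ga' -%>` guards added elsewhere in this patch seem to assume, but it is worth confirming before the removed-field stanzas depend on it. The same edit appears in the hunks at -299, -321 and -523; this note covers all three.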
@@ -753,6 +753,16 @@ func resourceContainerCluster() *schema.Resource {
 },
 },
 <% end -%>
+
+ "enable_intranode_visibility": {
+<% if version == 'ga' -%>
+ Removed: "This field is in beta. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.",
+<% end -%>
+ Type: schema.TypeBool,
+ Default: false,
+ Optional: true,
+
+ },
 },
 }
 }
@@ -836,6 +846,9 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
 ForceSendFields: []string{"Enabled"},
 },
 Autoscaling: expandClusterAutoscaling(d.Get("cluster_autoscaling"), d),
+ NetworkConfig: &containerBeta.NetworkConfig{
+ EnableIntraNodeVisibility: d.Get("enable_intranode_visibility").(bool),
+ },
 <% end -%>
 MasterAuth: expandMasterAuth(d.Get("master_auth")),
 ResourceLabels: expandStringMap(d, "resource_labels"),
@@ -1085,6 +1098,7 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
 if err := d.Set("authenticator_groups_config", flattenAuthenticatorGroupsConfig(cluster.AuthenticatorGroupsConfig)); err != nil {
 return err
 }
+ d.Set("enable_intranode_visibility", cluster.NetworkConfig.EnableIntraNodeVisibility)
 <% else -%>
 if err := d.Set("cluster_autoscaling", nil); err != nil {
 return err
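Review bot: The GA branch of the new `enable_intranode_visibility` stanza keeps `Default: false` next to `Removed:`, whereas the sibling removed fields in this file (`enable_binary_authorization`, `pod_security_policy_config`) pair `Removed:` with `Computed: true`; a default on a removed field still writes `false` into GA state for an attribute the provider says no longer exists. Mirroring the siblings would mean `Computed: true,` inside the `<% if version == 'ga' -%>` block and `Default: false,` moved into an `<% else -%>` branch. The copied message also repeats "the the"; `Use it in the google-beta provider instead.` reads correctly. The stray blank line before the closing `},` can go as well.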
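Review bot: `cluster.NetworkConfig` is dereferenced without a nil check in the new `d.Set` line of resourceContainerClusterRead, and the `d.Set` error is discarded although the line directly above returns it. If the API response omits `networkConfig` for a cluster, the read panics instead of reporting the field as unset; guarding the pointer and checking the error keeps it consistent with the surrounding fields. resourceContainerClusterRead starts and ends outside the hunk.
```go
	// … unchanged: authenticator_groups_config …
	enableIntraNode := false
	if cluster.NetworkConfig != nil {
		enableIntraNode = cluster.NetworkConfig.EnableIntraNodeVisibility
	}
	if err := d.Set("enable_intranode_visibility", enableIntraNode); err != nil {
		return err
	}
```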
@@ -1249,6 +1263,40 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er d.SetPartial("cluster_autoscaling") } + + if d.HasChange("enable_intranode_visibility") { + enabled := d.Get("enable_intranode_visibility").(bool) + req := &containerBeta.UpdateClusterRequest{ + Update: &containerBeta.ClusterUpdate{ + DesiredIntraNodeVisibilityConfig: &containerBeta.IntraNodeVisibilityConfig{ + Enabled: enabled, + ForceSendFields: []string{"Enabled"}, + }, + }, + } + updateF := func() error { + log.Println("[DEBUG] updating enable_intranode_visibility") + name := containerClusterFullName(project, location, clusterName) + op, err := config.clientContainerBeta.Projects.Locations.Clusters.Update(name, req).Do() + if err != nil { + return err + } + + // Wait until it's updated + err = containerOperationWait(config, op, project, location, "updating GKE Intra Node Visibility", timeoutInMinutes) + log.Println("[DEBUG] done updating enable_intranode_visibility") + return err + } + + // Call update serially. + if err := lockedCall(lockKey, updateF); err != nil { + return err + } + + log.Printf("[INFO] GKE cluster %s Intra Node Visibility has been updated to %v", d.Id(), enabled) + + d.SetPartial("enable_intranode_visibility") + } <% end -%> if d.HasChange("maintenance_policy") { diff --git a/third_party/terraform/tests/resource_container_cluster_test.go.erb b/third_party/terraform/tests/resource_container_cluster_test.go.erb index ffed95060fba..d7a42d131dc5 100644 --- a/third_party/terraform/tests/resource_container_cluster_test.go.erb +++ b/third_party/terraform/tests/resource_container_cluster_test.go.erb 
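Review bot: In the new `updateF` closure the `[DEBUG] done updating enable_intranode_visibility` line is logged even when `containerOperationWait` returned an error, so the log reads as a success on failure. Returning early after the wait, `if err != nil { return err }`, and logging only on the success path keeps the trail truthful. The block also relies on `project`, `location`, `clusterName`, `lockKey` and `timeoutInMinutes` declared earlier in resourceContainerClusterUpdate, which starts and ends outside the hunk.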
@@ -699,6 +699,46 @@ func TestAccContainerCluster_withLegacyAbac(t *testing.T) { }) } +<% unless version == 'ga' -%> +func TestAccContainerCluster_withIntraNodeVisibility(t *testing.T) { + t.Parallel() + + clusterName := fmt.Sprintf("cluster-test-%s", acctest.RandString(10)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckContainerClusterDestroy, + Steps: []resource.TestStep{ + { + Config: testAccContainerCluster_withIntraNodeVisibility(clusterName), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("google_container_cluster.with_intranode_visibility", "enable_intranode_visibility", "true"), + ), + }, + { + ResourceName: "google_container_cluster.with_intranode_visibility", + ImportStateIdPrefix: "us-central1-a/", + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccContainerCluster_updateIntraNodeVisibility(clusterName), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("google_container_cluster.with_intranode_visibility", "enable_intranode_visibility", "false"), + ), + }, + { + ResourceName: "google_container_cluster.with_intranode_visibility", + ImportStateIdPrefix: "us-central1-a/", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} +<% end -%> + /* Since GKE disables legacy ABAC by default in Kubernetes version 1.8+, and the default Kubernetes version for GKE is also 1.8+, this test will ensure that legacy ABAC is disabled by default to be 
@@ -2390,6 +2430,30 @@ resource "google_container_cluster" "with_legacy_abac" { }`, clusterName) } +<% unless version == 'ga' -%> + +func testAccContainerCluster_withIntraNodeVisibility(clusterName string) string { + return fmt.Sprintf(` +resource "google_container_cluster" "with_intranode_visibility" { + name = "cluster-test-%s" + zone = "us-central1-a" + initial_node_count = 1 + enable_intranode_visibility = true +}`, clusterName) +} + +func testAccContainerCluster_updateIntraNodeVisibility(clusterName string) string { + return fmt.Sprintf(` +resource "google_container_cluster" "with_intranode_visibility" { + name = "cluster-test-%s" + zone = "us-central1-a" + initial_node_count = 1 + enable_intranode_visibility = false +}`, clusterName) +} + +<% end -%> + func testAccContainerCluster_withVersion(clusterName string) string { return fmt.Sprintf(` data "google_container_engine_versions" "central1a" { diff --git a/third_party/terraform/website/docs/r/container_cluster.html.markdown b/third_party/terraform/website/docs/r/container_cluster.html.markdown index 8873c1e289ce..612ed1455da5 100644 --- a/third_party/terraform/website/docs/r/container_cluster.html.markdown +++ b/third_party/terraform/website/docs/r/container_cluster.html.markdown 
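Review bot: Both new config helpers re-apply the `cluster-test-` prefix to a `clusterName` that the test added in this patch already builds as `fmt.Sprintf("cluster-test-%s", acctest.RandString(10))`, so the cluster is created as `cluster-test-cluster-test-<rand>`; `name = "%s"` in both templates would use the name as passed. The two helpers differ only in the boolean, so one `testAccContainerCluster_intraNodeVisibility(clusterName string, enabled bool)` rendering `enable_intranode_visibility = %t` would remove the duplicated template.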
@@ -287,9 +287,13 @@ to the datasource. A `region` can have a different set of supported versions tha * `subnetwork` - (Optional) The name or self_link of the Google Compute Engine subnetwork in which the cluster's instances are launched. -* `vertical_pod_autoscaling` - Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it. +* `vertical_pod_autoscaling` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html)) + Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it. Structure is documented below. +* `enable_intranode_visibility` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html)) + Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network. + The `addons_config` block supports: * `horizontal_pod_autoscaling` - (Optional) The status of the Horizontal Pod Autoscaling