From 26215c827a40b80a60447bea5fa8209d9417c030 Mon Sep 17 00:00:00 2001
From: Edward Sun
Date: Sat, 16 Jul 2022 17:19:32 -0700
Subject: [PATCH 1/3] removed forceNew
---
 .../resource_container_cluster.go.erb | 29 +++++++-
 .../resource_container_cluster_test.go.erb | 68 +++++++++++++++++--
 2 files changed, 90 insertions(+), 7 deletions(-)
diff --git a/mmv1/third_party/terraform/resources/resource_container_cluster.go.erb b/mmv1/third_party/terraform/resources/resource_container_cluster.go.erb
index 70d2ce4f2581..7b13f848362b 100644
--- a/mmv1/third_party/terraform/resources/resource_container_cluster.go.erb
+++ b/mmv1/third_party/terraform/resources/resource_container_cluster.go.erb
@@ -641,7 +641,6 @@ func resourceContainerCluster() *schema.Resource {
 Type: schema.TypeList,
 Optional: true,
 Computed: true,
- ForceNew: true,
 MaxItems: 1,
 Description: `Configuration for the Google Groups for GKE feature.`,
 Elem: &schema.Resource{
@@ -649,7 +648,6 @@ func resourceContainerCluster() *schema.Resource {
 "security_group": {
 Type: schema.TypeString,
 Required: true,
- ForceNew: true,
 Description: `The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com.`,
 },
 },
@@ -2387,6 +2385,21 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er } <% end -%> + if d.HasChange("authenticator_groups_config") { + req := &container.UpdateClusterRequest{ + Update: &container.ClusterUpdate{ + DesiredAuthenticatorGroupsConfig: expandContainerClusterAuthenticatorGroupsConfig(d.Get("authenticator_groups_config")), + }, + } + updateF := updateFunc(req, "updating GKE cluster authenticator groups config") + // Call update serially. + if err := lockedCall(lockKey, updateF); err != nil { + return err + } + + log.Printf("[INFO] GKE cluster %s authenticator groups config has been updated", d.Id()) + } + if d.HasChange("default_snat_status") { req := &container.UpdateClusterRequest{ Update: &container.ClusterUpdate{ @@ -3836,6 +3849,18 @@ func expandContainerClusterTpuConfig(configured interface{}) *container.TpuConfi } <% end -%> +func expandContainerClusterAuthenticatorGroupsConfig(configured interface{}) *container.AuthenticatorGroupsConfig { + l := configured.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil + } + + config := l[0].(map[string]interface{}) + return &container.AuthenticatorGroupsConfig{ + SecurityGroup: config["security_group"].(string), + } +} + func flattenNotificationConfig(c *container.NotificationConfig) []map[string]interface{} { if c == nil { return nil diff --git a/mmv1/third_party/terraform/tests/resource_container_cluster_test.go.erb b/mmv1/third_party/terraform/tests/resource_container_cluster_test.go.erb index 5cd33197e354..52c66d27758a 100644 --- a/mmv1/third_party/terraform/tests/resource_container_cluster_test.go.erb +++ b/mmv1/third_party/terraform/tests/resource_container_cluster_test.go.erb 
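Review bot: In the new `authenticator_groups_config` branch, `expandContainerClusterAuthenticatorGroupsConfig` can return nil (empty list or nil first element, per its definition later in this patch), and the request is then sent with a `ClusterUpdate` that names no desired field, after which the `[INFO]` line still reports the config as updated. For a setting that binds cluster RBAC to a Google group, a log entry claiming an update that changed nothing is misleading when someone later audits who had access. Decide what an absent block means and make it explicit, for example by guarding the call with `if cfg := expandContainerClusterAuthenticatorGroupsConfig(d.Get("authenticator_groups_config")); cfg != nil {` and a comment such as `// Absent block: nothing is sent, the cluster keeps its current group binding.` resourceContainerClusterUpdate begins and ends outside this hunk.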
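Review bot: `expandContainerClusterAuthenticatorGroupsConfig` copies only `security_group` into `SecurityGroup` and never sets `Enabled`, so the update request neither states that the feature is on nor can it state that it is off. With an empty `security_group` the struct holds only zero values, which the generated client leaves out of the JSON body unless they are listed in `ForceSendFields`, so a reset would presumably be sent as an empty object; whether the API infers `Enabled` from a non-empty group is not visible here and should be confirmed. The unchecked `config["security_group"].(string)` assertion also panics if the key is missing or nil. The version below sets `Enabled` explicitly in both directions.

```go
func expandContainerClusterAuthenticatorGroupsConfig(configured interface{}) *container.AuthenticatorGroupsConfig {
	// … unchanged: empty-list check and config := l[0].(map[string]interface{}) …
	group, _ := config["security_group"].(string)
	if group == "" {
		// Zero values are dropped from the request unless force-sent.
		return &container.AuthenticatorGroupsConfig{
			Enabled:         false,
			ForceSendFields: []string{"Enabled"},
		}
	}
	return &container.AuthenticatorGroupsConfig{
		Enabled:       true,
		SecurityGroup: group,
	}
}
```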
@@ -361,12 +361,28 @@ func TestAccContainerCluster_withAuthenticatorGroupsConfig(t *testing.T) {
 CheckDestroy: testAccCheckContainerClusterDestroyProducer(t),
 Steps: []resource.TestStep{
 {
- Config: testAccContainerCluster_withAuthenticatorGroupsConfig(containerNetName, clusterName, orgDomain),
+ Config: testAccContainerCluster_withAuthenticatorGroupsConfig(containerNetName, clusterName),
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckNoResourceAttr("google_container_cluster.with_authenticator_groups",
+ "authenticator_groups_config.0.enabled"),
+ ),
 },
 {
- ResourceName: "google_container_cluster.with_authenticator_groups",
- ImportState: true,
- ImportStateVerify: true,
+ ResourceName: "google_container_cluster.with_authenticator_groups",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ {
+ Config: testAccContainerCluster_withAuthenticatorGroupsConfigUpdate(containerNetName, clusterName, orgDomain),
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr("google_container_cluster.with_authenticator_groups",
+ "authenticator_groups_config.0.security_group", fmt.Sprintf("gke-security-groups@%s", orgDomain)),
+ ),
+ },
+ {
+ ResourceName: "google_container_cluster.with_authenticator_groups",
+ ImportState: true,
+ ImportStateVerify: true,
 },
 },
 })
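Review bot: The first step's `TestCheckNoResourceAttr(..., "authenticator_groups_config.0.enabled")` checks an attribute the schema does not define — the resource hunk in this patch shows only `security_group` under `Elem` — so the assertion passes whatever state the cluster is in. The same check is carried into the steps touched by `@@ -361,26 +360,38 @@` in patch 2 and `@@ -384,7 +384,7 @@` in patch 3, where it is the only evidence that group-based RBAC was turned off again. Assert on a field that exists, e.g. `resource.TestCheckNoResourceAttr("google_container_cluster.with_authenticator_groups", "authenticator_groups_config.0.security_group"),`, or on the `authenticator_groups_config.#` count if the read path returns an empty list. The test function starts and ends outside this hunk.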
@@ -3331,7 +3347,48 @@ resource "google_container_cluster" "with_network_policy_enabled" { `, clusterName) } -func testAccContainerCluster_withAuthenticatorGroupsConfig(containerNetName string, clusterName string, orgDomain string) string { +func testAccContainerCluster_withAuthenticatorGroupsConfig(containerNetName string, clusterName string) string { + return fmt.Sprintf(` +resource "google_compute_network" "container_network" { + name = "%s" + auto_create_subnetworks = false +} + +resource "google_compute_subnetwork" "container_subnetwork" { + name = google_compute_network.container_network.name + network = google_compute_network.container_network.name + ip_cidr_range = "10.0.36.0/24" + region = "us-central1" + private_ip_google_access = true + + secondary_ip_range { + range_name = "pod" + ip_cidr_range = "10.0.0.0/19" + } + + secondary_ip_range { + range_name = "svc" + ip_cidr_range = "10.0.32.0/22" + } +} + +resource "google_container_cluster" "with_authenticator_groups" { + name = "%s" + location = "us-central1-a" + initial_node_count = 1 + network = google_compute_network.container_network.name + subnetwork = google_compute_subnetwork.container_subnetwork.name + + networking_mode = "VPC_NATIVE" + ip_allocation_policy { + cluster_secondary_range_name = google_compute_subnetwork.container_subnetwork.secondary_ip_range[0].range_name + services_secondary_range_name = google_compute_subnetwork.container_subnetwork.secondary_ip_range[1].range_name + } +} +`, containerNetName, clusterName) +} + +func testAccContainerCluster_withAuthenticatorGroupsConfigUpdate(containerNetName string, clusterName string, orgDomain string) string { return fmt.Sprintf(` resource "google_compute_network" "container_network" { name = "%s" 
@@ -3376,6 +3433,7 @@ resource "google_container_cluster" "with_authenticator_groups" { `, containerNetName, clusterName, orgDomain) } + func testAccContainerCluster_withMasterAuthorizedNetworksConfig(clusterName string, cidrs []string, emptyValue string) string { cidrBlocks := emptyValue From 85406962ab56d2835ae4c52cf2eea8597bd1f6e2 Mon Sep 17 00:00:00 2001 From: Edward Sun Date: Fri, 22 Jul 2022 15:38:15 -0700 Subject: [PATCH 2/3] updated a test --- .../resource_container_cluster_test.go.erb | 115 ++++-------------- 1 file changed, 27 insertions(+), 88 deletions(-) diff --git a/mmv1/third_party/terraform/tests/resource_container_cluster_test.go.erb b/mmv1/third_party/terraform/tests/resource_container_cluster_test.go.erb index 52c66d27758a..a7fc7701a63a 100644 --- a/mmv1/third_party/terraform/tests/resource_container_cluster_test.go.erb +++ b/mmv1/third_party/terraform/tests/resource_container_cluster_test.go.erb @@ -353,7 +353,6 @@ func TestAccContainerCluster_withMasterAuthConfig_NoCert(t *testing.T) { func TestAccContainerCluster_withAuthenticatorGroupsConfig(t *testing.T) { t.Parallel() clusterName := fmt.Sprintf("tf-test-cluster-%s", randString(t, 10)) - containerNetName := fmt.Sprintf("tf-test-container-net-%s", randString(t, 10)) orgDomain := getTestOrgDomainFromEnv(t) vcrTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, 
@@ -361,26 +360,38 @@ func TestAccContainerCluster_withAuthenticatorGroupsConfig(t *testing.T) {
 CheckDestroy: testAccCheckContainerClusterDestroyProducer(t),
 Steps: []resource.TestStep{
 {
- Config: testAccContainerCluster_withAuthenticatorGroupsConfig(containerNetName, clusterName),
+ Config: testAccContainerCluster_basic(clusterName),
 Check: resource.ComposeTestCheckFunc(
- resource.TestCheckNoResourceAttr("google_container_cluster.with_authenticator_groups",
+ resource.TestCheckNoResourceAttr("google_container_cluster.primary",
 "authenticator_groups_config.0.enabled"),
 ),
 },
 {
- ResourceName: "google_container_cluster.with_authenticator_groups",
+ ResourceName: "google_container_cluster.primary",
 ImportState: true,
 ImportStateVerify: true,
 },
 {
- Config: testAccContainerCluster_withAuthenticatorGroupsConfigUpdate(containerNetName, clusterName, orgDomain),
+ Config: testAccContainerCluster_withAuthenticatorGroupsConfigUpdate(clusterName, orgDomain),
 Check: resource.ComposeTestCheckFunc(
- resource.TestCheckResourceAttr("google_container_cluster.with_authenticator_groups",
+ resource.TestCheckResourceAttr("google_container_cluster.primary",
 "authenticator_groups_config.0.security_group", fmt.Sprintf("gke-security-groups@%s", orgDomain)),
 ),
 },
 {
- ResourceName: "google_container_cluster.with_authenticator_groups",
+ ResourceName: "google_container_cluster.primary",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ {
+ Config: testAccContainerCluster_basic(clusterName),
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckNoResourceAttr("google_container_cluster.primary",
+ "authenticator_groups_config.0.enabled"),
+ ),
+ },
+ {
+ ResourceName: "google_container_cluster.primary",
 ImportState: true,
 ImportStateVerify: true,
 },
@@ -3347,90 +3358,18 @@ resource "google_container_cluster" "with_network_policy_enabled" { `, clusterName) } -func testAccContainerCluster_withAuthenticatorGroupsConfig(containerNetName string, clusterName string) string { - return fmt.Sprintf(` -resource "google_compute_network" "container_network" { - name = "%s" - auto_create_subnetworks = false -} - -resource "google_compute_subnetwork" "container_subnetwork" { - name = google_compute_network.container_network.name - network = google_compute_network.container_network.name - ip_cidr_range = "10.0.36.0/24" - region = "us-central1" - private_ip_google_access = true - - secondary_ip_range { - range_name = "pod" - ip_cidr_range = "10.0.0.0/19" - } - - secondary_ip_range { - range_name = "svc" - ip_cidr_range = "10.0.32.0/22" - } -} - -resource "google_container_cluster" "with_authenticator_groups" { - name = "%s" - location = "us-central1-a" - initial_node_count = 1 - network = google_compute_network.container_network.name - subnetwork = google_compute_subnetwork.container_subnetwork.name - - networking_mode = "VPC_NATIVE" - ip_allocation_policy { - cluster_secondary_range_name = google_compute_subnetwork.container_subnetwork.secondary_ip_range[0].range_name - services_secondary_range_name = google_compute_subnetwork.container_subnetwork.secondary_ip_range[1].range_name - } -} -`, containerNetName, clusterName) -} - -func testAccContainerCluster_withAuthenticatorGroupsConfigUpdate(containerNetName string, clusterName string, orgDomain string) string { +func testAccContainerCluster_withAuthenticatorGroupsConfigUpdate(name string, orgDomain string) string { return fmt.Sprintf(` -resource "google_compute_network" "container_network" { - name = "%s" - auto_create_subnetworks = false -} - -resource "google_compute_subnetwork" "container_subnetwork" { - name = google_compute_network.container_network.name - network = google_compute_network.container_network.name - ip_cidr_range = "10.0.36.0/24" - region = "us-central1" - 
private_ip_google_access = true - - secondary_ip_range { - range_name = "pod" - ip_cidr_range = "10.0.0.0/19" - } - - secondary_ip_range { - range_name = "svc" - ip_cidr_range = "10.0.32.0/22" - } -} - -resource "google_container_cluster" "with_authenticator_groups" { - name = "%s" - location = "us-central1-a" - initial_node_count = 1 - network = google_compute_network.container_network.name - subnetwork = google_compute_subnetwork.container_subnetwork.name - - authenticator_groups_config { - security_group = "gke-security-groups@%s" - } +resource "google_container_cluster" "primary" { + name = "%s" + location = "us-central1-a" + initial_node_count = 1 - networking_mode = "VPC_NATIVE" - ip_allocation_policy { - cluster_secondary_range_name = google_compute_subnetwork.container_subnetwork.secondary_ip_range[0].range_name - services_secondary_range_name = google_compute_subnetwork.container_subnetwork.secondary_ip_range[1].range_name - } + authenticator_groups_config { + security_group = "gke-security-groups@%s" + } } -`, containerNetName, clusterName, orgDomain) +`, name, orgDomain) } From 7505c0276c7bb50bff6d69ce73904e8ec5a7cb46 Mon Sep 17 00:00:00 2001 From: Edward Sun Date: Tue, 26 Jul 2022 17:09:17 -0700 Subject: [PATCH 3/3] reset security_group with empty --- .../tests/resource_container_cluster_test.go.erb | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/mmv1/third_party/terraform/tests/resource_container_cluster_test.go.erb b/mmv1/third_party/terraform/tests/resource_container_cluster_test.go.erb index a7fc7701a63a..187b206f75f3 100644 --- a/mmv1/third_party/terraform/tests/resource_container_cluster_test.go.erb +++ b/mmv1/third_party/terraform/tests/resource_container_cluster_test.go.erb 
@@ -384,7 +384,7 @@ func TestAccContainerCluster_withAuthenticatorGroupsConfig(t *testing.T) { ImportStateVerify: true, }, { - Config: testAccContainerCluster_basic(clusterName), + Config: testAccContainerCluster_withAuthenticatorGroupsConfigUpdate2(clusterName), Check: resource.ComposeTestCheckFunc( resource.TestCheckNoResourceAttr("google_container_cluster.primary", "authenticator_groups_config.0.enabled"), @@ -3372,6 +3372,20 @@ resource "google_container_cluster" "primary" { `, name, orgDomain) } +func testAccContainerCluster_withAuthenticatorGroupsConfigUpdate2(name string) string { + return fmt.Sprintf(` +resource "google_container_cluster" "primary" { + name = "%s" + location = "us-central1-a" + initial_node_count = 1 + + authenticator_groups_config { + security_group = "" + } +} +`, name) +} + func testAccContainerCluster_withMasterAuthorizedNetworksConfig(clusterName string, cidrs []string, emptyValue string) string {
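Review bot: The `Config:` line now applies `security_group = ""` as the way to reset the setting, but the field's `Description` in patch 1 still says the name "must be in format gke-security-groups@yourdomain.com", and nothing tells an operator that an empty string is accepted or what it does. If an empty value is meant to turn Google Groups for RBAC off, say so where users read it, for example by appending `Set to an empty string to disable Google Groups for RBAC.` to the `security_group` description. The fixture name ending in `Update2` also hides that intent; a name that says "reset" or "disable" would make the step self-explanatory. The test function starts and ends outside this hunk.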