fix(fleetscope): depends on mcs feature and other fixes

GoogleCloudPlatform · May 13, 2024 · 6222b21 · 6222b21
1 parent b7954e1
commit 6222b21
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 7 deletions.
diff --git a/4-fleetscope/modules/env_baseline/acm.tf b/4-fleetscope/modules/env_baseline/acm.tf
@@ -57,7 +57,6 @@ resource "google_gke_hub_feature_membership" "acm_feature_member" {
   membership_location = regex(local.membership_re, each.key)[1]
 
   configmanagement {
-    version = "1.17.2"
     config_sync {
       source_format = "unstructured"
       git {
@@ -66,11 +65,6 @@ resource "google_gke_hub_feature_membership" "acm_feature_member" {
         gcp_service_account_email = google_service_account.root_reconciler.email
       }
     }
-    policy_controller {
-      enabled                    = true
-      template_library_installed = true
-      referential_rules_enabled  = true
-    }
   }
 
   depends_on = [

diff --git a/4-fleetscope/modules/env_baseline/mcg.tf b/4-fleetscope/modules/env_baseline/mcg.tf
@@ -71,4 +71,6 @@ resource "google_project_iam_member" "cluster_network_viewer_mcs" {
   project  = var.cluster_project_id
   role     = each.key
   member   = "serviceAccount:${var.cluster_project_id}.svc.id.goog[gke-mcs/gke-mcs-importer]"
+
+  depends_on = [google_gke_hub_feature.mcs]
 }
diff --git a/4-fleetscope/modules/env_baseline/policy.tf b/4-fleetscope/modules/env_baseline/policy.tf
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-resource "google_gke_hub_feature" "feature" {
+resource "google_gke_hub_feature" "poco_feature" {
   name     = "policycontroller"
   location = "global"
   project  = var.fleet_project_id
@@ -35,3 +35,26 @@ resource "google_gke_hub_feature" "feature" {
     }
   }
 }
+
+resource "google_gke_hub_feature_membership" "poco_feature_member" {
+  for_each = toset(var.cluster_membership_ids)
+  location = "global"
+  project  = var.cluster_project_id
+
+  feature             = google_gke_hub_feature.poco_feature.name
+  membership          = regex(local.membership_re, each.key)[2]
+  membership_location = regex(local.membership_re, each.key)[1]
+
+  policycontroller {
+    policy_controller_hub_config {
+      policy_content {
+        bundles {
+          bundle_name = "pss-baseline-v2022"
+        }
+        template_library {
+          installation = "ALL"
+        }
+      }
+    }
+  }
+}