fix(fleetscope): depends on mcs feature and poco

4-fleetscope/modules/env_baseline/acm.tf

@@ -57,7 +57,7 @@ resource "google_gke_hub_feature_membership" "acm_feature_member" {
   membership_location = regex(local.membership_re, each.key)[1]
 
   configmanagement {
-    version = "1.17.2"
+    version = "1.18.0"
     config_sync {
       source_format = "unstructured"
       git {
@@ -66,11 +66,6 @@ resource "google_gke_hub_feature_membership" "acm_feature_member" {
         gcp_service_account_email = google_service_account.root_reconciler.email
       }
     }
-    policy_controller {
-      enabled                    = true
-      template_library_installed = true
-      referential_rules_enabled  = true
-    }
   }
 
   depends_on = [

4-fleetscope/modules/env_baseline/mcg.tf

@@ -71,4 +71,6 @@ resource "google_project_iam_member" "cluster_network_viewer_mcs" {
   project  = var.cluster_project_id
   role     = each.key
   member   = "serviceAccount:${var.cluster_project_id}.svc.id.goog[gke-mcs/gke-mcs-importer]"
+
+  depends_on = [google_gke_hub_feature.mcs]
 }

4-fleetscope/modules/env_baseline/policy.tf

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-resource "google_gke_hub_feature" "feature" {
+resource "google_gke_hub_feature" "poco_feature" {
   name     = "policycontroller"
   location = "global"
   project  = var.fleet_project_id
@@ -27,6 +27,9 @@ resource "google_gke_hub_feature" "feature" {
           bundles {
             bundle = "pss-baseline-v2022"
           }
+          bundles {
+            bundle = "policy-essentials-v2022"
+          }
           template_library {
             installation = "ALL"
           }
@@ -35,3 +38,31 @@ resource "google_gke_hub_feature" "feature" {
     }
   }
 }
+
+resource "google_gke_hub_feature_membership" "poco_feature_member" {
+  for_each = toset(var.cluster_membership_ids)
+  location = "global"
+  project  = var.cluster_project_id
+
+  feature             = google_gke_hub_feature.poco_feature.name
+  membership          = regex(local.membership_re, each.key)[2]
+  membership_location = regex(local.membership_re, each.key)[1]
+
+  policycontroller {
+    policy_controller_hub_config {
+      policy_content {
+        bundles {
+          bundle_name = "pss-baseline-v2022"
+        }
+        bundles {
+          bundle_name = "policy-essentials-v2022"
+        }
+        template_library {
+          installation = "ALL"
+        }
+      }
+    }
+  }
+
+  depends_on = [google_gke_hub_feature_membership.acm_feature_member]
+}

test/integration/fleetscope/fleetscope_test.go

@@ -125,7 +125,7 @@ func TestFleetscope(t *testing.T) {
 
 								assert.Equal("gcpserviceaccount", gkeFeatureOp.Get(configmanagementPath+".configSync.git.secretType").String(), fmt.Sprintf("Hub Feature %s should have git secret type equal to gcpserviceaccount", membershipName))
 								assert.Equal("unstructured", gkeFeatureOp.Get(configmanagementPath+".configSync.sourceFormat").String(), fmt.Sprintf("Hub Feature %s should have source format equal to unstructured", membershipName))
-								assert.Equal("1.17.2", gkeFeatureOp.Get(configmanagementPath+".version").String(), fmt.Sprintf("Hub Feature %s should have source format equal to unstructured", membershipName))
+								assert.Equal("1.18.0", gkeFeatureOp.Get(configmanagementPath+".version").String(), fmt.Sprintf("Hub Feature %s should have source format equal to unstructured", membershipName))
 								assert.Equal(rootReconcilerSa, gkeFeatureOp.Get(configmanagementPath+".configSync.git.gcpServiceAccountEmail").String(), fmt.Sprintf("Hub Feature %s should have git service account type equal to %s", membershipName, rootReconcilerSa))
 								assert.True(gkeFeatureOp.Get(configmanagementPath+".policyController.enabled").Bool(), fmt.Sprintf("Hub Feature %s  policy controler should be enabled", membershipName))
 								assert.True(gkeFeatureOp.Get(configmanagementPath+".policyController.referentialRulesEnabled").Bool(), fmt.Sprintf("Hub Feature %s  referencial rule should be enabled", membershipName))