diff --git a/google-beta/node_config.go b/google-beta/node_config.go
index 4e90e5cac2..36c13b12b4 100644
--- a/google-beta/node_config.go
+++ b/google-beta/node_config.go
@@ -147,6 +147,24 @@ var schemaNodeConfig = &schema.Schema{
 				Elem: &schema.Schema{Type: schema.TypeString},
 			},
 
+			"shielded_instance_config": {
+				Type: schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"enable_secure_boot": {
+							Type: schema.TypeBool,
+							Optional: true,
+						},
+						"enable_integrity_monitoring": {
+							Type: schema.TypeBool,
+							Optional: true,
+						},
+					},
+				},
+			},
+
 			"taint": {
 				Type: schema.TypeList,
 				Optional: true,
@@ -298,6 +316,15 @@ func expandNodeConfig(v interface{}) *containerBeta.NodeConfig {
 		}
 		nc.Tags = tags
 	}
+
+	if v, ok := nodeConfig["shielded_instance_config"]; ok && len(v.([]interface{})) > 0 {
+		conf := v.([]interface{})[0].(map[string]interface{})
+		nc.ShieldedInstanceConfig = &containerBeta.ShieldedInstanceConfig{
+			EnableSecureBoot: conf["enable_secure_boot"].(bool),
+			EnableIntegrityMonitoring: conf["enable_integrity_monitoring"].(bool),
+		}
+	}
+
 	// Preemptible Is Optional+Default, so it always has a value
 	nc.Preemptible = nodeConfig["preemptible"].(bool)
 
@@ -357,6 +384,7 @@ func flattenNodeConfig(c *containerBeta.NodeConfig) []map[string]interface{} {
 		"tags": c.Tags,
 		"preemptible": c.Preemptible,
 		"min_cpu_platform": c.MinCpuPlatform,
+		"shielded_instance_config": flattenShieldedInstanceConfig(c.ShieldedInstanceConfig),
 		"taint": flattenTaints(c.Taints),
 		"workload_metadata_config": flattenWorkloadMetadataConfig(c.WorkloadMetadataConfig),
 		"sandbox_config": flattenSandboxConfig(c.SandboxConfig),
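Review bot: The new `shielded_instance_config` block in the schema hunk is `Optional` without `Computed: true`, while `flattenNodeConfig` (the third hunk on this line) now unconditionally writes whatever the API returns into state; if the API populates ShieldedInstanceConfig for node pools whose configuration never set the block (I cannot confirm the API behaviour from this diff), every such resource would show a perpetual diff on the new block. The block also carries no `ForceNew`, and the test fixture's `// Updatable fields` comment suggests the surrounding `node_config` fields are not updatable in place, so a change to either boolean would plan as an in-place update that nothing in this diff applies. Suggested schema change on the block: `Optional: true, Computed: true, ForceNew: true,` (or an update path instead of `ForceNew`), plus a `Description` on each boolean stating that leaving it unset defers to the server-side default, since an unset secure-boot flag is a silent weakening that users should see in the docs.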
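Review bot: The type assertions added to `expandNodeConfig` are all single-value and therefore panic instead of returning an error when an element is not the expected shape; the first list element can be nil for an empty `shielded_instance_config {}` block in some SDK versions (verify against the SDK pinned in this repository), which would crash the provider on plan. Guard the element before reading it, `if conf, ok := v.([]interface{})[0].(map[string]interface{}); ok {`, and build `nc.ShieldedInstanceConfig` only inside that guard, matching how the `len(...) > 0` check already tolerates an absent block. `expandNodeConfig` starts and ends outside the hunk.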
@@ -380,6 +408,17 @@ func flattenContainerGuestAccelerators(c []*containerBeta.AcceleratorConfig) []m
 	return result
 }
 
+func flattenShieldedInstanceConfig(c *containerBeta.ShieldedInstanceConfig) []map[string]interface{} {
+	result := []map[string]interface{}{}
+	if c != nil {
+		result = append(result, map[string]interface{}{
+			"enable_secure_boot": c.EnableSecureBoot,
+			"enable_integrity_monitoring": c.EnableIntegrityMonitoring,
+		})
+	}
+	return result
+}
+
 func flattenTaints(c []*containerBeta.NodeTaint) []map[string]interface{} {
 	result := []map[string]interface{}{}
 	for _, taint := range c {
diff --git a/google-beta/resource_container_cluster_test.go b/google-beta/resource_container_cluster_test.go
index 8f61d7ba67..40b8657c3d 100644
--- a/google-beta/resource_container_cluster_test.go
+++ b/google-beta/resource_container_cluster_test.go
@@ -744,6 +744,29 @@ func TestAccContainerCluster_withNodeConfigTaints(t *testing.T) {
 	})
 }
 
+func TestAccContainerCluster_withNodeConfigShieldedInstanceConfig(t *testing.T) {
+	t.Parallel()
+
+	clusterName := fmt.Sprintf("cluster-test-%s", acctest.RandString(10))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		CheckDestroy: testAccCheckContainerClusterDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccContainerCluster_withNodeConfigShieldedInstanceConfig(clusterName),
+			},
+			{
+				ResourceName: "google_container_cluster.with_node_config",
+				ImportStateIdPrefix: "us-central1-f/",
+				ImportState: true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccContainerCluster_withWorkloadMetadataConfig(t *testing.T) {
 	t.Parallel()
 
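Review bot: `flattenShieldedInstanceConfig` has no doc comment, and its return shape is load-bearing for state: a nil input yields an empty (non-nil) list, while a non-nil input yields exactly one map even when both flags are false, which is what lets state distinguish "block absent" from "block present with everything disabled". Add above the function `// flattenShieldedInstanceConfig converts the API ShieldedInstanceConfig into the single-element list shape of the shielded_instance_config schema block; a nil input produces an empty list.` The empty-slice-then-append form matches `flattenTaints` directly below it, so the style is consistent with the file.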
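Review bot: `TestAccContainerCluster_withNodeConfigShieldedInstanceConfig` carries no explicit assertion on the two flags; as far as I can see it relies only on the framework's post-apply empty-plan check and the import comparison, so a failure would surface as an opaque plan diff rather than a named attribute mismatch. Add to the first step `Check: resource.TestCheckResourceAttr("google_container_cluster.with_node_config", "node_config.0.shielded_instance_config.0.enable_secure_boot", "true"),` and the same for `enable_integrity_monitoring`, so the expected security posture is stated in the test. `TestAccContainerNodePool_shieldedInstanceConfig` in the node-pool test file has the same gap.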
@@ -2283,6 +2306,47 @@ resource "google_container_cluster" "with_node_config" {
 }`, acctest.RandString(10))
 }
 
+func testAccContainerCluster_withNodeConfigShieldedInstanceConfig(clusterName string) string {
+	return fmt.Sprintf(`
+resource "google_container_cluster" "with_node_config" {
+	name = "%s"
+	zone = "us-central1-f"
+	initial_node_count = 1
+
+	node_config {
+		machine_type = "n1-standard-1"
+		disk_size_gb = 15
+		disk_type = "pd-ssd"
+		local_ssd_count = 1
+		oauth_scopes = [
+			"https://www.googleapis.com/auth/monitoring",
+			"https://www.googleapis.com/auth/compute",
+			"https://www.googleapis.com/auth/devstorage.read_only",
+			"https://www.googleapis.com/auth/logging.write"
+		]
+		service_account = "default"
+		metadata = {
+			foo = "bar"
+			disable-legacy-endpoints = "true"
+		}
+		labels = {
+			foo = "bar"
+		}
+		tags = ["foo", "bar"]
+		preemptible = true
+		min_cpu_platform = "Intel Broadwell"
+
+		// Updatable fields
+		image_type = "COS"
+
+		shielded_instance_config {
+			enable_secure_boot = true
+			enable_integrity_monitoring = true
+		}
+	}
+}`, clusterName)
+}
+
 func testAccContainerCluster_withWorkloadMetadataConfig() string {
 	return fmt.Sprintf(`
 data "google_container_engine_versions" "central1a" {
diff --git a/google-beta/resource_container_node_pool_test.go b/google-beta/resource_container_node_pool_test.go
index ed0c7e5ee2..66a46aa94c 100644
--- a/google-beta/resource_container_node_pool_test.go
+++ b/google-beta/resource_container_node_pool_test.go
@@ -665,6 +665,30 @@ func TestAccContainerNodePool_EmptyGuestAccelerator(t *testing.T) {
 	})
 }
 
+func TestAccContainerNodePool_shieldedInstanceConfig(t *testing.T) {
+	t.Parallel()
+
+	cluster := fmt.Sprintf("tf-nodepool-test-%s", acctest.RandString(10))
+	np := fmt.Sprintf("tf-nodepool-test-%s", acctest.RandString(10))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		CheckDestroy: testAccCheckContainerNodePoolDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccContainerNodePool_shieldedInstanceConfig(cluster, np),
+			},
+			{
+				ResourceName: "google_container_node_pool.np",
+				ImportState: true,
+				ImportStateVerify: true,
+				ImportStateVerifyIgnore: []string{"max_pods_per_node"},
+			},
+		},
+	})
+}
+
 func testAccCheckContainerNodePoolDestroy(s *terraform.State) error {
 	config := testAccProvider.Meta().(*Config)
 
@@ -1429,3 +1453,23 @@ resource "google_container_node_pool" "np" {
 	}
 }`, cluster, np)
 }
+
+func testAccContainerNodePool_shieldedInstanceConfig(cluster, np string) string {
+	return fmt.Sprintf(`
+resource "google_container_cluster" "cluster" {
+	name = "%s"
+	location = "us-central1-a"
+	initial_node_count = 3
+}
+
+resource "google_container_node_pool" "np" {
+	name = "%s"
+	location = "us-central1-a"
+	cluster = "${google_container_cluster.cluster.name}"
+	initial_node_count = 2
+	shielded_instance_config {
+		enable_secure_boot = true
+		enable_integrity_monitoring = true
+	}
+}`, cluster, np)
+}
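Review bot: The node-pool fixture in `testAccContainerNodePool_shieldedInstanceConfig` places `shielded_instance_config { … }` directly under `google_container_node_pool`, whereas the only schema change in this diff adds the block inside `schemaNodeConfig`, and the cluster fixture accordingly nests it under `node_config { … }`. Unless `google_container_node_pool` declares a top-level `shielded_instance_config` elsewhere (not in this diff), Terraform will reject the configuration with an unsupported-block error and the test will never exercise the feature. Wrap the block as `node_config {` / `shielded_instance_config { … }` / `}` with the two booleans inside, matching the cluster fixture.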