From 2cc07c6d40f2ea7c64207c35599adbb17a782a8f Mon Sep 17 00:00:00 2001 From: The Magician Date: Tue, 4 Jun 2019 13:42:01 -0700 Subject: [PATCH] [terraform] Add AuthenticatorGroupsConfig to google_container_cluster (#669) Signed-off-by: Modular Magician --- google-beta/resource_container_cluster.go | 49 ++++++++++++++ .../resource_container_cluster_test.go | 65 +++++++++++++++++++ .../docs/r/container_cluster.html.markdown | 8 +++ 3 files changed, 122 insertions(+) diff --git a/google-beta/resource_container_cluster.go b/google-beta/resource_container_cluster.go index b9029cf477..27c4bfb213 100644 --- a/google-beta/resource_container_cluster.go +++ b/google-beta/resource_container_cluster.go @@ -317,6 +317,23 @@ func resourceContainerCluster() *schema.Resource { Default: false, }, + "authenticator_groups_config": { + Type: schema.TypeList, + Optional: true, + Computed: true, + ForceNew: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "security_group": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + }, + }, + }, + }, + "initial_node_count": { Type: schema.TypeInt, Optional: true, @@ -876,6 +893,10 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er cluster.NodeConfig = expandNodeConfig(v) } + if v, ok := d.GetOk("authenticator_groups_config"); ok { + cluster.AuthenticatorGroupsConfig = expandAuthenticatorGroupsConfig(v) + } + if v, ok := d.GetOk("private_cluster_config"); ok { cluster.PrivateClusterConfig = expandPrivateClusterConfig(v) } 
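Review bot: The `authenticator_groups_config` block in the schema hunk is declared `Optional: true, Computed: true, ForceNew: true`, which in the helper/schema SDK means removing the block from configuration produces no plan diff, so a cluster silently keeps Google Groups RBAC enabled; because the attribute is also `ForceNew`, the only way to turn the feature off is recreating the cluster, which the plan never proposes. If `Computed` is there to absorb an API response with `enabled: false`, consider handling that in the flatten step and dropping `Computed`, or at least document the behaviour with a comment such as `// Computed: removing this block does not disable the feature; the cluster must be recreated to do so`. `security_group` also carries no `ValidateFunc`, although the docs added in this patch require the `gke-security-groups@<domain>` form, so a typo is only caught by the API at apply time.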
@@ -1025,6 +1046,9 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro if cluster.DefaultMaxPodsConstraint != nil { d.Set("default_max_pods_per_node", cluster.DefaultMaxPodsConstraint.MaxPodsPerNode) } + if err := d.Set("authenticator_groups_config", flattenAuthenticatorGroupsConfig(cluster.AuthenticatorGroupsConfig)); err != nil { + return err + } if err := d.Set("node_config", flattenNodeConfig(cluster.NodeConfig)); err != nil { return err } @@ -1921,6 +1945,20 @@ func expandClusterAutoscaling(configured interface{}, d *schema.ResourceData) *c return r } +func expandAuthenticatorGroupsConfig(configured interface{}) *containerBeta.AuthenticatorGroupsConfig { + l := configured.([]interface{}) + if len(l) == 0 { + return nil + } + result := &containerBeta.AuthenticatorGroupsConfig{} + config := l[0].(map[string]interface{}) + if securityGroup, ok := config["security_group"]; ok { + result.Enabled = true + result.SecurityGroup = securityGroup.(string) + } + return result +} + func expandMasterAuth(configured interface{}) *containerBeta.MasterAuth { l := configured.([]interface{}) if len(l) == 0 || l[0] == nil { @@ -2130,6 +2168,17 @@ func flattenClusterNodePools(d *schema.ResourceData, config *Config, c []*contai return nodePools, nil } +func flattenAuthenticatorGroupsConfig(c *containerBeta.AuthenticatorGroupsConfig) []map[string]interface{} { + if c == nil { + return nil + } + return []map[string]interface{}{ + { + "security_group": c.SecurityGroup, + }, + } +} + func flattenPrivateClusterConfig(c *containerBeta.PrivateClusterConfig) []map[string]interface{} { if c == nil { return nil diff --git a/google-beta/resource_container_cluster_test.go b/google-beta/resource_container_cluster_test.go index 2dc1473bd9..963581ea44 100644 --- a/google-beta/resource_container_cluster_test.go +++ b/google-beta/resource_container_cluster_test.go 
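Review bot: `expandAuthenticatorGroupsConfig` type-asserts `l[0]` to a map without a nil check, unlike the neighbouring `expandMasterAuth` visible in the same hunk, which guards with `if len(l) == 0 || l[0] == nil`; should a block with no attributes ever reach this function (an empty `authenticator_groups_config {}`), the assertion panics instead of returning nil. Use the same guard as the sibling: `if len(l) == 0 || l[0] == nil { return nil }`. The `ok` check on `config["security_group"]` is redundant for a Required attribute but harmless.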
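Review bot: `flattenAuthenticatorGroupsConfig` ignores `c.Enabled`, while the expand function sets `Enabled = true` whenever a group is configured, so the round trip is asymmetric: if the API returns a non-nil config with `Enabled` false (presumably with an empty `SecurityGroup`), Read writes a block whose Required `security_group` is the empty string into state. Returning nil for the disabled case keeps state aligned with what the user can express: `if c == nil || !c.Enabled { return nil }`. This also covers the Read hunk above, which sets the flattened value unconditionally.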
@@ -316,6 +316,27 @@ func TestAccContainerCluster_withCloudRunEnabled(t *testing.T) { }) } +func TestAccContainerCluster_withAuthenticatorGroupsConfig(t *testing.T) { + t.Parallel() + clusterName := fmt.Sprintf("cluster-test-%s", acctest.RandString(10)) + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckContainerClusterDestroy, + Steps: []resource.TestStep{ + { + Config: testAccContainerCluster_withAuthenticatorGroupsConfig(clusterName), + }, + { + ResourceName: "google_container_cluster.with_authenticator_groups", + ImportStateIdPrefix: "us-central1-a/", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + func TestAccContainerCluster_withNetworkPolicyEnabled(t *testing.T) { t.Parallel() 
@@ -2102,6 +2123,50 @@ resource "google_container_cluster" "with_cloudrun_enabled" { }`, clusterName) } +func testAccContainerCluster_withAuthenticatorGroupsConfig(clusterName string) string { + return fmt.Sprintf(` +resource "google_compute_network" "container_network" { + name = "container-net-%s" + auto_create_subnetworks = false +} + +resource "google_compute_subnetwork" "container_subnetwork" { + name = "${google_compute_network.container_network.name}" + network = "${google_compute_network.container_network.name}" + ip_cidr_range = "10.0.36.0/24" + region = "us-central1" + private_ip_google_access = true + + secondary_ip_range { + range_name = "pod" + ip_cidr_range = "10.0.0.0/19" + } + + secondary_ip_range { + range_name = "svc" + ip_cidr_range = "10.0.32.0/22" + } +} + +resource "google_container_cluster" "with_authenticator_groups" { + name = "%s" + zone = "us-central1-a" + initial_node_count = 1 + network = "${google_compute_network.container_network.name}" + subnetwork = "${google_compute_subnetwork.container_subnetwork.name}" + + authenticator_groups_config { + security_group = "gke-security-groups@mydomain.tld" + } + + ip_allocation_policy { + cluster_secondary_range_name = "${google_compute_subnetwork.container_subnetwork.secondary_ip_range.0.range_name}" + services_secondary_range_name = "${google_compute_subnetwork.container_subnetwork.secondary_ip_range.1.range_name}" + } +} +`, clusterName, clusterName) +} + func testAccContainerCluster_withMasterAuthorizedNetworksConfig(clusterName string, cidrs []string, emptyValue string) string { cidrBlocks := emptyValue diff --git a/website/docs/r/container_cluster.html.markdown b/website/docs/r/container_cluster.html.markdown index 48dc2b3231..8873c1e289 100644 --- a/website/docs/r/container_cluster.html.markdown +++ b/website/docs/r/container_cluster.html.markdown 
@@ -267,6 +267,10 @@ to the datasource. A `region` can have a different set of supported versions tha [PodSecurityPolicy](https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies) feature. Structure is documented below. +* `authenticator_groups_config` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html)) Configuration for the + [Google Groups for GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control#groups-setup-gsuite) feature. + Structure is documented below. + * `private_cluster_config` - (Optional) A set of options for creating a private cluster. Structure is documented below. @@ -361,6 +365,10 @@ The `resource_limits` block supports: * `maximum` - (Optional) The maximum value for the resource type specified. +The `authenticator_groups_config` block supports: + +* `security_group` - (Required) The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format `gke-security-groups@yourdomain.com`. + The `maintenance_policy` block supports: * `daily_maintenance_window` - (Required) Time window specified for daily maintenance operations.