From ae5324da8a910c064272e3a1b0061900b9b2bcaa Mon Sep 17 00:00:00 2001 From: Modular Magician Date: Wed, 15 Nov 2023 18:19:57 +0000 Subject: [PATCH] Add policycontroller fields to fleet default configs for GKE Hub Feature resource (#9426) [upstream:5c38dcbd15dc04776819a4e6c40ed09482acdba5] Signed-off-by: Modular Magician --- .changelog/9426.txt | 3 + .../gkehub2/resource_gke_hub_feature.go | 1006 +++++++++++++++++ .../gkehub2/resource_gke_hub_feature_test.go | 168 +++ website/docs/r/gke_hub_feature.html.markdown | 289 +++++ 4 files changed, 1466 insertions(+) create mode 100644 .changelog/9426.txt diff --git a/.changelog/9426.txt b/.changelog/9426.txt new file mode 100644 index 0000000000..9e88533fb7 --- /dev/null +++ b/.changelog/9426.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +gkehub2: added `policycontroller` field to `fleet_default_member_config` under the `google_gke_hub_feature` resource. Users can now configure a default Policy Controller configuration for new memberships added to the fleet. +``` diff --git a/google-beta/services/gkehub2/resource_gke_hub_feature.go b/google-beta/services/gkehub2/resource_gke_hub_feature.go index 1d0cd8ee93..f37f0ecbab 100644 --- a/google-beta/services/gkehub2/resource_gke_hub_feature.go +++ b/google-beta/services/gkehub2/resource_gke_hub_feature.go @@ -199,6 +199,246 @@ func ResourceGKEHub2Feature() *schema.Resource { }, }, }, + "policycontroller": { + Type: schema.TypeList, + Optional: true, + Description: `Policy Controller spec`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "policy_controller_hub_config": { + Type: schema.TypeList, + Required: true, + Description: `Configuration of Policy Controller`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "install_spec": { + Type: schema.TypeString, + Required: true, + ValidateFunc: verify.ValidateEnum([]string{"INSTALL_SPEC_UNSPECIFIED", "INSTALL_SPEC_NOT_INSTALLED", "INSTALL_SPEC_ENABLED", "INSTALL_SPEC_SUSPENDED", "INSTALL_SPEC_DETACHED"}), + Description: `Configures the mode of the Policy Controller installation Possible values: ["INSTALL_SPEC_UNSPECIFIED", "INSTALL_SPEC_NOT_INSTALLED", "INSTALL_SPEC_ENABLED", "INSTALL_SPEC_SUSPENDED", "INSTALL_SPEC_DETACHED"]`, + }, + "audit_interval_seconds": { + Type: schema.TypeInt, + Optional: true, + Description: `Interval for Policy Controller Audit scans (in seconds). When set to 0, this disables audit functionality altogether.`, + }, + "constraint_violation_limit": { + Type: schema.TypeInt, + Optional: true, + Description: `The maximum number of audit violations to be stored in a constraint. If not set, the internal default of 20 will be used.`, + }, + "deployment_configs": { + Type: schema.TypeSet, + Computed: true, + Optional: true, + Description: `Map of deployment configs to deployments ("admission", "audit", "mutation").`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "component": { + Type: schema.TypeString, + Required: true, + }, + "container_resources": { + Type: schema.TypeList, + Optional: true, + Description: `Container resource requirements.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "limits": { + Type: schema.TypeList, + Optional: true, + Description: `Limits describes the maximum amount of compute resources allowed for use by the running container.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "cpu": { + Type: schema.TypeString, + Optional: true, + Description: `CPU requirement expressed in Kubernetes resource units.`, + }, + "memory": { + Type: schema.TypeString, + Optional: true, + Description: `Memory requirement expressed in Kubernetes resource units.`, + }, + }, + }, + }, + "requests": { + Type: schema.TypeList, + Optional: true, + Description: `Requests describes the amount of compute resources reserved for the container by the kube-scheduler.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "cpu": { + Type: schema.TypeString, + Optional: true, + Description: `CPU requirement expressed in Kubernetes resource units.`, + }, + "memory": { + Type: schema.TypeString, + Optional: true, + Description: `Memory requirement expressed in Kubernetes resource units.`, + }, + }, + }, + }, + }, + }, + }, + "pod_affinity": { + Type: schema.TypeString, + Computed: true, + Optional: true, + ValidateFunc: verify.ValidateEnum([]string{"AFFINITY_UNSPECIFIED", "NO_AFFINITY", "ANTI_AFFINITY", ""}), + Description: `Pod affinity configuration. Possible values: ["AFFINITY_UNSPECIFIED", "NO_AFFINITY", "ANTI_AFFINITY"]`, + }, + "pod_toleration": { + Type: schema.TypeList, + Optional: true, + Description: `Pod tolerations of node taints.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "effect": { + Type: schema.TypeString, + Optional: true, + Description: `Matches a taint effect.`, + }, + "key": { + Type: schema.TypeString, + Optional: true, + Description: `Matches a taint key (not necessarily unique).`, + }, + "operator": { + Type: schema.TypeString, + Optional: true, + Description: `Matches a taint operator.`, + }, + "value": { + Type: schema.TypeString, + Optional: true, + Description: `Matches a taint value.`, + }, + }, + }, + }, + "replica_count": { + Type: schema.TypeInt, + Computed: true, + Optional: true, + Description: `Pod replica count.`, + }, + }, + }, + }, + "exemptable_namespaces": { + Type: schema.TypeList, + Optional: true, + Description: `The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "log_denies_enabled": { + Type: schema.TypeBool, + Optional: true, + Description: `Logs all denies and dry run failures.`, + }, + "monitoring": { + Type: schema.TypeList, + Computed: true, + Optional: true, + Description: `Monitoring specifies the configuration of monitoring Policy Controller.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "backends": { + Type: schema.TypeList, + Computed: true, + Optional: true, + Description: `Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export. Possible values: ["MONITORING_BACKEND_UNSPECIFIED", "PROMETHEUS", "CLOUD_MONITORING"]`, + Elem: &schema.Schema{ + Type: schema.TypeString, + ValidateFunc: verify.ValidateEnum([]string{"MONITORING_BACKEND_UNSPECIFIED", "PROMETHEUS", "CLOUD_MONITORING"}), + }, + }, + }, + }, + }, + "mutation_enabled": { + Type: schema.TypeBool, + Optional: true, + Description: `Enables the ability to mutate resources using Policy Controller.`, + }, + "policy_content": { + Type: schema.TypeList, + Optional: true, + Description: `Specifies the desired policy content on the cluster.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "bundles": { + Type: schema.TypeSet, + Optional: true, + Description: `Configures which bundles to install and their corresponding install specs.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "bundle": { + Type: schema.TypeString, + Required: true, + }, + "exempted_namespaces": { + Type: schema.TypeList, + Optional: true, + Description: `The set of namespaces to be exempted from the bundle.`, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + "template_library": { + Type: schema.TypeList, + Computed: true, + Optional: true, + Description: `Configures the installation of the Template Library.`, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "installation": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: verify.ValidateEnum([]string{"INSTALATION_UNSPECIFIED", "NOT_INSTALLED", "ALL", ""}), + Description: `Configures the manner in which the template library is installed on the cluster. Possible values: ["INSTALATION_UNSPECIFIED", "NOT_INSTALLED", "ALL"]`, + }, + }, + }, + }, + }, + }, + }, + "referential_rules_enabled": { + Type: schema.TypeBool, + Optional: true, + Description: `Enables the ability to use Constraint Templates that reference to objects other than the object currently being evaluated.`, + }, + }, + }, + }, + "version": { + Type: schema.TypeString, + Computed: true, + Optional: true, + Description: `Configures the version of Policy Controller`, + }, + }, + }, + }, }, }, }, @@ -872,6 +1112,8 @@ func flattenGKEHub2FeatureFleetDefaultMemberConfig(v interface{}, d *schema.Reso flattenGKEHub2FeatureFleetDefaultMemberConfigMesh(original["mesh"], d, config) transformed["configmanagement"] = flattenGKEHub2FeatureFleetDefaultMemberConfigConfigmanagement(original["configmanagement"], d, config) + transformed["policycontroller"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontroller(original["policycontroller"], d, config) return []interface{}{transformed} } func flattenGKEHub2FeatureFleetDefaultMemberConfigMesh(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { @@ -1031,6 +1273,315 @@ func flattenGKEHub2FeatureFleetDefaultMemberConfigConfigmanagementConfigSyncOciV return v } +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontroller(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["version"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerVersion(original["version"], d, config) + transformed["policy_controller_hub_config"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfig(original["policyControllerHubConfig"], d, config) + return []interface{}{transformed} +} +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerVersion(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfig(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["install_spec"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigInstallSpec(original["installSpec"], d, config) + transformed["audit_interval_seconds"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigAuditIntervalSeconds(original["auditIntervalSeconds"], d, config) + transformed["exemptable_namespaces"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigExemptableNamespaces(original["exemptableNamespaces"], d, config) + transformed["log_denies_enabled"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigLogDeniesEnabled(original["logDeniesEnabled"], d, config) + transformed["mutation_enabled"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigMutationEnabled(original["mutationEnabled"], d, config) + transformed["referential_rules_enabled"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigReferentialRulesEnabled(original["referentialRulesEnabled"], d, config) + transformed["monitoring"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigMonitoring(original["monitoring"], d, config) + transformed["constraint_violation_limit"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigConstraintViolationLimit(original["constraintViolationLimit"], d, config) + transformed["deployment_configs"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigs(original["deploymentConfigs"], d, config) + transformed["policy_content"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContent(original["policyContent"], d, config) + return []interface{}{transformed} +} +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigInstallSpec(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigAuditIntervalSeconds(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + // Handles the string fixed64 format + if strVal, ok := v.(string); ok { + if intVal, err := tpgresource.StringToFixed64(strVal); err == nil { + return intVal + } + } + + // number values are represented as float64 + if floatVal, ok := v.(float64); ok { + intVal := int(floatVal) + return intVal + } + + return v // let terraform core handle it otherwise +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigExemptableNamespaces(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigLogDeniesEnabled(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigMutationEnabled(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigReferentialRulesEnabled(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigMonitoring(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["backends"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigMonitoringBackends(original["backends"], d, config) + return []interface{}{transformed} +} +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigMonitoringBackends(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigConstraintViolationLimit(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + // Handles the string fixed64 format + if strVal, ok := v.(string); ok { + if intVal, err := tpgresource.StringToFixed64(strVal); err == nil { + return intVal + } + } + + // number values are represented as float64 + if floatVal, ok := v.(float64); ok { + intVal := int(floatVal) + return intVal + } + + return v // let terraform core handle it otherwise +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigs(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return v + } + l := v.(map[string]interface{}) + transformed := make([]interface{}, 0, len(l)) + for k, raw := range l { + original := raw.(map[string]interface{}) + transformed = append(transformed, map[string]interface{}{ + "component": k, + "replica_count": flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsReplicaCount(original["replicaCount"], d, config), + "container_resources": flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResources(original["containerResources"], d, config), + "pod_affinity": flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodAffinity(original["podAffinity"], d, config), + "pod_toleration": flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodToleration(original["podTolerations"], d, config), + }) + } + return transformed +} +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsReplicaCount(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + // Handles the string fixed64 format + if strVal, ok := v.(string); ok { + if intVal, err := tpgresource.StringToFixed64(strVal); err == nil { + return intVal + } + } + + // number values are represented as float64 + if floatVal, ok := v.(float64); ok { + intVal := int(floatVal) + return intVal + } + + return v // let terraform core handle it otherwise +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResources(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["limits"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesLimits(original["limits"], d, config) + transformed["requests"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesRequests(original["requests"], d, config) + return []interface{}{transformed} +} +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesLimits(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["memory"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesLimitsMemory(original["memory"], d, config) + transformed["cpu"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesLimitsCpu(original["cpu"], d, config) + return []interface{}{transformed} +} +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesLimitsMemory(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesLimitsCpu(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesRequests(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["memory"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesRequestsMemory(original["memory"], d, config) + transformed["cpu"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesRequestsCpu(original["cpu"], d, config) + return []interface{}{transformed} +} +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesRequestsMemory(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesRequestsCpu(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodAffinity(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodToleration(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return v + } + l := v.([]interface{}) + transformed := make([]interface{}, 0, len(l)) + for _, raw := range l { + original := raw.(map[string]interface{}) + if len(original) < 1 { + // Do not include empty json objects coming back from the api + continue + } + transformed = append(transformed, map[string]interface{}{ + "key": flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodTolerationKey(original["key"], d, config), + "operator": flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodTolerationOperator(original["operator"], d, config), + "value": flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodTolerationValue(original["value"], d, config), + "effect": flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodTolerationEffect(original["effect"], d, config), + }) + } + return transformed +} +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodTolerationKey(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodTolerationOperator(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodTolerationValue(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodTolerationEffect(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContent(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["template_library"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContentTemplateLibrary(original["templateLibrary"], d, config) + transformed["bundles"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContentBundles(original["bundles"], d, config) + return []interface{}{transformed} +} +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContentTemplateLibrary(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return nil + } + original := v.(map[string]interface{}) + if len(original) == 0 { + return nil + } + transformed := make(map[string]interface{}) + transformed["installation"] = + flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContentTemplateLibraryInstallation(original["installation"], d, config) + return []interface{}{transformed} +} +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContentTemplateLibraryInstallation(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContentBundles(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + if v == nil { + return v + } + l := v.(map[string]interface{}) + transformed := make([]interface{}, 0, len(l)) + for k, raw := range l { + original := raw.(map[string]interface{}) + transformed = append(transformed, map[string]interface{}{ + "bundle": k, + "exempted_namespaces": flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContentBundlesExemptedNamespaces(original["exemptedNamespaces"], d, config), + }) + } + return transformed +} +func flattenGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContentBundlesExemptedNamespaces(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { + return v +} + func flattenGKEHub2FeatureState(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { if v == nil { return nil @@ -1267,6 +1818,13 @@ func expandGKEHub2FeatureFleetDefaultMemberConfig(v interface{}, d tpgresource.T transformed["configmanagement"] = transformedConfigmanagement } + transformedPolicycontroller, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontroller(original["policycontroller"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedPolicycontroller); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["policycontroller"] = transformedPolicycontroller + } + return transformed, nil } @@ -1527,6 +2085,454 @@ func expandGKEHub2FeatureFleetDefaultMemberConfigConfigmanagementConfigSyncOciVe return v, nil } +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontroller(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedVersion, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerVersion(original["version"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedVersion); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["version"] = transformedVersion + } + + transformedPolicyControllerHubConfig, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfig(original["policy_controller_hub_config"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedPolicyControllerHubConfig); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["policyControllerHubConfig"] = transformedPolicyControllerHubConfig + } + + return transformed, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerVersion(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfig(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedInstallSpec, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigInstallSpec(original["install_spec"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedInstallSpec); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["installSpec"] = transformedInstallSpec + } + + transformedAuditIntervalSeconds, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigAuditIntervalSeconds(original["audit_interval_seconds"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedAuditIntervalSeconds); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["auditIntervalSeconds"] = transformedAuditIntervalSeconds + } + + transformedExemptableNamespaces, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigExemptableNamespaces(original["exemptable_namespaces"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedExemptableNamespaces); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["exemptableNamespaces"] = transformedExemptableNamespaces + } + + transformedLogDeniesEnabled, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigLogDeniesEnabled(original["log_denies_enabled"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedLogDeniesEnabled); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["logDeniesEnabled"] = transformedLogDeniesEnabled + } + + transformedMutationEnabled, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigMutationEnabled(original["mutation_enabled"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMutationEnabled); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["mutationEnabled"] = transformedMutationEnabled + } + + transformedReferentialRulesEnabled, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigReferentialRulesEnabled(original["referential_rules_enabled"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedReferentialRulesEnabled); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["referentialRulesEnabled"] = transformedReferentialRulesEnabled + } + + transformedMonitoring, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigMonitoring(original["monitoring"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMonitoring); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["monitoring"] = transformedMonitoring + } + + transformedConstraintViolationLimit, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigConstraintViolationLimit(original["constraint_violation_limit"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedConstraintViolationLimit); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["constraintViolationLimit"] = transformedConstraintViolationLimit + } + + transformedDeploymentConfigs, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigs(original["deployment_configs"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedDeploymentConfigs); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["deploymentConfigs"] = transformedDeploymentConfigs + } + + transformedPolicyContent, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContent(original["policy_content"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedPolicyContent); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["policyContent"] = transformedPolicyContent + } + + return transformed, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigInstallSpec(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigAuditIntervalSeconds(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigExemptableNamespaces(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigLogDeniesEnabled(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigMutationEnabled(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigReferentialRulesEnabled(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigMonitoring(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedBackends, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigMonitoringBackends(original["backends"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedBackends); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["backends"] = transformedBackends + } + + return transformed, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigMonitoringBackends(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigConstraintViolationLimit(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigs(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (map[string]interface{}, error) { + if v == nil { + return map[string]interface{}{}, nil + } + m := make(map[string]interface{}) + for _, raw := range v.(*schema.Set).List() { + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedReplicaCount, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsReplicaCount(original["replica_count"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedReplicaCount); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["replicaCount"] = transformedReplicaCount + } + + transformedContainerResources, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResources(original["container_resources"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedContainerResources); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["containerResources"] = transformedContainerResources + } + + transformedPodAffinity, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodAffinity(original["pod_affinity"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedPodAffinity); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["podAffinity"] = transformedPodAffinity + } + + transformedPodToleration, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodToleration(original["pod_toleration"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedPodToleration); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["podTolerations"] = transformedPodToleration + } + + transformedComponent, err := tpgresource.ExpandString(original["component"], d, config) + if err != nil { + return nil, err + } + m[transformedComponent] = transformed + } + return m, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsReplicaCount(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResources(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedLimits, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesLimits(original["limits"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedLimits); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["limits"] = transformedLimits + } + + transformedRequests, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesRequests(original["requests"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedRequests); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["requests"] = transformedRequests + } + + return transformed, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesLimits(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedMemory, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesLimitsMemory(original["memory"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMemory); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["memory"] = transformedMemory + } + + transformedCpu, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesLimitsCpu(original["cpu"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedCpu); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["cpu"] = transformedCpu + } + + return transformed, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesLimitsMemory(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesLimitsCpu(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesRequests(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedMemory, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesRequestsMemory(original["memory"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedMemory); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["memory"] = transformedMemory + } + + transformedCpu, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesRequestsCpu(original["cpu"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedCpu); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["cpu"] = transformedCpu + } + + return transformed, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesRequestsMemory(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsContainerResourcesRequestsCpu(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodAffinity(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodToleration(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + req := make([]interface{}, 0, len(l)) + for _, raw := range l { + if raw == nil { + continue + } + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedKey, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodTolerationKey(original["key"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedKey); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["key"] = transformedKey + } + + transformedOperator, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodTolerationOperator(original["operator"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedOperator); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["operator"] = transformedOperator + } + + transformedValue, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodTolerationValue(original["value"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedValue); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["value"] = transformedValue + } + + transformedEffect, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodTolerationEffect(original["effect"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedEffect); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["effect"] = transformedEffect + } + + req = append(req, transformed) + } + return req, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodTolerationKey(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodTolerationOperator(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodTolerationValue(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigDeploymentConfigsPodTolerationEffect(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContent(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedTemplateLibrary, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContentTemplateLibrary(original["template_library"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedTemplateLibrary); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["templateLibrary"] = transformedTemplateLibrary + } + + transformedBundles, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContentBundles(original["bundles"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedBundles); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["bundles"] = transformedBundles + } + + return transformed, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContentTemplateLibrary(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + l := v.([]interface{}) + if len(l) == 0 || l[0] == nil { + return nil, nil + } + raw := l[0] + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedInstallation, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContentTemplateLibraryInstallation(original["installation"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedInstallation); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["installation"] = transformedInstallation + } + + return transformed, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContentTemplateLibraryInstallation(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContentBundles(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (map[string]interface{}, error) { + if v == nil { + return map[string]interface{}{}, nil + } + m := make(map[string]interface{}) + for _, raw := range v.(*schema.Set).List() { + original := raw.(map[string]interface{}) + transformed := make(map[string]interface{}) + + transformedExemptedNamespaces, err := expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContentBundlesExemptedNamespaces(original["exempted_namespaces"], d, config) + if err != nil { + return nil, err + } else if val := reflect.ValueOf(transformedExemptedNamespaces); val.IsValid() && !tpgresource.IsEmptyValue(val) { + transformed["exemptedNamespaces"] = transformedExemptedNamespaces + } + + transformedBundle, err := tpgresource.ExpandString(original["bundle"], d, config) + if err != nil { + return nil, err + } + m[transformedBundle] = transformed + } + return m, nil +} + +func expandGKEHub2FeatureFleetDefaultMemberConfigPolicycontrollerPolicyControllerHubConfigPolicyContentBundlesExemptedNamespaces(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { + return v, nil +} + func expandGKEHub2FeatureEffectiveLabels(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (map[string]string, error) { if v == nil { return map[string]string{}, nil diff --git a/google-beta/services/gkehub2/resource_gke_hub_feature_test.go b/google-beta/services/gkehub2/resource_gke_hub_feature_test.go index e1e74f7920..9574d2ef99 100644 --- a/google-beta/services/gkehub2/resource_gke_hub_feature_test.go +++ b/google-beta/services/gkehub2/resource_gke_hub_feature_test.go @@ -503,6 +503,169 @@ resource "google_gke_hub_feature" "feature" { `, context) } +func TestAccGKEHubFeature_FleetDefaultMemberConfigPolicyController(t *testing.T) { + // VCR fails to handle batched project services + acctest.SkipIfVcr(t) + t.Parallel() + + context := map[string]interface{}{ + "random_suffix": acctest.RandString(t, 10), + "org_id": envvar.GetTestOrgFromEnv(t), + "billing_account": envvar.GetTestBillingAccountFromEnv(t), + } + + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), + CheckDestroy: testAccCheckGKEHubFeatureDestroyProducer(t), + Steps: []resource.TestStep{ + { + Config: testAccGKEHubFeature_FleetDefaultMemberConfigPolicyController(context), + }, + { + ResourceName: "google_gke_hub_feature.feature", + ImportState: true, + ImportStateVerify: true, + ImportStateVerifyIgnore: []string{"project", "update_time"}, + }, + { + Config: testAccGKEHubFeature_FleetDefaultMemberConfigPolicyControllerUpdate(context), + }, + { + ResourceName: "google_gke_hub_feature.feature", + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccGKEHubFeature_FleetDefaultMemberConfigPolicyControllerUpdateSetEmpty(context), + }, + { + ResourceName: "google_gke_hub_feature.feature", + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func testAccGKEHubFeature_FleetDefaultMemberConfigPolicyController(context map[string]interface{}) string { + return gkeHubFeatureProjectSetupForGA(context) + acctest.Nprintf(` +resource "google_gke_hub_feature" "feature" { + name = "policycontroller" + location = "global" + fleet_default_member_config { + policycontroller { + policy_controller_hub_config { + install_spec = "INSTALL_SPEC_ENABLED" + exemptable_namespaces = ["foo"] + policy_content { + bundles { + bundle = "policy-essentials-v2022" + exempted_namespaces = ["foo", "bar"] + } + } + audit_interval_seconds = 30 + referential_rules_enabled = true + } + } + } + depends_on = [google_project_service.anthos, google_project_service.gkehub, google_project_service.poco] + project = google_project.project.project_id +} +`, context) +} + +func testAccGKEHubFeature_FleetDefaultMemberConfigPolicyControllerUpdate(context map[string]interface{}) string { + return gkeHubFeatureProjectSetupForGA(context) + acctest.Nprintf(` +resource "google_gke_hub_feature" "feature" { + name = "policycontroller" + location = "global" + fleet_default_member_config { + policycontroller { + policy_controller_hub_config { + install_spec = "INSTALL_SPEC_SUSPENDED" + policy_content { + bundles { + bundle = "pci-dss-v3.2.1" + exempted_namespaces = ["baz", "bar"] + } + bundles { + bundle = "nist-sp-800-190" + exempted_namespaces = [] + } + template_library { + installation = "ALL" + } + } + constraint_violation_limit = 50 + referential_rules_enabled = true + log_denies_enabled = true + mutation_enabled = true + deployment_configs { + component = "admission" + replica_count = 2 + pod_affinity = "ANTI_AFFINITY" + } + deployment_configs { + component = "audit" + container_resources { + limits { + memory = "1Gi" + cpu = "1.5" + } + requests { + memory = "500Mi" + cpu = "150m" + } + } + pod_toleration { + key = "key1" + operator = "Equal" + value = "value1" + effect = "NoSchedule" + } + } + monitoring { + backends = [ + "PROMETHEUS" + ] + } + } + } + } + depends_on = [google_project_service.anthos, google_project_service.gkehub, google_project_service.poco] + project = google_project.project.project_id +} +`, context) +} + +func testAccGKEHubFeature_FleetDefaultMemberConfigPolicyControllerUpdateSetEmpty(context map[string]interface{}) string { + return gkeHubFeatureProjectSetupForGA(context) + acctest.Nprintf(` +resource "google_gke_hub_feature" "feature" { + name = "policycontroller" + location = "global" + fleet_default_member_config { + policycontroller { + policy_controller_hub_config { + install_spec = "INSTALL_SPEC_ENABLED" + policy_content {} + constraint_violation_limit = 50 + referential_rules_enabled = true + log_denies_enabled = true + mutation_enabled = true + deployment_configs { + component = "admission" + } + monitoring {} + } + } + } + depends_on = [google_project_service.anthos, google_project_service.gkehub, google_project_service.poco] + project = google_project.project.project_id +} +`, context) +} + func TestAccGKEHubFeature_gkehubFeatureMcsd(t *testing.T) { // VCR fails to handle batched project services acctest.SkipIfVcr(t) @@ -594,6 +757,11 @@ resource "google_project_service" "acm" { service = "anthosconfigmanagement.googleapis.com" } +resource "google_project_service" "poco" { + project = google_project.project.project_id + service = "anthospolicycontroller.googleapis.com" +} + resource "google_project_service" "mcsd" { project = google_project.project.project_id service = "multiclusterservicediscovery.googleapis.com" diff --git a/website/docs/r/gke_hub_feature.html.markdown b/website/docs/r/gke_hub_feature.html.markdown index 89bd68e5e3..85cb9c9801 100644 --- a/website/docs/r/gke_hub_feature.html.markdown +++ b/website/docs/r/gke_hub_feature.html.markdown @@ -168,6 +168,121 @@ resource "google_gke_hub_feature" "feature" { } } ``` +## Example Usage - Enable Fleet Default Member Config Policycontroller + + +```hcl +resource "google_gke_hub_feature" "feature" { + name = "policycontroller" + location = "global" + fleet_default_member_config { + policycontroller { + policy_controller_hub_config { + install_spec = "INSTALL_SPEC_ENABLED" + exemptable_namespaces = ["foo"] + policy_content { + bundles { + bundle = "policy-essentials-v2022" + exempted_namespaces = ["foo", "bar"] + } + template_library { + installation = "ALL" + } + } + audit_interval_seconds = 30 + referential_rules_enabled = true + } + } + } +} +``` +## Example Usage - Enable Fleet Default Member Config Policycontroller Update + + +```hcl +resource "google_gke_hub_feature" "feature" { + name = "policycontroller" + location = "global" + fleet_default_member_config { + policycontroller { + policy_controller_hub_config { + install_spec = "INSTALL_SPEC_SUSPENDED" + policy_content { + bundles { + bundle = "pci-dss-v3.2.1" + exempted_namespaces = ["baz", "bar"] + } + bundles { + bundle = "nist-sp-800-190" + exempted_namespaces = [] + } + template_library { + installation = "ALL" + } + } + constraint_violation_limit = 50 + referential_rules_enabled = true + log_denies_enabled = true + mutation_enabled = true + deployment_configs { + component = "admission" + replica_count = 2 + pod_affinity = "ANTI_AFFINITY" + } + deployment_configs { + component = "audit" + container_resources { + limits { + memory = "1Gi" + cpu = "1.5" + } + requests { + memory = "500Mi" + cpu = "150m" + } + } + pod_toleration { + key = "key1" + operator = "Equal" + value = "value1" + effect = "NoSchedule" + } + } + monitoring { + backends = [ + "PROMETHEUS" + ] + } + } + } + } +} +``` +## Example Usage - Enable Fleet Default Member Config Policycontroller Set Empty + + +```hcl +resource "google_gke_hub_feature" "feature" { + name = "policycontroller" + location = "global" + fleet_default_member_config { + policycontroller { + policy_controller_hub_config { + install_spec = "INSTALL_SPEC_ENABLED" + policy_content {} + constraint_violation_limit = 50 + referential_rules_enabled = true + log_denies_enabled = true + mutation_enabled = true + deployment_configs { + component = "admission" + } + monitoring {} + } + } + } +} +``` ## Argument Reference @@ -272,6 +387,11 @@ The following arguments are supported: Config Management spec Structure is [documented below](#nested_configmanagement). +* `policycontroller` - + (Optional) + Policy Controller spec + Structure is [documented below](#nested_policycontroller). + The `mesh` block supports: @@ -365,6 +485,175 @@ The following arguments are supported: (Optional) Version of ACM installed +The `policycontroller` block supports: + +* `version` - + (Optional) + Configures the version of Policy Controller + +* `policy_controller_hub_config` - + (Required) + Configuration of Policy Controller + Structure is [documented below](#nested_policy_controller_hub_config). + + +The `policy_controller_hub_config` block supports: + +* `install_spec` - + (Required) + Configures the mode of the Policy Controller installation + Possible values are: `INSTALL_SPEC_UNSPECIFIED`, `INSTALL_SPEC_NOT_INSTALLED`, `INSTALL_SPEC_ENABLED`, `INSTALL_SPEC_SUSPENDED`, `INSTALL_SPEC_DETACHED`. + +* `audit_interval_seconds` - + (Optional) + Interval for Policy Controller Audit scans (in seconds). When set to 0, this disables audit functionality altogether. + +* `exemptable_namespaces` - + (Optional) + The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster. + +* `log_denies_enabled` - + (Optional) + Logs all denies and dry run failures. + +* `mutation_enabled` - + (Optional) + Enables the ability to mutate resources using Policy Controller. + +* `referential_rules_enabled` - + (Optional) + Enables the ability to use Constraint Templates that reference to objects other than the object currently being evaluated. + +* `monitoring` - + (Optional) + Monitoring specifies the configuration of monitoring Policy Controller. + Structure is [documented below](#nested_monitoring). + +* `constraint_violation_limit` - + (Optional) + The maximum number of audit violations to be stored in a constraint. If not set, the internal default of 20 will be used. + +* `deployment_configs` - + (Optional) + Map of deployment configs to deployments ("admission", "audit", "mutation"). + Structure is [documented below](#nested_deployment_configs). + +* `policy_content` - + (Optional) + Specifies the desired policy content on the cluster. + Structure is [documented below](#nested_policy_content). + + +The `monitoring` block supports: + +* `backends` - + (Optional) + Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export. + Each value may be one of: `MONITORING_BACKEND_UNSPECIFIED`, `PROMETHEUS`, `CLOUD_MONITORING`. + +The `deployment_configs` block supports: + +* `component` - (Required) The identifier for this object. Format specified above. + +* `replica_count` - + (Optional) + Pod replica count. + +* `container_resources` - + (Optional) + Container resource requirements. + Structure is [documented below](#nested_container_resources). + +* `pod_affinity` - + (Optional) + Pod affinity configuration. + Possible values are: `AFFINITY_UNSPECIFIED`, `NO_AFFINITY`, `ANTI_AFFINITY`. + +* `pod_toleration` - + (Optional) + Pod tolerations of node taints. + Structure is [documented below](#nested_pod_toleration). + + +The `container_resources` block supports: + +* `limits` - + (Optional) + Limits describes the maximum amount of compute resources allowed for use by the running container. + Structure is [documented below](#nested_limits). + +* `requests` - + (Optional) + Requests describes the amount of compute resources reserved for the container by the kube-scheduler. + Structure is [documented below](#nested_requests). + + +The `limits` block supports: + +* `memory` - + (Optional) + Memory requirement expressed in Kubernetes resource units. + +* `cpu` - + (Optional) + CPU requirement expressed in Kubernetes resource units. + +The `requests` block supports: + +* `memory` - + (Optional) + Memory requirement expressed in Kubernetes resource units. + +* `cpu` - + (Optional) + CPU requirement expressed in Kubernetes resource units. + +The `pod_toleration` block supports: + +* `key` - + (Optional) + Matches a taint key (not necessarily unique). + +* `operator` - + (Optional) + Matches a taint operator. + +* `value` - + (Optional) + Matches a taint value. + +* `effect` - + (Optional) + Matches a taint effect. + +The `policy_content` block supports: + +* `template_library` - + (Optional) + Configures the installation of the Template Library. + Structure is [documented below](#nested_template_library). + +* `bundles` - + (Optional) + Configures which bundles to install and their corresponding install specs. + Structure is [documented below](#nested_bundles). + + +The `template_library` block supports: + +* `installation` - + (Optional) + Configures the manner in which the template library is installed on the cluster. + Possible values are: `INSTALATION_UNSPECIFIED`, `NOT_INSTALLED`, `ALL`. + +The `bundles` block supports: + +* `bundle` - (Required) The identifier for this object. Format specified above. + +* `exempted_namespaces` - + (Optional) + The set of namespaces to be exempted from the bundle. + ## Attributes Reference In addition to the arguments listed above, the following computed attributes are exported: