hashicorp · modular-magician · Oct 4, 2021 · Oct 4, 2021
diff --git a/.changelog/5259.txt b/.changelog/5259.txt
@@ -0,0 +1,6 @@
+```release-note:deprecation
+container: deprecated `workload_metadata_configuration.node_metadata` in favor of `workload_metadata_configuration.mode` in `google_container_cluster`
+```
+```release-note:enhancement
+container: added support for `workload_metadata_configuration.mode` in `google_container_cluster`
+```
diff --git a/google/node_config.go b/google/node_config.go
@@ -225,6 +225,8 @@ func schemaNodeConfig() *schema.Schema {
 					},
 				},
 
+				// Note that ExactlyOneOf can't be set because this schema is reused by
+				// two different resources.
 				"workload_metadata_config": {
 					Computed:    true,
 					Type:        schema.TypeList,
@@ -235,10 +237,18 @@ func schemaNodeConfig() *schema.Schema {
 						Schema: map[string]*schema.Schema{
 							"node_metadata": {
 								Type:         schema.TypeString,
-								Required:     true,
+								Optional:     true,
+								Computed:     true,
+								Deprecated:   "Deprecated in favor of mode.",
 								ValidateFunc: validation.StringInSlice([]string{"UNSPECIFIED", "SECURE", "EXPOSE", "GKE_METADATA_SERVER"}, false),
 								Description:  `NodeMetadata is the configuration for how to expose metadata to the workloads running on the node.`,
 							},
+							"mode": {
+								Type:         schema.TypeString,
+								Optional:     true,
+								ValidateFunc: validation.StringInSlice([]string{"MODE_UNSPECIFIED", "GCE_METADATA", "GKE_METADATA"}, false),
+								Description:  `Mode is the configuration for how to expose metadata to workloads running on the node.`,
+							},
 						},
 					},
 				},
@@ -381,11 +391,19 @@ func expandWorkloadMetadataConfig(v interface{}) *containerBeta.WorkloadMetadata
 	if len(ls) == 0 {
 		return nil
 	}
+	wmc := &containerBeta.WorkloadMetadataConfig{}
 
 	cfg := ls[0].(map[string]interface{})
-	return &containerBeta.WorkloadMetadataConfig{
-		NodeMetadata: cfg["node_metadata"].(string),
+
+	if v, ok := cfg["mode"]; ok {
+		wmc.Mode = v.(string)
 	}
+
+	if v, ok := cfg["node_metadata"]; ok {
+		wmc.NodeMetadata = v.(string)
+	}
+
+	return wmc
 }
 
 func flattenNodeConfig(c *containerBeta.NodeConfig) []map[string]interface{} {
@@ -458,6 +476,7 @@ func flattenWorkloadMetadataConfig(c *containerBeta.WorkloadMetadataConfig) []ma
 	result := []map[string]interface{}{}
 	if c != nil {
 		result = append(result, map[string]interface{}{
+			"mode":          c.Mode,
 			"node_metadata": c.NodeMetadata,
 		})
 	}

diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go
@@ -717,7 +717,7 @@ func TestAccContainerCluster_withWorkloadMetadataConfig(t *testing.T) {
 				Config: testAccContainerCluster_withWorkloadMetadataConfig(clusterName),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("google_container_cluster.with_workload_metadata_config",
-						"node_config.0.workload_metadata_config.0.node_metadata", "SECURE"),
+						"node_config.0.workload_metadata_config.0.mode", "GCE_METADATA"),
 				),
 			},
 			{
@@ -2486,7 +2486,7 @@ resource "google_container_cluster" "with_workload_metadata_config" {
     ]
 
     workload_metadata_config {
-      node_metadata = "SECURE"
+      mode = "GCE_METADATA"
     }
   }
 }

diff --git a/google/resource_container_node_pool_test.go b/google/resource_container_node_pool_test.go
@@ -204,6 +204,45 @@ func TestAccContainerNodePool_withWorkloadIdentityConfig(t *testing.T) {
 		Steps: []resource.TestStep{
 			{
 				Config: testAccContainerNodePool_withWorkloadMetadataConfig(cluster, np),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("google_container_node_pool.with_workload_metadata_config",
+						"node_config.0.workload_metadata_config.0.mode", "GCE_METADATA"),
+				),
+			},
+			{
+				ResourceName:      "google_container_node_pool.with_workload_metadata_config",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccContainerNodePool_withWorkloadMetadataConfig_gkeMetadata(pid, cluster, np),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("google_container_node_pool.with_workload_metadata_config",
+						"node_config.0.workload_metadata_config.0.mode", "GKE_METADATA"),
+				),
+			},
+			{
+				ResourceName:      "google_container_node_pool.with_workload_metadata_config",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccContainerNodePool_withWorkloadIdentityConfigDeprecated(t *testing.T) {
+	t.Parallel()
+
+	cluster := fmt.Sprintf("tf-test-cluster-%s", randString(t, 10))
+	np := fmt.Sprintf("tf-test-np-%s", randString(t, 10))
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckContainerClusterDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccContainerNodePool_withWorkloadMetadataConfigNodeMetadata(cluster, np),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("google_container_node_pool.with_workload_metadata_config",
 						"node_config.0.workload_metadata_config.0.node_metadata", "SECURE"),
@@ -213,17 +252,12 @@ func TestAccContainerNodePool_withWorkloadIdentityConfig(t *testing.T) {
 				ResourceName:      "google_container_node_pool.with_workload_metadata_config",
 				ImportState:       true,
 				ImportStateVerify: true,
-				// Import always uses the v1 API, so beta features don't get imported.
-				ImportStateVerifyIgnore: []string{
-					"node_config.0.workload_metadata_config.#",
-					"node_config.0.workload_metadata_config.0.node_metadata",
-				},
 			},
 			{
-				Config: testAccContainerNodePool_withWorkloadMetadataConfig_gkeMetadataServer(pid, cluster, np),
+				Config: testAccContainerNodePool_withWorkloadMetadataConfig(cluster, np),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("google_container_node_pool.with_workload_metadata_config",
-						"node_config.0.workload_metadata_config.0.node_metadata", "GKE_METADATA_SERVER"),
+						"node_config.0.workload_metadata_config.0.mode", "GCE_METADATA"),
 				),
 			},
 			{
@@ -1166,6 +1200,38 @@ resource "google_container_cluster" "cluster" {
   min_master_version = data.google_container_engine_versions.central1a.latest_master_version
 }
 
+resource "google_container_node_pool" "with_workload_metadata_config" {
+  name               = "%s"
+  location           = "us-central1-a"
+  cluster            = google_container_cluster.cluster.name
+  initial_node_count = 1
+  node_config {
+    oauth_scopes = [
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring",
+    ]
+
+    workload_metadata_config {
+      mode = "GCE_METADATA"
+    }
+  }
+}
+`, cluster, np)
+}
+
+func testAccContainerNodePool_withWorkloadMetadataConfigNodeMetadata(cluster, np string) string {
+	return fmt.Sprintf(`
+data "google_container_engine_versions" "central1a" {
+  location = "us-central1-a"
+}
+
+resource "google_container_cluster" "cluster" {
+  name               = "%s"
+  location           = "us-central1-a"
+  initial_node_count = 1
+  min_master_version = data.google_container_engine_versions.central1a.latest_master_version
+}
+
 resource "google_container_node_pool" "with_workload_metadata_config" {
   name               = "%s"
   location           = "us-central1-a"
@@ -1185,7 +1251,7 @@ resource "google_container_node_pool" "with_workload_metadata_config" {
 `, cluster, np)
 }
 
-func testAccContainerNodePool_withWorkloadMetadataConfig_gkeMetadataServer(projectID, cluster, np string) string {
+func testAccContainerNodePool_withWorkloadMetadataConfig_gkeMetadata(projectID, cluster, np string) string {
 	return fmt.Sprintf(`
 data "google_project" "project" {
   project_id = "%s"
@@ -1218,7 +1284,7 @@ resource "google_container_node_pool" "with_workload_metadata_config" {
     ]
 
     workload_metadata_config {
-      node_metadata = "GKE_METADATA_SERVER"
+      mode = "GKE_METADATA"
     }
   }
 }

diff --git a/website/docs/guides/version_4_upgrade.html.markdown b/website/docs/guides/version_4_upgrade.html.markdown
@@ -15,8 +15,8 @@ description: |-
     - [Provider-level change example](#provider-level-change-example)
   - [Datasource: `google_product_resource`](#datasource-google_product_resource)
     - [Datasource-level change example](#datasource-level-change-example)
-  - [Resource: `google_product_resource`](#resource-google_product_resource)
-    - [Resource-level change example](#resource-level-change-example)
+  - [Resource: `google_container_cluster`](#resource-google_container_cluster)
+    - [`node_config.workload_metadata_config.node_metadata` is now removed](#node_configworkload_metadata_confignode_metadata-is-now-removed)
 
 <!-- /TOC -->
 
@@ -152,8 +152,8 @@ resource "google_runtimeconfig_config" "my-runtime-config" {
 
 Description of the change and how users should adjust their configuration (if needed).
 
-## Resource: `google_product_resource`
+## Resource: `google_container_cluster`
 
-### Resource-level change example
+### `node_config.workload_metadata_config.node_metadata` is now removed
 
-Description of the change and how users should adjust their configuration (if needed).
+Removed in favor of `node_config.workload_metadata_config.mode`.
diff --git a/website/docs/r/container_cluster.html.markdown b/website/docs/r/container_cluster.html.markdown
@@ -868,15 +868,21 @@ The `taint` block supports:
 
 * `effect` (Required) Effect for taint. Accepted values are `NO_SCHEDULE`, `PREFER_NO_SCHEDULE`, and `NO_EXECUTE`.
 
-The `workload_metadata_config` block supports:
+The `workload_metadata_config` must have exactly one of `node_metadata` (deprecated) or `mode` set. This block supports:
 
-* `node_metadata` (Required) How to expose the node metadata to the workload running on the node.
+* `node_metadata` (Optional, Deprecated) How to expose the node metadata to the workload running on the node. This is deprecated in favor of `mode`
     Accepted values are:
     * UNSPECIFIED: Not Set
     * SECURE: Prevent workloads not in hostNetwork from accessing certain VM metadata, specifically kube-env, which contains Kubelet credentials, and the instance identity token. See [Metadata Concealment](https://cloud.google.com/kubernetes-engine/docs/how-to/metadata-proxy) documentation.
     * EXPOSE: Expose all VM metadata to pods.
     * GKE_METADATA_SERVER: Enables [workload identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) on the node.
 
+* `mode` (Optional) How to expose the node metadata to the workload running on the node.
+    Accepted values are:
+    * UNSPECIFIED: Not Set
+    * GCE_METADATA: Expose all Compute Engine metadata to pods.
+    * GKE_METADATA: Run the GKE Metadata Server on this node. The GKE Metadata Server exposes a metadata API to workloads that is compatible with the V1 Compute Metadata APIs exposed by the Compute Engine and App Engine Metadata Servers. This feature can only be enabled if [workload identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) is enabled at the cluster level.
+
 The `kubelet_config` block supports:
 
 * `cpu_manager_policy` - (Required) The CPU management policy on the node. See