From 0c7b2dbf92aff33dac8c5beb95568c2bc86dd7de Mon Sep 17 00:00:00 2001 From: Dana Hoffman Date: Tue, 6 Mar 2018 17:41:34 -0800 Subject: [PATCH 1/6] move setid calls back --- google/resource_container_cluster.go | 4 ++-- google/resource_container_node_pool.go | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/google/resource_container_cluster.go b/google/resource_container_cluster.go index 6a0bf337a0c..109cba93d63 100644 --- a/google/resource_container_cluster.go +++ b/google/resource_container_cluster.go @@ -567,8 +567,6 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er } } - d.SetId(clusterName) - // Wait until it's created waitErr := containerSharedOperationWait(config, op, project, zoneName, "creating GKE cluster", timeoutInMinutes, 3) if waitErr != nil { @@ -579,6 +577,8 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er log.Printf("[INFO] GKE cluster %s has been created", clusterName) + d.SetId(clusterName) + return resourceContainerClusterRead(d, meta) } diff --git a/google/resource_container_node_pool.go b/google/resource_container_node_pool.go index aa733d92fb8..6815aac055c 100644 --- a/google/resource_container_node_pool.go +++ b/google/resource_container_node_pool.go @@ -189,8 +189,6 @@ func resourceContainerNodePoolCreate(d *schema.ResourceData, meta interface{}) e } } - d.SetId(fmt.Sprintf("%s/%s/%s", zone, cluster, nodePool.Name)) - timeoutInMinutes := int(d.Timeout(schema.TimeoutCreate).Minutes()) waitErr := containerSharedOperationWait(config, op, project, zone, "creating GKE NodePool", timeoutInMinutes, 3) if waitErr != nil { @@ -201,6 +199,8 @@ func resourceContainerNodePoolCreate(d *schema.ResourceData, meta interface{}) e log.Printf("[INFO] GKE NodePool %s has been created", nodePool.Name) + d.SetId(fmt.Sprintf("%s/%s/%s", zone, cluster, nodePool.Name)) + return resourceContainerNodePoolRead(d, meta) } 
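Review bot: Moving `d.SetId(clusterName)` below the `containerSharedOperationWait` call in the cluster hunk means a create whose operation fails or times out returns before the ID is ever set, so a cluster that GKE is still provisioning ends up with no entry in Terraform state and the next apply creates a second one instead of tainting this one. The pre-patch order kept the half-created resource tracked, which is why the ID was set before the wait. The node pool hunk in this patch has the same problem with `d.SetId(fmt.Sprintf("%s/%s/%s", zone, cluster, nodePool.Name))`. Patch 4 in this series restores the original order; if that revert is kept, a short comment such as `// Set the ID before waiting so a failed/timed-out create is still tracked in state` above each SetId would stop the next person from moving it again. Both enclosing functions start and end outside these hunks.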
From 27a24d4cc3f58877aaa5d162d4d3eab2f2c4318f Mon Sep 17 00:00:00 2001 From: Dana Hoffman Date: Wed, 14 Mar 2018 11:20:55 -0700 Subject: [PATCH 2/6] add support for pod security policy --- google/config.go | 7 +++ google/resource_container_cluster.go | 74 ++++++++++++++++++++++- google/resource_container_cluster_test.go | 44 ++++++++++++++ 3 files changed, 124 insertions(+), 1 deletion(-) diff --git a/google/config.go b/google/config.go index a2910a1ee11..78935c9fd78 100644 --- a/google/config.go +++ b/google/config.go @@ -167,6 +167,13 @@ func (c *Config) loadAndValidate() error { } c.clientContainer.UserAgent = userAgent + log.Printf("[INFO] Instantiating GKE Beta client...") + c.clientContainerBeta, err = containerBeta.New(client) + if err != nil { + return err + } + c.clientContainerBeta.UserAgent = userAgent + log.Printf("[INFO] Instantiating Google Cloud DNS client...") c.clientDns, err = dns.New(client) if err != nil { diff --git a/google/resource_container_cluster.go b/google/resource_container_cluster.go index 109cba93d63..8e8901efcad 100644 --- a/google/resource_container_cluster.go +++ b/google/resource_container_cluster.go @@ -18,7 +18,7 @@ import ( var ( instanceGroupManagerURL = regexp.MustCompile("^https://www.googleapis.com/compute/v1/projects/([a-z][a-z0-9-]{5}(?:[-a-z0-9]{0,23}[a-z0-9])?)/zones/([a-z0-9-]*)/instanceGroupManagers/([^/]*)") ContainerClusterBaseApiVersion = v1 - ContainerClusterVersionedFeatures = []Feature{} + ContainerClusterVersionedFeatures = []Feature{Feature{Version: v1beta1, Item: "pod_security_policy_config"}} networkConfig = &schema.Resource{ Schema: map[string]*schema.Schema{ 
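Review bot: In the `var` hunk, `[]Feature{Feature{Version: v1beta1, Item: "pod_security_policy_config"}}` repeats the element type inside the slice literal; `gofmt -s` reduces it to `ContainerClusterVersionedFeatures = []Feature{{Version: v1beta1, Item: "pod_security_policy_config"}}`, which is the form the rest of the provider's composite literals use. The config.go hunk that instantiates the beta client follows the surrounding client setup exactly (same error return, same `UserAgent` assignment), so nothing to raise there.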
@@ -337,6 +337,23 @@ func resourceContainerCluster() *schema.Resource { Computed: true, }, + "pod_security_policy_config": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + // Remove update support for now: https://issuetracker.google.com/74063492 + ForceNew: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "enabled": { + Type: schema.TypeBool, + Optional: true, + ForceNew: true, + }, + }, + }, + }, + "project": { Type: schema.TypeString, Optional: true, @@ -534,6 +551,10 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er } } + if v, ok := d.GetOk("pod_security_policy_config"); ok { + cluster.PodSecurityPolicyConfig = expandPodSecurityPolicyConfig(v) + } + req := &containerBeta.CreateClusterRequest{ Cluster: cluster, } @@ -701,6 +722,12 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro d.Set("instance_group_urls", igUrls) } + if cluster.PodSecurityPolicyConfig != nil { + if err := d.Set("pod_security_policy_config", flattenPodSecurityPolicyConfig(cluster.PodSecurityPolicyConfig)); err != nil { + return err + } + } + return nil } 
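Review bot: In the create hunk, `if v, ok := d.GetOk("pod_security_policy_config"); ok` relies on the SDK's zero-value check to decide whether the block is present, and whether `ok` is true for a one-element list whose only field is `enabled = false` depends on how that check treats the nested value; if it reports the block as absent, the explicit `false` that `expandPodSecurityPolicyConfig` deliberately sends via `ForceSendFields` never reaches the API and the cluster is created with the API default instead. Keying on the block's presence rather than its zero-ness avoids the question: `if v := d.Get("pod_security_policy_config").([]interface{}); len(v) > 0 { cluster.PodSecurityPolicyConfig = expandPodSecurityPolicyConfig(v) }`. The read hunk only writes the field when the API returns a non-nil config, which is fine while the block is ForceNew, but a one-line comment saying so (`// nil from the API means the feature is unset; leave state untouched since the block is ForceNew`) would record the intent. resourceContainerClusterCreate and resourceContainerClusterRead both start and end outside these hunks.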
@@ -1063,6 +1090,32 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er d.SetPartial("logging_service") } + // Remove update support for now: https://issuetracker.google.com/74063492 + // if d.HasChange("pod_security_policy_config") { + // c := d.Get("pod_security_policy_config") + // req := &containerBeta.UpdateClusterRequest{ + // Update: &containerBeta.ClusterUpdate{ + // DesiredPodSecurityPolicyConfig: expandPodSecurityPolicyConfig(c), + // }, + // } + + // updateF := func() error { + // op, err := config.clientContainerBeta.Projects.Zones.Clusters.Update( + // project, zoneName, clusterName, req).Do() + // if err != nil { + // return err + // } + // // Wait until it's updated + // return containerSharedOperationWait(config, op, project, zoneName, "updating GKE cluster pod security policy config", timeoutInMinutes, 2) + // } + // if err := lockedCall(lockKey, updateF); err != nil { + // return err + // } + // log.Printf("[INFO] GKE cluster %s pod security policy config has been updated", d.Id()) + + // d.SetPartial("pod_security_policy_config") + // } + d.Partial(false) return resourceContainerClusterRead(d, meta) @@ -1229,6 +1282,16 @@ func expandNetworkPolicy(configured interface{}) *containerBeta.NetworkPolicy { return result } +func expandPodSecurityPolicyConfig(configured interface{}) *containerBeta.PodSecurityPolicyConfig { + result := &containerBeta.PodSecurityPolicyConfig{} + if len(configured.([]interface{})) > 0 { + config := configured.([]interface{})[0].(map[string]interface{}) + result.Enabled = config["enabled"].(bool) + result.ForceSendFields = []string{"Enabled"} + } + return result +} + func flattenNetworkPolicy(c *containerBeta.NetworkPolicy) []map[string]interface{} { result := []map[string]interface{}{} if c != nil { 
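Review bot: `expandPodSecurityPolicyConfig` indexes `configured.([]interface{})[0]` and asserts it to `map[string]interface{}` with no nil check, and the SDK can represent an empty nested block as a one-element list whose element is nil, so an empty `pod_security_policy_config {}` block turns into a panic during plan/apply rather than an error (patch 3 later makes `enabled` required, which narrows this for new configs but does not harden the function itself). The `[]interface{}` assertion is also performed twice. I'd assert once and guard the element: `l := configured.([]interface{})` / `if len(l) > 0 && l[0] != nil {` / `config := l[0].(map[string]interface{})`. Naming the inner map `config` also shadows the name this file conventionally uses for `*Config`; `cfg` or `m` would read less ambiguously. The commented-out update block in the first hunk is dead text and patch 6 removes it, so nothing further there.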
@@ -1317,6 +1380,15 @@ func flattenMasterAuthorizedNetworksConfig(c *containerBeta.MasterAuthorizedNetw return []map[string]interface{}{result} } +func flattenPodSecurityPolicyConfig(c *containerBeta.PodSecurityPolicyConfig) []map[string]interface{} { + d := []map[string]interface{}{ + { + "enabled": c.Enabled, + }, + } + return d +} + func resourceContainerClusterStateImporter(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { parts := strings.Split(d.Id(), "/") if len(parts) != 2 { diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go index 2e4f3d94a85..538213433e6 100644 --- a/google/resource_container_cluster_test.go +++ b/google/resource_container_cluster_test.go @@ -719,6 +719,37 @@ func TestAccContainerCluster_withIPAllocationPolicy(t *testing.T) { }) } +func TestAccContainerCluster_withPodSecurityPolicy(t *testing.T) { + t.Parallel() + + clusterName := fmt.Sprintf("cluster-test-%s", acctest.RandString(10)) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckContainerClusterDestroy, + Steps: []resource.TestStep{ + { + Config: testAccContainerCluster_withPodSecurityPolicy(clusterName, true), + Check: resource.ComposeTestCheckFunc( + testAccCheckContainerCluster( + "google_container_cluster.with_pod_security_policy"), + resource.TestCheckResourceAttr("google_container_cluster.with_pod_security_policy", + "pod_security_policy_config.0.enabled", "true"), + ), + }, + // Remove update support for now: https://issuetracker.google.com/74063492 + // { + // Config: testAccContainerCluster_withPodSecurityPolicy(clusterName, false), + // Check: resource.ComposeTestCheckFunc( + // testAccCheckContainerCluster( + // "google_container_cluster.with_pod_security_policy"), + // ), + // }, + }, + }) +} + func testAccCheckContainerClusterDestroy(s *terraform.State) error { config := testAccProvider.Meta().(*Config) 
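Review bot: `flattenPodSecurityPolicyConfig` dereferences `c.Enabled` without a nil check, so it is only safe because its single caller in `resourceContainerClusterRead` guards `cluster.PodSecurityPolicyConfig != nil` first; the sibling `flattenNetworkPolicy` in the same file is written nil-safe (`if c != nil` around the body), and a future caller that omits the guard gets a panic instead of an empty list. I'd open the function with `if c == nil { return []map[string]interface{}{} }` to match the sibling; patch 5's rewrite of this function to a direct `return` keeps the same gap. In the test hunk, the single step only checks `enabled = true`, so the `enabled = false` path that `ForceSendFields` in the expand helper exists for is never exercised at create time; a second test case creating with `false` and asserting `pod_security_policy_config.0.enabled` is `"false"` would cover it without needing the commented-out update step.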
@@ -1643,3 +1674,16 @@ resource "google_container_cluster" "with_ip_allocation_policy" { } }`, acctest.RandString(10), secondaryRanges.String(), cluster, ipAllocationPolicy.String()) } + +func testAccContainerCluster_withPodSecurityPolicy(clusterName string, enabled bool) string { + return fmt.Sprintf(` +resource "google_container_cluster" "with_pod_security_policy" { + name = "cluster-test-%s" + zone = "us-central1-a" + initial_node_count = 1 + + pod_security_policy_config { + enabled = %v + } +}`, clusterName, enabled) +} From 1a567a8ffe0a722176851c08ffdd594bde5b5fbe Mon Sep 17 00:00:00 2001 From: Dana Hoffman Date: Wed, 14 Mar 2018 11:29:01 -0700 Subject: [PATCH 3/6] pod security policy docs --- google/resource_container_cluster.go | 2 +- website/docs/r/container_cluster.html.markdown | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/google/resource_container_cluster.go b/google/resource_container_cluster.go index 8e8901efcad..c40e4bd6b0a 100644 --- a/google/resource_container_cluster.go +++ b/google/resource_container_cluster.go @@ -347,7 +347,7 @@ func resourceContainerCluster() *schema.Resource { Schema: map[string]*schema.Schema{ "enabled": { Type: schema.TypeBool, - Optional: true, + Required: true, ForceNew: true, }, }, diff --git a/website/docs/r/container_cluster.html.markdown b/website/docs/r/container_cluster.html.markdown index 559ee9806a8..ee67d1c70f6 100644 --- a/website/docs/r/container_cluster.html.markdown +++ b/website/docs/r/container_cluster.html.markdown 
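Review bot: `testAccContainerCluster_withPodSecurityPolicy` formats the cluster `name` as `"cluster-test-%s"`, but its caller `TestAccContainerCluster_withPodSecurityPolicy` already builds `clusterName` as `cluster-test-<random>`, so the cluster is created as `cluster-test-cluster-test-…`. Either pass only the random suffix from the test or use `name = "%s"` in the template so the name the test computes is the name that gets created. The `enabled` Optional→Required change in patch 3 is a sensible tightening for a block whose only purpose is that one flag.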
@@ -148,6 +148,10 @@ output "cluster_ca_certificate" { or set to the same value as `min_master_version` on create. Defaults to the default version set by GKE which is not necessarily the latest version. +* `pod_security_policy_config` - (Optional, [Beta](/docs/providers/google/index.html#beta-features)) Configuration for the + [PodSecurityPolicy](https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies) feature. + Structure is documented below. + * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used. @@ -292,6 +296,11 @@ The `guest_accelerator` block supports: * `count` (Required) - The number of the guest accelerator cards exposed to this instance. +The `pod_security_policy_config` block supports: + +* `enabled` (Required) - Enable the PodSecurityPolicy controller for this cluster. + If enabled, pods must be valid under a PodSecurityPolicy to be created. + ## Attributes Reference In addition to the arguments listed above, the following computed attributes are From 31881eb95514f00447fb4a50c124ca329f2b5082 Mon Sep 17 00:00:00 2001 From: Dana Hoffman Date: Wed, 14 Mar 2018 11:34:16 -0700 Subject: [PATCH 4/6] Revert "move setid calls back" This reverts commit 0c7b2dbf92aff33dac8c5beb95568c2bc86dd7de. --- google/resource_container_cluster.go | 4 ++-- google/resource_container_node_pool.go | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/google/resource_container_cluster.go b/google/resource_container_cluster.go index c40e4bd6b0a..3191fb5c66e 100644 --- a/google/resource_container_cluster.go +++ b/google/resource_container_cluster.go @@ -588,6 +588,8 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er } } + d.SetId(clusterName) + // Wait until it's created waitErr := containerSharedOperationWait(config, op, project, zoneName, "creating GKE cluster", timeoutInMinutes, 3) if waitErr != nil { 
@@ -598,8 +600,6 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er log.Printf("[INFO] GKE cluster %s has been created", clusterName) - d.SetId(clusterName) - return resourceContainerClusterRead(d, meta) } diff --git a/google/resource_container_node_pool.go b/google/resource_container_node_pool.go index 6815aac055c..aa733d92fb8 100644 --- a/google/resource_container_node_pool.go +++ b/google/resource_container_node_pool.go @@ -189,6 +189,8 @@ func resourceContainerNodePoolCreate(d *schema.ResourceData, meta interface{}) e } } + d.SetId(fmt.Sprintf("%s/%s/%s", zone, cluster, nodePool.Name)) + timeoutInMinutes := int(d.Timeout(schema.TimeoutCreate).Minutes()) waitErr := containerSharedOperationWait(config, op, project, zone, "creating GKE NodePool", timeoutInMinutes, 3) if waitErr != nil { @@ -199,8 +201,6 @@ func resourceContainerNodePoolCreate(d *schema.ResourceData, meta interface{}) e log.Printf("[INFO] GKE NodePool %s has been created", nodePool.Name) - d.SetId(fmt.Sprintf("%s/%s/%s", zone, cluster, nodePool.Name)) - return resourceContainerNodePoolRead(d, meta) } From c64f4f281058ca82ce10b15312026adcdfe4901c Mon Sep 17 00:00:00 2001 From: Dana Hoffman Date: Wed, 14 Mar 2018 11:36:15 -0700 Subject: [PATCH 5/6] cleanup --- google/resource_container_cluster.go | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/google/resource_container_cluster.go b/google/resource_container_cluster.go index 3191fb5c66e..ab123fb0b1e 100644 --- a/google/resource_container_cluster.go +++ b/google/resource_container_cluster.go @@ -341,7 +341,7 @@ func resourceContainerCluster() *schema.Resource { Type: schema.TypeList, Optional: true, MaxItems: 1, - // Remove update support for now: https://issuetracker.google.com/74063492 + // Disable update support for now: https://issuetracker.google.com/74063492 ForceNew: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ 
@@ -1090,7 +1090,7 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er d.SetPartial("logging_service") } - // Remove update support for now: https://issuetracker.google.com/74063492 + // Disable update support for now: https://issuetracker.google.com/74063492 // if d.HasChange("pod_security_policy_config") { // c := d.Get("pod_security_policy_config") // req := &containerBeta.UpdateClusterRequest{ @@ -1381,12 +1381,11 @@ func flattenMasterAuthorizedNetworksConfig(c *containerBeta.MasterAuthorizedNetw } func flattenPodSecurityPolicyConfig(c *containerBeta.PodSecurityPolicyConfig) []map[string]interface{} { - d := []map[string]interface{}{ + return []map[string]interface{}{ { "enabled": c.Enabled, }, } - return d } func resourceContainerClusterStateImporter(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { From 3d5b0aed4e1c85e0adb4a0031cd6a33972dbc985 Mon Sep 17 00:00:00 2001 From: Dana Hoffman Date: Wed, 14 Mar 2018 13:48:49 -0700 Subject: [PATCH 6/6] remove comments about disabling update --- google/resource_container_cluster.go | 27 ----------------------- google/resource_container_cluster_test.go | 8 ------- 2 files changed, 35 deletions(-) diff --git a/google/resource_container_cluster.go b/google/resource_container_cluster.go index ab123fb0b1e..84ee93e643c 100644 --- a/google/resource_container_cluster.go +++ b/google/resource_container_cluster.go @@ -341,7 +341,6 @@ func resourceContainerCluster() *schema.Resource { Type: schema.TypeList, Optional: true, MaxItems: 1, - // Disable update support for now: https://issuetracker.google.com/74063492 ForceNew: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ 
@@ -1090,32 +1089,6 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er d.SetPartial("logging_service") } - // Disable update support for now: https://issuetracker.google.com/74063492 - // if d.HasChange("pod_security_policy_config") { - // c := d.Get("pod_security_policy_config") - // req := &containerBeta.UpdateClusterRequest{ - // Update: &containerBeta.ClusterUpdate{ - // DesiredPodSecurityPolicyConfig: expandPodSecurityPolicyConfig(c), - // }, - // } - - // updateF := func() error { - // op, err := config.clientContainerBeta.Projects.Zones.Clusters.Update( - // project, zoneName, clusterName, req).Do() - // if err != nil { - // return err - // } - // // Wait until it's updated - // return containerSharedOperationWait(config, op, project, zoneName, "updating GKE cluster pod security policy config", timeoutInMinutes, 2) - // } - // if err := lockedCall(lockKey, updateF); err != nil { - // return err - // } - // log.Printf("[INFO] GKE cluster %s pod security policy config has been updated", d.Id()) - - // d.SetPartial("pod_security_policy_config") - // } - d.Partial(false) return resourceContainerClusterRead(d, meta) diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go index 538213433e6..24b8660064c 100644 --- a/google/resource_container_cluster_test.go +++ b/google/resource_container_cluster_test.go @@ -738,14 +738,6 @@ func TestAccContainerCluster_withPodSecurityPolicy(t *testing.T) { "pod_security_policy_config.0.enabled", "true"), ), }, - // Remove update support for now: https://issuetracker.google.com/74063492 - // { - // Config: testAccContainerCluster_withPodSecurityPolicy(clusterName, false), - // Check: resource.ComposeTestCheckFunc( - // testAccCheckContainerCluster( - // "google_container_cluster.with_pod_security_policy"), - // ), - // }, }, }) }