hashicorp · modular-magician · Dec 3, 2024 · Dec 3, 2024
@@ -0,0 +1,15 @@
+```release-note:enhancement
+cloudbuild: added `private_service_connect` field to `google_cloudbuild_worker_pool` resource
+```
+```release-note:enhancement
+clouddeploy: added `associated_entities` field to `google_clouddeploy_target` resource
+```
+```release-note:enhancement
+clouddeploy: added `serial_pipeline.strategy.canary.runtime_config.kubernetes.gateway_service_mesh.route_destinations` field to `google_clouddeploy_delivery_pipeline` resource
+```
+```release-note:enhancement
+gkehub: added `configmanagement.config_sync.stop_syncing` field to `google_gke_hub_feature_membership` resource
+```
+```release-note:deprecation
+gkehub: deprecated `configmanagement.config_sync.metrics_gcp_service_account_email` in `google_gke_hub_feature_membership` resource
+```
@@ -4,7 +4,7 @@ go 1.23
 
 require (
 	cloud.google.com/go/bigtable v1.33.0
-	github.com/GoogleCloudPlatform/declarative-resource-client-library v1.75.0
+	github.com/GoogleCloudPlatform/declarative-resource-client-library v1.76.0
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/davecgh/go-spew v1.1.1
 	github.com/dnaeon/go-vcr v1.0.1

@@ -22,8 +22,8 @@ cloud.google.com/go/monitoring v1.21.2/go.mod h1:hS3pXvaG8KgWTSz+dAdyzPrGUYmi2Q+
 dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
 dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/GoogleCloudPlatform/declarative-resource-client-library v1.75.0 h1:7tFkHNjfjm7dYnjqyuzMon+31lPaMTjca3OuamWd0Oo=
-github.com/GoogleCloudPlatform/declarative-resource-client-library v1.75.0/go.mod h1:pL2Qt5HT+x6xrTd806oMiM3awW6kNIXB/iiuClz6m6k=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.76.0 h1:VH/j8GmTsvPds/NkGfo4OYr9C7R8ysikaqq4rcDUT0s=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.76.0/go.mod h1:pL2Qt5HT+x6xrTd806oMiM3awW6kNIXB/iiuClz6m6k=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
 github.com/ProtonMail/go-crypto v1.1.0-alpha.2 h1:bkyFVUP+ROOARdgCiJzNQo2V2kiB97LyUpzH9P6Hrlg=

@@ -60,7 +60,7 @@ func ResourceAssuredWorkloadsWorkload() *schema.Resource {
 				Type:        schema.TypeString,
 				Required:    true,
 				ForceNew:    true,
-				Description: "Required. Immutable. Compliance Regime associated with this workload. Possible values: COMPLIANCE_REGIME_UNSPECIFIED, IL4, CJIS, FEDRAMP_HIGH, FEDRAMP_MODERATE, US_REGIONAL_ACCESS, HIPAA, HITRUST, EU_REGIONS_AND_SUPPORT, CA_REGIONS_AND_SUPPORT, ITAR, AU_REGIONS_AND_US_SUPPORT, ASSURED_WORKLOADS_FOR_PARTNERS, ISR_REGIONS, ISR_REGIONS_AND_SUPPORT, CA_PROTECTED_B, IL5, IL2, JP_REGIONS_AND_SUPPORT, KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS, REGIONAL_CONTROLS, HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS, HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_WITH_US_SUPPORT",
+				Description: "Required. Immutable. Compliance Regime associated with this workload. Possible values: COMPLIANCE_REGIME_UNSPECIFIED, IL4, CJIS, FEDRAMP_HIGH, FEDRAMP_MODERATE, US_REGIONAL_ACCESS, HIPAA, HITRUST, EU_REGIONS_AND_SUPPORT, CA_REGIONS_AND_SUPPORT, ITAR, AU_REGIONS_AND_US_SUPPORT, ASSURED_WORKLOADS_FOR_PARTNERS, ISR_REGIONS, ISR_REGIONS_AND_SUPPORT, CA_PROTECTED_B, IL5, IL2, JP_REGIONS_AND_SUPPORT, KSA_REGIONS_AND_SUPPORT_WITH_SOVEREIGNTY_CONTROLS, REGIONAL_CONTROLS, HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS, HEALTHCARE_AND_LIFE_SCIENCES_CONTROLS_WITH_US_SUPPORT, IRS_1075",
 			},
 
 			"display_name": {

@@ -84,12 +84,23 @@ func ResourceCloudbuildWorkerPool() *schema.Resource {
 			},
 
 			"network_config": {
-				Type:        schema.TypeList,
-				Optional:    true,
-				ForceNew:    true,
-				Description: "Network configuration for the `WorkerPool`.",
-				MaxItems:    1,
-				Elem:        CloudbuildWorkerPoolNetworkConfigSchema(),
+				Type:          schema.TypeList,
+				Optional:      true,
+				ForceNew:      true,
+				Description:   "Network configuration for the `WorkerPool`.",
+				MaxItems:      1,
+				Elem:          CloudbuildWorkerPoolNetworkConfigSchema(),
+				ConflictsWith: []string{"private_service_connect"},
+			},
+
+			"private_service_connect": {
+				Type:          schema.TypeList,
+				Optional:      true,
+				ForceNew:      true,
+				Description:   "Private Service Connect configuration for the pool.",
+				MaxItems:      1,
+				Elem:          CloudbuildWorkerPoolPrivateServiceConnectSchema(),
+				ConflictsWith: []string{"network_config"},
 			},
 
 			"project": {
@@ -171,6 +182,27 @@ func CloudbuildWorkerPoolNetworkConfigSchema() *schema.Resource {
 	}
 }
 
+func CloudbuildWorkerPoolPrivateServiceConnectSchema() *schema.Resource {
+	return &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			"network_attachment": {
+				Type:             schema.TypeString,
+				Required:         true,
+				ForceNew:         true,
+				DiffSuppressFunc: tpgresource.CompareSelfLinkOrResourceName,
+				Description:      "Required. Immutable. The network attachment that the worker network interface is connected to. Must be in the format `projects/{project}/regions/{region}/networkAttachments/{networkAttachment}`. The region of network attachment must be the same as the worker pool. See [Network Attachments](https://cloud.google.com/vpc/docs/about-network-attachments)",
+			},
+
+			"route_all_traffic": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				ForceNew:    true,
+				Description: "Immutable. Route all traffic through PSC interface. Enable this if you want full control of traffic in the private pool. Configure Cloud NAT for the subnet of network attachment if you need to access public Internet. If false, Only route private IPs, e.g. 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 through PSC interface.",
+			},
+		},
+	}
+}
+
 func CloudbuildWorkerPoolWorkerConfigSchema() *schema.Resource {
 	return &schema.Resource{
 		Schema: map[string]*schema.Schema{
@@ -204,13 +236,14 @@ func resourceCloudbuildWorkerPoolCreate(d *schema.ResourceData, meta interface{}
 	}
 
 	obj := &cloudbuild.WorkerPool{
-		Location:      dcl.String(d.Get("location").(string)),
-		Name:          dcl.String(d.Get("name").(string)),
-		DisplayName:   dcl.String(d.Get("display_name").(string)),
-		Annotations:   tpgresource.CheckStringMap(d.Get("effective_annotations")),
-		NetworkConfig: expandCloudbuildWorkerPoolNetworkConfig(d.Get("network_config")),
-		Project:       dcl.String(project),
-		WorkerConfig:  expandCloudbuildWorkerPoolWorkerConfig(d.Get("worker_config")),
+		Location:              dcl.String(d.Get("location").(string)),
+		Name:                  dcl.String(d.Get("name").(string)),
+		DisplayName:           dcl.String(d.Get("display_name").(string)),
+		Annotations:           tpgresource.CheckStringMap(d.Get("effective_annotations")),
+		NetworkConfig:         expandCloudbuildWorkerPoolNetworkConfig(d.Get("network_config")),
+		PrivateServiceConnect: expandCloudbuildWorkerPoolPrivateServiceConnect(d.Get("private_service_connect")),
+		Project:               dcl.String(project),
+		WorkerConfig:          expandCloudbuildWorkerPoolWorkerConfig(d.Get("worker_config")),
 	}
 
 	id, err := obj.ID()
@@ -258,13 +291,14 @@ func resourceCloudbuildWorkerPoolRead(d *schema.ResourceData, meta interface{})
 	}
 
 	obj := &cloudbuild.WorkerPool{
-		Location:      dcl.String(d.Get("location").(string)),
-		Name:          dcl.String(d.Get("name").(string)),
-		DisplayName:   dcl.String(d.Get("display_name").(string)),
-		Annotations:   tpgresource.CheckStringMap(d.Get("effective_annotations")),
-		NetworkConfig: expandCloudbuildWorkerPoolNetworkConfig(d.Get("network_config")),
-		Project:       dcl.String(project),
-		WorkerConfig:  expandCloudbuildWorkerPoolWorkerConfig(d.Get("worker_config")),
+		Location:              dcl.String(d.Get("location").(string)),
+		Name:                  dcl.String(d.Get("name").(string)),
+		DisplayName:           dcl.String(d.Get("display_name").(string)),
+		Annotations:           tpgresource.CheckStringMap(d.Get("effective_annotations")),
+		NetworkConfig:         expandCloudbuildWorkerPoolNetworkConfig(d.Get("network_config")),
+		PrivateServiceConnect: expandCloudbuildWorkerPoolPrivateServiceConnect(d.Get("private_service_connect")),
+		Project:               dcl.String(project),
+		WorkerConfig:          expandCloudbuildWorkerPoolWorkerConfig(d.Get("worker_config")),
 	}
 
 	userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent)
@@ -304,6 +338,9 @@ func resourceCloudbuildWorkerPoolRead(d *schema.ResourceData, meta interface{})
 	if err = d.Set("network_config", flattenCloudbuildWorkerPoolNetworkConfig(res.NetworkConfig)); err != nil {
 		return fmt.Errorf("error setting network_config in state: %s", err)
 	}
+	if err = d.Set("private_service_connect", flattenCloudbuildWorkerPoolPrivateServiceConnect(res.PrivateServiceConnect)); err != nil {
+		return fmt.Errorf("error setting private_service_connect in state: %s", err)
+	}
 	if err = d.Set("project", res.Project); err != nil {
 		return fmt.Errorf("error setting project in state: %s", err)
 	}
@@ -339,13 +376,14 @@ func resourceCloudbuildWorkerPoolUpdate(d *schema.ResourceData, meta interface{}
 	}
 
 	obj := &cloudbuild.WorkerPool{
-		Location:      dcl.String(d.Get("location").(string)),
-		Name:          dcl.String(d.Get("name").(string)),
-		DisplayName:   dcl.String(d.Get("display_name").(string)),
-		Annotations:   tpgresource.CheckStringMap(d.Get("effective_annotations")),
-		NetworkConfig: expandCloudbuildWorkerPoolNetworkConfig(d.Get("network_config")),
-		Project:       dcl.String(project),
-		WorkerConfig:  expandCloudbuildWorkerPoolWorkerConfig(d.Get("worker_config")),
+		Location:              dcl.String(d.Get("location").(string)),
+		Name:                  dcl.String(d.Get("name").(string)),
+		DisplayName:           dcl.String(d.Get("display_name").(string)),
+		Annotations:           tpgresource.CheckStringMap(d.Get("effective_annotations")),
+		NetworkConfig:         expandCloudbuildWorkerPoolNetworkConfig(d.Get("network_config")),
+		PrivateServiceConnect: expandCloudbuildWorkerPoolPrivateServiceConnect(d.Get("private_service_connect")),
+		Project:               dcl.String(project),
+		WorkerConfig:          expandCloudbuildWorkerPoolWorkerConfig(d.Get("worker_config")),
 	}
 	directive := tpgdclresource.UpdateDirective
 	userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent)
@@ -388,13 +426,14 @@ func resourceCloudbuildWorkerPoolDelete(d *schema.ResourceData, meta interface{}
 	}
 
 	obj := &cloudbuild.WorkerPool{
-		Location:      dcl.String(d.Get("location").(string)),
-		Name:          dcl.String(d.Get("name").(string)),
-		DisplayName:   dcl.String(d.Get("display_name").(string)),
-		Annotations:   tpgresource.CheckStringMap(d.Get("effective_annotations")),
-		NetworkConfig: expandCloudbuildWorkerPoolNetworkConfig(d.Get("network_config")),
-		Project:       dcl.String(project),
-		WorkerConfig:  expandCloudbuildWorkerPoolWorkerConfig(d.Get("worker_config")),
+		Location:              dcl.String(d.Get("location").(string)),
+		Name:                  dcl.String(d.Get("name").(string)),
+		DisplayName:           dcl.String(d.Get("display_name").(string)),
+		Annotations:           tpgresource.CheckStringMap(d.Get("effective_annotations")),
+		NetworkConfig:         expandCloudbuildWorkerPoolNetworkConfig(d.Get("network_config")),
+		PrivateServiceConnect: expandCloudbuildWorkerPoolPrivateServiceConnect(d.Get("private_service_connect")),
+		Project:               dcl.String(project),
+		WorkerConfig:          expandCloudbuildWorkerPoolWorkerConfig(d.Get("worker_config")),
 	}
 
 	log.Printf("[DEBUG] Deleting WorkerPool %q", d.Id())
@@ -471,6 +510,34 @@ func flattenCloudbuildWorkerPoolNetworkConfig(obj *cloudbuild.WorkerPoolNetworkC
 
 }
 
+func expandCloudbuildWorkerPoolPrivateServiceConnect(o interface{}) *cloudbuild.WorkerPoolPrivateServiceConnect {
+	if o == nil {
+		return cloudbuild.EmptyWorkerPoolPrivateServiceConnect
+	}
+	objArr := o.([]interface{})
+	if len(objArr) == 0 || objArr[0] == nil {
+		return cloudbuild.EmptyWorkerPoolPrivateServiceConnect
+	}
+	obj := objArr[0].(map[string]interface{})
+	return &cloudbuild.WorkerPoolPrivateServiceConnect{
+		NetworkAttachment: dcl.String(obj["network_attachment"].(string)),
+		RouteAllTraffic:   dcl.Bool(obj["route_all_traffic"].(bool)),
+	}
+}
+
+func flattenCloudbuildWorkerPoolPrivateServiceConnect(obj *cloudbuild.WorkerPoolPrivateServiceConnect) interface{} {
+	if obj == nil || obj.Empty() {
+		return nil
+	}
+	transformed := map[string]interface{}{
+		"network_attachment": obj.NetworkAttachment,
+		"route_all_traffic":  obj.RouteAllTraffic,
+	}
+
+	return []interface{}{transformed}
+
+}
+
 func expandCloudbuildWorkerPoolWorkerConfig(o interface{}) *cloudbuild.WorkerPoolWorkerConfig {
 	if o == nil {
 		return nil

@@ -59,9 +59,17 @@ func TestAccCloudbuildWorkerPool_withComputedAnnotations(t *testing.T) {
 func TestAccCloudbuildWorkerPool_basic(t *testing.T) {
 	t.Parallel()
 
+	testNetworkName := acctest.BootstrapSharedTestNetwork(t, "attachment-network")
+	subnetName := acctest.BootstrapSubnet(t, "tf-test-subnet", testNetworkName)
+	networkAttachmentName := acctest.BootstrapNetworkAttachment(t, "tf-test-attachment", subnetName)
+
+	// Need to have the full network attachment name in the format project/{project_id}/regions/{region_id}/networkAttachments/{networkAttachmentName}
+	fullFormNetworkAttachmentName := fmt.Sprintf("projects/%s/regions/%s/networkAttachments/%s", envvar.GetTestProjectFromEnv(), envvar.GetTestRegionFromEnv(), networkAttachmentName)
+
 	context := map[string]interface{}{
-		"random_suffix": acctest.RandString(t, 10),
-		"project":       envvar.GetTestProjectFromEnv(),
+		"random_suffix":      acctest.RandString(t, 10),
+		"project":            envvar.GetTestProjectFromEnv(),
+		"network_attachment": fullFormNetworkAttachmentName,
 	}
 
 	acctest.VcrTest(t, resource.TestCase{
@@ -108,6 +116,11 @@ resource "google_cloudbuild_worker_pool" "pool" {
 		machine_type = "e2-standard-8"
 		no_external_ip = true
 	}
+
+	private_service_connect {
+		network_attachment = "%{network_attachment}"
+		route_all_traffic = false
+	}
 }
 `, context)
 }

@@ -537,6 +537,14 @@ func ClouddeployDeliveryPipelineSerialPipelineStagesStrategyCanaryRuntimeConfigK
 				Description: "Optional. The label to use when selecting Pods for the Deployment and Service resources. This label must already be present in both resources.",
 			},
 
+			"route_destinations": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: "Optional. Route destinations allow configuring the Gateway API HTTPRoute to be deployed to additional clusters. This option is available for multi-cluster service mesh set ups that require the route to exist in the clusters that call the service. If unspecified, the HTTPRoute will only be deployed to the Target cluster.",
+				MaxItems:    1,
+				Elem:        ClouddeployDeliveryPipelineSerialPipelineStagesStrategyCanaryRuntimeConfigKubernetesGatewayServiceMeshRouteDestinationsSchema(),
+			},
+
 			"route_update_wait_time": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -552,6 +560,25 @@ func ClouddeployDeliveryPipelineSerialPipelineStagesStrategyCanaryRuntimeConfigK
 	}
 }
 
+func ClouddeployDeliveryPipelineSerialPipelineStagesStrategyCanaryRuntimeConfigKubernetesGatewayServiceMeshRouteDestinationsSchema() *schema.Resource {
+	return &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			"destination_ids": {
+				Type:        schema.TypeList,
+				Required:    true,
+				Description: "Required. The clusters where the Gateway API HTTPRoute resource will be deployed to. Valid entries include the associated entities IDs configured in the Target resource and \"@self\" to include the Target cluster.",
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
+
+			"propagate_service": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Description: "Optional. Whether to propagate the Kubernetes Service to the route destination clusters. The Service will always be deployed to the Target cluster even if the HTTPRoute is not. This option may be used to facilitiate successful DNS lookup in the route destination clusters. Can only be set to true if destinations are specified.",
+			},
+		},
+	}
+}
+
 func ClouddeployDeliveryPipelineSerialPipelineStagesStrategyCanaryRuntimeConfigKubernetesServiceNetworkingSchema() *schema.Resource {
 	return &schema.Resource{
 		Schema: map[string]*schema.Schema{
@@ -1515,6 +1542,7 @@ func expandClouddeployDeliveryPipelineSerialPipelineStagesStrategyCanaryRuntimeC
 		HttpRoute:             dcl.String(obj["http_route"].(string)),
 		Service:               dcl.String(obj["service"].(string)),
 		PodSelectorLabel:      dcl.String(obj["pod_selector_label"].(string)),
+		RouteDestinations:     expandClouddeployDeliveryPipelineSerialPipelineStagesStrategyCanaryRuntimeConfigKubernetesGatewayServiceMeshRouteDestinations(obj["route_destinations"]),
 		RouteUpdateWaitTime:   dcl.String(obj["route_update_wait_time"].(string)),
 		StableCutbackDuration: dcl.String(obj["stable_cutback_duration"].(string)),
 	}
@@ -1529,6 +1557,7 @@ func flattenClouddeployDeliveryPipelineSerialPipelineStagesStrategyCanaryRuntime
 		"http_route":              obj.HttpRoute,
 		"service":                 obj.Service,
 		"pod_selector_label":      obj.PodSelectorLabel,
+		"route_destinations":      flattenClouddeployDeliveryPipelineSerialPipelineStagesStrategyCanaryRuntimeConfigKubernetesGatewayServiceMeshRouteDestinations(obj.RouteDestinations),
 		"route_update_wait_time":  obj.RouteUpdateWaitTime,
 		"stable_cutback_duration": obj.StableCutbackDuration,
 	}
@@ -1537,6 +1566,34 @@ func flattenClouddeployDeliveryPipelineSerialPipelineStagesStrategyCanaryRuntime
 
 }
 
+func expandClouddeployDeliveryPipelineSerialPipelineStagesStrategyCanaryRuntimeConfigKubernetesGatewayServiceMeshRouteDestinations(o interface{}) *clouddeploy.DeliveryPipelineSerialPipelineStagesStrategyCanaryRuntimeConfigKubernetesGatewayServiceMeshRouteDestinations {
+	if o == nil {
+		return clouddeploy.EmptyDeliveryPipelineSerialPipelineStagesStrategyCanaryRuntimeConfigKubernetesGatewayServiceMeshRouteDestinations
+	}
+	objArr := o.([]interface{})
+	if len(objArr) == 0 || objArr[0] == nil {
+		return clouddeploy.EmptyDeliveryPipelineSerialPipelineStagesStrategyCanaryRuntimeConfigKubernetesGatewayServiceMeshRouteDestinations
+	}
+	obj := objArr[0].(map[string]interface{})
+	return &clouddeploy.DeliveryPipelineSerialPipelineStagesStrategyCanaryRuntimeConfigKubernetesGatewayServiceMeshRouteDestinations{
+		DestinationIds:   tpgdclresource.ExpandStringArray(obj["destination_ids"]),
+		PropagateService: dcl.Bool(obj["propagate_service"].(bool)),
+	}
+}
+
+func flattenClouddeployDeliveryPipelineSerialPipelineStagesStrategyCanaryRuntimeConfigKubernetesGatewayServiceMeshRouteDestinations(obj *clouddeploy.DeliveryPipelineSerialPipelineStagesStrategyCanaryRuntimeConfigKubernetesGatewayServiceMeshRouteDestinations) interface{} {
+	if obj == nil || obj.Empty() {
+		return nil
+	}
+	transformed := map[string]interface{}{
+		"destination_ids":   obj.DestinationIds,
+		"propagate_service": obj.PropagateService,
+	}
+
+	return []interface{}{transformed}
+
+}
+
 func expandClouddeployDeliveryPipelineSerialPipelineStagesStrategyCanaryRuntimeConfigKubernetesServiceNetworking(o interface{}) *clouddeploy.DeliveryPipelineSerialPipelineStagesStrategyCanaryRuntimeConfigKubernetesServiceNetworking {
 	if o == nil {
 		return clouddeploy.EmptyDeliveryPipelineSerialPipelineStagesStrategyCanaryRuntimeConfigKubernetesServiceNetworking