diff --git a/google/resource_container_cluster.go b/google/resource_container_cluster.go
index 6058084e330..71a9adfad0e 100644
--- a/google/resource_container_cluster.go
+++ b/google/resource_container_cluster.go
@@ -290,6 +290,23 @@ func resourceContainerCluster() *schema.Resource {
 Default: false,
 },
+ "authenticator_groups_config": {
+ Type: schema.TypeList,
+ Optional: true,
+ Computed: true,
+ ForceNew: true,
+ MaxItems: 1,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "security_group": {
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ },
+ },
+ },
+ },
+ + "initial_node_count": {
 Type: schema.TypeInt,
 Optional: true,
@@ -817,6 +834,10 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
 cluster.NodeConfig = expandNodeConfig(v)
 }
+ if v, ok := d.GetOk("authenticator_groups_config"); ok {
+ cluster.AuthenticatorGroupsConfig = expandAuthenticatorGroupsConfig(v)
+ }
+
 if v, ok := d.GetOk("private_cluster_config"); ok {
 cluster.PrivateClusterConfig = expandPrivateClusterConfig(v)
 }
@@ -948,6 +969,9 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
 if err := d.Set("cluster_autoscaling", nil); err != nil {
 return err
 }
+ if err := d.Set("authenticator_groups_config", flattenAuthenticatorGroupsConfig(cluster.AuthenticatorGroupsConfig)); err != nil {
+ return err
+ }
 if cluster.DefaultMaxPodsConstraint != nil {
 d.Set("default_max_pods_per_node", cluster.DefaultMaxPodsConstraint.MaxPodsPerNode)
 }
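Review bot: `Computed: true` on the new `authenticator_groups_config` block, together with `Optional` and `ForceNew`, means that deleting the block from configuration produces no plan diff: an Optional+Computed attribute keeps its prior state value when it is absent from config, so once a cluster has been created with a security group there is no way to turn the feature off short of tainting the cluster. If Computed is only there to absorb an API response that echoes a disabled config back, the flatten helper should return nil for the disabled case and Computed can be dropped so that removing the block forces recreation, as the ForceNew flag implies. A schema comment stating why Computed is needed, e.g. `// Computed: the API may return this object even when the feature is not configured`, would at least make the trade-off visible to the next maintainer.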
@@ -1667,6 +1691,20 @@ func expandMaintenancePolicy(d *schema.ResourceData, meta interface{}) *containe
 return nil
 }
+func expandAuthenticatorGroupsConfig(configured interface{}) *containerBeta.AuthenticatorGroupsConfig {
+ l := configured.([]interface{})
+ if len(l) == 0 {
+ return nil
+ }
+ result := &containerBeta.AuthenticatorGroupsConfig{}
+ config := l[0].(map[string]interface{})
+ if securityGroup, ok := config["security_group"]; ok {
+ result.Enabled = true
+ result.SecurityGroup = securityGroup.(string)
+ }
+ return result
+}
+ + func expandMasterAuth(configured interface{}) *containerBeta.MasterAuth {
 l := configured.([]interface{})
 if len(l) == 0 || l[0] == nil {
@@ -1825,6 +1863,17 @@ func flattenClusterNodePools(d *schema.ResourceData, config *Config, c []*contai
 return nodePools, nil
 }
+func flattenAuthenticatorGroupsConfig(c *containerBeta.AuthenticatorGroupsConfig) []map[string]interface{} {
+ if c == nil {
+ return nil
+ }
+ return []map[string]interface{}{
+ {
+ "security_group": c.SecurityGroup,
+ },
+ }
+}
+ + func flattenPrivateClusterConfig(c *containerBeta.PrivateClusterConfig) []map[string]interface{} {
 if c == nil {
 return nil
diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go
index 1dd610bc74d..4b78ab30ee5 100644
--- a/google/resource_container_cluster_test.go
+++ b/google/resource_container_cluster_test.go
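Review bot: `expandAuthenticatorGroupsConfig` guards only `len(l) == 0` before the `l[0].(map[string]interface{})` assertion, so an empty `authenticator_groups_config {}` block, which the SDK can hand over as a nil element, would panic instead of being treated as unset; `expandMasterAuth` directly below in the same hunk checks `if len(l) == 0 || l[0] == nil {` and this function should use the same guard. Since `security_group` is Required in the schema, the comma-ok lookup on `config["security_group"]` is always true in practice and reads as defensive code without a reason; a comment such as `// security_group is Required, so the key is always present` would make the intent explicit. The function also lacks a doc comment; `// expandAuthenticatorGroupsConfig converts the single-element schema list into the API object, or nil when the block is absent.` would do.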
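Review bot: `flattenAuthenticatorGroupsConfig` returns a block whenever the API object is non-nil without consulting `Enabled`, even though the expand side sets `Enabled = true` as the signal that the feature is on; if the API returns a config object with `Enabled` false and an empty `SecurityGroup`, Read will write a one-element list with `security_group = ""` into state, which is presumably what the schema's `Computed: true` is masking. Returning nil for the disabled case, `if c == nil || !c.Enabled {`, keeps state aligned with the config model and lets the block be absent when the feature is off. flattenPrivateClusterConfig's body continues outside the hunk.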
@@ -194,6 +194,26 @@ func TestAccContainerCluster_withMasterAuthConfig_NoCert(t *testing.T) {
 })
 }
+func TestAccContainerCluster_withAuthenticatorGroupsConfig(t *testing.T) {
+ t.Parallel()
+ clusterName := fmt.Sprintf("cluster-test-%s", acctest.RandString(10))
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckContainerClusterDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccContainerCluster_withAuthenticatorGroupsConfig(clusterName),
+ },
+ {
+ ResourceName: "google_container_cluster.with_authenticator_groups",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
 func TestAccContainerCluster_withNetworkPolicyEnabled(t *testing.T) {
 t.Parallel()
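Review bot: The first test step has no `Check`, so nothing asserts that `authenticator_groups_config.0.security_group` actually round-trips through Create and Read; `ImportStateVerify` only compares the created state with the imported state, and the two agree even if Read drops the block in both cases. Adding `Check: resource.TestCheckResourceAttr("google_container_cluster.with_authenticator_groups", "authenticator_groups_config.0.security_group", "gke-security-groups@mydomain.tld"),` to that step pins the behaviour this change is meant to add.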
@@ -1390,6 +1410,50 @@ resource "google_container_cluster" "with_network_policy_enabled" {
 `, clusterName)
 }
+func testAccContainerCluster_withAuthenticatorGroupsConfig(clusterName string) string {
+ return fmt.Sprintf(`
+ resource "google_compute_network" "container_network" {
+ name = "container-net-%s"
+ auto_create_subnetworks = false
+ }
+
+ resource "google_compute_subnetwork" "container_subnetwork" {
+ name = google_compute_network.container_network.name
+ network = google_compute_network.container_network.name
+ ip_cidr_range = "10.0.36.0/24"
+ region = "us-central1"
+ private_ip_google_access = true
+
+ secondary_ip_range {
+ range_name = "pod"
+ ip_cidr_range = "10.0.0.0/19"
+ }
+
+ secondary_ip_range {
+ range_name = "svc"
+ ip_cidr_range = "10.0.32.0/22"
+ }
+ }
+
+ resource "google_container_cluster" "with_authenticator_groups" {
+ name = "%s"
+ location = "us-central1-a"
+ initial_node_count = 1
+ network = google_compute_network.container_network.name
+ subnetwork = google_compute_subnetwork.container_subnetwork.name
+
+ authenticator_groups_config {
+ security_group = "gke-security-groups@mydomain.tld"
+ }
+
+ ip_allocation_policy {
+ cluster_secondary_range_name = google_compute_subnetwork.container_subnetwork.secondary_ip_range[0].range_name
+ services_secondary_range_name = google_compute_subnetwork.container_subnetwork.secondary_ip_range[1].range_name
+ }
+ }
+ `, clusterName, clusterName)
+}
+
 func testAccContainerCluster_withMasterAuthorizedNetworksConfig(clusterName string, cidrs []string, emptyValue string) string {
 cidrBlocks := emptyValue
diff --git a/website/docs/r/container_cluster.html.markdown b/website/docs/r/container_cluster.html.markdown
index c5e52302666..c35b0a0913d 100644
--- a/website/docs/r/container_cluster.html.markdown
+++ b/website/docs/r/container_cluster.html.markdown
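Review bot: The fixture hard-codes `security_group = "gke-security-groups@mydomain.tld"`, a placeholder domain; if the API validates the group against the identity domain of the project under test, this acceptance test cannot pass in a generic test project and will be skipped or disabled rather than exercised. Consider sourcing the group from the test environment alongside the other project-specific values, or at minimum adding a comment above the block, e.g. `// requires a project whose identity domain contains this group`, so the prerequisite is documented where the test is run.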
@@ -258,7 +258,7 @@ region are guaranteed to support the same version.
 [PodSecurityPolicy](https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies) feature. Structure is documented below.
-* `authenticator_groups_config` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Configuration for the
+* `authenticator_groups_config` - (Optional) Configuration for the
 [Google Groups for GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control#groups-setup-gsuite) feature. Structure is documented below.