Add support for master authorized networks in google_container_cluster

[davidquarles]

Fixes #619.

• Update container/v1 API (handled independently in Update container/v1 API #624)
• Add support for master_authorized_networks in google_container_cluster

$ make testacc TEST=./google TESTARGS='-run=TestAccContainerCluster_withMasterAuthorizedNetworks'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./google -v -run=TestAccContainerCluster_withMasterAuthorizedNetworks -timeout 120m
=== RUN   TestAccContainerCluster_withMasterAuthorizedNetworksConfig
--- PASS: TestAccContainerCluster_withMasterAuthorizedNetworksConfig (390.52s)
PASS
ok  	github.com/terraform-providers/terraform-provider-google/google	390.539s

[davidquarles]

I wasn't entirely sure what made sense here for Optional / Computed / Required / Default. In the end, Required: true made the most sense to me, but only marginally so. I'll test upstream for implicit requirements/defaults tomorrow.

[danawillow]

I'd actually recommend not having an enabled field at all, and instead just relying on the presence of any master_authorized_networks_configs to determine what that value should be, similar to how we do autoscaling. The reason for this is that when enabled is false, GCP won't return anything for cidrBlocks:

"masterAuthorizedNetworksConfig": {},

This means that a config like this:

  master_authorized_networks_config {
    enabled     = false
    cidr_blocks = ["172.16.0.0/12", "10.0.0.0/8"]
  }

is equivalent to:

  master_authorized_networks_config {
    enabled     = false
  }

Because we want to set the state based on what's actually true in GCP, the state will always resemble the second config above, and thus planning immediately after applying with the first config will show a diff.

"But wait!" you might ask, "I added a test for the enabled=false case and it passed!" Ah yes, and this tripped me up for a while too. I'll explain in a comment below.

[davidquarles]

Totally, I almost did that, but wasn't sure and opted for mimicking the API. I'll follow that pattern elsewhere.

[davidquarles]

the two failures below happen on master as well. I'm guessing this is a known issue?

$ make testacc TEST=./google TESTARGS='-run=TestAccContainerCluster'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./google -v -run=TestAccContainerCluster -timeout 120m
=== RUN   TestAccContainerCluster_import
=== RUN   TestAccContainerCluster_basic
=== RUN   TestAccContainerCluster_withTimeout
=== RUN   TestAccContainerCluster_withAddons
=== RUN   TestAccContainerCluster_withMasterAuth
=== RUN   TestAccContainerCluster_withMasterAuthorizedNetworksConfig
=== RUN   TestAccContainerCluster_withAdditionalZones
=== RUN   TestAccContainerCluster_withLegacyAbac
=== RUN   TestAccContainerCluster_withVersion
=== RUN   TestAccContainerCluster_updateVersion
=== RUN   TestAccContainerCluster_withNodeConfig
=== RUN   TestAccContainerCluster_withNodeConfigScopeAlias
=== RUN   TestAccContainerCluster_network
=== RUN   TestAccContainerCluster_backend
=== RUN   TestAccContainerCluster_withLogging
=== RUN   TestAccContainerCluster_withMonitoring
=== RUN   TestAccContainerCluster_withNodePoolBasic
=== RUN   TestAccContainerCluster_withNodePoolResize
=== RUN   TestAccContainerCluster_withNodePoolAutoscaling
=== RUN   TestAccContainerCluster_withNodePoolNamePrefix
=== RUN   TestAccContainerCluster_withNodePoolMultiple
=== RUN   TestAccContainerCluster_withNodePoolConflictingNameFields
=== RUN   TestAccContainerCluster_withNodePoolNodeConfig
--- PASS: TestAccContainerCluster_withVersion (358.25s)
--- PASS: TestAccContainerCluster_withNodePoolNodeConfig (406.36s)
--- PASS: TestAccContainerCluster_withNodeConfigScopeAlias (408.32s)
--- PASS: TestAccContainerCluster_import (478.31s)
--- PASS: TestAccContainerCluster_withAdditionalZones (483.29s)
--- PASS: TestAccContainerCluster_withLegacyAbac (625.03s)
--- FAIL: TestAccContainerCluster_network (714.98s)
	testing.go:494: Error destroying resource! WARNING: Dangling resources
		may exist. The full state and error is shown below.

		Error: Error applying: 1 error(s) occurred:

		* google_compute_network.container_network (destroy): 1 error(s) occurred:

		* google_compute_network.container_network: Error waiting for Deleting Network: timeout while waiting for state to become 'DONE' (last state: 'RUNNING', timeout: 4m0s)

		State: google_compute_network.container_network:
		  ID = container-net-izw2yl82rx
		  auto_create_subnetworks = true
		  gateway_ipv4 =
		  name = container-net-izw2yl82rx
		  self_link = https://www.googleapis.com/compute/v1/projects/nordstrom-k8s/global/networks/container-net-izw2yl82rx
--- PASS: TestAccContainerCluster_withNodePoolConflictingNameFields (559.19s)
--- PASS: TestAccContainerCluster_updateVersion (933.94s)
--- PASS: TestAccContainerCluster_withNodePoolNamePrefix (526.78s)
--- FAIL: TestAccContainerCluster_withNodePoolMultiple (529.43s)
	testing.go:434: Step 0 error: Check failed: Check 1/1 error: Cluster has mismatched node_pool.1.node_config.0.oauth_scopes[0].
		TF State:
		GCP State: https://www.googleapis.com/auth/logging.write
--- PASS: TestAccContainerCluster_withNodeConfig (345.72s)
--- PASS: TestAccContainerCluster_withNodePoolBasic (417.79s)
--- PASS: TestAccContainerCluster_withNodePoolResize (663.22s)
--- PASS: TestAccContainerCluster_withNodePoolAutoscaling (834.72s)
--- PASS: TestAccContainerCluster_basic (356.24s)
--- PASS: TestAccContainerCluster_backend (392.66s)
--- PASS: TestAccContainerCluster_withTimeout (395.95s)
--- PASS: TestAccContainerCluster_withMasterAuth (406.47s)
--- PASS: TestAccContainerCluster_withLogging (615.11s)
--- PASS: TestAccContainerCluster_withMonitoring (645.08s)
--- PASS: TestAccContainerCluster_withMasterAuthorizedNetworksConfig (418.33s)
--- PASS: TestAccContainerCluster_withAddons (584.49s)
FAIL
exit status 1
FAIL	github.com/terraform-providers/terraform-provider-google/google	1897.568s
make: *** [testacc] Error 1

[danawillow]

Where did the numbers 11 and 19 come from? (I want to make sure we don't break any existing configs with this change)

[davidquarles]

Good call – I was extrapolating API-level constraints based on my experience with the console/UI, which requires a mask in that range, but now that I'm hitting the API directly, you're right -- it doesn't seem to be a thing! RFC1918 is a strict requirement here, though, and I added logic specifically to validate this attribute against those ranges, then lost it on rebase. I'll add it back + remove this constraint.

[davidquarles]

Done.

[danawillow]

Do you think anyone would want to set the displayName field inside of cidr block?

[davidquarles]

For sure, I'll add that now.

[davidquarles]

Done.

[danawillow]

I'd actually recommend not having an enabled field at all, and instead just relying on the presence of any master_authorized_networks_configs to determine what that value should be, similar to how we do autoscaling. The reason for this is that when enabled is false, GCP won't return anything for cidrBlocks:

"masterAuthorizedNetworksConfig": {},

This means that a config like this:

  master_authorized_networks_config {
    enabled     = false
    cidr_blocks = ["172.16.0.0/12", "10.0.0.0/8"]
  }

is equivalent to:

  master_authorized_networks_config {
    enabled     = false
  }

Because we want to set the state based on what's actually true in GCP, the state will always resemble the second config above, and thus planning immediately after applying with the first config will show a diff.

"But wait!" you might ask, "I added a test for the enabled=false case and it passed!" Ah yes, and this tripped me up for a while too. I'll explain in a comment below.

[danawillow]

Turns out, if flattenMasterAuthorizedNetworksConfig returns something that looks like this:

result: [map[enabled:false cidr_blocks:[]]]

d.Set will actually return an error: Invalid address to set: []string{"master_authorized_networks_config", "0", "cidr_blocks"} This is fairly cryptic, but it basically just means that you can't set an empty slice in config, you have to just set no slice at all.

[davidquarles]

Hrmmmmm, alright. I'll add that as a test case, too.

[davidquarles]

Done.

[danawillow]

This means that if a user removes the master_authorized_networks_config block from their config, nothing actually changes. Is that intentional? I'd assume it would remove the configuration.

[davidquarles]

That was definitely not intentional, and is now fixed.

[davidquarles]

@danawillow I worked through your comments, and left this second round of changes is in a separate commit for now. I can squash/rebase once everything's ready to merge.

Do you think it makes sense to collapse the schema a bit, as below? I've basically translated the upstream structure, and the result feels a bit verbose to me. I know how painful backwards compatibility issues can be, though. I'll defer to you.

resource "google_container_cluster" "foo" {
    master_authorized_network {
        cidr_block = "1.2.3.4/32"
    }
    master_authorized_network {
        cidr_block = "5.6.7.8/32"
    }
}

Test output:

$ make testacc TEST=./google TESTARGS='-run=TestAccContainerCluster_withMasterAuthorized'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./google -v -run=TestAccContainerCluster_withMasterAuthorized -timeout 120m
=== RUN   TestAccContainerCluster_withMasterAuthorizedNetworksConfig
--- PASS: TestAccContainerCluster_withMasterAuthorizedNetworksConfig (390.30s)
PASS
ok  	github.com/terraform-providers/terraform-provider-google/google	390.340s

[danawillow]

This validation has enough logic in it that I wouldn't mind seeing a unit test.

[davidquarles]

Done.

[danawillow]

nit: indentation

[danawillow]

I think you want to check that the block is there though, right?

[davidquarles]

Right. Fixed.

[danawillow]

I'm not quite sure what this comment is for

[davidquarles]

Oh, that definitely wasn't supposed to make it in. 😺

[danawillow]

I'm fine with the schema as-is.

Also feel free to just always do separate commits- I default to "squash and merge" for the final merge :)

[danawillow]

$ make testacc TEST=./google TESTARGS='-run=TestAccContainerCluster_withMasterAuthorizedN'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./google -v -run=TestAccContainerCluster_withMasterAuthorizedN -timeout 120m
=== RUN   TestAccContainerCluster_withMasterAuthorizedNetworksConfig
--- PASS: TestAccContainerCluster_withMasterAuthorizedNetworksConfig (404.72s)
PASS
ok  	github.com/terraform-providers/terraform-provider-google/google	404.944s

$ make testacc TEST=./google TESTARGS='-run=TestValidateRFC'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./google -v -run=TestValidateRFC -timeout 120m
=== RUN   TestValidateRFC1918Network
--- PASS: TestValidateRFC1918Network (0.00s)
PASS
ok  	github.com/terraform-providers/terraform-provider-google/google	0.201s

Thanks @davidquarles! Looks good!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!