GoogleCloudPlatform · slevenick · Dec 15, 2023 · Dec 9, 2023 · Dec 9, 2023 · Dec 13, 2023
diff --git a/mmv1/third_party/terraform/services/container/resource_container_cluster.go.erb b/mmv1/third_party/terraform/services/container/resource_container_cluster.go.erb
@@ -2072,6 +2072,24 @@ func ResourceContainerCluster() *schema.Resource {
 					},
 				},
 			},
+			<% unless version == 'ga' -%>
+				"workload_alts_config": {
+					Type:             schema.TypeList,
+					Optional:         true,
+					Computed:         true,
+					MaxItems:         1,
+					Description:      `Configuration for direct-path (via ALTS) with workload identity.`,
+					Elem: &schema.Resource{
+							Schema: map[string]*schema.Schema{
+									"enable_alts": {
+											Type:          schema.TypeBool,
+											Required:      true,
+											Description:   `Whether the alts handshaker should be enabled or not for direct-path. Requires Workload Identity (workloadPool must be non-empty).`,
+									},
+							},
+					},
+				},
+				<% end -%>
 		},
 	}
 }
@@ -2405,6 +2423,12 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
 		cluster.AddonsConfig.GcePersistentDiskCsiDriverConfig.Enabled = true
 	}
 
+	<% unless version == 'ga' -%>
+	if v, ok := d.GetOk("workload_alts_config"); ok {
+		cluster.WorkloadAltsConfig = expandWorkloadAltsConfig(v)
+	}
+	<% end -%>
+
 	req := &container.CreateClusterRequest{
 		Cluster: cluster,
 	}
@@ -2881,6 +2905,12 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
 	}
 <% end -%>
 
+<% unless version == 'ga' -%>
+	if err := d.Set("workload_alts_config", flattenWorkloadAltsConfig(cluster.WorkloadAltsConfig)); err != nil {
+		return err
+	}
+<% end -%>
+
 	return nil
 }
 
@@ -4186,7 +4216,22 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er
 		log.Printf("[INFO] GKE cluster %s Protect Config has been updated to %#v", d.Id(), req.Update.DesiredProtectConfig)
 	}
 <% end -%>
+<% unless version == 'ga' -%>
+	if d.HasChange("workload_alts_config") {
+		req := &container.UpdateClusterRequest{
+			Update: &container.ClusterUpdate{
+				DesiredWorkloadAltsConfig: expandWorkloadAltsConfig(d.Get("workload_alts_config")),
+			},
+		}
+
+		updateF := updateFunc(req, "updating GKE cluster WorkloadALTSConfig")
+		if err := transport_tpg.LockedCall(lockKey, updateF); err != nil {
+			return err
+		}
 
+		log.Printf("[INFO] GKE cluster %s's WorkloadALTSConfig has been updated", d.Id())
+	}
+<% end -%>
 	return resourceContainerClusterRead(d, meta)
 }
 
@@ -5385,6 +5430,21 @@ func expandNodePoolAutoConfigNetworkTags(configured interface{}) *container.Netw
 	return nt
 }
 
+<% unless version == 'ga' -%>
+func expandWorkloadAltsConfig(configured interface{}) *container.WorkloadALTSConfig {
+	l := configured.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil
+	}
+
+	config := l[0].(map[string]interface{})
+	return &container.WorkloadALTSConfig{
+		EnableAlts:              config["enable_alts"].(bool),
+		ForceSendFields: []string{"EnableAlts"},
+	}
+}
+<% end -%>
+
 func flattenNotificationConfig(c *container.NotificationConfig) []map[string]interface{} {
 	if c == nil {
 		return nil
@@ -6143,6 +6203,19 @@ func flattenNodePoolAutoConfigNetworkTags(c *container.NetworkTags) []map[string
 	return []map[string]interface{}{result}
 }
 
+<% unless version == 'ga' -%>
+func flattenWorkloadAltsConfig(c *container.WorkloadALTSConfig) []map[string]interface{} {
+	if c == nil {
+		return nil
+	}
+	return []map[string]interface{}{
+		{
+			"enable_alts":        c.EnableAlts,
+		},
+	}
+}
+<% end -%>
+
 func resourceContainerClusterStateImporter(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
 	config := meta.(*transport_tpg.Config)
 

diff --git a/mmv1/third_party/terraform/services/container/resource_container_cluster_test.go.erb b/mmv1/third_party/terraform/services/container/resource_container_cluster_test.go.erb
@@ -4307,6 +4307,46 @@ func TestAccContainerCluster_withFleetConfig(t *testing.T) {
 	})
 }
 
+<% unless version == 'ga' -%>
+func TestAccContainerCluster_withWorkloadALTSConfig(t *testing.T) {
+	t.Parallel()
+
+	networkName := "gke-cluster-alts"
+	subnetworkName := "gke-cluster-alts"
+	clusterName := fmt.Sprintf("tf-test-cluster-%s", acctest.RandString(t, 10))
+	pid := envvar.GetTestProjectFromEnv()
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:     func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		CheckDestroy: testAccCheckContainerClusterDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccContainerCluster_withWorkloadALTSConfig(pid, networkName, subnetworkName, clusterName, true),
+			},
+			{
+				ResourceName:      "google_container_cluster.with_workload_alts_config",
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateVerifyIgnore: []string{"deletion_protection"},
+				Check: resource.TestCheckResourceAttr(
+					"google_container_cluster.with_workload_alts_config", "workload_alts_config.enable_alts", "true"),
+			},
+			{
+				Config: testAccContainerCluster_withWorkloadALTSConfig(pid, networkName, subnetworkName, clusterName, false),
+			},
+			{
+				ResourceName:      "google_container_cluster.with_workload_alts_config",
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateVerifyIgnore: []string{"deletion_protection"},
+				Check: resource.TestCheckResourceAttr(
+					"google_container_cluster.with_workload_alts_config", "workload_alts_config.enable_alts", "false"),
+			},
+		},
+	})
+}
+<% end -%>
+
 func testAccContainerCluster_withFleetConfig(name, projectID string) string {
 	return fmt.Sprintf(`
 resource "google_container_cluster" "primary" {
@@ -9259,3 +9299,42 @@ resource "google_container_cluster" "without_confidential_boot_disk" {
 `, clusterName, npName)
 }
 <% end -%>
+
+<% unless version == 'ga' -%>
+func testAccContainerCluster_withWorkloadALTSConfig(projectID, name, networkName, subnetworkName string, enable bool) string {
+	return fmt.Sprintf(`
+	data "google_project" "project" {
+		provider = google-beta
+		project_id = "%s"
+	}
+	resource "google_compute_network" "network" {
+		provider                 = google-beta
+		name                     = "%s"
+		auto_create_subnetworks  = false
+		enable_ula_internal_ipv6 = true
+	}
+	resource "google_compute_subnetwork" "subnet" {
+		provider         = google-beta
+		name             = "%s"
+		network          = google_compute_network.network.id
+		ip_cidr_range    = "9.12.22.0/24"
+		region           = "us-central1"
+	}
+	resource "google_container_cluster" "with_workload_alts_config" {
+		provider = google-beta
+		name               = "%s"
+		location           = "us-central1-a"
+		initial_node_count = 1
+		network         = google_compute_network.network.name
+		subnetwork      = google_compute_subnetwork.subnet.name
+		workload_alts_config {
+			enable_alts = %v
+		}
+		workload_identity_config {
+			workload_pool = "${data.google_project.project.project_id}.svc.id.goog"
+		}
+		deletion_protection = false
+	}
+`, projectID, networkName, subnetworkName, name, enable)
+}
+<% end -%>
diff --git a/mmv1/third_party/terraform/website/docs/r/container_cluster.html.markdown b/mmv1/third_party/terraform/website/docs/r/container_cluster.html.markdown
@@ -381,6 +381,9 @@ Enable/Disable Security Posture API features for the cluster. Structure is [docu
 * `fleet` - (Optional)
 Fleet configuration for the cluster. Structure is [documented below](#nested_fleet).
 
+* `workload_alts_config` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html))
+  Configuration for [direct-path (via ALTS) with workload identity.](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#workloadaltsconfig). Structure is [documented below](#nested_workload_alts_config).
+
 <a name="nested_default_snat_status"></a>The `default_snat_status` block supports
 
 *  `disabled` - (Required) Whether the cluster disables default in-node sNAT rules. In-node sNAT rules will be disabled when defaultSnatStatus is disabled.When disabled is set to false, default IP masquerade rules will be applied to the nodes to prevent sNAT on cluster internal traffic
@@ -1295,6 +1298,9 @@ linux_node_config {
 
 * `project` - (Optional) The name of the Fleet host project where this cluster will be registered.
 
+<a name="nested_workload_alts_config"></a>The `workload_alts_config` block supports:
+
+* `enable_alts` - (Required) Whether the alts handshaker should be enabled or not for direct-path. Requires Workload Identity ([workloadPool]((#nested_workload_identity_config)) must be non-empty).
 
 ## Attributes Reference