Only set enabled bool if evaluation mode is unspecified (#9629)

* Only set enabled bool if evaluation mode is unspecified * Only trigger one cluster update event if both both legacy and struct blocks have diffs. * remove inadvertant modifications * Pass legacy bool to expandBinaryAuthorization fn * move fn for diff readability * reformat * reformat * Only get enable_binary_authorization if its been changed * remove commas * fix logic * Remove enable_binary_authorization condition * Add upgrade path docs * Add comma * Update mmv1/third_party/terraform/website/docs/guides/version_5_upgrade.html.markdown --------- Co-authored-by: Stephen Lewis (Burrows) <[email protected]> [upstream:c1e45b10619f22ab5dff5d29f5b429a787389f45] Signed-off-by: Modular Magician <[email protected]>
hashicorp · Dec 20, 2023 · a804124 · a804124
1 parent d50dd59
commit a804124
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 21 deletions.
diff --git a/.changelog/9629.txt b/.changelog/9629.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+container: fixed an issue in which migrating from the deprecated Binauthz enablement bool to the new evaluation mode enum inadvertently caused two cluster update events, instead of none.
+```
diff --git a/google-beta/services/container/resource_container_cluster.go b/google-beta/services/container/resource_container_cluster.go
@@ -2991,26 +2991,6 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er
 		log.Printf("[INFO] GKE cluster %s's autopilot workload policy config allow_net_admin has been set to %v", d.Id(), allowed)
 	}
 
-	if d.HasChange("enable_binary_authorization") {
-		enabled := d.Get("enable_binary_authorization").(bool)
-		req := &container.UpdateClusterRequest{
-			Update: &container.ClusterUpdate{
-				DesiredBinaryAuthorization: &container.BinaryAuthorization{
-					Enabled:         enabled,
-					ForceSendFields: []string{"Enabled"},
-				},
-			},
-		}
-
-		updateF := updateFunc(req, "updating GKE binary authorization")
-		// Call update serially.
-		if err := transport_tpg.LockedCall(lockKey, updateF); err != nil {
-			return err
-		}
-
-		log.Printf("[INFO] GKE cluster %s's binary authorization has been updated to %v", d.Id(), enabled)
-	}
-
 	if d.HasChange("private_cluster_config.0.enable_private_endpoint") {
 		enabled := d.Get("private_cluster_config.0.enable_private_endpoint").(bool)
 		req := &container.UpdateClusterRequest{

diff --git a/website/docs/guides/version_5_upgrade.html.markdown b/website/docs/guides/version_5_upgrade.html.markdown
@@ -636,7 +636,15 @@ resource "google_container_cluster" "primary" {
 
 ### `enable_binary_authorization` is now removed
 
-`enable_binary_authorization` has been removed in favor of `binary_authorization.enabled`.
+`enable_binary_authorization` has been removed in favor of `binary_authorization.evaluation_mode`.
+To enable Binary Authorization, set evaluation mode to "PROJECT_SINGLETON_POLICY_ENFORCE"
+as shown in the example below. To disable it, set evaluation mode to "DISABLED".
+
+```
+  binary_authorization {
+    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+  }
+```
 
 ### Default value of `network_policy.provider` is now removed