From a80412432d9efa80052ab80a87d194256730cf93 Mon Sep 17 00:00:00 2001
From: Modular Magician
Date: Wed, 20 Dec 2023 19:02:53 +0000
Subject: [PATCH] Only set enabled bool if evaluation mode is unspecified (#9629)
* Only set enabled bool if evaluation mode is unspecified
* Only trigger one cluster update event if both both legacy and struct blocks have diffs.
* remove inadvertant modifications
* Pass legacy bool to expandBinaryAuthorization fn
* move fn for diff readability
* reformat
* reformat
* Only get enable_binary_authorization if its been changed
* remove commas
* fix logic
* Remove enable_binary_authorization condition
* Add upgrade path docs
* Add comma
* Update mmv1/third_party/terraform/website/docs/guides/version_5_upgrade.html.markdown
---------
Co-authored-by: Stephen Lewis (Burrows)
[upstream:c1e45b10619f22ab5dff5d29f5b429a787389f45]
Signed-off-by: Modular Magician
---
 .changelog/9629.txt | 3 +++
 .../container/resource_container_cluster.go | 20 -------------------
 .../guides/version_5_upgrade.html.markdown | 10 +++++++++-
 3 files changed, 12 insertions(+), 21 deletions(-)
 create mode 100644 .changelog/9629.txt
diff --git a/.changelog/9629.txt b/.changelog/9629.txt
new file mode 100644
index 0000000000..a668c93644
--- /dev/null
+++ b/.changelog/9629.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+container: fixed an issue in which migrating from the deprecated Binauthz enablement bool to the new evaluation mode enum inadvertently caused two cluster update events, instead of none.
+```
diff --git a/google-beta/services/container/resource_container_cluster.go b/google-beta/services/container/resource_container_cluster.go
index 1cdaf54a89..3c7e5763d9 100644
--- a/google-beta/services/container/resource_container_cluster.go
+++ b/google-beta/services/container/resource_container_cluster.go
@@ -2991,26 +2991,6 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er
 log.Printf("[INFO] GKE cluster %s's autopilot workload policy config allow_net_admin has been set to %v", d.Id(), allowed)
 }
 
- if d.HasChange("enable_binary_authorization") {
- enabled := d.Get("enable_binary_authorization").(bool)
- req := &container.UpdateClusterRequest{
- Update: &container.ClusterUpdate{
- DesiredBinaryAuthorization: &container.BinaryAuthorization{
- Enabled: enabled,
- ForceSendFields: []string{"Enabled"},
- },
- },
- }
-
- updateF := updateFunc(req, "updating GKE binary authorization")
- // Call update serially.
- if err := transport_tpg.LockedCall(lockKey, updateF); err != nil {
- return err
- }
-
- log.Printf("[INFO] GKE cluster %s's binary authorization has been updated to %v", d.Id(), enabled)
- }
-
 if d.HasChange("private_cluster_config.0.enable_private_endpoint") {
 enabled := d.Get("private_cluster_config.0.enable_private_endpoint").(bool)
 req := &container.UpdateClusterRequest{
diff --git a/website/docs/guides/version_5_upgrade.html.markdown b/website/docs/guides/version_5_upgrade.html.markdown
index d82b2bf62e..6a559e63c0 100644
--- a/website/docs/guides/version_5_upgrade.html.markdown
+++ b/website/docs/guides/version_5_upgrade.html.markdown
@@ -636,7 +636,15 @@ resource "google_container_cluster" "primary" {
 ### `enable_binary_authorization` is now removed
-`enable_binary_authorization` has been removed in favor of `binary_authorization.enabled`.
+`enable_binary_authorization` has been removed in favor of `binary_authorization.evaluation_mode`.
+To enable Binary Authorization, set evaluation mode to "PROJECT_SINGLETON_POLICY_ENFORCE"
+as shown in the example below. To disable it, set evaluation mode to "DISABLED".
+
+```
+ binary_authorization {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+```
 ### Default value of `network_policy.provider` is now removed