Add support for WorkloadALTSConfig in google_container_cluster (Beta) (…

…GoogleCloudPlatform#9638) * Add support for WorkloadALTSConfig in google_container_cluster * Fix issues * Make enable_alts within workload_alts_config required and force-send in JSON * Update documentation * Make acceptance test network & subnet names unique * Remove extra test config * Fix spacing
kapreus · Jan 2, 2024 · c80e0da · c80e0da
1 parent 7d7fd4f
commit c80e0da
Show file tree

Hide file tree

Showing 3 changed files with 158 additions and 0 deletions.
diff --git a/mmv1/third_party/terraform/services/container/resource_container_cluster.go.erb b/mmv1/third_party/terraform/services/container/resource_container_cluster.go.erb
@@ -2072,6 +2072,24 @@ func ResourceContainerCluster() *schema.Resource {
 					},
 				},
 			},
+			<% unless version == 'ga' -%>
+				"workload_alts_config": {
+					Type:             schema.TypeList,
+					Optional:         true,
+					Computed:         true,
+					MaxItems:         1,
+					Description:      `Configuration for direct-path (via ALTS) with workload identity.`,
+					Elem: &schema.Resource{
+							Schema: map[string]*schema.Schema{
+									"enable_alts": {
+											Type:          schema.TypeBool,
+											Required:      true,
+											Description:   `Whether the alts handshaker should be enabled or not for direct-path. Requires Workload Identity (workloadPool must be non-empty).`,
+									},
+							},
+					},
+				},
+				<% end -%>
 		},
 	}
 }
@@ -2405,6 +2423,12 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
 		cluster.AddonsConfig.GcePersistentDiskCsiDriverConfig.Enabled = true
 	}
 
+	<% unless version == 'ga' -%>
+	if v, ok := d.GetOk("workload_alts_config"); ok {
+		cluster.WorkloadAltsConfig = expandWorkloadAltsConfig(v)
+	}
+	<% end -%>
+
 	req := &container.CreateClusterRequest{
 		Cluster: cluster,
 	}
@@ -2881,6 +2905,12 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
 	}
 <% end -%>
 
+<% unless version == 'ga' -%>
+	if err := d.Set("workload_alts_config", flattenWorkloadAltsConfig(cluster.WorkloadAltsConfig)); err != nil {
+		return err
+	}
+<% end -%>
+
 	return nil
 }
 
@@ -4186,7 +4216,22 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er
 		log.Printf("[INFO] GKE cluster %s Protect Config has been updated to %#v", d.Id(), req.Update.DesiredProtectConfig)
 	}
 <% end -%>
+<% unless version == 'ga' -%>
+	if d.HasChange("workload_alts_config") {
+		req := &container.UpdateClusterRequest{
+			Update: &container.ClusterUpdate{
+				DesiredWorkloadAltsConfig: expandWorkloadAltsConfig(d.Get("workload_alts_config")),
+			},
+		}
+
+		updateF := updateFunc(req, "updating GKE cluster WorkloadALTSConfig")
+		if err := transport_tpg.LockedCall(lockKey, updateF); err != nil {
+			return err
+		}
 
+		log.Printf("[INFO] GKE cluster %s's WorkloadALTSConfig has been updated", d.Id())
+	}
+<% end -%>
 	return resourceContainerClusterRead(d, meta)
 }
 
@@ -5385,6 +5430,21 @@ func expandNodePoolAutoConfigNetworkTags(configured interface{}) *container.Netw
 	return nt
 }
 
+<% unless version == 'ga' -%>
+func expandWorkloadAltsConfig(configured interface{}) *container.WorkloadALTSConfig {
+	l := configured.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil
+	}
+
+	config := l[0].(map[string]interface{})
+	return &container.WorkloadALTSConfig{
+		EnableAlts:              config["enable_alts"].(bool),
+		ForceSendFields: []string{"EnableAlts"},
+	}
+}
+<% end -%>
+
 func flattenNotificationConfig(c *container.NotificationConfig) []map[string]interface{} {
 	if c == nil {
 		return nil
@@ -6143,6 +6203,19 @@ func flattenNodePoolAutoConfigNetworkTags(c *container.NetworkTags) []map[string
 	return []map[string]interface{}{result}
 }
 
+<% unless version == 'ga' -%>
+func flattenWorkloadAltsConfig(c *container.WorkloadALTSConfig) []map[string]interface{} {
+	if c == nil {
+		return nil
+	}
+	return []map[string]interface{}{
+		{
+			"enable_alts":        c.EnableAlts,
+		},
+	}
+}
+<% end -%>
+
 func resourceContainerClusterStateImporter(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
 	config := meta.(*transport_tpg.Config)
 

diff --git a/mmv1/third_party/terraform/services/container/resource_container_cluster_test.go.erb b/mmv1/third_party/terraform/services/container/resource_container_cluster_test.go.erb
@@ -4307,6 +4307,46 @@ func TestAccContainerCluster_withFleetConfig(t *testing.T) {
 	})
 }
 
+<% unless version == 'ga' -%>
+func TestAccContainerCluster_withWorkloadALTSConfig(t *testing.T) {
+	t.Parallel()
+
+	networkName := "gke-cluster-alts"
+	subnetworkName := "gke-cluster-alts"
+	clusterName := fmt.Sprintf("tf-test-cluster-%s", acctest.RandString(t, 10))
+	pid := envvar.GetTestProjectFromEnv()
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:     func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		CheckDestroy: testAccCheckContainerClusterDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccContainerCluster_withWorkloadALTSConfig(pid, networkName, subnetworkName, clusterName, true),
+			},
+			{
+				ResourceName:      "google_container_cluster.with_workload_alts_config",
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateVerifyIgnore: []string{"deletion_protection"},
+				Check: resource.TestCheckResourceAttr(
+					"google_container_cluster.with_workload_alts_config", "workload_alts_config.enable_alts", "true"),
+			},
+			{
+				Config: testAccContainerCluster_withWorkloadALTSConfig(pid, networkName, subnetworkName, clusterName, false),
+			},
+			{
+				ResourceName:      "google_container_cluster.with_workload_alts_config",
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateVerifyIgnore: []string{"deletion_protection"},
+				Check: resource.TestCheckResourceAttr(
+					"google_container_cluster.with_workload_alts_config", "workload_alts_config.enable_alts", "false"),
+			},
+		},
+	})
+}
+<% end -%>
+
 func testAccContainerCluster_withFleetConfig(name, projectID string) string {
 	return fmt.Sprintf(`
 resource "google_container_cluster" "primary" {
@@ -9259,3 +9299,42 @@ resource "google_container_cluster" "without_confidential_boot_disk" {
 `, clusterName, npName)
 }
 <% end -%>
+
+<% unless version == 'ga' -%>
+func testAccContainerCluster_withWorkloadALTSConfig(projectID, name, networkName, subnetworkName string, enable bool) string {
+	return fmt.Sprintf(`
+	data "google_project" "project" {
+		provider = google-beta
+		project_id = "%s"
+	}
+	resource "google_compute_network" "network" {
+		provider                 = google-beta
+		name                     = "%s"
+		auto_create_subnetworks  = false
+		enable_ula_internal_ipv6 = true
+	}
+	resource "google_compute_subnetwork" "subnet" {
+		provider         = google-beta
+		name             = "%s"
+		network          = google_compute_network.network.id
+		ip_cidr_range    = "9.12.22.0/24"
+		region           = "us-central1"
+	}
+	resource "google_container_cluster" "with_workload_alts_config" {
+		provider = google-beta
+		name               = "%s"
+		location           = "us-central1-a"
+		initial_node_count = 1
+		network         = google_compute_network.network.name
+		subnetwork      = google_compute_subnetwork.subnet.name
+		workload_alts_config {
+			enable_alts = %v
+		}
+		workload_identity_config {
+			workload_pool = "${data.google_project.project.project_id}.svc.id.goog"
+		}
+		deletion_protection = false
+	}
+`, projectID, networkName, subnetworkName, name, enable)
+}
+<% end -%>
diff --git a/mmv1/third_party/terraform/website/docs/r/container_cluster.html.markdown b/mmv1/third_party/terraform/website/docs/r/container_cluster.html.markdown
@@ -381,6 +381,9 @@ Enable/Disable Security Posture API features for the cluster. Structure is [docu
 * `fleet` - (Optional)
 Fleet configuration for the cluster. Structure is [documented below](#nested_fleet).
 
+* `workload_alts_config` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html))
+  Configuration for [direct-path (via ALTS) with workload identity.](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#workloadaltsconfig). Structure is [documented below](#nested_workload_alts_config).
+
 <a name="nested_default_snat_status"></a>The `default_snat_status` block supports
 
 *  `disabled` - (Required) Whether the cluster disables default in-node sNAT rules. In-node sNAT rules will be disabled when defaultSnatStatus is disabled.When disabled is set to false, default IP masquerade rules will be applied to the nodes to prevent sNAT on cluster internal traffic
@@ -1295,6 +1298,9 @@ linux_node_config {
 
 * `project` - (Optional) The name of the Fleet host project where this cluster will be registered.
 
+<a name="nested_workload_alts_config"></a>The `workload_alts_config` block supports:
+
+* `enable_alts` - (Required) Whether the alts handshaker should be enabled or not for direct-path. Requires Workload Identity ([workloadPool]((#nested_workload_identity_config)) must be non-empty).
 
 ## Attributes Reference