diff --git a/mmv1/products/containerattached/Cluster.yaml b/mmv1/products/containerattached/Cluster.yaml index 25e24de25699..126fb11001e0 100644 --- a/mmv1/products/containerattached/Cluster.yaml +++ b/mmv1/products/containerattached/Cluster.yaml @@ -293,6 +293,16 @@ properties: ClusterRoleBinding will be created to grant the `cluster-admin` ClusterRole to the users. Up to ten admin users can be provided. + For more info on RBAC, see + https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles + item_type: Api::Type::String + - !ruby/object:Api::Type::Array + name: adminGroups + description: | + Groups that can perform operations as a cluster admin. A managed + ClusterRoleBinding will be created to grant the `cluster-admin` ClusterRole + to the groups. Up to ten admin groups can be provided. + For more info on RBAC, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles item_type: Api::Type::String diff --git a/mmv1/templates/terraform/custom_expand/containerattached_cluster_authorization_user.go.erb b/mmv1/templates/terraform/custom_expand/containerattached_cluster_authorization_user.go.erb index 83a5c1252680..6b837990ea41 100644 --- a/mmv1/templates/terraform/custom_expand/containerattached_cluster_authorization_user.go.erb +++ b/mmv1/templates/terraform/custom_expand/containerattached_cluster_authorization_user.go.erb @@ -17,12 +17,20 @@ type attachedClusterUser struct { Username string `json:"username"` } +type attachedClusterGroup struct { + Group string `json:"group"` +} + // The custom expander transforms input into something like this: // authorization { // admin_users [ // { username = "user1" }, // { username = "user2" } // ] +// admin_groups [ +// { group = "group1" }, +// { group = "group2" }, +// ] // } // The custom flattener transforms input back into something like this: // authorization { 
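Review bot: The new `adminGroups` description says the groups receive `cluster-admin`, but not what a group entry looks like or that access then follows group membership, which is managed outside this resource. I would add a sentence such as `Every member of a listed group receives cluster-admin; group membership is managed outside this resource.` and state the expected identifier form (the example in this commit uses `group1@example.com`). The "up to ten" limit appears only in the text; no size limit is visible on the property in this hunk, so an over-long list would presumably be rejected only by the API.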
@@ -30,13 +38,17 @@ type attachedClusterUser struct { // "user1", // "user2" // ] +// admin_groups = [ +// "group1", +// "group2" +// ], // } func expand<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) { - l := v.([]interface{}) + l := v.([]interface{}) if len(l) == 0 || l[0] == nil { return nil, nil } - raw := l[0] + raw := l[0] orig := raw.(map[string]interface{})["admin_users"].([]interface{}) transformed := make(map[string][]interface{}) transformed["admin_users"] = make([]interface{}, len(orig)) @@ -45,5 +57,12 @@ func expand<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d t transformed["admin_users"][i] = attachedClusterUser{ Username: u.(string) } } } + orig = raw.(map[string]interface{})["admin_groups"].([]interface{}) + transformed["admin_groups"] = make([]interface{}, len(orig)) + for i, u := range orig { + if u != nil { + transformed["admin_groups"][i] = attachedClusterGroup{ Group: u.(string) } + } + } return transformed, nil } diff --git a/mmv1/templates/terraform/custom_flatten/containerattached_cluster_authorization_user.go.erb b/mmv1/templates/terraform/custom_flatten/containerattached_cluster_authorization_user.go.erb index 3b01755ecd18..9c796dcc2fd7 100644 --- a/mmv1/templates/terraform/custom_flatten/containerattached_cluster_authorization_user.go.erb +++ b/mmv1/templates/terraform/custom_flatten/containerattached_cluster_authorization_user.go.erb @@ -19,6 +19,10 @@ // { username = "user1" }, // { username = "user2" } // ] +// admin_groups [ +// { group = "group1" }, +// { group = "group2" }, +// ] // } // The custom flattener transforms input back into something like this: // authorization { 
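Review bot: In the `@@ -45,5 +57,12` hunk, the added `raw.(map[string]interface{})["admin_groups"].([]interface{})` is an unchecked type assertion, so the expander panics rather than returning an error if the key is missing or nil; whether the SDK always populates it is not visible here. The comma-ok form avoids that: `orig, _ = raw.(map[string]interface{})["admin_groups"].([]interface{})`. A nil list element also leaves a nil slot in `transformed["admin_groups"]`, which would presumably be sent as `null` inside the list; skipping such entries or returning an error is safer for a field that grants `cluster-admin`. The function starts in the previous hunk.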
@@ -26,6 +30,10 @@ // "user1", // "user2" // ] +// admin_groups = [ +// "group1", +// "group2" +// ], // } func flatten<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} { if v == nil { @@ -40,6 +48,13 @@ func flatten<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d transformed["admin_users"][i] = u.(map[string]interface{})["username"].(string) } } + orig = v.(map[string]interface{})["adminGroups"].([]interface{}) + transformed["admin_groups"] = make([]string, len(orig)) + for i, u := range orig { + if u != nil { + transformed["admin_groups"][i] = u.(map[string]interface{})["group"].(string) + } + } return []interface{}{transformed} } diff --git a/mmv1/templates/terraform/examples/container_attached_cluster_full.tf.erb b/mmv1/templates/terraform/examples/container_attached_cluster_full.tf.erb index 09a593035331..8c55f267114b 100644 --- a/mmv1/templates/terraform/examples/container_attached_cluster_full.tf.erb +++ b/mmv1/templates/terraform/examples/container_attached_cluster_full.tf.erb @@ -17,6 +17,7 @@ resource "google_container_attached_cluster" "primary" { } authorization { admin_users = [ "user1@example.com", "user2@example.com"] + admin_groups = [ "group1@example.com", "group2@example.com"] } oidc_config { issuer_url = "https://oidc.issuer.url" diff --git a/mmv1/templates/terraform/pre_update/containerattached_update.go.erb b/mmv1/templates/terraform/pre_update/containerattached_update.go.erb index 6829140b837a..4c3c3a4cbe86 100644 --- a/mmv1/templates/terraform/pre_update/containerattached_update.go.erb +++ b/mmv1/templates/terraform/pre_update/containerattached_update.go.erb 
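Review bot: In the `@@ -40,6 +48,13` hunk, `v.(map[string]interface{})["adminGroups"].([]interface{})` panics when the response has no `adminGroups` key, which, if the API omits empty lists, would be the case for any cluster with admin users but no admin groups, including clusters created before this change. A panic in the flattener stops refresh and plan for the resource, so changes to its admin bindings can no longer be reviewed through Terraform. Use the comma-ok form, `orig, _ = v.(map[string]interface{})["adminGroups"].([]interface{})`, so a missing key yields an empty `admin_groups`. The inner `u.(map[string]interface{})["group"].(string)` has the same shape and would benefit from the same check. The function begins before this hunk.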
@@ -1,8 +1,11 @@ // The generated code sets the wrong masks for the following fields. newUpdateMask := []string{} -if d.HasChange("authorization") { +if d.HasChange("authorization.0.admin_users") { newUpdateMask = append(newUpdateMask, "authorization.admin_users") } +if d.HasChange("authorization.0.admin_groups") { + newUpdateMask = append(newUpdateMask, "authorization.admin_groups") +} if d.HasChange("logging_config") { newUpdateMask = append(newUpdateMask, "logging_config.component_config.enable_components") } diff --git a/mmv1/third_party/terraform/services/containerattached/resource_container_attached_cluster_update_test.go b/mmv1/third_party/terraform/services/containerattached/resource_container_attached_cluster_update_test.go index b5b28747a872..1ffd4f727393 100644 --- a/mmv1/third_party/terraform/services/containerattached/resource_container_attached_cluster_update_test.go +++ b/mmv1/third_party/terraform/services/containerattached/resource_container_attached_cluster_update_test.go @@ -71,6 +71,7 @@ resource "google_container_attached_cluster" "primary" { } authorization { admin_users = [ "user1@example.com", "user2@example.com"] + admin_groups = [ "group1@example.com", "group2@example.com"] } oidc_config { issuer_url = "https://oidc.issuer.url" @@ -119,6 +120,7 @@ resource "google_container_attached_cluster" "primary" { } authorization { admin_users = [ "user2@example.com", "user3@example.com"] + admin_groups = [ "group3@example.com"] } oidc_config { issuer_url = "https://oidc.issuer.url" @@ -165,6 +167,7 @@ resource "google_container_attached_cluster" "primary" { } authorization { admin_users = [ "user2@example.com", "user3@example.com"] + admin_groups = [ "group3@example.com"] } oidc_config { issuer_url = "https://oidc.issuer.url"
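Review bot: All three test configs touched here (the hunks at `@@ -71,6 +71,7`, `@@ -119,6 +120,7` and `@@ -165,6 +167,7`) set a non-empty `admin_groups`, so the test never covers a cluster with groups unset or a step that removes them. For a field that grants `cluster-admin`, the removal path is the one worth pinning: add a step whose `authorization` block has only `admin_users` and check that the following plan is empty. That step would also exercise the flattener on a response with no groups. The resource blocks continue outside these hunks.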