From c13e50f4b50a9ab9e5221a8d6187722b30e3e2e5 Mon Sep 17 00:00:00 2001 From: Aleksandr Averbukh Date: Tue, 1 Aug 2023 21:11:23 +0200 Subject: [PATCH] Allow setting enable_private_endpoint on creation time for PSC Based Clusters (#8492) * Allow setting enable_private_endpoint on creation time for PSC Based clusters * Update tests since enablePrivateEndpoint now can be set on cluster creation time * Put back accidentally removed test func --- .../resource_container_cluster.go.erb | 54 ++++++++++++++++++- .../resource_container_cluster_test.go.erb | 29 ---------- 2 files changed, 53 insertions(+), 30 deletions(-) diff --git a/mmv1/third_party/terraform/services/container/resource_container_cluster.go.erb b/mmv1/third_party/terraform/services/container/resource_container_cluster.go.erb index f6acdcf06196..a813d5ba843a 100644 --- a/mmv1/third_party/terraform/services/container/resource_container_cluster.go.erb +++ b/mmv1/third_party/terraform/services/container/resource_container_cluster.go.erb @@ -1592,7 +1592,7 @@ func ResourceContainerCluster() *schema.Resource { Optional: true, AtLeastOneOf: privateClusterConfigKeys, DiffSuppressFunc: containerClusterPrivateClusterConfigSuppress, - Description: `When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable_private_nodes is true.`, + Description: `When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used.`, }, "enable_private_nodes": { Type: schema.TypeBool, @@ -2286,6 +2286,14 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er cluster.SecurityPostureConfig = expandSecurityPostureConfig(v) } + // For now PSC based cluster don't support `enable_private_endpoint` on `create`, but only on `update` API call. + // If cluster is PSC based and enable_private_endpoint is set to true we will ignore it on `create` call and update cluster right after creation. + enablePrivateEndpointPSCCluster := isEnablePrivateEndpointPSCCluster(cluster) + if enablePrivateEndpointPSCCluster { + cluster.PrivateClusterConfig.EnablePrivateEndpoint = false + } + + req := &container.CreateClusterRequest{ Cluster: cluster, } @@ -2373,6 +2381,34 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er } } + if enablePrivateEndpointPSCCluster { + name := containerClusterFullName(project, location, clusterName) + req := &container.UpdateClusterRequest{ + Update: &container.ClusterUpdate{ + DesiredEnablePrivateEndpoint: true, + ForceSendFields: []string{"DesiredEnablePrivateEndpoint"}, + }, + } + + err = transport_tpg.Retry(transport_tpg.RetryOptions{ + RetryFunc: func() error { + clusterUpdateCall := config.NewContainerClient(userAgent).Projects.Locations.Clusters.Update(name, req) + if config.UserProjectOverride { + clusterUpdateCall.Header().Add("X-Goog-User-Project", project) + } + op, err = clusterUpdateCall.Do() + return err + }, + }) + if err != nil { + return errwrap.Wrapf("Error updating enable private endpoint: {{err}}", err) + } + + err = ContainerOperationWait(config, op, project, location, "updating enable private endpoint", userAgent, d.Timeout(schema.TimeoutCreate)) + if err != nil { + return errwrap.Wrapf("Error while waiting to enable private endpoint: {{err}}", err) + } + } if err := resourceContainerClusterRead(d, meta); err != nil { return err @@ -4725,6 +4761,22 @@ func expandNetworkPolicy(configured interface{}) *container.NetworkPolicy { return result } +func isEnablePrivateEndpointPSCCluster(cluster *container.Cluster) bool { + // EnablePrivateEndpoint not provided + if cluster == nil || cluster.PrivateClusterConfig == nil { + return false + } + // Not a PSC cluster + if cluster.PrivateClusterConfig.EnablePrivateNodes || len(cluster.PrivateClusterConfig.MasterIpv4CidrBlock) > 0 { + return false + } + // PSC Cluster with EnablePrivateEndpoint + if cluster.PrivateClusterConfig.EnablePrivateEndpoint { + return true + } + return false +} + func expandPrivateClusterConfig(configured interface{}) *container.PrivateClusterConfig { l := configured.([]interface{}) if len(l) == 0 { diff --git a/mmv1/third_party/terraform/tests/resource_container_cluster_test.go.erb b/mmv1/third_party/terraform/tests/resource_container_cluster_test.go.erb index 40ef761dd4a1..cd510fa9f630 100644 --- a/mmv1/third_party/terraform/tests/resource_container_cluster_test.go.erb +++ b/mmv1/third_party/terraform/tests/resource_container_cluster_test.go.erb @@ -4745,15 +4745,6 @@ func TestAccContainerCluster_withEnablePrivateEndpointToggle(t *testing.T) { ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), CheckDestroy: testAccCheckContainerClusterDestroyProducer(t), Steps: []resource.TestStep{ - { - Config: testAccContainerCluster_withoutEnablePrivateEndpoint(clusterName), - }, - { - ResourceName: "google_container_cluster.with_enable_private_endpoint", - ImportState: true, - ImportStateVerify: true, - ImportStateVerifyIgnore: []string{"min_master_version"}, - }, { Config: testAccContainerCluster_withEnablePrivateEndpoint(clusterName, "true"), }, @@ -4828,26 +4819,6 @@ resource "google_container_cluster" "with_enable_private_endpoint" { `, clusterName, flag) } -func testAccContainerCluster_withoutEnablePrivateEndpoint(clusterName string) string { - - return fmt.Sprintf(` -data "google_container_engine_versions" "uscentral1a" { - location = "us-central1-a" -} - -resource "google_container_cluster" "with_enable_private_endpoint" { - name = "%s" - location = "us-central1-a" - min_master_version = data.google_container_engine_versions.uscentral1a.release_channel_latest_version["STABLE"] - initial_node_count = 1 - - master_authorized_networks_config { - gcp_public_cidrs_access_enabled = false - } -} -`, clusterName) -} - func testAccContainerCluster_regionalWithNodePool(cluster, nodePool string) string { return fmt.Sprintf(` resource "google_container_cluster" "regional" {