GoogleCloudPlatform · hao-nan-li · Aug 1, 2023 · Jul 30, 2023 · Jul 31, 2023 · Aug 1, 2023
diff --git a/mmv1/third_party/terraform/services/container/resource_container_cluster.go.erb b/mmv1/third_party/terraform/services/container/resource_container_cluster.go.erb
@@ -1592,7 +1592,7 @@ func ResourceContainerCluster() *schema.Resource {
 							Optional:         true,
 							AtLeastOneOf:     privateClusterConfigKeys,
 							DiffSuppressFunc: containerClusterPrivateClusterConfigSuppress,
-							Description:      `When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable_private_nodes is true.`,
+							Description:      `When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used.`,
 						},
 						"enable_private_nodes": {
 							Type:             schema.TypeBool,
@@ -2286,6 +2286,14 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
 		cluster.SecurityPostureConfig = expandSecurityPostureConfig(v)
 	}
 
+	// For now PSC based cluster don't support `enable_private_endpoint` on `create`, but only on `update` API call.
+    // If cluster is PSC based and enable_private_endpoint is set to true we will ignore it on `create` call and update cluster right after creation.
+	enablePrivateEndpointPSCCluster := isEnablePrivateEndpointPSCCluster(cluster)
+	if enablePrivateEndpointPSCCluster {
+		cluster.PrivateClusterConfig.EnablePrivateEndpoint = false
+	}
+
+
 	req := &container.CreateClusterRequest{
 		Cluster: cluster,
 	}
@@ -2373,6 +2381,34 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
 		}
 	}
 
+	if enablePrivateEndpointPSCCluster {
+		name := containerClusterFullName(project, location, clusterName)
+		req := &container.UpdateClusterRequest{
+			Update: &container.ClusterUpdate{
+				DesiredEnablePrivateEndpoint: true,
+				ForceSendFields:              []string{"DesiredEnablePrivateEndpoint"},
+			},
+		}
+
+		err = transport_tpg.Retry(transport_tpg.RetryOptions{
+			RetryFunc: func() error {
+				clusterUpdateCall := config.NewContainerClient(userAgent).Projects.Locations.Clusters.Update(name, req)
+				if config.UserProjectOverride {
+					clusterUpdateCall.Header().Add("X-Goog-User-Project", project)
+				}
+				op, err = clusterUpdateCall.Do()
+				return err
+			},
+		})
+		if err != nil {
+			return errwrap.Wrapf("Error updating enable private endpoint: {{err}}", err)
+		}
+
+		err = ContainerOperationWait(config, op, project, location, "updating enable private endpoint", userAgent, d.Timeout(schema.TimeoutCreate))
+		if err != nil {
+			return errwrap.Wrapf("Error while waiting to enable private endpoint: {{err}}", err)
+		}
+	}
 
 	if err := resourceContainerClusterRead(d, meta); err != nil {
 		return err
@@ -4725,6 +4761,22 @@ func expandNetworkPolicy(configured interface{}) *container.NetworkPolicy {
 	return result
 }
 
+func isEnablePrivateEndpointPSCCluster(cluster *container.Cluster) bool {
+	// EnablePrivateEndpoint not provided
+	if cluster == nil || cluster.PrivateClusterConfig == nil {
+		return false
+	}
+	// Not a PSC cluster
+	if cluster.PrivateClusterConfig.EnablePrivateNodes || len(cluster.PrivateClusterConfig.MasterIpv4CidrBlock) > 0 {
+		return false
+	}
+	// PSC Cluster with EnablePrivateEndpoint
+	if cluster.PrivateClusterConfig.EnablePrivateEndpoint {
+		return true
+	}
+	return false
+}
+
 func expandPrivateClusterConfig(configured interface{}) *container.PrivateClusterConfig {
 	l := configured.([]interface{})
 	if len(l) == 0 {

diff --git a/mmv1/third_party/terraform/tests/resource_container_cluster_test.go.erb b/mmv1/third_party/terraform/tests/resource_container_cluster_test.go.erb
@@ -4745,15 +4745,6 @@ func TestAccContainerCluster_withEnablePrivateEndpointToggle(t *testing.T) {
 		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
 		CheckDestroy: testAccCheckContainerClusterDestroyProducer(t),
 		Steps: []resource.TestStep{
-			{
-				Config: testAccContainerCluster_withoutEnablePrivateEndpoint(clusterName),
-			},
-			{
-				ResourceName:				"google_container_cluster.with_enable_private_endpoint",
-				ImportState:				true,
-				ImportStateVerify:			true,
-				ImportStateVerifyIgnore:	[]string{"min_master_version"},
-			},
 			{
 				Config: testAccContainerCluster_withEnablePrivateEndpoint(clusterName, "true"),
 			},
@@ -4828,26 +4819,6 @@ resource "google_container_cluster" "with_enable_private_endpoint" {
 `, clusterName, flag)
 }
 
-func testAccContainerCluster_withoutEnablePrivateEndpoint(clusterName string) string {
-
-	return fmt.Sprintf(`
-data "google_container_engine_versions" "uscentral1a" {
-  location = "us-central1-a"
-}
-
-resource "google_container_cluster" "with_enable_private_endpoint" {
-  name               = "%s"
-  location           = "us-central1-a"
-  min_master_version = data.google_container_engine_versions.uscentral1a.release_channel_latest_version["STABLE"]
-  initial_node_count = 1
-
-  master_authorized_networks_config {
-    gcp_public_cidrs_access_enabled = false
-  }
-}
-`, clusterName)
-}
-
 func testAccContainerCluster_regionalWithNodePool(cluster, nodePool string) string {
 	return fmt.Sprintf(`
 resource "google_container_cluster" "regional" {