diff --git a/.changelog/8492.txt b/.changelog/8492.txt new file mode 100644 index 00000000000..ae0fedc08ec --- /dev/null +++ b/.changelog/8492.txt @@ -0,0 +1,3 @@ +```release-note:enhancement + +``` diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go index 3f96794d739..c898ec06d48 100644 --- a/google/resource_container_cluster_test.go +++ b/google/resource_container_cluster_test.go @@ -4046,15 +4046,6 @@ func TestAccContainerCluster_withEnablePrivateEndpointToggle(t *testing.T) { ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), CheckDestroy: testAccCheckContainerClusterDestroyProducer(t), Steps: []resource.TestStep{ - { - Config: testAccContainerCluster_withoutEnablePrivateEndpoint(clusterName), - }, - { - ResourceName: "google_container_cluster.with_enable_private_endpoint", - ImportState: true, - ImportStateVerify: true, - ImportStateVerifyIgnore: []string{"min_master_version"}, - }, { Config: testAccContainerCluster_withEnablePrivateEndpoint(clusterName, "true"), }, @@ -4129,26 +4120,6 @@ resource "google_container_cluster" "with_enable_private_endpoint" { `, clusterName, flag) } -func testAccContainerCluster_withoutEnablePrivateEndpoint(clusterName string) string { - - return fmt.Sprintf(` -data "google_container_engine_versions" "uscentral1a" { - location = "us-central1-a" -} - -resource "google_container_cluster" "with_enable_private_endpoint" { - name = "%s" - location = "us-central1-a" - min_master_version = data.google_container_engine_versions.uscentral1a.release_channel_latest_version["STABLE"] - initial_node_count = 1 - - master_authorized_networks_config { - gcp_public_cidrs_access_enabled = false - } -} -`, clusterName) -} - func testAccContainerCluster_regionalWithNodePool(cluster, nodePool string) string { return fmt.Sprintf(` resource "google_container_cluster" "regional" { 
diff --git a/google/services/container/resource_container_cluster.go b/google/services/container/resource_container_cluster.go
index 50fcfed0a28..97ae85aaed2 100644
--- a/google/services/container/resource_container_cluster.go
+++ b/google/services/container/resource_container_cluster.go
@@ -1385,7 +1385,7 @@ func ResourceContainerCluster() *schema.Resource {
 Optional: true,
 AtLeastOneOf: privateClusterConfigKeys,
 DiffSuppressFunc: containerClusterPrivateClusterConfigSuppress,
-Description: `When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable_private_nodes is true.`,
+Description: `When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used.`,
 },
 "enable_private_nodes": {
 Type: schema.TypeBool,
@@ -2002,6 +2002,13 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
 cluster.SecurityPostureConfig = expandSecurityPostureConfig(v)
 }
 
+// For now PSC based cluster don't support `enable_private_endpoint` on `create`, but only on `update` API call.
+// If cluster is PSC based and enable_private_endpoint is set to true we will ignore it on `create` call and update cluster right after creation.
+enablePrivateEndpointPSCCluster := isEnablePrivateEndpointPSCCluster(cluster)
+if enablePrivateEndpointPSCCluster {
+cluster.PrivateClusterConfig.EnablePrivateEndpoint = false
+}
+
 req := &container.CreateClusterRequest{
 Cluster: cluster,
 }
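Review bot: The comment above `enablePrivateEndpointPSCCluster := isEnablePrivateEndpointPSCCluster(cluster)` is hard to read and does not say what the assignment on the next line actually does, which is to drop the user's requested value from the create request so the cluster is first created with its public endpoint enabled. I would reword it as `// PSC-based clusters do not yet accept enable_private_endpoint on create, only on update;` / `// send false here and apply the requested value with an update call right after creation.` The enclosing resourceContainerClusterCreate starts and ends outside this hunk, and the follow-up update this comment refers to lives in a later hunk of the same function.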
@@ -2089,6 +2096,35 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
 }
 }
 
+if enablePrivateEndpointPSCCluster {
+name := containerClusterFullName(project, location, clusterName)
+req := &container.UpdateClusterRequest{
+Update: &container.ClusterUpdate{
+DesiredEnablePrivateEndpoint: true,
+ForceSendFields: []string{"DesiredEnablePrivateEndpoint"},
+},
+}
+
+err = transport_tpg.Retry(transport_tpg.RetryOptions{
+RetryFunc: func() error {
+clusterUpdateCall := config.NewContainerClient(userAgent).Projects.Locations.Clusters.Update(name, req)
+if config.UserProjectOverride {
+clusterUpdateCall.Header().Add("X-Goog-User-Project", project)
+}
+op, err = clusterUpdateCall.Do()
+return err
+},
+})
+if err != nil {
+return errwrap.Wrapf("Error updating enable private endpoint: {{err}}", err)
+}
+
+err = ContainerOperationWait(config, op, project, location, "updating enable private endpoint", userAgent, d.Timeout(schema.TimeoutCreate))
+if err != nil {
+return errwrap.Wrapf("Error while waiting to enable private endpoint: {{err}}", err)
+}
+}
+
 if err := resourceContainerClusterRead(d, meta); err != nil {
 return err
 }
@@ -4183,6 +4219,22 @@ func expandNetworkPolicy(configured interface{}) *container.NetworkPolicy {
 return result
 }
 
+func isEnablePrivateEndpointPSCCluster(cluster *container.Cluster) bool {
+// EnablePrivateEndpoint not provided
+if cluster == nil || cluster.PrivateClusterConfig == nil {
+return false
+}
+// Not a PSC cluster
+if cluster.PrivateClusterConfig.EnablePrivateNodes || len(cluster.PrivateClusterConfig.MasterIpv4CidrBlock) > 0 {
+return false
+}
+// PSC Cluster with EnablePrivateEndpoint
+if cluster.PrivateClusterConfig.EnablePrivateEndpoint {
+return true
+}
+return false
+}
+
 func expandPrivateClusterConfig(configured interface{}) *container.PrivateClusterConfig {
 l := configured.([]interface{})
 if len(l) == 0 {
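Review bot: The block starting at `if enablePrivateEndpointPSCCluster {` leaves an unstated window in which a cluster the user declared private exists with its public endpoint enabled: the create call went out with EnablePrivateEndpoint forced to false, and the endpoint only becomes private once this Update and its ContainerOperationWait complete. If the Retry or the wait returns an error, the function returns with the cluster still in that public-endpoint state, and neither wrapped message tells the operator so; I would say it in a comment at the top of the block, `// The cluster was created with the public endpoint enabled; it stays reachable that way until this update completes, and remains so if the update fails.`, and extend the first error to `"Error updating enable private endpoint (cluster was created with public endpoint enabled): {{err}}"`. The closure assigns to `op` and `err` rather than declaring them, so it presumably relies on variables declared earlier in resourceContainerClusterCreate, which begins and ends outside this hunk.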
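Review bot: `isEnablePrivateEndpointPSCCluster` has no doc comment, and the PSC classification it encodes (a PrivateClusterConfig with neither EnablePrivateNodes nor a MasterIpv4CidrBlock) is a non-obvious rule that callers will rely on, so it should be stated rather than left to the inline `// Not a PSC cluster`. I would add `// isEnablePrivateEndpointPSCCluster reports whether cluster is treated as PSC-based (private cluster config without private nodes or a master IPv4 CIDR block) and requests enable_private_endpoint, which the create API does not accept for such clusters.` The final `if ... { return true }` followed by `return false` can simply be `return cluster.PrivateClusterConfig.EnablePrivateEndpoint`.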