Handle GKE cluster client cert settings correctly
Signed-off-by: Modular Magician <magic-modules@google.com>
rileykarson authored and modular-magician committed May 30, 2019
1 parent 1f5ab66 commit 84a496e
Showing 2 changed files with 31 additions and 42 deletions.
67 changes: 28 additions & 39 deletions google/resource_container_cluster.go
Expand Up @@ -342,19 +342,22 @@ func resourceContainerCluster() *schema.Resource {
Optional: true,
},

// Ideally, this would be Optional (and not Computed).
// In past versions (incl. 2.X series) of the provider
// though, being unset was considered identical to set
// and the issue_client_certificate value being true.
"client_certificate_config": {
Type: schema.TypeList,
MaxItems: 1,
Optional: true,
DiffSuppressFunc: masterAuthClientCertCfgSuppress,
ForceNew: true,
Type: schema.TypeList,
MaxItems: 1,
Optional: true,
Computed: true,
ForceNew: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"issue_client_certificate": {
Type: schema.TypeBool,
Required: true,
ForceNew: true,
DiffSuppressFunc: masterAuthClientCertCfgSuppress,
Type: schema.TypeBool,
Required: true,
ForceNew: true,
},
},
},
Expand Down Expand Up @@ -1660,12 +1663,15 @@ func expandMasterAuth(configured interface{}) *containerBeta.MasterAuth {
Username: masterAuth["username"].(string),
Password: masterAuth["password"].(string),
}

if _, ok := masterAuth["client_certificate_config"]; ok {
if len(masterAuth["client_certificate_config"].([]interface{})) > 0 {
clientCertificateConfig := masterAuth["client_certificate_config"].([]interface{})[0].(map[string]interface{})
if _, ok := clientCertificateConfig["issue_client_certificate"]; ok {

// The value will be in the map whether true or false
if v, ok := clientCertificateConfig["issue_client_certificate"]; ok {
result.ClientCertificateConfig = &containerBeta.ClientCertificateConfig{
IssueClientCertificate: clientCertificateConfig["issue_client_certificate"].(bool),
IssueClientCertificate: v.(bool),
}
}
}
Expand Down Expand Up @@ -1879,11 +1885,18 @@ func flattenMasterAuth(ma *containerBeta.MasterAuth) []map[string]interface{} {
"cluster_ca_certificate": ma.ClusterCaCertificate,
},
}
if len(ma.ClientCertificate) == 0 {
masterAuth[0]["client_certificate_config"] = []map[string]interface{}{
{"issue_client_certificate": false},
}

// No version of the GKE API returns the client_certificate_config value.
// Instead, we need to infer whether or not it was set based on the
// client cert being returned from the API or not.
// Previous versions of the provider didn't record anything in state when
// a client cert was enabled, only setting the block when it was false.
masterAuth[0]["client_certificate_config"] = []map[string]interface{}{
{
"issue_client_certificate": len(ma.ClientCertificate) != 0,
},
}

return masterAuth
}

Expand Down Expand Up @@ -1975,30 +1988,6 @@ func cidrOrSizeDiffSuppress(k, old, new string, d *schema.ResourceData) bool {
return strings.HasPrefix(new, "/") && strings.HasSuffix(old, new)
}

// We want to suppress diffs for empty or default client certificate configs, i.e:
// [{ "issue_client_certificate": true}] --> []
// [] -> [{ "issue_client_certificate": true}]
func masterAuthClientCertCfgSuppress(k, old, new string, r *schema.ResourceData) bool {
var clientConfig map[string]interface{}
if v, ok := r.GetOk("master_auth"); ok {
masterAuths := v.([]interface{})
masterAuth := masterAuths[0].(map[string]interface{})
cfgs := masterAuth["client_certificate_config"].([]interface{})
if len(cfgs) > 0 {
clientConfig = cfgs[0].(map[string]interface{})
}
}

if strings.HasSuffix(k, "client_certificate_config.#") && old == "0" && new == "1" {
// nil --> { "issue_client_certificate": true }
if issueCert, ok := clientConfig["issue_client_certificate"]; ok {
return issueCert.(bool)
}
}

return strings.HasSuffix(k, ".issue_client_certificate") && old == "" && new == "true"
}

// We want to suppress diffs for empty/disabled private cluster config.
func containerClusterPrivateClusterConfigSuppress(k, old, new string, d *schema.ResourceData) bool {
o, n := d.GetChange("private_cluster_config.0.enable_private_endpoint")
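Review bot: In the flattenMasterAuth hunk, `"issue_client_certificate": len(ma.ClientCertificate) != 0` ties a ForceNew attribute to whether the API happens to echo the client certificate in the read response, so any read where the certificate is absent for a reason other than the setting (a redacted or not-yet-populated field, an API change in what is returned) would flip the stored value from true to false and, for a user who set the block explicitly, plan a full cluster replacement. The comment above it explains the inference but not this consequence; I would add `// NOTE: issue_client_certificate is ForceNew, so a read that omits the cert for any other reason plans a cluster replacement.` so the next maintainer does not treat the inference as a plain cosmetic default. flattenMasterAuth starts outside the hunk, so whether a nil ma is guarded before `ma.ClientCertificate` is dereferenced is not visible here; worth confirming since the schema hunk now marks the block Computed and unset configs will always reach this path. The expandMasterAuth hunk keeps the unchecked `.([]interface{})` and `.(bool)` assertions from the old code, which is pre-existing and fine given the schema types.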
6 changes: 3 additions & 3 deletions website/docs/getting_started.html.markdown
Expand Up @@ -81,7 +81,7 @@ resource "google_compute_instance" "vm_instance" {
network_interface {
# A default network is created for all GCP projects
network = "default"
access_config {
access_config = {
}
}
}
Expand Down Expand Up @@ -135,7 +135,7 @@ network_interface {
- # A default network is created for all GCP projects
- network = "default"
+ network = "${google_compute_network.vpc_network.self_link}"
access_config {
access_config = {
```

This means that when we create the VM instance, it will use
Expand Down Expand Up @@ -190,7 +190,7 @@ resource "google_compute_instance" "vm_instance" {
network_interface {
# A default network is created for all GCP projects
network = "${google_compute_network.vpc_network.self_link}"
access_config {
access_config = {
}
}
}
