Add admin_groups field to the containerattached resource. (#9300) (#1…

…6307) * Add admin_groups field to the containerattached resource. * Fix whitespace --------- [upstream:2b8e116823807cf5e80bc989ce485f4a68ac9bbf] Signed-off-by: Modular Magician <magic-modules@google.com>
hashicorp · Oct 19, 2023 · b81706d · b81706d
1 parent 117cf22
commit b81706d
Show file tree

Hide file tree

Showing 5 changed files with 67 additions and 1 deletion.
diff --git a/.changelog/9300.txt b/.changelog/9300.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+containerattached: added `admin_groups` field to `google_container_attached_cluster` resource
+```
diff --git a/google/services/containerattached/resource_container_attached_cluster.go b/google/services/containerattached/resource_container_attached_cluster.go
@@ -168,6 +168,19 @@ Please refer to the field 'effective_annotations' for all of the annotations pre
 				MaxItems:    1,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
+						"admin_groups": {
+							Type:     schema.TypeList,
+							Optional: true,
+							Description: `Groups that can perform operations as a cluster admin. A managed
+ClusterRoleBinding will be created to grant the 'cluster-admin' ClusterRole
+to the groups. Up to ten admin groups can be provided.
+
+For more info on RBAC, see
+https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles`,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+						},
 						"admin_users": {
 							Type:     schema.TypeList,
 							Optional: true,
@@ -743,9 +756,12 @@ func resourceContainerAttachedClusterUpdate(d *schema.ResourceData, meta interfa
 	}
 	// The generated code sets the wrong masks for the following fields.
 	newUpdateMask := []string{}
-	if d.HasChange("authorization") {
+	if d.HasChange("authorization.0.admin_users") {
 		newUpdateMask = append(newUpdateMask, "authorization.admin_users")
 	}
+	if d.HasChange("authorization.0.admin_groups") {
+		newUpdateMask = append(newUpdateMask, "authorization.admin_groups")
+	}
 	if d.HasChange("logging_config") {
 		newUpdateMask = append(newUpdateMask, "logging_config.component_config.enable_components")
 	}
@@ -1079,6 +1095,10 @@ func flattenContainerAttachedClusterErrorsMessage(v interface{}, d *schema.Resou
 //	     { username = "user1" },
 //	     { username = "user2" }
 //	   ]
+//	   admin_groups [
+//	     { group = "group1" },
+//	     { group = "group2" },
+//	   ]
 //	}
 //
 // The custom flattener transforms input back into something like this:
@@ -1088,6 +1108,10 @@ func flattenContainerAttachedClusterErrorsMessage(v interface{}, d *schema.Resou
 //	     "user1",
 //	     "user2"
 //	   ]
+//	   admin_groups = [
+//	     "group1",
+//	     "group2"
+//	   ],
 //	}
 func flattenContainerAttachedClusterAuthorization(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	if v == nil {
@@ -1102,6 +1126,13 @@ func flattenContainerAttachedClusterAuthorization(v interface{}, d *schema.Resou
 			transformed["admin_users"][i] = u.(map[string]interface{})["username"].(string)
 		}
 	}
+	orig = v.(map[string]interface{})["adminGroups"].([]interface{})
+	transformed["admin_groups"] = make([]string, len(orig))
+	for i, u := range orig {
+		if u != nil {
+			transformed["admin_groups"][i] = u.(map[string]interface{})["group"].(string)
+		}
+	}
 
 	return []interface{}{transformed}
 }
@@ -1284,13 +1315,21 @@ type attachedClusterUser struct {
 	Username string `json:"username"`
 }
 
+type attachedClusterGroup struct {
+	Group string `json:"group"`
+}
+
 // The custom expander transforms input into something like this:
 //
 //	authorization {
 //	   admin_users [
 //	     { username = "user1" },
 //	     { username = "user2" }
 //	   ]
+//	   admin_groups [
+//	     { group = "group1" },
+//	     { group = "group2" },
+//	   ]
 //	}
 //
 // The custom flattener transforms input back into something like this:
@@ -1300,6 +1339,10 @@ type attachedClusterUser struct {
 //	     "user1",
 //	     "user2"
 //	   ]
+//	   admin_groups = [
+//	     "group1",
+//	     "group2"
+//	   ],
 //	}
 func expandContainerAttachedClusterAuthorization(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	l := v.([]interface{})
@@ -1315,6 +1358,13 @@ func expandContainerAttachedClusterAuthorization(v interface{}, d tpgresource.Te
 			transformed["admin_users"][i] = attachedClusterUser{Username: u.(string)}
 		}
 	}
+	orig = raw.(map[string]interface{})["admin_groups"].([]interface{})
+	transformed["admin_groups"] = make([]interface{}, len(orig))
+	for i, u := range orig {
+		if u != nil {
+			transformed["admin_groups"][i] = attachedClusterGroup{Group: u.(string)}
+		}
+	}
 	return transformed, nil
 }
 

diff --git a/google/services/containerattached/resource_container_attached_cluster_generated_test.go b/google/services/containerattached/resource_container_attached_cluster_generated_test.go
@@ -128,6 +128,7 @@ resource "google_container_attached_cluster" "primary" {
   }
   authorization {
     admin_users = [ "user1@example.com", "user2@example.com"]
+    admin_groups = [ "group1@example.com", "group2@example.com"]
   }
   oidc_config {
       issuer_url = "https://oidc.issuer.url"

diff --git a/google/services/containerattached/resource_container_attached_cluster_update_test.go b/google/services/containerattached/resource_container_attached_cluster_update_test.go
@@ -73,6 +73,7 @@ resource "google_container_attached_cluster" "primary" {
   }
   authorization {
     admin_users = [ "user1@example.com", "user2@example.com"]
+    admin_groups = [ "group1@example.com", "group2@example.com"]
   }
   oidc_config {
       issuer_url = "https://oidc.issuer.url"
@@ -121,6 +122,7 @@ resource "google_container_attached_cluster" "primary" {
   }
   authorization {
     admin_users = [ "user2@example.com", "user3@example.com"]
+    admin_groups = [ "group3@example.com"]
   }
   oidc_config {
       issuer_url = "https://oidc.issuer.url"
@@ -167,6 +169,7 @@ resource "google_container_attached_cluster" "primary" {
   }
   authorization {
     admin_users = [ "user2@example.com", "user3@example.com"]
+    admin_groups = [ "group3@example.com"]
   }
   oidc_config {
       issuer_url = "https://oidc.issuer.url"

diff --git a/website/docs/r/container_attached_cluster.html.markdown b/website/docs/r/container_attached_cluster.html.markdown
@@ -89,6 +89,7 @@ resource "google_container_attached_cluster" "primary" {
   }
   authorization {
     admin_users = [ "user1@example.com", "user2@example.com"]
+    admin_groups = [ "group1@example.com", "group2@example.com"]
   }
   oidc_config {
       issuer_url = "https://oidc.issuer.url"
@@ -281,6 +282,14 @@ The following arguments are supported:
   For more info on RBAC, see
   https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
 
+* `admin_groups` -
+  (Optional)
+  Groups that can perform operations as a cluster admin. A managed
+  ClusterRoleBinding will be created to grant the `cluster-admin` ClusterRole
+  to the groups. Up to ten admin groups can be provided.
+  For more info on RBAC, see
+  https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+
 <a name="nested_monitoring_config"></a>The `monitoring_config` block supports:
 
 * `managed_prometheus_config` -