Add deletion_protection to container cluster

.changelog/9013.txt

@@ -0,0 +1,3 @@
+```release-note:breaking-change
+container: `google_container_cluster` now has `deletion_protection` enabled to `true` by default. When enabled, this field prevents Terraform from deleting the resource.
+```

google/services/compute/resource_compute_instance_group_named_port_generated_test.go

@@ -35,7 +35,8 @@ func TestAccComputeInstanceGroupNamedPort_instanceGroupNamedPortGkeExample(t *te
 	t.Parallel()
 
 	context := map[string]interface{}{
-		"random_suffix": acctest.RandString(t, 10),
+		"deletion_protection": false,
+		"random_suffix":       acctest.RandString(t, 10),
 	}
 
 	acctest.VcrTest(t, resource.TestCase{
@@ -98,6 +99,7 @@ resource "google_container_cluster" "my_cluster" {
     cluster_ipv4_cidr_block  = "/19"
     services_ipv4_cidr_block = "/22"
   }
+  deletion_protection  = "%{deletion_protection}"
 }
 `, context)
 }

google/services/compute/resource_compute_network_peering_routes_config_generated_test.go

@@ -90,7 +90,8 @@ func TestAccComputeNetworkPeeringRoutesConfig_networkPeeringRoutesConfigGkeExamp
 	t.Parallel()
 
 	context := map[string]interface{}{
-		"random_suffix": acctest.RandString(t, 10),
+		"deletion_protection": false,
+		"random_suffix":       acctest.RandString(t, 10),
 	}
 
 	acctest.VcrTest(t, resource.TestCase{
@@ -163,6 +164,7 @@ resource "google_container_cluster" "private_cluster" {
     cluster_secondary_range_name  = google_compute_subnetwork.container_subnetwork.secondary_ip_range[0].range_name
     services_secondary_range_name = google_compute_subnetwork.container_subnetwork.secondary_ip_range[1].range_name
   }
+  deletion_protection  = "%{deletion_protection}"
 }
 `, context)
 }

google/services/container/data_source_google_container_cluster_test.go

@@ -28,6 +28,7 @@ func TestAccContainerClusterDatasource_zonal(t *testing.T) {
 							"enable_autopilot":             {},
 							"enable_tpu":                   {},
 							"pod_security_policy_config.#": {},
+							"deletion_protection":          {},
 						},
 					),
 				),
@@ -54,6 +55,7 @@ func TestAccContainerClusterDatasource_regional(t *testing.T) {
 							"enable_autopilot":             {},
 							"enable_tpu":                   {},
 							"pod_security_policy_config.#": {},
+							"deletion_protection":          {},
 						},
 					),
 				),
@@ -68,6 +70,7 @@ resource "google_container_cluster" "kubes" {
   name               = "tf-test-cluster-%s"
   location           = "us-central1-a"
   initial_node_count = 1
+  deletion_protection = false
 }
 
 data "google_container_cluster" "kubes" {
@@ -83,6 +86,7 @@ resource "google_container_cluster" "kubes" {
   name               = "tf-test-cluster-%s"
   location           = "us-central1"
   initial_node_count = 1
+  deletion_protection = false
 }
 
 data "google_container_cluster" "kubes" {

google/services/container/resource_container_cluster.go

@@ -192,8 +192,15 @@ func ResourceContainerCluster() *schema.Resource {
 			Delete: schema.DefaultTimeout(40 * time.Minute),
 		},
 
-		SchemaVersion: 1,
+		SchemaVersion: 2,
 		MigrateState:  resourceContainerClusterMigrateState,
+		StateUpgraders: []schema.StateUpgrader{
+			{
+				Type:    resourceContainerClusterResourceV1().CoreConfigSchema().ImpliedType(),
+				Upgrade: ResourceContainerClusterUpgradeV1,
+				Version: 1,
+			},
+		},
 
 		Importer: &schema.ResourceImporter{
 			State: resourceContainerClusterStateImporter,
@@ -249,6 +256,13 @@ func ResourceContainerCluster() *schema.Resource {
 				Description: `The list of zones in which the cluster's nodes are located. Nodes must be in the region of their regional cluster or in the same region as their cluster's zone for zonal clusters. If this is specified for a zonal cluster, omit the cluster's zone.`,
 			},
 
+			"deletion_protection": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     true,
+				Description: `Whether or not to allow Terraform to destroy the instance. Defaults to true. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail.`,
+			},
+
 			"addons_config": {
 				Type:        schema.TypeList,
 				Optional:    true,
@@ -3636,6 +3650,9 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er
 }
 
 func resourceContainerClusterDelete(d *schema.ResourceData, meta interface{}) error {
+	if d.Get("deletion_protection").(bool) {
+		return fmt.Errorf("Cannot destroy cluster because deletion_protection is set to true. Set it to false to proceed with instance deletion.")
+	}
 	config := meta.(*transport_tpg.Config)
 	userAgent, err := tpgresource.GenerateUserAgentString(d, config.UserAgent)
 	if err != nil {
@@ -5394,6 +5411,11 @@ func resourceContainerClusterStateImporter(d *schema.ResourceData, meta interfac
 	if err := d.Set("location", location); err != nil {
 		return nil, fmt.Errorf("Error setting location: %s", err)
 	}
+
+	if err := d.Set("deletion_protection", true); err != nil {
+		return nil, fmt.Errorf("Error setting deletion_protection: %s", err)
+	}
+
 	if _, err := containerClusterAwaitRestingState(config, project, location, clusterName, userAgent, d.Timeout(schema.TimeoutCreate)); err != nil {
 		return nil, err
 	}

google/services/container/resource_container_cluster_migrate.go

@@ -23,6 +23,9 @@ func resourceContainerClusterMigrateState(
 	case 0:
 		log.Println("[INFO] Found Container Cluster State v0; migrating to v1")
 		return migrateClusterStateV0toV1(is)
+	case 1:
+		log.Println("[INFO] Found Container Cluster State v1 in legacy migration function; returning as non-op")
+		return is, nil
 	default:
 		return is, fmt.Errorf("Unexpected schema version: %d", v)
 	}