From 23e9c96e0b8b50eecb40b3948804e01df6f05e92 Mon Sep 17 00:00:00 2001 From: Grant Sorbo Date: Wed, 1 Mar 2023 12:36:00 -0600 Subject: [PATCH] feat: allow setting network tags on autopilot clusters (#1572) --- autogen/main/cluster.tf.tmpl | 10 ++++++++++ autogen/main/variables.tf.tmpl | 7 +++++++ examples/simple_autopilot_private/main.tf | 1 + examples/simple_autopilot_public/main.tf | 1 + modules/beta-autopilot-private-cluster/README.md | 1 + modules/beta-autopilot-private-cluster/cluster.tf | 8 ++++++++ modules/beta-autopilot-private-cluster/variables.tf | 5 +++++ modules/beta-autopilot-public-cluster/README.md | 1 + modules/beta-autopilot-public-cluster/cluster.tf | 8 ++++++++ modules/beta-autopilot-public-cluster/variables.tf | 5 +++++ .../simple_autopilot_private_test.go | 1 + .../simple_autopiliot_public_test.go | 2 +- 12 files changed, 49 insertions(+), 1 deletion(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 3c89358ec..dc5bc2f07 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -222,6 +222,16 @@ resource "google_container_cluster" "primary" { } } } +{% if autopilot_cluster %} + dynamic "node_pool_auto_config" { + for_each = length(var.network_tags) > 0 ? [1] : [] + content { + network_tags { + tags = var.network_tags + } + } + } +{% endif %} master_auth { client_certificate_config { diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 70bff0bcb..c0f83fba1 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl 
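Review bot: In the new `node_pool_auto_config` block, `for_each = length(var.network_tags) > 0 ? [1] : []` omits the whole block when the list is empty, so changing `network_tags` from a non-empty list back to `[]` sends no tag configuration rather than an empty one. Whether the provider then clears the tags already set on the cluster is not visible in this hunk. If it does not, the nodes keep matching any VPC firewall rule that targets the old tags while the Terraform configuration says there are none. I would confirm this with a test that applies with tags and then without, and record the outcome above the block, e.g. `# An empty var.network_tags omits this block; verify that previously applied tags are removed.` The same block is copied into modules/beta-autopilot-private-cluster/cluster.tf and modules/beta-autopilot-public-cluster/cluster.tf, and the resource body continues outside the hunk.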
@@ -292,6 +292,13 @@ variable "node_pools_oauth_scopes" { } {% endif %} +{% if autopilot_cluster %} +variable "network_tags" { + description = "(Optional, Beta) - List of network tags applied to auto-provisioned node pools." + type = list(string) + default = [] +} +{% endif %} variable "stub_domains" { type = map(list(string)) description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server" diff --git a/examples/simple_autopilot_private/main.tf b/examples/simple_autopilot_private/main.tf index ffbcd2e10..f732e5ec7 100644 --- a/examples/simple_autopilot_private/main.tf +++ b/examples/simple_autopilot_private/main.tf @@ -48,6 +48,7 @@ module "gke" { enable_private_endpoint = true enable_private_nodes = true master_ipv4_cidr_block = "172.16.0.0/28" + network_tags = [local.cluster_type] master_authorized_networks = [ { diff --git a/examples/simple_autopilot_public/main.tf b/examples/simple_autopilot_public/main.tf index fd55d5ff7..8d3214686 100644 --- a/examples/simple_autopilot_public/main.tf +++ b/examples/simple_autopilot_public/main.tf @@ -44,4 +44,5 @@ module "gke" { ip_range_services = local.svc_range_name release_channel = "REGULAR" enable_vertical_pod_autoscaling = true + network_tags = [local.cluster_type] } diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index eac371538..08372212c 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md 
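Review bot: The description of the added `network_tags` variable does not say that network tags are what VPC firewall rules use to select instances, so a reader cannot tell that this value changes which ingress and egress rules apply to the Autopilot nodes. I would extend it to `description = "(Optional, Beta) - List of network tags applied to auto-provisioned node pools. VPC firewall rules that target these tags apply to the cluster's nodes."`. The same text is generated into both modules' variables.tf and README.md, so those need regenerating. The list is also passed through unchecked; a `validation` block that rejects empty or malformed tags would surface mistakes at plan time, provided the module's minimum Terraform version supports it.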
@@ -115,6 +115,7 @@ Then perform the following commands on the root folder: | name | The name of the cluster (required) | `string` | n/a | yes | | network | The VPC network to host the cluster in (required) | `string` | n/a | yes | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | +| network\_tags | (Optional, Beta) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 2c4a80cb1..9d40a5aa5 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -94,6 +94,14 @@ resource "google_container_cluster" "primary" { } } } + dynamic "node_pool_auto_config" { + for_each = length(var.network_tags) > 0 ? [1] : [] + content { + network_tags { + tags = var.network_tags + } + } + } master_auth { client_certificate_config { diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 4bdde1afe..fa6fa4453 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -167,6 +167,11 @@ variable "enable_resource_consumption_export" { } +variable "network_tags" { + description = "(Optional, Beta) - List of network tags applied to auto-provisioned node pools." + type = list(string) + default = [] +} variable "stub_domains" { type = map(list(string)) description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server" diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index a15bd541a..59adfa9ee 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md 
@@ -104,6 +104,7 @@ Then perform the following commands on the root folder: | name | The name of the cluster (required) | `string` | n/a | yes | | network | The VPC network to host the cluster in (required) | `string` | n/a | yes | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | +| network\_tags | (Optional, Beta) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index a24d5020e..e6d4920b4 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -94,6 +94,14 @@ resource "google_container_cluster" "primary" { } } } + dynamic "node_pool_auto_config" { + for_each = length(var.network_tags) > 0 ? [1] : [] + content { + network_tags { + tags = var.network_tags + } + } + } master_auth { client_certificate_config { diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index 1de73f649..4d3034f48 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -167,6 +167,11 @@ variable "enable_resource_consumption_export" { } +variable "network_tags" { + description = "(Optional, Beta) - List of network tags applied to auto-provisioned node pools." + type = list(string) + default = [] +} variable "stub_domains" { type = map(list(string)) description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server" diff --git a/test/integration/simple_autopilot_private/simple_autopilot_private_test.go b/test/integration/simple_autopilot_private/simple_autopilot_private_test.go index ac731f35d..57aa5207d 100644 --- a/test/integration/simple_autopilot_private/simple_autopilot_private_test.go +++ b/test/integration/simple_autopilot_private/simple_autopilot_private_test.go 
@@ -54,6 +54,7 @@ func TestSimpleAutopilotPrivate(t *testing.T) { g.JSONEq(assert, op, pth) } assert.Contains([]string{"RUNNING", "RECONCILING"}, op.Get("status").String()) + assert.Contains(op.Get("nodePoolAutoConfig.networkTags.tags").String(), "simple-autopilot-private") }) bpt.Test() diff --git a/test/integration/simple_autopilot_public/simple_autopiliot_public_test.go b/test/integration/simple_autopilot_public/simple_autopiliot_public_test.go index 005002ad1..d2c86ecec 100644 --- a/test/integration/simple_autopilot_public/simple_autopiliot_public_test.go +++ b/test/integration/simple_autopilot_public/simple_autopiliot_public_test.go @@ -54,7 +54,7 @@ func TestSimpleAutopilotPublic(t *testing.T) { g.JSONEq(assert, op, pth) } assert.Contains([]string{"RUNNING", "RECONCILING"}, op.Get("status").String()) - + assert.Contains(op.Get("nodePoolAutoConfig.networkTags.tags").String(), "simple-autopilot-public") }) bpt.Test()
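Review bot: The added `assert.Contains(op.Get("nodePoolAutoConfig.networkTags.tags").String(), "simple-autopilot-private")` is a substring match on the serialized tag list, so it still passes if the cluster carries a longer tag that merely contains that text, or extra tags the example never set. Because network tags decide which firewall rules reach the nodes, the test should pin the exact value. Assuming `op` is a gjson-style result (its type is not shown in the hunk), that could be `assert.Equal(int64(1), op.Get("nodePoolAutoConfig.networkTags.tags.#").Int())` followed by `assert.Equal("simple-autopilot-private", op.Get("nodePoolAutoConfig.networkTags.tags.0").String())`. Relax the count check if the API is known to report additional tags. The hunk for simple_autopiliot_public_test.go has the same pattern with "simple-autopilot-public", and both test functions begin outside their hunks.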