fix: resolve deprecation warning for binary authorization

[wyardley]

enable_binary_authorization is now deprecated in favor of the binary_authorization block. This preserves the module's interface, but updates the underlying behavior

Fixes #1331

[wyardley]

Hi @bharathkkb thanks again.
Let me know if the most recent failures have an error you can pass along (the earlier ones got commented on, but this one just shows a failed status check).

I'm not 100% sure if the tests (e.g.,

terraform-google-kubernetes-engine/test/integration/beta_cluster/controls/gcloud.rb

Lines 82 to 85 in 35b2bf5

	it "has the expected binaryAuthorization config" do
	expect(data['binaryAuthorization']).to eq({
	"enabled" => true,
	})

) will need to be updated as well, but looks like it still is returned under binaryAuthorization even in fairly recent gcloud versions, so guessing it should be Ok (side note: is it just because of an old version of inspec, or why do most of the tests rely on shellouts to gcloud instead of the native inspec resources?)

[wyardley]

Actually, got this after quickly creating a test cluster with binary auth enabled, so updating the test cases as well:

  "binaryAuthorization": {
    "evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE"
  },

[comment-bot-dev]

@wyardley
Thanks for the PR! 🚀
✅ Lint checks have passed.

[wyardley]

Also confirmed that a cluster created with the existing version of the module seems to get this:

  "binaryAuthorization": {
    "enabled": true
  },

So we'll need to test whether / how well the upgrade process is (whether it's breaking or not); going to try to do a quick pass to see if I can do some kind of check of that. If not, we could try using the enabled parameter, but just in the binary_authorization block, but that also seems to be deprecated...

[wyardley]

So, I tried creating a cluster with the old version of the module, applying based on my branch. This resulted in the following diff, which was non-destructive and applied cleanly (but slowly).

  # module.gke.google_container_cluster.primary will be updated in-place
  ~ resource "google_container_cluster" "primary" {
      ~ enable_binary_authorization = true -> false
        id                          = "projects/xxx/locations/us-west2-a/clusters/foo"
        name                        = "foo"
        # (26 unchanged attributes hidden)

      ~ addons_config {

          + gke_backup_agent_config {
              + enabled = false
            }

            # (9 unchanged blocks hidden)
        }

      + binary_authorization {
          + evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
        }

        # (19 unchanged blocks hidden)
    }

After creating a cluster with the old version of the module:

% gcloud container clusters --zone us-west2-a describe foo  --format=json --project xxx | jq .binaryAuthorization
{
  "enabled": true
}

It's briefly unset during apply, and then after applying the changes:

% gcloud container clusters --zone us-west2-a describe foo  --format=json --project xxx | jq .binaryAuthorization
{
  "evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE"
}

Would be great if someone could confirm also that this is the correct setting, though from what I can tell, I think this is the right behavior.

I assume this is Ok to roll out as a "non breaking" change? But may still cause some user confusion, since the new setting is kind of non-obviously named. Also, is it expected that the old resource attribute gets toggled to false vs null in the terraform plan? (the actual result at the API level is fine)

[wyardley]

added a docs fix to provide at least slightly more information in the provider docs
GoogleCloudPlatform/magic-modules#6320

[bharathkkb]

Thanks for the PR @wyardley and thanks for testing out the upgrade path!