Update fields for ACM and Config Sync to bring them to feature parity

examples/simple_zonal_with_acm/main.tf

@@ -35,6 +35,16 @@ module "gke" {
   ip_range_pods     = var.ip_range_pods
   ip_range_services = var.ip_range_services
   service_account   = "create"
+  node_pools = [
+    {
+      name         = "acm-node-pool"
+      autoscaling  = false
+      auto_upgrade = true
+      # Trying larger node pool for ACM to prevent against test flakiness
+      node_count   = 4
+      machine_type = "e2-standard-4"
+    },
+  ]
 }
 
 data "google_client_config" "default" {

modules/acm/README.md

@@ -47,14 +47,17 @@ By default, this module will attempt to download the ACM operator from Google di
 | cluster\_endpoint | Kubernetes cluster endpoint. | string | n/a | yes |
 | cluster\_name | GCP cluster Name used to reach cluster and which becomes the cluster name in the Config Sync kubernetes custom resource. | string | n/a | yes |
 | create\_ssh\_key | Controls whether a key will be generated for Git authentication | bool | `"true"` | no |
+| enable\_log\_denies | Whether to enable logging of all denies and dryrun failures for ACM Policy Controller. | bool | `"false"` | no |
 | enable\_policy\_controller | Whether to enable the ACM Policy Controller on the cluster | bool | `"true"` | no |
+| hierarchy\_controller | Configurations for Hierarchy Controller. See [Hierarchy Controller docs](https://cloud.google.com/anthos-config-management/docs/how-to/installing-hierarchy-controller) for more details | map | `"null"` | no |
 | install\_template\_library | Whether to install the default Policy Controller template library | bool | `"true"` | no |
 | location | GCP location used to reach cluster. | string | n/a | yes |
 | operator\_path | Path to the operator yaml config. If unset, will download from GCS releases. | string | `"null"` | no |
 | policy\_dir | Subfolder containing configs in ACM Git repo. If un-set, uses Config Management default. | string | `""` | no |
 | project\_id | GCP project_id used to reach cluster. | string | n/a | yes |
 | secret\_type | git authentication secret type, is passed through to ConfigManagement spec.git.secretType. Overriden to value 'ssh' if `create_ssh_key` is true | string | `"ssh"` | no |
 | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"true"` | no |
+| source\_format | Configures a non-hierarchical repo if set to 'unstructured'. Uses [ACM defaults](https://cloud.google.com/anthos-config-management/docs/how-to/installing#configuring-config-management-operator) when unset. | string | `""` | no |
 | ssh\_auth\_key | Key for Git authentication. Overrides 'create_ssh_key' variable. Can be set using 'file(path/to/file)'-function. | string | `"null"` | no |
 | sync\_branch | ACM repo Git branch. If un-set, uses Config Management default. | string | `""` | no |
 | sync\_repo | ACM Git repo address | string | n/a | yes |

modules/acm/main.tf

@@ -32,6 +32,9 @@ module "acm_operator" {
   enable_policy_controller = var.enable_policy_controller
   install_template_library = var.install_template_library
   skip_gcloud_download     = var.skip_gcloud_download
+  source_format            = var.source_format
+  hierarchy_controller     = var.hierarchy_controller
+  enable_log_denies        = var.enable_log_denies
 
   operator_latest_manifest_url  = "gs://config-management-release/released/latest/config-management-operator.yaml"
   operator_cr_template_path     = "${path.module}/templates/acm-config.yml.tpl"

modules/acm/templates/acm-config.yml.tpl

@@ -8,8 +8,11 @@ spec:
   policyController:
     enabled: ${enable_policy_controller}
     templateLibraryInstalled: ${install_template_library}
+    logDeniesEnabled: ${enable_log_denies}
   git:
     syncRepo: ${sync_repo}
     secretType: ${secret_type}
     ${policy_dir_node}
     ${sync_branch_node}
+  ${source_format_node}
+  ${hierarchy_controller_map_node}

modules/acm/variables.tf

@@ -92,3 +92,21 @@ variable "skip_gcloud_download" {
   type        = bool
   default     = true
 }
+
+variable "source_format" {
+  description = "Configures a non-hierarchical repo if set to 'unstructured'. Uses [ACM defaults](https://cloud.google.com/anthos-config-management/docs/how-to/installing#configuring-config-management-operator) when unset."
+  type        = string
+  default     = ""
+}
+
+variable "hierarchy_controller" {
+  description = "Configurations for Hierarchy Controller. See [Hierarchy Controller docs](https://cloud.google.com/anthos-config-management/docs/how-to/installing-hierarchy-controller) for more details"
+  type        = map
+  default     = null
+}
+
+variable "enable_log_denies" {
+  description = "Whether to enable logging of all denies and dryrun failures for ACM Policy Controller."
+  type        = bool
+  default     = false
+}

modules/config-sync/README.md

@@ -50,12 +50,14 @@ To deploy this config:
 | cluster\_endpoint | Kubernetes cluster endpoint. | string | n/a | yes |
 | cluster\_name | GCP cluster name used to reach cluster and which becomes the cluster name in the Config Sync kubernetes custom resource. | string | n/a | yes |
 | create\_ssh\_key | Controls whether a key will be generated for Git authentication | bool | `"true"` | no |
+| hierarchy\_controller | Configurations for Hierarchy Controller. See [Hierarchy Controller docs](https://cloud.google.com/kubernetes-engine/docs/add-on/config-sync/how-to/installing-hierarchy-controller) for more details. | map | `"null"` | no |
 | location | GCP location used to reach cluster. | string | n/a | yes |
 | operator\_path | Path to the operator yaml config. If unset, will download from GCS releases. | string | `"null"` | no |
 | policy\_dir | Subfolder containing configs in ACM Git repo. If un-set, uses Config Management default. | string | `""` | no |
 | project\_id | GCP project_id used to reach cluster. | string | n/a | yes |
 | secret\_type | credential secret type, passed through to ConfigManagement spec.git.secretType. Overriden to value 'ssh' if `create_ssh_key` is true | string | n/a | yes |
 | skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"true"` | no |
+| source\_format | Configures a non-hierarchical repo if set to 'unstructured'. Uses [Config Sync defaults](https://cloud.google.com/kubernetes-engine/docs/add-on/config-sync/how-to/installing#configuring-config-management-operator) when unset. | string | `""` | no |
 | ssh\_auth\_key | Key for Git authentication. Overrides 'create_ssh_key' variable. Can be set using 'file(path/to/file)'-function. | string | `"null"` | no |
 | sync\_branch | ACM repo Git branch. If un-set, uses Config Management default. | string | `""` | no |
 | sync\_repo | ACM Git repo address | string | n/a | yes |

modules/config-sync/main.tf

@@ -30,6 +30,8 @@ module "configsync_operator" {
   secret_type          = var.secret_type
   ssh_auth_key         = var.ssh_auth_key
   skip_gcloud_download = var.skip_gcloud_download
+  source_format        = var.source_format
+  hierarchy_controller = var.hierarchy_controller
 
   operator_latest_manifest_url  = "gs://config-management-release/released/latest/config-sync-operator.yaml"
   operator_cr_template_path     = "${path.module}/templates/config-sync-config.yml.tpl"

modules/config-sync/templates/config-sync-config.yml.tpl

@@ -10,3 +10,5 @@ spec:
     secretType: ${secret_type}
     ${sync_branch_node}
     ${policy_dir_node}
+  ${source_format_node}
+  ${hierarchy_controller_map_node}

modules/config-sync/variables.tf

@@ -79,3 +79,15 @@ variable "skip_gcloud_download" {
   type        = bool
   default     = true
 }
+
+variable "source_format" {
+  description = "Configures a non-hierarchical repo if set to 'unstructured'. Uses [Config Sync defaults](https://cloud.google.com/kubernetes-engine/docs/add-on/config-sync/how-to/installing#configuring-config-management-operator) when unset."
+  type        = string
+  default     = ""
+}
+
+variable "hierarchy_controller" {
+  description = "Configurations for Hierarchy Controller. See [Hierarchy Controller docs](https://cloud.google.com/kubernetes-engine/docs/add-on/config-sync/how-to/installing-hierarchy-controller) for more details."
+  type        = map
+  default     = null
+}

modules/k8s-operator-crd-support/main.tf

@@ -15,13 +15,15 @@
  */
 
 locals {
-  cluster_endpoint         = "https://${var.cluster_endpoint}"
-  private_key              = var.create_ssh_key && var.ssh_auth_key == null ? tls_private_key.k8sop_creds[0].private_key_pem : var.ssh_auth_key
-  k8sop_creds_secret_key   = var.secret_type == "cookiefile" ? "cookie_file" : var.secret_type
-  should_download_manifest = var.operator_path == null ? true : false
-  manifest_path            = local.should_download_manifest ? "${path.root}/.terraform/tmp/config-management-operator.yaml" : var.operator_path
-  sync_branch_node         = var.sync_branch != "" ? format("syncBranch: %s", var.sync_branch) : ""
-  policy_dir_node          = var.policy_dir != "" ? format("policyDir: %s", var.policy_dir) : ""
+  cluster_endpoint              = "https://${var.cluster_endpoint}"
+  private_key                   = var.create_ssh_key && var.ssh_auth_key == null ? tls_private_key.k8sop_creds[0].private_key_pem : var.ssh_auth_key
+  k8sop_creds_secret_key        = var.secret_type == "cookiefile" ? "cookie_file" : var.secret_type
+  should_download_manifest      = var.operator_path == null ? true : false
+  manifest_path                 = local.should_download_manifest ? "${path.root}/.terraform/tmp/config-management-operator.yaml" : var.operator_path
+  sync_branch_node              = var.sync_branch != "" ? format("syncBranch: %s", var.sync_branch) : ""
+  policy_dir_node               = var.policy_dir != "" ? format("policyDir: %s", var.policy_dir) : ""
+  hierarchy_controller_map_node = var.hierarchy_controller == null ? "" : format("hierarchy_controller:\n    %s", yamlencode(var.hierarchy_controller))
+  source_format_node            = var.source_format != "" ? format("sourceFormat: %s", var.source_format) : ""
 }
 
 module "k8sop_manifest" {
@@ -75,13 +77,16 @@ data "template_file" "k8sop_config" {
 
   template = file(var.operator_cr_template_path)
   vars = {
-    cluster_name             = var.cluster_name
-    sync_repo                = var.sync_repo
-    sync_branch_node         = local.sync_branch_node
-    policy_dir_node          = local.policy_dir_node
-    secret_type              = var.create_ssh_key ? "ssh" : var.secret_type
-    enable_policy_controller = var.enable_policy_controller ? "true" : "false"
-    install_template_library = var.install_template_library ? "true" : "false"
+    cluster_name                  = var.cluster_name
+    sync_repo                     = var.sync_repo
+    sync_branch_node              = local.sync_branch_node
+    policy_dir_node               = local.policy_dir_node
+    secret_type                   = var.create_ssh_key ? "ssh" : var.secret_type
+    enable_policy_controller      = var.enable_policy_controller ? "true" : "false"
+    install_template_library      = var.install_template_library ? "true" : "false"
+    source_format_node            = local.source_format_node
+    hierarchy_controller_map_node = local.hierarchy_controller_map_node
+    enable_log_denies             = var.enable_log_denies
   }
 }
 

modules/k8s-operator-crd-support/variables.tf

@@ -111,3 +111,26 @@ variable "skip_gcloud_download" {
   default     = true
 }
 
+variable "source_format" {
+  description = <<EOF
+    Configures a non-hierarchical repo if set to 'unstructured'. Uses [Config Sync defaults](https://cloud.google.com/kubernetes-engine/docs/add-on/config-sync/how-to/installing#configuring-config-management-operator)
+    when unset.
+  EOF
+  type        = string
+  default     = ""
+}
+
+variable "hierarchy_controller" {
+  description = <<EOF
+    Configurations for Hierarchy Controller. See [Hierarchy Controller docs](https://cloud.google.com/kubernetes-engine/docs/add-on/config-sync/how-to/installing-hierarchy-controller)
+    for more details
+  EOF
+  type        = map
+  default     = null
+}
+
+variable "enable_log_denies" {
+  description = "Whether to enable logging of all denies and dryrun failures for ACM Policy Controller."
+  type        = bool
+  default     = false
+}

test/integration/simple_zonal/controls/gcloud.rb

@@ -85,41 +85,19 @@
         )
       end
 
-      it "has autoscaling enabled" do
+      it "has the expected initial node count" do
         expect(node_pools).to include(
           including(
-            "autoscaling" => including(
-              "enabled" => true,
-            ),
-          )
-        )
-      end
-
-      it "has the expected minimum node count" do
-        expect(node_pools).to include(
-          including(
-            "autoscaling" => including(
-              "minNodeCount" => 1,
-            ),
+              "initialNodeCount" => 4,
+            )
           )
-        )
-      end
-
-      it "has the expected maximum node count" do
-        expect(node_pools).to include(
-          including(
-            "autoscaling" => including(
-              "maxNodeCount" => 100,
-            ),
-          )
-        )
       end
 
       it "is the expected machine type" do
         expect(node_pools).to include(
           including(
             "config" => including(
-              "machineType" => "e2-medium",
+              "machineType" => "e2-standard-4",
             ),
           )
         )
@@ -141,7 +119,7 @@
             "config" => including(
               "labels" => including(
                 "cluster_name" => cluster_name,
-                "node_pool" => "default-node-pool",
+                "node_pool" => "acm-node-pool",
               ),
             ),
           )
@@ -154,7 +132,7 @@
             "config" => including(
               "tags" => match_array([
                 "gke-#{cluster_name}",
-                "gke-#{cluster_name}-default-node-pool",
+                "gke-#{cluster_name}-acm-node-pool",
               ]),
             ),
           )