[GKE Hub]: Add Fleet binary authorization config (GoogleCloudPlatform…

…#9545)

mmv1/products/gkehub2/Fleet.yaml

@@ -99,6 +99,27 @@ properties:
     name: "defaultClusterConfig"
     description: The default cluster configurations to apply across the fleet.
     properties:
+      - !ruby/object:Api::Type::NestedObject
+        name: "binaryAuthorizationConfig"
+        description: Enable/Disable binary authorization features for the cluster.
+        properties:
+          - !ruby/object:Api::Type::Enum
+            name: "evaluationMode"
+            description: Mode of operation for binauthz policy evaluation.
+            values:
+              - DISABLED
+              - POLICY_BINDINGS
+          - !ruby/object:Api::Type::Array
+            name: "policyBindings"
+            description: Binauthz policies that apply to this cluster.
+            item_type: !ruby/object:Api::Type::NestedObject
+              properties:
+                - !ruby/object:Api::Type::String
+                  name: "name"
+                  description: |
+                    The relative resource name of the binauthz platform policy to audit. GKE
+                    platform policies have the following format:
+                    `projects/{project_number}/platforms/gke/policies/{policy_id}`.
       - !ruby/object:Api::Type::NestedObject
         name: "securityPostureConfig"
         description: Enable/Disable Security Posture features for the cluster.
@@ -109,7 +130,6 @@ properties:
             values:
               - DISABLED
               - BASIC
-              - ENTERPRISE
           - !ruby/object:Api::Type::Enum
             name: "vulnerabilityMode"
             description: Sets which mode to use for vulnerability scanning.

mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb

@@ -48,6 +48,14 @@ func TestAccGKEHub2Fleet_gkehubFleetBasicExample_update(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccGKEHub2Fleet_removedDefaultClusterConfig(context),
+			},
+			{
+				ResourceName:      "google_gke_hub_fleet.default",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -58,6 +66,9 @@ resource "google_gke_hub_fleet" "default" {
   project = google_project.project.project_id
   display_name = "my production fleet"
   default_cluster_config { 
+	binary_authorization_config {
+		evaluation_mode = "DISABLED"
+	}
 	security_posture_config {
 		mode = "DISABLED"
 		vulnerability_mode = "VULNERABILITY_DISABLED"
@@ -72,8 +83,14 @@ func testAccGKEHub2Fleet_update(context map[string]interface{}) string {
 	return gkeHubFleetProjectSetupForGA(context) + acctest.Nprintf(`
 resource "google_gke_hub_fleet" "default" {
   project = google_project.project.project_id
-  display_name = "my staging fleet"
+  display_name = "my updated fleet"
   default_cluster_config {
+	binary_authorization_config {
+		evaluation_mode = "POLICY_BINDINGS"
+		policy_bindings {
+			name = "projects/${google_project.project.project_id}/platforms/gke/policies/policy_id"
+		}
+	}
 	security_posture_config {
 		mode = "BASIC"
 		vulnerability_mode = "VULNERABILITY_BASIC"
@@ -84,6 +101,17 @@ resource "google_gke_hub_fleet" "default" {
 `, context)
 }
 
+func testAccGKEHub2Fleet_removedDefaultClusterConfig(context map[string]interface{}) string {
+	return gkeHubFleetProjectSetupForGA(context) + acctest.Nprintf(`
+resource "google_gke_hub_fleet" "default" {
+  project = google_project.project.project_id
+  display_name = "my updated fleet"
+
+  depends_on = [time_sleep.wait_for_gkehub_enablement]
+}
+`, context)
+}
+
 func gkeHubFleetProjectSetupForGA(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_project" "project" {