Adding private_cluster (#1250)

* Updated google.golang.org/api/container/v1beta1

* Added support for private_cluster and master_ipv4_cidr

This is to implement #1174. See
https://groups.google.com/forum/#!topic/google-cloud-sdk-announce/GGW3SQSANIc

* Added simple test for private_cluster and master_ipv4_cidr

* Review replies

* Added some documentation for private_cluster

google/resource_container_cluster.go

@@ -23,6 +23,8 @@ var (
 		{Version: v1beta1, Item: "pod_security_policy_config"},
 		{Version: v1beta1, Item: "node_config.*.taint"},
 		{Version: v1beta1, Item: "node_config.*.workload_metadata_config"},
+		{Version: v1beta1, Item: "private_cluster"},
+		{Version: v1beta1, Item: "master_ipv4_cidr_block"},
 	}
 
 	networkConfig = &schema.Resource{
@@ -426,6 +428,20 @@ func resourceContainerCluster() *schema.Resource {
 				Type:     schema.TypeBool,
 				Optional: true,
 			},
+
+			"private_cluster": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				ForceNew: true,
+				Default:  false,
+			},
+
+			"master_ipv4_cidr_block": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ForceNew:     true,
+				ValidateFunc: validation.CIDRNetwork(28, 28),
+			},
 		},
 	}
 }
@@ -576,6 +592,21 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
 		cluster.PodSecurityPolicyConfig = expandPodSecurityPolicyConfig(v)
 	}
 
+	if v, ok := d.GetOk("master_ipv4_cidr_block"); ok {
+		cluster.MasterIpv4CidrBlock = v.(string)
+	}
+
+	if v, ok := d.GetOk("private_cluster"); ok {
+		if cluster.PrivateCluster = v.(bool); cluster.PrivateCluster {
+			if cluster.MasterIpv4CidrBlock == "" {
+				return fmt.Errorf("master_ipv4_cidr_block is mandatory when private_cluster=true")
+			}
+			if cluster.IpAllocationPolicy == nil {
+				return fmt.Errorf("ip_allocation_policy is mandatory when private_cluster=true")
+			}
+		}
+	}
+
 	req := &containerBeta.CreateClusterRequest{
 		Cluster: cluster,
 	}
@@ -762,6 +793,9 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
 		}
 	}
 
+	d.Set("private_cluster", cluster.PrivateCluster)
+	d.Set("master_ipv4_cidr_block", cluster.MasterIpv4CidrBlock)
+
 	return nil
 }
 
@@ -1431,8 +1465,11 @@ func flattenMaintenancePolicy(mp *containerBeta.MaintenancePolicy) []map[string]
 }
 
 func flattenMasterAuthorizedNetworksConfig(c *containerBeta.MasterAuthorizedNetworksConfig) []map[string]interface{} {
+	if len(c.CidrBlocks) == 0 {
+		return nil
+	}
 	result := make(map[string]interface{})
-	if c.Enabled && len(c.CidrBlocks) > 0 {
+	if c.Enabled {
 		cidrBlocks := make([]interface{}, 0, len(c.CidrBlocks))
 		for _, v := range c.CidrBlocks {
 			cidrBlocks = append(cidrBlocks, map[string]interface{}{

google/resource_container_cluster_test.go

@@ -301,6 +301,35 @@ func TestAccContainerCluster_withKubernetesAlpha(t *testing.T) {
 	})
 }
 
+func TestAccContainerCluster_withPrivateCluster(t *testing.T) {
+	t.Parallel()
+
+	clusterName := fmt.Sprintf("cluster-test-%s", acctest.RandString(10))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckContainerClusterDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccContainerCluster_withPrivateCluster(clusterName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("google_container_cluster.with_private_cluster", "private_cluster", "true"),
+				),
+			},
+			{
+				ResourceName:        "google_container_cluster.with_private_cluster",
+				ImportStateIdPrefix: "us-central1-a/",
+				ImportState:         true,
+				ImportStateVerify:   true,
+				ImportStateVerifyIgnore: []string{
+					"private_cluster",
+					"master_ipv4_cidr_block"},
+			},
+		},
+	})
+}
+
 func TestAccContainerCluster_withLegacyAbac(t *testing.T) {
 	t.Parallel()
 
@@ -1812,3 +1841,45 @@ resource "google_container_cluster" "with_pod_security_policy" {
 	}
 }`, clusterName, enabled)
 }
+
+func testAccContainerCluster_withPrivateCluster(clusterName string) string {
+	return fmt.Sprintf(`
+resource "google_compute_network" "container_network" {
+	name = "container-net-%s"
+	auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "container_subnetwork" {
+	name                     = "${google_compute_network.container_network.name}"
+	network                  = "${google_compute_network.container_network.name}"
+	ip_cidr_range            = "10.0.36.0/24"
+	region                   = "us-central1"
+	private_ip_google_access = true
+
+	secondary_ip_range {
+		range_name    = "pod"
+		ip_cidr_range = "10.0.0.0/19"
+	}
+
+	secondary_ip_range {
+		range_name    = "svc"
+		ip_cidr_range = "10.0.32.0/22"
+	}
+}
+
+resource "google_container_cluster" "with_private_cluster" {
+	name = "cluster-test-%s"
+	zone = "us-central1-a"
+	initial_node_count = 1
+
+	network = "${google_compute_network.container_network.name}"
+	subnetwork = "${google_compute_subnetwork.container_subnetwork.name}"
+
+	private_cluster = true
+	master_ipv4_cidr_block = "10.42.0.0/28"
+	ip_allocation_policy {
+		cluster_secondary_range_name  = "${google_compute_subnetwork.container_subnetwork.secondary_ip_range.0.range_name}"
+		services_secondary_range_name = "${google_compute_subnetwork.container_subnetwork.secondary_ip_range.1.range_name}"
+	}
+}`, clusterName, clusterName)
+}

vendor/vendor.json

@@ -1292,10 +1292,10 @@
 			"revisionTime": "2017-10-21T00:03:56Z"
 		},
 		{
-			"checksumSHA1": "zYRNW2YMajEwmcwdj24eELyw9Ro=",
+			"checksumSHA1": "Bwdk1H9PYdjqw6l/1To/9ql0eII=",
 			"path": "google.golang.org/api/container/v1beta1",
-			"revision": "ab90adb3efa287b869ecb698db42f923cc734972",
-			"revisionTime": "2018-02-22T00:05:01Z"
+			"revision": "24928b980e6919be4c72647aacd53ebcbb8c4bab",
+			"revisionTime": "2018-03-16T22:16:32Z"
 		},
 		{
 			"checksumSHA1": "pxXDGWhDrfcAOCQCjgxLfZA4NOw=",

website/docs/r/container_cluster.html.markdown

@@ -117,6 +117,10 @@ output "cluster_ca_certificate" {
     for master authorized networks. Omit the nested `cidr_blocks` attribute to disallow
     external access (except the cluster node IPs, which GKE automatically whitelists).
 
+* `master_ipv4_cidr_block` - (Optional, [Beta](/docs/providers/google/index.html#beta-features)) Specifies a private
+    [RFC1918](https://tools.ietf.org/html/rfc1918) block for the master's VPC. The master range must not overlap with any subnet in your cluster's VPC.
+    The master and your cluster use VPC peering. Must be specified in CIDR notation and must be `/28` subnet.
+
 * `min_master_version` - (Optional) The minimum version of the master. GKE
     will auto-update the master to new versions, so this does not guarantee the
     current master version--use the read-only `master_version` field to obtain that.
@@ -152,6 +156,11 @@ output "cluster_ca_certificate" {
     [PodSecurityPolicy](https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies) feature.
     Structure is documented below.
 
+* `private_cluster` - (Optional, [Beta](/docs/providers/google/index.html#beta-features)) If true, a
+    [private cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters) will be created, which makes
+    the master inaccessible from the public internet and nodes do not get public IP addresses either. It is mandatory to specify
+    `master_ipv4_cidr_block` and `ip_allocation_policy` with this option.
+
 * `project` - (Optional) The ID of the project in which the resource belongs. If it
     is not provided, the provider project is used.