Add update support for pod security policy (#1195)

* move setid calls back * Revert "move setid calls back" This reverts commit 0c7b2dbf92aff33dac8c5beb95568c2bc86dd7de. * add update support for pod security policy * update test * add comment about updates
2024-07-03 08:42:39 +00:00 · 2018-03-23 11:27:37 -07:00 · 2018-03-23 11:27:37 -07:00 · 685842410e
commit 685842410e
parent b645ecf0cc
2 changed files with 44 additions and 2 deletions
--- a/google/resource_container_cluster.go
+++ b/google/resource_container_cluster.go
@ -359,13 +359,11 @@ func resourceContainerCluster() *schema.Resource {
 				Type:     schema.TypeList,
 				Optional: true,
 				MaxItems: 1,
-				ForceNew: true,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"enabled": {
 							Type:     schema.TypeBool,
 							Required: true,
-							ForceNew: true,
 						},
 					},
 				},
@ -785,6 +783,10 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er

 	lockKey := containerClusterMutexKey(project, zoneName, clusterName)

+	// The ClusterUpdate object that we use for most of these updates only allows updating one field at a time,
+	// so we have to make separate calls for each field that we want to update. The order here is fairly arbitrary-
+	// if the order of updating fields does matter, it is called out explicitly.
+
 	if d.HasChange("master_authorized_networks_config") {
 		c := d.Get("master_authorized_networks_config")
 		conf := &container.MasterAuthorizedNetworksConfig{}
@ -1125,6 +1127,31 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er
 		d.SetPartial("logging_service")
 	}

+	if d.HasChange("pod_security_policy_config") {
+		c := d.Get("pod_security_policy_config")
+		req := &containerBeta.UpdateClusterRequest{
+			Update: &containerBeta.ClusterUpdate{
+				DesiredPodSecurityPolicyConfig: expandPodSecurityPolicyConfig(c),
+			},
+		}
+
+		updateF := func() error {
+			op, err := config.clientContainerBeta.Projects.Zones.Clusters.Update(
+				project, zoneName, clusterName, req).Do()
+			if err != nil {
+				return err
+			}
+			// Wait until it's updated
+			return containerSharedOperationWait(config, op, project, zoneName, "updating GKE cluster pod security policy config", timeoutInMinutes, 2)
+		}
+		if err := lockedCall(lockKey, updateF); err != nil {
+			return err
+		}
+		log.Printf("[INFO] GKE cluster %s pod security policy config has been updated", d.Id())
+
+		d.SetPartial("pod_security_policy_config")
+	}
+
 	if d.HasChange("remove_default_node_pool") && d.Get("remove_default_node_pool").(bool) {
 		op, err := config.clientContainer.Projects.Zones.Clusters.NodePools.Delete(project, zoneName, clusterName, "default-pool").Do()
 		if err != nil {
--- a/google/resource_container_cluster_test.go
+++ b/google/resource_container_cluster_test.go
@ -941,6 +941,21 @@ func TestAccContainerCluster_withPodSecurityPolicy(t *testing.T) {
 				// Import always uses the v1 API, so beta features don't get imported.
 				ImportStateVerifyIgnore: []string{"pod_security_policy_config.#", "pod_security_policy_config.0.enabled"},
 			},
+			{
+				Config: testAccContainerCluster_withPodSecurityPolicy(clusterName, false),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("google_container_cluster.with_pod_security_policy",
+						"pod_security_policy_config.0.enabled", "false"),
+				),
+			},
+			{
+				ResourceName:        "google_container_cluster.with_pod_security_policy",
+				ImportStateIdPrefix: "us-central1-a/",
+				ImportState:         true,
+				ImportStateVerify:   true,
+				// Import always uses the v1 API, so beta features don't get imported.
+				ImportStateVerifyIgnore: []string{"pod_security_policy_config.#", "pod_security_policy_config.0.enabled"},
+			},
 		},
 	})
 }