Make removals in google_container_cluster (#2395)

The Magician 2018-11-05 08:22:41 -08:00 committed by Nathan McKinley
parent 6e97f6192f
commit 7c3445229c
3 changed files with 28 additions and 383 deletions


@ -201,10 +201,10 @@ func resourceContainerCluster() *schema.Resource {
},
"enable_binary_authorization": {
Deprecated: "This field is in beta and will be removed from this provider. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.",
Type: schema.TypeBool,
Optional: true,
Default: false,
Removed: "This field is in beta. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.",
Computed: true,
Type: schema.TypeBool,
Optional: true,
},
"enable_kubernetes_alpha": {
@ -215,11 +215,11 @@ func resourceContainerCluster() *schema.Resource {
},
"enable_tpu": {
Deprecated: "This field is in beta and will be removed from this provider. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.",
Type: schema.TypeBool,
Optional: true,
ForceNew: true,
Default: false,
Type: schema.TypeBool,
Optional: true,
ForceNew: true,
Removed: "This field is in beta. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.",
Computed: true,
},
"enable_legacy_abac": {
@ -394,10 +394,11 @@ func resourceContainerCluster() *schema.Resource {
},
"pod_security_policy_config": {
Deprecated: "This field is in beta and will be removed from this provider. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.",
Type: schema.TypeList,
Optional: true,
MaxItems: 1,
// Remove return nil from expand when this is removed for good.
Removed: "This field is in beta. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.",
Type: schema.TypeList,
Optional: true,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"enabled": {
@ -406,7 +407,6 @@ func resourceContainerCluster() *schema.Resource {
},
},
},
DiffSuppressFunc: podSecurityPolicyCfgSuppress,
},
"project": {
@ -504,12 +504,11 @@ func resourceContainerCluster() *schema.Resource {
},
"private_cluster": {
Deprecated: "Use private_cluster_config.enable_private_nodes instead.",
ConflictsWith: []string{"private_cluster_config"},
Computed: true,
Type: schema.TypeBool,
Optional: true,
ForceNew: true,
Removed: "Use private_cluster_config.enable_private_nodes instead.",
Computed: true,
Type: schema.TypeBool,
Optional: true,
ForceNew: true,
},
"private_cluster_config": {
@ -549,11 +548,10 @@ func resourceContainerCluster() *schema.Resource {
},
"master_ipv4_cidr_block": {
Deprecated: "This field is in beta and will be removed from this provider. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.",
Type: schema.TypeString,
Optional: true,
ForceNew: true,
ValidateFunc: validation.CIDRNetwork(28, 28),
Removed: "Use private_cluster_config.master_ipv4_cidr_block instead.",
Computed: true,
Type: schema.TypeString,
Optional: true,
},
"resource_labels": {
@ -602,16 +600,10 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
NetworkPolicy: expandNetworkPolicy(d.Get("network_policy")),
AddonsConfig: expandClusterAddonsConfig(d.Get("addons_config")),
EnableKubernetesAlpha: d.Get("enable_kubernetes_alpha").(bool),
EnableTpu: d.Get("enable_tpu").(bool),
IpAllocationPolicy: expandIPAllocationPolicy(d.Get("ip_allocation_policy")),
PodSecurityPolicyConfig: expandPodSecurityPolicyConfig(d.Get("pod_security_policy_config")),
MasterIpv4CidrBlock: d.Get("master_ipv4_cidr_block").(string),
BinaryAuthorization: &containerBeta.BinaryAuthorization{
Enabled: d.Get("enable_binary_authorization").(bool),
ForceSendFields: []string{"Enabled"},
},
MasterAuth: expandMasterAuth(d.Get("master_auth")),
ResourceLabels: expandStringMap(d, "resource_labels"),
MasterAuth: expandMasterAuth(d.Get("master_auth")),
ResourceLabels: expandStringMap(d, "resource_labels"),
}
// Only allow setting node_version on create if it's set to the equivalent master version,
@ -676,17 +668,6 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
cluster.NodeConfig = expandNodeConfig(v)
}
if v, ok := d.GetOk("private_cluster"); ok {
if cluster.PrivateCluster = v.(bool); cluster.PrivateCluster {
if cluster.MasterIpv4CidrBlock == "" {
return fmt.Errorf("master_ipv4_cidr_block is mandatory when private_cluster=true")
}
if cluster.IpAllocationPolicy == nil {
return fmt.Errorf("ip_allocation_policy is mandatory when private_cluster=true")
}
}
}
if v, ok := d.GetOk("private_cluster_config"); ok {
cluster.PrivateClusterConfig = expandPrivateClusterConfig(v)
}
@ -791,13 +772,11 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
d.Set("cluster_ipv4_cidr", cluster.ClusterIpv4Cidr)
d.Set("description", cluster.Description)
d.Set("enable_kubernetes_alpha", cluster.EnableKubernetesAlpha)
d.Set("enable_tpu", cluster.EnableTpu)
d.Set("enable_legacy_abac", cluster.LegacyAbac.Enabled)
d.Set("logging_service", cluster.LoggingService)
d.Set("monitoring_service", cluster.MonitoringService)
d.Set("network", cluster.NetworkConfig.Network)
d.Set("subnetwork", cluster.NetworkConfig.Subnetwork)
d.Set("enable_binary_authorization", cluster.BinaryAuthorization != nil && cluster.BinaryAuthorization.Enabled)
if err := d.Set("node_config", flattenNodeConfig(cluster.NodeConfig)); err != nil {
return err
}
@ -829,14 +808,7 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
return err
}
if err := d.Set("pod_security_policy_config", flattenPodSecurityPolicyConfig(cluster.PodSecurityPolicyConfig)); err != nil {
return err
}
d.Set("private_cluster", cluster.PrivateCluster)
d.Set("master_ipv4_cidr_block", cluster.MasterIpv4CidrBlock)
d.Set("resource_labels", cluster.ResourceLabels)
return nil
}
@ -962,28 +934,6 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er
}
}
if d.HasChange("enable_binary_authorization") {
enabled := d.Get("enable_binary_authorization").(bool)
req := &containerBeta.UpdateClusterRequest{
Update: &containerBeta.ClusterUpdate{
DesiredBinaryAuthorization: &containerBeta.BinaryAuthorization{
Enabled: enabled,
ForceSendFields: []string{"Enabled"},
},
},
}
updateF := updateFunc(req, "updating GKE binary authorization")
// Call update serially.
if err := lockedCall(lockKey, updateF); err != nil {
return err
}
log.Printf("[INFO] GKE cluster %s's binary authorization has been updated to %v", d.Id(), enabled)
d.SetPartial("enable_binary_authorization")
}
if d.HasChange("maintenance_policy") {
var req *containerBeta.SetMaintenancePolicyRequest
if mp, ok := d.GetOk("maintenance_policy"); ok {
@ -1256,31 +1206,6 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er
d.SetPartial("master_auth")
}
if d.HasChange("pod_security_policy_config") {
c := d.Get("pod_security_policy_config")
req := &containerBeta.UpdateClusterRequest{
Update: &containerBeta.ClusterUpdate{
DesiredPodSecurityPolicyConfig: expandPodSecurityPolicyConfig(c),
},
}
updateF := func() error {
name := containerClusterFullName(project, location, clusterName)
op, err := config.clientContainerBeta.Projects.Locations.Clusters.Update(name, req).Do()
if err != nil {
return err
}
// Wait until it's updated
return containerSharedOperationWait(config, op, project, location, "updating GKE cluster pod security policy config", timeoutInMinutes, 2)
}
if err := lockedCall(lockKey, updateF); err != nil {
return err
}
log.Printf("[INFO] GKE cluster %s pod security policy config has been updated", d.Id())
d.SetPartial("pod_security_policy_config")
}
if d.HasChange("resource_labels") {
resourceLabels := d.Get("resource_labels").(map[string]interface{})
req := &containerBeta.SetLabelsRequest{
@ -1572,16 +1497,9 @@ func expandPrivateClusterConfig(configured interface{}) *containerBeta.PrivateCl
}
func expandPodSecurityPolicyConfig(configured interface{}) *containerBeta.PodSecurityPolicyConfig {
l := configured.([]interface{})
if len(l) == 0 || l[0] == nil {
return nil
}
config := l[0].(map[string]interface{})
return &containerBeta.PodSecurityPolicyConfig{
Enabled: config["enabled"].(bool),
ForceSendFields: []string{"Enabled"},
}
// Removing lists is hard - the element count (#) will have a diff from nil -> computed
// If we set this to empty on Read, it will be stable.
return nil
}
func flattenNetworkPolicy(c *containerBeta.NetworkPolicy) []map[string]interface{} {
@ -1740,17 +1658,6 @@ func flattenMasterAuthorizedNetworksConfig(c *containerBeta.MasterAuthorizedNetw
return []map[string]interface{}{result}
}
func flattenPodSecurityPolicyConfig(c *containerBeta.PodSecurityPolicyConfig) []map[string]interface{} {
if c == nil {
return nil
}
return []map[string]interface{}{
{
"enabled": c.Enabled,
},
}
}
func resourceContainerClusterStateImporter(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
parts := strings.Split(d.Id(), "/")
@ -1827,17 +1734,3 @@ func masterAuthClientCertCfgSuppress(k, old, new string, r *schema.ResourceData)
return strings.HasSuffix(k, ".issue_client_certificate") && old == "" && new == "true"
}
func podSecurityPolicyCfgSuppress(k, old, new string, r *schema.ResourceData) bool {
if k == "pod_security_policy_config.#" && old == "1" && new == "0" {
if v, ok := r.GetOk("pod_security_policy_config"); ok {
cfgList := v.([]interface{})
if len(cfgList) > 0 {
d := cfgList[0].(map[string]interface{})
// Suppress if old value was {enabled == false}
return !d["enabled"].(bool)
}
}
}
return false
}
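Review bot: The stubbed `expandPodSecurityPolicyConfig` (hunk `-1572,16 +1497,9`) now ignores `configured` and always returns nil, but its comment talks about list diffs and Read rather than saying so. A doc comment such as `// expandPodSecurityPolicyConfig always returns nil in this provider: pod_security_policy_config is Removed, so nothing is sent to the API.` would make the shim explicit for whoever deletes it later. Separately, binary authorization, pod security policy and private nodes are security controls, and as far as this rendered page shows, their Read and Update handling is gone, so this provider no longer refreshes or reconciles them. State written by an earlier version will presumably keep its last recorded value for the `Computed` fields, so an upgrade note telling users to move these settings to the google-beta provider would be worth adding. The new `Removed` strings for `enable_binary_authorization`, `enable_tpu` and `pod_security_policy_config` also repeat a word (`in the the google-beta provider`), which users will see verbatim when their configuration is rejected.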


@ -458,57 +458,6 @@ func TestAccContainerCluster_withKubernetesAlpha(t *testing.T) {
})
}
func TestAccContainerCluster_withTpu(t *testing.T) {
t.Parallel()
clusterName := fmt.Sprintf("cluster-test-%s", acctest.RandString(10))
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckContainerClusterDestroy,
Steps: []resource.TestStep{
{
Config: testAccContainerCluster_withTpu(clusterName),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("google_container_cluster.with_tpu", "enable_tpu", "true"),
),
},
{
ResourceName: "google_container_cluster.with_tpu",
ImportStateIdPrefix: "us-central1-b/",
ImportState: true,
ImportStateVerify: true,
},
},
})
}
func TestAccContainerCluster_withPrivateCluster(t *testing.T) {
t.Parallel()
clusterName := fmt.Sprintf("cluster-test-%s", acctest.RandString(10))
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckContainerClusterDestroy,
Steps: []resource.TestStep{
{
Config: testAccContainerCluster_withPrivateCluster(clusterName),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("google_container_cluster.with_private_cluster", "private_cluster", "true"),
),
},
{
ResourceName: "google_container_cluster.with_private_cluster",
ImportStateIdPrefix: "us-central1-a/",
ImportState: true,
ImportStateVerify: true,
},
},
})
}
func TestAccContainerCluster_withPrivateClusterConfig(t *testing.T) {
t.Parallel()
@ -1188,46 +1137,6 @@ func TestAccContainerCluster_withIPAllocationPolicy_createSubnetwork(t *testing.
})
}
func TestAccContainerCluster_withPodSecurityPolicy(t *testing.T) {
t.Parallel()
clusterName := fmt.Sprintf("cluster-test-%s", acctest.RandString(10))
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckContainerClusterDestroy,
Steps: []resource.TestStep{
{
Config: testAccContainerCluster_withPodSecurityPolicy(clusterName, true),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("google_container_cluster.with_pod_security_policy",
"pod_security_policy_config.0.enabled", "true"),
),
},
{
ResourceName: "google_container_cluster.with_pod_security_policy",
ImportStateIdPrefix: "us-central1-a/",
ImportState: true,
ImportStateVerify: true,
},
{
Config: testAccContainerCluster_withPodSecurityPolicy(clusterName, false),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("google_container_cluster.with_pod_security_policy",
"pod_security_policy_config.0.enabled", "false"),
),
},
{
ResourceName: "google_container_cluster.with_pod_security_policy",
ImportStateIdPrefix: "us-central1-a/",
ImportState: true,
ImportStateVerify: true,
},
},
})
}
func TestAccContainerCluster_sharedVpc(t *testing.T) {
t.Parallel()
@ -1303,38 +1212,6 @@ func TestAccContainerCluster_withResourceLabelsUpdate(t *testing.T) {
})
}
func TestAccContainerCluster_withBinaryAuthorization(t *testing.T) {
t.Parallel()
clusterName := fmt.Sprintf("cluster-test-%s", acctest.RandString(10))
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckContainerClusterDestroy,
Steps: []resource.TestStep{
{
Config: testAccContainerCluster_withBinaryAuthorization(clusterName, true),
},
{
ResourceName: "google_container_cluster.with_binary_authorization",
ImportStateIdPrefix: "us-central1-a/",
ImportState: true,
ImportStateVerify: true,
},
{
Config: testAccContainerCluster_withBinaryAuthorization(clusterName, false),
},
{
ResourceName: "google_container_cluster.with_binary_authorization",
ImportStateIdPrefix: "us-central1-a/",
ImportState: true,
ImportStateVerify: true,
},
},
})
}
func testAccCheckContainerClusterDestroy(s *terraform.State) error {
config := testAccProvider.Meta().(*Config)
@ -1750,49 +1627,6 @@ resource "google_container_cluster" "with_kubernetes_alpha" {
}`, clusterName)
}
func testAccContainerCluster_withTpu(clusterName string) string {
return fmt.Sprintf(`
resource "google_compute_network" "container_network" {
name = "container-net-%s"
auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "container_subnetwork" {
name = "${google_compute_network.container_network.name}"
network = "${google_compute_network.container_network.name}"
ip_cidr_range = "10.0.35.0/24"
region = "us-central1"
secondary_ip_range {
range_name = "pod"
ip_cidr_range = "10.1.0.0/19"
}
secondary_ip_range {
range_name = "svc"
ip_cidr_range = "10.2.0.0/22"
}
}
resource "google_container_cluster" "with_tpu" {
name = "cluster-test-%s"
zone = "us-central1-b"
initial_node_count = 1
enable_tpu = true
network = "${google_compute_network.container_network.name}"
subnetwork = "${google_compute_subnetwork.container_subnetwork.name}"
master_ipv4_cidr_block = "10.42.0.0/28"
master_authorized_networks_config { cidr_blocks = [] }
ip_allocation_policy {
cluster_secondary_range_name = "${google_compute_subnetwork.container_subnetwork.secondary_ip_range.0.range_name}"
services_secondary_range_name = "${google_compute_subnetwork.container_subnetwork.secondary_ip_range.1.range_name}"
}
}`, clusterName, clusterName)
}
func testAccContainerCluster_defaultLegacyAbac(clusterName string) string {
return fmt.Sprintf(`
resource "google_container_cluster" "default_legacy_abac" {
@ -2375,61 +2209,6 @@ resource "google_container_cluster" "with_ip_allocation_policy" {
}`, cluster)
}
func testAccContainerCluster_withPodSecurityPolicy(clusterName string, enabled bool) string {
return fmt.Sprintf(`
resource "google_container_cluster" "with_pod_security_policy" {
name = "cluster-test-%s"
zone = "us-central1-a"
initial_node_count = 1
pod_security_policy_config {
enabled = %v
}
}`, clusterName, enabled)
}
func testAccContainerCluster_withPrivateCluster(clusterName string) string {
return fmt.Sprintf(`
resource "google_compute_network" "container_network" {
name = "container-net-%s"
auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "container_subnetwork" {
name = "${google_compute_network.container_network.name}"
network = "${google_compute_network.container_network.name}"
ip_cidr_range = "10.0.36.0/24"
region = "us-central1"
private_ip_google_access = true
secondary_ip_range {
range_name = "pod"
ip_cidr_range = "10.0.0.0/19"
}
secondary_ip_range {
range_name = "svc"
ip_cidr_range = "10.0.32.0/22"
}
}
resource "google_container_cluster" "with_private_cluster" {
name = "cluster-test-%s"
zone = "us-central1-a"
initial_node_count = 1
network = "${google_compute_network.container_network.name}"
subnetwork = "${google_compute_subnetwork.container_subnetwork.name}"
private_cluster = true
master_ipv4_cidr_block = "10.42.0.0/28"
master_authorized_networks_config { cidr_blocks = [] }
ip_allocation_policy {
cluster_secondary_range_name = "${google_compute_subnetwork.container_subnetwork.secondary_ip_range.0.range_name}"
services_secondary_range_name = "${google_compute_subnetwork.container_subnetwork.secondary_ip_range.1.range_name}"
}
}`, clusterName, clusterName)
}
func testAccContainerCluster_withPrivateClusterConfig(clusterName string) string {
return fmt.Sprintf(`
resource "google_compute_network" "container_network" {
@ -2602,15 +2381,3 @@ resource "google_container_cluster" "with_resource_labels" {
}
`, clusterName)
}
func testAccContainerCluster_withBinaryAuthorization(clusterName string, enabled bool) string {
return fmt.Sprintf(`
resource "google_container_cluster" "with_binary_authorization" {
name = "%s"
zone = "us-central1-a"
initial_node_count = 1
enable_binary_authorization = %v
}
`, clusterName, enabled)
}


@ -136,13 +136,6 @@ output "cluster_ca_certificate" {
for master authorized networks. Omit the nested `cidr_blocks` attribute to disallow
external access (except the cluster node IPs, which GKE automatically whitelists).
* `master_ipv4_cidr_block` - (Optional, Deprecated) Specifies a private
[RFC1918](https://tools.ietf.org/html/rfc1918) block for the master's VPC. The master range must not overlap with any subnet in your cluster's VPC.
The master and your cluster use VPC peering. Must be specified in CIDR notation and must be `/28` subnet.
This property is in beta, and should be used with the terraform-provider-google-beta provider.
See [Provider Versions](https://terraform.io/docs/providers/google/provider_versions.html) for more details on beta fields.
This field is deprecated, use `private_cluster_config.master_ipv4_cidr_block` instead.
* `min_master_version` - (Optional) The minimum version of the master. GKE
will auto-update the master to new versions, so this does not guarantee the
current master version--use the read-only `master_version` field to obtain that.
@ -186,14 +179,6 @@ output "cluster_ca_certificate" {
This property is in beta, and should be used with the terraform-provider-google-beta provider.
See [Provider Versions](https://terraform.io/docs/providers/google/provider_versions.html) for more details on beta fields.
* `private_cluster` - (Optional, Deprecated) If true, a
[private cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters) will be created, meaning
nodes do not get public IP addresses. It is mandatory to specify `master_ipv4_cidr_block` and
`ip_allocation_policy` with this option.
This property is in beta, and should be used with the terraform-provider-google-beta provider.
See [Provider Versions](https://terraform.io/docs/providers/google/provider_versions.html) for more details on beta fields.
This field is deprecated, use `private_cluster_config.enable_private_nodes` instead.
* `project` - (Optional) The ID of the project in which the resource belongs. If it
is not provided, the provider project is used.