From 7c3445229cd0eb420dea39563bca0094572e06ca Mon Sep 17 00:00:00 2001 From: The Magician Date: Mon, 5 Nov 2018 08:22:41 -0800 Subject: [PATCH] Make removals in google_container_cluster (#2395) --- google/resource_container_cluster.go | 163 +++--------- google/resource_container_cluster_test.go | 233 ------------------ .../docs/r/container_cluster.html.markdown | 15 -- 3 files changed, 28 insertions(+), 383 deletions(-) diff --git a/google/resource_container_cluster.go b/google/resource_container_cluster.go index 4e917625..fc6e515a 100644 --- a/google/resource_container_cluster.go +++ b/google/resource_container_cluster.go @@ -201,10 +201,10 @@ func resourceContainerCluster() *schema.Resource { }, "enable_binary_authorization": { - Deprecated: "This field is in beta and will be removed from this provider. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.", - Type: schema.TypeBool, - Optional: true, - Default: false, + Removed: "This field is in beta. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.", + Computed: true, + Type: schema.TypeBool, + Optional: true, }, "enable_kubernetes_alpha": { @@ -215,11 +215,11 @@ func resourceContainerCluster() *schema.Resource { }, "enable_tpu": { - Deprecated: "This field is in beta and will be removed from this provider. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.", - Type: schema.TypeBool, - Optional: true, - ForceNew: true, - Default: false, + Type: schema.TypeBool, + Optional: true, + ForceNew: true, + Removed: "This field is in beta. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.", + Computed: true, }, "enable_legacy_abac": { 
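Review bot: `enable_binary_authorization` becomes `Removed` plus `Computed` here, and the later Read hunk drops its `d.Set`, so as far as the visible hunks show the value left in state is never refreshed and a cluster whose binary authorization is turned off out of band will show no drift under this provider. A field comment would make that explicit, for example `// Not read or written by this provider any more; state may be stale. Manage via google-beta.`. The same holds for `enable_tpu` in the next hunk, which also keeps `ForceNew: true` on a field that can no longer be set. Both new `Removed` strings carry over the "the the" typo from the old `Deprecated` text. resourceContainerCluster() starts and ends outside these hunks.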
@@ -394,10 +394,11 @@ func resourceContainerCluster() *schema.Resource { }, "pod_security_policy_config": { - Deprecated: "This field is in beta and will be removed from this provider. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.", - Type: schema.TypeList, - Optional: true, - MaxItems: 1, + // Remove return nil from expand when this is removed for good. + Removed: "This field is in beta. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.", + Type: schema.TypeList, + Optional: true, + MaxItems: 1, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ "enabled": { @@ -406,7 +407,6 @@ func resourceContainerCluster() *schema.Resource { }, }, }, - DiffSuppressFunc: podSecurityPolicyCfgSuppress, }, "project": { @@ -504,12 +504,11 @@ func resourceContainerCluster() *schema.Resource { }, "private_cluster": { - Deprecated: "Use private_cluster_config.enable_private_nodes instead.", - ConflictsWith: []string{"private_cluster_config"}, - Computed: true, - Type: schema.TypeBool, - Optional: true, - ForceNew: true, + Removed: "Use private_cluster_config.enable_private_nodes instead.", + Computed: true, + Type: schema.TypeBool, + Optional: true, + ForceNew: true, }, "private_cluster_config": { @@ -549,11 +548,10 @@ func resourceContainerCluster() *schema.Resource { }, "master_ipv4_cidr_block": { - Deprecated: "This field is in beta and will be removed from this provider. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.", - Type: schema.TypeString, - Optional: true, - ForceNew: true, - ValidateFunc: validation.CIDRNetwork(28, 28), + Removed: "Use private_cluster_config.master_ipv4_cidr_block instead.", + Computed: true, + Type: schema.TypeString, + Optional: true, }, "resource_labels": { 
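Review bot: The new comment on `pod_security_policy_config` does not name the function it refers to, nor say why this entry, unlike the other removed fields in this file section, is left without `Computed: true`. Something like `// Not Computed: a computed list diffs on its element count. expandPodSecurityPolicyConfig returns nil until this entry is deleted.` would let the next maintainer find both halves. The `Removed` string also repeats the "the the" typo. The schema map continues outside the hunk.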
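Review bot: The top-level `master_ipv4_cidr_block` loses `ValidateFunc: validation.CIDRNetwork(28, 28)` while its `Removed` message sends users to `private_cluster_config.master_ipv4_cidr_block`, whose schema is outside this hunk. It is worth confirming that the nested field carries the same /28 check, so a malformed master range is still rejected at plan time rather than by the API. If it does not, the nested entry should get `ValidateFunc: validation.CIDRNetwork(28, 28),`.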
@@ -602,16 +600,10 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er NetworkPolicy: expandNetworkPolicy(d.Get("network_policy")), AddonsConfig: expandClusterAddonsConfig(d.Get("addons_config")), EnableKubernetesAlpha: d.Get("enable_kubernetes_alpha").(bool), - EnableTpu: d.Get("enable_tpu").(bool), IpAllocationPolicy: expandIPAllocationPolicy(d.Get("ip_allocation_policy")), PodSecurityPolicyConfig: expandPodSecurityPolicyConfig(d.Get("pod_security_policy_config")), - MasterIpv4CidrBlock: d.Get("master_ipv4_cidr_block").(string), - BinaryAuthorization: &containerBeta.BinaryAuthorization{ - Enabled: d.Get("enable_binary_authorization").(bool), - ForceSendFields: []string{"Enabled"}, - }, - MasterAuth: expandMasterAuth(d.Get("master_auth")), - ResourceLabels: expandStringMap(d, "resource_labels"), + MasterAuth: expandMasterAuth(d.Get("master_auth")), + ResourceLabels: expandStringMap(d, "resource_labels"), } // Only allow setting node_version on create if it's set to the equivalent master version, @@ -676,17 +668,6 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er cluster.NodeConfig = expandNodeConfig(v) } - if v, ok := d.GetOk("private_cluster"); ok { - if cluster.PrivateCluster = v.(bool); cluster.PrivateCluster { - if cluster.MasterIpv4CidrBlock == "" { - return fmt.Errorf("master_ipv4_cidr_block is mandatory when private_cluster=true") - } - if cluster.IpAllocationPolicy == nil { - return fmt.Errorf("ip_allocation_policy is mandatory when private_cluster=true") - } - } - } - if v, ok := d.GetOk("private_cluster_config"); ok { cluster.PrivateClusterConfig = expandPrivateClusterConfig(v) } 
@@ -791,13 +772,11 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro d.Set("cluster_ipv4_cidr", cluster.ClusterIpv4Cidr) d.Set("description", cluster.Description) d.Set("enable_kubernetes_alpha", cluster.EnableKubernetesAlpha) - d.Set("enable_tpu", cluster.EnableTpu) d.Set("enable_legacy_abac", cluster.LegacyAbac.Enabled) d.Set("logging_service", cluster.LoggingService) d.Set("monitoring_service", cluster.MonitoringService) d.Set("network", cluster.NetworkConfig.Network) d.Set("subnetwork", cluster.NetworkConfig.Subnetwork) - d.Set("enable_binary_authorization", cluster.BinaryAuthorization != nil && cluster.BinaryAuthorization.Enabled) if err := d.Set("node_config", flattenNodeConfig(cluster.NodeConfig)); err != nil { return err } @@ -829,14 +808,7 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro return err } - if err := d.Set("pod_security_policy_config", flattenPodSecurityPolicyConfig(cluster.PodSecurityPolicyConfig)); err != nil { - return err - } - - d.Set("private_cluster", cluster.PrivateCluster) - d.Set("master_ipv4_cidr_block", cluster.MasterIpv4CidrBlock) d.Set("resource_labels", cluster.ResourceLabels) - return nil } 
@@ -962,28 +934,6 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er } } - if d.HasChange("enable_binary_authorization") { - enabled := d.Get("enable_binary_authorization").(bool) - req := &containerBeta.UpdateClusterRequest{ - Update: &containerBeta.ClusterUpdate{ - DesiredBinaryAuthorization: &containerBeta.BinaryAuthorization{ - Enabled: enabled, - ForceSendFields: []string{"Enabled"}, - }, - }, - } - - updateF := updateFunc(req, "updating GKE binary authorization") - // Call update serially. - if err := lockedCall(lockKey, updateF); err != nil { - return err - } - - log.Printf("[INFO] GKE cluster %s's binary authorization has been updated to %v", d.Id(), enabled) - - d.SetPartial("enable_binary_authorization") - } - if d.HasChange("maintenance_policy") { var req *containerBeta.SetMaintenancePolicyRequest if mp, ok := d.GetOk("maintenance_policy"); ok { 
@@ -1256,31 +1206,6 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er d.SetPartial("master_auth") } - if d.HasChange("pod_security_policy_config") { - c := d.Get("pod_security_policy_config") - req := &containerBeta.UpdateClusterRequest{ - Update: &containerBeta.ClusterUpdate{ - DesiredPodSecurityPolicyConfig: expandPodSecurityPolicyConfig(c), - }, - } - - updateF := func() error { - name := containerClusterFullName(project, location, clusterName) - op, err := config.clientContainerBeta.Projects.Locations.Clusters.Update(name, req).Do() - if err != nil { - return err - } - // Wait until it's updated - return containerSharedOperationWait(config, op, project, location, "updating GKE cluster pod security policy config", timeoutInMinutes, 2) - } - if err := lockedCall(lockKey, updateF); err != nil { - return err - } - log.Printf("[INFO] GKE cluster %s pod security policy config has been updated", d.Id()) - - d.SetPartial("pod_security_policy_config") - } - if d.HasChange("resource_labels") { resourceLabels := d.Get("resource_labels").(map[string]interface{}) req := &containerBeta.SetLabelsRequest{ @@ -1572,16 +1497,9 @@ func expandPrivateClusterConfig(configured interface{}) *containerBeta.PrivateCl } func expandPodSecurityPolicyConfig(configured interface{}) *containerBeta.PodSecurityPolicyConfig { - l := configured.([]interface{}) - if len(l) == 0 || l[0] == nil { - return nil - } - - config := l[0].(map[string]interface{}) - return &containerBeta.PodSecurityPolicyConfig{ - Enabled: config["enabled"].(bool), - ForceSendFields: []string{"Enabled"}, - } + // Removing lists is hard - the element count (#) will have a diff from nil -> computed + // If we set this to empty on Read, it will be stable. + return nil } func flattenNetworkPolicy(c *containerBeta.NetworkPolicy) []map[string]interface{} { 
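Review bot: The comment in `expandPodSecurityPolicyConfig` says the value is stable "if we set this to empty on Read", but the Read hunk in this patch deletes the `d.Set("pod_security_policy_config", ...)` call rather than setting it to empty, so comment and code disagree unless Read clears it somewhere outside the visible hunks. If clearing is intended, Read needs a line such as `d.Set("pod_security_policy_config", nil)`; otherwise the comment should say what actually happens, for example `// Always nil: pod_security_policy_config is Removed here and is never sent to the API.`. The `configured` parameter is now unused, and the Create hunk still passes `d.Get("pod_security_policy_config")` through this function, which is worth a word in the doc comment.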
@@ -1740,17 +1658,6 @@ func flattenMasterAuthorizedNetworksConfig(c *containerBeta.MasterAuthorizedNetw return []map[string]interface{}{result} } -func flattenPodSecurityPolicyConfig(c *containerBeta.PodSecurityPolicyConfig) []map[string]interface{} { - if c == nil { - return nil - } - return []map[string]interface{}{ - { - "enabled": c.Enabled, - }, - } -} - func resourceContainerClusterStateImporter(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) { parts := strings.Split(d.Id(), "/") @@ -1827,17 +1734,3 @@ func masterAuthClientCertCfgSuppress(k, old, new string, r *schema.ResourceData) return strings.HasSuffix(k, ".issue_client_certificate") && old == "" && new == "true" } - -func podSecurityPolicyCfgSuppress(k, old, new string, r *schema.ResourceData) bool { - if k == "pod_security_policy_config.#" && old == "1" && new == "0" { - if v, ok := r.GetOk("pod_security_policy_config"); ok { - cfgList := v.([]interface{}) - if len(cfgList) > 0 { - d := cfgList[0].(map[string]interface{}) - // Suppress if old value was {enabled == false} - return !d["enabled"].(bool) - } - } - } - return false -} diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go index e1ba9f88..7028c9ff 100644 --- a/google/resource_container_cluster_test.go +++ b/google/resource_container_cluster_test.go 
@@ -458,57 +458,6 @@ func TestAccContainerCluster_withKubernetesAlpha(t *testing.T) { }) } -func TestAccContainerCluster_withTpu(t *testing.T) { - t.Parallel() - - clusterName := fmt.Sprintf("cluster-test-%s", acctest.RandString(10)) - - resource.Test(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testAccCheckContainerClusterDestroy, - Steps: []resource.TestStep{ - { - Config: testAccContainerCluster_withTpu(clusterName), - Check: resource.ComposeTestCheckFunc( - resource.TestCheckResourceAttr("google_container_cluster.with_tpu", "enable_tpu", "true"), - ), - }, - { - ResourceName: "google_container_cluster.with_tpu", - ImportStateIdPrefix: "us-central1-b/", - ImportState: true, - ImportStateVerify: true, - }, - }, - }) -} - -func TestAccContainerCluster_withPrivateCluster(t *testing.T) { - t.Parallel() - - clusterName := fmt.Sprintf("cluster-test-%s", acctest.RandString(10)) - - resource.Test(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testAccCheckContainerClusterDestroy, - Steps: []resource.TestStep{ - { - Config: testAccContainerCluster_withPrivateCluster(clusterName), - Check: resource.ComposeTestCheckFunc( - resource.TestCheckResourceAttr("google_container_cluster.with_private_cluster", "private_cluster", "true"), - ), - }, - { - ResourceName: "google_container_cluster.with_private_cluster", - ImportStateIdPrefix: "us-central1-a/", - ImportState: true, - ImportStateVerify: true, - }, - }, - }) -} func TestAccContainerCluster_withPrivateClusterConfig(t *testing.T) { t.Parallel() 
@@ -1188,46 +1137,6 @@ func TestAccContainerCluster_withIPAllocationPolicy_createSubnetwork(t *testing. }) } -func TestAccContainerCluster_withPodSecurityPolicy(t *testing.T) { - t.Parallel() - - clusterName := fmt.Sprintf("cluster-test-%s", acctest.RandString(10)) - - resource.Test(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testAccCheckContainerClusterDestroy, - Steps: []resource.TestStep{ - { - Config: testAccContainerCluster_withPodSecurityPolicy(clusterName, true), - Check: resource.ComposeTestCheckFunc( - resource.TestCheckResourceAttr("google_container_cluster.with_pod_security_policy", - "pod_security_policy_config.0.enabled", "true"), - ), - }, - { - ResourceName: "google_container_cluster.with_pod_security_policy", - ImportStateIdPrefix: "us-central1-a/", - ImportState: true, - ImportStateVerify: true, - }, - { - Config: testAccContainerCluster_withPodSecurityPolicy(clusterName, false), - Check: resource.ComposeTestCheckFunc( - resource.TestCheckResourceAttr("google_container_cluster.with_pod_security_policy", - "pod_security_policy_config.0.enabled", "false"), - ), - }, - { - ResourceName: "google_container_cluster.with_pod_security_policy", - ImportStateIdPrefix: "us-central1-a/", - ImportState: true, - ImportStateVerify: true, - }, - }, - }) -} - func TestAccContainerCluster_sharedVpc(t *testing.T) { t.Parallel() 
@@ -1303,38 +1212,6 @@ func TestAccContainerCluster_withResourceLabelsUpdate(t *testing.T) { }) } -func TestAccContainerCluster_withBinaryAuthorization(t *testing.T) { - t.Parallel() - - clusterName := fmt.Sprintf("cluster-test-%s", acctest.RandString(10)) - - resource.Test(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - Providers: testAccProviders, - CheckDestroy: testAccCheckContainerClusterDestroy, - Steps: []resource.TestStep{ - { - Config: testAccContainerCluster_withBinaryAuthorization(clusterName, true), - }, - { - ResourceName: "google_container_cluster.with_binary_authorization", - ImportStateIdPrefix: "us-central1-a/", - ImportState: true, - ImportStateVerify: true, - }, - { - Config: testAccContainerCluster_withBinaryAuthorization(clusterName, false), - }, - { - ResourceName: "google_container_cluster.with_binary_authorization", - ImportStateIdPrefix: "us-central1-a/", - ImportState: true, - ImportStateVerify: true, - }, - }, - }) -} - func testAccCheckContainerClusterDestroy(s *terraform.State) error { config := testAccProvider.Meta().(*Config) 
@@ -1750,49 +1627,6 @@ resource "google_container_cluster" "with_kubernetes_alpha" { }`, clusterName) } -func testAccContainerCluster_withTpu(clusterName string) string { - return fmt.Sprintf(` -resource "google_compute_network" "container_network" { - name = "container-net-%s" - auto_create_subnetworks = false -} - -resource "google_compute_subnetwork" "container_subnetwork" { - name = "${google_compute_network.container_network.name}" - network = "${google_compute_network.container_network.name}" - ip_cidr_range = "10.0.35.0/24" - region = "us-central1" - - secondary_ip_range { - range_name = "pod" - ip_cidr_range = "10.1.0.0/19" - } - - secondary_ip_range { - range_name = "svc" - ip_cidr_range = "10.2.0.0/22" - } -} - -resource "google_container_cluster" "with_tpu" { - name = "cluster-test-%s" - zone = "us-central1-b" - initial_node_count = 1 - - enable_tpu = true - - network = "${google_compute_network.container_network.name}" - subnetwork = "${google_compute_subnetwork.container_subnetwork.name}" - - master_ipv4_cidr_block = "10.42.0.0/28" - master_authorized_networks_config { cidr_blocks = [] } - ip_allocation_policy { - cluster_secondary_range_name = "${google_compute_subnetwork.container_subnetwork.secondary_ip_range.0.range_name}" - services_secondary_range_name = "${google_compute_subnetwork.container_subnetwork.secondary_ip_range.1.range_name}" - } -}`, clusterName, clusterName) -} - func testAccContainerCluster_defaultLegacyAbac(clusterName string) string { return fmt.Sprintf(` resource "google_container_cluster" "default_legacy_abac" { 
@@ -2375,61 +2209,6 @@ resource "google_container_cluster" "with_ip_allocation_policy" { }`, cluster) } -func testAccContainerCluster_withPodSecurityPolicy(clusterName string, enabled bool) string { - return fmt.Sprintf(` -resource "google_container_cluster" "with_pod_security_policy" { - name = "cluster-test-%s" - zone = "us-central1-a" - initial_node_count = 1 - - pod_security_policy_config { - enabled = %v - } -}`, clusterName, enabled) -} - -func testAccContainerCluster_withPrivateCluster(clusterName string) string { - return fmt.Sprintf(` -resource "google_compute_network" "container_network" { - name = "container-net-%s" - auto_create_subnetworks = false -} - -resource "google_compute_subnetwork" "container_subnetwork" { - name = "${google_compute_network.container_network.name}" - network = "${google_compute_network.container_network.name}" - ip_cidr_range = "10.0.36.0/24" - region = "us-central1" - private_ip_google_access = true - - secondary_ip_range { - range_name = "pod" - ip_cidr_range = "10.0.0.0/19" - } - - secondary_ip_range { - range_name = "svc" - ip_cidr_range = "10.0.32.0/22" - } -} - -resource "google_container_cluster" "with_private_cluster" { - name = "cluster-test-%s" - zone = "us-central1-a" - initial_node_count = 1 - - network = "${google_compute_network.container_network.name}" - subnetwork = "${google_compute_subnetwork.container_subnetwork.name}" - - private_cluster = true - master_ipv4_cidr_block = "10.42.0.0/28" - master_authorized_networks_config { cidr_blocks = [] } - ip_allocation_policy { - cluster_secondary_range_name = "${google_compute_subnetwork.container_subnetwork.secondary_ip_range.0.range_name}" - services_secondary_range_name = "${google_compute_subnetwork.container_subnetwork.secondary_ip_range.1.range_name}" - } -}`, clusterName, clusterName) -} func testAccContainerCluster_withPrivateClusterConfig(clusterName string) string { return fmt.Sprintf(` resource "google_compute_network" "container_network" { 
@@ -2602,15 +2381,3 @@ resource "google_container_cluster" "with_resource_labels" { } `, clusterName) } - -func testAccContainerCluster_withBinaryAuthorization(clusterName string, enabled bool) string { - return fmt.Sprintf(` -resource "google_container_cluster" "with_binary_authorization" { - name = "%s" - zone = "us-central1-a" - initial_node_count = 1 - - enable_binary_authorization = %v -} -`, clusterName, enabled) -} diff --git a/website/docs/r/container_cluster.html.markdown b/website/docs/r/container_cluster.html.markdown index 1682d891..aba768da 100644 --- a/website/docs/r/container_cluster.html.markdown +++ b/website/docs/r/container_cluster.html.markdown @@ -136,13 +136,6 @@ output "cluster_ca_certificate" { for master authorized networks. Omit the nested `cidr_blocks` attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists). -* `master_ipv4_cidr_block` - (Optional, Deprecated) Specifies a private - [RFC1918](https://tools.ietf.org/html/rfc1918) block for the master's VPC. The master range must not overlap with any subnet in your cluster's VPC. - The master and your cluster use VPC peering. Must be specified in CIDR notation and must be `/28` subnet. - This property is in beta, and should be used with the terraform-provider-google-beta provider. - See [Provider Versions](https://terraform.io/docs/providers/google/provider_versions.html) for more details on beta fields. - This field is deprecated, use `private_cluster_config.master_ipv4_cidr_block` instead. - * `min_master_version` - (Optional) The minimum version of the master. GKE will auto-update the master to new versions, so this does not guarantee the current master version--use the read-only `master_version` field to obtain that. 
@@ -186,14 +179,6 @@ output "cluster_ca_certificate" { This property is in beta, and should be used with the terraform-provider-google-beta provider. See [Provider Versions](https://terraform.io/docs/providers/google/provider_versions.html) for more details on beta fields. -* `private_cluster` - (Optional, Deprecated) If true, a - [private cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters) will be created, meaning - nodes do not get public IP addresses. It is mandatory to specify `master_ipv4_cidr_block` and - `ip_allocation_policy` with this option. - This property is in beta, and should be used with the terraform-provider-google-beta provider. - See [Provider Versions](https://terraform.io/docs/providers/google/provider_versions.html) for more details on beta fields. - This field is deprecated, use `private_cluster_config.enable_private_nodes` instead. - * `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.