From b8adcc28fec785ca15a041573b0c901dc4cafe12 Mon Sep 17 00:00:00 2001
From: Michael Parker
Date: Wed, 4 Apr 2018 12:58:08 -0500
Subject: [PATCH] Updates container_cluster to set enable_legacy_abac to false by default (#1281)

* Updates the default GKE legacy ABAC setting to false
* Updates docs for container_cluster
* Update test comments
* Format fix
* Adds ImportState test step to default legacy ABAC test
---
 google/resource_container_cluster.go       |  2 +-
 google/resource_container_cluster_test.go  | 38 +++++++++++++++++++
 .../docs/r/container_cluster.html.markdown |  2 +-
 3 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/google/resource_container_cluster.go b/google/resource_container_cluster.go
index 35c26f33..8fd33f0d 100644
--- a/google/resource_container_cluster.go
+++ b/google/resource_container_cluster.go
@@ -206,7 +206,7 @@ func resourceContainerCluster() *schema.Resource {
 			"enable_legacy_abac": {
 				Type:     schema.TypeBool,
 				Optional: true,
-				Default:  true,
+				Default:  false,
 			},
 
 			"initial_node_count": {
diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go
index 498f0dff..82d81a0b 100644
--- a/google/resource_container_cluster_test.go
+++ b/google/resource_container_cluster_test.go
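Review bot: Changing `Default` from `true` to `false` on `enable_legacy_abac` alters the planned value for every existing configuration that leaves the field unset, so on the next plan Terraform will diff state `true` against the new default `false` and, if the resource's update path handles this field (it is outside the hunk), disable ABAC on clusters that currently depend on it. `false` is the safer default, since legacy ABAC grants static permissions beyond RBAC/IAM as the docs hunk itself states, but that apply-time migration should be called out in the changelog and upgrade notes rather than left implicit. The schema field also deserves a why-comment, e.g. `// Default false: legacy ABAC grants broad static permissions; GKE 1.8+ disables it server-side.`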
@@ -374,6 +374,35 @@ func TestAccContainerCluster_withLegacyAbac(t *testing.T) {
 	})
 }
 
+/*
+	Since GKE disables legacy ABAC by default in Kubernetes version 1.8+, and the default Kubernetes
+	version for GKE is also 1.8+, this test will ensure that legacy ABAC is disabled by default to be
+	more consistent with default settings in the Cloud Console
+*/
+func TestAccContainerCluster_withDefaultLegacyAbac(t *testing.T) {
+	t.Parallel()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckContainerClusterDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccContainerCluster_defaultLegacyAbac(acctest.RandString(10)),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("google_container_cluster.default_legacy_abac", "enable_legacy_abac", "false"),
+				),
+			},
+			{
+				ResourceName:        "google_container_cluster.default_legacy_abac",
+				ImportStateIdPrefix: "us-central1-a/",
+				ImportState:         true,
+				ImportStateVerify:   true,
+			},
+		},
+	})
+}
+
 func TestAccContainerCluster_withVersion(t *testing.T) {
 	t.Parallel()
 
@@ -1320,6 +1349,15 @@ resource "google_container_cluster" "with_kubernetes_alpha" {
 }`, clusterName)
 }
 
+func testAccContainerCluster_defaultLegacyAbac(clusterName string) string {
+	return fmt.Sprintf(`
+resource "google_container_cluster" "default_legacy_abac" {
+	name               = "cluster-test-%s"
+	zone               = "us-central1-a"
+	initial_node_count = 1
+}`, clusterName)
+}
+
 func testAccContainerCluster_withLegacyAbac(clusterName string) string {
 	return fmt.Sprintf(`
 resource "google_container_cluster" "with_legacy_abac" {
diff --git a/website/docs/r/container_cluster.html.markdown b/website/docs/r/container_cluster.html.markdown
index 08c6770c..61fc47dc 100644
--- a/website/docs/r/container_cluster.html.markdown
+++ b/website/docs/r/container_cluster.html.markdown
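Review bot: The rationale in the block comment above `TestAccContainerCluster_withDefaultLegacyAbac` (GKE disables legacy ABAC on 1.8+) does not match what the test checks: the first step asserts that state holds `enable_legacy_abac = "false"`, which follows from the provider's new schema default regardless of any server-side default, and the second step's `ImportStateVerify` is the part that actually confirms the API reports ABAC disabled. The comment should describe that instead. Go doc comments are `//` lines beginning with the function name, so replace the `/* … */` block with e.g. `// TestAccContainerCluster_withDefaultLegacyAbac checks that a cluster created without enable_legacy_abac gets the provider default of false and that the state imported back from GKE agrees.`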
@@ -94,7 +94,7 @@ output "cluster_ca_certificate" {
 * `enable_legacy_abac` - (Optional) Whether the ABAC authorizer is enabled for this cluster. When enabled, identities in the system, including service accounts, nodes, and controllers, will have statically granted permissions beyond those provided by the RBAC configuration or IAM.
-    Defaults to `true`
+    Defaults to `false`
 
 * `initial_node_count` - (Optional) The number of nodes to create in this cluster (not including the Kubernetes master). Must be set if `node_pool` is not set.