

[terraform] Add AuthenticatorGroupsConfig to google_container_cluster (
…hashicorp#669)

Signed-off-by: Modular Magician <magic-modules@google.com>
modular-magician authored and rileykarson committed Jun 4, 2019
1 parent c030c9c commit 2cc07c6
Showing 3 changed files with 122 additions and 0 deletions.
49 changes: 49 additions & 0 deletions google-beta/resource_container_cluster.go
Expand Up @@ -317,6 +317,23 @@ func resourceContainerCluster() *schema.Resource {
Default: false,
},

"authenticator_groups_config": {
Type: schema.TypeList,
Optional: true,
Computed: true,
ForceNew: true,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"security_group": {
Type: schema.TypeString,
Required: true,
ForceNew: true,
},
},
},
},

"initial_node_count": {
Type: schema.TypeInt,
Optional: true,
Expand Down Expand Up @@ -876,6 +893,10 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
cluster.NodeConfig = expandNodeConfig(v)
}

if v, ok := d.GetOk("authenticator_groups_config"); ok {
cluster.AuthenticatorGroupsConfig = expandAuthenticatorGroupsConfig(v)
}

if v, ok := d.GetOk("private_cluster_config"); ok {
cluster.PrivateClusterConfig = expandPrivateClusterConfig(v)
}
Expand Down Expand Up @@ -1025,6 +1046,9 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
if cluster.DefaultMaxPodsConstraint != nil {
d.Set("default_max_pods_per_node", cluster.DefaultMaxPodsConstraint.MaxPodsPerNode)
}
if err := d.Set("authenticator_groups_config", flattenAuthenticatorGroupsConfig(cluster.AuthenticatorGroupsConfig)); err != nil {
return err
}
if err := d.Set("node_config", flattenNodeConfig(cluster.NodeConfig)); err != nil {
return err
}
Expand Down Expand Up @@ -1921,6 +1945,20 @@ func expandClusterAutoscaling(configured interface{}, d *schema.ResourceData) *c
return r
}

func expandAuthenticatorGroupsConfig(configured interface{}) *containerBeta.AuthenticatorGroupsConfig {
l := configured.([]interface{})
if len(l) == 0 {
return nil
}
result := &containerBeta.AuthenticatorGroupsConfig{}
config := l[0].(map[string]interface{})
if securityGroup, ok := config["security_group"]; ok {
result.Enabled = true
result.SecurityGroup = securityGroup.(string)
}
return result
}

func expandMasterAuth(configured interface{}) *containerBeta.MasterAuth {
l := configured.([]interface{})
if len(l) == 0 || l[0] == nil {
Expand Down Expand Up @@ -2130,6 +2168,17 @@ func flattenClusterNodePools(d *schema.ResourceData, config *Config, c []*contai
return nodePools, nil
}

func flattenAuthenticatorGroupsConfig(c *containerBeta.AuthenticatorGroupsConfig) []map[string]interface{} {
if c == nil {
return nil
}
return []map[string]interface{}{
{
"security_group": c.SecurityGroup,
},
}
}

func flattenPrivateClusterConfig(c *containerBeta.PrivateClusterConfig) []map[string]interface{} {
if c == nil {
return nil
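Review bot: expandAuthenticatorGroupsConfig asserts `l[0].(map[string]interface{})` without a nil check, so a block whose single element arrives as nil (the case the adjacent expandMasterAuth guards against with `if len(l) == 0 || l[0] == nil {`) would panic inside the provider rather than return nil; the new function should use the same guard. flattenAuthenticatorGroupsConfig in the last hunk also drops the Enabled field, so if the API can report a config with Enabled false the state would still show a security_group that is not actually granting RBAC access — worth confirming and, if so, returning nil when `!c.Enabled`. Since this block controls which Google Group receives Kubernetes RBAC bindings and is ForceNew, a doc comment on the expander such as `// expandAuthenticatorGroupsConfig enables Google Groups for GKE RBAC for the given security_group; changing it recreates the cluster.` would help maintainers see the blast radius of edits here.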
65 changes: 65 additions & 0 deletions google-beta/resource_container_cluster_test.go
Expand Up @@ -316,6 +316,27 @@ func TestAccContainerCluster_withCloudRunEnabled(t *testing.T) {
})
}

func TestAccContainerCluster_withAuthenticatorGroupsConfig(t *testing.T) {
t.Parallel()
clusterName := fmt.Sprintf("cluster-test-%s", acctest.RandString(10))
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckContainerClusterDestroy,
Steps: []resource.TestStep{
{
Config: testAccContainerCluster_withAuthenticatorGroupsConfig(clusterName),
},
{
ResourceName: "google_container_cluster.with_authenticator_groups",
ImportStateIdPrefix: "us-central1-a/",
ImportState: true,
ImportStateVerify: true,
},
},
})
}

func TestAccContainerCluster_withNetworkPolicyEnabled(t *testing.T) {
t.Parallel()

Expand Down Expand Up @@ -2102,6 +2123,50 @@ resource "google_container_cluster" "with_cloudrun_enabled" {
}`, clusterName)
}

func testAccContainerCluster_withAuthenticatorGroupsConfig(clusterName string) string {
return fmt.Sprintf(`
resource "google_compute_network" "container_network" {
name = "container-net-%s"
auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "container_subnetwork" {
name = "${google_compute_network.container_network.name}"
network = "${google_compute_network.container_network.name}"
ip_cidr_range = "10.0.36.0/24"
region = "us-central1"
private_ip_google_access = true
secondary_ip_range {
range_name = "pod"
ip_cidr_range = "10.0.0.0/19"
}
secondary_ip_range {
range_name = "svc"
ip_cidr_range = "10.0.32.0/22"
}
}
resource "google_container_cluster" "with_authenticator_groups" {
name = "%s"
zone = "us-central1-a"
initial_node_count = 1
network = "${google_compute_network.container_network.name}"
subnetwork = "${google_compute_subnetwork.container_subnetwork.name}"
authenticator_groups_config {
security_group = "gke-security-groups@mydomain.tld"
}
ip_allocation_policy {
cluster_secondary_range_name = "${google_compute_subnetwork.container_subnetwork.secondary_ip_range.0.range_name}"
services_secondary_range_name = "${google_compute_subnetwork.container_subnetwork.secondary_ip_range.1.range_name}"
}
}
`, clusterName, clusterName)
}

func testAccContainerCluster_withMasterAuthorizedNetworksConfig(clusterName string, cidrs []string, emptyValue string) string {

cidrBlocks := emptyValue
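Review bot: TestAccContainerCluster_withAuthenticatorGroupsConfig attaches no Check to its apply step, so the only assertion on the new attribute is the import round-trip, which does not pin that the configured group value is what create and read actually agree on. Adding `Check: resource.TestCheckResourceAttr("google_container_cluster.with_authenticator_groups", "authenticator_groups_config.0.security_group", "gke-security-groups@mydomain.tld"),` to the first step would catch a silently dropped or altered security_group. The `mydomain.tld` placeholder presumably relies on the test project accepting an unverified group name; if GKE validates the domain, that should be noted in a comment on testAccContainerCluster_withAuthenticatorGroupsConfig.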
8 changes: 8 additions & 0 deletions website/docs/r/container_cluster.html.markdown
Expand Up @@ -267,6 +267,10 @@ to the datasource. A `region` can have a different set of supported versions tha
[PodSecurityPolicy](https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies) feature.
Structure is documented below.

* `authenticator_groups_config` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html)) Configuration for the
[Google Groups for GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control#groups-setup-gsuite) feature.
Structure is documented below.

* `private_cluster_config` - (Optional) A set of options for creating
a private cluster. Structure is documented below.

Expand Down Expand Up @@ -361,6 +365,10 @@ The `resource_limits` block supports:

* `maximum` - (Optional) The maximum value for the resource type specified.

The `authenticator_groups_config` block supports:

* `security_group` - (Required) The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format `gke-security-groups@yourdomain.com`.

The `maintenance_policy` block supports:

* `daily_maintenance_window` - (Required) Time window specified for daily maintenance operations.
