From f78d7a5f5d32fddcf6530665a13d28296ad86443 Mon Sep 17 00:00:00 2001
From: The Magician
Date: Wed, 2 Nov 2022 10:47:04 -0700
Subject: [PATCH] Add support for shielded instance config on auto provisioned GKE nodes (#6754) (#12930)
Signed-off-by: Modular Magician
Signed-off-by: Modular Magician
---
.changelog/6754.txt | 3 ++
google/resource_container_cluster.go | 39 ++++++++++++++
google/resource_container_cluster_test.go | 53 +++++++++++++++++++
.../docs/r/container_cluster.html.markdown | 2 +
4 files changed, 97 insertions(+)
create mode 100644 .changelog/6754.txt
diff --git a/.changelog/6754.txt b/.changelog/6754.txt
new file mode 100644
index 00000000000..40879373d74
--- /dev/null
+++ b/.changelog/6754.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+container: Added support for Shielded Instance configuration for node auto-provisioning to `google_container_cluster`
+```
diff --git a/google/resource_container_cluster.go b/google/resource_container_cluster.go
index 03cd6785e8a..c1f4d6cfe51 100644
--- a/google/resource_container_cluster.go
+++ b/google/resource_container_cluster.go
@@ -395,6 +395,36 @@ func resourceContainerCluster() *schema.Resource {
 ForceNew: true,
 Description: `The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool.`,
 },
+ "shielded_instance_config": {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: `Shielded Instance options.`,
+ MaxItems: 1,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "enable_secure_boot": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Default: false,
+ Description: `Defines whether the instance has Secure Boot enabled.`,
+ AtLeastOneOf: []string{
+ "cluster_autoscaling.0.auto_provisioning_defaults.0.shielded_instance_config.0.enable_secure_boot",
+ "cluster_autoscaling.0.auto_provisioning_defaults.0.shielded_instance_config.0.enable_integrity_monitoring",
+ },
+ },
+ "enable_integrity_monitoring": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Default: true,
+ Description: `Defines whether the instance has integrity monitoring enabled.`,
+ AtLeastOneOf: []string{
+ "cluster_autoscaling.0.auto_provisioning_defaults.0.shielded_instance_config.0.enable_secure_boot",
+ "cluster_autoscaling.0.auto_provisioning_defaults.0.shielded_instance_config.0.enable_integrity_monitoring",
+ },
+ },
+ },
+ },
+ },
 },
 },
 },
@@ -3180,6 +3210,14 @@ func expandAutoProvisioningDefaults(configured interface{}, d *schema.ResourceDa
 BootDiskKmsKey: config["boot_disk_kms_key"].(string),
 }
+ if v, ok := config["shielded_instance_config"]; ok && len(v.([]interface{})) > 0 {
+ conf := v.([]interface{})[0].(map[string]interface{})
+ npd.ShieldedInstanceConfig = &container.ShieldedInstanceConfig{
+ EnableSecureBoot: conf["enable_secure_boot"].(bool),
+ EnableIntegrityMonitoring: conf["enable_integrity_monitoring"].(bool),
+ }
+ }
+
 return npd
}
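Review bot: The two Description strings say nothing about what an omitted block yields, although `Default: false` on enable_secure_boot and `Default: true` on enable_integrity_monitoring mean auto-provisioned nodes get integrity monitoring but not Secure Boot unless the operator opts in; state that in the descriptions, e.g. `Defines whether the instance has Secure Boot enabled. Defaults to false.` and `Defines whether the instance has integrity monitoring enabled. Defaults to true.`. AtLeastOneOf is validated against the written configuration rather than the defaults, so `shielded_instance_config {}` with neither attribute is rejected; that is acceptable, but it deserves a sentence in the block-level Description so users know one attribute must be set explicitly. Separately, the block is Optional without Computed, so if the GKE API reports a shieldedInstanceConfig for a cluster whose configuration never set one (this diff does not show either way), the read path will populate state and every plan will show a diff until the user adds the block; verify against a cluster created without it and add `Computed: true` if that is the behaviour. The resourceContainerCluster schema begins and ends outside the hunk.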
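Review bot: The container.ShieldedInstanceConfig literal in the new block carries no ForceSendFields, and the generated google.golang.org/api structs tag their bool fields omitempty, so an explicit `enable_integrity_monitoring = false` is dropped from the request and the service applies its own default, after which the value read back disagrees with the configuration; add `ForceSendFields: []string{"EnableSecureBoot", "EnableIntegrityMonitoring"},` to the literal so both values are always sent. The unchecked assertion `v.([]interface{})[0].(map[string]interface{})` panics on a nil element; the AtLeastOneOf rules on the children should keep an empty block from reaching this code, but `conf, ok := v.([]interface{})[0].(map[string]interface{}); ok` is the usual defensive form and costs one line. expandAutoProvisioningDefaults starts before the hunk.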
@@ -3944,6 +3982,7 @@ func flattenAutoProvisioningDefaults(a *container.AutoprovisioningNodePoolDefaul
 r["disk_type"] = a.DiskType
 r["image_type"] = a.ImageType
 r["boot_disk_kms_key"] = a.BootDiskKmsKey
+ r["shielded_instance_config"] = flattenShieldedInstanceConfig(a.ShieldedInstanceConfig)
 return []map[string]interface{}{r}
}
diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go
index 9f934acc103..79b1af46ae7 100644
--- a/google/resource_container_cluster_test.go
+++ b/google/resource_container_cluster_test.go
@@ -2184,6 +2184,29 @@ func TestAccContainerCluster_nodeAutoprovisioningDefaultsBootDiskKmsKey(t *testi
 })
 }
+func TestAccContainerCluster_nodeAutoprovisioningDefaultsShieldedInstance(t *testing.T) {
+ t.Parallel()
+
+ clusterName := fmt.Sprintf("tf-test-cluster-%s", randString(t, 10))
+
+ vcrTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckContainerClusterDestroyProducer(t),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccContainerCluster_autoprovisioningDefaultsShieldedInstance(clusterName),
+ },
+ {
+ ResourceName: "google_container_cluster.nap_shielded_instance",
+ ImportState: true,
+ ImportStateVerify: true,
+ ImportStateVerifyIgnore: []string{"min_master_version"},
+ },
+ },
+ })
+}
+
 func TestAccContainerCluster_errorCleanDanglingCluster(t *testing.T) {
+ t.Parallel()
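Review bot: TestAccContainerCluster_nodeAutoprovisioningDefaultsShieldedInstance applies one configuration with both Shielded options true and then only import-verifies it, so neither the update path (changing cluster_autoscaling on an existing cluster) nor an explicit false value is exercised, and the false case is precisely where a field dropped from the API request would surface as a post-apply diff. Add a second Config step that flips one of the two values, using a variant of the config helper, and follow it with the same ImportState/ImportStateVerify step. A `resource.TestCheckResourceAttr` on `cluster_autoscaling.0.auto_provisioning_defaults.0.shielded_instance_config.0.enable_secure_boot` would also pin the value the API actually returns, since ImportStateVerify only compares the imported state against the state already recorded. The new test function starts and ends inside the hunk.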
@@ -4054,6 +4077,36 @@ resource "google_container_cluster" "nap_boot_disk_kms_key" { `, project, clusterName, kmsKeyName) } +func testAccContainerCluster_autoprovisioningDefaultsShieldedInstance(cluster string) string { + return fmt.Sprintf(` +data "google_container_engine_versions" "central1a" { + location = "us-central1-a" +} +resource "google_container_cluster" "nap_shielded_instance" { + name = "%s" + location = "us-central1-a" + initial_node_count = 1 + min_master_version = data.google_container_engine_versions.central1a.latest_master_version + cluster_autoscaling { + enabled = true + resource_limits { + resource_type = "cpu" + maximum = 2 + } + resource_limits { + resource_type = "memory" + maximum = 2048 + } + auto_provisioning_defaults { + shielded_instance_config { + enable_integrity_monitoring = true + enable_secure_boot = true + } + } + } +}`, cluster) +} + func testAccContainerCluster_withNodePoolAutoscaling(cluster, np string) string { return fmt.Sprintf(` resource "google_container_cluster" "with_node_pool" { diff --git a/website/docs/r/container_cluster.html.markdown b/website/docs/r/container_cluster.html.markdown index 9aaf53bb0ad..ad239c011e5 100644 --- a/website/docs/r/container_cluster.html.markdown +++ b/website/docs/r/container_cluster.html.markdown 
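Review bot: testAccContainerCluster_autoprovisioningDefaultsShieldedInstance hard-codes `enable_integrity_monitoring = true` and `enable_secure_boot = true`, so testing the explicit-false or mixed cases, which is where an omitted or dropped field would show up, needs a near-duplicate of this thirty-line config; take the two flags as parameters instead, `func testAccContainerCluster_autoprovisioningDefaultsShieldedInstance(cluster string, secureBoot, integrityMonitoring bool) string`, interpolate them as `enable_integrity_monitoring = %t` and `enable_secure_boot = %t`, and pass `cluster, integrityMonitoring, secureBoot` to Sprintf. The existing caller then supplies `true, true`. Everything else in the helper (the versions data source, the resource limits) matches the neighbouring configs and needs no change. The helper starts and ends inside the hunk.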
@@ -517,6 +517,8 @@ as "Intel Haswell" or "Intel Sandy Bridge".
 * `image_type` - (Optional) The default image type used by NAP once a new node pool is being created. Please note that according to the [official documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-provisioning#default-image-type) the value must be one of the [COS_CONTAINERD, COS, UBUNTU_CONTAINERD, UBUNTU]. __NOTE__ : COS AND UBUNTU are deprecated as of `GKE 1.24`
+* `shielded_instance_config` - (Optional) Shielded Instance options. Structure is [documented below](#nested_shielded_instance_config).
+
 The `authenticator_groups_config` block supports:
 * `security_group` - (Required) The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format `gke-security-groups@yourdomain.com`.