
Support security posture config #8185

Merged

Conversation

Contributor

@DDDDarrenWB DDDDarrenWB commented Jun 22, 2023

Add support for GKE Security Posture Config.

  1. Add security_posture_config.mode field in schema.
  2. Add security_posture_config.vulnerability_mode field in schema.

They both talk to the GKE API - Security Posture Config.
The behavior of Terraform matches how a user will use gcloud to manage our feature.

Fixes hashicorp/terraform-provider-google#14973

If this PR is for Terraform, I acknowledge that I have:

  • [X] Searched through the issue tracker for an open issue that this either resolves or contributes to, commented on it to claim it, and written "fixes {url}" or "part of {url}" in this PR description. If there were no relevant open issues, I opened one and commented that I would like to work on it (not necessary for very small changes).
  • [X] Ensured that all new fields I added that can be set by a user appear in at least one example (for generated resources) or third_party test (for handwritten resources or update tests).
  • [X] Generated Terraform providers, and ran make test and make lint in the generated providers to ensure it passes unit and linter tests.
  • [X] Ran relevant acceptance tests using my own Google Cloud project and credentials (If the acceptance tests do not yet pass or you are unable to run them, please let your reviewer know).
  • [X] Read Write release notes before writing my release note below.

Release Note Template for Downstream PRs (will be copied)

container: added field `security_posture_config` to resource `google_container_cluster`

@modular-magician
Collaborator

Oops! It looks like you're using an unknown release-note type in your changelog entries:

  • REPLACEME

Please only use the types listed in https://github.com/GoogleCloudPlatform/magic-modules/blob/master/.ci/RELEASE_NOTES_GUIDE.md.

@modular-magician
Collaborator

Hello! I am a robot who works on Magic Modules PRs.

I've detected that you're a community contributor. @zli82016, a repository maintainer, has been assigned to assist you and help review your changes.

First time contributing? More details below.

Your assigned reviewer will help review your code by:

  • Ensuring it's backwards compatible, covers common error cases, etc.
  • Summarizing the change into a user-facing changelog note.
  • Passes tests, either our "VCR" suite, a set of presubmit tests, or with manual test runs.

You can help make sure that review is quick by running local tests and ensuring they're passing in between each push you make to your PR's branch. Also, try to leave a comment with each push you make, as pushes generally don't generate emails.

If your reviewer doesn't get back to you within a week after your most recent change, please feel free to leave a comment on the issue asking them to take a look! In the absence of a dedicated review dashboard most maintainers manage their pending reviews through email, and those will sometimes get lost in their inbox.

@modular-magician
Collaborator

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 5 files changed, 174 insertions(+), 4 deletions(-))
Terraform Beta: Diff ( 5 files changed, 174 insertions(+), 4 deletions(-))
TF Conversion: Diff ( 2 files changed, 9 insertions(+), 9 deletions(-))

@modular-magician
Collaborator

Tests analytics

Total tests: 2799
Passed tests 2495
Skipped tests: 301
Affected tests: 3

Action taken

Found 3 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Affected tests:
  • TestAccContainerCluster_withSecurityPostureConfig
  • TestAccComputeFirewallPolicyRule_multipleRules
  • TestAccComputeNetworkEndpoints_networkEndpointsBasic

Get to know how VCR tests work

@modular-magician
Collaborator

Tests passed during RECORDING mode:
TestAccContainerCluster_withSecurityPostureConfig[Debug log]
TestAccComputeNetworkEndpoints_networkEndpointsBasic[Debug log]

Tests failed during RECORDING mode:
TestAccComputeFirewallPolicyRule_multipleRules[Error message] [Debug log]

Please fix these to complete your PR
View the build log or the debug log for each test

@DDDDarrenWB
Contributor Author

DDDDarrenWB commented Jun 22, 2023

The failed test seems not related to my changes? My changes are tested only in TestAccContainerCluster_withSecurityPostureConfig.

I have also updated the release note.

@zli82016
Member

The failed test seems not related to my changes? My changes are tested only in TestAccContainerCluster_withSecurityPostureConfig.

I have also updated the release note.

Right, the failed test is not related to this PR.

@DDDDarrenWB
Contributor Author

Thanks @zli82016 Anything else I should do at this point?

@zli82016
Member

Thanks @zli82016 Anything else I should do at this point?

Thanks for working on it. Not now. I will review it and give you update soon.

@zli82016
Member

Hello, @DDDDarrenWB, I am a little confused about this PR. I may be missing something.

In the API for the resource cluster, I do not see the two new fields. https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters

Also, terraform-google-modules/terraform-google-kubernetes-engine#1586 is already closed. In this issue, it requested adding protect_config instead of the two new fields security_posture and workload_vulnerability_scanning.

@DDDDarrenWB
Contributor Author

Hi @zli82016

  1. The new fields are documented here, https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#securitypostureconfig

  2. You are right. That issue is for protect_config. I opened a new issue for this PR, Add support for SecurityPostureConfig to GKE hashicorp/terraform-provider-google#14973. Thank you!

@zli82016
Member

zli82016 commented Jun 23, 2023

Hi @zli82016

  1. The new fields are documented here, https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#securitypostureconfig
  2. You are right. That issue is for protect_config. I opened a new issue for this PR, Add support for SecurityPostureConfig hashicorp/terraform-provider-google#14973. Thank you!

Thanks for the information.
Instead of adding these two fields to the top level of the schema, it is better to wrap them into the field security_posture_config, similar to protect_config.

```go
"security_posture": {
	Type:     schema.TypeString,
	Optional: true,
	Computed: true,
```
Member


I wonder what the reason is to set Computed: true here? Computed: true is used in the case that the API returns a default value if no value is specified in the request.

Contributor Author


Good question! I couldn't pass the acceptance test locally if I didn't set Computed: true. Although it didn't return an error when I did a manual test without Computed: true. I really could use your advice on this.

Could it be the configurations I have in my local development environment?

Member


Did you get any error in the logs when running the acceptance test locally without Computed: true?

Contributor Author


Yes.

Error log like the one below:

error=
  | After applying this test step, the plan was not empty.
  | stdout:
  | 
  | 
  | Terraform used the selected providers to generate the following execution
  | plan. Resource actions are indicated with the following symbols:
  |   ~ update in-place
  | 
  | Terraform will perform the following actions:
  | 
  |   # google_container_cluster.with_security_posture_config will be updated in-place
  |   ~ resource "google_container_cluster" "with_security_posture_config" {
  |         id                              = "projects/wangbei-gke-dev/locations/us-central1-c/clusters/tf-test-cluster-6mwho946jg"
  |         name                            = "tf-test-cluster-6mwho946jg"
  |       - workload_vulnerability_scanning = "DISABLED" -> null
  |         # (25 unchanged attributes hidden)
  | 
  |         # (16 unchanged blocks hidden)
  |     }
  | 
  | Plan: 0 to add, 1 to change, 0 to destroy.

Member


I think the Computed: true is needed.
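The review thread above turns on what Computed: true changes during planning, and the non-empty plan in the log is the observable symptom. The following Go program is an added illustration, not code from the provider or the terraform-plugin-sdk; it models the one planning rule at stake in a simplified form (an Optional attribute left unset in config is planned as null unless it is also Computed, in which case the server-populated state value is kept) and replays the constructed scenario from the log, where the API refresh returns "DISABLED" for an attribute the test config never sets. Field, PlannedValue and PlanIsEmpty are names chosen for this example.

```go
package main

import "fmt"

// Field models the two schema attributes relevant to the review question.
// This is a deliberately simplified model of terraform-plugin-sdk planning
// written for illustration; it is not the SDK's own logic.
type Field struct {
	Name     string
	Optional bool
	Computed bool
}

// PlannedValue returns the value that would be planned for one attribute and
// whether that differs from the value currently in state.
// configured == nil means the attribute is absent from the HCL config.
// Rule modelled: an unset Optional attribute without Computed is planned as
// null, so a server-populated default in state appears as a change
// ("DISABLED" -> null); with Computed the prior state value is kept.
func PlannedValue(f Field, configured *string, state string) (planned string, changed bool) {
	if configured != nil {
		return *configured, *configured != state
	}
	if f.Computed {
		return state, false
	}
	return "", state != ""
}

// PlanIsEmpty reports whether applying config against the refreshed state
// would yield an empty plan, which is what an acceptance test step asserts
// after apply ("After applying this test step, the plan was not empty").
func PlanIsEmpty(fields []Field, config map[string]*string, state map[string]string) bool {
	for _, f := range fields {
		if _, changed := PlannedValue(f, config[f.Name], state[f.Name]); changed {
			return false
		}
	}
	return true
}

func main() {
	// Constructed scenario mirroring the log: the test config does not set
	// workload_vulnerability_scanning and the API refresh returns "DISABLED".
	state := map[string]string{"workload_vulnerability_scanning": "DISABLED"}
	config := map[string]*string{}

	withoutComputed := []Field{{Name: "workload_vulnerability_scanning", Optional: true}}
	withComputed := []Field{{Name: "workload_vulnerability_scanning", Optional: true, Computed: true}}

	fmt.Println("plan empty without Computed:", PlanIsEmpty(withoutComputed, config, state)) // false
	fmt.Println("plan empty with Computed:   ", PlanIsEmpty(withComputed, config, state))    // true
}
```

The same model also shows why Computed does not hide a real change: when the user does set the attribute, PlannedValue compares the configured value against state and still reports a diff.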

@DDDDarrenWB
Contributor Author

Hi @zli82016

  1. The new fields are documented here, https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#securitypostureconfig
  2. You are right. That issue is for protect_config. I opened a new issue for this PR, Add support for SecurityPostureConfig hashicorp/terraform-provider-google#14973. Thank you!

Thanks for the information. Instead of adding these two fields to the top level of the schema, it is better to wrap them into the field security_posture_config, similar to protect_config.

I want to make the behavior of Terraform match how a user will use gcloud to manage our feature.
We offer two flags for users to enable our features via gcloud, --workload-vulnerability-scanning and --security-posture.

If the rule of Terraform is to make it similar to the API, I'll also be happy to change my code.

@zli82016
Member

Hi @zli82016

  1. The new fields are documented here, https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#securitypostureconfig
  2. You are right. That issue is for protect_config. I opened a new issue for this PR, Add support for SecurityPostureConfig hashicorp/terraform-provider-google#14973. Thank you!

Thanks for the information. Instead of adding these two fields to the top level of the schema, it is better to wrap them into the field security_posture_config, similar to protect_config.

I want to make the behavior of Terraform match how a user will use gcloud to manage our feature. We offer two flags for users to enable our features via gcloud, --workload-vulnerability-scanning and --security-posture.

If the rule of Terraform is to make it similar to the API, I'll also be happy to change my code.

I see. In Terraform, we will make it similar to the API.

```go
"workload_vulnerability_scanning": {
	Type:     schema.TypeString,
	Optional: true,
	Computed: true,
```
Member


I wonder what the reason is to set Computed: true here?

Member


Computed: true is needed. Sorry for the confusion.

```go
"security_posture": {
	Type:     schema.TypeString,
	Optional: true,
	Computed: true,
```
Member


Did you get any error in the logs when running the acceptance test locally without Computed: true?

@zli82016
Member

Also, in Terraform, the field name will match the name in the API. For example, the field will look like:

```hcl
security_posture_config {
  mode               = "DISABLED"
  vulnerability_mode = "DISABLED"
}
```

@DDDDarrenWB
Contributor Author

Also, in Terraform, the field name will match the name in the API. For example, the field will look like:

```hcl
security_posture_config {
  mode               = "DISABLED"
  vulnerability_mode = "DISABLED"
}
```

Understood. I'll make the change.
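The agreed shape is a single nested block whose attribute names mirror the API message (mode, vulnerability_mode). The Go program below is an added example of the expand/flatten pair a handwritten provider resource typically needs for such a block; it is not the code from this PR or from the provider. SecurityPostureConfig is declared locally as a stand-in for the GKE API message of the same name so the example runs without the API client library, and ExpandSecurityPostureConfig / FlattenSecurityPostureConfig are names chosen here. The input follows the SDK convention that a single-item block is read as a []interface{} holding one map.

```go
package main

import "fmt"

// SecurityPostureConfig is a local stand-in for the GKE API message of the
// same name (fields Mode and VulnerabilityMode), declared here only so that
// this example runs offline.
type SecurityPostureConfig struct {
	Mode              string
	VulnerabilityMode string
}

// ExpandSecurityPostureConfig turns the Terraform representation of the
// single-item block (a []interface{} holding one map, as d.Get returns it in
// the SDK) into the API message. A missing or empty block yields nil so the
// request omits the field instead of sending empty strings.
func ExpandSecurityPostureConfig(v interface{}) *SecurityPostureConfig {
	l, ok := v.([]interface{})
	if !ok || len(l) == 0 || l[0] == nil {
		return nil
	}
	m, ok := l[0].(map[string]interface{})
	if !ok {
		return nil
	}
	cfg := &SecurityPostureConfig{}
	if s, ok := m["mode"].(string); ok {
		cfg.Mode = s
	}
	if s, ok := m["vulnerability_mode"].(string); ok {
		cfg.VulnerabilityMode = s
	}
	return cfg
}

// FlattenSecurityPostureConfig converts the API message back into the block
// shape written to state, keeping the attribute names aligned with the API.
func FlattenSecurityPostureConfig(c *SecurityPostureConfig) []interface{} {
	if c == nil {
		return nil
	}
	return []interface{}{map[string]interface{}{
		"mode":               c.Mode,
		"vulnerability_mode": c.VulnerabilityMode,
	}}
}

func main() {
	// Constructed input mirroring the HCL block from the review:
	// security_posture_config { mode = "DISABLED"  vulnerability_mode = "DISABLED" }
	tf := []interface{}{map[string]interface{}{
		"mode":               "DISABLED",
		"vulnerability_mode": "DISABLED",
	}}
	api := ExpandSecurityPostureConfig(tf)
	fmt.Printf("API message:  %+v\n", *api)
	fmt.Printf("state block:  %v\n", FlattenSecurityPostureConfig(api))
	fmt.Printf("empty block:  %v\n", ExpandSecurityPostureConfig([]interface{}{}))
}
```

Because flatten writes exactly the attributes expand reads, a value the API fills in on its own round-trips into state unchanged, which is the case Computed: true on the inner attributes is there to cover.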

@DDDDarrenWB DDDDarrenWB force-pushed the supportSecurityPostureConfig branch 2 times, most recently from 06822b2 to 4401914 Compare June 27, 2023 17:49
@DDDDarrenWB
Contributor Author

Reopened due to a false close.

@DDDDarrenWB DDDDarrenWB reopened this Jun 27, 2023
@modular-magician
Collaborator

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 5 files changed, 174 insertions(+), 2 deletions(-))
Terraform Beta: Diff ( 5 files changed, 174 insertions(+), 2 deletions(-))
TF Conversion: Diff ( 2 files changed, 9 insertions(+), 9 deletions(-))

@modular-magician
Collaborator

Tests analytics

Total tests: 2822
Passed tests 2518
Skipped tests: 301
Affected tests: 3

Action taken

Found 3 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Affected tests:
  • TestAccContainerCluster_withSecurityPostureConfig
  • TestAccComputeNetworkEndpoints_networkEndpointsBasic
  • TestAccComputeFirewallPolicyRule_multipleRules

Get to know how VCR tests work

@modular-magician
Collaborator

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

Terraform GA: Diff ( 5 files changed, 174 insertions(+), 2 deletions(-))
Terraform Beta: Diff ( 5 files changed, 174 insertions(+), 2 deletions(-))
TF Conversion: Diff ( 2 files changed, 9 insertions(+), 9 deletions(-))

@modular-magician
Collaborator

Tests analytics

Total tests: 2822
Passed tests 2519
Skipped tests: 301
Affected tests: 2

Action taken

Found 2 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Affected tests:
  • TestAccComputeFirewallPolicyRule_multipleRules
  • TestAccComputeNetworkEndpoints_networkEndpointsBasic

Get to know how VCR tests work

@modular-magician
Collaborator

Tests passed during RECORDING mode:
TestAccComputeNetworkEndpoints_networkEndpointsBasic[Debug log]

Tests failed during RECORDING mode:
TestAccComputeFirewallPolicyRule_multipleRules[Error message] [Debug log]

Please fix these to complete your PR
View the build log or the debug log for each test

@zli82016
Member

I ran the test TestAccContainerCluster_withSecurityPostureConfig in TeamCity and it passed.

https://ci-oss.hashicorp.engineering/viewLog.html?buildId=412914&buildTypeId=GoogleCloudBeta_ProviderGoogleCloudBetaMmUpstream&tab=testsInfo

Member

@zli82016 zli82016 left a comment


LGTM. Thanks.

@zli82016 zli82016 merged commit 9cb5526 into GoogleCloudPlatform:main Jun 27, 2023
ericayyliu pushed a commit to ericayyliu/magic-modules that referenced this pull request Jul 26, 2023
* support security posture config in the same format as the API

* move create code up
wj-chen pushed a commit to wj-chen/magic-modules that referenced this pull request Aug 1, 2023
* support security posture config in the same format as the API

* move create code up
Successfully merging this pull request may close these issues.

Add support for SecurityPostureConfig to GKE