From 2bfe01409fc15fc9631b1e703514d8f04d364af8 Mon Sep 17 00:00:00 2001 From: Aaron Liberatore Date: Wed, 15 Nov 2023 06:47:50 +0000 Subject: [PATCH 01/10] [GKE Hub]: Retrigger review --- mmv1/templates/terraform/examples/gkehub_fleet_basic.tf.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/mmv1/templates/terraform/examples/gkehub_fleet_basic.tf.erb b/mmv1/templates/terraform/examples/gkehub_fleet_basic.tf.erb index b31d3770c71c..b1988b53c8e6 100644 --- a/mmv1/templates/terraform/examples/gkehub_fleet_basic.tf.erb +++ b/mmv1/templates/terraform/examples/gkehub_fleet_basic.tf.erb @@ -1,5 +1,6 @@ resource "google_gke_hub_fleet" "default" { display_name = "my production fleet" + default_cluster_config { security_posture_config { mode = "DISABLED" From 389d65d0a658b9d17aab837b055223e2ad0059ae Mon Sep 17 00:00:00 2001 From: Aaron Liberatore Date: Wed, 15 Nov 2023 16:46:35 +0000 Subject: [PATCH 02/10] [GKE Hub]: Retrigger review --- mmv1/templates/terraform/examples/gkehub_fleet_basic.tf.erb | 1 - 1 file changed, 1 deletion(-) diff --git a/mmv1/templates/terraform/examples/gkehub_fleet_basic.tf.erb b/mmv1/templates/terraform/examples/gkehub_fleet_basic.tf.erb index b1988b53c8e6..b31d3770c71c 100644 --- a/mmv1/templates/terraform/examples/gkehub_fleet_basic.tf.erb +++ b/mmv1/templates/terraform/examples/gkehub_fleet_basic.tf.erb @@ -1,6 +1,5 @@ resource "google_gke_hub_fleet" "default" { display_name = "my production fleet" - default_cluster_config { security_posture_config { mode = "DISABLED" From c9ea42d9481f5f37d77eb5e3206dbdd097b6b636 Mon Sep 17 00:00:00 2001 From: Aaron Liberatore Date: Thu, 30 Nov 2023 00:41:12 +0000 Subject: [PATCH 03/10] [GKE Hub]: Add binary authorization config --- mmv1/products/gkehub2/Fleet.yaml | 22 +++++++++++++++++++ .../resource_gke_hub_fleet_test.go.erb | 9 ++++++++ 2 files changed, 31 insertions(+) diff --git a/mmv1/products/gkehub2/Fleet.yaml b/mmv1/products/gkehub2/Fleet.yaml index 0c9de65f03b6..abfe34ad0f2f 100644 
--- a/mmv1/products/gkehub2/Fleet.yaml +++ b/mmv1/products/gkehub2/Fleet.yaml @@ -99,6 +99,28 @@ properties: name: "defaultClusterConfig" description: The default cluster configurations to apply across the fleet. properties: + - !ruby/object:Api::Type::NestedObject + name: "binaryAuthorizationConfig" + description: Enable/Disable binary authorization features for the cluster. + properties: + - !ruby/object:Api::Type::Enum + name: "evaluationMode" + description: Mode of operation for binauthz policy evaluation. + values: + - DISABLED + - POLICY_BINDINGS + - !ruby/object:Api::Type::Array + name: "policyBindings" + description: Binauthz policies that apply to this cluster. + output: false + item_type: !ruby/object:Api::Type::NestedObject + properties: + - !ruby/object:Api::Type::String + name: "name" + description: | + The relative resource name of the binauthz platform policy to audit. GKE + platform policies have the following format: + `projects/{project_number}/platforms/gke/policies/{policy_id}`. - !ruby/object:Api::Type::NestedObject name: "securityPostureConfig" description: Enable/Disable Security Posture features for the cluster. diff --git a/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb b/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb index d0f91aca472a..fe4d3c9cbdef 100755 --- a/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb +++ b/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb @@ -58,6 +58,9 @@ resource "google_gke_hub_fleet" "default" { project = google_project.project.project_id display_name = "my production fleet" default_cluster_config { + binary_authorization_config { + evaluationMode = "DISABLED" + } security_posture_config { mode = "DISABLED" vulnerability_mode = "VULNERABILITY_DISABLED" 
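Review bot: The new `policyBindings` array and its `name` field say nothing about when they take effect, while `evaluationMode` offers only `DISABLED` and `POLICY_BINDINGS`; a binding configured while the mode is `DISABLED` would presumably be inert, which is exactly the misconfiguration the schema docs should warn about. Suggest extending the array description to `Binauthz policies that apply to this cluster. Only evaluated when evaluationMode is POLICY_BINDINGS.`, after confirming that reading against the Fleet API. The `name` description fixes the format as `projects/{project_number}/platforms/gke/policies/{policy_id}`, yet the test added in this same patch builds the value from a project id; one of the two should be aligned so the documented format matches what the acceptance test sends.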
@@ -74,6 +77,12 @@ resource "google_gke_hub_fleet" "default" { project = google_project.project.project_id display_name = "my staging fleet" default_cluster_config { + binary_authorization_config { + evaluationMode = "POLICY_BINDINGS" + policy_bindings = { + name = "projects/${google_project.project.project_id}/platforms/gke/policies/policy_id + } + } security_posture_config { mode = "BASIC" vulnerability_mode = "VULNERABILITY_BASIC" From 20a84678edd13b2f49682ee9be3696f780b0b028 Mon Sep 17 00:00:00 2001 From: Aaron Liberatore Date: Thu, 30 Nov 2023 01:13:58 +0000 Subject: [PATCH 04/10] [GKE Hub]: Remove unsupported enum field --- mmv1/products/gkehub2/Fleet.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/mmv1/products/gkehub2/Fleet.yaml b/mmv1/products/gkehub2/Fleet.yaml index abfe34ad0f2f..8edad0080adf 100644 --- a/mmv1/products/gkehub2/Fleet.yaml +++ b/mmv1/products/gkehub2/Fleet.yaml @@ -131,7 +131,6 @@ properties: values: - DISABLED - BASIC - - ENTERPRISE - !ruby/object:Api::Type::Enum name: "vulnerabilityMode" description: Sets which mode to use for vulnerability scanning. From 5c6f391b840afab51e9ea8960618ea64370cf83c Mon Sep 17 00:00:00 2001 From: Aaron Liberatore Date: Thu, 30 Nov 2023 05:02:28 +0000 Subject: [PATCH 05/10] [GKE Hub]: Remove unsupported enum field --- .../services/gkehub2/resource_gke_hub_fleet_test.go.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb b/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb index fe4d3c9cbdef..f5c47060fbd9 100755 --- a/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb +++ b/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb 
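Review bot: The policy binding name in the update step is built from `google_project.project.project_id`, but the `name` description added to Fleet.yaml in this same patch gives the format `projects/{project_number}/platforms/gke/policies/{policy_id}`. If the API canonicalizes the binding to the project number, the value read back will differ from the configured one and the following import-verify step, or the post-apply plan, would report a diff; either build the name from the project number here or confirm that the API returns the name exactly as sent. The referenced policy `policy_id` is also not created anywhere in the visible test setup, so the step depends on the API accepting a binding to a policy that does not exist. `testAccGKEHub2Fleet_update` continues outside the hunk.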
@@ -59,7 +59,7 @@ resource "google_gke_hub_fleet" "default" { display_name = "my production fleet" default_cluster_config { binary_authorization_config { - evaluationMode = "DISABLED" + evaluation_mode = "DISABLED" } security_posture_config { mode = "DISABLED" @@ -78,7 +78,7 @@ resource "google_gke_hub_fleet" "default" { display_name = "my staging fleet" default_cluster_config { binary_authorization_config { - evaluationMode = "POLICY_BINDINGS" + evaluation_mode = "POLICY_BINDINGS" policy_bindings = { name = "projects/${google_project.project.project_id}/platforms/gke/policies/policy_id } From 3ded6315de9a7a8a9135d99590ab1bf9dc5ca3e2 Mon Sep 17 00:00:00 2001 From: Aaron Liberatore Date: Fri, 1 Dec 2023 00:16:35 +0000 Subject: [PATCH 06/10] [GKE Hub]: Close string --- .../services/gkehub2/resource_gke_hub_fleet_test.go.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb b/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb index f5c47060fbd9..d6689ed36dc0 100755 --- a/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb +++ b/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb @@ -80,7 +80,7 @@ resource "google_gke_hub_fleet" "default" { binary_authorization_config { evaluation_mode = "POLICY_BINDINGS" policy_bindings = { - name = "projects/${google_project.project.project_id}/platforms/gke/policies/policy_id + name = "projects/${google_project.project.project_id}/platforms/gke/policies/policy_id" } } security_posture_config { From 5f52b37e4d470c8ed78f02ceeca38782103bb552 Mon Sep 17 00:00:00 2001 From: Aaron Liberatore Date: Fri, 1 Dec 2023 00:58:15 +0000 Subject: [PATCH 07/10] [GKE Hub]: Remove output false --- mmv1/products/gkehub2/Fleet.yaml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/mmv1/products/gkehub2/Fleet.yaml b/mmv1/products/gkehub2/Fleet.yaml index 8edad0080adf..88f2b389233c 100644 --- a/mmv1/products/gkehub2/Fleet.yaml +++ b/mmv1/products/gkehub2/Fleet.yaml @@ -112,7 +112,6 @@ properties: - !ruby/object:Api::Type::Array name: "policyBindings" description: Binauthz policies that apply to this cluster. - output: false item_type: !ruby/object:Api::Type::NestedObject properties: - !ruby/object:Api::Type::String From 5b30e6ba2586122e4607ad9995963de99e6f8951 Mon Sep 17 00:00:00 2001 From: Aaron Liberatore Date: Fri, 1 Dec 2023 15:30:30 +0000 Subject: [PATCH 08/10] [GKE Hub]: Fix list block --- .../services/gkehub2/resource_gke_hub_fleet_test.go.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb b/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb index d6689ed36dc0..495de8feb906 100755 --- a/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb +++ b/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb @@ -79,7 +79,7 @@ resource "google_gke_hub_fleet" "default" { default_cluster_config { binary_authorization_config { evaluation_mode = "POLICY_BINDINGS" - policy_bindings = { + policy_bindings { name = "projects/${google_project.project.project_id}/platforms/gke/policies/policy_id" } } From 7b4652a80c8210c59d03424c962d853a7b0d946c Mon Sep 17 00:00:00 2001 From: Aaron Liberatore Date: Fri, 1 Dec 2023 17:56:13 +0000 Subject: [PATCH 09/10] [GKE Hub]: Retest --- .../services/gkehub2/resource_gke_hub_fleet_test.go.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb b/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb index 495de8feb906..ef59c695e0cf 100755 --- a/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb 
+++ b/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb @@ -75,7 +75,7 @@ func testAccGKEHub2Fleet_update(context map[string]interface{}) string { return gkeHubFleetProjectSetupForGA(context) + acctest.Nprintf(` resource "google_gke_hub_fleet" "default" { project = google_project.project.project_id - display_name = "my staging fleet" + display_name = "my updated fleet" default_cluster_config { binary_authorization_config { evaluation_mode = "POLICY_BINDINGS" From ff9fb8d44822ad3c3d2f614aa863e9a2f64b40e7 Mon Sep 17 00:00:00 2001 From: Aaron Liberatore Date: Fri, 1 Dec 2023 21:13:32 +0000 Subject: [PATCH 10/10] [GKE Hub]: Add test step without a default cluster config --- .../resource_gke_hub_fleet_test.go.erb | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb b/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb index ef59c695e0cf..ca516876d0a7 100755 --- a/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb +++ b/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb @@ -48,6 +48,14 @@ func TestAccGKEHub2Fleet_gkehubFleetBasicExample_update(t *testing.T) { ImportState: true, ImportStateVerify: true, }, + { + Config: testAccGKEHub2Fleet_removedDefaultClusterConfig(context), + }, + { + ResourceName: "google_gke_hub_fleet.default", + ImportState: true, + ImportStateVerify: true, + }, }, }) } 
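Review bot: The new step using `testAccGKEHub2Fleet_removedDefaultClusterConfig` has no `Check`, so whether dropping `default_cluster_config` actually clears the fleet's binary-authorization and security-posture defaults server-side is only tested indirectly, through the post-apply plan and the import-verify step that follows it. An explicit assertion makes that intent visible and fails with a clear message, e.g. `Check: resource.TestCheckResourceAttr("google_gke_hub_fleet.default", "default_cluster_config.#", "0"),` — assuming the file already uses the plugin-sdk `resource` helper package, as the `ImportStateVerify` step fields suggest. The enclosing `TestAccGKEHub2Fleet_gkehubFleetBasicExample_update` starts outside the hunk.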
@@ -93,6 +101,17 @@ resource "google_gke_hub_fleet" "default" { `, context) } +func testAccGKEHub2Fleet_removedDefaultClusterConfig(context map[string]interface{}) string { + return gkeHubFleetProjectSetupForGA(context) + acctest.Nprintf(` +resource "google_gke_hub_fleet" "default" { + project = google_project.project.project_id + display_name = "my updated fleet" + + depends_on = [time_sleep.wait_for_gkehub_enablement] +} +`, context) +} + func gkeHubFleetProjectSetupForGA(context map[string]interface{}) string { return acctest.Nprintf(` resource "google_project" "project" {
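Review bot: `testAccGKEHub2Fleet_removedDefaultClusterConfig` carries no comment explaining what the omission of `default_cluster_config` is meant to prove, so a reader cannot tell whether the missing block is an oversight or the point of the step. Suggest a comment above the function: `// testAccGKEHub2Fleet_removedDefaultClusterConfig returns a fleet config with no default_cluster_config block, so the test can verify that removing the block also clears the previously applied binary authorization and security posture defaults rather than leaving them in place.` It reuses the `display_name` "my updated fleet" from the update config, so the two steps differ only by that block; noting that this is deliberate would help too.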