[GKE Hub]: Add Fleet binary authorization config (#9545) (#6705)

[upstream:482b1ab5d76a240ab9777e03535276ee7cf0df19] Signed-off-by: Modular Magician <[email protected]>
hashicorp · Dec 4, 2023 · 1759085 · 1759085
1 parent f207ccb
commit 1759085
Show file tree

Hide file tree

Showing 4 changed files with 199 additions and 4 deletions.
diff --git a/.changelog/9545.txt b/.changelog/9545.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+gkehub: added `binary_authorization_config` to `google_gke_hub_fleet`
+```
diff --git a/google-beta/services/gkehub2/resource_gke_hub_fleet.go b/google-beta/services/gkehub2/resource_gke_hub_fleet.go
@@ -61,6 +61,38 @@ func ResourceGKEHub2Fleet() *schema.Resource {
 				MaxItems:    1,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
+						"binary_authorization_config": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							Description: `Enable/Disable binary authorization features for the cluster.`,
+							MaxItems:    1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"evaluation_mode": {
+										Type:         schema.TypeString,
+										Optional:     true,
+										ValidateFunc: verify.ValidateEnum([]string{"DISABLED", "POLICY_BINDINGS", ""}),
+										Description:  `Mode of operation for binauthz policy evaluation. Possible values: ["DISABLED", "POLICY_BINDINGS"]`,
+									},
+									"policy_bindings": {
+										Type:        schema.TypeList,
+										Optional:    true,
+										Description: `Binauthz policies that apply to this cluster.`,
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"name": {
+													Type:     schema.TypeString,
+													Optional: true,
+													Description: `The relative resource name of the binauthz platform policy to audit. GKE
+platform policies have the following format:
+'projects/{project_number}/platforms/gke/policies/{policy_id}'.`,
+												},
+											},
+										},
+									},
+								},
+							},
+						},
 						"security_posture_config": {
 							Type:        schema.TypeList,
 							Optional:    true,
@@ -71,8 +103,8 @@ func ResourceGKEHub2Fleet() *schema.Resource {
 									"mode": {
 										Type:         schema.TypeString,
 										Optional:     true,
-										ValidateFunc: verify.ValidateEnum([]string{"DISABLED", "BASIC", "ENTERPRISE", ""}),
-										Description:  `Sets which mode to use for Security Posture features. Possible values: ["DISABLED", "BASIC", "ENTERPRISE"]`,
+										ValidateFunc: verify.ValidateEnum([]string{"DISABLED", "BASIC", ""}),
+										Description:  `Sets which mode to use for Security Posture features. Possible values: ["DISABLED", "BASIC"]`,
 									},
 									"vulnerability_mode": {
 										Type:         schema.TypeString,
@@ -483,10 +515,53 @@ func flattenGKEHub2FleetDefaultClusterConfig(v interface{}, d *schema.ResourceDa
 		return nil
 	}
 	transformed := make(map[string]interface{})
+	transformed["binary_authorization_config"] =
+		flattenGKEHub2FleetDefaultClusterConfigBinaryAuthorizationConfig(original["binaryAuthorizationConfig"], d, config)
 	transformed["security_posture_config"] =
 		flattenGKEHub2FleetDefaultClusterConfigSecurityPostureConfig(original["securityPostureConfig"], d, config)
 	return []interface{}{transformed}
 }
+func flattenGKEHub2FleetDefaultClusterConfigBinaryAuthorizationConfig(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["evaluation_mode"] =
+		flattenGKEHub2FleetDefaultClusterConfigBinaryAuthorizationConfigEvaluationMode(original["evaluationMode"], d, config)
+	transformed["policy_bindings"] =
+		flattenGKEHub2FleetDefaultClusterConfigBinaryAuthorizationConfigPolicyBindings(original["policyBindings"], d, config)
+	return []interface{}{transformed}
+}
+func flattenGKEHub2FleetDefaultClusterConfigBinaryAuthorizationConfigEvaluationMode(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenGKEHub2FleetDefaultClusterConfigBinaryAuthorizationConfigPolicyBindings(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return v
+	}
+	l := v.([]interface{})
+	transformed := make([]interface{}, 0, len(l))
+	for _, raw := range l {
+		original := raw.(map[string]interface{})
+		if len(original) < 1 {
+			// Do not include empty json objects coming back from the api
+			continue
+		}
+		transformed = append(transformed, map[string]interface{}{
+			"name": flattenGKEHub2FleetDefaultClusterConfigBinaryAuthorizationConfigPolicyBindingsName(original["name"], d, config),
+		})
+	}
+	return transformed
+}
+func flattenGKEHub2FleetDefaultClusterConfigBinaryAuthorizationConfigPolicyBindingsName(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenGKEHub2FleetDefaultClusterConfigSecurityPostureConfig(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	if v == nil {
 		return nil
@@ -523,6 +598,13 @@ func expandGKEHub2FleetDefaultClusterConfig(v interface{}, d tpgresource.Terrafo
 	original := raw.(map[string]interface{})
 	transformed := make(map[string]interface{})
 
+	transformedBinaryAuthorizationConfig, err := expandGKEHub2FleetDefaultClusterConfigBinaryAuthorizationConfig(original["binary_authorization_config"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedBinaryAuthorizationConfig); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["binaryAuthorizationConfig"] = transformedBinaryAuthorizationConfig
+	}
+
 	transformedSecurityPostureConfig, err := expandGKEHub2FleetDefaultClusterConfigSecurityPostureConfig(original["security_posture_config"], d, config)
 	if err != nil {
 		return nil, err
@@ -533,6 +615,62 @@ func expandGKEHub2FleetDefaultClusterConfig(v interface{}, d tpgresource.Terrafo
 	return transformed, nil
 }
 
+func expandGKEHub2FleetDefaultClusterConfigBinaryAuthorizationConfig(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedEvaluationMode, err := expandGKEHub2FleetDefaultClusterConfigBinaryAuthorizationConfigEvaluationMode(original["evaluation_mode"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedEvaluationMode); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["evaluationMode"] = transformedEvaluationMode
+	}
+
+	transformedPolicyBindings, err := expandGKEHub2FleetDefaultClusterConfigBinaryAuthorizationConfigPolicyBindings(original["policy_bindings"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedPolicyBindings); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["policyBindings"] = transformedPolicyBindings
+	}
+
+	return transformed, nil
+}
+
+func expandGKEHub2FleetDefaultClusterConfigBinaryAuthorizationConfigEvaluationMode(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandGKEHub2FleetDefaultClusterConfigBinaryAuthorizationConfigPolicyBindings(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	req := make([]interface{}, 0, len(l))
+	for _, raw := range l {
+		if raw == nil {
+			continue
+		}
+		original := raw.(map[string]interface{})
+		transformed := make(map[string]interface{})
+
+		transformedName, err := expandGKEHub2FleetDefaultClusterConfigBinaryAuthorizationConfigPolicyBindingsName(original["name"], d, config)
+		if err != nil {
+			return nil, err
+		} else if val := reflect.ValueOf(transformedName); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+			transformed["name"] = transformedName
+		}
+
+		req = append(req, transformed)
+	}
+	return req, nil
+}
+
+func expandGKEHub2FleetDefaultClusterConfigBinaryAuthorizationConfigPolicyBindingsName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandGKEHub2FleetDefaultClusterConfigSecurityPostureConfig(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	l := v.([]interface{})
 	if len(l) == 0 || l[0] == nil {

diff --git a/google-beta/services/gkehub2/resource_gke_hub_fleet_test.go b/google-beta/services/gkehub2/resource_gke_hub_fleet_test.go
@@ -49,6 +49,14 @@ func TestAccGKEHub2Fleet_gkehubFleetBasicExample_update(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccGKEHub2Fleet_removedDefaultClusterConfig(context),
+			},
+			{
+				ResourceName:      "google_gke_hub_fleet.default",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
 		},
 	})
 }
@@ -59,6 +67,9 @@ resource "google_gke_hub_fleet" "default" {
   project = google_project.project.project_id
   display_name = "my production fleet"
   default_cluster_config { 
+	binary_authorization_config {
+		evaluation_mode = "DISABLED"
+	}
 	security_posture_config {
 		mode = "DISABLED"
 		vulnerability_mode = "VULNERABILITY_DISABLED"
@@ -73,8 +84,14 @@ func testAccGKEHub2Fleet_update(context map[string]interface{}) string {
 	return gkeHubFleetProjectSetupForGA(context) + acctest.Nprintf(`
 resource "google_gke_hub_fleet" "default" {
   project = google_project.project.project_id
-  display_name = "my staging fleet"
+  display_name = "my updated fleet"
   default_cluster_config {
+	binary_authorization_config {
+		evaluation_mode = "POLICY_BINDINGS"
+		policy_bindings {
+			name = "projects/${google_project.project.project_id}/platforms/gke/policies/policy_id"
+		}
+	}
 	security_posture_config {
 		mode = "BASIC"
 		vulnerability_mode = "VULNERABILITY_BASIC"
@@ -85,6 +102,17 @@ resource "google_gke_hub_fleet" "default" {
 `, context)
 }
 
+func testAccGKEHub2Fleet_removedDefaultClusterConfig(context map[string]interface{}) string {
+	return gkeHubFleetProjectSetupForGA(context) + acctest.Nprintf(`
+resource "google_gke_hub_fleet" "default" {
+  project = google_project.project.project_id
+  display_name = "my updated fleet"
+
+  depends_on = [time_sleep.wait_for_gkehub_enablement]
+}
+`, context)
+}
+
 func gkeHubFleetProjectSetupForGA(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_project" "project" {

diff --git a/website/docs/r/gke_hub_fleet.html.markdown b/website/docs/r/gke_hub_fleet.html.markdown
@@ -68,18 +68,44 @@ The following arguments are supported:
 
 <a name="nested_default_cluster_config"></a>The `default_cluster_config` block supports:
 
+* `binary_authorization_config` -
+  (Optional)
+  Enable/Disable binary authorization features for the cluster.
+  Structure is [documented below](#nested_binary_authorization_config).
+
 * `security_posture_config` -
   (Optional)
   Enable/Disable Security Posture features for the cluster.
   Structure is [documented below](#nested_security_posture_config).
 
 
+<a name="nested_binary_authorization_config"></a>The `binary_authorization_config` block supports:
+
+* `evaluation_mode` -
+  (Optional)
+  Mode of operation for binauthz policy evaluation.
+  Possible values are: `DISABLED`, `POLICY_BINDINGS`.
+
+* `policy_bindings` -
+  (Optional)
+  Binauthz policies that apply to this cluster.
+  Structure is [documented below](#nested_policy_bindings).
+
+
+<a name="nested_policy_bindings"></a>The `policy_bindings` block supports:
+
+* `name` -
+  (Optional)
+  The relative resource name of the binauthz platform policy to audit. GKE
+  platform policies have the following format:
+  `projects/{project_number}/platforms/gke/policies/{policy_id}`.
+
 <a name="nested_security_posture_config"></a>The `security_posture_config` block supports:
 
 * `mode` -
   (Optional)
   Sets which mode to use for Security Posture features.
-  Possible values are: `DISABLED`, `BASIC`, `ENTERPRISE`.
+  Possible values are: `DISABLED`, `BASIC`.
 
 * `vulnerability_mode` -
   (Optional)