Add support for dataproc cluster resource_manager_tags (#15634) (#11021)

modular-magician · web-flow · commit 495ee1bb05c0 · 2025-11-06T11:02:15.000-08:00
[upstream:c3a208fae52af4fd93dd13a6259b956e7faf189d]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/15634.txt b/.changelog/15634.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+dataproc: added `resource_manager_tags` to `google_dataproc_cluster` resource
+```
diff --git a/google-beta/services/dataproc/resource_dataproc_cluster.go b/google-beta/services/dataproc/resource_dataproc_cluster.go
@@ -77,6 +77,7 @@ var (
 		"cluster_config.0.gce_cluster_config.0.internal_ip_only",
 		"cluster_config.0.gce_cluster_config.0.shielded_instance_config",
 		"cluster_config.0.gce_cluster_config.0.metadata",
+		"cluster_config.0.gce_cluster_config.0.resource_manager_tags",
 		"cluster_config.0.gce_cluster_config.0.reservation_affinity",
 		"cluster_config.0.gce_cluster_config.0.node_group_affinity",
 		"cluster_config.0.gce_cluster_config.0.confidential_instance_config",
@@ -697,6 +698,16 @@ func ResourceDataprocCluster() *schema.Resource {
 										Description:  `A map of the Compute Engine metadata entries to add to all instances`,
 									},
 
+									"resource_manager_tags": {
+										Type:         schema.TypeMap,
+										Optional:     true,
+										Computed:     true,
+										AtLeastOneOf: gceClusterConfigKeys,
+										Elem:         &schema.Schema{Type: schema.TypeString},
+										ForceNew:     true,
+										Description:  `A map of resource manager tags to add to all instances. Keys must be in the format tagKeys/{tag_key_id} and values in the format tagValues/{tag_value_id}.`,
+									},
+
 									"shielded_instance_config": {
 										Type:         schema.TypeList,
 										Optional:     true,
@@ -2293,6 +2304,9 @@ func expandGceClusterConfig(d *schema.ResourceData, config *transport_tpg.Config
 	if v, ok := cfg["metadata"]; ok {
 		conf.Metadata = tpgresource.ConvertStringMap(v.(map[string]interface{}))
 	}
+	if v, ok := cfg["resource_manager_tags"]; ok {
+		conf.ResourceManagerTags = tpgresource.ConvertStringMap(v.(map[string]interface{}))
+	}
 	if v, ok := d.GetOk("cluster_config.0.gce_cluster_config.0.shielded_instance_config"); ok {
 		cfgSic := v.([]interface{})[0].(map[string]interface{})
 		conf.ShieldedInstanceConfig = &dataproc.ShieldedInstanceConfig{}
@@ -3274,11 +3288,12 @@ func flattenGceClusterConfig(d *schema.ResourceData, gcc *dataproc.GceClusterCon
 	}
 
 	gceConfig := map[string]interface{}{
-		"tags":             schema.NewSet(schema.HashString, tpgresource.ConvertStringArrToInterface(gcc.Tags)),
-		"service_account":  gcc.ServiceAccount,
-		"zone":             tpgresource.GetResourceNameFromSelfLink(gcc.ZoneUri),
-		"internal_ip_only": gcc.InternalIpOnly,
-		"metadata":         gcc.Metadata,
+		"tags":                  schema.NewSet(schema.HashString, tpgresource.ConvertStringArrToInterface(gcc.Tags)),
+		"service_account":       gcc.ServiceAccount,
+		"zone":                  tpgresource.GetResourceNameFromSelfLink(gcc.ZoneUri),
+		"internal_ip_only":      gcc.InternalIpOnly,
+		"metadata":              gcc.Metadata,
+		"resource_manager_tags": gcc.ResourceManagerTags,
 	}
 
 	if gcc.NetworkUri != "" {
diff --git a/google-beta/services/dataproc/resource_dataproc_cluster_meta.yaml b/google-beta/services/dataproc/resource_dataproc_cluster_meta.yaml
@@ -32,6 +32,7 @@ fields:
   - field: 'cluster_config.gce_cluster_config.reservation_affinity.consume_reservation_type'
   - field: 'cluster_config.gce_cluster_config.reservation_affinity.key'
   - field: 'cluster_config.gce_cluster_config.reservation_affinity.values'
+  - field: 'cluster_config.gce_cluster_config.resource_manager_tags'
   - field: 'cluster_config.gce_cluster_config.service_account'
   - field: 'cluster_config.gce_cluster_config.service_account_scopes'
   - field: 'cluster_config.gce_cluster_config.shielded_instance_config.enable_integrity_monitoring'
diff --git a/google-beta/services/dataproc/resource_dataproc_cluster_test.go b/google-beta/services/dataproc/resource_dataproc_cluster_test.go
@@ -368,6 +368,41 @@ func TestAccDataprocCluster_withMetadataAndTags(t *testing.T) {
 	})
 }
 
+func TestAccDataprocCluster_withResourceManagerTags(t *testing.T) {
+	t.Parallel()
+
+	var cluster dataproc.Cluster
+	pid := envvar.GetTestProjectFromEnv()
+	projectNumber := envvar.GetTestProjectNumberFromEnv()
+	rnd := acctest.RandString(t, 10)
+	networkName := acctest.BootstrapSharedTestNetwork(t, "dataproc-cluster")
+	subnetworkName := acctest.BootstrapSubnet(t, "dataproc-cluster", networkName)
+	acctest.BootstrapFirewallForDataprocSharedNetwork(t, "dataproc-cluster", networkName)
+	// TODO: remove this IAM binding once tagUser permissions are present in Dataproc Service Agent role.
+	acctest.BootstrapIamMembers(t, []acctest.IamMember{
+		{
+			Member: fmt.Sprintf("serviceAccount:service-%s@dataproc-accounts.iam.gserviceaccount.com", projectNumber),
+			Role:   "roles/resourcemanager.tagUser",
+		},
+	})
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckDataprocClusterDestroy(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataprocCluster_withResourceManagerTags(pid, rnd, subnetworkName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckDataprocClusterExists(t, "google_dataproc_cluster.basic", &cluster),
+
+					testAccCheckDataprocClusterResourceManagerTags(t, "google_dataproc_cluster.basic"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccDataprocCluster_withMinNumInstances(t *testing.T) {
 	t.Parallel()
 
@@ -1538,6 +1573,40 @@ func testAccCheckDataprocClusterExists(t *testing.T, n string, cluster *dataproc
 	}
 }
 
+func testAccCheckDataprocClusterResourceManagerTags(t *testing.T, n string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Terraform resource Not found: %s", n)
+		}
+
+		// Find the tags and validate key/value formats.
+		tagPrefix := "cluster_config.0.gce_cluster_config.0.resource_manager_tags."
+		keyRegex := regexp.MustCompile(`^tagKeys/`)
+		valueRegex := regexp.MustCompile(`^tagValues/`)
+
+		foundTags := 0
+		for attr, value := range rs.Primary.Attributes {
+			if strings.HasPrefix(attr, tagPrefix) && !strings.HasSuffix(attr, ".#") && !strings.HasSuffix(attr, ".%") {
+				foundTags++
+				key := strings.TrimPrefix(attr, tagPrefix)
+
+				if !keyRegex.MatchString(key) {
+					return fmt.Errorf("resource manager tag key %q does not have expected prefix 'tagKeys/'", key)
+				}
+				if !valueRegex.MatchString(value) {
+					return fmt.Errorf("resource manager tag value %q for key %q does not have expected prefix 'tagValues/'", value, key)
+				}
+			}
+		}
+
+		if foundTags != 2 {
+			return fmt.Errorf("expected to find 2 resource manager tags, but found %d", foundTags)
+		}
+
+		return nil
+	}
+}
 func testAccCheckDataproc_missingZoneGlobalRegion1(rnd string) string {
 	return fmt.Sprintf(`
 resource "google_dataproc_cluster" "basic" {
@@ -1822,6 +1891,45 @@ resource "google_dataproc_cluster" "basic" {
 `, rnd, subnetworkName)
 }
 
+func testAccDataprocCluster_withResourceManagerTags(pid, rnd, subnetworkName string) string {
+	return fmt.Sprintf(`
+resource "google_tags_tag_key" "tag_key" {
+  parent = "projects/%s"
+  short_name = "key-%s"
+}
+
+resource "google_tags_tag_value" "tag_value" {
+  parent = "tagKeys/${google_tags_tag_key.tag_key.name}"
+  short_name = "val-%s"
+}
+
+resource "google_tags_tag_key" "tag_key_2" {
+  parent = "projects/%s"
+  short_name = "key-2-%s"
+}
+
+resource "google_tags_tag_value" "tag_value_2" {
+  parent = "tagKeys/${google_tags_tag_key.tag_key_2.name}"
+  short_name = "val-2-%s"
+}
+
+resource "google_dataproc_cluster" "basic" {
+  name   = "tf-test-dproc-%s"
+  region = "us-central1"
+
+  cluster_config {
+    gce_cluster_config {
+      subnetwork = "%s"
+      resource_manager_tags = {
+		"${google_tags_tag_key.tag_key.id}" = "${google_tags_tag_value.tag_value.id}",
+		"${google_tags_tag_key.tag_key_2.id}" = "${google_tags_tag_value.tag_value_2.id}"
+      }
+    }
+  }
+}
+`, pid, rnd, rnd, pid, rnd, rnd, rnd, subnetworkName)
+}
+
 func testAccDataprocCluster_withMinNumInstances(rnd, subnetworkName string) string {
 	return fmt.Sprintf(`
 resource "google_dataproc_cluster" "with_min_num_instances" {
diff --git a/website/docs/r/dataproc_cluster.html.markdown b/website/docs/r/dataproc_cluster.html.markdown
@@ -458,6 +458,10 @@ resource "google_dataproc_cluster" "accelerated_cluster" {
 * `metadata` - (Optional) A map of the Compute Engine metadata entries to add to all instances
    (see [Project and instance metadata](https://cloud.google.com/compute/docs/storing-retrieving-metadata#project_and_instance_metadata)).
 
+* `resource_manager_tags` - (Optional) A map of resource manager tags to add to all instances.
+   Keys must be in the format `tagKeys/{tag_key_id}` and values in the format `tagValues/{tag_value_id}`
+   (see [Secure tags](https://cloud.google.com/dataproc/docs/guides/use-secure-tags)).
+
 * `reservation_affinity` - (Optional) Reservation Affinity for consuming zonal reservation.
     * `consume_reservation_type` - (Optional) Corresponds to the type of reservation consumption.
     * `key` - (Optional) Corresponds to the label key of reservation resource.

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:enhancement
	`2`	+dataproc: added `resource_manager_tags` to `google_dataproc_cluster` resource
	`3`	+```