Support Binary Authorization. (#8915) (#6256)

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/8915.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+containerattached: added `binary_authorization` field to `google_container_attached_cluster` resource
+```

google-beta/services/containerattached/resource_container_attached_cluster.go

@@ -174,6 +174,23 @@ https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles`
 					},
 				},
 			},
+			"binary_authorization": {
+				Type:        schema.TypeList,
+				Computed:    true,
+				Optional:    true,
+				Description: `Binary Authorization configuration.`,
+				MaxItems:    1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"evaluation_mode": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							ValidateFunc: verify.ValidateEnum([]string{"DISABLED", "PROJECT_SINGLETON_POLICY_ENFORCE", ""}),
+							Description:  `Configure Binary Authorization evaluation mode. Possible values: ["DISABLED", "PROJECT_SINGLETON_POLICY_ENFORCE"]`,
+						},
+					},
+				},
+			},
 			"description": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -400,6 +417,12 @@ func resourceContainerAttachedClusterCreate(d *schema.ResourceData, meta interfa
 	} else if v, ok := d.GetOkExists("monitoring_config"); !tpgresource.IsEmptyValue(reflect.ValueOf(monitoringConfigProp)) && (ok || !reflect.DeepEqual(v, monitoringConfigProp)) {
 		obj["monitoringConfig"] = monitoringConfigProp
 	}
+	binaryAuthorizationProp, err := expandContainerAttachedClusterBinaryAuthorization(d.Get("binary_authorization"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("binary_authorization"); !tpgresource.IsEmptyValue(reflect.ValueOf(binaryAuthorizationProp)) && (ok || !reflect.DeepEqual(v, binaryAuthorizationProp)) {
+		obj["binaryAuthorization"] = binaryAuthorizationProp
+	}
 
 	url, err := tpgresource.ReplaceVars(d, config, "{{ContainerAttachedBasePath}}projects/{{project}}/locations/{{location}}/attachedClusters?attached_cluster_id={{name}}")
 	if err != nil {
@@ -572,6 +595,9 @@ func resourceContainerAttachedClusterRead(d *schema.ResourceData, meta interface
 	if err := d.Set("monitoring_config", flattenContainerAttachedClusterMonitoringConfig(res["monitoringConfig"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Cluster: %s", err)
 	}
+	if err := d.Set("binary_authorization", flattenContainerAttachedClusterBinaryAuthorization(res["binaryAuthorization"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Cluster: %s", err)
+	}
 
 	return nil
 }
@@ -640,6 +666,12 @@ func resourceContainerAttachedClusterUpdate(d *schema.ResourceData, meta interfa
 	} else if v, ok := d.GetOkExists("monitoring_config"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, monitoringConfigProp)) {
 		obj["monitoringConfig"] = monitoringConfigProp
 	}
+	binaryAuthorizationProp, err := expandContainerAttachedClusterBinaryAuthorization(d.Get("binary_authorization"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("binary_authorization"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, binaryAuthorizationProp)) {
+		obj["binaryAuthorization"] = binaryAuthorizationProp
+	}
 
 	url, err := tpgresource.ReplaceVars(d, config, "{{ContainerAttachedBasePath}}projects/{{project}}/locations/{{location}}/attachedClusters/{{name}}")
 	if err != nil {
@@ -680,6 +712,10 @@ func resourceContainerAttachedClusterUpdate(d *schema.ResourceData, meta interfa
 	if d.HasChange("monitoring_config") {
 		updateMask = append(updateMask, "monitoringConfig")
 	}
+
+	if d.HasChange("binary_authorization") {
+		updateMask = append(updateMask, "binaryAuthorization")
+	}
 	// updateMask is a URL parameter but not present in the schema, so ReplaceVars
 	// won't set it
 	url, err = transport_tpg.AddQueryParams(url, map[string]string{"updateMask": strings.Join(updateMask, ",")})
@@ -697,9 +733,12 @@ func resourceContainerAttachedClusterUpdate(d *schema.ResourceData, meta interfa
 	if d.HasChange("monitoring_config") {
 		newUpdateMask = append(newUpdateMask, "monitoring_config.managed_prometheus_config.enabled")
 	}
+	if d.HasChange("binary_authorization") {
+		newUpdateMask = append(newUpdateMask, "binary_authorization.evaluation_mode")
+	}
 	// Pull out any other set fields from the generated mask.
 	for _, mask := range updateMask {
-		if mask == "authorization" || mask == "loggingConfig" || mask == "monitoringConfig" {
+		if mask == "authorization" || mask == "loggingConfig" || mask == "monitoringConfig" || mask == "binaryAuthorization" {
 			continue
 		}
 		newUpdateMask = append(newUpdateMask, mask)
@@ -1058,6 +1097,20 @@ func flattenContainerAttachedClusterMonitoringConfigManagedPrometheusConfigEnabl
 	return v
 }
 
+func flattenContainerAttachedClusterBinaryAuthorization(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	transformed := make(map[string]interface{})
+	transformed["evaluation_mode"] =
+		flattenContainerAttachedClusterBinaryAuthorizationEvaluationMode(original["evaluationMode"], d, config)
+	return []interface{}{transformed}
+}
+func flattenContainerAttachedClusterBinaryAuthorizationEvaluationMode(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func expandContainerAttachedClusterName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
@@ -1290,3 +1343,31 @@ func expandContainerAttachedClusterMonitoringConfigManagedPrometheusConfig(v int
 func expandContainerAttachedClusterMonitoringConfigManagedPrometheusConfigEnabled(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
+
+func expandContainerAttachedClusterBinaryAuthorization(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 {
+		return nil, nil
+	}
+
+	if l[0] == nil {
+		transformed := make(map[string]interface{})
+		return transformed, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedEvaluationMode, err := expandContainerAttachedClusterBinaryAuthorizationEvaluationMode(original["evaluation_mode"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedEvaluationMode); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["evaluationMode"] = transformedEvaluationMode
+	}
+
+	return transformed, nil
+}
+
+func expandContainerAttachedClusterBinaryAuthorizationEvaluationMode(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}

google-beta/services/containerattached/resource_container_attached_cluster_generated_test.go

@@ -147,6 +147,9 @@ resource "google_container_attached_cluster" "primary" {
       enabled = true
     }
   }
+  binary_authorization {
+    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+  }
 }
 `, context)
 }

google-beta/services/containerattached/resource_container_attached_cluster_update_test.go

@@ -92,6 +92,9 @@ resource "google_container_attached_cluster" "primary" {
       enabled = true
     }
   }
+  binary_authorization {
+    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+  }
 }
 `, context)
 }
@@ -130,6 +133,9 @@ resource "google_container_attached_cluster" "primary" {
   monitoring_config {
     managed_prometheus_config {}
   }
+  binary_authorization {
+    evaluation_mode = "DISABLED"
+  }
   lifecycle {
     prevent_destroy = true
   }
@@ -173,6 +179,9 @@ resource "google_container_attached_cluster" "primary" {
   monitoring_config {
     managed_prometheus_config {}
   }
+  binary_authorization {
+    evaluation_mode = "DISABLED"
+  }
 }
 `, context)
 }

website/docs/r/container_attached_cluster.html.markdown

@@ -108,6 +108,9 @@ resource "google_container_attached_cluster" "primary" {
       enabled = true
     }
   }
+  binary_authorization {
+    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+  }
 }
 ```
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
@@ -240,6 +243,11 @@ The following arguments are supported:
   Monitoring configuration.
   Structure is [documented below](#nested_monitoring_config).
 
+* `binary_authorization` -
+  (Optional)
+  Binary Authorization configuration.
+  Structure is [documented below](#nested_binary_authorization).
+
 * `project` - (Optional) The ID of the project in which the resource belongs.
     If it is not provided, the provider project is used.
 
@@ -284,6 +292,13 @@ The following arguments are supported:
   (Optional)
   Enable Managed Collection.
 
+<a name="nested_binary_authorization"></a>The `binary_authorization` block supports:
+
+* `evaluation_mode` -
+  (Optional)
+  Configure Binary Authorization evaluation mode.
+  Possible values are: `DISABLED`, `PROJECT_SINGLETON_POLICY_ENFORCE`.
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are exported: