Add support for WorkloadALTSConfig in google_container_cluster (Beta) (#9638) (#6762)

* Add support for WorkloadALTSConfig in google_container_cluster

* Fix issues

* Make enable_alts within workload_alts_config required and force-send in JSON

* Update documentation

* Make acceptance test network & subnet names unique

* Remove extra test config

* Fix spacing
[upstream:fffe4b1616a1095d5d95c51f0519a5484c49c216]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/9638.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+container: added `workload_alts_config` field to `google_container_cluster` resource (beta)
+```

google-beta/services/container/resource_container_cluster.go

@@ -2041,6 +2041,22 @@ func ResourceContainerCluster() *schema.Resource {
 					},
 				},
 			},
+			"workload_alts_config": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Computed:    true,
+				MaxItems:    1,
+				Description: `Configuration for direct-path (via ALTS) with workload identity.`,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"enable_alts": {
+							Type:        schema.TypeBool,
+							Required:    true,
+							Description: `Whether the alts handshaker should be enabled or not for direct-path. Requires Workload Identity (workloadPool must be non-empty).`,
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -2364,6 +2380,10 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
 		cluster.AddonsConfig.GcePersistentDiskCsiDriverConfig.Enabled = true
 	}
 
+	if v, ok := d.GetOk("workload_alts_config"); ok {
+		cluster.WorkloadAltsConfig = expandWorkloadAltsConfig(v)
+	}
+
 	req := &container.CreateClusterRequest{
 		Cluster: cluster,
 	}
@@ -2834,6 +2854,10 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
 		return err
 	}
 
+	if err := d.Set("workload_alts_config", flattenWorkloadAltsConfig(cluster.WorkloadAltsConfig)); err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -4129,7 +4153,20 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er
 
 		log.Printf("[INFO] GKE cluster %s Protect Config has been updated to %#v", d.Id(), req.Update.DesiredProtectConfig)
 	}
+	if d.HasChange("workload_alts_config") {
+		req := &container.UpdateClusterRequest{
+			Update: &container.ClusterUpdate{
+				DesiredWorkloadAltsConfig: expandWorkloadAltsConfig(d.Get("workload_alts_config")),
+			},
+		}
+
+		updateF := updateFunc(req, "updating GKE cluster WorkloadALTSConfig")
+		if err := transport_tpg.LockedCall(lockKey, updateF); err != nil {
+			return err
+		}
 
+		log.Printf("[INFO] GKE cluster %s's WorkloadALTSConfig has been updated", d.Id())
+	}
 	return resourceContainerClusterRead(d, meta)
 }
 
@@ -5318,6 +5355,19 @@ func expandNodePoolAutoConfigNetworkTags(configured interface{}) *container.Netw
 	return nt
 }
 
+func expandWorkloadAltsConfig(configured interface{}) *container.WorkloadALTSConfig {
+	l := configured.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil
+	}
+
+	config := l[0].(map[string]interface{})
+	return &container.WorkloadALTSConfig{
+		EnableAlts:      config["enable_alts"].(bool),
+		ForceSendFields: []string{"EnableAlts"},
+	}
+}
+
 func flattenNotificationConfig(c *container.NotificationConfig) []map[string]interface{} {
 	if c == nil {
 		return nil
@@ -6067,6 +6117,17 @@ func flattenNodePoolAutoConfigNetworkTags(c *container.NetworkTags) []map[string
 	return []map[string]interface{}{result}
 }
 
+func flattenWorkloadAltsConfig(c *container.WorkloadALTSConfig) []map[string]interface{} {
+	if c == nil {
+		return nil
+	}
+	return []map[string]interface{}{
+		{
+			"enable_alts": c.EnableAlts,
+		},
+	}
+}
+
 func resourceContainerClusterStateImporter(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
 	config := meta.(*transport_tpg.Config)
 

google-beta/services/container/resource_container_cluster_test.go

@@ -4283,6 +4283,44 @@ func TestAccContainerCluster_withFleetConfig(t *testing.T) {
 	})
 }
 
+func TestAccContainerCluster_withWorkloadALTSConfig(t *testing.T) {
+	t.Parallel()
+
+	networkName := "gke-cluster-alts"
+	subnetworkName := "gke-cluster-alts"
+	clusterName := fmt.Sprintf("tf-test-cluster-%s", acctest.RandString(t, 10))
+	pid := envvar.GetTestProjectFromEnv()
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderBetaFactories(t),
+		CheckDestroy:             testAccCheckContainerClusterDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccContainerCluster_withWorkloadALTSConfig(pid, networkName, subnetworkName, clusterName, true),
+			},
+			{
+				ResourceName:            "google_container_cluster.with_workload_alts_config",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"deletion_protection"},
+				Check: resource.TestCheckResourceAttr(
+					"google_container_cluster.with_workload_alts_config", "workload_alts_config.enable_alts", "true"),
+			},
+			{
+				Config: testAccContainerCluster_withWorkloadALTSConfig(pid, networkName, subnetworkName, clusterName, false),
+			},
+			{
+				ResourceName:            "google_container_cluster.with_workload_alts_config",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"deletion_protection"},
+				Check: resource.TestCheckResourceAttr(
+					"google_container_cluster.with_workload_alts_config", "workload_alts_config.enable_alts", "false"),
+			},
+		},
+	})
+}
+
 func testAccContainerCluster_withFleetConfig(name, projectID string) string {
 	return fmt.Sprintf(`
 resource "google_container_cluster" "primary" {
@@ -9206,3 +9244,40 @@ resource "google_container_cluster" "without_confidential_boot_disk" {
 }
 `, clusterName, npName)
 }
+
+func testAccContainerCluster_withWorkloadALTSConfig(projectID, name, networkName, subnetworkName string, enable bool) string {
+	return fmt.Sprintf(`
+	data "google_project" "project" {
+		provider = google-beta
+		project_id = "%s"
+	}
+	resource "google_compute_network" "network" {
+		provider                 = google-beta
+		name                     = "%s"
+		auto_create_subnetworks  = false
+		enable_ula_internal_ipv6 = true
+	}
+	resource "google_compute_subnetwork" "subnet" {
+		provider         = google-beta
+		name             = "%s"
+		network          = google_compute_network.network.id
+		ip_cidr_range    = "9.12.22.0/24"
+		region           = "us-central1"
+	}
+	resource "google_container_cluster" "with_workload_alts_config" {
+		provider = google-beta
+		name               = "%s"
+		location           = "us-central1-a"
+		initial_node_count = 1
+		network         = google_compute_network.network.name
+		subnetwork      = google_compute_subnetwork.subnet.name
+		workload_alts_config {
+			enable_alts = %v
+		}
+		workload_identity_config {
+			workload_pool = "${data.google_project.project.project_id}.svc.id.goog"
+		}
+		deletion_protection = false
+	}
+`, projectID, networkName, subnetworkName, name, enable)
+}

website/docs/r/container_cluster.html.markdown

@@ -381,6 +381,9 @@ Enable/Disable Security Posture API features for the cluster. Structure is [docu
 * `fleet` - (Optional)
 Fleet configuration for the cluster. Structure is [documented below](#nested_fleet).
 
+* `workload_alts_config` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html))
+  Configuration for [direct-path (via ALTS) with workload identity.](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#workloadaltsconfig). Structure is [documented below](#nested_workload_alts_config).
+
 <a name="nested_default_snat_status"></a>The `default_snat_status` block supports
 
 *  `disabled` - (Required) Whether the cluster disables default in-node sNAT rules. In-node sNAT rules will be disabled when defaultSnatStatus is disabled.When disabled is set to false, default IP masquerade rules will be applied to the nodes to prevent sNAT on cluster internal traffic
@@ -1295,6 +1298,9 @@ linux_node_config {
 
 * `project` - (Optional) The name of the Fleet host project where this cluster will be registered.
 
+<a name="nested_workload_alts_config"></a>The `workload_alts_config` block supports:
+
+* `enable_alts` - (Required) Whether the alts handshaker should be enabled or not for direct-path. Requires Workload Identity ([workloadPool]((#nested_workload_identity_config)) must be non-empty).
 
 ## Attributes Reference