(GA) support for SM-GKE Auto rotation (#15040) (#24244)

modular-magician · web-flow · commit 69e2d0a3307e · 2025-09-02T11:40:47.000-07:00
[upstream:78ad34e2dbe6679c108ab9cf33de9bf0d08f96c8]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/15040.txt b/.changelog/15040.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+container: added `secret_manager_config.rotation_config` field to `google_container_cluster` resource
+```
diff --git a/google/services/container/resource_container_cluster.go b/google/services/container/resource_container_cluster.go
@@ -1534,6 +1534,28 @@ func ResourceContainerCluster() *schema.Resource {
 							Required:    true,
 							Description: `Enable the Secret manager csi component.`,
 						},
+						"rotation_config": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							Computed:    true,
+							MaxItems:    1,
+							Description: `Configuration for Secret Manager auto rotation.`,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"enabled": {
+										Type:        schema.TypeBool,
+										Required:    true,
+										Description: `Enable the Secret manager auto rotation.`,
+									},
+									"rotation_interval": {
+										Type:        schema.TypeString,
+										Optional:    true,
+										Computed:    true,
+										Description: `The interval between two consecutive rotations. Default rotation interval is 2 minutes`,
+									},
+								},
+							},
+						},
 					},
 				},
 			},
@@ -5963,6 +5985,23 @@ func expandSecretManagerConfig(configured interface{}) *container.SecretManagerC
 		Enabled:         config["enabled"].(bool),
 		ForceSendFields: []string{"Enabled"},
 	}
+	if autoRotation, ok := config["rotation_config"]; ok {
+		if autoRotationList, ok := autoRotation.([]interface{}); ok {
+			if len(autoRotationList) > 0 {
+				autoRotationConfig := autoRotationList[0].(map[string]interface{})
+				if rotationInterval, ok := autoRotationConfig["rotation_interval"].(string); ok && rotationInterval != "" {
+					sc.RotationConfig = &container.RotationConfig{
+						Enabled:          autoRotationConfig["enabled"].(bool),
+						RotationInterval: rotationInterval,
+					}
+				} else {
+					sc.RotationConfig = &container.RotationConfig{
+						Enabled: autoRotationConfig["enabled"].(bool),
+					}
+				}
+			}
+		}
+	}
 	return sc
 }
 
@@ -6941,6 +6980,18 @@ func flattenSecretManagerConfig(c *container.SecretManagerConfig) []map[string]i
 	result := make(map[string]interface{})
 
 	result["enabled"] = c.Enabled
+
+	rotationList := []map[string]interface{}{}
+	if c.RotationConfig != nil {
+		rotationConfigMap := map[string]interface{}{
+			"enabled": c.RotationConfig.Enabled,
+		}
+		if c.RotationConfig.RotationInterval != "" {
+			rotationConfigMap["rotation_interval"] = c.RotationConfig.RotationInterval
+		}
+		rotationList = append(rotationList, rotationConfigMap)
+	}
+	result["rotation_config"] = rotationList
 	return []map[string]interface{}{result}
 }
 
diff --git a/google/services/container/resource_container_cluster_test.go b/google/services/container/resource_container_cluster_test.go
@@ -10894,6 +10894,10 @@ resource "google_container_cluster" "primary" {
   initial_node_count = 1
   secret_manager_config {
     enabled = true
+  rotation_config {
+    enabled = true
+    rotation_interval = "300s"
+    }
   }
   deletion_protection = false
   network    = "%s"
@@ -10916,6 +10920,10 @@ resource "google_container_cluster" "primary" {
   initial_node_count = 1
   secret_manager_config {
     enabled = true
+  rotation_config {
+    enabled = true
+    rotation_interval = "120s"
+    }
   }
   deletion_protection = false
   network    = "%s"
@@ -10938,6 +10946,10 @@ resource "google_container_cluster" "primary" {
   initial_node_count = 1
   secret_manager_config {
     enabled = true
+  rotation_config {
+    enabled = false
+    rotation_interval = "120s"
+    }
   }
   deletion_protection = false
   network    = "%s"
diff --git a/website/docs/r/container_cluster.html.markdown b/website/docs/r/container_cluster.html.markdown
@@ -1299,7 +1299,7 @@ notification_config {
 <a name="nested_secret_manager_config"></a>The `secret_manager_config` block supports:
 
 * `enabled` (Required) - Enable the Secret Manager add-on for this cluster.
-* `rotation_config` (Optional, Beta) - config for secret manager auto rotation. Structure is [docuemented below](#rotation_config)
+* `rotation_config` (Optional) - config for secret manager auto rotation. Structure is [docuemented below](#rotation_config)
 
 <a name="rotation_config"></a>The `rotation_config` block supports:
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:enhancement
	`2`	+container: added `secret_manager_config.rotation_config` field to `google_container_cluster` resource
	`3`	+```