Introduce confidential_instance_type into confidential_nodes config (#14190) (#23410)

[upstream:6dff3ea5f8bde7147ace81cad1cbcd20306bdc54]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/14190.txt

@@ -0,0 +1,7 @@
+```release-note:enhancement
+container: added `confidential_nodes.confidential_instance_type` field to `google_container_cluster` resource
+```
+
+```release-note:enhancement
+container: added `node_config.confidential_nodes.confidential_instance_type` field to `google_container_node_pool` resource
+```

google/services/container/node_config.go

@@ -808,6 +808,14 @@ func schemaNodeConfig() *schema.Schema {
 								Required:    true,
 								Description: `Whether Confidential Nodes feature is enabled for all nodes in this pool.`,
 							},
+							"confidential_instance_type": {
+								Type:             schema.TypeString,
+								Optional:         true,
+								ForceNew:         true,
+								DiffSuppressFunc: suppressDiffForConfidentialNodes,
+								Description:      `Defines the type of technology used by the confidential node.`,
+								ValidateFunc:     validation.StringInSlice([]string{"SEV", "SEV_SNP", "TDX"}, false),
+							},
 						},
 					},
 				},
@@ -1561,7 +1569,8 @@ func expandConfidentialNodes(configured interface{}) *container.ConfidentialNode
 	}
 	config := l[0].(map[string]interface{})
 	return &container.ConfidentialNodes{
-		Enabled: config["enabled"].(bool),
+		Enabled:                  config["enabled"].(bool),
+		ConfidentialInstanceType: config["confidential_instance_type"].(string),
 	}
 }
 
@@ -2000,7 +2009,8 @@ func flattenConfidentialNodes(c *container.ConfidentialNodes) []map[string]inter
 	result := []map[string]interface{}{}
 	if c != nil {
 		result = append(result, map[string]interface{}{
-			"enabled": c.Enabled,
+			"enabled":                    c.Enabled,
+			"confidential_instance_type": c.ConfidentialInstanceType,
 		})
 	}
 	return result

google/services/container/resource_container_cluster.go

@@ -151,6 +151,14 @@ var (
 		}
 		return false
 	})
+
+	suppressDiffForConfidentialNodes = schema.SchemaDiffSuppressFunc(func(k, oldValue, newValue string, d *schema.ResourceData) bool {
+		k = strings.Replace(k, "confidential_instance_type", "enabled", 1)
+		if v, _ := d.Get(k).(bool); v {
+			return oldValue == "SEV" && newValue == ""
+		}
+		return false
+	})
 )
 
 // Defines default nodel pool settings for the entire cluster. These settings are
@@ -1287,6 +1295,14 @@ func ResourceContainerCluster() *schema.Resource {
 							ForceNew:    true,
 							Description: `Whether Confidential Nodes feature is enabled for all nodes in this cluster.`,
 						},
+						"confidential_instance_type": {
+							Type:             schema.TypeString,
+							Optional:         true,
+							ForceNew:         true,
+							DiffSuppressFunc: suppressDiffForConfidentialNodes,
+							Description:      `Defines the type of technology used by the confidential node.`,
+							ValidateFunc:     validation.StringInSlice([]string{"SEV", "SEV_SNP", "TDX"}, false),
+						},
 					},
 				},
 			},

google/services/container/resource_container_cluster_meta.yaml

@@ -83,6 +83,7 @@ fields:
     api_field: 'autoscaling.resource_limits.resource_type'
   - field: 'cluster_ipv4_cidr'
   - field: 'confidential_nodes.enabled'
+  - field: 'confidential_nodes.confidential_instance_type'
   - field: 'control_plane_endpoints_config.dns_endpoint_config.allow_external_traffic'
   - field: 'control_plane_endpoints_config.dns_endpoint_config.endpoint'
   - field: 'cost_management_config.enabled'
@@ -203,6 +204,7 @@ fields:
   - field: 'node_config.advanced_machine_features.threads_per_core'
   - field: 'node_config.boot_disk_kms_key'
   - field: 'node_config.confidential_nodes.enabled'
+  - field: 'node_config.confidential_nodes.confidential_instance_type'
   - field: 'node_config.containerd_config.private_registry_access_config.certificate_authority_domain_config.fqdns'
   - field: 'node_config.containerd_config.private_registry_access_config.certificate_authority_domain_config.gcp_secret_manager_certificate_config.secret_uri'
   - field: 'node_config.containerd_config.private_registry_access_config.enabled'
@@ -342,6 +344,8 @@ fields:
     api_field: 'node_pools.config.boot_disk_kms_key'
   - field: 'node_pool.node_config.confidential_nodes.enabled'
     api_field: 'node_pools.config.confidential_nodes.enabled'
+  - field: 'node_pool.node_config.confidential_nodes.confidential_instance_type'
+    api_field: 'node_pools.config.confidential_nodes.confidential_instance_type'
   - field: 'node_pool.node_config.containerd_config.private_registry_access_config.certificate_authority_domain_config.fqdns'
     api_field: 'node_pools.config.containerd_config.private_registry_access_config.certificate_authority_domain_config.fqdns'
   - field: 'node_pool.node_config.containerd_config.private_registry_access_config.certificate_authority_domain_config.gcp_secret_manager_certificate_config.secret_uri'

google/services/container/resource_container_cluster_migratev1.go

@@ -960,6 +960,14 @@ func resourceContainerClusterResourceV1() *schema.Resource {
 							ForceNew:    true,
 							Description: `Whether Confidential Nodes feature is enabled for all nodes in this cluster.`,
 						},
+						"confidential_instance_type": {
+							Type:             schema.TypeString,
+							Optional:         true,
+							ForceNew:         true,
+							DiffSuppressFunc: suppressDiffForConfidentialNodes,
+							Description:      `Defines the type of technology used by the confidential node.`,
+							ValidateFunc:     validation.StringInSlice([]string{"SEV", "SEV_SNP", "TDX"}, false),
+						},
 					},
 				},
 			},

google/services/container/resource_container_cluster_test.go

@@ -419,7 +419,7 @@ func TestAccContainerCluster_withConfidentialNodes(t *testing.T) {
 		CheckDestroy:             testAccCheckContainerClusterDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccContainerCluster_withConfidentialNodes(clusterName, npName, networkName, subnetworkName),
+				Config: testAccContainerCluster_withConfidentialNodes(clusterName, npName, networkName, subnetworkName, false, "", "n2d-standard-2"),
 			},
 			{
 				ResourceName:            "google_container_cluster.confidential_nodes",
@@ -428,7 +428,7 @@ func TestAccContainerCluster_withConfidentialNodes(t *testing.T) {
 				ImportStateVerifyIgnore: []string{"deletion_protection"},
 			},
 			{
-				Config: testAccContainerCluster_disableConfidentialNodes(clusterName, npName, networkName, subnetworkName),
+				Config: testAccContainerCluster_withConfidentialNodes(clusterName, npName, networkName, subnetworkName, true, "", "n2d-standard-2"),
 			},
 			{
 				ResourceName:            "google_container_cluster.confidential_nodes",
@@ -437,7 +437,25 @@ func TestAccContainerCluster_withConfidentialNodes(t *testing.T) {
 				ImportStateVerifyIgnore: []string{"deletion_protection"},
 			},
 			{
-				Config: testAccContainerCluster_withConfidentialNodes(clusterName, npName, networkName, subnetworkName),
+				Config: testAccContainerCluster_withConfidentialNodes(clusterName, npName, networkName, subnetworkName, false, "SEV", "n2d-standard-2"),
+			},
+			{
+				ResourceName:            "google_container_cluster.confidential_nodes",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"deletion_protection"},
+			},
+			{
+				Config: testAccContainerCluster_withConfidentialNodes(clusterName, npName, networkName, subnetworkName, false, "SEV_SNP", "n2d-standard-2"),
+			},
+			{
+				ResourceName:            "google_container_cluster.confidential_nodes",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"deletion_protection"},
+			},
+			{
+				Config: testAccContainerCluster_withConfidentialNodes(clusterName, npName, networkName, subnetworkName, false, "TDX", "c3-standard-4"),
 			},
 			{
 				ResourceName:            "google_container_cluster.confidential_nodes",
@@ -6666,60 +6684,36 @@ resource "google_container_cluster" "filtered_notification_config" {
 `, topic, topic, clusterName, topic, networkName, subnetworkName)
 }
 
-func testAccContainerCluster_withConfidentialNodes(clusterName, npName, networkName, subnetworkName string) string {
-	return fmt.Sprintf(`
-resource "google_container_cluster" "confidential_nodes" {
-  name               = "%s"
-  location           = "us-central1-a"
-  release_channel {
-    channel = "RAPID"
-  }
-
-  node_pool {
-    name = "%s"
-    initial_node_count = 1
-    node_config {
-      machine_type = "n2d-standard-2" // can't be e2 because Confidential Nodes require AMD CPUs
-    }
-  }
-
-  confidential_nodes {
-    enabled = true
-  }
-  network    = "%s"
-  subnetwork = "%s"
-
-  deletion_protection = false
-}
-`, clusterName, npName, networkName, subnetworkName)
-}
+func testAccContainerCluster_withConfidentialNodes(clusterName, npName, networkName, subnetworkName string, enable bool, confidentialInstanceType, machineType string) string {
+	confInsTypeString := ""
+	if confidentialInstanceType != "" {
+		confInsTypeString = fmt.Sprintf(`confidential_instance_type = "%s"`, confidentialInstanceType)
+	}
 
-func testAccContainerCluster_disableConfidentialNodes(clusterName, npName, networkName, subnetworkName string) string {
 	return fmt.Sprintf(`
 resource "google_container_cluster" "confidential_nodes" {
   name               = "%s"
   location           = "us-central1-a"
-  release_channel {
-    channel = "RAPID"
-  }
 
   node_pool {
     name = "%s"
     initial_node_count = 1
     node_config {
-      machine_type = "n2d-standard-2"
+      machine_type = "%s"
     }
   }
 
   confidential_nodes {
-    enabled = false
+    enabled = %t
+    %s
   }
+
   network    = "%s"
   subnetwork = "%s"
 
   deletion_protection = false
 }
-`, clusterName, npName, networkName, subnetworkName)
+`, clusterName, npName, machineType, enable, confInsTypeString, networkName, subnetworkName)
 }
 
 func testAccContainerCluster_withLocalSsdEncryptionMode(clusterName, npName, networkName, subnetworkName, mode string) string {

google/services/container/resource_container_node_pool_meta.yaml

@@ -43,6 +43,8 @@ fields:
     api_field: 'config.boot_disk_kms_key'
   - field: 'node_config.confidential_nodes.enabled'
     api_field: 'config.confidential_nodes.enabled'
+  - field: 'node_config.confidential_nodes.confidential_instance_type'
+    api_field: 'config.confidential_nodes.confidential_instance_type'
   - field: 'node_config.containerd_config.private_registry_access_config.certificate_authority_domain_config.fqdns'
     api_field: 'config.containerd_config.private_registry_access_config.certificate_authority_domain_config.fqdns'
   - field: 'node_config.containerd_config.private_registry_access_config.certificate_authority_domain_config.gcp_secret_manager_certificate_config.secret_uri'

google/services/container/resource_container_node_pool_test.go

@@ -4313,23 +4313,37 @@ func TestAccContainerNodePool_withConfidentialNodes(t *testing.T) {
 		CheckDestroy:             testAccCheckContainerClusterDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccContainerNodePool_withConfidentialNodes(clusterName, np, networkName, subnetworkName, true),
+				Config: testAccContainerNodePool_withConfidentialNodes(clusterName, np, networkName, subnetworkName, false, "", "n2d-standard-2"),
 			},
 			{
 				ResourceName:      "google_container_node_pool.np",
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
 			{
-				Config: testAccContainerNodePool_withConfidentialNodes(clusterName, np, networkName, subnetworkName, false),
+				Config: testAccContainerNodePool_withConfidentialNodes(clusterName, np, networkName, subnetworkName, true, "", "n2d-standard-2"),
 			},
 			{
 				ResourceName:      "google_container_node_pool.np",
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
 			{
-				Config: testAccContainerNodePool_withConfidentialNodes(clusterName, np, networkName, subnetworkName, true),
+				Config: testAccContainerNodePool_withConfidentialNodes(clusterName, np, networkName, subnetworkName, false, "SEV", "n2d-standard-2"),
+			},
+			{
+				ResourceName:      "google_container_node_pool.np",
+				ImportState:       true,
+				ImportStateVerify: true,
+			}, {
+				Config: testAccContainerNodePool_withConfidentialNodes(clusterName, np, networkName, subnetworkName, false, "SEV_SNP", "n2d-standard-2"),
+			},
+			{
+				ResourceName:      "google_container_node_pool.np",
+				ImportState:       true,
+				ImportStateVerify: true,
+			}, {
+				Config: testAccContainerNodePool_withConfidentialNodes(clusterName, np, networkName, subnetworkName, false, "TDX", "c3-standard-4"),
 			},
 			{
 				ResourceName:      "google_container_node_pool.np",
@@ -4340,18 +4354,16 @@ func TestAccContainerNodePool_withConfidentialNodes(t *testing.T) {
 	})
 }
 
-func testAccContainerNodePool_withConfidentialNodes(clusterName, np, networkName, subnetworkName string, confidential bool) string {
+func testAccContainerNodePool_withConfidentialNodes(clusterName, np, networkName, subnetworkName string, enable bool, confidentialInstanceType, machineType string) string {
+	confInsTypeString := ""
+	if confidentialInstanceType != "" {
+		confInsTypeString = fmt.Sprintf(`confidential_instance_type = "%s"`, confidentialInstanceType)
+	}
 	return fmt.Sprintf(`
 resource "google_container_cluster" "cluster" {
   name               = "%s"
   location           = "us-central1-a"
   initial_node_count = 1
-  node_config {
-    confidential_nodes {
-      enabled = false
-    }
-    machine_type = "n2-standard-2"
-  }
   deletion_protection = false
   network    = "%s"
   subnetwork = "%s"
@@ -4363,13 +4375,14 @@ resource "google_container_node_pool" "np" {
   cluster            = google_container_cluster.cluster.name
   initial_node_count = 1
   node_config {
-    machine_type = "n2d-standard-2" // can't be e2 because Confidential Nodes require AMD CPUs
+    machine_type = "%s"
     confidential_nodes {
-      enabled = "%t"
+      enabled = %t
+      %s
     }
   }
 }
-`, clusterName, networkName, subnetworkName, np, confidential)
+`, clusterName, networkName, subnetworkName, np, machineType, enable, confInsTypeString)
 }
 
 func TestAccContainerNodePool_withLocalSsdEncryptionMode(t *testing.T) {

website/docs/r/container_cluster.html.markdown

@@ -1066,6 +1066,9 @@ sole_tenant_config {
 * `enabled` (Required) - Enable Confidential GKE Nodes for this node pool, to
     enforce encryption of data in-use.
 
+* `confidential_instance_type` (Optional) - Defines the type of technology used
+    by the confidential node.
+
 <a name="nested_node_affinity"></a>The `node_affinity` block supports:
 
 * `key` (Required) - The default or custom node affinity label key name.
@@ -1227,6 +1230,9 @@ notification_config {
 * `enabled` (Required) - Enable Confidential GKE Nodes for this cluster, to
     enforce encryption of data in-use.
 
+* `confidential_instance_type` (Optional) - Defines the type of technology used
+    by the confidential node.
+
 <a name="nested_pod_security_policy_config"></a>The `pod_security_policy_config` block supports:
 
 * `enabled` (Required) - Enable the PodSecurityPolicy controller for this cluster.