Add support for GKE anonymous authentication config (#14388) (#23491)

[upstream:47b57af50ad3d58eba09e26d99c1d466f8940096]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/14388.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+container: added support for `anonymous_authentication_config`
+```

google/services/container/resource_container_cluster.go

@@ -2301,6 +2301,26 @@ func ResourceContainerCluster() *schema.Resource {
 					},
 				},
 			},
+			"anonymous_authentication_config": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				MaxItems:    1,
+				Computed:    true,
+				Description: `AnonymousAuthenticationConfig allows users to restrict or enable anonymous access to the cluster.`,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"mode": {
+							Type:         schema.TypeString,
+							Required:     true,
+							ValidateFunc: validation.StringInSlice([]string{"ENABLED", "LIMITED"}, false),
+							Description: `Setting this to LIMITED will restrict authentication of anonymous users to health check endpoints only.
+ Accepted values are:
+* ENABLED: Authentication of anonymous users is enabled for all endpoints.
+* LIMITED: Anonymous access is only allowed for health check endpoints.`,
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -2615,6 +2635,10 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
 		cluster.EnterpriseConfig = expandEnterpriseConfig(v)
 	}
 
+	if v, ok := d.GetOk("anonymous_authentication_config"); ok {
+		cluster.AnonymousAuthenticationConfig = expandAnonymousAuthenticationConfig(v)
+	}
+
 	needUpdateAfterCreate := false
 
 	// For now PSC based cluster don't support `enable_private_endpoint` on `create`, but only on `update` API call.
@@ -3168,6 +3192,10 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
 		return err
 	}
 
+	if err := d.Set("anonymous_authentication_config", flattenAnonymousAuthenticationConfig(cluster.AnonymousAuthenticationConfig)); err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -4658,6 +4686,21 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er
 		log.Printf("[INFO] GKE cluster %s Enterprise Config has been updated to %#v", d.Id(), req.Update.DesiredSecurityPostureConfig)
 	}
 
+	if d.HasChange("anonymous_authentication_config") {
+		req := &container.UpdateClusterRequest{
+			Update: &container.ClusterUpdate{
+				DesiredAnonymousAuthenticationConfig: expandAnonymousAuthenticationConfig(
+					d.Get("anonymous_authentication_config"),
+				),
+			},
+		}
+		updateF := updateFunc(req, "updating anonymous authentication config")
+		// Call update serially.
+		if err := transport_tpg.LockedCall(lockKey, updateF); err != nil {
+			return err
+		}
+	}
+
 	d.Partial(false)
 
 	if _, err := containerClusterAwaitRestingState(config, project, location, clusterName, userAgent, d.Timeout(schema.TimeoutUpdate)); err != nil {
@@ -5287,6 +5330,15 @@ func flattenEnterpriseConfig(ec *container.EnterpriseConfig) []map[string]interf
 	return []map[string]interface{}{result}
 }
 
+func flattenAnonymousAuthenticationConfig(aac *container.AnonymousAuthenticationConfig) []map[string]interface{} {
+	if aac == nil {
+		return nil
+	}
+	result := make(map[string]interface{})
+	result["mode"] = aac.Mode
+	return []map[string]interface{}{result}
+}
+
 func flattenAdditionalPodRangesConfig(ipAllocationPolicy *container.IPAllocationPolicy) []map[string]interface{} {
 	if ipAllocationPolicy == nil {
 		return nil
@@ -5413,6 +5465,23 @@ func expandMasterAuthorizedNetworksConfig(d *schema.ResourceData) *container.Mas
 	return result
 }
 
+func expandAnonymousAuthenticationConfig(configured interface{}) *container.AnonymousAuthenticationConfig {
+	l, ok := configured.([]interface{})
+	if len(l) == 0 || l[0] == nil || !ok {
+		return nil
+	}
+
+	anonAuthConfig := l[0].(map[string]interface{})
+	result := container.AnonymousAuthenticationConfig{}
+
+	if v, ok := anonAuthConfig["mode"]; ok {
+		if mode, ok := v.(string); ok && mode != "" {
+			result.Mode = mode
+		}
+	}
+	return &result
+}
+
 func expandManCidrBlocks(configured interface{}) []*container.CidrBlock {
 	config, ok := configured.(*schema.Set)
 	if !ok {

google/services/container/resource_container_cluster_test.go

@@ -13094,3 +13094,59 @@ resource "google_container_cluster" "primary" {
 }
 `, name, networkName, subnetworkName, config)
 }
+
+func TestAccContainerCluster_withAnonymousAuthenticationConfig(t *testing.T) {
+	t.Parallel()
+
+	clusterName := fmt.Sprintf("tf-test-cluster-%s", acctest.RandString(t, 10))
+	networkName := acctest.BootstrapSharedTestNetwork(t, "gke-cluster")
+	subnetworkName := acctest.BootstrapSubnet(t, "gke-cluster", networkName)
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckContainerClusterDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccContainerCluster_withAnonymousAuthenticationConfig(clusterName, networkName, subnetworkName, "LIMITED"),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("google_container_cluster.primary", "anonymous_authentication_config.0.mode", "LIMITED"),
+				),
+			},
+			{
+				ResourceName:            "google_container_cluster.primary",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"deletion_protection"},
+			},
+			{
+				Config: testAccContainerCluster_withAnonymousAuthenticationConfig(clusterName, networkName, subnetworkName, "ENABLED"),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("google_container_cluster.primary", "anonymous_authentication_config.0.mode", "ENABLED"),
+				),
+			},
+			{
+				ResourceName:            "google_container_cluster.primary",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"deletion_protection"},
+			},
+		},
+	})
+}
+
+func testAccContainerCluster_withAnonymousAuthenticationConfig(name, networkName, subnetworkName string, mode string) string {
+	return fmt.Sprintf(`
+resource "google_container_cluster" "primary" {
+  name                = "%s"
+  network             = "%s"
+  subnetwork          = "%s"
+  initial_node_count  = 1
+  deletion_protection = false
+
+  anonymous_authentication_config {
+    mode = "%s"
+  }
+}
+ `, name, networkName, subnetworkName, mode)
+}

website/docs/r/container_cluster.html.markdown

@@ -437,6 +437,9 @@ Fleet configuration for the cluster. Structure is [documented below](#nested_fle
 * `enterprise_config` - (Optional)
   Configuration for [Enterprise edition].(https://cloud.google.com/kubernetes-engine/enterprise/docs/concepts/gke-editions). Structure is [documented below](#nested_enterprise_config).
 
+* `anonymous_authentication_config` - (Optional)
+  Configuration for [anonymous authentication restrictions](https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict-anon-access). Structure is [documented below](#anonymous_authentication_config).
+
 
 <a name="nested_default_snat_status"></a>The `default_snat_status` block supports
 
@@ -1558,6 +1561,10 @@ linux_node_config {
 
 * `desired_tier` - (Optional) Sets the tier of the cluster. Available options include `STANDARD` and `ENTERPRISE`.
 
+<a name="anonymous_authentication_config"></a>The `anonymous_authentication_config` block supports:
+
+* `mode` - (Optional) Sets or removes authentication restrictions. Available options include `LIMITED` and `ENABLED`.
+
 
 ## Attributes Reference