Bug Fix - OKE terraform provider bug fix: add data source for oidc discovery endpoint, fix update issue for oidc auth and update docs

XinruXiao-9 · ravinitp · commit adf01d61ea83 · 2025-03-19T18:07:35.000+05:30
diff --git a/examples/container_engine/oidc_authn_token_config/main.tf b/examples/container_engine/oidc_authn_token_config/main.tf
@@ -87,10 +87,6 @@ variable "cluster_options_open_id_connect_token_authentication_config_groups_cla
   default = "groupsClaim"
 }
 
-variable "cluster_options_open_id_connect_token_authentication_config_configuration_file" {
-  default = ""
-}
-
 variable "cluster_options_open_id_connect_token_authentication_config_groups_prefix" {
   default = "groupsPrefix"
 }
@@ -260,8 +256,6 @@ resource "oci_containerengine_cluster" "test_cluster" {
       ca_certificate = var.cluster_options_open_id_connect_token_authentication_config_ca_certificate
       groups_claim   = var.cluster_options_open_id_connect_token_authentication_config_groups_claim
       groups_prefix  = var.cluster_options_open_id_connect_token_authentication_config_groups_prefix
-      #Optional
-      configuration_file = var.cluster_options_open_id_connect_token_authentication_config_configuration_file
       required_claims {
 
         #Optional
diff --git a/examples/container_engine/oidc_discovery/main.tf b/examples/container_engine/oidc_discovery/main.tf
@@ -226,4 +226,13 @@ data "oci_containerengine_clusters" "test_clusters" {
   #Optional
   name  = var.cluster_name
   state = var.cluster_state
+}
+
+data "oci_containerengine_cluster" "test_cluster" {
+  #Required
+  cluster_id = oci_containerengine_cluster.test_cluster.id
+}
+
+output "oidc_discovery_endpoint" {
+  value = data.oci_containerengine_cluster.test_cluster.open_id_connect_discovery_endpoint
 }
diff --git a/internal/integrationtest/containerengine_cluster_test.go b/internal/integrationtest/containerengine_cluster_test.go
diff --git a/internal/service/containerengine/containerengine_cluster_data_source.go b/internal/service/containerengine/containerengine_cluster_data_source.go
@@ -124,6 +124,10 @@ func (s *ContainerengineClusterDataSourceCrud) SetData() error {
 		s.D.Set("name", *s.Res.Name)
 	}
 
+	if s.Res.OpenIdConnectDiscoveryEndpoint != nil {
+		s.D.Set("open_id_connect_discovery_endpoint", *s.Res.OpenIdConnectDiscoveryEndpoint)
+	}
+
 	if s.Res.Options != nil {
 		s.D.Set("options", []interface{}{ClusterCreateOptionsToMap(s.Res.Options)})
 	} else {
diff --git a/internal/service/containerengine/containerengine_cluster_resource.go b/internal/service/containerengine/containerengine_cluster_resource.go
@@ -284,39 +284,39 @@ func ContainerengineClusterResource() *schema.Resource {
 
 									// Optional
 									"ca_certificate": {
-										Type:     schema.TypeString,
-										Optional: true,
-										Computed: true,
+										Type:          schema.TypeString,
+										Optional:      true,
+										ConflictsWith: []string{"options.0.open_id_connect_token_authentication_config.0.configuration_file"},
 									},
 									"client_id": {
-										Type:     schema.TypeString,
-										Optional: true,
-										Computed: true,
+										Type:          schema.TypeString,
+										Optional:      true,
+										ConflictsWith: []string{"options.0.open_id_connect_token_authentication_config.0.configuration_file"},
 									},
 									"configuration_file": {
-										Type:     schema.TypeString,
-										Optional: true,
-										Computed: true,
+										Type:          schema.TypeString,
+										Optional:      true,
+										ConflictsWith: []string{"options.0.open_id_connect_token_authentication_config.0.ca_certificate", "options.0.open_id_connect_token_authentication_config.0.client_id", "options.0.open_id_connect_token_authentication_config.0.groups_claim", "options.0.open_id_connect_token_authentication_config.0.groups_prefix", "options.0.open_id_connect_token_authentication_config.0.issuer_url", "options.0.open_id_connect_token_authentication_config.0.required_claims", "options.0.open_id_connect_token_authentication_config.0.signing_algorithms", "options.0.open_id_connect_token_authentication_config.0.username_claim", "options.0.open_id_connect_token_authentication_config.0.username_prefix"},
 									},
 									"groups_claim": {
-										Type:     schema.TypeString,
-										Optional: true,
-										Computed: true,
+										Type:          schema.TypeString,
+										Optional:      true,
+										ConflictsWith: []string{"options.0.open_id_connect_token_authentication_config.0.configuration_file"},
 									},
 									"groups_prefix": {
-										Type:     schema.TypeString,
-										Optional: true,
-										Computed: true,
+										Type:          schema.TypeString,
+										Optional:      true,
+										ConflictsWith: []string{"options.0.open_id_connect_token_authentication_config.0.configuration_file"},
 									},
 									"issuer_url": {
-										Type:     schema.TypeString,
-										Optional: true,
-										Computed: true,
+										Type:          schema.TypeString,
+										Optional:      true,
+										ConflictsWith: []string{"options.0.open_id_connect_token_authentication_config.0.configuration_file"},
 									},
 									"required_claims": {
-										Type:     schema.TypeList,
-										Optional: true,
-										Computed: true,
+										Type:          schema.TypeList,
+										Optional:      true,
+										ConflictsWith: []string{"options.0.open_id_connect_token_authentication_config.0.configuration_file"},
 										Elem: &schema.Resource{
 											Schema: map[string]*schema.Schema{
 												// Required
@@ -325,35 +325,33 @@ func ContainerengineClusterResource() *schema.Resource {
 												"key": {
 													Type:     schema.TypeString,
 													Optional: true,
-													Computed: true,
 												},
 												"value": {
 													Type:     schema.TypeString,
 													Optional: true,
-													Computed: true,
 												},
 
 												// Computed
 											},
 										},
 									},
 									"signing_algorithms": {
-										Type:     schema.TypeList,
-										Optional: true,
-										Computed: true,
+										Type:          schema.TypeList,
+										Optional:      true,
+										ConflictsWith: []string{"options.0.open_id_connect_token_authentication_config.0.configuration_file"},
 										Elem: &schema.Schema{
 											Type: schema.TypeString,
 										},
 									},
 									"username_claim": {
-										Type:     schema.TypeString,
-										Optional: true,
-										Computed: true,
+										Type:          schema.TypeString,
+										Optional:      true,
+										ConflictsWith: []string{"options.0.open_id_connect_token_authentication_config.0.configuration_file"},
 									},
 									"username_prefix": {
-										Type:     schema.TypeString,
-										Optional: true,
-										Computed: true,
+										Type:          schema.TypeString,
+										Optional:      true,
+										ConflictsWith: []string{"options.0.open_id_connect_token_authentication_config.0.configuration_file"},
 									},
 
 									// Computed
@@ -575,8 +573,7 @@ func ContainerengineClusterResource() *schema.Resource {
 				}
 				return false
 			}),
-		),
-	}
+		)}
 }
 
 func createContainerengineCluster(d *schema.ResourceData, m interface{}) error {
@@ -755,6 +752,7 @@ func (s *ContainerengineClusterResourceCrud) Create() error {
 
 	requestGet := oci_containerengine.GetClusterRequest{}
 	requestGet.ClusterId = clusterIDForGet
+
 	requestGet.RequestMetadata.RetryPolicy = tfresource.GetRetryPolicy(s.DisableNotFoundRetries, "containerengine")
 	responseGet, getClusterErr := s.Client.GetCluster(context.Background(), requestGet)
 	if getClusterErr != nil {
@@ -904,6 +902,7 @@ func clusterWaitForWorkRequest(wId *string, entityType string, action oci_contai
 		},
 		Timeout: timeout,
 	}
+
 	// Set PollInterval to 1 for replay mode.
 	if httpreplay.ShouldRetryImmediately() {
 		stateConf.PollInterval = 1
@@ -1018,7 +1017,7 @@ func (s *ContainerengineClusterResourceCrud) Update() error {
 		}
 	}
 
-	if kubernetesVersion, ok := s.D.GetOkExists("kubernetes_version"); ok {
+	if kubernetesVersion, ok := s.D.GetOkExists("kubernetes_version"); ok && s.D.HasChange("kubernetes_version") {
 		tmp := kubernetesVersion.(string)
 		request.KubernetesVersion = &tmp
 	}
@@ -1842,27 +1841,27 @@ func KubernetesNetworkConfigToMap(obj *oci_containerengine.KubernetesNetworkConf
 func (s *ContainerengineClusterResourceCrud) mapToOpenIdConnectTokenAuthenticationConfig(fieldKeyFormat string) (oci_containerengine.OpenIdConnectTokenAuthenticationConfig, error) {
 	result := oci_containerengine.OpenIdConnectTokenAuthenticationConfig{}
 
-	if caCertificate, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "ca_certificate")); ok {
+	if caCertificate, ok := s.D.GetOk(fmt.Sprintf(fieldKeyFormat, "ca_certificate")); ok {
 		tmp := caCertificate.(string)
 		result.CaCertificate = &tmp
 	}
 
-	if clientId, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "client_id")); ok {
+	if clientId, ok := s.D.GetOk(fmt.Sprintf(fieldKeyFormat, "client_id")); ok {
 		tmp := clientId.(string)
 		result.ClientId = &tmp
 	}
 
-	if configurationFile, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "configuration_file")); ok {
+	if configurationFile, ok := s.D.GetOk(fmt.Sprintf(fieldKeyFormat, "configuration_file")); ok {
 		tmp := configurationFile.(string)
 		result.ConfigurationFile = &tmp
 	}
 
-	if groupsClaim, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "groups_claim")); ok {
+	if groupsClaim, ok := s.D.GetOk(fmt.Sprintf(fieldKeyFormat, "groups_claim")); ok {
 		tmp := groupsClaim.(string)
 		result.GroupsClaim = &tmp
 	}
 
-	if groupsPrefix, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "groups_prefix")); ok {
+	if groupsPrefix, ok := s.D.GetOk(fmt.Sprintf(fieldKeyFormat, "groups_prefix")); ok {
 		tmp := groupsPrefix.(string)
 		result.GroupsPrefix = &tmp
 	}
@@ -1872,12 +1871,12 @@ func (s *ContainerengineClusterResourceCrud) mapToOpenIdConnectTokenAuthenticati
 		result.IsOpenIdConnectAuthEnabled = &tmp
 	}
 
-	if issuerUrl, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "issuer_url")); ok {
+	if issuerUrl, ok := s.D.GetOk(fmt.Sprintf(fieldKeyFormat, "issuer_url")); ok {
 		tmp := issuerUrl.(string)
 		result.IssuerUrl = &tmp
 	}
 
-	if requiredClaims, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "required_claims")); ok {
+	if requiredClaims, ok := s.D.GetOk(fmt.Sprintf(fieldKeyFormat, "required_claims")); ok {
 		interfaces := requiredClaims.([]interface{})
 		tmp := make([]oci_containerengine.KeyValue, len(interfaces))
 		for i := range interfaces {
@@ -1894,7 +1893,7 @@ func (s *ContainerengineClusterResourceCrud) mapToOpenIdConnectTokenAuthenticati
 		}
 	}
 
-	if signingAlgorithms, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "signing_algorithms")); ok {
+	if signingAlgorithms, ok := s.D.GetOk(fmt.Sprintf(fieldKeyFormat, "signing_algorithms")); ok {
 		interfaces := signingAlgorithms.([]interface{})
 		tmp := make([]string, len(interfaces))
 		for i := range interfaces {
@@ -1907,12 +1906,12 @@ func (s *ContainerengineClusterResourceCrud) mapToOpenIdConnectTokenAuthenticati
 		}
 	}
 
-	if usernameClaim, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "username_claim")); ok {
+	if usernameClaim, ok := s.D.GetOk(fmt.Sprintf(fieldKeyFormat, "username_claim")); ok {
 		tmp := usernameClaim.(string)
 		result.UsernameClaim = &tmp
 	}
 
-	if usernamePrefix, ok := s.D.GetOkExists(fmt.Sprintf(fieldKeyFormat, "username_prefix")); ok {
+	if usernamePrefix, ok := s.D.GetOk(fmt.Sprintf(fieldKeyFormat, "username_prefix")); ok {
 		tmp := usernamePrefix.(string)
 		result.UsernamePrefix = &tmp
 	}
diff --git a/website/docs/d/containerengine_cluster.html.markdown b/website/docs/d/containerengine_cluster.html.markdown
@@ -74,10 +74,10 @@ The following attributes are exported:
 		* `is_tiller_enabled` - Whether or not to enable the Tiller add-on.
 	* `admission_controller_options` - Configurable cluster admission controllers
 		* `is_pod_security_policy_enabled` - Whether or not to enable the Pod Security Policy admission controller.
-	* `ip_families` - IP family to use for single stack or define the order of IP families for dual-stack
+	* `ip_families` - IP family to use for single stack or define the order of IP families for dual-stack. Available values are [] (defaults to IPv4), [IPv4] (IPv4), [IPv4, IPv6] (IPv4 preferred dual stack).
 	* `kubernetes_network_config` - Network configuration for Kubernetes.
-		* `pods_cidr` - The CIDR block for Kubernetes pods. Optional, defaults to 10.244.0.0/16.
-		* `services_cidr` - The CIDR block for Kubernetes services. Optional, defaults to 10.96.0.0/16.
+		* `pods_cidr` - The CIDR block for Kubernetes pods. Optional. For ipv4, defaults to 10.244.0.0/16. For ipv6, defaults to fd00:eeee:eeee:0000::/96.
+		* `services_cidr` - The CIDR block for Kubernetes services. Optional. For ipv4, defaults to 10.96.0.0/16. For ipv6, defaults to fd00:eeee:eeee:0001::/108.
 	* `open_id_connect_discovery` - The property that define the status of the OIDC Discovery feature for a cluster. 
 		* `is_open_id_connect_discovery_enabled` - Whether the cluster has OIDC Discovery enabled. Defaults to false. If set to true, the cluster will be assigned a public OIDC Discovery endpoint. 
 	* `open_id_connect_token_authentication_config` - The properties that configure OIDC token authentication in kube-apiserver. For more information, see [Configuring the API Server](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-flags). 
diff --git a/website/docs/d/containerengine_clusters.html.markdown b/website/docs/d/containerengine_clusters.html.markdown
@@ -87,10 +87,10 @@ The following attributes are exported:
 		* `is_tiller_enabled` - Whether or not to enable the Tiller add-on.
 	* `admission_controller_options` - Configurable cluster admission controllers
 		* `is_pod_security_policy_enabled` - Whether or not to enable the Pod Security Policy admission controller.
-	* `ip_families` - IP family to use for single stack or define the order of IP families for dual-stack
+	* `ip_families` - IP family to use for single stack or define the order of IP families for dual-stack. Available values are [] (defaults to IPv4), [IPv4] (IPv4), [IPv4, IPv6] (IPv4 preferred dual stack).
 	* `kubernetes_network_config` - Network configuration for Kubernetes.
-		* `pods_cidr` - The CIDR block for Kubernetes pods. Optional, defaults to 10.244.0.0/16.
-		* `services_cidr` - The CIDR block for Kubernetes services. Optional, defaults to 10.96.0.0/16.
+		* `pods_cidr` - The CIDR block for Kubernetes pods. Optional. For ipv4, defaults to 10.244.0.0/16. For ipv6, defaults to fd00:eeee:eeee:0000::/96.
+		* `services_cidr` - The CIDR block for Kubernetes services. Optional. For ipv4, defaults to 10.96.0.0/16. For ipv6, defaults to fd00:eeee:eeee:0001::/108.
 	* `open_id_connect_token_authentication_config` - The properties that configure OIDC token authentication in kube-apiserver. For more information, see [Configuring the API Server](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-flags). 
 		* `ca_certificate` - A Base64 encoded public RSA or ECDSA certificates used to signed your identity provider's web certificate. 
 		* `client_id` - A client id that all tokens must be issued for. 
diff --git a/website/docs/d/containerengine_node_pools.html.markdown b/website/docs/d/containerengine_node_pools.html.markdown
@@ -85,7 +85,6 @@ The following attributes are exported:
 	* `is_force_delete_after_grace_duration` - If the underlying compute instance should be deleted if you cannot evict all the pods in grace period
 * `node_image_id` - Deprecated. see `nodeSource`. The OCID of the image running on the nodes in the node pool. 
 * `node_image_name` - Deprecated. see `nodeSource`. The name of the image running on the nodes in the node pool. 
-* `node_metadata` - A list of key/value pairs to add to each underlying Oracle Cloud Infrastructure instance in the node pool on launch.
 * `node_pool_cycling_details` - Node Pool Cycling Details
 	* `is_node_cycling_enabled` - If nodes in the nodepool will be cycled to have new changes.
 	* `maximum_surge` - Maximum additional new compute instances that would be temporarily created and added to nodepool during the cycling nodepool process. OKE supports both integer and percentage input. Defaults to 1, Ranges from 0 to Nodepool size or 0% to 100% 
diff --git a/website/docs/r/containerengine_cluster.html.markdown b/website/docs/r/containerengine_cluster.html.markdown
@@ -138,10 +138,10 @@ The following arguments are supported:
 		* `is_tiller_enabled` - (Optional) Whether or not to enable the Tiller add-on.
 	* `admission_controller_options` - (Optional) (Updatable) Configurable cluster admission controllers
 		* `is_pod_security_policy_enabled` - (Optional) (Updatable) Whether or not to enable the Pod Security Policy admission controller.
-	* `ip_families` - (Optional) IP family to use for single stack or define the order of IP families for dual-stack
+	* `ip_families` - (Optional) IP family to use for single stack or define the order of IP families for dual-stack. Available values are [] (defaults to IPv4), [IPv4] (IPv4), [IPv4, IPv6] (IPv4 preferred dual stack).
 	* `kubernetes_network_config` - (Optional) Network configuration for Kubernetes.
-		* `pods_cidr` - (Optional) The CIDR block for Kubernetes pods. Optional, defaults to 10.244.0.0/16.
-		* `services_cidr` - (Optional) The CIDR block for Kubernetes services. Optional, defaults to 10.96.0.0/16.
+		* `pods_cidr` - (Optional) The CIDR block for Kubernetes pods. Optional. For ipv4, defaults to 10.244.0.0/16. For ipv6, defaults to fd00:eeee:eeee:0000::/96.
+		* `services_cidr` - (Optional) The CIDR block for Kubernetes services. Optional. For ipv4, defaults to 10.96.0.0/16. For ipv6, defaults to fd00:eeee:eeee:0001::/108.
 	* `open_id_connect_token_authentication_config` - (Optional) (Updatable) The properties that configure OIDC token authentication in kube-apiserver. For more information, see [Configuring the API Server](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-flags). 
 		* `ca_certificate` - (Optional) (Updatable) A Base64 encoded public RSA or ECDSA certificates used to signed your identity provider's web certificate. 
 		* `client_id` - (Optional) (Updatable) A client id that all tokens must be issued for. 
@@ -219,10 +219,10 @@ The following attributes are exported:
 		* `is_tiller_enabled` - Whether or not to enable the Tiller add-on.
 	* `admission_controller_options` - Configurable cluster admission controllers
 		* `is_pod_security_policy_enabled` - Whether or not to enable the Pod Security Policy admission controller.
-	* `ip_families` - IP family to use for single stack or define the order of IP families for dual-stack
+	* `ip_families` - IP family to use for single stack or define the order of IP families for dual-stack. Available values are [] (defaults to IPv4), [IPv4] (IPv4), [IPv4, IPv6] (IPv4 preferred dual stack).
 	* `kubernetes_network_config` - Network configuration for Kubernetes.
-		* `pods_cidr` - The CIDR block for Kubernetes pods. Optional, defaults to 10.244.0.0/16.
-		* `services_cidr` - The CIDR block for Kubernetes services. Optional, defaults to 10.96.0.0/16.
+		* `pods_cidr` - The CIDR block for Kubernetes pods. Optional. For ipv4, defaults to 10.244.0.0/16. For ipv6, defaults to fd00:eeee:eeee:0000::/96.
+		* `services_cidr` - The CIDR block for Kubernetes services. Optional. For ipv4, defaults to 10.96.0.0/16. For ipv6, defaults to fd00:eeee:eeee:0001::/108.
 	* `open_id_connect_token_authentication_config` - The properties that configure OIDC token authentication in kube-apiserver. For more information, see [Configuring the API Server](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-flags). 
 		* `ca_certificate` - A Base64 encoded public RSA or ECDSA certificates used to signed your identity provider's web certificate. 
 		* `client_id` - A client id that all tokens must be issued for. 
