kubernetes_cluster -gmsa

[qiqingzhang]

Closes #16386

create a public pull request for k8s_cluster supports gmsa

test result:

[stephybun]

Thanks for this PR @heiazuo.

In the AKS resource as well as throughout the provider we typically don't expose an enabled field for blocks, since the behaviour should be if block is present -> enabled, if block is absent -> disabled.

Since both the DNS server and root domain name can be left empty/omitted I think these might be better as their own individual properties
gmsa_enabled
gmsa_dns_server
gmsa_root_domain_name

[stephybun]

Can we not expose this field for toggling GMSA, as with the other blocks in the AKS resource and across most of the provider the behaviour should be if block is present -> enabled, if block is absent -> disabled.

[stephybun]

_profile doesn't add any informational value, so i'd suggest removing it.

Suggested change

	"gmsa_profile": {
	"gmsa": {

[qiqingzhang]

Hi @stephybun , would you please take another look? Thanks!

[ms-henglu]

Hi @stephybun , would you please take a look at this PR? Thanks!

[stephybun]

If both gmsa_dns_server and gmsa_root_domain_name are optional, then if a user wants to enable gmsa without specifying either of those properties they would have to add an empty block to their config like below

gmsa {}

Is this a valid use case? If so then I think we should flatten this block and create three separate properties like was suggested initially. This would be more consistent with the resource and the provider.

[qiqingzhang]

Hi @stephybun, I modified it according to the suggestion, please take a look again.

[stephybun]

Given the changes last made I'm assuming even though gmsa can be enabled without specifying a dns server and root domain it isn't a functional configuration. In that case we can use a block, but should specify AtLeastOneOf so at least one or the other property must be specified for the block.

Suggested change

	"gmsa_dns_server": {
	Type: pluginsdk.TypeString,
	Optional: true,
	ValidateFunc: validation.StringIsNotEmpty,
	},
	"gmsa_root_domain_name": {
	Type: pluginsdk.TypeString,
	Optional: true,
	ValidateFunc: validation.StringIsNotEmpty,
	},
	"gmsa": {
	Type: pluginsdk.TypeList,
	Optional: true,
	MaxItems: 1,
	Elem: &pluginsdk.Resource{
	Schema: map[string]*pluginsdk.Schema{
	"dns_server": {
	Type: pluginsdk.TypeString,
	Optional: true,
	ValidateFunc: validation.StringIsNotEmpty,
	AtLeastOneOf: []string{"windows_profile.0.gmsa.0.dns_server"},
	},
	"root_domain": {
	Type: pluginsdk.TypeString,
	Optional: true,
	ValidateFunc: validation.StringIsNotEmpty,
	AtLeastOneOf: []string{"windows_profile.0.gmsa.0.root_domain"},
	},
	},
	},
	},

[qiqingzhang]

Hi @stephybun, changes have been made as suggested, would you please take a look at this PR? Thanks!

[mrowken]

Is it gonna to be finished soon ? I'm waiting for this to be able rollout Windows Nodes. Any ETA will be appreciated.

[stephybun]

Hi @qiqingzhang, sorry for the delayed re-review here.

While playing around with this I noticed that once gmsa is enabled for a cluster it isn't possible to disable it. We should add some logic to CustomizeDiff that will ForceNew the resource if a user tries to remove the gmsa block.

Once that's done we can take another look through.

Thanks!

[ms-henglu]

Hi @stephybun ,

I've added a commit to fix it, please take another look, thanks!

[stephybun]

Can you please confirm with the service team whether setting dns_server and root_domain to empty is a valid configuration for the cluster? This isn't mentioned in the documentation anywhere?

[stephybun]

It looks like the API has changed since it now throws an error if only one or the other is set. Depending on the answer to my question in the other comment left in-line, these should either both become Required or RequiredWith.

Suggested change

	"dns_server": {
	Type: pluginsdk.TypeString,
	Optional: true,
	ValidateFunc: validation.StringIsNotEmpty,
	AtLeastOneOf: []string{"windows_profile.0.gmsa.0.dns_server", "windows_profile.0.gmsa.0.root_domain"},
	},
	"root_domain": {
	Type: pluginsdk.TypeString,
	Optional: true,
	ValidateFunc: validation.StringIsNotEmpty,
	AtLeastOneOf: []string{"windows_profile.0.gmsa.0.dns_server", "windows_profile.0.gmsa.0.root_domain"},
	},
	"dns_server": {
	Type: pluginsdk.TypeString,
	Optional: true,
	ValidateFunc: validation.StringIsNotEmpty,
	RequiredWith: []string{"windows_profile.0.gmsa.0.dns_server", "windows_profile.0.gmsa.0.root_domain"},
	},
	"root_domain": {
	Type: pluginsdk.TypeString,
	Optional: true,
	ValidateFunc: validation.StringIsNotEmpty,
	RequiredWith: []string{"windows_profile.0.gmsa.0.dns_server", "windows_profile.0.gmsa.0.root_domain"},
	},

[ms-henglu]

Hi @stephybun ,

I've confirmed with service team, if both dns_server and root_domain are omitted, it's still a valid config to enable gmsa. I've updated the PR, thanks!

[stephybun]

Thanks for clarifying @ms-henglu.

To avoid the case where a user would need to add in an empty gmsa block in their config just to enable it I think we need to make the following adjustments to the schema

						"gmsa": {
							Type:     pluginsdk.TypeList,
							Optional: true,
							MaxItems: 1,
							Elem: &pluginsdk.Resource{
								Schema: map[string]*pluginsdk.Schema{
									// empty values for these are valid and required to enable gmsa with defaults
									"dns_server": {
										Type:     pluginsdk.TypeString,
										Required: true,
									},
									"root_domain": {
										Type:     pluginsdk.TypeString,
										Required: true,
									},
								},
							},
						},

Once that's done this should be good to go!

[ms-henglu]

Hi @stephybun ,

Thanks for the suggestion, I've updated the schema, would you please take another look? Thanks!

[stephybun]

Thanks @qiqingzhang @ms-henglu LGTM 🍕

[github-actions]

This functionality has been released in v3.22.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.