make database_encryption updateable (#3728) (#6757)

* make datbase_encryption updateable * add update test Signed-off-by: Modular Magician <magic-modules@google.com>
hashicorp · Jul 8, 2020 · 9c9e327 · 9c9e327
1 parent 8aa804a
commit 9c9e327
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 5 deletions.
diff --git a/.changelog/3728.txt b/.changelog/3728.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+container: added the ability to update `database_encryption` without recreating the cluster.
+```
diff --git a/google/resource_container_cluster.go b/google/resource_container_cluster.go
@@ -883,21 +883,18 @@ func resourceContainerCluster() *schema.Resource {
 				Type:        schema.TypeList,
 				MaxItems:    1,
 				Optional:    true,
-				ForceNew:    true,
 				Computed:    true,
 				Description: `Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key.`,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"state": {
 							Type:         schema.TypeString,
-							ForceNew:     true,
 							Required:     true,
 							ValidateFunc: validation.StringInSlice([]string{"ENCRYPTED", "DECRYPTED"}, false),
 							Description:  `ENCRYPTED or DECRYPTED.`,
 						},
 						"key_name": {
 							Type:        schema.TypeString,
-							ForceNew:    true,
 							Optional:    true,
 							Description: `The key to use to encrypt/decrypt secrets.`,
 						},
@@ -1842,6 +1839,31 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er
 		}
 	}
 
+	if d.HasChange("database_encryption") {
+		c := d.Get("database_encryption")
+		req := &containerBeta.UpdateClusterRequest{
+			Update: &containerBeta.ClusterUpdate{
+				DesiredDatabaseEncryption: expandDatabaseEncryption(c),
+			},
+		}
+
+		updateF := func() error {
+			name := containerClusterFullName(project, location, clusterName)
+			op, err := config.clientContainerBeta.Projects.Locations.Clusters.Update(name, req).Do()
+			if err != nil {
+				return err
+			}
+			// Wait until it's updated
+			return containerOperationWait(config, op, project, location, "updating GKE cluster database encryption config", d.Timeout(schema.TimeoutUpdate))
+		}
+		if err := lockedCall(lockKey, updateF); err != nil {
+			return err
+		}
+		log.Printf("[INFO] GKE cluster %s database encryption config has been updated", d.Id())
+
+		d.SetPartial("database_encryption")
+	}
+
 	if d.HasChange("workload_identity_config") {
 		// Because GKE uses a non-RESTful update function, when removing the
 		// feature you need to specify a fairly full request body or it fails:

diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go
@@ -1304,7 +1304,15 @@ func TestAccContainerCluster_withDatabaseEncryption(t *testing.T) {
 				Config: testAccContainerCluster_withDatabaseEncryption(clusterName, kmsData),
 			},
 			{
-				ResourceName:      "google_container_cluster.with_database_encryption",
+				ResourceName:      "google_container_cluster.primary",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccContainerCluster_basic(clusterName),
+			},
+			{
+				ResourceName:      "google_container_cluster.primary",
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
@@ -2933,7 +2941,7 @@ resource "google_kms_key_ring_iam_policy" "test_key_ring_iam_policy" {
   policy_data = data.google_iam_policy.test_kms_binding.policy_data
 }
 
-resource "google_container_cluster" "with_database_encryption" {
+resource "google_container_cluster" "primary" {
   name               = "%[3]s"
   location           = "us-central1-a"
   initial_node_count = 1