diff --git a/google/resource_container_cluster.go b/google/resource_container_cluster.go
index 35c26f33fdc..8fd33f0da7f 100644
--- a/google/resource_container_cluster.go
+++ b/google/resource_container_cluster.go
@@ -206,7 +206,7 @@ func resourceContainerCluster() *schema.Resource {
 "enable_legacy_abac": {
 Type: schema.TypeBool,
 Optional: true,
- Default: true,
+ Default: false,
 },
 "initial_node_count": {
diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go
index 498f0dff843..82d81a0bf9d 100644
--- a/google/resource_container_cluster_test.go
+++ b/google/resource_container_cluster_test.go
@@ -374,6 +374,35 @@ func TestAccContainerCluster_withLegacyAbac(t *testing.T) {
 })
 }
+/*
+ Since GKE disables legacy ABAC by default in Kubernetes version 1.8+, and the default Kubernetes
+ version for GKE is also 1.8+, this test will ensure that legacy ABAC is disabled by default to be
+ more consistent with default settings in the Cloud Console
+*/
+func TestAccContainerCluster_withDefaultLegacyAbac(t *testing.T) {
+ t.Parallel()
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckContainerClusterDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccContainerCluster_defaultLegacyAbac(acctest.RandString(10)),
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr("google_container_cluster.default_legacy_abac", "enable_legacy_abac", "false"),
+ ),
+ },
+ {
+ ResourceName: "google_container_cluster.default_legacy_abac",
+ ImportStateIdPrefix: "us-central1-a/",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
 func TestAccContainerCluster_withVersion(t *testing.T) {
 t.Parallel()
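Review bot: Flipping `Default` on `enable_legacy_abac` from `true` to `false` changes the plan for every existing configuration that omits the attribute: state written under the old default holds `true`, so the next plan proposes `false`, and because the schema entry carries no `ForceNew` or `Computed`, whether that becomes a live ABAC change on the cluster or a perpetual diff depends on the update path outside this hunk. Disabling legacy ABAC is the safer default, but workloads that rely on the statically granted permissions the docs describe lose them on the next apply unless the user pins `enable_legacy_abac = true` explicitly, so the change deserves an upgrade note. The docs hunk in `website/docs/r/container_cluster.html.markdown` updates only the default value; a sentence there telling operators of existing clusters to set the attribute explicitly if they still depend on ABAC would close that gap.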
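Review bot: The header above `TestAccContainerCluster_withDefaultLegacyAbac` is a tab-indented `/* */` block rather than a Go doc comment, which is inconsistent with the `//` style used for documentation and is not attached to the function by tooling; a single line such as `// TestAccContainerCluster_withDefaultLegacyAbac verifies that a cluster created without enable_legacy_abac has legacy ABAC disabled, matching the GKE default for Kubernetes 1.8+.` says the same thing in the conventional form. The check only pins the value as it lands in state; it is presumably refreshed from the API after apply and the import step re-reads it, but an additional step that sets `enable_legacy_abac = true` on the same cluster would also cover the update path that the default flip now routes every existing configuration through. The function is complete within the hunk.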
@@ -1320,6 +1349,15 @@ resource "google_container_cluster" "with_kubernetes_alpha" {
 }`, clusterName)
 }
+func testAccContainerCluster_defaultLegacyAbac(clusterName string) string {
+ return fmt.Sprintf(`
+resource "google_container_cluster" "default_legacy_abac" {
+ name = "cluster-test-%s"
+ zone = "us-central1-a"
+ initial_node_count = 1
+}`, clusterName)
+}
+
 func testAccContainerCluster_withLegacyAbac(clusterName string) string {
 return fmt.Sprintf(`
 resource "google_container_cluster" "with_legacy_abac" {
diff --git a/website/docs/r/container_cluster.html.markdown b/website/docs/r/container_cluster.html.markdown
index 08c6770c11d..61fc47dccab 100644
--- a/website/docs/r/container_cluster.html.markdown
+++ b/website/docs/r/container_cluster.html.markdown
@@ -94,7 +94,7 @@ output "cluster_ca_certificate" {
 * `enable_legacy_abac` - (Optional) Whether the ABAC authorizer is enabled for this cluster. When enabled, identities in the system, including service accounts, nodes, and controllers, will have statically granted permissions beyond those provided by the RBAC configuration or IAM.
- Defaults to `true`
+ Defaults to `false`
 * `initial_node_count` - (Optional) The number of nodes to create in this cluster (not including the Kubernetes master). Must be set if `node_pool` is not set.