promote database_encryption to ga (#3699) (#6701)

Signed-off-by: Modular Magician <magic-modules@google.com>
hashicorp · Jun 25, 2020 · d690c16 · d690c16
1 parent 29f5cbc
commit d690c16
Show file tree

Hide file tree

Showing 6 changed files with 131 additions and 96 deletions.
diff --git a/.changelog/3699.txt b/.changelog/3699.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+container: Promoted `google_container_cluster` `database_encryption` to GA.
+```
diff --git a/google/resource_bigquery_table.go b/google/resource_bigquery_table.go
@@ -336,13 +336,13 @@ func resourceBigQueryTable() *schema.Resource {
 							Description: `Number of milliseconds for which to keep the storage for a partition.`,
 						},
 
-						// Type: [Required] The supported types are DAY and HOUR, which will generate
-						// one partition per day or hour based on data loading time.
+						// Type: [Required] The only type supported is DAY, which will generate
+						// one partition per day based on data loading time.
 						"type": {
 							Type:         schema.TypeString,
 							Required:     true,
-							Description:  `The supported types are DAY and HOUR, which will generate one partition per day or hour based on data loading time.`,
-							ValidateFunc: validation.StringInSlice([]string{"DAY", "HOUR"}, false),
+							Description:  `The only type supported is DAY, which will generate one partition per day based on data loading time.`,
+							ValidateFunc: validation.StringInSlice([]string{"DAY"}, false),
 						},
 
 						// Field: [Optional] The field used to determine how to create a time-based

diff --git a/google/resource_bigquery_table_test.go b/google/resource_bigquery_table_test.go
@@ -20,7 +20,7 @@ func TestAccBigQueryTable_Basic(t *testing.T) {
 		CheckDestroy: testAccCheckBigQueryTableDestroyProducer(t),
 		Steps: []resource.TestStep{
 			{
-				Config: testAccBigQueryTableDailyTimePartitioning(datasetID, tableID),
+				Config: testAccBigQueryTable(datasetID, tableID),
 			},
 			{
 				ResourceName:      "google_bigquery_table.test",
@@ -64,37 +64,6 @@ func TestAccBigQueryTable_Kms(t *testing.T) {
 	})
 }
 
-func TestAccBigQueryTable_HourlyTimePartitioning(t *testing.T) {
-	t.Parallel()
-
-	datasetID := fmt.Sprintf("tf_test_%s", randString(t, 10))
-	tableID := fmt.Sprintf("tf_test_%s", randString(t, 10))
-
-	vcrTest(t, resource.TestCase{
-		PreCheck:     func() { testAccPreCheck(t) },
-		Providers:    testAccProviders,
-		CheckDestroy: testAccCheckBigQueryTableDestroyProducer(t),
-		Steps: []resource.TestStep{
-			{
-				Config: testAccBigQueryTableHourlyTimePartitioning(datasetID, tableID),
-			},
-			{
-				ResourceName:      "google_bigquery_table.test",
-				ImportState:       true,
-				ImportStateVerify: true,
-			},
-			{
-				Config: testAccBigQueryTableUpdated(datasetID, tableID),
-			},
-			{
-				ResourceName:      "google_bigquery_table.test",
-				ImportState:       true,
-				ImportStateVerify: true,
-			},
-		},
-	})
-}
-
 func TestAccBigQueryTable_HivePartitioning(t *testing.T) {
 	t.Parallel()
 	bucketName := testBucketName(t)
@@ -292,7 +261,7 @@ func testAccCheckBigQueryTableDestroyProducer(t *testing.T) func(s *terraform.St
 	}
 }
 
-func testAccBigQueryTableDailyTimePartitioning(datasetID, tableID string) string {
+func testAccBigQueryTable(datasetID, tableID string) string {
 	return fmt.Sprintf(`
 resource "google_bigquery_dataset" "test" {
 	dataset_id = "%s"
@@ -349,63 +318,6 @@ EOH
 `, datasetID, tableID)
 }
 
-func testAccBigQueryTableHourlyTimePartitioning(datasetID, tableID string) string {
-	return fmt.Sprintf(`
-resource "google_bigquery_dataset" "test" {
-	dataset_id = "%s"
-}
-
-resource "google_bigquery_table" "test" {
-	table_id   = "%s"
-	dataset_id = google_bigquery_dataset.test.dataset_id
-
-	time_partitioning {
-		type                     = "HOUR"
-		field                    = "ts"
-		require_partition_filter = true
-	}
-	clustering = ["some_int", "some_string"]
-	schema     = <<EOH
-[
-	{
-		"name": "ts",
-		"type": "TIMESTAMP"
-	},
-	{
-		"name": "some_string",
-		"type": "STRING"
-	},
-	{
-		"name": "some_int",
-		"type": "INTEGER"
-	},
-	{
-		"name": "city",
-		"type": "RECORD",
-		"fields": [
-	{
-		"name": "id",
-		"type": "INTEGER"
-	},
-	{
-		"name": "coord",
-		"type": "RECORD",
-		"fields": [
-		{
-		"name": "lon",
-		"type": "FLOAT"
-		}
-		]
-	}
-		]
-	}
-]
-EOH
-
-}
-`, datasetID, tableID)
-}
-
 func testAccBigQueryTableKms(cryptoKeyName, datasetID, tableID string) string {
 	return fmt.Sprintf(`
 resource "google_bigquery_dataset" "test" {

diff --git a/google/resource_container_cluster.go b/google/resource_container_cluster.go
@@ -879,6 +879,32 @@ func resourceContainerCluster() *schema.Resource {
 				},
 			},
 
+			"database_encryption": {
+				Type:        schema.TypeList,
+				MaxItems:    1,
+				Optional:    true,
+				ForceNew:    true,
+				Computed:    true,
+				Description: `Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key.`,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"state": {
+							Type:         schema.TypeString,
+							ForceNew:     true,
+							Required:     true,
+							ValidateFunc: validation.StringInSlice([]string{"ENCRYPTED", "DECRYPTED"}, false),
+							Description:  `ENCRYPTED or DECRYPTED.`,
+						},
+						"key_name": {
+							Type:        schema.TypeString,
+							ForceNew:    true,
+							Optional:    true,
+							Description: `The key to use to encrypt/decrypt secrets.`,
+						},
+					},
+				},
+			},
+
 			"resource_usage_export_config": {
 				Type:        schema.TypeList,
 				MaxItems:    1,
@@ -1112,6 +1138,10 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
 		cluster.VerticalPodAutoscaling = expandVerticalPodAutoscaling(v)
 	}
 
+	if v, ok := d.GetOk("database_encryption"); ok {
+		cluster.DatabaseEncryption = expandDatabaseEncryption(v)
+	}
+
 	if v, ok := d.GetOk("workload_identity_config"); ok {
 		cluster.WorkloadIdentityConfig = expandWorkloadIdentityConfig(v)
 	}
@@ -1323,6 +1353,10 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
 		return err
 	}
 
+	if err := d.Set("database_encryption", flattenDatabaseEncryption(cluster.DatabaseEncryption)); err != nil {
+		return err
+	}
+
 	d.Set("resource_labels", cluster.ResourceLabels)
 	d.Set("label_fingerprint", cluster.LabelFingerprint)
 
@@ -2353,6 +2387,18 @@ func expandVerticalPodAutoscaling(configured interface{}) *containerBeta.Vertica
 	}
 }
 
+func expandDatabaseEncryption(configured interface{}) *containerBeta.DatabaseEncryption {
+	l := configured.([]interface{})
+	if len(l) == 0 {
+		return nil
+	}
+	config := l[0].(map[string]interface{})
+	return &containerBeta.DatabaseEncryption{
+		State:   config["state"].(string),
+		KeyName: config["key_name"].(string),
+	}
+}
+
 func expandWorkloadIdentityConfig(configured interface{}) *containerBeta.WorkloadIdentityConfig {
 	l := configured.([]interface{})
 	if len(l) == 0 || l[0] == nil {
@@ -2676,6 +2722,18 @@ func flattenResourceUsageExportConfig(c *containerBeta.ResourceUsageExportConfig
 	}
 }
 
+func flattenDatabaseEncryption(c *containerBeta.DatabaseEncryption) []map[string]interface{} {
+	if c == nil {
+		return nil
+	}
+	return []map[string]interface{}{
+		{
+			"state":    c.State,
+			"key_name": c.KeyName,
+		},
+	}
+}
+
 func resourceContainerClusterStateImporter(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
 	config := meta.(*Config)
 

diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go
@@ -1283,6 +1283,35 @@ func TestAccContainerCluster_errorNoClusterCreated(t *testing.T) {
 	})
 }
 
+func TestAccContainerCluster_withDatabaseEncryption(t *testing.T) {
+	t.Parallel()
+
+	clusterName := fmt.Sprintf("tf-test-cluster-%s", randString(t, 10))
+
+	// Use the bootstrapped KMS key so we can avoid creating keys needlessly
+	// as they will pile up in the project because they can not be completely
+	// deleted.  Also, we need to create the key in the same location as the
+	// cluster as GKE does not support the "global" location for KMS keys.
+	// See https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets#creating_a_key
+	kmsData := BootstrapKMSKeyInLocation(t, "us-central1")
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckContainerClusterDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccContainerCluster_withDatabaseEncryption(clusterName, kmsData),
+			},
+			{
+				ResourceName:      "google_container_cluster.with_database_encryption",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccContainerCluster_withResourceUsageExportConfig(t *testing.T) {
 	t.Parallel()
 
@@ -1620,7 +1649,7 @@ func testAccContainerCluster_updateAddons(projectID string, clusterName string)
 	return fmt.Sprintf(`
 data "google_project" "project" {
   project_id = "%s"
-}	
+}
 
 resource "google_container_cluster" "primary" {
   name               = "%s"
@@ -2882,6 +2911,39 @@ resource "google_container_cluster" "with_resource_labels" {
 `, location)
 }
 
+func testAccContainerCluster_withDatabaseEncryption(clusterName string, kmsData bootstrappedKMS) string {
+	return fmt.Sprintf(`
+data "google_project" "project" {
+}
+
+data "google_iam_policy" "test_kms_binding" {
+  binding {
+    role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
+
+    members = [
+      "serviceAccount:service-${data.google_project.project.number}@container-engine-robot.iam.gserviceaccount.com",
+    ]
+  }
+}
+
+resource "google_kms_key_ring_iam_policy" "test_key_ring_iam_policy" {
+  key_ring_id = "%[1]s"
+  policy_data = data.google_iam_policy.test_kms_binding.policy_data
+}
+
+resource "google_container_cluster" "with_database_encryption" {
+  name               = "%[3]s"
+  location           = "us-central1-a"
+  initial_node_count = 1
+
+  database_encryption {
+    state    = "ENCRYPTED"
+    key_name = "%[2]s"
+  }
+}
+`, kmsData.KeyRing.Name, kmsData.CryptoKey.Name, clusterName)
+}
+
 func testAccContainerCluster_withMasterAuthorizedNetworksDisabled(containerNetName string, clusterName string) string {
 	return fmt.Sprintf(`
 resource "google_compute_network" "container_network" {

diff --git a/website/docs/r/container_cluster.html.markdown b/website/docs/r/container_cluster.html.markdown
@@ -147,7 +147,7 @@ on the current needs of the cluster's workload. See the
 [guide to using Node Auto-Provisioning](https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-provisioning)
 for more details. Structure is documented below.
 
-* `database_encryption` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)).
+* `database_encryption` - (Optional)
     Structure is documented below.
 
 * `description` - (Optional) Description of the cluster.