From 4a38e726dcf8dbbcef8ae7ce74677fbb130e9a57 Mon Sep 17 00:00:00 2001
From: The Magician
Date: Tue, 7 Jul 2020 18:37:09 -0700
Subject: [PATCH] make database_encryption updateable (#3728) (#2259)

* make datbase_encryption updateable
* add update test
Signed-off-by: Modular Magician
---
 .changelog/3728.txt | 3 ++
 google-beta/resource_container_cluster.go | 28 +++++++++++++++++--
 .../resource_container_cluster_test.go | 12 ++++++--
 3 files changed, 38 insertions(+), 5 deletions(-)
 create mode 100644 .changelog/3728.txt

diff --git a/.changelog/3728.txt b/.changelog/3728.txt
new file mode 100644
index 0000000000..5f3e365a89
--- /dev/null
+++ b/.changelog/3728.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+container: added the ability to update `database_encryption` without recreating the cluster.
+```
diff --git a/google-beta/resource_container_cluster.go b/google-beta/resource_container_cluster.go
index ba814303d7..863ea1ad5f 100644
--- a/google-beta/resource_container_cluster.go
+++ b/google-beta/resource_container_cluster.go
@@ -1016,21 +1016,18 @@ func resourceContainerCluster() *schema.Resource {
 Type: schema.TypeList,
 MaxItems: 1,
 Optional: true,
- ForceNew: true,
 Computed: true,
 Description: `Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key.`,
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
 "state": {
 Type: schema.TypeString,
- ForceNew: true,
 Required: true,
 ValidateFunc: validation.StringInSlice([]string{"ENCRYPTED", "DECRYPTED"}, false),
 Description: `ENCRYPTED or DECRYPTED.`,
 },
 "key_name": {
 Type: schema.TypeString,
- ForceNew: true,
 Optional: true,
 Description: `The key to use to encrypt/decrypt secrets.`,
 },
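Review bot: The `Description` of this block still only explains the object format and does not say how a change is applied now that `ForceNew` is gone while `Optional: true` and `Computed: true` remain. A change of `state` or `key_name` is sent to the live cluster, and because the block is computed, deleting it from configuration will most likely leave the existing encryption setting in place rather than moving the cluster to `DECRYPTED`. I would append a sentence to the description such as `Changes are applied in place. To turn encryption off set state = "DECRYPTED" explicitly; removing the block leaves the current setting unchanged.` The schema map this block belongs to starts and ends outside the hunk.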
@@ -2098,6 +2095,31 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er } } + if d.HasChange("database_encryption") { + c := d.Get("database_encryption") + req := &containerBeta.UpdateClusterRequest{ + Update: &containerBeta.ClusterUpdate{ + DesiredDatabaseEncryption: expandDatabaseEncryption(c), + }, + } + + updateF := func() error { + name := containerClusterFullName(project, location, clusterName) + op, err := config.clientContainerBeta.Projects.Locations.Clusters.Update(name, req).Do() + if err != nil { + return err + } + // Wait until it's updated + return containerOperationWait(config, op, project, location, "updating GKE cluster database encryption config", d.Timeout(schema.TimeoutUpdate)) + } + if err := lockedCall(lockKey, updateF); err != nil { + return err + } + log.Printf("[INFO] GKE cluster %s database encryption config has been updated", d.Id()) + + d.SetPartial("database_encryption") + } + if d.HasChange("pod_security_policy_config") { c := d.Get("pod_security_policy_config") req := &containerBeta.UpdateClusterRequest{ diff --git a/google-beta/resource_container_cluster_test.go b/google-beta/resource_container_cluster_test.go index e0cd032f54..ca22c2502a 100644 --- a/google-beta/resource_container_cluster_test.go +++ b/google-beta/resource_container_cluster_test.go @@ -1726,7 +1726,15 @@ func TestAccContainerCluster_withDatabaseEncryption(t *testing.T) { Config: testAccContainerCluster_withDatabaseEncryption(clusterName, kmsData), }, { - ResourceName: "google_container_cluster.with_database_encryption", + ResourceName: "google_container_cluster.primary", + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccContainerCluster_basic(clusterName), + }, + { + ResourceName: "google_container_cluster.primary", ImportState: true, ImportStateVerify: true, }, 
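Review bot: The INFO line that closes the new `database_encryption` branch names only the cluster id, so an in-place switch to `DECRYPTED` or to another `key_name` leaves no record of what was requested. Since this path can now turn application-layer secrets encryption off without recreating the cluster, the requested state belongs in the log, for example `log.Printf("[INFO] GKE cluster %s database encryption config has been updated (state: %q)", d.Id(), d.Get("database_encryption.0.state"))`. A short comment above the branch saying that a transition to `DECRYPTED` is applied without a recreate would also help the next reader. `resourceContainerClusterUpdate` starts and ends outside the hunk.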
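Review bot: The update step added here probably does not reach the new in-place update code: it switches to `testAccContainerCluster_basic(clusterName)`, which by its name carries no `database_encryption` block, and the attribute is declared `Optional` and `Computed`, so dropping the block is likely to plan no change for it. A step that keeps the block and flips `state` to `"DECRYPTED"` (or swaps `key_name`) would exercise the branch, and the import step that follows would confirm the value read back from the API. The body of `testAccContainerCluster_basic` is not visible in this patch, so this needs checking against it. `TestAccContainerCluster_withDatabaseEncryption` starts and ends outside the hunk.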
@@ -3848,7 +3856,7 @@ resource "google_kms_key_ring_iam_policy" "test_key_ring_iam_policy" {
 policy_data = data.google_iam_policy.test_kms_binding.policy_data
 }
 
-resource "google_container_cluster" "with_database_encryption" {
+resource "google_container_cluster" "primary" {
 name = "%[3]s"
 location = "us-central1-a"
 initial_node_count = 1