From 60c077483b8f249396af566548e1cd9b2db71b05 Mon Sep 17 00:00:00 2001 From: Michael Parker Date: Sun, 1 Apr 2018 16:16:30 -0500 Subject: [PATCH 1/5] Updates the default GKE legacy ABAC setting to false --- google/resource_container_cluster.go | 2 +- google/resource_container_cluster_test.go | 32 +++++++++++++++++++++++ 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/google/resource_container_cluster.go b/google/resource_container_cluster.go index c5dbf4856a8..febe46a34f3 100644 --- a/google/resource_container_cluster.go +++ b/google/resource_container_cluster.go @@ -206,7 +206,7 @@ func resourceContainerCluster() *schema.Resource { "enable_legacy_abac": { Type: schema.TypeBool, Optional: true, - Default: true, + Default: false, }, "initial_node_count": { diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go index 57b8e6a9af5..81181518ff7 100644 --- a/google/resource_container_cluster_test.go +++ b/google/resource_container_cluster_test.go @@ -368,6 +368,29 @@ func TestAccContainerCluster_withLegacyAbac(t *testing.T) { }) } +/* + Since GKE disables legacy ABAC by default in Kubernetes version 1.8+, and the default Kubernetes version for GKE is + also 1.8+, this test will ensure that legacy ABAC is disabled by default to be more consistent with default settings + in the Cloud Console + */ +func TestAccContainerCluster_withDefaultLegacyAbac(t *testing.T) { + t.Parallel() + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckContainerClusterDestroy, + Steps: []resource.TestStep{ + { + Config: testAccContainerCluster_defaultLegacyAbac(acctest.RandString(10)), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr("google_container_cluster.default_legacy_abac", "enable_legacy_abac", "false"), + ), + }, + }, + }) +} + func TestAccContainerCluster_withVersion(t *testing.T) { t.Parallel() 
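Review bot: Changing `Default` from `true` to `false` on `enable_legacy_abac` alters the planned value for every existing configuration that omits the attribute, and nothing in this hunk or the rest of the series documents that upgrade effect. Clusters created under the old default will presumably show a diff to `false` on the next plan, and applying it removes the statically granted ABAC permissions that service accounts or workloads may still rely on; whether that is an in-place update or a replacement depends on schema flags outside the hunk. Anyone who needs the old behaviour must now set `enable_legacy_abac = true` explicitly, so please add an upgrade or changelog note. A field comment above `Default: false,` would also help, for example `// Defaults to false: legacy ABAC grants static permissions beyond RBAC/IAM, and GKE disables it by default on 1.8+.` The body of resourceContainerCluster continues outside the hunk.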
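Review bot: The comment above TestAccContainerCluster_withDefaultLegacyAbac is a `/* ... */` block that neither starts with the function name nor ends its sentence, so it reads as a free-floating note rather than a Go doc comment. I would write it as line comments, opening with `// TestAccContainerCluster_withDefaultLegacyAbac checks that a cluster created without enable_legacy_abac has legacy ABAC disabled,` and then keep the existing rationale about GKE 1.8+ and the Cloud Console default. The later patches in this series only re-wrap and re-indent the same block, so the point still applies to the final version.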
@@ -1314,6 +1337,15 @@ resource "google_container_cluster" "with_kubernetes_alpha" { }`, clusterName) } +func testAccContainerCluster_defaultLegacyAbac(clusterName string) string { + return fmt.Sprintf(` +resource "google_container_cluster" "default_legacy_abac" { + name = "cluster-test-%s" + zone = "us-central1-a" + initial_node_count = 1 +}`, clusterName) +} + func testAccContainerCluster_withLegacyAbac(clusterName string) string { return fmt.Sprintf(` resource "google_container_cluster" "with_legacy_abac" { From 56bc1d76d96849b7f7eb0a4fad05c6387a3978f9 Mon Sep 17 00:00:00 2001 From: Michael Parker Date: Sun, 1 Apr 2018 16:16:43 -0500 Subject: [PATCH 2/5] Updates docs for container_cluster --- website/docs/r/container_cluster.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/r/container_cluster.html.markdown b/website/docs/r/container_cluster.html.markdown index a000ea5b17d..df423756775 100644 --- a/website/docs/r/container_cluster.html.markdown +++ b/website/docs/r/container_cluster.html.markdown @@ -94,7 +94,7 @@ output "cluster_ca_certificate" { * `enable_legacy_abac` - (Optional) Whether the ABAC authorizer is enabled for this cluster. When enabled, identities in the system, including service accounts, nodes, and controllers, will have statically granted permissions beyond those provided by the RBAC configuration or IAM. - Defaults to `true` + Defaults to `false` * `initial_node_count` - (Optional) The number of nodes to create in this cluster (not including the Kubernetes master). Must be set if `node_pool` is not set. From db681e2e1c2a285d591fd590f89a39bab40d5dc3 Mon Sep 17 00:00:00 2001 From: Michael Parker Date: Sun, 1 Apr 2018 16:26:52 -0500 Subject: [PATCH 3/5] Update test comments --- google/resource_container_cluster_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
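Review bot: testAccContainerCluster_defaultLegacyAbac has no comment saying that `enable_legacy_abac` is left out of the config on purpose, although that omission is the whole reason this helper exists. Without it, a later cleanup could add the attribute to match the neighbouring `with_legacy_abac` config, and the test would silently stop exercising the schema default. I would add `// testAccContainerCluster_defaultLegacyAbac omits enable_legacy_abac on purpose so that the schema default is what gets applied.` above the function.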
diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go index 81181518ff7..56444767092 100644 --- a/google/resource_container_cluster_test.go +++ b/google/resource_container_cluster_test.go @@ -369,9 +369,9 @@ func TestAccContainerCluster_withLegacyAbac(t *testing.T) { } /* - Since GKE disables legacy ABAC by default in Kubernetes version 1.8+, and the default Kubernetes version for GKE is - also 1.8+, this test will ensure that legacy ABAC is disabled by default to be more consistent with default settings - in the Cloud Console + Since GKE disables legacy ABAC by default in Kubernetes version 1.8+, and the default Kubernetes + version for GKE is also 1.8+, this test will ensure that legacy ABAC is disabled by default to be + more consistent with default settings in the Cloud Console */ func TestAccContainerCluster_withDefaultLegacyAbac(t *testing.T) { t.Parallel() From 0584307fa452b464b0efdf8c5cc820bfd8412db4 Mon Sep 17 00:00:00 2001 From: Michael Parker Date: Sun, 1 Apr 2018 16:28:01 -0500 Subject: [PATCH 4/5] Format fix --- google/resource_container_cluster_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go index 56444767092..3809e820503 100644 --- a/google/resource_container_cluster_test.go +++ b/google/resource_container_cluster_test.go @@ -372,7 +372,7 @@ func TestAccContainerCluster_withLegacyAbac(t *testing.T) { Since GKE disables legacy ABAC by default in Kubernetes version 1.8+, and the default Kubernetes version for GKE is also 1.8+, this test will ensure that legacy ABAC is disabled by default to be more consistent with default settings in the Cloud Console - */ +*/ func TestAccContainerCluster_withDefaultLegacyAbac(t *testing.T) { t.Parallel() From a067d4e8c2a8c259d5008f79be004d1f1ed0277b Mon Sep 17 00:00:00 2001 
From: Michael Parker Date: Wed, 4 Apr 2018 07:58:07 -0500 Subject: [PATCH 5/5] Adds ImportState test step to default legacy ABAC test --- google/resource_container_cluster_test.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go index 3809e820503..88d108638e8 100644 --- a/google/resource_container_cluster_test.go +++ b/google/resource_container_cluster_test.go @@ -387,6 +387,12 @@ func TestAccContainerCluster_withDefaultLegacyAbac(t *testing.T) { resource.TestCheckResourceAttr("google_container_cluster.default_legacy_abac", "enable_legacy_abac", "false"), ), }, + { + ResourceName: "google_container_cluster.default_legacy_abac", + ImportStateIdPrefix: "us-central1-a/", + ImportState: true, + ImportStateVerify: true, + }, }, }) }