Fix GKE not being able to disable Cilium Policies (GoogleCloudPlatform#11810)

Author: maxi-cit

mmv1/third_party/terraform/services/container/resource_container_cluster.go.tmpl

@@ -3423,6 +3423,7 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er
 		req := &container.UpdateClusterRequest{
 			Update: &container.ClusterUpdate{
 				DesiredEnableCiliumClusterwideNetworkPolicy: enabled,
+				ForceSendFields: []string{"DesiredEnableCiliumClusterwideNetworkPolicy"},
 			},
 		}
 		updateF := updateFunc(req, "updating cilium clusterwide network policy")

mmv1/third_party/terraform/services/container/resource_container_cluster_test.go.tmpl

@@ -4245,10 +4245,10 @@ func TestAccContainerCluster_autoprovisioningLocations(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("google_container_cluster.with_autoprovisioning_locations",
 						"cluster_autoscaling.0.enabled", "true"),
-					
+
 					resource.TestCheckResourceAttr("google_container_cluster.with_autoprovisioning_locations",
 						"cluster_autoscaling.0.auto_provisioning_locations.0", "us-central1-a"),
-					
+
 					resource.TestCheckResourceAttr("google_container_cluster.with_autoprovisioning_locations",
 						"cluster_autoscaling.0.auto_provisioning_locations.1", "us-central1-f"),
 				),
@@ -4264,10 +4264,10 @@ func TestAccContainerCluster_autoprovisioningLocations(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("google_container_cluster.with_autoprovisioning_locations",
 						"cluster_autoscaling.0.enabled", "true"),
-					
+
 					resource.TestCheckResourceAttr("google_container_cluster.with_autoprovisioning_locations",
 						"cluster_autoscaling.0.auto_provisioning_locations.0", "us-central1-b"),
-					
+
 					resource.TestCheckResourceAttr("google_container_cluster.with_autoprovisioning_locations",
 						"cluster_autoscaling.0.auto_provisioning_locations.1", "us-central1-c"),
 				),
@@ -4591,6 +4591,18 @@ func TestAccContainerCluster_enableCiliumPolicies(t *testing.T) {
 				ImportStateVerify:       true,
 				ImportStateVerifyIgnore: []string{"deletion_protection"},
 			},
+			{
+				Config: testAccContainerCluster_enableCiliumPolicies(clusterName, networkName, subnetworkName, false),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("google_container_cluster.primary", "enable_cilium_clusterwide_network_policy", "false"),
+				),
+			},
+			{
+				ResourceName:            "google_container_cluster.primary",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"deletion_protection"},
+			},
 		},
 	})
 }
@@ -11331,30 +11343,30 @@ func TestAccContainerCluster_privateRegistry(t *testing.T) {
 
 func testAccContainerCluster_privateRegistryEnabled(secretID, clusterName, networkName, subnetworkName string) string {
 	return fmt.Sprintf(`
-data "google_project" "test_project" { 
+data "google_project" "test_project" {
 	}
 
-resource "google_secret_manager_secret" "secret-basic" { 
+resource "google_secret_manager_secret" "secret-basic" {
 	secret_id     = "%s"
-	replication { 
-		user_managed { 
-		replicas { 
-			location = "us-central1" 
-		} 
-		} 
-	} 
-}
-
-resource "google_secret_manager_secret_version" "secret-version-basic" { 
-	secret = google_secret_manager_secret.secret-basic.id 
-	secret_data = "dummypassword" 
-  } 
-   
-resource "google_secret_manager_secret_iam_member" "secret_iam" { 
-	secret_id  = google_secret_manager_secret.secret-basic.id 
-	role       = "roles/secretmanager.admin" 
-	member     = "serviceAccount:${data.google_project.test_project.number}[email protected]" 
-	depends_on = [google_secret_manager_secret_version.secret-version-basic]  
+	replication {
+		user_managed {
+		replicas {
+			location = "us-central1"
+		}
+		}
+	}
+}
+
+resource "google_secret_manager_secret_version" "secret-version-basic" {
+	secret = google_secret_manager_secret.secret-basic.id
+	secret_data = "dummypassword"
+  }
+
+resource "google_secret_manager_secret_iam_member" "secret_iam" {
+	secret_id  = google_secret_manager_secret.secret-basic.id
+	role       = "roles/secretmanager.admin"
+	member     = "serviceAccount:${data.google_project.test_project.number}[email protected]"
+	depends_on = [google_secret_manager_secret_version.secret-version-basic]
   }
 
 resource "google_container_cluster" "primary" {
@@ -11391,7 +11403,7 @@ resource "google_container_cluster" "primary" {
       }
     }
   }
-} 
+}
 `, secretID, clusterName, networkName, subnetworkName)
 }
 
@@ -11420,29 +11432,29 @@ resource "google_container_cluster" "primary" {
 
 func testAccContainerCluster_withNodePoolPrivateRegistry(secretID, clusterName, nodePoolName, networkName, subnetworkName string) string {
 	return fmt.Sprintf(`
-data "google_project" "test_project" { 
+data "google_project" "test_project" {
 	}
 
-resource "google_secret_manager_secret" "secret-basic" { 
+resource "google_secret_manager_secret" "secret-basic" {
 	secret_id     = "%s"
-	replication { 
-		user_managed { 
-		replicas { 
-			location = "us-central1" 
-		} 
-		} 
-	} 
-}
-resource "google_secret_manager_secret_version" "secret-version-basic" { 
-	secret = google_secret_manager_secret.secret-basic.id 
-	secret_data = "dummypassword" 
-  } 
-   
-resource "google_secret_manager_secret_iam_member" "secret_iam" { 
-	secret_id  = google_secret_manager_secret.secret-basic.id 
-	role       = "roles/secretmanager.admin" 
-	member     = "serviceAccount:${data.google_project.test_project.number}[email protected]" 
-	depends_on = [google_secret_manager_secret_version.secret-version-basic] 
+	replication {
+		user_managed {
+		replicas {
+			location = "us-central1"
+		}
+		}
+	}
+}
+resource "google_secret_manager_secret_version" "secret-version-basic" {
+	secret = google_secret_manager_secret.secret-basic.id
+	secret_data = "dummypassword"
+  }
+
+resource "google_secret_manager_secret_iam_member" "secret_iam" {
+	secret_id  = google_secret_manager_secret.secret-basic.id
+	role       = "roles/secretmanager.admin"
+	member     = "serviceAccount:${data.google_project.test_project.number}[email protected]"
+	depends_on = [google_secret_manager_secret_version.secret-version-basic]
   }
 resource "google_container_cluster" "primary" {
   name               = "%s"
@@ -11479,29 +11491,29 @@ resource "google_container_cluster" "primary" {
 
 func testAccContainerCluster_withNodeConfigPrivateRegistry(secretID, clusterName, networkName, subnetworkName string) string {
 	return fmt.Sprintf(`
-data "google_project" "test_project" { 
+data "google_project" "test_project" {
 	}
 
 resource "google_secret_manager_secret" "secret-basic" {
 	secret_id     = "%s"
-	replication { 
-		user_managed { 
-		replicas { 
-			location = "us-central1" 
-		} 
-		} 
-	}  
-}
-resource "google_secret_manager_secret_version" "secret-version-basic" { 
-	secret = google_secret_manager_secret.secret-basic.id 
-	secret_data = "dummypassword" 
-  } 
-   
-resource "google_secret_manager_secret_iam_member" "secret_iam" { 
-	secret_id  = google_secret_manager_secret.secret-basic.id 
-	role       = "roles/secretmanager.admin" 
-	member     = "serviceAccount:${data.google_project.test_project.number}[email protected]" 
-	depends_on = [google_secret_manager_secret_version.secret-version-basic] 
+	replication {
+		user_managed {
+		replicas {
+			location = "us-central1"
+		}
+		}
+	}
+}
+resource "google_secret_manager_secret_version" "secret-version-basic" {
+	secret = google_secret_manager_secret.secret-basic.id
+	secret_data = "dummypassword"
+  }
+
+resource "google_secret_manager_secret_iam_member" "secret_iam" {
+	secret_id  = google_secret_manager_secret.secret-basic.id
+	role       = "roles/secretmanager.admin"
+	member     = "serviceAccount:${data.google_project.test_project.number}[email protected]"
+	depends_on = [google_secret_manager_secret_version.secret-version-basic]
   }
 resource "google_container_cluster" "primary" {
   name               = "%s"