Changes to add Shielded VMs support in google_dataproc_workflow_templ… (#6481) (#12451)

* Changes to add Shielded VMs support in google_dataproc_workflow_template resource and would also address : /issues/10565

* Added new shielded vm test case to vcr test

* updated `go` dependencies and separated the test cases

* reverted all dependencies other than dcl

* removed enterprise-certificate-proxy dependency

* reverted extra dependencies other than dcl

Signed-off-by: Modular Magician <[email protected]>

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/6481.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+dataproc: added option `shielded_instance_config` to resource `google_dataproc_workflow_template`.
+```

go.mod

@@ -3,7 +3,7 @@ go 1.18
 
 require (
 	cloud.google.com/go/bigtable v1.16.0
-	github.com/GoogleCloudPlatform/declarative-resource-client-library v1.18.0
+	github.com/GoogleCloudPlatform/declarative-resource-client-library v1.19.0
 	github.com/apparentlymart/go-cidr v1.1.0
 	github.com/client9/misspell v0.3.4
 	github.com/davecgh/go-spew v1.1.1

go.sum

@@ -76,8 +76,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 h1:sHglBQTwgx+rWPdisA5ynNEsoARbiCBOyGcJM4/OzsM=
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
-github.com/GoogleCloudPlatform/declarative-resource-client-library v1.18.0 h1:0NWhlgF7eg/jpecAhG/QUwp0MH7D4jYekpljiLUaE74=
-github.com/GoogleCloudPlatform/declarative-resource-client-library v1.18.0/go.mod h1:i6Pmzp7aolLmJY86RaJ9wjqm/HFleMeN7Vl5uIWLwE8=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.19.0 h1:4YAtk4xuOCxUSkGdwlDhkX7DTP4VwLZCoebGGEsU+U4=
+github.com/GoogleCloudPlatform/declarative-resource-client-library v1.19.0/go.mod h1:i6Pmzp7aolLmJY86RaJ9wjqm/HFleMeN7Vl5uIWLwE8=
 github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=

google/resource_dataproc_workflow_template.go

@@ -1222,6 +1222,15 @@ func DataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigSchema
 				Elem:        &schema.Schema{Type: schema.TypeString},
 			},
 
+			"shielded_instance_config": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				ForceNew:    true,
+				Description: "Optional. Shielded Instance Config for clusters using Compute Engine Shielded VMs.",
+				MaxItems:    1,
+				Elem:        DataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfigSchema(),
+			},
+
 			"subnetwork": {
 				Type:             schema.TypeString,
 				Optional:         true,
@@ -1292,6 +1301,33 @@ func DataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigReserv
 	}
 }
 
+func DataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfigSchema() *schema.Resource {
+	return &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			"enable_integrity_monitoring": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				ForceNew:    true,
+				Description: "Optional. Defines whether instances have integrity monitoring enabled. Integrity monitoring compares the most recent boot measurements to the integrity policy baseline and returns a pair of pass/fail results depending on whether they match or not.",
+			},
+
+			"enable_secure_boot": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				ForceNew:    true,
+				Description: "Optional. Defines whether the instances have Secure Boot enabled. Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.",
+			},
+
+			"enable_vtpm": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				ForceNew:    true,
+				Description: "Optional. Defines whether the instance have the vTPM enabled. Virtual Trusted Platform Module protects objects like keys, certificates and enables Measured Boot by performing the measurements needed to create a known good boot baseline, called the integrity policy baseline.",
+			},
+		},
+	}
+}
+
 func DataprocWorkflowTemplatePlacementManagedClusterConfigInitializationActionsSchema() *schema.Resource {
 	return &schema.Resource{
 		Schema: map[string]*schema.Schema{
@@ -3162,6 +3198,7 @@ func expandDataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfig
 		ReservationAffinity:     expandDataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigReservationAffinity(obj["reservation_affinity"]),
 		ServiceAccount:          dcl.String(obj["service_account"].(string)),
 		ServiceAccountScopes:    expandStringArray(obj["service_account_scopes"]),
+		ShieldedInstanceConfig:  expandDataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig(obj["shielded_instance_config"]),
 		Subnetwork:              dcl.String(obj["subnetwork"].(string)),
 		Tags:                    expandStringArray(obj["tags"]),
 		Zone:                    dcl.StringOrNil(obj["zone"].(string)),
@@ -3181,6 +3218,7 @@ func flattenDataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfi
 		"reservation_affinity":       flattenDataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigReservationAffinity(obj.ReservationAffinity),
 		"service_account":            obj.ServiceAccount,
 		"service_account_scopes":     obj.ServiceAccountScopes,
+		"shielded_instance_config":   flattenDataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig(obj.ShieldedInstanceConfig),
 		"subnetwork":                 obj.Subnetwork,
 		"tags":                       obj.Tags,
 		"zone":                       obj.Zone,
@@ -3244,6 +3282,36 @@ func flattenDataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfi
 
 	return []interface{}{transformed}
 
+}
+
+func expandDataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig(o interface{}) *dataproc.WorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig {
+	if o == nil {
+		return dataproc.EmptyWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig
+	}
+	objArr := o.([]interface{})
+	if len(objArr) == 0 || objArr[0] == nil {
+		return dataproc.EmptyWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig
+	}
+	obj := objArr[0].(map[string]interface{})
+	return &dataproc.WorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig{
+		EnableIntegrityMonitoring: dcl.Bool(obj["enable_integrity_monitoring"].(bool)),
+		EnableSecureBoot:          dcl.Bool(obj["enable_secure_boot"].(bool)),
+		EnableVtpm:                dcl.Bool(obj["enable_vtpm"].(bool)),
+	}
+}
+
+func flattenDataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig(obj *dataproc.WorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig) interface{} {
+	if obj == nil || obj.Empty() {
+		return nil
+	}
+	transformed := map[string]interface{}{
+		"enable_integrity_monitoring": obj.EnableIntegrityMonitoring,
+		"enable_secure_boot":          obj.EnableSecureBoot,
+		"enable_vtpm":                 obj.EnableVtpm,
+	}
+
+	return []interface{}{transformed}
+
 }
 func expandDataprocWorkflowTemplatePlacementManagedClusterConfigInitializationActionsArray(o interface{}) []dataproc.WorkflowTemplatePlacementManagedClusterConfigInitializationActions {
 	if o == nil {

google/resource_dataproc_workflow_template_test.go

@@ -38,6 +38,35 @@ func TestAccDataprocWorkflowTemplate_basic(t *testing.T) {
 	})
 }
 
+func TestAccDataprocWorkflowTemplate_withShieldedVMs(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": randString(t, 10),
+		"project":       getTestProjectFromEnv(),
+		"version":       "2.0.35-debian10",
+	}
+
+	vcrTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: funcAccTestDataprocWorkflowTemplateCheckDestroy(t),
+		ExternalProviders: map[string]resource.ExternalProvider{
+			"random": {},
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataprocWorkflowTemplate_withShieldedVMs(context),
+			},
+			{
+				ImportState:       true,
+				ImportStateVerify: true,
+				ResourceName:      "google_dataproc_workflow_template.shielded_vms_template",
+			},
+		},
+	})
+}
+
 func testAccDataprocWorkflowTemplate_basic(context map[string]interface{}) string {
 	return Nprintf(`
 resource "google_dataproc_workflow_template" "template" {
@@ -94,6 +123,67 @@ resource "google_dataproc_workflow_template" "template" {
 `, context)
 }
 
+func testAccDataprocWorkflowTemplate_withShieldedVMs(context map[string]interface{}) string {
+	return Nprintf(`
+resource "google_dataproc_workflow_template" "shielded_vms_template" {
+  name = "template%{random_suffix}"
+  location = "us-central1"
+  placement {
+    managed_cluster {
+      cluster_name = "my-shielded-cluster"
+      config {
+        gce_cluster_config {
+          zone = "us-central1-a"
+          tags = ["foo", "bar"]
+          shielded_instance_config {
+            enable_secure_boot = true
+            enable_vtpm = true
+            enable_integrity_monitoring = true
+          }
+        }
+        master_config {
+          num_instances = 1
+          machine_type = "n1-standard-1"
+          disk_config {
+            boot_disk_type = "pd-ssd"
+            boot_disk_size_gb = 15
+          }
+        }
+        worker_config {
+          num_instances = 3
+          machine_type = "n1-standard-2"
+          disk_config {
+            boot_disk_size_gb = 10
+            num_local_ssds = 2
+          }
+        }
+
+        secondary_worker_config {
+          num_instances = 2
+        }
+        software_config {
+          image_version = "%{version}"
+        }
+      }
+    }
+  }
+  jobs {
+    step_id = "someJob"
+    spark_job {
+      main_class = "SomeClass"
+    }
+  }
+  jobs {
+    step_id = "otherJob"
+    prerequisite_step_ids = ["someJob"]
+    presto_job {
+      query_file_uri = "someuri"
+    }
+  }
+}
+`, context)
+}
+
 func funcAccTestDataprocWorkflowTemplateCheckDestroy(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		for name, rs := range s.RootModule().Resources {

website/docs/r/dataproc_workflow_template.html.markdown

@@ -730,6 +730,10 @@ The `gce_cluster_config` block supports:
 * `service_account_scopes` -
   (Optional)
   Optional. The URIs of service account scopes to be included in Compute Engine instances. The following base set of scopes is always included: * https://www.googleapis.com/auth/cloud.useraccounts.readonly * https://www.googleapis.com/auth/devstorage.read_write * https://www.googleapis.com/auth/logging.write If no scopes are specified, the following defaults are also provided: * https://www.googleapis.com/auth/bigquery * https://www.googleapis.com/auth/bigtable.admin.table * https://www.googleapis.com/auth/bigtable.data * https://www.googleapis.com/auth/devstorage.full_control
+
+* `shielded_instance_config` -
+  (Optional)
+  Optional. Shielded Instance Config for clusters using [Compute Engine Shielded VMs](https://cloud.google.com/security/shielded-cloud/shielded-vm). Structure [defined below](#nested_shielded_instance_config).
 
 * `subnetwork` -
   (Optional)
@@ -762,6 +766,32 @@ The `reservation_affinity` block supports:
 * `values` -
   (Optional)
   Optional. Corresponds to the label values of reservation resource.
+
+<a name="nested_shielded_instance_config"></a>The `shielded_instance_config` block supports:
+
+```hcl
+cluster_config {
+  gce_cluster_config {
+    shielded_instance_config {
+      enable_secure_boot          = true
+      enable_vtpm                 = true
+      enable_integrity_monitoring = true
+    }
+  }
+}
+```
+
+* `enable_secure_boot` -
+  (Optional)
+  Optional. Defines whether instances have [Secure Boot](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#secure-boot) enabled.
+    
+* `enable_vtpm` -
+  (Optional)
+  Optional. Defines whether instances have the [vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) enabled.
+    
+* `enable_integrity_monitoring` -
+  (Optional)
+  Optional. Defines whether instances have [Integrity Monitoring](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#integrity-monitoring) enabled.
 
 The `gke_cluster_config` block supports: