Add support for binauthz evaluation mode (#6101) (#12035)

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/6101.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+container: Added `binauthz_evaluation_mode` field to `resource_container_cluster`.
+```

google/data_source_google_container_cluster_test.go

@@ -24,7 +24,6 @@ func TestAccContainerClusterDatasource_zonal(t *testing.T) {
 						map[string]struct{}{
 							"enable_autopilot":             {},
 							"enable_tpu":                   {},
-							"enable_binary_authorization":  {},
 							"pod_security_policy_config.#": {},
 						},
 					),
@@ -51,7 +50,6 @@ func TestAccContainerClusterDatasource_regional(t *testing.T) {
 						map[string]struct{}{
 							"enable_autopilot":             {},
 							"enable_tpu":                   {},
-							"enable_binary_authorization":  {},
 							"pod_security_policy_config.#": {},
 						},
 					),

google/resource_container_cluster.go

@@ -400,11 +400,38 @@ func resourceContainerCluster() *schema.Resource {
 			},
 
 			"enable_binary_authorization": {
-				Default:       false,
 				Type:          schema.TypeBool,
 				Optional:      true,
+				Default:       false,
+				Deprecated:    "Deprecated in favor of binary_authorization.",
 				Description:   `Enable Binary Authorization for this cluster. If enabled, all container images will be validated by Google Binary Authorization.`,
-				ConflictsWith: []string{"enable_autopilot"},
+				ConflictsWith: []string{"enable_autopilot", "binary_authorization"},
+			},
+			"binary_authorization": {
+				Type:             schema.TypeList,
+				Optional:         true,
+				DiffSuppressFunc: BinaryAuthorizationDiffSuppress,
+				MaxItems:         1,
+				Description:      "Configuration options for the Binary Authorization feature.",
+				ConflictsWith:    []string{"enable_binary_authorization"},
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"enabled": {
+							Type:          schema.TypeBool,
+							Optional:      true,
+							Deprecated:    "Deprecated in favor of evaluation_mode.",
+							Description:   "Enable Binary Authorization for this cluster.",
+							ConflictsWith: []string{"enable_autopilot", "binary_authorization.0.evaluation_mode"},
+						},
+						"evaluation_mode": {
+							Type:          schema.TypeString,
+							Optional:      true,
+							ValidateFunc:  validation.StringInSlice([]string{"DISABLED", "PROJECT_SINGLETON_POLICY_ENFORCE"}, false),
+							Description:   "Mode of operation for Binary Authorization policy evaluation.",
+							ConflictsWith: []string{"binary_authorization.0.enabled"},
+						},
+					},
+				},
 			},
 
 			"enable_kubernetes_alpha": {
@@ -1299,10 +1326,7 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
 		EnableKubernetesAlpha: d.Get("enable_kubernetes_alpha").(bool),
 		IpAllocationPolicy:    ipAllocationBlock,
 		Autoscaling:           expandClusterAutoscaling(d.Get("cluster_autoscaling"), d),
-		BinaryAuthorization: &container.BinaryAuthorization{
-			Enabled:         d.Get("enable_binary_authorization").(bool),
-			ForceSendFields: []string{"Enabled"},
-		},
+		BinaryAuthorization:   expandBinaryAuthorization(d.Get("binary_authorization"), d.Get("enable_binary_authorization").(bool)),
 		Autopilot: &container.Autopilot{
 			Enabled:         d.Get("enable_autopilot").(bool),
 			ForceSendFields: []string{"Enabled"},
@@ -1646,8 +1670,17 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
 	if err := d.Set("cluster_autoscaling", flattenClusterAutoscaling(cluster.Autoscaling)); err != nil {
 		return err
 	}
-	if err := d.Set("enable_binary_authorization", cluster.BinaryAuthorization != nil && cluster.BinaryAuthorization.Enabled); err != nil {
-		return fmt.Errorf("Error setting enable_binary_authorization: %s", err)
+	binauthz_enabled := d.Get("binary_authorization.0.enabled").(bool)
+	legacy_binauthz_enabled := d.Get("enable_binary_authorization").(bool)
+	if !binauthz_enabled {
+		if err := d.Set("enable_binary_authorization", cluster.BinaryAuthorization != nil && cluster.BinaryAuthorization.Enabled); err != nil {
+			return fmt.Errorf("Error setting enable_binary_authorization: %s", err)
+		}
+	}
+	if !legacy_binauthz_enabled {
+		if err := d.Set("binary_authorization", flattenBinaryAuthorization(cluster.BinaryAuthorization)); err != nil {
+			return err
+		}
 	}
 	if cluster.Autopilot != nil {
 		if err := d.Set("enable_autopilot", cluster.Autopilot.Enabled); err != nil {
@@ -1873,6 +1906,22 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er
 		log.Printf("[INFO] GKE cluster %s's binary authorization has been updated to %v", d.Id(), enabled)
 	}
 
+	if d.HasChange("binary_authorization") {
+		req := &container.UpdateClusterRequest{
+			Update: &container.ClusterUpdate{
+				DesiredBinaryAuthorization: expandBinaryAuthorization(d.Get("binary_authorization"), d.Get("enable_binary_authorization").(bool)),
+			},
+		}
+
+		updateF := updateFunc(req, "updating GKE binary authorization")
+		// Call update serially.
+		if err := lockedCall(lockKey, updateF); err != nil {
+			return err
+		}
+
+		log.Printf("[INFO] GKE cluster %s's binary authorization has been updated to %v", d.Id(), req.Update.DesiredBinaryAuthorization)
+	}
+
 	if d.HasChange("enable_shielded_nodes") {
 		enabled := d.Get("enable_shielded_nodes").(bool)
 		req := &container.UpdateClusterRequest{
@@ -2981,6 +3030,21 @@ func expandNotificationConfig(configured interface{}) *container.NotificationCon
 	}
 }
 
+func expandBinaryAuthorization(configured interface{}, legacy_enabled bool) *container.BinaryAuthorization {
+	l := configured.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return &container.BinaryAuthorization{
+			Enabled:         legacy_enabled,
+			ForceSendFields: []string{"Enabled"},
+		}
+	}
+	config := l[0].(map[string]interface{})
+	return &container.BinaryAuthorization{
+		Enabled:        config["enabled"].(bool),
+		EvaluationMode: config["evaluation_mode"].(string),
+	}
+}
+
 func expandConfidentialNodes(configured interface{}) *container.ConfidentialNodes {
 	l := configured.([]interface{})
 	if len(l) == 0 || l[0] == nil {
@@ -3247,6 +3311,18 @@ func flattenNotificationConfig(c *container.NotificationConfig) []map[string]int
 		},
 	}
 }
+
+func flattenBinaryAuthorization(c *container.BinaryAuthorization) []map[string]interface{} {
+	result := []map[string]interface{}{}
+	if c != nil {
+		result = append(result, map[string]interface{}{
+			"enabled":         c.Enabled,
+			"evaluation_mode": c.EvaluationMode,
+		})
+	}
+	return result
+}
+
 func flattenConfidentialNodes(c *container.ConfidentialNodes) []map[string]interface{} {
 	result := []map[string]interface{}{}
 	if c != nil {
@@ -3859,3 +3935,15 @@ func containerClusterNetworkPolicyDiffSuppress(k, old, new string, r *schema.Res
 
 	return false
 }
+
+func BinaryAuthorizationDiffSuppress(k, old, new string, r *schema.ResourceData) bool {
+	// An empty config is equivalent to a config with enabled set to false.
+	if k == "binary_authorization.#" && old == "1" && new == "0" {
+		o, _ := r.GetChange("binary_authorization.0.enabled")
+		if !o.(bool) && !r.HasChange("binary_authorization.0.evaluation_mode") {
+			return true
+		}
+	}
+
+	return false
+}

google/resource_container_cluster_test.go

@@ -2313,6 +2313,9 @@ resource "google_container_cluster" "primary" {
     enabled = true
   }
 
+  binary_authorization {
+    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+  }
 }
 `, name)
 }
@@ -2342,6 +2345,9 @@ resource "google_container_cluster" "primary" {
     enabled = true
   }
 
+  binary_authorization {
+    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+  }
 }
 `, name)
 }

website/docs/r/container_cluster.html.markdown

@@ -136,6 +136,9 @@ on the current needs of the cluster's workload. See the
 [guide to using Node Auto-Provisioning](https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-provisioning)
 for more details. Structure is [documented below](#nested_cluster_autoscaling).
 
+* `binary_authorization` - (Optional) Configuration options for the Binary
+  Authorization feature. Structure is [documented below](#nested_binary_authorization).
+
 * `database_encryption` - (Optional)
     Structure is [documented below](#nested_database_encryption).
 
@@ -146,8 +149,9 @@ per node in this cluster. This doesn't work on "routes-based" clusters, clusters
 that don't have IP Aliasing enabled. See the [official documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/flexible-pod-cidr)
 for more information.
 
-* `enable_binary_authorization` - (Optional) Enable Binary Authorization for this cluster.
+* `enable_binary_authorization` - (DEPRECATED) Enable Binary Authorization for this cluster.
     If enabled, all container images will be validated by Google Binary Authorization.
+    Deprecated in favor of `binary_authorization`.
 
 * `enable_kubernetes_alpha` - (Optional) Whether to enable Kubernetes Alpha features for
     this cluster. Note that when this option is enabled, the cluster cannot be upgraded
@@ -410,6 +414,11 @@ addons_config {
   }
 }
 ```
+<a name="nested_binary_authorization"></a>The `binary_authorization` block supports:
+
+* `enabled` - (DEPRECATED) Enable Binary Authorization for this cluster. Deprecated in favor of `evaluation_mode`.
+
+* `evaluation_mode` - (Optional) Mode of operation for Binary Authorization policy evaluation.
 
 <a name="nested_database_encryption"></a>The `database_encryption` block supports: