4.0 - Fully remove workload_metadata_config.node_metadata (#5346) (#10400)

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/5346.txt

@@ -0,0 +1,3 @@
+```release-note:breaking-change
+container: removed `workload_metadata_configuration.node_metadata` in favor of `workload_metadata_configuration.mode` in `google_container_cluster`
+```

google/node_config.go

@@ -231,8 +231,6 @@ func schemaNodeConfig() *schema.Schema {
 					},
 				},
 
-				// Note that ExactlyOneOf can't be set because this schema is reused by
-				// two different resources.
 				"workload_metadata_config": {
 					Computed:    true,
 					Type:        schema.TypeList,
@@ -241,18 +239,9 @@ func schemaNodeConfig() *schema.Schema {
 					Description: `The workload metadata configuration for this node.`,
 					Elem: &schema.Resource{
 						Schema: map[string]*schema.Schema{
-							"node_metadata": {
-								Type:         schema.TypeString,
-								Optional:     true,
-								Computed:     true,
-								Deprecated:   "Deprecated in favor of mode.",
-								ValidateFunc: validation.StringInSlice([]string{"UNSPECIFIED", "SECURE", "EXPOSE", "GKE_METADATA_SERVER"}, false),
-								Description:  `NodeMetadata is the configuration for how to expose metadata to the workloads running on the node.`,
-							},
 							"mode": {
 								Type:         schema.TypeString,
-								Optional:     true,
-								Computed:     true,
+								Required:     true,
 								ValidateFunc: validation.StringInSlice([]string{"MODE_UNSPECIFIED", "GCE_METADATA", "GKE_METADATA"}, false),
 								Description:  `Mode is the configuration for how to expose metadata to workloads running on the node.`,
 							},
@@ -407,10 +396,6 @@ func expandWorkloadMetadataConfig(v interface{}) *containerBeta.WorkloadMetadata
 		wmc.Mode = v.(string)
 	}
 
-	if v, ok := cfg["node_metadata"]; ok {
-		wmc.NodeMetadata = v.(string)
-	}
-
 	return wmc
 }
 
@@ -485,8 +470,7 @@ func flattenWorkloadMetadataConfig(c *containerBeta.WorkloadMetadataConfig) []ma
 	result := []map[string]interface{}{}
 	if c != nil {
 		result = append(result, map[string]interface{}{
-			"mode":          c.Mode,
-			"node_metadata": c.NodeMetadata,
+			"mode": c.Mode,
 		})
 	}
 	return result

google/resource_container_node_pool_test.go

@@ -230,45 +230,6 @@ func TestAccContainerNodePool_withWorkloadIdentityConfig(t *testing.T) {
 	})
 }
 
-func TestAccContainerNodePool_withWorkloadIdentityConfigDeprecated(t *testing.T) {
-	t.Parallel()
-
-	cluster := fmt.Sprintf("tf-test-cluster-%s", randString(t, 10))
-	np := fmt.Sprintf("tf-test-np-%s", randString(t, 10))
-
-	vcrTest(t, resource.TestCase{
-		PreCheck:     func() { testAccPreCheck(t) },
-		Providers:    testAccProviders,
-		CheckDestroy: testAccCheckContainerClusterDestroyProducer(t),
-		Steps: []resource.TestStep{
-			{
-				Config: testAccContainerNodePool_withWorkloadMetadataConfigNodeMetadata(cluster, np),
-				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttr("google_container_node_pool.with_workload_metadata_config",
-						"node_config.0.workload_metadata_config.0.node_metadata", "SECURE"),
-				),
-			},
-			{
-				ResourceName:      "google_container_node_pool.with_workload_metadata_config",
-				ImportState:       true,
-				ImportStateVerify: true,
-			},
-			{
-				Config: testAccContainerNodePool_withWorkloadMetadataConfig(cluster, np),
-				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttr("google_container_node_pool.with_workload_metadata_config",
-						"node_config.0.workload_metadata_config.0.mode", "GCE_METADATA"),
-				),
-			},
-			{
-				ResourceName:      "google_container_node_pool.with_workload_metadata_config",
-				ImportState:       true,
-				ImportStateVerify: true,
-			},
-		},
-	})
-}
-
 func TestAccContainerNodePool_withUpgradeSettings(t *testing.T) {
 	t.Parallel()
 
@@ -1219,38 +1180,6 @@ resource "google_container_node_pool" "with_workload_metadata_config" {
 `, cluster, np)
 }
 
-func testAccContainerNodePool_withWorkloadMetadataConfigNodeMetadata(cluster, np string) string {
-	return fmt.Sprintf(`
-data "google_container_engine_versions" "central1a" {
-  location = "us-central1-a"
-}
-
-resource "google_container_cluster" "cluster" {
-  name               = "%s"
-  location           = "us-central1-a"
-  initial_node_count = 1
-  min_master_version = data.google_container_engine_versions.central1a.latest_master_version
-}
-
-resource "google_container_node_pool" "with_workload_metadata_config" {
-  name               = "%s"
-  location           = "us-central1-a"
-  cluster            = google_container_cluster.cluster.name
-  initial_node_count = 1
-  node_config {
-    oauth_scopes = [
-      "https://www.googleapis.com/auth/logging.write",
-      "https://www.googleapis.com/auth/monitoring",
-    ]
-
-    workload_metadata_config {
-      node_metadata = "SECURE"
-    }
-  }
-}
-`, cluster, np)
-}
-
 func testAccContainerNodePool_withWorkloadMetadataConfig_gkeMetadata(projectID, cluster, np string) string {
 	return fmt.Sprintf(`
 data "google_project" "project" {

website/docs/r/container_cluster.html.markdown

@@ -877,16 +877,9 @@ Enables monitoring and attestation of the boot integrity of the instance. The at
 
 * `effect` (Required) Effect for taint. Accepted values are `NO_SCHEDULE`, `PREFER_NO_SCHEDULE`, and `NO_EXECUTE`.
 
-<a name="nested_workload_metadata_config"></a>The `workload_metadata_config` must have exactly one of `node_metadata` (deprecated) or `mode` set. This block supports:
+<a name="nested_workload_metadata_config"></a>The `workload_metadata_config` block supports:
 
-* `node_metadata` (Optional, Deprecated) How to expose the node metadata to the workload running on the node. This is deprecated in favor of `mode`
-    Accepted values are:
-    * UNSPECIFIED: Not Set
-    * SECURE: Prevent workloads not in hostNetwork from accessing certain VM metadata, specifically kube-env, which contains Kubelet credentials, and the instance identity token. See [Metadata Concealment](https://cloud.google.com/kubernetes-engine/docs/how-to/metadata-proxy) documentation.
-    * EXPOSE: Expose all VM metadata to pods.
-    * GKE_METADATA_SERVER: Enables [workload identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) on the node.
-
-* `mode` (Optional) How to expose the node metadata to the workload running on the node.
+* `mode` (Required) How to expose the node metadata to the workload running on the node.
     Accepted values are:
     * UNSPECIFIED: Not Set
     * GCE_METADATA: Expose all Compute Engine metadata to pods.