Only set enabled bool if evaluation mode is unspecified (#9629) (#16851)

modular-magician · web-flow · commit 90bab07f14f1 · 2023-12-20T11:03:06.000-08:00
* Only set enabled bool if evaluation mode is unspecified

* Only trigger one cluster update event if both both legacy  and  struct blocks have diffs.

* remove inadvertant modifications

* Pass legacy bool to expandBinaryAuthorization fn

* move fn for diff readability

* reformat

* reformat

* Only get enable_binary_authorization if its been changed

* remove commas

* fix logic

* Remove enable_binary_authorization condition

* Add upgrade path docs

* Add comma

* Update mmv1/third_party/terraform/website/docs/guides/version_5_upgrade.html.markdown

---------


[upstream:c1e45b10619f22ab5dff5d29f5b429a787389f45]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/9629.txt b/.changelog/9629.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+container: fixed an issue in which migrating from the deprecated Binauthz enablement bool to the new evaluation mode enum inadvertently caused two cluster update events, instead of none.
+```
diff --git a/google/services/container/resource_container_cluster.go b/google/services/container/resource_container_cluster.go
@@ -2770,26 +2770,6 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er
 		log.Printf("[INFO] GKE cluster %s's autopilot workload policy config allow_net_admin has been set to %v", d.Id(), allowed)
 	}
 
-	if d.HasChange("enable_binary_authorization") {
-		enabled := d.Get("enable_binary_authorization").(bool)
-		req := &container.UpdateClusterRequest{
-			Update: &container.ClusterUpdate{
-				DesiredBinaryAuthorization: &container.BinaryAuthorization{
-					Enabled:         enabled,
-					ForceSendFields: []string{"Enabled"},
-				},
-			},
-		}
-
-		updateF := updateFunc(req, "updating GKE binary authorization")
-		// Call update serially.
-		if err := transport_tpg.LockedCall(lockKey, updateF); err != nil {
-			return err
-		}
-
-		log.Printf("[INFO] GKE cluster %s's binary authorization has been updated to %v", d.Id(), enabled)
-	}
-
 	if d.HasChange("private_cluster_config.0.enable_private_endpoint") {
 		enabled := d.Get("private_cluster_config.0.enable_private_endpoint").(bool)
 		req := &container.UpdateClusterRequest{
diff --git a/website/docs/guides/version_5_upgrade.html.markdown b/website/docs/guides/version_5_upgrade.html.markdown
@@ -636,7 +636,15 @@ resource "google_container_cluster" "primary" {
 
 ### `enable_binary_authorization` is now removed
 
-`enable_binary_authorization` has been removed in favor of `binary_authorization.enabled`.
+`enable_binary_authorization` has been removed in favor of `binary_authorization.evaluation_mode`.
+To enable Binary Authorization, set evaluation mode to "PROJECT_SINGLETON_POLICY_ENFORCE"
+as shown in the example below. To disable it, set evaluation mode to "DISABLED".
+
+```
+  binary_authorization {
+    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+  }
+```
 
 ### Default value of `network_policy.provider` is now removed
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:bug
	`2`	`+container: fixed an issue in which migrating from the deprecated Binauthz enablement bool to the new evaluation mode enum inadvertently caused two cluster update events, instead of none.`
	`3`	+```