Add network policy config. (#1200)

Author: nat-henderson

google/resource_container_cluster.go

@@ -160,6 +160,20 @@ func resourceContainerCluster() *schema.Resource {
 								},
 							},
 						},
+						"network_policy_config": {
+							Type:     schema.TypeList,
+							Optional: true,
+							Computed: true,
+							MaxItems: 1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"disabled": {
+										Type:     schema.TypeBool,
+										Optional: true,
+									},
+								},
+							},
+						},
 					},
 				},
 			},
@@ -1187,6 +1201,15 @@ func expandClusterAddonsConfig(configured interface{}) *containerBeta.AddonsConf
 			ForceSendFields: []string{"Disabled"},
 		}
 	}
+
+	if v, ok := config["network_policy_config"]; ok && len(v.([]interface{})) > 0 {
+		addon := v.([]interface{})[0].(map[string]interface{})
+		ac.NetworkPolicyConfig = &containerBeta.NetworkPolicyConfig{
+			Disabled:        addon["disabled"].(bool),
+			ForceSendFields: []string{"Disabled"},
+		}
+	}
+
 	return ac
 }
 
@@ -1304,6 +1327,14 @@ func flattenClusterAddonsConfig(c *containerBeta.AddonsConfig) []map[string]inte
 			},
 		}
 	}
+	if c.NetworkPolicyConfig != nil {
+		result["network_policy_config"] = []map[string]interface{}{
+			{
+				"disabled": c.NetworkPolicyConfig.Disabled,
+			},
+		}
+	}
+
 	return []map[string]interface{}{result}
 }
 

google/resource_container_cluster_test.go

@@ -146,7 +146,16 @@ func TestAccContainerCluster_withNetworkPolicyEnabled(t *testing.T) {
 				),
 			},
 			{
-				Config:             testAccContainerCluster_withNetworkPolicyDisabled(clusterName),
+				Config: testAccContainerCluster_withNetworkPolicyConfigDisabled(clusterName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckContainerCluster(
+						"google_container_cluster.with_network_policy_enabled"),
+					resource.TestCheckResourceAttr("google_container_cluster.with_network_policy_enabled",
+						"addons_config.0.network_policy_config.0.disabled", "true"),
+				),
+			},
+			{
+				Config:             testAccContainerCluster_withNetworkPolicyConfigDisabled(clusterName),
 				PlanOnly:           true,
 				ExpectNonEmptyPlan: false,
 			},
@@ -1142,6 +1151,11 @@ resource "google_container_cluster" "with_network_policy_enabled" {
 		enabled = true
 		provider = "CALICO"
 	}	
+	addons_config {
+		network_policy_config {
+			disabled = false
+		}
+	}
 }`, clusterName)
 }
 
@@ -1165,6 +1179,22 @@ resource "google_container_cluster" "with_network_policy_enabled" {
 }`, clusterName)
 }
 
+func testAccContainerCluster_withNetworkPolicyConfigDisabled(clusterName string) string {
+	return fmt.Sprintf(`
+resource "google_container_cluster" "with_network_policy_enabled" {
+	name = "%s"
+	zone = "us-central1-a"
+	initial_node_count = 1
+
+	network_policy = {}
+	addons_config {
+		network_policy_config {
+			disabled = true
+		}
+	}
+}`, clusterName)
+}
+
 func testAccContainerCluster_withMasterAuthorizedNetworksConfig(clusterName string, cidrs []string) string {
 
 	cidrBlocks := ""

website/docs/r/container_cluster.html.markdown

@@ -169,10 +169,13 @@ The `addons_config` block supports:
 * `http_load_balancing` - (Optional) The status of the HTTP (L7) load balancing
     controller addon, which makes it easy to set up HTTP load balancers for services in a
     cluster. It is enabled by default; set `disabled = true` to disable.
-
 * `kubernetes_dashboard` - (Optional) The status of the Kubernetes Dashboard
     add-on, which controls whether the Kubernetes Dashboard is enabled for this cluster.
     It is enabled by default; set `disabled = true` to disable.
+* `network_policy_config` - (Optional) Whether we should enable the network policy addon
+    for the master.  This must be enabled in order to enable network policy for the nodes.
+    It can only be disabled if the nodes already do not have network policies enabled.
+    Set `disabled = true` to disable.
 
 This example `addons_config` disables two addons: