From f8a5cca510b180ac285183214c0641cf9d0b8a87 Mon Sep 17 00:00:00 2001
From: Will Yardley
Date: Mon, 25 Jul 2022 23:53:20 -0700
Subject: [PATCH] fix: resolve deprecation warning for binary authorization (#1332)
enable_binary_authorization is now deprecated in favor of the binary_authorization block. This preserves the module's interface, but updates the underlying behavior Fixes #1331
---
 autogen/main/cluster.tf.tmpl | 9 ++++++++-
 cluster.tf | 13 ++++++++++---
 .../beta-private-cluster-update-variant/cluster.tf | 13 ++++++++++---
 modules/beta-private-cluster/cluster.tf | 13 ++++++++++---
 .../beta-public-cluster-update-variant/cluster.tf | 13 ++++++++++---
 modules/beta-public-cluster/cluster.tf | 13 ++++++++++---
 modules/private-cluster-update-variant/cluster.tf | 13 ++++++++++---
 modules/private-cluster/cluster.tf | 13 ++++++++++---
 test/integration/beta_cluster/controls/gcloud.rb | 2 +-
 test/integration/safer_cluster/controls/gcloud.rb | 2 +-
 test/integration/simple_regional/controls/gcloud.rb | 2 +-
 11 files changed, 81 insertions(+), 25 deletions(-)
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 8599190633..5a9f63f6ba 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -151,7 +151,14 @@ resource "google_container_cluster" "primary" {
 {% if autopilot_cluster != true %}
 default_max_pods_per_node = var.default_max_pods_per_node
 enable_shielded_nodes = var.enable_shielded_nodes
- enable_binary_authorization = var.enable_binary_authorization
+
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
 {% if beta_cluster %}
 enable_intranode_visibility = var.enable_intranode_visibility
 enable_kubernetes_alpha = var.enable_kubernetes_alpha
diff --git a/cluster.tf b/cluster.tf
index ab31caac86..cebee0167a 100644
--- a/cluster.tf
+++ b/cluster.tf
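Review bot: With the new `for_each` on the dynamic block, `enable_binary_authorization = false` no longer sends an explicit disable the way the removed attribute line did; it omits the `binary_authorization` block entirely, so whether turning the variable off on an existing cluster actually drops enforcement now depends on how the provider treats a block that disappears from configuration — worth confirming with a plan against a cluster that has it on, since the commit description promises unchanged behavior. An always-present block, `binary_authorization { evaluation_mode = var.enable_binary_authorization ? "PROJECT_SINGLETON_POLICY_ENFORCE" : "DISABLED" }`, states the desired mode in both directions, provided the provider accepts it without a perpetual diff. The element `[var.enable_binary_authorization]` is never read inside `content`, so `[true]` would make the list's role as a plain on/off switch clearer, and a comment such as `# enable_binary_authorization is deprecated upstream; PROJECT_SINGLETON_POLICY_ENFORCE is the block equivalent of the old "enabled = true"` would document the mapping. The same hunk is repeated verbatim in cluster.tf and the seven modules/*/cluster.tf files below, which appear to be generated from this template, so the change belongs here only. The enclosing `resource "google_container_cluster" "primary"` block starts and ends outside the hunk.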
@@ -76,9 +76,16 @@ resource "google_container_cluster" "primary" {
 vertical_pod_autoscaling {
 enabled = var.enable_vertical_pod_autoscaling
 }
- default_max_pods_per_node = var.default_max_pods_per_node
- enable_shielded_nodes = var.enable_shielded_nodes
- enable_binary_authorization = var.enable_binary_authorization
+ default_max_pods_per_node = var.default_max_pods_per_node
+ enable_shielded_nodes = var.enable_shielded_nodes
+
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
 content {
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index bdec3940c5..802ef2f223 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -116,9 +116,16 @@ resource "google_container_cluster" "primary" {
 vertical_pod_autoscaling {
 enabled = var.enable_vertical_pod_autoscaling
 }
- default_max_pods_per_node = var.default_max_pods_per_node
- enable_shielded_nodes = var.enable_shielded_nodes
- enable_binary_authorization = var.enable_binary_authorization
+ default_max_pods_per_node = var.default_max_pods_per_node
+ enable_shielded_nodes = var.enable_shielded_nodes
+
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
 enable_intranode_visibility = var.enable_intranode_visibility
 enable_kubernetes_alpha = var.enable_kubernetes_alpha
 enable_tpu = var.enable_tpu
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index c269b128e0..8d64e2d42e 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -116,9 +116,16 @@ resource "google_container_cluster" "primary" {
 vertical_pod_autoscaling {
 enabled = var.enable_vertical_pod_autoscaling
 }
- default_max_pods_per_node = var.default_max_pods_per_node
- enable_shielded_nodes = var.enable_shielded_nodes
- enable_binary_authorization = var.enable_binary_authorization
+ default_max_pods_per_node = var.default_max_pods_per_node
+ enable_shielded_nodes = var.enable_shielded_nodes
+
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
 enable_intranode_visibility = var.enable_intranode_visibility
 enable_kubernetes_alpha = var.enable_kubernetes_alpha
 enable_tpu = var.enable_tpu
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 71415c2b1a..731002cd3c 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -116,9 +116,16 @@ resource "google_container_cluster" "primary" {
 vertical_pod_autoscaling {
 enabled = var.enable_vertical_pod_autoscaling
 }
- default_max_pods_per_node = var.default_max_pods_per_node
- enable_shielded_nodes = var.enable_shielded_nodes
- enable_binary_authorization = var.enable_binary_authorization
+ default_max_pods_per_node = var.default_max_pods_per_node
+ enable_shielded_nodes = var.enable_shielded_nodes
+
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
 enable_intranode_visibility = var.enable_intranode_visibility
 enable_kubernetes_alpha = var.enable_kubernetes_alpha
 enable_tpu = var.enable_tpu
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index da0c8522ca..9d22602e5f 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -116,9 +116,16 @@ resource "google_container_cluster" "primary" {
 vertical_pod_autoscaling {
 enabled = var.enable_vertical_pod_autoscaling
 }
- default_max_pods_per_node = var.default_max_pods_per_node
- enable_shielded_nodes = var.enable_shielded_nodes
- enable_binary_authorization = var.enable_binary_authorization
+ default_max_pods_per_node = var.default_max_pods_per_node
+ enable_shielded_nodes = var.enable_shielded_nodes
+
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
 enable_intranode_visibility = var.enable_intranode_visibility
 enable_kubernetes_alpha = var.enable_kubernetes_alpha
 enable_tpu = var.enable_tpu
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index d43c96d71f..b0cfb538b2 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -76,9 +76,16 @@ resource "google_container_cluster" "primary" {
 vertical_pod_autoscaling {
 enabled = var.enable_vertical_pod_autoscaling
 }
- default_max_pods_per_node = var.default_max_pods_per_node
- enable_shielded_nodes = var.enable_shielded_nodes
- enable_binary_authorization = var.enable_binary_authorization
+ default_max_pods_per_node = var.default_max_pods_per_node
+ enable_shielded_nodes = var.enable_shielded_nodes
+
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
 content {
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 0effdf9fae..460b85d7b7 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -76,9 +76,16 @@ resource "google_container_cluster" "primary" {
 vertical_pod_autoscaling {
 enabled = var.enable_vertical_pod_autoscaling
 }
- default_max_pods_per_node = var.default_max_pods_per_node
- enable_shielded_nodes = var.enable_shielded_nodes
- enable_binary_authorization = var.enable_binary_authorization
+ default_max_pods_per_node = var.default_max_pods_per_node
+ enable_shielded_nodes = var.enable_shielded_nodes
+
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
 content {
diff --git a/test/integration/beta_cluster/controls/gcloud.rb b/test/integration/beta_cluster/controls/gcloud.rb
index 0fcb76f4e2..99f477e099 100644
--- a/test/integration/beta_cluster/controls/gcloud.rb
+++ b/test/integration/beta_cluster/controls/gcloud.rb
@@ -81,7 +81,7 @@
 it "has the expected binaryAuthorization config" do
 expect(data['binaryAuthorization']).to eq({
- "enabled" => true,
+ "evaluationMode" => "PROJECT_SINGLETON_POLICY_ENFORCE",
 })
 end
diff --git a/test/integration/safer_cluster/controls/gcloud.rb b/test/integration/safer_cluster/controls/gcloud.rb
index 14323652c6..9faae675ca 100644
--- a/test/integration/safer_cluster/controls/gcloud.rb
+++ b/test/integration/safer_cluster/controls/gcloud.rb
@@ -76,7 +76,7 @@
 it "has binary authorization" do
 expect(data['binaryAuthorization']).to eq({
- "enabled" => true,
+ "evaluationMode" => "PROJECT_SINGLETON_POLICY_ENFORCE",
 })
 end
diff --git a/test/integration/simple_regional/controls/gcloud.rb b/test/integration/simple_regional/controls/gcloud.rb
index eac8fd0ee7..81fa2e720a 100644
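Review bot: This assertion, and the matching ones in the safer_cluster and simple_regional controls that follow, pin only the enabled shape `"evaluationMode" => "PROJECT_SINGLETON_POLICY_ENFORCE"`; nothing checks what the API reports for a cluster created with `enable_binary_authorization = false`, which is the path whose implementation changed from an explicit `false` to an omitted block. A control on a fixture with the feature off — expecting either no `binaryAuthorization` entry or a disabled `evaluationMode`, whichever a real cluster returns — would catch the case where turning the variable off no longer takes effect. The `it` block is complete within the hunk; the blocks enclosing it start and end outside the hunk.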
--- a/test/integration/simple_regional/controls/gcloud.rb
+++ b/test/integration/simple_regional/controls/gcloud.rb
@@ -70,7 +70,7 @@
 it "has the expected binaryAuthorization config" do
 expect(data['binaryAuthorization']).to eq({
- "enabled" => true,
+ "evaluationMode" => "PROJECT_SINGLETON_POLICY_ENFORCE",
 })
 end
 end