Changes to add Shielded VMs support in google_dataproc_workflow_templ… #12451

Merged
3 changes: 3 additions & 0 deletions .changelog/6481.txt
@@ -0,0 +1,3 @@
```release-note:enhancement
dataproc: added option `shielded_instance_config` to resource `google_dataproc_workflow_template`.
```
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -3,7 +3,7 @@ go 1.18

require (
cloud.google.com/go/bigtable v1.16.0
github.com/GoogleCloudPlatform/declarative-resource-client-library v1.18.0
github.com/GoogleCloudPlatform/declarative-resource-client-library v1.19.0
github.com/apparentlymart/go-cidr v1.1.0
github.com/client9/misspell v0.3.4
github.com/davecgh/go-spew v1.1.1
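Review bot: the bump of `declarative-resource-client-library` from v1.18.0 to v1.19.0 is what supplies the `ShieldedInstanceConfig` type and the `EmptyWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig` sentinel used in the resource file, but nothing in the PR says so; add a line to the description stating why the dependency moved and whether v1.19.0 changes behaviour for other DCL-backed resources in the provider.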
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -76,8 +76,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 h1:sHglBQTwgx+rWPdisA5ynNEsoARbiCBOyGcJM4/OzsM=
github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
github.com/GoogleCloudPlatform/declarative-resource-client-library v1.18.0 h1:0NWhlgF7eg/jpecAhG/QUwp0MH7D4jYekpljiLUaE74=
github.com/GoogleCloudPlatform/declarative-resource-client-library v1.18.0/go.mod h1:i6Pmzp7aolLmJY86RaJ9wjqm/HFleMeN7Vl5uIWLwE8=
github.com/GoogleCloudPlatform/declarative-resource-client-library v1.19.0 h1:4YAtk4xuOCxUSkGdwlDhkX7DTP4VwLZCoebGGEsU+U4=
github.com/GoogleCloudPlatform/declarative-resource-client-library v1.19.0/go.mod h1:i6Pmzp7aolLmJY86RaJ9wjqm/HFleMeN7Vl5uIWLwE8=
github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
68 changes: 68 additions & 0 deletions google/resource_dataproc_workflow_template.go
Expand Up @@ -1222,6 +1222,15 @@ func DataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigSchema
Elem: &schema.Schema{Type: schema.TypeString},
},

"shielded_instance_config": {
Type: schema.TypeList,
Optional: true,
ForceNew: true,
Description: "Optional. Shielded Instance Config for clusters using Compute Engine Shielded VMs.",
MaxItems: 1,
Elem: DataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfigSchema(),
},

"subnetwork": {
Type: schema.TypeString,
Optional: true,
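Review bot: `ForceNew: true` on the `shielded_instance_config` block means any later change to a shielded flag replaces the whole workflow template rather than updating it; that matches the sibling `gce_cluster_config` fields, but it is worth stating in the user-facing docs since toggling Secure Boot on an existing template is a plausible operation. Style: the description string opens with "Optional." while the field already carries `Optional: true`, which duplicates the flag; the sibling generated fields do the same, so either keep it for consistency or drop it across the file in a separate change.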
Expand Down Expand Up @@ -1292,6 +1301,33 @@ func DataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigReserv
}
}

func DataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfigSchema() *schema.Resource {
return &schema.Resource{
Schema: map[string]*schema.Schema{
"enable_integrity_monitoring": {
Type: schema.TypeBool,
Optional: true,
ForceNew: true,
Description: "Optional. Defines whether instances have integrity monitoring enabled. Integrity monitoring compares the most recent boot measurements to the integrity policy baseline and returns a pair of pass/fail results depending on whether they match or not.",
},

"enable_secure_boot": {
Type: schema.TypeBool,
Optional: true,
ForceNew: true,
Description: "Optional. Defines whether the instances have Secure Boot enabled. Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.",
},

"enable_vtpm": {
Type: schema.TypeBool,
Optional: true,
ForceNew: true,
Description: "Optional. Defines whether the instance have the vTPM enabled. Virtual Trusted Platform Module protects objects like keys, certificates and enables Measured Boot by performing the measurements needed to create a known good boot baseline, called the integrity policy baseline.",
},
},
}
}

func DataprocWorkflowTemplatePlacementManagedClusterConfigInitializationActionsSchema() *schema.Resource {
return &schema.Resource{
Schema: map[string]*schema.Schema{
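Review bot: grammar in the `enable_vtpm` description: `"Defines whether the instance have the vTPM enabled"` should read `"Defines whether the instances have the vTPM enabled"`, matching the wording of the two sibling fields. The three descriptions otherwise state the security semantics correctly and in the right dependency order: the vTPM supplies the measurements that form the integrity policy baseline, integrity monitoring compares later boots against that baseline, and Secure Boot halts boot when a component's signature fails verification.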
Expand Down Expand Up @@ -3162,6 +3198,7 @@ func expandDataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfig
ReservationAffinity: expandDataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigReservationAffinity(obj["reservation_affinity"]),
ServiceAccount: dcl.String(obj["service_account"].(string)),
ServiceAccountScopes: expandStringArray(obj["service_account_scopes"]),
ShieldedInstanceConfig: expandDataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig(obj["shielded_instance_config"]),
Subnetwork: dcl.String(obj["subnetwork"].(string)),
Tags: expandStringArray(obj["tags"]),
Zone: dcl.StringOrNil(obj["zone"].(string)),
Expand All @@ -3181,6 +3218,7 @@ func flattenDataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfi
"reservation_affinity": flattenDataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigReservationAffinity(obj.ReservationAffinity),
"service_account": obj.ServiceAccount,
"service_account_scopes": obj.ServiceAccountScopes,
"shielded_instance_config": flattenDataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig(obj.ShieldedInstanceConfig),
"subnetwork": obj.Subnetwork,
"tags": obj.Tags,
"zone": obj.Zone,
Expand Down Expand Up @@ -3244,6 +3282,36 @@ func flattenDataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfi

return []interface{}{transformed}

}

func expandDataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig(o interface{}) *dataproc.WorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig {
if o == nil {
return dataproc.EmptyWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig
}
objArr := o.([]interface{})
if len(objArr) == 0 || objArr[0] == nil {
return dataproc.EmptyWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig
}
obj := objArr[0].(map[string]interface{})
return &dataproc.WorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig{
EnableIntegrityMonitoring: dcl.Bool(obj["enable_integrity_monitoring"].(bool)),
EnableSecureBoot: dcl.Bool(obj["enable_secure_boot"].(bool)),
EnableVtpm: dcl.Bool(obj["enable_vtpm"].(bool)),
}
}

func flattenDataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig(obj *dataproc.WorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig) interface{} {
if obj == nil || obj.Empty() {
return nil
}
transformed := map[string]interface{}{
"enable_integrity_monitoring": obj.EnableIntegrityMonitoring,
"enable_secure_boot": obj.EnableSecureBoot,
"enable_vtpm": obj.EnableVtpm,
}

return []interface{}{transformed}

}
func expandDataprocWorkflowTemplatePlacementManagedClusterConfigInitializationActionsArray(o interface{}) []dataproc.WorkflowTemplatePlacementManagedClusterConfigInitializationActions {
if o == nil {
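Review bot: `expandDataprocWorkflowTemplatePlacementManagedClusterConfigGceClusterConfigShieldedInstanceConfig` type-asserts each flag with `obj["enable_secure_boot"].(bool)` and friends, so when the block is present every flag the user left unset is sent to the API as an explicit `false`, whereas omitting the block sends the `Empty...` sentinel; those two configurations read as equivalent in HCL but are not on the wire, so either a code comment or a test covering a partial block would help the next maintainer. Style: a blank line is missing between the closing `}` of `flatten...ShieldedInstanceConfig` and `func expandDataprocWorkflowTemplatePlacementManagedClusterConfigInitializationActionsArray`, unlike the spacing used between the other functions in this file.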
90 changes: 90 additions & 0 deletions google/resource_dataproc_workflow_template_test.go
Expand Up @@ -38,6 +38,35 @@ func TestAccDataprocWorkflowTemplate_basic(t *testing.T) {
})
}

func TestAccDataprocWorkflowTemplate_withShieldedVMs(t *testing.T) {
t.Parallel()

context := map[string]interface{}{
"random_suffix": randString(t, 10),
"project": getTestProjectFromEnv(),
"version": "2.0.35-debian10",
}

vcrTest(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: funcAccTestDataprocWorkflowTemplateCheckDestroy(t),
ExternalProviders: map[string]resource.ExternalProvider{
"random": {},
},
Steps: []resource.TestStep{
{
Config: testAccDataprocWorkflowTemplate_withShieldedVMs(context),
},
{
ImportState: true,
ImportStateVerify: true,
ResourceName: "google_dataproc_workflow_template.shielded_vms_template",
},
},
})
}

func testAccDataprocWorkflowTemplate_basic(context map[string]interface{}) string {
return Nprintf(`
resource "google_dataproc_workflow_template" "template" {
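Review bot: `TestAccDataprocWorkflowTemplate_withShieldedVMs` applies one configuration and then import-verifies it, which proves the three flags round-trip through flatten but never exercises the `ForceNew` replacement added in the schema; consider a second `Config` step that flips one flag (for example `enable_secure_boot = false`) so the replacement path is covered. The `"version": "2.0.35-debian10"` value is pinned in this test's `context` rather than shared with `TestAccDataprocWorkflowTemplate_basic`; fine if intentional, otherwise hoist it.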
Expand Down Expand Up @@ -94,6 +123,67 @@ resource "google_dataproc_workflow_template" "template" {
`, context)
}

func testAccDataprocWorkflowTemplate_withShieldedVMs(context map[string]interface{}) string {
return Nprintf(`
resource "google_dataproc_workflow_template" "shielded_vms_template" {
name = "template%{random_suffix}"
location = "us-central1"
placement {
managed_cluster {
cluster_name = "my-shielded-cluster"
config {
gce_cluster_config {
zone = "us-central1-a"
tags = ["foo", "bar"]
shielded_instance_config {
enable_secure_boot = true
enable_vtpm = true
enable_integrity_monitoring = true
}
}
master_config {
num_instances = 1
machine_type = "n1-standard-1"
disk_config {
boot_disk_type = "pd-ssd"
boot_disk_size_gb = 15
}
}
worker_config {
num_instances = 3
machine_type = "n1-standard-2"
disk_config {
boot_disk_size_gb = 10
num_local_ssds = 2
}
}

secondary_worker_config {
num_instances = 2
}
software_config {
image_version = "%{version}"
}
}
}
}
jobs {
step_id = "someJob"
spark_job {
main_class = "SomeClass"
}
}
jobs {
step_id = "otherJob"
prerequisite_step_ids = ["someJob"]
presto_job {
query_file_uri = "someuri"
}
}
}
`, context)
}

func funcAccTestDataprocWorkflowTemplateCheckDestroy(t *testing.T) func(s *terraform.State) error {
return func(s *terraform.State) error {
for name, rs := range s.RootModule().Resources {
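Review bot: the fixture sets all three shielded flags to `true`, so the expand path where an unset flag is sent as explicit `false` is not covered; a second fixture with a partial block (only `enable_secure_boot = true`, say) would exercise it. The fixture also documents the real attribute path, `placement { managed_cluster { config { gce_cluster_config { shielded_instance_config { ... } } } } }`, which is the path any documentation example for this block should use.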
30 changes: 30 additions & 0 deletions website/docs/r/dataproc_workflow_template.html.markdown
Expand Up @@ -730,6 +730,10 @@ The `gce_cluster_config` block supports:
* `service_account_scopes` -
(Optional)
Optional. The URIs of service account scopes to be included in Compute Engine instances. The following base set of scopes is always included: * https://www.googleapis.com/auth/cloud.useraccounts.readonly * https://www.googleapis.com/auth/devstorage.read_write * https://www.googleapis.com/auth/logging.write If no scopes are specified, the following defaults are also provided: * https://www.googleapis.com/auth/bigquery * https://www.googleapis.com/auth/bigtable.admin.table * https://www.googleapis.com/auth/bigtable.data * https://www.googleapis.com/auth/devstorage.full_control

* `shielded_instance_config` -
(Optional)
Optional. Shielded Instance Config for clusters using [Compute Engine Shielded VMs](https://cloud.google.com/security/shielded-cloud/shielded-vm). Structure [defined below](#nested_shielded_instance_config).

* `subnetwork` -
(Optional)
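Review bot: the new `shielded_instance_config` entry is labelled `(Optional)` only, while the schema in this PR sets `ForceNew: true` on the block and on all three nested fields; add a sentence saying that changing any of these flags forces a new `google_dataproc_workflow_template`, since that is the behaviour a user hits when enabling Secure Boot or vTPM on an existing template.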
Expand Down Expand Up @@ -762,6 +766,32 @@ The `reservation_affinity` block supports:
* `values` -
(Optional)
Optional. Corresponds to the label values of reservation resource.

<a name="nested_shielded_instance_config"></a>The `shielded_instance_config` block supports:

```hcl
cluster_config {
gce_cluster_config {
shielded_instance_config {
enable_secure_boot = true
enable_vtpm = true
enable_integrity_monitoring = true
}
}
}
```

* `enable_secure_boot` -
(Optional)
Optional. Defines whether instances have [Secure Boot](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#secure-boot) enabled.

* `enable_vtpm` -
(Optional)
Optional. Defines whether instances have the [vTPM](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm) enabled.

* `enable_integrity_monitoring` -
(Optional)
Optional. Defines whether instances have [Integrity Monitoring](https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#integrity-monitoring) enabled.

The `gke_cluster_config` block supports:
