Merge branch 'main' into main

GoogleCloudPlatform · Aug 29, 2024 · 4af5115 · 4af5115
2 parents 49f7a57 + b7538e9
commit 4af5115
Show file tree

Hide file tree

Showing 10 changed files with 669 additions and 38 deletions.
diff --git a/mmv1/products/securitycenterv2/ProjectSccBigQueryExports.yaml b/mmv1/products/securitycenterv2/ProjectSccBigQueryExports.yaml
@@ -0,0 +1,138 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+--- !ruby/object:Api::Resource
+name: 'ProjectSccBigQueryExports'
+base_url: projects/{{project}}/locations/{{location}}/bigQueryExports
+self_link: projects/{{project}}/locations/{{location}}/bigQueryExports/{{big_query_export_id}}
+create_url: projects/{{project}}/locations/{{location}}/bigQueryExports?bigQueryExportId={{big_query_export_id}}
+update_verb: :PATCH
+update_mask: true
+import_format:
+  - 'projects/{{project}}/locations/{{location}}/bigQueryExports/{{big_query_export_id}}'
+description: |
+  A Cloud Security Command Center (Cloud SCC) Big Query Export Config.
+  It represents exporting Security Command Center data, including assets, findings, and security marks
+  using gcloud scc bqexports
+  ~> **Note:** In order to use Cloud SCC resources, your organization must be enrolled
+  in [SCC Standard/Premium](https://cloud.google.com/security-command-center/docs/quickstart-security-command-center).
+  Without doing so, you may run into errors during resource creation.
+references: !ruby/object:Api::Resource::ReferenceLinks
+  guides:
+    'Official Documentation': 'https://cloud.google.com/security-command-center/docs/how-to-analyze-findings-in-big-query'
+  api: 'https://cloud.google.com/security-command-center/docs/reference/rest/v2/projects.locations.bigQueryExports'
+examples:
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'scc_v2_project_big_query_export_config_basic'
+    primary_resource_id: 'custom_big_query_export_config'
+    external_providers: ["random", "time"]
+    skip_test: true
+    vars:
+      big_query_export_id: 'my-export'
+      dataset: 'my-dataset'
+      dataset_id: 'my_dataset_id'
+      name: 'my-export'
+    test_env_vars:
+      org_id: :ORG_ID
+      project: :PROJECT_NAME
+    ignore_read_extra:
+      - 'project'
+
+parameters:
+  - !ruby/object:Api::Type::String
+    name: bigQueryExportId
+    required: true
+    immutable: true
+    url_param_only: true
+    description: |
+      This must be unique within the organization.
+  - !ruby/object:Api::Type::String
+    name: location
+    immutable: true
+    url_param_only: true
+    default_value: global
+    description: |
+      location Id is provided by organization. If not provided, Use global as default.
+properties:
+  - !ruby/object:Api::Type::String
+    name: name
+    output: true
+    description: |
+      The resource name of this export, in the format
+      `projects/{{project}}/locations/{{location}}/bigQueryExports/{{big_query_export_id}}`.
+      This field is provided in responses, and is ignored when provided in create requests.
+  - !ruby/object:Api::Type::String
+    name: description
+    description: |
+      The description of the notification config (max of 1024 characters).
+    validation: !ruby/object:Provider::Terraform::Validation
+      function: 'validation.StringLenBetween(0, 1024)'
+  - !ruby/object:Api::Type::String
+    name: dataset
+    description: |
+      The dataset to write findings' updates to.
+      Its format is "projects/[projectId]/datasets/[bigquery_dataset_id]".
+      BigQuery Dataset unique ID must contain only letters (a-z, A-Z), numbers (0-9), or underscores (_).
+  - !ruby/object:Api::Type::String
+    name: createTime
+    output: true
+    description: |
+      The time at which the BigQuery export was created. This field is set by the server and will be ignored if provided on export on creation.
+      A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits.
+      Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
+  - !ruby/object:Api::Type::String
+    name: updateTime
+    output: true
+    description: |
+      The most recent time at which the BigQuery export was updated. This field is set by the server and will be ignored if provided on export creation or update.
+      A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits.
+      Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
+  - !ruby/object:Api::Type::String
+    name: mostRecentEditor
+    output: true
+    description: |
+      Email address of the user who last edited the BigQuery export.
+      This field is set by the server and will be ignored if provided on export creation or update.
+  - !ruby/object:Api::Type::String
+    name: principal
+    output: true
+    description: |
+      The service account that needs permission to create table and upload data to the BigQuery dataset.
+  - !ruby/object:Api::Type::String
+    name: filter
+    description: |
+      Expression that defines the filter to apply across create/update
+      events of findings. The
+      expression is a list of zero or more restrictions combined via
+      logical operators AND and OR. Parentheses are supported, and OR
+      has higher precedence than AND.
+
+      Restrictions have the form <field> <operator> <value> and may have
+      a - character in front of them to indicate negation. The fields
+      map to those defined in the corresponding resource.
+
+      The supported operators are:
+
+      * = for all value types.
+      * >, <, >=, <= for integer values.
+      * :, meaning substring matching, for strings.
+
+      The supported value types are:
+
+      * string literals in quotes.
+      * integer literals without quotes.
+      * boolean literals true and false without quotes.
+
+      See
+      [Filtering notifications](https://cloud.google.com/security-command-center/docs/how-to-api-filter-notifications)
+      for information on how to write a filter.
diff --git a/mmv1/templates/terraform/examples/scc_v2_project_big_query_export_config_basic.tf.erb b/mmv1/templates/terraform/examples/scc_v2_project_big_query_export_config_basic.tf.erb
@@ -0,0 +1,26 @@
+resource "google_bigquery_dataset" "default" {
+  dataset_id                  = "<%= ctx[:vars]['dataset_id'] %>"
+  friendly_name               = "test"
+  description                 = "This is a test description"
+  location                    = "US"
+  default_table_expiration_ms = 3600000
+  default_partition_expiration_ms = null
+
+  labels = {
+    env = "default"
+  }
+
+  lifecycle {
+    ignore_changes = [default_partition_expiration_ms]
+  }
+}
+
+resource "google_scc_v2_project_scc_big_query_exports" "<%= ctx[:primary_resource_id] %>" {
+  name         = "<%= ctx[:vars]['name'] %>"
+  big_query_export_id    = "<%= ctx[:vars]['big_query_export_id'] %>"
+  project      = "<%= ctx[:test_env_vars]['project'] %>"
+  dataset      = google_bigquery_dataset.default.id
+  location     = "global"
+  description  = "Cloud Security Command Center Findings Big Query Export Config"
+  filter       = "state=\"ACTIVE\" AND NOT mute=\"MUTED\""
+}
diff --git a/mmv1/third_party/terraform/services/container/go/resource_container_cluster.go.tmpl b/mmv1/third_party/terraform/services/container/go/resource_container_cluster.go.tmpl
@@ -2126,13 +2126,11 @@ func ResourceContainerCluster() *schema.Resource {
 				Description: `Configuration for Cloud DNS for Kubernetes Engine.`,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
-						{{- if ne $.TargetVersionName "ga" }}
 						"additive_vpc_scope_dns_domain": {
 							Type:         schema.TypeString,
 							Description:  `Enable additive VPC scope DNS in a GKE cluster.`,
 							Optional:     true,
 						},
-						{{- end }}
 						"cluster_dns": {
 							Type:         schema.TypeString,
 							Default:      "PROVIDER_UNSPECIFIED",
@@ -5488,9 +5486,7 @@ func expandDnsConfig(configured interface{}) *container.DNSConfig {
 
 	config := l[0].(map[string]interface{})
 	return &container.DNSConfig{
-{{- if ne $.TargetVersionName "ga" }}
 		AdditiveVpcScopeDnsDomain: 	config["additive_vpc_scope_dns_domain"].(string),
-{{- end }}
 		ClusterDns:       			config["cluster_dns"].(string),
 		ClusterDnsScope:  			config["cluster_dns_scope"].(string),
 		ClusterDnsDomain: 			config["cluster_dns_domain"].(string),
@@ -6402,9 +6398,7 @@ func flattenDnsConfig(c *container.DNSConfig) []map[string]interface{} {
 	}
 	return []map[string]interface{}{
 		{
-{{- if ne $.TargetVersionName "ga" }}
 			"additive_vpc_scope_dns_domain": 	c.AdditiveVpcScopeDnsDomain,
-{{- end }}
 			"cluster_dns":        				c.ClusterDns,
 			"cluster_dns_scope":  				c.ClusterDnsScope,
 			"cluster_dns_domain": 				c.ClusterDnsDomain,

diff --git a/mmv1/third_party/terraform/services/container/go/resource_container_cluster_test.go.tmpl b/mmv1/third_party/terraform/services/container/go/resource_container_cluster_test.go.tmpl
@@ -488,7 +488,6 @@ func TestAccContainerCluster_withFQDNNetworkPolicy(t *testing.T) {
 }
 {{- end }}
 
-{{ if ne $.TargetVersionName `ga` -}}
 func TestAccContainerCluster_withAdditiveVPC(t *testing.T) {
 	t.Parallel()
 
@@ -511,7 +510,6 @@ func TestAccContainerCluster_withAdditiveVPC(t *testing.T) {
 		},
 	})
 }
-{{- end }}
 
 func TestAccContainerCluster_withMasterAuthConfig_NoCert(t *testing.T) {
 	t.Parallel()
@@ -699,7 +697,6 @@ resource "google_container_cluster" "cluster" {
 `, clusterName, clusterName)
 }
 
-{{ if ne $.TargetVersionName `ga` -}}
 func testAccContainerCluster_withAdditiveVPC(clusterName string) string {
 	return fmt.Sprintf(`
 resource "google_container_cluster" "cluster" {
@@ -716,7 +713,6 @@ resource "google_container_cluster" "cluster" {
 }
 `, clusterName)
 }
-{{- end }}
 
 {{ if ne $.TargetVersionName `ga` -}}
 func testAccContainerCluster_withFQDNNetworkPolicy(clusterName string, enabled bool) string {

diff --git a/mmv1/third_party/terraform/services/container/node_config.go.erb b/mmv1/third_party/terraform/services/container/node_config.go.erb
@@ -78,6 +78,18 @@ func schemaContainerdConfig() *schema.Schema {
 	}
 }
 
+// Note: this is a bool internally, but implementing as an enum internally to
+// make it easier to accept API level defaults.
+func schemaInsecureKubeletReadonlyPortEnabled() *schema.Schema {
+	return &schema.Schema{
+		Type:         schema.TypeString,
+		Optional:     true,
+		Computed:     true,
+		Description:  "Controls whether the kubelet read-only port is enabled. It is strongly recommended to set this to `FALSE`. Possible values: `TRUE`, `FALSE`.",
+		ValidateFunc: validation.StringInSlice([]string{"FALSE","TRUE"}, false),
+	}
+}
+
 func schemaLoggingVariant() *schema.Schema {
 	return &schema.Schema{
 		Type: schema.TypeString,
@@ -605,6 +617,7 @@ func schemaNodeConfig() *schema.Schema {
 								Optional: true,
 								Description: `Set the CPU CFS quota period value 'cpu.cfs_period_us'.`,
 							},
+							"insecure_kubelet_readonly_port_enabled": schemaInsecureKubeletReadonlyPortEnabled(),
 							"pod_pids_limit": {
 								Type:        schema.TypeInt,
 								Optional:    true,
@@ -777,14 +790,20 @@ func schemaNodeConfig() *schema.Schema {
 }
 
 func expandNodeConfigDefaults(configured interface{}) *container.NodeConfigDefaults {
-        configs := configured.([]interface{})
+	configs := configured.([]interface{})
 	if len(configs) == 0 || configs[0] == nil {
 		return nil
 	}
 	config := configs[0].(map[string]interface{})
 
 	nodeConfigDefaults := &container.NodeConfigDefaults{}
 	nodeConfigDefaults.ContainerdConfig = expandContainerdConfig(config["containerd_config"])
+	if v, ok := config["insecure_kubelet_readonly_port_enabled"]; ok {
+		nodeConfigDefaults.NodeKubeletConfig = &container.NodeKubeletConfig{
+			InsecureKubeletReadonlyPortEnabled: expandInsecureKubeletReadonlyPortEnabled(v),
+			ForceSendFields: []string{"InsecureKubeletReadonlyPortEnabled"},
+		}
+	}
 	if variant, ok := config["logging_variant"]; ok {
 		nodeConfigDefaults.LoggingConfig = &container.NodePoolLoggingConfig{
 			VariantConfig: &container.LoggingVariantConfig{
@@ -793,14 +812,14 @@ func expandNodeConfigDefaults(configured interface{}) *container.NodeConfigDefau
 		}
 	}
 <% unless version == "ga" -%>
-        if v, ok := config["gcfs_config"]; ok && len(v.([]interface{})) > 0 {
-                gcfsConfig := v.([]interface{})[0].(map[string]interface{})
+	if v, ok := config["gcfs_config"]; ok && len(v.([]interface{})) > 0 {
+		gcfsConfig := v.([]interface{})[0].(map[string]interface{})
 		nodeConfigDefaults.GcfsConfig = &container.GcfsConfig{
 			Enabled: gcfsConfig["enabled"].(bool),
 		}
 	}
 <% end -%>
-        return nodeConfigDefaults
+	return nodeConfigDefaults
 }
 
 func expandNodeConfig(v interface{}) *container.NodeConfig {
@@ -1152,6 +1171,13 @@ func expandWorkloadMetadataConfig(v interface{}) *container.WorkloadMetadataConf
 	return wmc
 }
 
+func expandInsecureKubeletReadonlyPortEnabled(v interface{}) bool {
+	if v == "TRUE" {
+		return true
+	}
+	return false
+}
+
 func expandKubeletConfig(v interface{}) *container.NodeKubeletConfig {
 	if v == nil {
 		return nil
@@ -1172,6 +1198,10 @@ func expandKubeletConfig(v interface{}) *container.NodeKubeletConfig {
 	if cpuCfsQuotaPeriod, ok := cfg["cpu_cfs_quota_period"]; ok {
 		kConfig.CpuCfsQuotaPeriod = cpuCfsQuotaPeriod.(string)
 	}
+	if insecureKubeletReadonlyPortEnabled, ok := cfg["insecure_kubelet_readonly_port_enabled"]; ok {
+		kConfig.InsecureKubeletReadonlyPortEnabled = expandInsecureKubeletReadonlyPortEnabled(insecureKubeletReadonlyPortEnabled)
+		kConfig.ForceSendFields = append(kConfig.ForceSendFields, "InsecureKubeletReadonlyPortEnabled")
+	}
 	if podPidsLimit, ok := cfg["pod_pids_limit"]; ok {
 		kConfig.PodPidsLimit = int64(podPidsLimit.(int))
 	}
@@ -1380,6 +1410,8 @@ func flattenNodeConfigDefaults(c *container.NodeConfigDefaults) []map[string]int
 
 	result[0]["containerd_config"] = flattenContainerdConfig(c.ContainerdConfig)
 
+	result[0]["insecure_kubelet_readonly_port_enabled"] = flattenInsecureKubeletReadonlyPortEnabled(c.NodeKubeletConfig)
+
 	result[0]["logging_variant"] = flattenLoggingVariant(c.LoggingConfig)
 
 <% unless version == 'ga' -%>
@@ -1572,6 +1604,14 @@ func flattenSecondaryBootDisks(c []*container.SecondaryBootDisk) []map[string]in
 	return result
 }
 
+func flattenInsecureKubeletReadonlyPortEnabled(c *container.NodeKubeletConfig) string {
+	// Convert bool from the API to the enum values used internally
+	if c != nil && c.InsecureKubeletReadonlyPortEnabled {
+		return "TRUE"
+	}
+	return "FALSE"
+}
+
 func flattenLoggingVariant(c *container.NodePoolLoggingConfig) string {
 	variant := "DEFAULT"
 	if c != nil && c.VariantConfig != nil && c.VariantConfig.Variant != "" {
@@ -1721,10 +1761,11 @@ func flattenKubeletConfig(c *container.NodeKubeletConfig) []map[string]interface
 	result := []map[string]interface{}{}
 	if c != nil {
 		result = append(result, map[string]interface{}{
-			"cpu_cfs_quota":        c.CpuCfsQuota,
-			"cpu_cfs_quota_period": c.CpuCfsQuotaPeriod,
-			"cpu_manager_policy":   c.CpuManagerPolicy,
-			"pod_pids_limit":       c.PodPidsLimit,
+			"cpu_cfs_quota":                          c.CpuCfsQuota,
+			"cpu_cfs_quota_period":                   c.CpuCfsQuotaPeriod,
+			"cpu_manager_policy":                     c.CpuManagerPolicy,
+			"insecure_kubelet_readonly_port_enabled": flattenInsecureKubeletReadonlyPortEnabled(c),
+			"pod_pids_limit":                         c.PodPidsLimit,
 		})
 	}
 	return result