hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Support Resource Manager Tags for GKE #16614

Open maxi-cit opened 9 months ago

maxi-cit commented 9 months ago

Community Note

Description

Currently, only VMs and Instances have Resource Manager Tags support. This will allow setting custom firewall rules for the nodes that belong to a GKE Cluster.

New or Affected Resource(s)

Potential Terraform Configuration

node_config = {
...
    resource_manager_tags = {
      "tagKeys/${google_tags_tag_key.key.name}" = "tagValues/${google_tags_tag_value.value.name}"
    }
...
}

References

b/315953619

bcorbitt-ps commented 6 months ago

Question on what was implemented in https://github.com/GoogleCloudPlatform/magic-modules/pull/9531. It appears to me that resource_manager_tags was implemented for the node_config block within the google_container_cluster resource and has not been implemented (yet?) in google_container_node_pool, making this applicable only for the default pool. Is that accurate?

maxi-cit commented 6 months ago

Hello @bcorbitt-ps, the node_pool resource references the same object (node_config) as the cluster resource, so it may seem that it is only implemented for clusters. I added a usage example for 'node_pools' in the tests.

Let me know if you find something to fix.

bcorbitt-ps commented 6 months ago

Thanks for the reply @maxi-cit. Everything planned and applied, but I was unable to "see" the tags anywhere (nothing in the console, nothing returned for gcloud resource-manager tags bindings list), but it appears I may not have found just the right command. gcloud beta container node-pools describe <node-pool> --format="value(config.resourceManagerTags)" appears to be that command. Now I just need to verify that the tag alone (without a binding?) is sufficient to inherit a rule. Thanks a bunch for the contribution here!
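The configuration below is an added example, not code from the issue, the provider's documentation, or the linked PR. It puts the resource_manager_tags map from the issue on a separate google_container_node_pool (the case asked about above) and shows the tag being consumed by a network firewall policy rule, which is the use case the issue describes. The project id, network name, region, CIDR and port are placeholders; the purpose/purpose_data attributes on the tag key and the firewall policy resources are this example's assumptions about how a secure tag is wired up, not something the issue states.

```hcl
# Added example: secure tag key/value, a GKE cluster with a separate node pool
# carrying the tag, and a firewall policy rule that targets that tag.
# All names and values are placeholders (assumptions, not from the issue).

variable "project_id" {
  default = "my-project-id" # placeholder
}

resource "google_compute_network" "vpc" {
  name                    = "gke-vpc"
  auto_create_subnetworks = true
}

# A tag key with purpose GCE_FIREWALL is scoped to one network so that
# firewall policy rules can match on its values (assumption in this example).
resource "google_tags_tag_key" "key" {
  parent       = "projects/${var.project_id}"
  short_name   = "gke-role"
  purpose      = "GCE_FIREWALL"
  purpose_data = { network = "${var.project_id}/${google_compute_network.vpc.name}" }
}

resource "google_tags_tag_value" "value" {
  parent     = "tagKeys/${google_tags_tag_key.key.name}"
  short_name = "workers"
}

resource "google_container_cluster" "primary" {
  name                     = "tagged-cluster"
  location                 = "us-central1"
  network                  = google_compute_network.vpc.name
  remove_default_node_pool = true
  initial_node_count       = 1
}

# The tag lives on the node pool's node_config, not only on the cluster's
# default pool: same map shape as in the issue (tagKeys/<id> => tagValues/<id>).
resource "google_container_node_pool" "workers" {
  name       = "workers"
  cluster    = google_container_cluster.primary.name
  location   = google_container_cluster.primary.location
  node_count = 1

  node_config {
    machine_type = "e2-medium"
    resource_manager_tags = {
      "tagKeys/${google_tags_tag_key.key.name}" = "tagValues/${google_tags_tag_value.value.name}"
    }
  }
}

resource "google_compute_network_firewall_policy" "policy" {
  name = "gke-policy"
}

resource "google_compute_network_firewall_policy_association" "assoc" {
  name              = "gke-policy-assoc"
  attachment_target = google_compute_network.vpc.id
  firewall_policy   = google_compute_network_firewall_policy.policy.name
}

# Only nodes that carry the tag value match this rule; untagged nodes in the
# same network are unaffected. Logging is on so matches show up in VPC
# firewall logs.
resource "google_compute_network_firewall_policy_rule" "allow_internal_https" {
  firewall_policy = google_compute_network_firewall_policy.policy.name
  priority        = 1000
  direction       = "INGRESS"
  action          = "allow"
  enable_logging  = true

  match {
    src_ip_ranges = ["10.0.0.0/8"] # placeholder internal range
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["443"]
    }
  }

  target_secure_tags {
    name = "tagValues/${google_tags_tag_value.value.name}"
  }
}
```

After apply, the check from the comment above applies to the node pool rather than the cluster: gcloud beta container node-pools describe workers --cluster tagged-cluster --location us-central1 --format="value(config.resourceManagerTags)" should list the tagKeys/tagValues pair, and the rule's firewall logs are where to confirm that tagged nodes, and only tagged nodes, are matching it.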

sanmaym commented 6 months ago

I also followed up on this and found this public documentation page. I think we need to incorporate "autoprovisioning-resource-manager-tags" support in the container-cluster resource to apply all secure tags at a cluster level?

Cluster-level setting

GKE applies the tags to all new auto-provisioned node pools in the cluster. If you use this flag on an existing cluster, existing node pools retain any tags that were applied before the update.

maxi-cit commented 5 months ago

Hello @sanmaym, I added support for auto-provisioned clusters in this PR. In case there isn't anything more to add, I think we can close this issue.

sanmaym commented 5 months ago

@maxi-cit thank you so much