diff --git a/.changelog/12397.txt b/.changelog/12397.txt new file mode 100644 index 00000000000..0e000864112 --- /dev/null +++ b/.changelog/12397.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +dataproc: added `confidential_instance_config` field to `google_dataproc_cluster` resource +``` \ No newline at end of file diff --git a/google/services/dataproc/resource_dataproc_cluster.go b/google/services/dataproc/resource_dataproc_cluster.go index d9938ef534c..c8f2ccca6e6 100644 --- a/google/services/dataproc/resource_dataproc_cluster.go +++ b/google/services/dataproc/resource_dataproc_cluster.go @@ -64,6 +64,7 @@ var ( "cluster_config.0.gce_cluster_config.0.metadata", "cluster_config.0.gce_cluster_config.0.reservation_affinity", "cluster_config.0.gce_cluster_config.0.node_group_affinity", + "cluster_config.0.gce_cluster_config.0.confidential_instance_config", } schieldedInstanceConfigKeys = []string{ @@ -78,6 +79,10 @@ var ( "cluster_config.0.gce_cluster_config.0.reservation_affinity.0.values", } + confidentialInstanceConfigKeys = []string{ + "cluster_config.0.gce_cluster_config.0.confidential_instance_config.0.enable_confidential_compute", + } + masterDiskConfigKeys = diskConfigKeys("master_config") workerDiskConfigKeys = diskConfigKeys("worker_config") preemptibleWorkerDiskConfigKeys = diskConfigKeys("preemptible_worker_config") 
@@ -759,6 +764,26 @@ func ResourceDataprocCluster() *schema.Resource { }, }, }, + "confidential_instance_config": { + Type: schema.TypeList, + Optional: true, + AtLeastOneOf: gceClusterConfigKeys, + Computed: true, + MaxItems: 1, + Description: `Confidential Instance Config for clusters using Compute Engine Confidential VMs.`, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "enable_confidential_compute": { + Type: schema.TypeBool, + Optional: true, + Default: false, + AtLeastOneOf: confidentialInstanceConfigKeys, + ForceNew: true, + Description: `Defines whether the instance should have confidential compute enabled.`, + }, + }, + }, + }, }, }, }, @@ -2248,6 +2273,13 @@ func expandGceClusterConfig(d *schema.ResourceData, config *transport_tpg.Config conf.NodeGroupAffinity.NodeGroupUri = v.(string) } } + if v, ok := d.GetOk("cluster_config.0.gce_cluster_config.0.confidential_instance_config"); ok { + cfgCic := v.([]interface{})[0].(map[string]interface{}) + conf.ConfidentialInstanceConfig = &dataproc.ConfidentialInstanceConfig{} + if v, ok := cfgCic["enable_confidential_compute"]; ok { + conf.ConfidentialInstanceConfig.EnableConfidentialCompute = v.(bool) + } + } return conf, nil } @@ -3196,6 +3228,13 @@ func flattenGceClusterConfig(d *schema.ResourceData, gcc *dataproc.GceClusterCon }, } } + if gcc.ConfidentialInstanceConfig != nil { + gceConfig["confidential_instance_config"] = []map[string]interface{}{ + { + "enable_confidential_compute": gcc.ConfidentialInstanceConfig.EnableConfidentialCompute, + }, + } + } return []map[string]interface{}{gceConfig} } diff --git a/google/services/dataproc/resource_dataproc_cluster_test.go b/google/services/dataproc/resource_dataproc_cluster_test.go index db38621a262..0b92bea3c1b 100644 --- a/google/services/dataproc/resource_dataproc_cluster_test.go +++ b/google/services/dataproc/resource_dataproc_cluster_test.go 
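Review bot: The Description of `enable_confidential_compute` in hunk @@ -759 does not tell the user that the field is ForceNew, so toggling it after creation replaces the whole cluster, nor that the setting has hardware prerequisites; the acceptance test in this commit pins `n2d-standard-2` with `min_cpu_platform = "AMD Rome"` for both node groups, which suggests such a requirement — confirm it against the Dataproc documentation before stating it. Suggested: `Description: \`Defines whether the instance should have confidential compute enabled. Changing this forces a new cluster; master and worker machine types must support Confidential VMs.\``. The outer block is `Optional` and `Computed` while only the nested field is ForceNew, so removing the block from configuration produces no diff and leaves the API value in state; if that is intended, a one-line comment above `"confidential_instance_config": {` saying so would save the next reader a trip through the SDK semantics. ResourceDataprocCluster starts and ends outside the hunk.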
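Review bot: In hunk @@ -2248, `v.([]interface{})[0].(map[string]interface{})` asserts the element type without checking it; if the list element is nil (the SDK can hand back `[]interface{}{nil}` for an empty nested block — the nested field's `Default: false` may avoid that here, confirm) the provider panics instead of returning an error. Guarding the element before the assertion keeps the expander robust and costs nothing; the rewritten lines are below. The expandGceClusterConfig body starts outside the hunk.
```go
	if v, ok := d.GetOk("cluster_config.0.gce_cluster_config.0.confidential_instance_config"); ok {
		conf.ConfidentialInstanceConfig = &dataproc.ConfidentialInstanceConfig{}
		// An empty block may yield a nil element; skip the map assertion rather than panic.
		if l := v.([]interface{}); len(l) > 0 && l[0] != nil {
			cfgCic := l[0].(map[string]interface{})
			if ecc, ok := cfgCic["enable_confidential_compute"]; ok {
				conf.ConfidentialInstanceConfig.EnableConfidentialCompute = ecc.(bool)
			}
		}
	}
	// … unchanged: return conf, nil …
```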
@@ -258,6 +258,51 @@ func TestAccDataprocCluster_withInternalIpOnlyTrueAndShieldedConfig(t *testing.T }) } +func TestAccDataprocCluster_withConfidentialCompute(t *testing.T) { + t.Parallel() + + var cluster dataproc.Cluster + rnd := acctest.RandString(t, 10) + networkName := acctest.BootstrapSharedTestNetwork(t, "dataproc-cluster") + subnetworkName := acctest.BootstrapSubnet(t, "dataproc-cluster", networkName) + acctest.BootstrapFirewallForDataprocSharedNetwork(t, "dataproc-cluster", networkName) + imageUri := "https://www.googleapis.com/compute/v1/projects/cloud-dataproc/global/images/dataproc-2-1-ubu20-20241026-165100-rc01" + + acctest.VcrTest(t, resource.TestCase{ + PreCheck: func() { acctest.AccTestPreCheck(t) }, + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t), + CheckDestroy: testAccCheckDataprocClusterDestroy(t), + Steps: []resource.TestStep{ + { + Config: testAccDataprocCluster_withConfidentialCompute(rnd, subnetworkName, imageUri), + Check: resource.ComposeTestCheckFunc( + testAccCheckDataprocClusterExists(t, "google_dataproc_cluster.confidential", &cluster), + + // Check confidential compute + resource.TestCheckResourceAttr("google_dataproc_cluster.confidential", + "cluster_config.0.gce_cluster_config.0.confidential_instance_config.0.enable_confidential_compute", "true"), + + // Check master + resource.TestCheckResourceAttr("google_dataproc_cluster.confidential", + "cluster_config.0.master_config.0.machine_type", "n2d-standard-2"), + resource.TestCheckResourceAttr("google_dataproc_cluster.confidential", + "cluster_config.0.master_config.0.image_uri", imageUri), + resource.TestCheckResourceAttr("google_dataproc_cluster.confidential", + "cluster_config.0.master_config.0.min_cpu_platform", "AMD Rome"), + + // Check worker + resource.TestCheckResourceAttr("google_dataproc_cluster.confidential", + "cluster_config.0.worker_config.0.machine_type", "n2d-standard-2"), + resource.TestCheckResourceAttr("google_dataproc_cluster.confidential", + 
"cluster_config.0.worker_config.0.image_uri", imageUri), + resource.TestCheckResourceAttr("google_dataproc_cluster.confidential", + "cluster_config.0.worker_config.0.min_cpu_platform", "AMD Rome"), + ), + }, + }, + }) +} + func TestAccDataprocCluster_withMetadataAndTags(t *testing.T) { t.Parallel() @@ -1540,6 +1585,36 @@ resource "google_dataproc_cluster" "basic" { `, rnd, rnd, rnd, rnd) } +func testAccDataprocCluster_withConfidentialCompute(rnd, subnetworkName string, imageUri string) string { + return fmt.Sprintf(` +resource "google_dataproc_cluster" "confidential" { + name = "tf-test-dproc-%s" + region = "us-central1" + + cluster_config { + gce_cluster_config { + subnetwork = "%s" + confidential_instance_config { + enable_confidential_compute = true + } + } + + master_config { + machine_type = "n2d-standard-2" + image_uri = "%s" + min_cpu_platform = "AMD Rome" + } + + worker_config { + machine_type = "n2d-standard-2" + image_uri = "%s" + min_cpu_platform = "AMD Rome" + } + } +} +`, rnd, subnetworkName, imageUri, imageUri) +} + func testAccDataprocCluster_withMetadataAndTags(rnd, subnetworkName string) string { return fmt.Sprintf(` resource "google_dataproc_cluster" "basic" { diff --git a/website/docs/r/dataproc_cluster.html.markdown b/website/docs/r/dataproc_cluster.html.markdown index 926e19d6d59..fcfb4bdbfee 100644 --- a/website/docs/r/dataproc_cluster.html.markdown +++ b/website/docs/r/dataproc_cluster.html.markdown 
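Review bot: The test in hunk @@ -258 captures the API object in `cluster` through testAccCheckDataprocClusterExists but never inspects it, so the `enable_confidential_compute` assertion only confirms that the value round-trips through state via the flattener, not that the API actually applied the setting. Adding a resource.TestCheckFunc over the captured object, along the lines of `if c := cluster.Config.GceClusterConfig.ConfidentialInstanceConfig; c == nil || !c.EnableConfidentialCompute { return fmt.Errorf("confidential compute not enabled on %s", cluster.ClusterName) }`, would verify the API-side result. The `imageUri` value pins a dated release-candidate image (`dataproc-2-1-ubu20-20241026-165100-rc01`), which will go stale; a short comment above it stating why a fixed image is required (presumably confidential-compute support in the image) would help whoever has to refresh it. Go naming would also spell the local `imageURI`.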
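Review bot: The signature in hunk @@ -1540, `func testAccDataprocCluster_withConfidentialCompute(rnd, subnetworkName string, imageUri string) string`, splits three string parameters into two groups for no reason; `rnd, subnetworkName, imageUri string` reads the same and matches the sibling `testAccDataprocCluster_withMetadataAndTags(rnd, subnetworkName string)` style. A one-line doc comment naming what the fixture exercises (confidential VMs on n2d master and worker nodes with a pinned image) would make the helper self-describing when it is found from the test.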
@@ -448,6 +448,9 @@ resource "google_dataproc_cluster" "accelerated_cluster" { * `node_group_affinity` - (Optional) Node Group Affinity for sole-tenant clusters. * `node_group_uri` - (Required) The URI of a sole-tenant node group resource that the cluster will be created on. +* `confidential_instance_config` - (Optional) Confidential Instance Config for clusters using [Confidential VMs](https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/confidential-compute) + * `enable_confidential_compute` - (Optional) Defines whether the instance should have confidential compute enabled. + * `shielded_instance_config` (Optional) Shielded Instance Config for clusters using [Compute Engine Shielded VMs](https://cloud.google.com/security/shielded-cloud/shielded-vm). - - -