Add policycontroller fields to fleet default configs for GKE Hub Feature resource

mmv1/products/gkehub2/Feature.yaml

@@ -93,6 +93,11 @@ examples:
     skip_test: true
     primary_resource_name: 'fmt.Sprintf("configmanagement")'
     primary_resource_id: 'feature'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'enable_fleet_default_member_config_policycontroller'
+    skip_test: true
+    primary_resource_name: 'fmt.Sprintf("policycontroller")'
+    primary_resource_id: 'feature'
 autogen_async: true
 # Skip sweeper gen since this is a child resource.
 skip_sweeper: true
@@ -259,6 +264,161 @@ properties:
                   - !ruby/object:Api::Type::String
                     name: version
                     description: 'Version of ACM installed'
+      - !ruby/object:Api::Type::NestedObject
+        name: policycontroller
+        description: Policy Controller spec
+        properties:
+          - !ruby/object:Api::Type::String
+            name: version
+            description: 'Configures the version of Policy Controller'
+            default_from_api: true
+          - !ruby/object:Api::Type::NestedObject
+            name: policyControllerHubConfig
+            description: 'Configuration of Policy Controller'
+            required: true
+            properties:
+              - !ruby/object:Api::Type::Enum
+                name: installSpec
+                description: 'Configures the mode of the Policy Controller installation'
+                values:
+                  - :INSTALL_SPEC_UNSPECIFIED
+                  - :INSTALL_SPEC_NOT_INSTALLED
+                  - :INSTALL_SPEC_ENABLED
+                  - :INSTALL_SPEC_SUSPENDED
+                  - :INSTALL_SPEC_DETACHED
+                required: true
+              - !ruby/object:Api::Type::Integer
+                name: auditIntervalSeconds
+                description: 'Interval for Policy Controller Audit scans (in seconds). When set to 0, this disables audit functionality altogether.'
+              - !ruby/object:Api::Type::Array
+                name: exemptableNamespaces
+                description: 'The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.'
+                item_type: Api::Type::String
+              - !ruby/object:Api::Type::Boolean
+                name: logDeniesEnabled
+                description: 'Logs all denies and dry run failures.'
+              - !ruby/object:Api::Type::Boolean
+                name: mutationEnabled
+                description: 'Enables the ability to mutate resources using Policy Controller.'
+              - !ruby/object:Api::Type::Boolean
+                name: referentialRulesEnabled
+                description: 'Enables the ability to use Constraint Templates that reference to objects other than the object currently being evaluated.'
+              - !ruby/object:Api::Type::NestedObject
+                name: monitoring
+                description: 'Monitoring specifies the configuration of monitoring Policy Controller.'
+                default_from_api: true
+                properties:
+                  - !ruby/object:Api::Type::Array
+                    name: backends
+                    description: 'Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export.'
+                    default_from_api: true
+                    item_type: !ruby/object:Api::Type::Enum
+                      name: 'required but unused'
+                      description: 'required but unused'
+                      values:
+                        - :MONITORING_BACKEND_UNSPECIFIED
+                        - :PROMETHEUS
+                        - :CLOUD_MONITORING
+              - !ruby/object:Api::Type::Integer
+                name: constraintViolationLimit
+                description: 'The maximum number of audit violations to be stored in a constraint. If not set, the internal default of 20 will be used.'
+              - !ruby/object:Api::Type::Map
+                name: deploymentConfigs
+                description: 'Map of deployment configs to deployments ("admission", "audit", "mutation").'
+                key_name: component
+                key_description: 'Specifies which component to apply the deployment config to. Accepted values are "admission", "audit" and "mutation".'
+                default_from_api: true
+                value_type: !ruby/object:Api::Type::NestedObject
+                  name: deploymentConfig
+                  description: 'Configures deployment-specific options, such as high availability.'
+                  properties:
+                    - !ruby/object:Api::Type::Integer
+                      name: replicaCount
+                      description: 'Pod replica count.'
+                      send_empty_value: false
+                      default_from_api: true
+                    - !ruby/object:Api::Type::NestedObject
+                      name: containerResources
+                      description: 'Container resource requirements.'
+                      properties:
+                        - !ruby/object:Api::Type::NestedObject
+                          name: limits
+                          description: 'Limits describes the maximum amount of compute resources allowed for use by the running container.'
+                          properties:
+                            - !ruby/object:Api::Type::String
+                              name: memory
+                              description: 'Memory requirement expressed in Kubernetes resource units.'
+                            - !ruby/object:Api::Type::String
+                              name: cpu
+                              description: 'CPU requirement expressed in Kubernetes resource units.'
+                        - !ruby/object:Api::Type::NestedObject
+                          name: requests
+                          description: 'Requests describes the amount of compute resources reserved for the container by the kube-scheduler.'
+                          properties:
+                            - !ruby/object:Api::Type::String
+                              name: memory
+                              description: 'Memory requirement expressed in Kubernetes resource units.'
+                            - !ruby/object:Api::Type::String
+                              name: cpu
+                              description: 'CPU requirement expressed in Kubernetes resource units.'
+                    - !ruby/object:Api::Type::Enum
+                      name: podAffinity
+                      description: 'Pod affinity configuration.'
+                      default_from_api: true
+                      values:
+                        - :AFFINITY_UNSPECIFIED
+                        - :NO_AFFINITY
+                        - :ANTI_AFFINITY
+                    - !ruby/object:Api::Type::Array
+                      name: podToleration
+                      api_name: podTolerations
+                      description: 'Pod tolerations of node taints.'
+                      item_type: !ruby/object:Api::Type::NestedObject
+                        name: 'required but unused'
+                        description: 'required but unused'
+                        properties:
+                          - !ruby/object:Api::Type::String
+                            name: key
+                            description: 'Matches a taint key (not necessarily unique).'
+                          - !ruby/object:Api::Type::String
+                            name: operator
+                            description: 'Matches a taint operator.'
+                          - !ruby/object:Api::Type::String
+                            name: value
+                            description: 'Matches a taint value.'
+                          - !ruby/object:Api::Type::String
+                            name: effect
+                            description: 'Matches a taint effect.'
+              - !ruby/object:Api::Type::NestedObject
+                name: policyContent
+                description: 'Specifies the desired policy content on the cluster.'
+                # default_from_api: true
+                properties:
+                  - !ruby/object:Api::Type::NestedObject
+                    name: templateLibrary
+                    description: 'Configures the installation of the Template Library.'
+                    default_from_api: true
+                    properties:
+                      - !ruby/object:Api::Type::Enum
+                        name: installation
+                        description: 'Configures the manner in which the template library is installed on the cluster.'
+                        values:
+                          - :INSTALATION_UNSPECIFIED
+                          - :NOT_INSTALLED
+                          - :ALL
+                  - !ruby/object:Api::Type::Map
+                    name: bundles
+                    description: 'Configures which bundles to install and their corresponding install specs.'
+                    key_name: bundle
+                    key_description: 'A bundle name supported in this version. Values configure the exempted namespaces for this bundle.'
+                    value_type: !ruby/object:Api::Type::NestedObject
+                      name: bundleInstallSpec
+                      description: 'The specification configuration for a single managed bundle.'
+                      properties:
+                        - !ruby/object:Api::Type::Array
+                          name: exemptedNamespaces
+                          description: 'The set of namespaces to be exempted from the bundle.'
+                          item_type: Api::Type::String
   - !ruby/object:Api::Type::NestedObject
     name: state
     description: Output only. The Hub-wide Feature state

mmv1/templates/terraform/custom_expand/gkehub2_feature_policycontroller_deployment_configs.go.erb

@@ -0,0 +1,66 @@
+func expand<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+  if v == nil {
+    return nil, nil
+  }
+
+  m, ok := v.([]interface{})
+  if !ok {
+    return nil, fmt.Errorf("unable to convert %v to []interface{}", v)
+  }
+  req := make(map[string]interface{})
+  for _, raw := range m {
+    if raw == nil {
+      continue
+    }
+
+    deploymentConfig := raw.(map[string]interface{})
+    log.Printf("WTF*** config is: %v\n", deploymentConfig)
+    componentName := deploymentConfig["component"].(string)
+    delete(deploymentConfig, "component")
+
+    if v, ok := deploymentConfig["pod_toleration"]; ok {
+      deploymentConfig["pod_tolerations"] = v
+      delete(deploymentConfig, "pod_toleration")
+    }
+
+    if v, ok := deploymentConfig["pod_affinity"]; ok {
+      pa := v.(string)
+      if pa == "" {
+        delete(deploymentConfig, "pod_affinity")
+      }
+    }
+
+    if v, ok := deploymentConfig["replica_count"]; ok {
+      rc := v.(int)
+      if rc == 0 {
+        delete(deploymentConfig, "replica_count")
+      }
+    }
+
+    // Somehow the container_resources field gets encoded unexpectedly into an array. Fix that.
+    if v, ok := deploymentConfig["container_resources"]; ok {
+      if arr, ok := v.([]interface{}); ok && len(arr) == 1 {
+        actualCR := arr[0].(map[string]interface{})
+        if l, ok := actualCR["limits"]; ok {
+          if lArr, ok := l.([]interface{}); ok && len(lArr) == 1 {
+            actualLimits := lArr[0].(map[string]interface{})
+            actualCR["limits"] = actualLimits
+          }
+        }
+        if r, ok := actualCR["requests"]; ok {
+          if rArr, ok := r.([]interface{}); ok && len(rArr) == 1 {
+            actualRequests := rArr[0].(map[string]interface{})
+            actualCR["requests"] = actualRequests
+          }
+        }
+        deploymentConfig["container_resources"] = actualCR
+      } else if ok && len(arr) == 0 {
+        delete(deploymentConfig, "container_resources")
+      }
+    }
+
+    req[componentName] = deploymentConfig
+  }
+
+  return req, nil
+}

mmv1/templates/terraform/custom_expand/gkehub2_feature_policycontroller_policy_content_bundles.go.erb

@@ -0,0 +1,23 @@
+func expand<%= prefix -%><%= titlelize_property(property) -%>(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+  if v == nil {
+    return nil, nil
+  }
+
+  m, ok := v.([]interface{})
+  if !ok {
+    return nil, fmt.Errorf("unable to convert %v to []interface{}", v)
+  }
+  req := make(map[string]interface{})
+  for _, raw := range m {
+    if raw == nil {
+      continue
+    }
+
+    bundleObj := raw.(map[string]interface{})
+    bundleName := bundleObj["name"].(string)
+    delete(bundleObj, "name")
+    req[bundleName] = bundleObj
+  }
+
+  return req, nil
+}

mmv1/templates/terraform/examples/enable_fleet_default_member_config_policycontroller.tf.erb

@@ -0,0 +1,23 @@
+resource "google_gke_hub_feature" "feature" {
+  name = "policycontroller"
+  location = "global"
+  fleet_default_member_config {
+    policycontroller {
+      policy_controller_hub_config {
+        install_spec = "INSTALL_SPEC_ENABLED"
+        exemptable_namespaces = ["foo"]
+        policy_content {
+          bundle {
+            name = "policy-essentials-v2022"
+            exempted_namespaces = ["foo", "bar"]
+          }
+          template_library {
+            installation = "ALL"
+          }
+        }
+        audit_interval_seconds = 30
+        referential_rules_enabled = true
+      }
+    }
+  }
+}