hashicorp · modular-magician · Oct 5, 2021 · Oct 5, 2021
diff --git a/.changelog/5277.txt b/.changelog/5277.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+composer: added field `enable_ip_masq_agent` to resource `google_composer_environment` (beta)
+```
diff --git a/google-beta/resource_composer_environment.go b/google-beta/resource_composer_environment.go
@@ -203,6 +203,13 @@ func resourceComposerEnvironment() *schema.Resource {
 										ValidateFunc: validation.IntBetween(8, 110),
 										Description:  `The maximum pods per node in the GKE cluster allocated during environment creation. Lowering this value reduces IP address consumption by the Cloud Composer Kubernetes cluster. This value can only be set during environment creation, and only if the environment is VPC-Native. The range of possible values is 8-110, and the default is 32.`,
 									},
+									"enable_ip_masq_agent": {
+										Type:        schema.TypeBool,
+										Computed:    true,
+										Optional:    true,
+										ForceNew:    true,
+										Description: `Deploys 'ip-masq-agent' daemon set in the GKE cluster and defines nonMasqueradeCIDRs equals to pod IP range so IP masquerading is used for all destination addresses, except between pods traffic. See: https://cloud.google.com/kubernetes-engine/docs/how-to/ip-masquerade-agent`,
+									},
 									"tags": {
 										Type:     schema.TypeSet,
 										Optional: true,
@@ -995,6 +1002,7 @@ func flattenComposerEnvironmentConfigNodeConfig(nodeCfg *composer.NodeConfig) in
 	transformed["service_account"] = nodeCfg.ServiceAccount
 	transformed["oauth_scopes"] = flattenComposerEnvironmentConfigNodeConfigOauthScopes(nodeCfg.OauthScopes)
 	transformed["max_pods_per_node"] = nodeCfg.MaxPodsPerNode
+	transformed["enable_ip_masq_agent"] = nodeCfg.EnableIpMasqAgent
 	transformed["tags"] = flattenComposerEnvironmentConfigNodeConfigTags(nodeCfg.Tags)
 	transformed["ip_allocation_policy"] = flattenComposerEnvironmentConfigNodeConfigIPAllocationPolicy(nodeCfg.IpAllocationPolicy)
 	return []interface{}{transformed}
@@ -1273,6 +1281,10 @@ func expandComposerEnvironmentConfigNodeConfig(v interface{}, d *schema.Resource
 		transformed.MaxPodsPerNode = int64(transformedMaxPodsPerNode.(int))
 	}
 
+	if transformedEnableIpMasqAgent, ok := original["enable_ip_masq_agent"]; ok {
+		transformed.EnableIpMasqAgent = transformedEnableIpMasqAgent.(bool)
+	}
+
 	var nodeConfigZone string
 	if v, ok := original["zone"]; ok {
 		transformedZone, err := expandComposerEnvironmentZone(v, d, config)

diff --git a/google-beta/resource_composer_environment_test.go b/google-beta/resource_composer_environment_test.go
@@ -997,15 +997,16 @@ func testAccComposerEnvironment_nodeCfg(environment, network, subnetwork, servic
 	return fmt.Sprintf(`
 resource "google_composer_environment" "test" {
 	name   = "%s"
-	region = "us-central1"
+	region = "us-east1"  # later should be changed to us-central1, when ip_masq_agent feature is accessible globally
 	config {
 		node_config {
 			network    = google_compute_network.test.self_link
 			subnetwork = google_compute_subnetwork.test.self_link
-			zone       = "us-central1-a"
+			zone       = "us-east1-b"   # later should be changed to us-central1-a, when ip_masq_agent feature is accessible globally
 
 			service_account = google_service_account.test.name
 			max_pods_per_node = 33
+			enable_ip_masq_agent = true
 			ip_allocation_policy {
 				use_ip_aliases          = true
 				cluster_ipv4_cidr_block = "10.0.0.0/16"
@@ -1023,7 +1024,7 @@ resource "google_compute_network" "test" {
 resource "google_compute_subnetwork" "test" {
 	name          = "%s"
 	ip_cidr_range = "10.2.0.0/16"
-	region        = "us-central1"
+	region        = "us-east1"  # later should be changed to us-central1, when ip_masq_agent feature is accessible globally
 	network       = google_compute_network.test.self_link
 }
 

diff --git a/google-beta/resource_gke_hub_feature_membership_test.go b/google-beta/resource_gke_hub_feature_membership_test.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"testing"
 
-	dcl "github.com/GoogleCloudPlatform/declarative-resource-client-library/dcl"
+	"github.com/GoogleCloudPlatform/declarative-resource-client-library/dcl"
 	gkehub "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/gkehub/beta"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"

diff --git a/website/docs/r/composer_environment.html.markdown b/website/docs/r/composer_environment.html.markdown
@@ -259,6 +259,13 @@ The `node_config` block supports:
   The range of possible values is 8-110, and the default is 32.
   Cannot be updated.
 
+* `enable_ip_masq_agent` -
+  (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html))
+  Deploys 'ip-masq-agent' daemon set in the GKE cluster and defines
+  nonMasqueradeCIDRs equals to pod IP range so IP masquerading is used for
+  all destination addresses, except between pods traffic.
+  See the [documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/ip-masquerade-agent).
+
 The `software_config` block supports:
 
 * `airflow_config_overrides` -