Support Resource Manager Tags for GKE #16614

Open
maxi-cit opened this issue Nov 28, 2023 · 6 comments

maxi-cit commented Nov 28, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

Currently, only VMs and Instance have Resource Manager Tags support.
This will allow setting custom firewall rules within the nodes that belong to a GKE Cluster.

New or Affected Resource(s)

  • google_container_cluster
  • google_container_node_pool

Potential Terraform Configuration

node_config {
  # ...
  resource_manager_tags = {
    "tagKeys/${google_tags_tag_key.key.name}" = "tagValues/${google_tags_tag_value.value.name}"
  }
  # ...
}

References

b/315953619

@bcorbitt-ps

Question on what was implemented in GoogleCloudPlatform/magic-modules#9531.
It appears to me that resource_manager_tags was implemented for the node_config block within the google_container_cluster resource and has not been implemented (yet?) in google_container_node_pool, making this applicable only for the default pool. Is that accurate?


maxi-cit commented Mar 5, 2024

Hello @bcorbitt-ps, the node_pool resource references the same object (node_config) as the cluster resource, so it may seem that it is only implemented for clusters. I added a usage example for 'node_pools' in the tests.

Let me know if you find something to fix.
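
An added example (not from this thread, the linked PR, or the provider's tests) of the setup under discussion: a separately managed node pool whose node_config carries a secure tag, and a network firewall policy rule that targets nodes by that tag. The variable names, short names, pool name and policy name are placeholders, and it assumes the firewall policy already exists and is associated with the VPC and that the IAM permissions GKE needs on the tag are already granted.

```hcl
# Added illustration: every name and value below is a placeholder.
variable "project_id" {}
variable "network" {} # VPC network name
variable "cluster" {} # existing GKE cluster
variable "location" {}

# Firewall policies only accept tag keys created with purpose GCE_FIREWALL.
resource "google_tags_tag_key" "key" {
  parent       = "projects/${var.project_id}"
  short_name   = "gke-node-role"
  purpose      = "GCE_FIREWALL"
  purpose_data = { network = "${var.project_id}/${var.network}" }
}

resource "google_tags_tag_value" "value" {
  parent     = google_tags_tag_key.key.id # "tagKeys/<numeric id>"
  short_name = "batch"
}

# A separately managed pool takes the same node_config block as the cluster.
resource "google_container_node_pool" "batch" {
  name       = "batch-pool"
  cluster    = var.cluster
  location   = var.location
  node_count = 1
  node_config {
    resource_manager_tags = {
      "tagKeys/${google_tags_tag_key.key.name}" = "tagValues/${google_tags_tag_value.value.name}"
    }
  }
}

# Deny inbound SSH to tagged nodes; the policy is assumed to exist and be attached to the VPC.
resource "google_compute_network_firewall_policy_rule" "deny_ssh" {
  firewall_policy = "gke-nodes-policy" # placeholder policy name
  priority        = 1000
  direction       = "INGRESS"
  action          = "deny"
  match {
    src_ip_ranges = ["0.0.0.0/0"]
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["22"]
    }
  }
  target_secure_tags {
    name = google_tags_tag_value.value.id # "tagValues/<numeric id>"
  }
}
```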

@bcorbitt-ps

Thanks for the reply @maxi-cit. Everything planned and applied, but I was unable to "see" the tags anywhere (nothing in the console, nothing returned for gcloud resource-manager tags bindings list), but it appears I may not have found just the right command. gcloud beta container node-pools describe <node-pool> --format="value(config.resourceManagerTags)" appears to be that command. Now I just need to verify that the tag alone (without a binding?) is sufficient to inherit a rule. Thanks a bunch for the contribution here!


sanmaym commented Mar 8, 2024

I also followed up on this and found this public documentation page. I think we need to incorporate "autoprovisioning-resource-manager-tags" support in the container-cluster resource to apply all secure tags at a cluster level?

Cluster-level setting

GKE applies the tags to all new auto-provisioned node pools in the cluster. If you use this flag on an existing cluster, existing node pools retain any tags that were applied before the update

@maxi-cit

Hello @sanmaym, I added support for auto provisioned clusters in this PR.
In case there isn't anything more to add, I think we can close this issue.


sanmaym commented Mar 29, 2024

@maxi-cit thank you so much
