Updates container_cluster to set enable_legacy_abac to false by default (#1281)

mrparkers · danawillow · commit b8adcc28fec7 · 2018-04-04T10:58:08.000-07:00
* Updates the default GKE legacy ABAC setting to false

* Updates docs for container_cluster

* Update test comments

* Format fix

* Adds ImportState test step to default legacy ABAC test
diff --git a/google/resource_container_cluster.go b/google/resource_container_cluster.go
@@ -206,7 +206,7 @@ func resourceContainerCluster() *schema.Resource {
 			"enable_legacy_abac": {
 				Type:     schema.TypeBool,
 				Optional: true,
-				Default:  true,
+				Default:  false,
 			},
 
 			"initial_node_count": {
diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go
@@ -374,6 +374,35 @@ func TestAccContainerCluster_withLegacyAbac(t *testing.T) {
 	})
 }
 
+/*
+	Since GKE disables legacy ABAC by default in Kubernetes version 1.8+, and the default Kubernetes
+	version for GKE is also 1.8+, this test will ensure that legacy ABAC is disabled by default to be
+	more consistent with default settings in the Cloud Console
+*/
+func TestAccContainerCluster_withDefaultLegacyAbac(t *testing.T) {
+	t.Parallel()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckContainerClusterDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccContainerCluster_defaultLegacyAbac(acctest.RandString(10)),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("google_container_cluster.default_legacy_abac", "enable_legacy_abac", "false"),
+				),
+			},
+			{
+				ResourceName:        "google_container_cluster.default_legacy_abac",
+				ImportStateIdPrefix: "us-central1-a/",
+				ImportState:         true,
+				ImportStateVerify:   true,
+			},
+		},
+	})
+}
+
 func TestAccContainerCluster_withVersion(t *testing.T) {
 	t.Parallel()
 
@@ -1320,6 +1349,15 @@ resource "google_container_cluster" "with_kubernetes_alpha" {
 }`, clusterName)
 }
 
+func testAccContainerCluster_defaultLegacyAbac(clusterName string) string {
+	return fmt.Sprintf(`
+resource "google_container_cluster" "default_legacy_abac" {
+	name = "cluster-test-%s"
+	zone = "us-central1-a"
+	initial_node_count = 1
+}`, clusterName)
+}
+
 func testAccContainerCluster_withLegacyAbac(clusterName string) string {
 	return fmt.Sprintf(`
 resource "google_container_cluster" "with_legacy_abac" {
diff --git a/website/docs/r/container_cluster.html.markdown b/website/docs/r/container_cluster.html.markdown
@@ -94,7 +94,7 @@ output "cluster_ca_certificate" {
 * `enable_legacy_abac` - (Optional) Whether the ABAC authorizer is enabled for this cluster.
     When enabled, identities in the system, including service accounts, nodes, and controllers,
     will have statically granted permissions beyond those provided by the RBAC configuration or IAM.
-    Defaults to `true`
+    Defaults to `false`
     
 * `initial_node_count` - (Optional) The number of nodes to create in this
     cluster (not including the Kubernetes master). Must be set if `node_pool` is not set.
