feat(TF>=1.1)!: Configure ASM management mode (#1702)

Co-authored-by: Andrew Peabody <[email protected]>

Author: ferrarimarco

modules/asm/README.md

@@ -34,6 +34,7 @@ module "asm" {
 ```
 
 Note that the [`mesh_id` label on the cluster](https://cloud.google.com/service-mesh/docs/managed/auto-control-plane-with-fleet#apply_the_mesh_id_label) is required for metrics to get displayed on the Anthos Service Mesh pages in the Cloud console (Topology, etc.). Illustrated with the full example mentioned above, here is an example of what your cluster should have:
+
 ```tf
 module "gke" {
 ...
@@ -58,9 +59,10 @@ To deploy this config:
 | enable\_cni | Determines whether to enable CNI for this ASM installation. Required to use Managed Data Plane (MDP). | `bool` | `false` | no |
 | enable\_fleet\_registration | Determines whether the module registers the cluster to the fleet. | `bool` | `false` | no |
 | enable\_mesh\_feature | Determines whether the module enables the mesh feature on the fleet. | `bool` | `false` | no |
-| enable\_vpc\_sc | Determines whether to enable VPC-SC for this ASM installation. For more information read https://cloud.google.com/service-mesh/docs/managed/vpc-sc | `bool` | `false` | no |
+| enable\_vpc\_sc | Determines whether to enable VPC-SC for this ASM installation. For more information read [VPC Service Controls for Managed Anthos Service Mesh](https://cloud.google.com/service-mesh/docs/managed/vpc-sc) | `bool` | `false` | no |
 | fleet\_id | The fleet to use for this ASM installation. | `string` | `""` | no |
 | internal\_ip | Use internal ip for the cluster endpoint when running kubectl commands. | `bool` | `false` | no |
+| mesh\_management | ASM Management mode. For more information, see the [gke\_hub\_feature\_membership resource documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/gke_hub_feature_membership#nested_mesh) | `string` | `""` | no |
 | module\_depends\_on | List of modules or resources this module depends on.  If multiple, all items must be the same type. | `list(any)` | `[]` | no |
 | multicluster\_mode | [Preview] Determines whether remote secrets should be autogenerated across fleet cluster. | `string` | `"manual"` | no |
 | project\_id | The project in which the resource belongs. | `string` | n/a | yes |

modules/asm/hub.tf

@@ -33,3 +33,15 @@ resource "google_gke_hub_feature" "mesh" {
   location = "global"
   provider = google-beta
 }
+
+resource "google_gke_hub_feature_membership" "mesh_feature_membership" {
+  count = var.enable_fleet_registration && var.enable_mesh_feature && var.mesh_management != "" ? 1 : 0
+
+  location   = "global"
+  feature    = google_gke_hub_feature.mesh[0].name
+  membership = google_gke_hub_membership.membership[0].membership_id
+  mesh {
+    management = var.mesh_management
+  }
+  provider = google-beta
+}

modules/asm/main.tf

@@ -34,14 +34,16 @@ data "google_container_cluster" "asm" {
 }
 
 resource "kubernetes_namespace" "system" {
-  count = var.create_system_namespace ? 1 : 0
+  count = var.create_system_namespace && var.mesh_management != "MANAGEMENT_AUTOMATIC" ? 1 : 0
 
   metadata {
     name = "istio-system"
   }
 }
 
 resource "kubernetes_config_map" "asm_options" {
+  count = var.mesh_management != "MANAGEMENT_AUTOMATIC" ? 1 : 0
+
   metadata {
     name      = "asm-options"
     namespace = try(kubernetes_namespace.system[0].metadata[0].name, "istio-system")
@@ -56,6 +58,8 @@ resource "kubernetes_config_map" "asm_options" {
 }
 
 module "cpr" {
+  count = var.mesh_management != "MANAGEMENT_AUTOMATIC" ? 1 : 0
+
   source  = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
   version = "~> 3.1"
 
@@ -69,3 +73,42 @@ module "cpr" {
 
   module_depends_on = [kubernetes_config_map.asm_options]
 }
+
+# Wait for the ControlPlaneRevision custom resource to be ready.
+# Add an explicit "retry until the resource is created" until
+module "kubectl_asm_wait_for_controlplanerevision_custom_resource_definition" {
+  count = var.mesh_management == "MANAGEMENT_AUTOMATIC" ? 1 : 0
+
+  source  = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version = "~> 3.1"
+
+  project_id              = var.project_id
+  cluster_name            = var.cluster_name
+  cluster_location        = var.cluster_location
+  kubectl_create_command  = "/bin/sh -c 'while ! kubectl wait crd/controlplanerevisions.mesh.cloud.google.com --for condition=established --timeout=60m --all-namespaces; do echo \"crd/controlplanerevisions.mesh.cloud.google.com not yet available, waiting...\"; sleep 5; done'"
+  kubectl_destroy_command = ""
+
+  module_depends_on = [
+    google_gke_hub_feature_membership.mesh_feature_membership
+  ]
+}
+
+# Wait for the ASM control plane revision to be ready so we can safely deploy resources that depend
+# on ASM mutating webhooks.
+# Add an explicit "retry until the resource is created" until
+module "kubectl_asm_wait_for_controlplanerevision" {
+  count = var.mesh_management == "MANAGEMENT_AUTOMATIC" ? 1 : 0
+
+  source  = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper"
+  version = "~> 3.1"
+
+  project_id              = var.project_id
+  cluster_name            = var.cluster_name
+  cluster_location        = var.cluster_location
+  kubectl_create_command  = "/bin/sh -c 'while ! kubectl -n istio-system wait ControlPlaneRevision --all --timeout=60m --for condition=Reconciled; do echo \"ControlPlaneRevision not yet available, waiting...\"; sleep 5; done'"
+  kubectl_destroy_command = ""
+
+  module_depends_on = [
+    module.kubectl_asm_wait_for_controlplanerevision_custom_resource_definition[0].wait
+  ]
+}

modules/asm/outputs.tf

@@ -20,6 +20,6 @@ output "revision_name" {
 }
 
 output "wait" {
-  value       = module.cpr.wait
+  value       = var.mesh_management == "MANAGEMENT_AUTOMATIC" ? module.kubectl_asm_wait_for_controlplanerevision[0].wait : module.cpr[0].wait
   description = "An output to use when depending on the ASM installation finishing."
 }

modules/asm/variables.tf

@@ -50,6 +50,21 @@ variable "channel" {
   default = ""
 }
 
+variable "mesh_management" {
+  default     = ""
+  description = "ASM Management mode. For more information, see the [gke_hub_feature_membership resource documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/gke_hub_feature_membership#nested_mesh)"
+  type        = string
+  validation {
+    condition = anytrue([
+      var.mesh_management == null,
+      var.mesh_management == "",
+      var.mesh_management == "MANAGEMENT_AUTOMATIC",
+      var.mesh_management == "MANAGEMENT_MANUAL",
+    ])
+    error_message = "Must be null, empty, or one of MANAGEMENT_AUTOMATIC or MANAGEMENT_MANUAL."
+  }
+}
+
 variable "multicluster_mode" {
   description = "[Preview] Determines whether remote secrets should be autogenerated across fleet cluster."
   type        = string
@@ -70,7 +85,7 @@ variable "enable_cni" {
 }
 
 variable "enable_vpc_sc" {
-  description = "Determines whether to enable VPC-SC for this ASM installation. For more information read https://cloud.google.com/service-mesh/docs/managed/vpc-sc"
+  description = "Determines whether to enable VPC-SC for this ASM installation. For more information read [VPC Service Controls for Managed Anthos Service Mesh](https://cloud.google.com/service-mesh/docs/managed/vpc-sc)"
   type        = bool
   default     = false
 }

modules/asm/versions.tf

@@ -16,7 +16,7 @@
  */
 
 terraform {
-  required_version = ">= 0.14.0"
+  required_version = ">= 1.1"
 
   required_providers {
     kubernetes = {