Container warnings (#15118) (#10725)

[upstream:211119cc09dfc4ac7a0e83baf674d5177e166fce]

Signed-off-by: Modular Magician <magic-modules@google.com>

Author: modular-magician

.changelog/15118.txt

@@ -0,0 +1,3 @@
+```release-note:deprecation
+compute: deprecated the option to deploy a container during VM creation using the container startup agent in `google_compute_instance`. Use alternative services to run containers on your VMs. Learn more at https://cloud.google.com/compute/docs/containers/migrate-containers.
+```

google-beta/services/compute/resource_compute_instance.go

@@ -216,6 +216,18 @@ func ComputeInstanceMinCpuPlatformEmptyOrAutomaticDiffSuppress(k, old, new strin
 	return (old == "" && new == defaultVal) || (new == "" && old == defaultVal)
 }
 
+func ValidateInstanceMetadata(i interface{}, k string) ([]string, []error) {
+	metadata, ok := i.(map[string]interface{})
+	if !ok {
+		return nil, []error{fmt.Errorf("expected %q to be a map, got %T", k, i)}
+	}
+	var warnings []string
+	if _, ok := metadata["gce-container-declaration"]; ok {
+		warnings = append(warnings, "The option to deploy a container during VM creation using the container startup agent is deprecated. Use alternative services to run containers on your VMs. Learn more at https://cloud.google.com/compute/docs/containers/migrate-containers.")
+	}
+	return warnings, nil
+}
+
 func ResourceComputeInstance() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceComputeInstanceCreate,
@@ -995,10 +1007,11 @@ func ResourceComputeInstance() *schema.Resource {
 			},
 
 			"metadata": {
-				Type:        schema.TypeMap,
-				Optional:    true,
-				Elem:        &schema.Schema{Type: schema.TypeString},
-				Description: `Metadata key/value pairs made available within the instance.`,
+				Type:         schema.TypeMap,
+				Optional:     true,
+				Elem:         &schema.Schema{Type: schema.TypeString},
+				Description:  `Metadata key/value pairs made available within the instance.`,
+				ValidateFunc: ValidateInstanceMetadata,
 			},
 
 			"partner_metadata": {

google-beta/services/compute/resource_compute_instance_template.go

@@ -442,10 +442,11 @@ Google Cloud KMS. Only one of kms_key_self_link, rsa_encrypted_key and raw_key m
 			},
 
 			"metadata": {
-				Type:        schema.TypeMap,
-				Optional:    true,
-				ForceNew:    true,
-				Description: `Metadata key/value pairs to make available from within instances created from this template.`,
+				Type:         schema.TypeMap,
+				Optional:     true,
+				ForceNew:     true,
+				Description:  `Metadata key/value pairs to make available from within instances created from this template.`,
+				ValidateFunc: ValidateInstanceMetadata,
 			},
 
 			"metadata_startup_script": {

google-beta/services/compute/resource_compute_instance_template_test.go

@@ -106,6 +106,35 @@ func TestAccComputeInstanceTemplate_imageShorthand(t *testing.T) {
 	})
 }
 
+func TestAccComputeInstanceTemplate_metadataGceContainerDeclaration(t *testing.T) {
+	t.Parallel()
+
+	var instanceTemplate compute.InstanceTemplate
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckComputeInstanceTemplateDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeInstanceTemplate_metadataGceContainerDeclaration(acctest.RandString(t, 10)),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckComputeInstanceTemplateExists(
+						t, "google_compute_instance_template.foobar", &instanceTemplate),
+					testAccCheckComputeInstanceTemplateMetadata(&instanceTemplate, "foo", "bar"),
+					testAccCheckComputeInstanceTemplateMetadata(&instanceTemplate, "gce-container-declaration", "spec:\n containers:\n - name: test\n image: gcr.io/google-containers/busybox\n"),
+				),
+			},
+			{
+				ResourceName:            "google_compute_instance_template.foobar",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "terraform_labels", "metadata.foo", "metadata.gce-container-declaration"},
+			},
+		},
+	})
+}
+
 func TestAccComputeInstanceTemplate_preemptible(t *testing.T) {
 	t.Parallel()
 
@@ -2740,6 +2769,50 @@ resource "google_compute_instance_template" "foobar" {
 `, context)
 }
 
+func testAccComputeInstanceTemplate_metadataGceContainerDeclaration(suffix string) string {
+	return fmt.Sprintf(`
+data "google_compute_image" "my_image" {
+  family  = "debian-11"
+  project = "debian-cloud"
+}
+
+resource "google_compute_instance_template" "foobar" {
+  name           = "tf-test-instance-template-%s"
+  machine_type   = "e2-medium"
+  can_ip_forward = false
+  tags           = ["foo", "bar"]
+
+  disk {
+    source_image = data.google_compute_image.my_image.self_link
+    auto_delete  = true
+    boot         = true
+  }
+
+  network_interface {
+    network = "default"
+  }
+
+  scheduling {
+    preemptible       = false
+    automatic_restart = true
+  }
+
+  metadata = {
+    foo                       = "bar"
+    gce-container-declaration = "spec:\n containers:\n - name: test\n image: gcr.io/google-containers/busybox\n"
+  }
+
+  service_account {
+    scopes = ["userinfo-email", "compute-ro", "storage-ro"]
+  }
+
+  labels = {
+    my_label = "foobar"
+  }
+}
+`, suffix)
+}
+
 func testAccComputeInstanceTemplate_preemptible(suffix string) string {
 	return fmt.Sprintf(`
 data "google_compute_image" "my_image" {

google-beta/services/compute/resource_compute_instance_test.go

@@ -153,6 +153,48 @@ func TestDisksForceAttachDiffSuppress(t *testing.T) {
 	}
 }
 
+func TestValidateInstanceMetadata(t *testing.T) {
+	cases := map[string]struct {
+		Metadata      map[string]interface{}
+		ExpectWarning string
+	}{
+		"with gce-container-declaration": {
+			Metadata: map[string]interface{}{
+				"gce-container-declaration": "some-value",
+			},
+			ExpectWarning: "The option to deploy a container during VM creation using the container startup agent is deprecated. Use alternative services to run containers on your VMs. Learn more at https://cloud.google.com/compute/docs/containers/migrate-containers.",
+		},
+		"without gce-container-declaration": {
+			Metadata: map[string]interface{}{
+				"foo": "bar",
+			},
+			ExpectWarning: "",
+		},
+		"with empty metadata": {
+			Metadata:      map[string]interface{}{},
+			ExpectWarning: "",
+		},
+	}
+
+	for tn, tc := range cases {
+		warnings, errs := tpgcompute.ValidateInstanceMetadata(tc.Metadata, "metadata")
+		if len(errs) > 0 {
+			t.Errorf("%s: Unexpected errors: %v", tn, errs)
+		}
+		if tc.ExpectWarning == "" {
+			if len(warnings) > 0 {
+				t.Errorf("%s: Expected no warning, got: %v", tn, warnings)
+			}
+		} else {
+			if len(warnings) == 0 {
+				t.Errorf("%s: Expected warning %q, got none", tn, tc.ExpectWarning)
+			} else if warnings[0] != tc.ExpectWarning {
+				t.Errorf("%s: Expected warning %q, got %q", tn, tc.ExpectWarning, warnings[0])
+			}
+		}
+	}
+}
+
 func TestCheckForCommonAliasIp(t *testing.T) {
 	type testCase struct {
 		old, new []*compute.AliasIpRange
@@ -358,6 +400,31 @@ func TestAccComputeInstance_basic5(t *testing.T) {
 	})
 }
 
+func TestAccComputeInstance_metadataGceContainerDeclaration(t *testing.T) {
+	t.Parallel()
+
+	var instance compute.Instance
+	var instanceName = fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckComputeInstanceDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeInstance_metadataGceContainerDeclaration(instanceName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckComputeInstanceExists(
+						t, "google_compute_instance.foobar", &instance),
+					testAccCheckComputeInstanceMetadata(&instance, "foo", "bar"),
+					testAccCheckComputeInstanceMetadata(&instance, "gce-container-declaration", "spec:\n containers:\n - name: test\n image: gcr.io/google-containers/busybox\n"),
+				),
+			},
+			computeInstanceImportStep("us-central1-a", instanceName, []string{"metadata.foo", "metadata.gce-container-declaration", "desired_status"}),
+		},
+	})
+}
+
 func TestAccComputeInstance_resourceManagerTags(t *testing.T) {
 	t.Parallel()
 
@@ -6046,6 +6113,38 @@ resource "google_compute_instance" "foobar" {
 `, instance)
 }
 
+func testAccComputeInstance_metadataGceContainerDeclaration(instance string) string {
+	return fmt.Sprintf(`
+data "google_compute_image" "my_image" {
+  family  = "debian-11"
+  project = "debian-cloud"
+}
+
+resource "google_compute_instance" "foobar" {
+  name           = "%s"
+  machine_type   = "e2-medium"
+  zone           = "us-central1-a"
+  tags           = ["foo", "bar"]
+  desired_status  = "RUNNING"
+
+  boot_disk {
+    initialize_params {
+      image = data.google_compute_image.my_image.self_link
+    }
+  }
+
+  network_interface {
+    network = "default"
+  }
+
+  metadata = {
+    foo                       = "bar"
+    gce-container-declaration = "spec:\n containers:\n - name: test\n image: gcr.io/google-containers/busybox\n"
+  }
+}
+`, instance)
+}
+
 func testAccComputeInstance_machineType(instance string, machineType string) string {
 	return fmt.Sprintf(`
 data "google_compute_image" "my_image" {

google-beta/services/compute/resource_compute_region_instance_template.go

@@ -416,10 +416,11 @@ Google Cloud KMS. Only one of kms_key_self_link, rsa_encrypted_key and raw_key m
 			},
 
 			"metadata": {
-				Type:        schema.TypeMap,
-				Optional:    true,
-				ForceNew:    true,
-				Description: `Metadata key/value pairs to make available from within instances created from this template.`,
+				Type:         schema.TypeMap,
+				Optional:     true,
+				ForceNew:     true,
+				Description:  `Metadata key/value pairs to make available from within instances created from this template.`,
+				ValidateFunc: ValidateInstanceMetadata,
 			},
 
 			"partner_metadata": {

google-beta/services/compute/resource_compute_region_instance_template_test.go

@@ -103,6 +103,35 @@ func TestAccComputeRegionInstanceTemplate_imageShorthand(t *testing.T) {
 	})
 }
 
+func TestAccComputeRegionInstanceTemplate_metadataGceContainerDeclaration(t *testing.T) {
+	t.Parallel()
+
+	var instanceTemplate compute.InstanceTemplate
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckComputeRegionInstanceTemplateDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccComputeRegionInstanceTemplate_metadataGceContainerDeclaration(acctest.RandString(t, 10)),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckComputeRegionInstanceTemplateExists(
+						t, "google_compute_region_instance_template.foobar", &instanceTemplate),
+					testAccCheckComputeRegionInstanceTemplateMetadata(&instanceTemplate, "foo", "bar"),
+					testAccCheckComputeRegionInstanceTemplateMetadata(&instanceTemplate, "gce-container-declaration", "spec:\n containers:\n - name: test\n image: gcr.io/google-containers/busybox\n"),
+				),
+			},
+			{
+				ResourceName:            "google_compute_region_instance_template.foobar",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"labels", "terraform_labels", "metadata.foo", "metadata.gce-container-declaration"},
+			},
+		},
+	})
+}
+
 func TestAccComputeRegionInstanceTemplate_preemptible(t *testing.T) {
 	t.Parallel()
 
@@ -2291,6 +2320,51 @@ resource "google_compute_region_instance_template" "foobar" {
 `, context)
 }
 
+func testAccComputeRegionInstanceTemplate_metadataGceContainerDeclaration(suffix string) string {
+	return fmt.Sprintf(`
+data "google_compute_image" "my_image" {
+  family  = "debian-11"
+  project = "debian-cloud"
+}
+
+resource "google_compute_region_instance_template" "foobar" {
+  name           = "tf-test-instance-template-%s"
+  region      = "us-central1"
+  machine_type   = "e2-medium"
+  can_ip_forward = false
+  tags           = ["foo", "bar"]
+
+  disk {
+    source_image = data.google_compute_image.my_image.self_link
+    auto_delete  = true
+    boot         = true
+  }
+
+  network_interface {
+    network = "default"
+  }
+
+  scheduling {
+    preemptible       = false
+    automatic_restart = true
+  }
+
+  metadata = {
+    foo                       = "bar"
+    gce-container-declaration = "spec:\n containers:\n - name: test\n image: gcr.io/google-containers/busybox\n"
+  }
+
+  service_account {
+    scopes = ["userinfo-email", "compute-ro", "storage-ro"]
+  }
+
+  labels = {
+    my_label = "foobar"
+  }
+}
+`, suffix)
+}
+
 func testAccComputeRegionInstanceTemplate_preemptible(suffix string) string {
 	return fmt.Sprintf(`
 data "google_compute_image" "my_image" {