Support control_plane attribute in ske cluster (#1236)

* #STACKITTPR-517 - support control_plane attribute in ske cluster

* #STACKITTPR-517 - extend examples

* update tests

* update example

* access scope is now computed

* make access scope field immutable

* use util functions in condition

* fix min acc test

---------

Co-authored-by: Alexander Dahmen <alexander.dahmen@inovex.de>

Author: GokceGK

docs/data-sources/ske_cluster.md

@@ -117,8 +117,17 @@ Read-Only:
 
 Read-Only:
 
+- `control_plane` (Attributes) Control plane for the cluster. (see [below for nested schema](#nestedatt--network--control_plane))
 - `id` (String) ID of the STACKIT Network Area (SNA) network into which the cluster will be deployed.
 
+<a id="nestedatt--network--control_plane"></a>
+### Nested Schema for `network.control_plane`
+
+Read-Only:
+
+- `access_scope` (String) Access scope of the control plane. It defines if the Kubernetes control plane is public or only available inside a STACKIT Network Area.Possible values are: `PUBLIC`, `SNA`. The field is immutable!
+
+
 
 <a id="nestedatt--node_pools"></a>
 ### Nested Schema for `node_pools`

docs/resources/ske_cluster.md

@@ -39,6 +39,11 @@ resource "stackit_ske_cluster" "example" {
     start                                = "01:00:00Z"
     end                                  = "02:00:00Z"
   }
+  network = {
+    control_plane = {
+      access_scope = "PUBLIC"
+    }
+  }
 }
 
 # Only use the import statement, if you want to import an existing ske cluster
@@ -204,4 +209,12 @@ Optional:
 
 Optional:
 
+- `control_plane` (Attributes) Control plane for the cluster. (see [below for nested schema](#nestedatt--network--control_plane))
 - `id` (String) ID of the STACKIT Network Area (SNA) network into which the cluster will be deployed.
+
+<a id="nestedatt--network--control_plane"></a>
+### Nested Schema for `network.control_plane`
+
+Optional:
+
+- `access_scope` (String) Access scope of the control plane. It defines if the Kubernetes control plane is public or only available inside a STACKIT Network Area.Possible values are: `PUBLIC`, `SNA`. The field is immutable!

examples/resources/stackit_ske_cluster/resource.tf

@@ -21,6 +21,11 @@ resource "stackit_ske_cluster" "example" {
     start                                = "01:00:00Z"
     end                                  = "02:00:00Z"
   }
+  network = {
+    control_plane = {
+      access_scope = "PUBLIC"
+    }
+  }
 }
 
 # Only use the import statement, if you want to import an existing ske cluster

stackit/internal/services/ske/cluster/datasource.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net/http"
 
+	sdkUtils "github.com/stackitcloud/stackit-sdk-go/core/utils"
 	"github.com/stackitcloud/terraform-provider-stackit/stackit/internal/conversion"
 	skeUtils "github.com/stackitcloud/terraform-provider-stackit/stackit/internal/services/ske/utils"
 
@@ -223,6 +224,16 @@ func (r *clusterDataSource) Schema(_ context.Context, _ datasource.SchemaRequest
 							validate.UUID(),
 						},
 					},
+					"control_plane": schema.SingleNestedAttribute{
+						Description: "Control plane for the cluster.",
+						Computed:    true,
+						Attributes: map[string]schema.Attribute{
+							"access_scope": schema.StringAttribute{
+								Description: "Access scope of the control plane. It defines if the Kubernetes control plane is public or only available inside a STACKIT Network Area." + utils.FormatPossibleValues(sdkUtils.EnumSliceToStringSlice(ske.AllowedAccessScopeEnumValues)...) + " The field is immutable!",
+								Computed:    true,
+							},
+						},
+					},
 				},
 			},
 

stackit/internal/services/ske/cluster/resource.go

@@ -158,12 +158,23 @@ var maintenanceTypes = map[string]attr.Type{
 
 // Struct corresponding to Model.Network
 type network struct {
-	ID types.String `tfsdk:"id"`
+	ID           types.String `tfsdk:"id"`
+	ControlPlane types.Object `tfsdk:"control_plane"`
 }
 
 // Types corresponding to network
 var networkTypes = map[string]attr.Type{
-	"id": basetypes.StringType{},
+	"id":            basetypes.StringType{},
+	"control_plane": types.ObjectType{AttrTypes: controlPlaneTypes},
+}
+
+type controlPlane struct {
+	AccessScope types.String `tfsdk:"access_scope"`
+}
+
+// Types corresponding to control plane
+var controlPlaneTypes = map[string]attr.Type{
+	"access_scope": basetypes.StringType{},
 }
 
 // Struct corresponding to Model.Hibernations[i]
@@ -566,6 +577,20 @@ func (r *clusterResource) Schema(_ context.Context, _ resource.SchemaRequest, re
 							stringplanmodifier.RequiresReplace(),
 						},
 					},
+					"control_plane": schema.SingleNestedAttribute{
+						Description: "Control plane for the cluster.",
+						Optional:    true,
+						Attributes: map[string]schema.Attribute{
+							"access_scope": schema.StringAttribute{
+								Description: "Access scope of the control plane. It defines if the Kubernetes control plane is public or only available inside a STACKIT Network Area." + utils.FormatPossibleValues(sdkUtils.EnumSliceToStringSlice(ske.AllowedAccessScopeEnumValues)...) + " The field is immutable!",
+								Optional:    true,
+								Computed:    true,
+								PlanModifiers: []planmodifier.String{
+									stringplanmodifier.RequiresReplace(),
+								},
+							},
+						},
+					},
 				},
 			},
 			"hibernations": schema.ListNestedAttribute{
@@ -1367,8 +1392,21 @@ func toNetworkPayload(ctx context.Context, m *Model) (*ske.Network, error) {
 		return nil, fmt.Errorf("converting network object: %v", diags.Errors())
 	}
 
+	var networkControlPlane *ske.V2ControlPlaneNetwork
+	if !utils.IsUndefined(network.ControlPlane) {
+		networkControlPlaneModel := controlPlane{}
+		diags = network.ControlPlane.As(ctx, &networkControlPlaneModel, basetypes.ObjectAsOptions{})
+		if diags.HasError() {
+			return nil, fmt.Errorf("converting network control plane: %w", core.DiagsToError(diags))
+		}
+		networkControlPlane = &ske.V2ControlPlaneNetwork{
+			AccessScope: ske.V2ControlPlaneNetworkGetAccessScopeAttributeType(conversion.StringValueToPointer(networkControlPlaneModel.AccessScope)),
+		}
+	}
+
 	return &ske.Network{
-		Id: conversion.StringValueToPointer(network.ID),
+		Id:           conversion.StringValueToPointer(network.ID),
+		ControlPlane: networkControlPlane,
 	}, nil
 }
 
@@ -1672,12 +1710,32 @@ func mapNetwork(cl *ske.Cluster, m *Model) error {
 		return nil
 	}
 
+	var diags diag.Diagnostics
 	id := types.StringNull()
 	if cl.Network.Id != nil {
 		id = types.StringValue(*cl.Network.Id)
 	}
+
+	networkControlPlane := types.ObjectNull(controlPlaneTypes)
+	if cl.Network.ControlPlane != nil {
+		controlPlaneAccessScope := types.StringNull()
+		if cl.Network.ControlPlane.AccessScope != nil {
+			controlPlaneAccessScope = types.StringValue(string(cl.Network.ControlPlane.GetAccessScope()))
+		}
+
+		controlPlaneValues := map[string]attr.Value{
+			"access_scope": controlPlaneAccessScope,
+		}
+
+		networkControlPlane, diags = types.ObjectValue(controlPlaneTypes, controlPlaneValues)
+		if diags.HasError() {
+			return fmt.Errorf("creating network control plane: %w", core.DiagsToError(diags))
+		}
+	}
+
 	networkValues := map[string]attr.Value{
-		"id": id,
+		"id":            id,
+		"control_plane": networkControlPlane,
 	}
 	networkObject, diags := types.ObjectValue(networkTypes, networkValues)
 	if diags.HasError() {

stackit/internal/services/ske/cluster/resource_test.go

@@ -110,6 +110,9 @@ func TestMapFields(t *testing.T) {
 				},
 				Network: &ske.Network{
 					Id: utils.Ptr("nid"),
+					ControlPlane: &ske.V2ControlPlaneNetwork{
+						AccessScope: ske.V2ControlPlaneNetworkGetAccessScopeAttributeType(utils.Ptr("SNA")),
+					},
 				},
 				Name: utils.Ptr("name"),
 				Nodepools: &[]ske.Nodepool{
@@ -231,6 +234,9 @@ func TestMapFields(t *testing.T) {
 				}),
 				Network: types.ObjectValueMust(networkTypes, map[string]attr.Value{
 					"id": types.StringValue("nid"),
+					"control_plane": types.ObjectValueMust(controlPlaneTypes, map[string]attr.Value{
+						"access_scope": types.StringValue("SNA"),
+					}),
 				}),
 				Hibernations: types.ListValueMust(
 					types.ObjectType{AttrTypes: hibernationTypes},
@@ -560,6 +566,9 @@ func TestMapFields(t *testing.T) {
 				},
 				Network: &ske.Network{
 					Id: utils.Ptr("nid"),
+					ControlPlane: &ske.V2ControlPlaneNetwork{
+						AccessScope: ske.V2ControlPlaneNetworkGetAccessScopeAttributeType(utils.Ptr("SNA")),
+					},
 				},
 				Name: utils.Ptr("name"),
 				Nodepools: &[]ske.Nodepool{
@@ -648,6 +657,9 @@ func TestMapFields(t *testing.T) {
 				}),
 				Network: types.ObjectValueMust(networkTypes, map[string]attr.Value{
 					"id": types.StringValue("nid"),
+					"control_plane": types.ObjectValueMust(controlPlaneTypes, map[string]attr.Value{
+						"access_scope": types.StringValue("SNA"),
+					}),
 				}),
 				Hibernations: types.ListValueMust(
 					types.ObjectType{AttrTypes: hibernationTypes},
@@ -2239,10 +2251,16 @@ func TestToNetworkPayload(t *testing.T) {
 				Name:      types.StringValue("name"),
 				Network: types.ObjectValueMust(networkTypes, map[string]attr.Value{
 					"id": types.StringValue("nid"),
+					"control_plane": types.ObjectValueMust(controlPlaneTypes, map[string]attr.Value{
+						"access_scope": types.StringValue("SNA"),
+					}),
 				}),
 			},
 			&ske.Network{
 				Id: utils.Ptr("nid"),
+				ControlPlane: &ske.V2ControlPlaneNetwork{
+					AccessScope: ske.V2ControlPlaneNetworkGetAccessScopeAttributeType(utils.Ptr("SNA")),
+				},
 			},
 			true,
 		},
@@ -2252,12 +2270,29 @@ func TestToNetworkPayload(t *testing.T) {
 				ProjectId: types.StringValue("pid"),
 				Name:      types.StringValue("name"),
 				Network: types.ObjectValueMust(networkTypes, map[string]attr.Value{
-					"id": types.StringNull(),
+					"id":            types.StringNull(),
+					"control_plane": types.ObjectNull(controlPlaneTypes),
 				}),
 			},
 			&ske.Network{},
 			true,
 		},
+		{
+			"no_control_plane",
+			&Model{
+				ProjectId: types.StringValue("pid"),
+				Name:      types.StringValue("name"),
+				Network: types.ObjectValueMust(networkTypes, map[string]attr.Value{
+					"id":            types.StringValue("nid"),
+					"control_plane": types.ObjectNull(controlPlaneTypes),
+				}),
+			},
+			&ske.Network{
+				Id:           utils.Ptr("nid"),
+				ControlPlane: nil,
+			},
+			true,
+		},
 		{
 			"no_network",
 			&Model{

stackit/internal/services/ske/ske_acc_test.go

@@ -49,9 +49,10 @@ var testConfigVarsMin = config.Variables{
 	"kubernetes_version_min":      config.StringVariable(skeProviderOptions.GetCreateK8sVersion()),
 	"maintenance_enable_machine_image_version_updates": config.StringVariable("true"),
 	"maintenance_enable_kubernetes_version_updates":    config.StringVariable("true"),
-	"maintenance_start": config.StringVariable("02:00:00+01:00"),
-	"maintenance_end":   config.StringVariable("04:00:00+01:00"),
-	"region":            config.StringVariable(testutil.Region),
+	"maintenance_start":                  config.StringVariable("02:00:00+01:00"),
+	"maintenance_end":                    config.StringVariable("04:00:00+01:00"),
+	"region":                             config.StringVariable(testutil.Region),
+	"network_control_plane_access_scope": config.StringVariable("PUBLIC"),
 }
 
 var testConfigVarsMax = config.Variables{
@@ -92,6 +93,7 @@ var testConfigVarsMax = config.Variables{
 	"refresh_before":                                   config.StringVariable("600"),
 	"dns_zone_name":                                    config.StringVariable("acc-" + acctest.RandStringFromCharSet(6, acctest.CharSetAlpha)),
 	"dns_name":                                         config.StringVariable("acc-" + acctest.RandStringFromCharSet(6, acctest.CharSetAlpha) + ".runs.onstackit.cloud"),
+	"network_control_plane_access_scope":               config.StringVariable("PUBLIC"),
 }
 
 var testConfigDatasource = config.Variables{
@@ -137,12 +139,14 @@ func TestAccSKEMin(t *testing.T) {
 					resource.TestCheckResourceAttr("stackit_ske_cluster.cluster", "node_pools.0.minimum", testutil.ConvertConfigVariable(testConfigVarsMin["nodepool_minimum"])),
 					resource.TestCheckResourceAttr("stackit_ske_cluster.cluster", "node_pools.0.name", testutil.ConvertConfigVariable(testConfigVarsMin["nodepool_name"])),
 					resource.TestCheckResourceAttrSet("stackit_ske_cluster.cluster", "node_pools.0.os_version_used"),
-					resource.TestCheckResourceAttr("stackit_ske_cluster.cluster", "maintenance.enable_kubernetes_version_updates", testutil.ConvertConfigVariable(testConfigVarsMax["maintenance_enable_kubernetes_version_updates"])),
-					resource.TestCheckResourceAttr("stackit_ske_cluster.cluster", "maintenance.enable_machine_image_version_updates", testutil.ConvertConfigVariable(testConfigVarsMax["maintenance_enable_machine_image_version_updates"])),
-					resource.TestCheckResourceAttr("stackit_ske_cluster.cluster", "maintenance.start", testutil.ConvertConfigVariable(testConfigVarsMax["maintenance_start"])),
-					resource.TestCheckResourceAttr("stackit_ske_cluster.cluster", "maintenance.end", testutil.ConvertConfigVariable(testConfigVarsMax["maintenance_end"])),
-					resource.TestCheckResourceAttrSet("stackit_ske_cluster.cluster", "region"),
+					resource.TestCheckResourceAttr("stackit_ske_cluster.cluster", "kubernetes_version_min", testutil.ConvertConfigVariable(testConfigVarsMin["kubernetes_version_min"])),
+					resource.TestCheckResourceAttr("stackit_ske_cluster.cluster", "maintenance.enable_kubernetes_version_updates", testutil.ConvertConfigVariable(testConfigVarsMin["maintenance_enable_kubernetes_version_updates"])),
+					resource.TestCheckResourceAttr("stackit_ske_cluster.cluster", "maintenance.enable_machine_image_version_updates", testutil.ConvertConfigVariable(testConfigVarsMin["maintenance_enable_machine_image_version_updates"])),
+					resource.TestCheckResourceAttr("stackit_ske_cluster.cluster", "maintenance.start", testutil.ConvertConfigVariable(testConfigVarsMin["maintenance_start"])),
+					resource.TestCheckResourceAttr("stackit_ske_cluster.cluster", "maintenance.end", testutil.ConvertConfigVariable(testConfigVarsMin["maintenance_end"])),
+					resource.TestCheckResourceAttr("stackit_ske_cluster.cluster", "region", testutil.ConvertConfigVariable(testConfigVarsMin["region"])),
 					resource.TestCheckResourceAttrSet("stackit_ske_cluster.cluster", "kubernetes_version_used"),
+					resource.TestCheckResourceAttr("stackit_ske_cluster.cluster", "network.control_plane.access_scope", testutil.ConvertConfigVariable(testConfigVarsMin["network_control_plane_access_scope"])),
 
 					// Kubeconfig
 					resource.TestCheckResourceAttrPair(
@@ -182,6 +186,7 @@ func TestAccSKEMin(t *testing.T) {
 					resource.TestCheckResourceAttr("stackit_ske_cluster.cluster", "maintenance.end", testutil.ConvertConfigVariable(testConfigVarsMax["maintenance_end"])),
 					resource.TestCheckResourceAttrSet("stackit_ske_cluster.cluster", "region"),
 					resource.TestCheckResourceAttrSet("data.stackit_ske_cluster.cluster", "kubernetes_version_used"),
+					resource.TestCheckResourceAttr("data.stackit_ske_cluster.cluster", "network.control_plane.access_scope", testutil.ConvertConfigVariable(testConfigVarsMin["network_control_plane_access_scope"])),
 				),
 			},
 			// 3) Import cluster
@@ -299,6 +304,8 @@ func TestAccSKEMax(t *testing.T) {
 					resource.TestCheckResourceAttrSet("stackit_ske_cluster.cluster", "pod_address_ranges.0"),
 					resource.TestCheckResourceAttrSet("stackit_ske_cluster.cluster", "kubernetes_version_used"),
 
+					resource.TestCheckResourceAttr("stackit_ske_cluster.cluster", "network.control_plane.access_scope", testutil.ConvertConfigVariable(testConfigVarsMax["network_control_plane_access_scope"])),
+
 					// Kubeconfig
 					resource.TestCheckResourceAttrPair(
 						"stackit_ske_kubeconfig.kubeconfig", "project_id",
@@ -373,6 +380,8 @@ func TestAccSKEMax(t *testing.T) {
 					resource.TestCheckResourceAttrSet("data.stackit_ske_cluster.cluster", "pod_address_ranges.0"),
 
 					resource.TestCheckResourceAttrSet("data.stackit_ske_cluster.cluster", "kubernetes_version_used"),
+
+					resource.TestCheckResourceAttr("data.stackit_ske_cluster.cluster", "network.control_plane.access_scope", testutil.ConvertConfigVariable(testConfigVarsMax["network_control_plane_access_scope"])),
 				),
 			},
 			// 3) Import cluster

stackit/internal/services/ske/testdata/resource-max.tf

@@ -35,6 +35,7 @@ variable "refresh" {}
 variable "refresh_before" {}
 variable "dns_zone_name" {}
 variable "dns_name" {}
+variable "network_control_plane_access_scope" {}
 
 resource "stackit_ske_cluster" "cluster" {
   project_id = var.project_id
@@ -92,6 +93,11 @@ resource "stackit_ske_cluster" "cluster" {
     end                                  = var.maintenance_end
   }
   region = var.region
+  network = {
+    control_plane = {
+      access_scope = var.network_control_plane_access_scope
+    }
+  }
 }
 
 resource "stackit_ske_kubeconfig" "kubeconfig" {

stackit/internal/services/ske/testdata/resource-min.tf

@@ -11,6 +11,7 @@ variable "maintenance_enable_machine_image_version_updates" {}
 variable "maintenance_start" {}
 variable "maintenance_end" {}
 variable "region" {}
+variable "network_control_plane_access_scope" {}
 
 
 resource "stackit_ske_cluster" "cluster" {
@@ -36,6 +37,11 @@ resource "stackit_ske_cluster" "cluster" {
     end                                  = var.maintenance_end
   }
   region = var.region
+  network = {
+    control_plane = {
+      access_scope = var.network_control_plane_access_scope
+    }
+  }
 }
 
 resource "stackit_ske_kubeconfig" "kubeconfig" {