Migrate from the ConfigManagement API to the PolicyController API

This page explains how to migrate from the ConfigManagement API to the PolicyController API for managing Policy Controller. The PolicyController API offers the same capabilities for installing and managing Policy Controller

The steps to fully migrate differ depending on which installation method you used to install Policy Controller.

If you use gcloud CLI PolicyController commands that start with gcloud container fleet policycontroller, you are already using the PolicyController API. No action is needed. Otherwise, review the instructions for the method that you used to install Policy Controller:

config management

If you use gcloud CLI commands that start with gcloud alpha container fleet config-management, switch to using gcloud CLI Policy Controller commands that start with gcloud container fleet policycontroller. Review the gcloud CLI documentation for a list of commands. No other action is required.

If your Google Cloud CLI apply spec file has the policyController block, remove it to ensure compatibility with Config Sync.

Terraform

If you use a Terraform resource that configures Policy Controller with the feature name "configmanagement", you should switch to a Terraform resource with the feature name "policycontroller" by completing the following steps:

  1. Copy your existing Terraform file to a new file, or update your Terraform file, and add the following:

    resource "google_gke_hub_feature" "feature" {
  name = "policycontroller"
  location = "global"
}

resource "google_gke_hub_feature_membership" "feature_member" {
  feature = google_gke_hub_feature.feature.name # "policycontroller"
  location = "global"
  membership = MEMBERSHIP_NAME
  project = PROJECT_ID
   policycontroller {
      policy_controller_hub_config {
        install_spec = "INSTALL_SPEC_ENABLED"
    }
  }
}

    Replace the following:

    • MEMBERSHIP: the membership name of the registered cluster that has Policy Controller installed.
    • PROJECT_ID: your project ID.

  2. Remove the "policy_controller" block from your existing Terraform resource. You can find the block under the "configmanagement" block. If you're using the resource to only manage Policy Controller, you can remove the entire configmanagement block. If you're using the resource to manage Config Sync, ensure you remove only the Policy Controller block. For example, your configmanagement block might resemble the following:

    resource "google_gke_hub_feature_membership" "feature_member" {
   provider   = google-beta
   location   = "global"
   feature    = "configmanagement"
   membership = google_gke_hub_membership.membership.membership_id
   configmanagement {
      version = "1.8.0"
      config_sync {
         source_format = "unstructured"
         git {
         }
      }
      # if you're still using the config_sync block, delete only the policy_controller block
      policy_controller {
         enabled                    = true
         template_library_installed = true
         referential_rules_enabled  = true
      }
   }
}

  3. Import the Policy Controller membership feature settings by completing one of the following steps:

    1. Run the following command:

      terraform import "google_gke_hub_feature.policycontroller" "projects/PROJECT_ID/locations/global/features/policycontroller"
terraform import "google_gke_hub_feature_membership.policycontroller" "projects/PROJECT_ID/locations/global/features/policycontroller/membershipId/MEMBERSHIP_NAME"

    2. Add an import block to your Terraform resource:

      import {
   to = google_gke_hub_feature_membership.policycontroller
   id = "projects/PROJECT_ID/locations/global/features/policycontroller/membershipId/MEMBERSHIP_NAME"
}

  4. Apply the Policy Controller settings:

    terraform apply

  5. Optional: After the import is complete, you can remove the import block from your Terraform resource. Alternatively, it is safe to leave the import block in your configuration as a record of the resource's origin.

Config Connector

To stop using the configmanagement.policyController spec, complete the following steps:

  1. Create or update your GKEHubFeatureMembership spec by entering the spec.ResourceID number into the policycontroller field.

  2. If you have an existing GKEHubFeatureMembership that uses the spec.configmanagement.policyController field, remove any policycontroller fields from the configmanagement spec.

kubectl

If you use kubectl commands to manage Policy Controller with a ConfigManagement object, switch to using gcloud CLI Policy Controller commands that start with gcloud container fleet policycontroller. No other action is required.

If your ConfigManagement object. has the policyController block, remove it for compatibility with Config Sync.

You might want to review the following resources to learn more about the Policy Controller API: