Add documentation on resource.google_container_cluster (#2419)

When a google_container_cluster is created using Terraform, the oauth_scope needs to be set to allow authentication of the VM service account on the Google services. In addition, the default service account will need the IAM permissions for doing so.

The default service account will have these permissions if the project is created and the service is enabled using the Google Cloud Console. If those are done using Terraform, the default account will not have these permissions.

I added some documentation regarding this issue, as it took me quite some time to figure out what was missing.

I hope I placed this addition at the correct spot in the documentation.
Janosch Maier 2018-11-13 22:16:45 +01:00 committed by Nathan McKinley
parent 5ec8d57ea7
commit 1f5b380cd6


@ -357,6 +357,11 @@ The `node_config` block supports:
* `service_account` - (Optional) The service account to be used by the Node VMs.
If not specified, the "default" service account is used.
In order to use the configured `oauth_scopes` for logging and monitoring, the service account being used needs the
[roles/logging.logWriter](https://cloud.google.com/iam/docs/understanding-roles#stackdriver_logging_roles) and
[roles/monitoring.metricWriter](https://cloud.google.com/iam/docs/understanding-roles#stackdriver_monitoring_roles) roles.
-> Projects that enable the [Cloud Compute Engine API](https://cloud.google.com/compute/) with Terraform may need these roles added manually to the service account. Projects that enable the API in the Cloud Console should have them added automatically.
* `tags` - (Optional) The list of instance tags applied to all nodes. Tags are used to identify
valid sources or targets for network firewalls.
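Review bot: The new note under `service_account` explains the IAM side only, but the commit message says both the `oauth_scopes` and the IAM roles must be in place, so the reader of this paragraph still cannot tell which scopes are required; suggest cross-referencing the `oauth_scopes` argument here (e.g. "see `oauth_scopes` above for the scopes that must also be granted") so the two halves of the fix are found together. Also consider stating that the roles should be granted to the specific service account referenced by this argument rather than to the project-wide default account, since a dedicated node service account carrying only `roles/logging.logWriter` and `roles/monitoring.metricWriter` is the least-privilege setup and avoids relying on whatever permissions the default account happens to have.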