Update OAuth Scopes (#3205)
Update the OAuth scopes to remove the insecure default and match Google's latest recommendations: https://cloud.google.com/kubernetes-engine/docs/how-to/access-scopes
This commit is contained in:
parent
a7b7c4f9dd
commit
71b62c7598
|
@ -51,8 +51,6 @@ resource "google_container_node_pool" "primary_preemptible_nodes" {
|
|||
}
|
||||
|
||||
oauth_scopes = [
|
||||
"https://www.googleapis.com/auth/compute",
|
||||
"https://www.googleapis.com/auth/devstorage.read_only",
|
||||
"https://www.googleapis.com/auth/logging.write",
|
||||
"https://www.googleapis.com/auth/monitoring",
|
||||
]
|
||||
|
@ -90,8 +88,6 @@ resource "google_container_cluster" "primary" {
|
|||
|
||||
node_config {
|
||||
oauth_scopes = [
|
||||
"https://www.googleapis.com/auth/compute",
|
||||
"https://www.googleapis.com/auth/devstorage.read_only",
|
||||
"https://www.googleapis.com/auth/logging.write",
|
||||
"https://www.googleapis.com/auth/monitoring",
|
||||
]
|
||||
|
@ -309,23 +305,23 @@ The `addons_config` block supports:
|
|||
It ensures that a Heapster pod is running in the cluster, which is also used by the Cloud Monitoring service.
|
||||
It is enabled by default;
|
||||
set `disabled = true` to disable.
|
||||
|
||||
|
||||
* `http_load_balancing` - (Optional) The status of the HTTP (L7) load balancing
|
||||
controller addon, which makes it easy to set up HTTP load balancers for services in a
|
||||
cluster. It is enabled by default; set `disabled = true` to disable.
|
||||
|
||||
|
||||
* `kubernetes_dashboard` - (Optional) The status of the Kubernetes Dashboard
|
||||
add-on, which controls whether the Kubernetes Dashboard is enabled for this cluster.
|
||||
It is enabled by default; set `disabled = true` to disable.
|
||||
|
||||
|
||||
* `network_policy_config` - (Optional) Whether we should enable the network policy addon
|
||||
for the master. This must be enabled in order to enable network policy for the nodes.
|
||||
It can only be disabled if the nodes already do not have network policies enabled.
|
||||
Defaults to disabled; set `disabled = false` to enable.
|
||||
|
||||
|
||||
* `istio_config` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html)).
|
||||
Structure is documented below.
|
||||
|
||||
|
||||
* `cloudrun_config` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html)).
|
||||
The status of the CloudRun addon. It requires `istio_config` enabled. It is disabled by default.
|
||||
Set `disabled = false` to enable. This addon can only be enabled at cluster creation time.
|
||||
|
@ -361,7 +357,7 @@ The `resource_limits` block supports:
|
|||
|
||||
* `resource_type` - (Required) See [the docs](https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-provisioning)
|
||||
for a list of permitted types - `cpu`, `memory`, and others.
|
||||
|
||||
|
||||
* `minimum` - (Optional) The minimum value for the resource type specified.
|
||||
|
||||
* `maximum` - (Optional) The maximum value for the resource type specified.
|
||||
|
@ -499,8 +495,10 @@ The `node_config` block supports:
|
|||
either FQDNs, or scope aliases. The following scopes are necessary to ensure
|
||||
the correct functioning of the cluster:
|
||||
|
||||
* `compute-rw` (`https://www.googleapis.com/auth/compute`)
|
||||
* `storage-ro` (`https://www.googleapis.com/auth/devstorage.read_only`)
|
||||
* `storage-ro` (`https://www.googleapis.com/auth/devstorage.read_only`),
|
||||
if the cluster must read private images from GCR.
|
||||
Note this will grant read access to ALL GCS content unless you also
|
||||
specify a custom role. See https://cloud.google.com/kubernetes-engine/docs/how-to/access-scopes
|
||||
* `logging-write` (`https://www.googleapis.com/auth/logging.write`),
|
||||
if `logging_service` points to Google
|
||||
* `monitoring` (`https://www.googleapis.com/auth/monitoring`),
|
||||
|
|
|
@ -18,7 +18,7 @@ and [the API reference](https://cloud.google.com/container-engine/reference/rest
|
|||
resource "google_container_cluster" "primary" {
|
||||
name = "my-gke-cluster"
|
||||
location = "us-central1"
|
||||
|
||||
|
||||
# We can't create a cluster with no node pool defined, but we want to only use
|
||||
# separately managed node pools. So we create the smallest possible default
|
||||
# node pool and immediately delete it.
|
||||
|
@ -37,8 +37,6 @@ resource "google_container_node_pool" "primary_preemptible_nodes" {
|
|||
machine_type = "n1-standard-1"
|
||||
|
||||
oauth_scopes = [
|
||||
"https://www.googleapis.com/auth/compute",
|
||||
"https://www.googleapis.com/auth/devstorage.read_only",
|
||||
"https://www.googleapis.com/auth/logging.write",
|
||||
"https://www.googleapis.com/auth/monitoring",
|
||||
]
|
||||
|
@ -54,7 +52,7 @@ resource "google_container_node_pool" "np" {
|
|||
location = "us-central1-a"
|
||||
cluster = "${google_container_cluster.primary.name}"
|
||||
node_count = 3
|
||||
|
||||
|
||||
timeouts {
|
||||
create = "30m"
|
||||
update = "20m"
|
||||
|
@ -78,8 +76,6 @@ resource "google_container_cluster" "primary" {
|
|||
|
||||
node_config {
|
||||
oauth_scopes = [
|
||||
"https://www.googleapis.com/auth/compute",
|
||||
"https://www.googleapis.com/auth/devstorage.read_only",
|
||||
"https://www.googleapis.com/auth/logging.write",
|
||||
"https://www.googleapis.com/auth/monitoring",
|
||||
]
|
||||
|
|