public/terraform-provider-google
0
0
Fork 0
mirror of https://github.com/letic/terraform-provider-google.git synced 2024-07-01 07:42:40 +00:00
Code Issues Projects Releases Wiki Activity

Update OAuth Scopes (#3205)

Browse Source 
Update the OAuth scopes to remove the insecure default and match googles latest recommendations https://cloud.google.com/kubernetes-engine/docs/how-to/access-scopes
This commit is contained in:
Mike Brooks 2019-03-20 18:28:19 +00:00 committed by Chris Stephens
parent a7b7c4f9dd
commit 71b62c7598
2 changed files with 12 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
website/docs/r/container_cluster.html.markdown
View File

@ -51,8 +51,6 @@ resource "google_container_node_pool" "primary_preemptible_nodes" {
}
oauth_scopes = [
"https://www.googleapis.com/auth/compute",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring",
]
@ -90,8 +88,6 @@ resource "google_container_cluster" "primary" {
node_config {
oauth_scopes = [
"https://www.googleapis.com/auth/compute",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring",
]
@ -309,23 +305,23 @@ The `addons_config` block supports:
It ensures that a Heapster pod is running in the cluster, which is also used by the Cloud Monitoring service.
It is enabled by default;
set `disabled = true` to disable.
* `http_load_balancing` - (Optional) The status of the HTTP (L7) load balancing
controller addon, which makes it easy to set up HTTP load balancers for services in a
cluster. It is enabled by default; set `disabled = true` to disable.
* `kubernetes_dashboard` - (Optional) The status of the Kubernetes Dashboard
add-on, which controls whether the Kubernetes Dashboard is enabled for this cluster.
It is enabled by default; set `disabled = true` to disable.
* `network_policy_config` - (Optional) Whether we should enable the network policy addon
for the master. This must be enabled in order to enable network policy for the nodes.
It can only be disabled if the nodes already do not have network policies enabled.
Defaults to disabled; set `disabled = false` to enable.
* `istio_config` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html)).
Structure is documented below.
* `cloudrun_config` - (Optional, [Beta](https://terraform.io/docs/providers/google/provider_versions.html)).
The status of the CloudRun addon. It requires `istio_config` enabled. It is disabled by default.
Set `disabled = false` to enable. This addon can only be enabled at cluster creation time.
@ -361,7 +357,7 @@ The `resource_limits` block supports:
* `resource_type` - (Required) See [the docs](https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-provisioning)
for a list of permitted types - `cpu`, `memory`, and others.
* `minimum` - (Optional) The minimum value for the resource type specified.
* `maximum` - (Optional) The maximum value for the resource type specified.
@ -499,8 +495,10 @@ The `node_config` block supports:
either FQDNs, or scope aliases. The following scopes are necessary to ensure
the correct functioning of the cluster:
* `compute-rw` (`https://www.googleapis.com/auth/compute`)
* `storage-ro` (`https://www.googleapis.com/auth/devstorage.read_only`)
* `storage-ro` (`https://www.googleapis.com/auth/devstorage.read_only`),
if the cluster must read private images from GCR.
Note this will grant read access to ALL GCS content unless you also
specify a custom role. See https://cloud.google.com/kubernetes-engine/docs/how-to/access-scopes
* `logging-write` (`https://www.googleapis.com/auth/logging.write`),
if `logging_service` points to Google
* `monitoring` (`https://www.googleapis.com/auth/monitoring`),

8
website/docs/r/container_node_pool.html.markdown
View File

@ -18,7 +18,7 @@ and [the API reference](https://cloud.google.com/container-engine/reference/rest
resource "google_container_cluster" "primary" {
name = "my-gke-cluster"
location = "us-central1"
# We can't create a cluster with no node pool defined, but we want to only use
# separately managed node pools. So we create the smallest possible default
# node pool and immediately delete it.
@ -37,8 +37,6 @@ resource "google_container_node_pool" "primary_preemptible_nodes" {
machine_type = "n1-standard-1"
oauth_scopes = [
"https://www.googleapis.com/auth/compute",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring",
]
@ -54,7 +52,7 @@ resource "google_container_node_pool" "np" {
location = "us-central1-a"
cluster = "${google_container_cluster.primary.name}"
node_count = 3
timeouts {
create = "30m"
update = "20m"
@ -78,8 +76,6 @@ resource "google_container_cluster" "primary" {
node_config {
oauth_scopes = [
"https://www.googleapis.com/auth/compute",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring",
]