updates from review comments

third_party/terraform/resources/resource_container_cluster.go.erb

@@ -323,7 +323,7 @@ func resourceContainerCluster() *schema.Resource {
 										Type:     schema.TypeList,
 										Optional: true,
 										Elem:     &schema.Schema{Type: schema.TypeString},
-										DiffSuppressFunc: containerClusterAutoProvisioningDefaultSuppress,
+										DiffSuppressFunc: containerClusterAddedScopesSuppress,
 										ExactlyOneOf: []string{
 											"cluster_autoscaling.0.auto_provisioning_defaults.0.oauth_scopes",
 											"cluster_autoscaling.0.auto_provisioning_defaults.0.service_account",
@@ -2879,17 +2879,16 @@ func cidrOrSizeDiffSuppress(k, old, new string, d *schema.ResourceData) bool {
 	return strings.HasPrefix(new, "/") && strings.HasSuffix(old, new)
 }
 
-// We want to suppress diffs for the default auto provisioning defaults
-func containerClusterAutoProvisioningDefaultSuppress(k, old, new string, d *schema.ResourceData) bool {
+// We want to suppress diffs for the scopes automatically added by GKE
+func containerClusterAddedScopesSuppress(k, old, new string, d *schema.ResourceData) bool {
 	o, n := d.GetChange("cluster_autoscaling.0.auto_provisioning_defaults.0.oauth_scopes")
 
-	defaultScopes := []string{
-		"https://www.googleapis.com/auth/logging.write",
-		"https://www.googleapis.com/auth/monitoring",
+	addedScopes := []string{
+		"https://www.googleapis.com/auth/monitoring.write",
 	}
 
 	// combine what the default scopes are with what was passed
-	m := golangSetFromStringSlice(append(defaultScopes, convertStringArr(n.([]interface{}))... ))
+	m := golangSetFromStringSlice(append(addedScopes, convertStringArr(n.([]interface{}))... ))
 	combined := stringSliceFromGolangSet(m)
 
 	// compare if the combined new scopes and default scopes differ from the old scopes

third_party/terraform/tests/resource_container_cluster_test.go.erb

@@ -2627,6 +2627,10 @@ resource "google_container_cluster" "with_autoprovisioning" {
   location           = "us-central1-a"
   min_master_version = data.google_container_engine_versions.central1a.latest_master_version
   initial_node_count = 1
+
+  logging_service    = "none"
+  monitoring_service = "none"
+
 `, cluster)
 	if autoprovisioning {
 		config += `

third_party/terraform/utils/node_config.go.erb

@@ -124,6 +124,7 @@ var schemaNodeConfig = &schema.Schema{
 						return canonicalizeServiceScope(v.(string))
 					},
 				},
+				DiffSuppressFunc: containerClusterAddedScopesSuppress,
 				Set: stringScopeHashcode,
 			},
 

third_party/terraform/website/docs/r/container_cluster.html.markdown

@@ -362,6 +362,9 @@ cluster. Configuring the `cpu` and `memory` types is required if node
 auto-provisioning is enabled. These limits will apply to node pool autoscaling
 in addition to node auto-provisioning. Structure is documented below.
 
+* `auto_provisioning_defaults` - (Optional) Contains defaults for a node pool created by NAP.
+Structure is documented below.
+
 The `resource_limits` block supports:
 
 * `resource_type` - (Required) The type of the resource. For example, `cpu` and
@@ -372,6 +375,14 @@ for a list of types.
 
 * `maximum` - (Optional) Maximum amount of the resource in the cluster.
 
+The `auto_provisioning_defaults` block supports:
+
+* `oauth_scopes` - (Optional) Scopes that are used by NAP when creating node pools.
+If `oauth_scopes` are specified, `service_account` must be empty.
+
+* `service_account` - (Optional) The Google Cloud Platform Service Account to be used by the node VMs.
+If `service_account` is specified, `oauth_scopes` must be empty.
+
 The `authenticator_groups_config` block supports:
 
 * `security_group` - (Required) The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format `gke-security-groups@yourdomain.com`.