From 81d167d3e1ce721b421d2f94d3076e10902d3f45 Mon Sep 17 00:00:00 2001
From: Martin Petkov
Date: Tue, 5 May 2020 13:01:05 -0400
Subject: [PATCH] feat: Expose the grant_registry_access variable in safer-cluster (#509)
Issue: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/508
---
 autogen/safer-cluster/main.tf.tmpl | 2 +-
 autogen/safer-cluster/variables.tf.tmpl | 2 +-
 modules/safer-cluster-update-variant/README.md | 2 +-
 modules/safer-cluster-update-variant/main.tf | 2 +-
 modules/safer-cluster-update-variant/variables.tf | 2 +-
 modules/safer-cluster/README.md | 2 +-
 modules/safer-cluster/main.tf | 2 +-
 modules/safer-cluster/variables.tf | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl
index 507b637f44..82c368ba09 100644
--- a/autogen/safer-cluster/main.tf.tmpl
+++ b/autogen/safer-cluster/main.tf.tmpl
@@ -95,7 +95,7 @@ module "gke" {
 create_service_account = var.compute_engine_service_account == "" ? true : false
 service_account = var.compute_engine_service_account
 registry_project_id = var.registry_project_id
- grant_registry_access = true
+ grant_registry_access = var.grant_registry_access
 // Basic Auth disabled
 basic_auth_username = ""
diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl
index 85d9555a1e..bcce76b1e7 100644
--- a/autogen/safer-cluster/variables.tf.tmpl
+++ b/autogen/safer-cluster/variables.tf.tmpl
@@ -205,7 +205,7 @@ variable "monitoring_service" {
 variable "grant_registry_access" {
 type = bool
 description = "Grants created cluster-specific service account storage.objectViewer role."
- default = false
+ default = true
 }
 variable "registry_project_id" {
diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md
index 1ef75b9263..862df8d4e7 100644
--- a/modules/safer-cluster-update-variant/README.md
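Review bot: `grant_registry_access = var.grant_registry_access` in autogen/safer-cluster/main.tf.tmpl is passed whether or not this module creates the service account, yet a few lines above it `create_service_account` becomes false whenever `compute_engine_service_account` is supplied. The variable's description refers to the "created cluster-specific service account", so with a caller-supplied account the flag presumably binds nothing and image-pull access has to be granted outside the module; the inner module is not visible here, so this should be confirmed. I would add a comment above the line: `// Only takes effect when this module creates the service account; a supplied account needs its registry access granted separately.` The matching hunks in modules/safer-cluster-update-variant/main.tf and modules/safer-cluster/main.tf carry the same line, and the `module "gke"` block starts and ends outside the hunk.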
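Review bot: The `description` of `grant_registry_access` in autogen/safer-cluster/variables.tf.tmpl names the role but not where it is bound or when a caller should turn it off, which matters now that the default is `true` and the value reaches the module. `storage.objectViewer` allows reading Cloud Storage objects, and if the binding is project-wide (the hunk does not show it) it covers every bucket in the registry project rather than only image storage. I would reword it along the lines of `description = "Grants the created cluster-specific service account storage.objectViewer on the registry project so nodes can pull images; set to false if nodes do not pull from it."`, after checking the scope against the inner module. The same text appears in modules/safer-cluster-update-variant/variables.tf and modules/safer-cluster/variables.tf and in both README tables.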
+++ b/modules/safer-cluster-update-variant/README.md
@@ -214,7 +214,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | bool | `"true"` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
-| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
+| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"true"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon. The addon allows whoever can create Ingress objects to expose an application to a public IP. Network policies or Gatekeeper policies should be used to verify that only authorized applications are exposed. | bool | `"true"` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no |
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf
index 57bba6ba05..eae4f40239 100644
--- a/modules/safer-cluster-update-variant/main.tf
+++ b/modules/safer-cluster-update-variant/main.tf
@@ -91,7 +91,7 @@ module "gke" {
 create_service_account = var.compute_engine_service_account == "" ? true : false
 service_account = var.compute_engine_service_account
 registry_project_id = var.registry_project_id
- grant_registry_access = true
+ grant_registry_access = var.grant_registry_access
 // Basic Auth disabled
 basic_auth_username = ""
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf
index 02cbdb084d..3ffb9d091b 100644
--- a/modules/safer-cluster-update-variant/variables.tf
+++ b/modules/safer-cluster-update-variant/variables.tf
@@ -205,7 +205,7 @@ variable "monitoring_service" {
 variable "grant_registry_access" {
 type = bool
 description = "Grants created cluster-specific service account storage.objectViewer role."
- default = false
+ default = true
 }
 variable "registry_project_id" {
diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md
index 1ef75b9263..862df8d4e7 100644
--- a/modules/safer-cluster/README.md
+++ b/modules/safer-cluster/README.md
@@ -214,7 +214,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | bool | `"true"` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
-| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
+| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"true"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon. The addon allows whoever can create Ingress objects to expose an application to a public IP. Network policies or Gatekeeper policies should be used to verify that only authorized applications are exposed. | bool | `"true"` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no |
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf
index dc2d6657d5..9eaf20f6e9 100644
--- a/modules/safer-cluster/main.tf
+++ b/modules/safer-cluster/main.tf
@@ -91,7 +91,7 @@ module "gke" {
 create_service_account = var.compute_engine_service_account == "" ? true : false
 service_account = var.compute_engine_service_account
 registry_project_id = var.registry_project_id
- grant_registry_access = true
+ grant_registry_access = var.grant_registry_access
 // Basic Auth disabled
 basic_auth_username = ""
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
index 02cbdb084d..3ffb9d091b 100644
--- a/modules/safer-cluster/variables.tf
+++ b/modules/safer-cluster/variables.tf
@@ -205,7 +205,7 @@ variable "monitoring_service" {
 variable "grant_registry_access" {
 type = bool
 description = "Grants created cluster-specific service account storage.objectViewer role."
- default = false
+ default = true
 }
 variable "registry_project_id" {