From 0961613d7e8be391422e5a411801e2737280c2c3 Mon Sep 17 00:00:00 2001 From: Martin Petkov Date: Tue, 5 May 2020 13:01:05 -0400 Subject: [PATCH] feat: Expose the grant_registry_access variable in safer-cluster (#509) Issue: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/508 --- autogen/safer-cluster/main.tf.tmpl | 2 +- autogen/safer-cluster/variables.tf.tmpl | 2 +- modules/safer-cluster-update-variant/README.md | 2 +- modules/safer-cluster-update-variant/main.tf | 2 +- modules/safer-cluster-update-variant/variables.tf | 2 +- modules/safer-cluster/README.md | 2 +- modules/safer-cluster/main.tf | 2 +- modules/safer-cluster/variables.tf | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl index 507b637f4..82c368ba0 100644 --- a/autogen/safer-cluster/main.tf.tmpl +++ b/autogen/safer-cluster/main.tf.tmpl @@ -95,7 +95,7 @@ module "gke" { create_service_account = var.compute_engine_service_account == "" ? true : false service_account = var.compute_engine_service_account registry_project_id = var.registry_project_id - grant_registry_access = true + grant_registry_access = var.grant_registry_access // Basic Auth disabled basic_auth_username = "" diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl index 85d9555a1..bcce76b1e 100644 --- a/autogen/safer-cluster/variables.tf.tmpl +++ b/autogen/safer-cluster/variables.tf.tmpl @@ -205,7 +205,7 @@ variable "monitoring_service" { variable "grant_registry_access" { type = bool description = "Grants created cluster-specific service account storage.objectViewer role." - default = false + default = true } variable "registry_project_id" { diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md index 1ef75b926..862df8d4e 100644 --- a/modules/safer-cluster-update-variant/README.md 
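Review bot: The now-optional `grant_registry_access` argument in the `module "gke"` block sits directly under `create_service_account = var.compute_engine_service_account == "" ? true : false`, with no comment on how the two interact. The variable's description speaks of the "created" service account, so when a caller passes their own `compute_engine_service_account` the flag presumably grants nothing and image pulls depend on bindings made outside this module. That is worth confirming against the underlying module and stating here. I would add above the line something like `// Only applies to the service account created by this module; a caller-supplied account needs registry read access granted separately.` The same line is changed in modules/safer-cluster/main.tf and modules/safer-cluster-update-variant/main.tf, and the `module "gke"` block starts and ends outside the hunk.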
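Review bot: The description of `grant_registry_access` does not say where `storage.objectViewer` is bound or what a caller takes on by turning it off, which matters now that the flag is reachable from safer-cluster. If the underlying module binds the role at project level on `registry_project_id` (not visible in this diff), the node service account can read objects in every bucket of that project, not only the registry's, so callers who want a narrower grant need to know that `false` is the opt-out. I would extend the text to `description = "Grants the created cluster-specific service account the storage.objectViewer role for pulling images; set to false to manage registry access yourself (for example a bucket-level binding)."` The default flip from `false` to `true` matches what main.tf hard-coded before, so existing callers see no change. The same declaration is in modules/safer-cluster/variables.tf and modules/safer-cluster-update-variant/variables.tf, and the README rows repeat the description.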
+++ b/modules/safer-cluster-update-variant/README.md @@ -214,7 +214,7 @@ For simplicity, we suggest using `roles/container.admin` and | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | bool | `"true"` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no | -| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no | +| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"true"` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no | | http\_load\_balancing | Enable httpload balancer addon. The addon allows whoever can create Ingress objects to expose an application to a public IP. Network policies or Gatekeeper policies should be used to verify that only authorized applications are exposed. | bool | `"true"` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no | diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf index 57bba6ba0..eae4f4023 100644 --- a/modules/safer-cluster-update-variant/main.tf +++ b/modules/safer-cluster-update-variant/main.tf 
@@ -91,7 +91,7 @@ module "gke" { create_service_account = var.compute_engine_service_account == "" ? true : false service_account = var.compute_engine_service_account registry_project_id = var.registry_project_id - grant_registry_access = true + grant_registry_access = var.grant_registry_access // Basic Auth disabled basic_auth_username = "" diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf index 02cbdb084..3ffb9d091 100644 --- a/modules/safer-cluster-update-variant/variables.tf +++ b/modules/safer-cluster-update-variant/variables.tf @@ -205,7 +205,7 @@ variable "monitoring_service" { variable "grant_registry_access" { type = bool description = "Grants created cluster-specific service account storage.objectViewer role." - default = false + default = true } variable "registry_project_id" { diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md index 1ef75b926..862df8d4e 100644 --- a/modules/safer-cluster/README.md +++ b/modules/safer-cluster/README.md 
@@ -214,7 +214,7 @@ For simplicity, we suggest using `roles/container.admin` and | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | bool | `"true"` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no | -| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no | +| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"true"` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no | | http\_load\_balancing | Enable httpload balancer addon. The addon allows whoever can create Ingress objects to expose an application to a public IP. Network policies or Gatekeeper policies should be used to verify that only authorized applications are exposed. | bool | `"true"` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no | diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf index dc2d6657d..9eaf20f6e 100644 --- a/modules/safer-cluster/main.tf +++ b/modules/safer-cluster/main.tf @@ -91,7 +91,7 @@ module "gke" { create_service_account = var.compute_engine_service_account == "" ? true : false service_account = var.compute_engine_service_account registry_project_id = var.registry_project_id - grant_registry_access = true + grant_registry_access = var.grant_registry_access // Basic Auth disabled basic_auth_username = "" 
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf index 02cbdb084..3ffb9d091 100644 --- a/modules/safer-cluster/variables.tf +++ b/modules/safer-cluster/variables.tf @@ -205,7 +205,7 @@ variable "monitoring_service" { variable "grant_registry_access" { type = bool description = "Grants created cluster-specific service account storage.objectViewer role." - default = false + default = true } variable "registry_project_id" {