Use existing var grant_registry_access

README.md

@@ -132,7 +132,6 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` | <pre>[<br>  "8443",<br>  "9443",<br>  "15017"<br>]</pre> | no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
-| grant\_artifact\_registry\_access | Grants created cluster-specific service account artifactregistry.reader role. | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |

autogen/main/sa.tf.tmpl

@@ -77,7 +77,7 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
 }
 
 resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
-  count   = var.create_service_account && var.grant_artifact_registry_access ? 1 : 0
+  count   = var.create_service_account && var.grant_registry_access ? 1 : 0
   project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
   role    = "roles/artifactregistry.reader"
   member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"

autogen/main/variables.tf.tmpl

@@ -333,12 +333,6 @@ variable "grant_registry_access" {
   default     = false
 }
 
-variable "grant_artifact_registry_access" {
-  type        = bool
-  description = "Grants created cluster-specific service account artifactregistry.reader role."
-  default     = false
-}
-
 variable "registry_project_id" {
   type        = string
   description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. If grant_artifact_registry_access is true, artifactregistry.reader role is assigned on this project."

autogen/safer-cluster/variables.tf.tmpl

@@ -208,12 +208,6 @@ variable "grant_registry_access" {
   default     = true
 }
 
-variable "grant_artifact_registry_access" {
-  type        = bool
-  description = "Grants created cluster-specific service account artifactregistry.reader role."
-  default     = false
-}
-
 variable "registry_project_id" {
   type        = string
   description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. If grant_artifact_registry_access is true, artifactregistry.reader role is assigned on this project."

modules/beta-private-cluster-update-variant/README.md

@@ -178,7 +178,6 @@ Then perform the following commands on the root folder:
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no |
 | gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
-| grant\_artifact\_registry\_access | Grants created cluster-specific service account artifactregistry.reader role. | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |

modules/beta-private-cluster-update-variant/sa.tf

@@ -77,7 +77,7 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
 }
 
 resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
-  count   = var.create_service_account && var.grant_artifact_registry_access ? 1 : 0
+  count   = var.create_service_account && var.grant_registry_access ? 1 : 0
   project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
   role    = "roles/artifactregistry.reader"
   member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"

modules/beta-private-cluster-update-variant/variables.tf

@@ -323,12 +323,6 @@ variable "grant_registry_access" {
   default     = false
 }
 
-variable "grant_artifact_registry_access" {
-  type        = bool
-  description = "Grants created cluster-specific service account artifactregistry.reader role."
-  default     = false
-}
-
 variable "registry_project_id" {
   type        = string
   description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. If grant_artifact_registry_access is true, artifactregistry.reader role is assigned on this project."

modules/beta-private-cluster/README.md

@@ -156,7 +156,6 @@ Then perform the following commands on the root folder:
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no |
 | gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
-| grant\_artifact\_registry\_access | Grants created cluster-specific service account artifactregistry.reader role. | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |

modules/beta-private-cluster/sa.tf

@@ -77,7 +77,7 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
 }
 
 resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
-  count   = var.create_service_account && var.grant_artifact_registry_access ? 1 : 0
+  count   = var.create_service_account && var.grant_registry_access ? 1 : 0
   project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
   role    = "roles/artifactregistry.reader"
   member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"

modules/beta-private-cluster/variables.tf

@@ -323,12 +323,6 @@ variable "grant_registry_access" {
   default     = false
 }
 
-variable "grant_artifact_registry_access" {
-  type        = bool
-  description = "Grants created cluster-specific service account artifactregistry.reader role."
-  default     = false
-}
-
 variable "registry_project_id" {
   type        = string
   description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. If grant_artifact_registry_access is true, artifactregistry.reader role is assigned on this project."

modules/beta-public-cluster-update-variant/README.md

@@ -169,7 +169,6 @@ Then perform the following commands on the root folder:
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no |
 | gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
-| grant\_artifact\_registry\_access | Grants created cluster-specific service account artifactregistry.reader role. | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |

modules/beta-public-cluster-update-variant/sa.tf

@@ -77,7 +77,7 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
 }
 
 resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
-  count   = var.create_service_account && var.grant_artifact_registry_access ? 1 : 0
+  count   = var.create_service_account && var.grant_registry_access ? 1 : 0
   project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
   role    = "roles/artifactregistry.reader"
   member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"

modules/beta-public-cluster-update-variant/variables.tf

@@ -323,12 +323,6 @@ variable "grant_registry_access" {
   default     = false
 }
 
-variable "grant_artifact_registry_access" {
-  type        = bool
-  description = "Grants created cluster-specific service account artifactregistry.reader role."
-  default     = false
-}
-
 variable "registry_project_id" {
   type        = string
   description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. If grant_artifact_registry_access is true, artifactregistry.reader role is assigned on this project."

modules/beta-public-cluster/README.md

@@ -147,7 +147,6 @@ Then perform the following commands on the root folder:
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no |
 | gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
-| grant\_artifact\_registry\_access | Grants created cluster-specific service account artifactregistry.reader role. | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |

modules/beta-public-cluster/sa.tf

@@ -77,7 +77,7 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
 }
 
 resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
-  count   = var.create_service_account && var.grant_artifact_registry_access ? 1 : 0
+  count   = var.create_service_account && var.grant_registry_access ? 1 : 0
   project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
   role    = "roles/artifactregistry.reader"
   member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"

modules/beta-public-cluster/variables.tf

@@ -323,12 +323,6 @@ variable "grant_registry_access" {
   default     = false
 }
 
-variable "grant_artifact_registry_access" {
-  type        = bool
-  description = "Grants created cluster-specific service account artifactregistry.reader role."
-  default     = false
-}
-
 variable "registry_project_id" {
   type        = string
   description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. If grant_artifact_registry_access is true, artifactregistry.reader role is assigned on this project."

modules/private-cluster-update-variant/README.md

@@ -163,7 +163,6 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` | <pre>[<br>  "8443",<br>  "9443",<br>  "15017"<br>]</pre> | no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
-| grant\_artifact\_registry\_access | Grants created cluster-specific service account artifactregistry.reader role. | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |

modules/private-cluster-update-variant/sa.tf

@@ -77,7 +77,7 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
 }
 
 resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
-  count   = var.create_service_account && var.grant_artifact_registry_access ? 1 : 0
+  count   = var.create_service_account && var.grant_registry_access ? 1 : 0
   project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
   role    = "roles/artifactregistry.reader"
   member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"

modules/private-cluster-update-variant/variables.tf

@@ -298,12 +298,6 @@ variable "grant_registry_access" {
   default     = false
 }
 
-variable "grant_artifact_registry_access" {
-  type        = bool
-  description = "Grants created cluster-specific service account artifactregistry.reader role."
-  default     = false
-}
-
 variable "registry_project_id" {
   type        = string
   description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. If grant_artifact_registry_access is true, artifactregistry.reader role is assigned on this project."

modules/private-cluster/README.md

@@ -141,7 +141,6 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` | <pre>[<br>  "8443",<br>  "9443",<br>  "15017"<br>]</pre> | no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
-| grant\_artifact\_registry\_access | Grants created cluster-specific service account artifactregistry.reader role. | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |

modules/private-cluster/sa.tf

@@ -77,7 +77,7 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
 }
 
 resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
-  count   = var.create_service_account && var.grant_artifact_registry_access ? 1 : 0
+  count   = var.create_service_account && var.grant_registry_access ? 1 : 0
   project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
   role    = "roles/artifactregistry.reader"
   member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"

modules/private-cluster/variables.tf

@@ -298,12 +298,6 @@ variable "grant_registry_access" {
   default     = false
 }
 
-variable "grant_artifact_registry_access" {
-  type        = bool
-  description = "Grants created cluster-specific service account artifactregistry.reader role."
-  default     = false
-}
-
 variable "registry_project_id" {
   type        = string
   description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. If grant_artifact_registry_access is true, artifactregistry.reader role is assigned on this project."

modules/safer-cluster-update-variant/README.md

@@ -221,7 +221,6 @@ For simplicity, we suggest using `roles/container.admin` and
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` | <pre>[<br>  "8443",<br>  "9443",<br>  "15017"<br>]</pre> | no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
-| grant\_artifact\_registry\_access | Grants created cluster-specific service account artifactregistry.reader role. | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `true` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon. The addon allows whoever can create Ingress objects to expose an application to a public IP. Network policies or Gatekeeper policies should be used to verify that only authorized applications are exposed. | `bool` | `true` | no |

modules/safer-cluster-update-variant/variables.tf

@@ -208,12 +208,6 @@ variable "grant_registry_access" {
   default     = true
 }
 
-variable "grant_artifact_registry_access" {
-  type        = bool
-  description = "Grants created cluster-specific service account artifactregistry.reader role."
-  default     = false
-}
-
 variable "registry_project_id" {
   type        = string
   description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. If grant_artifact_registry_access is true, artifactregistry.reader role is assigned on this project."

modules/safer-cluster/README.md

@@ -221,7 +221,6 @@ For simplicity, we suggest using `roles/container.admin` and
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` | <pre>[<br>  "8443",<br>  "9443",<br>  "15017"<br>]</pre> | no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
-| grant\_artifact\_registry\_access | Grants created cluster-specific service account artifactregistry.reader role. | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `true` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon. The addon allows whoever can create Ingress objects to expose an application to a public IP. Network policies or Gatekeeper policies should be used to verify that only authorized applications are exposed. | `bool` | `true` | no |

modules/safer-cluster/variables.tf

@@ -208,12 +208,6 @@ variable "grant_registry_access" {
   default     = true
 }
 
-variable "grant_artifact_registry_access" {
-  type        = bool
-  description = "Grants created cluster-specific service account artifactregistry.reader role."
-  default     = false
-}
-
 variable "registry_project_id" {
   type        = string
   description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. If grant_artifact_registry_access is true, artifactregistry.reader role is assigned on this project."

sa.tf

@@ -77,7 +77,7 @@ resource "google_project_iam_member" "cluster_service_account-gcr" {
 }
 
 resource "google_project_iam_member" "cluster_service_account-artifact-registry" {
-  count   = var.create_service_account && var.grant_artifact_registry_access ? 1 : 0
+  count   = var.create_service_account && var.grant_registry_access ? 1 : 0
   project = var.registry_project_id == "" ? var.project_id : var.registry_project_id
   role    = "roles/artifactregistry.reader"
   member  = "serviceAccount:${google_service_account.cluster_service_account[0].email}"

variables.tf

@@ -298,12 +298,6 @@ variable "grant_registry_access" {
   default     = false
 }
 
-variable "grant_artifact_registry_access" {
-  type        = bool
-  description = "Grants created cluster-specific service account artifactregistry.reader role."
-  default     = false
-}
-
 variable "registry_project_id" {
   type        = string
   description = "Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. If grant_artifact_registry_access is true, artifactregistry.reader role is assigned on this project."