Add feature to define individual oauth scopes to node pools

[lantier]

Recently I had a problem where some applications that use specific GCP oauth_scopes didn't recognize the scope cloud-platform (which was the default implementation of this module) as the necessary scope.

Another point is when in some situation we may need to limit scopes for some specific pools or cluster so I was thinking that may be useful to introduce manual implementation of scopes as a feature. (The default still is the cloud-platform

The module execution is similar (as in the README) as the other node_pool configuration:

node_pools_oauth_scopes = {
    all   = ["https://www.googleapis.com/auth/storage-rw"]
    small = [
      "https://www.googleapis.com/auth/cloud-vision",
      "https://www.googleapis.com/auth/ediscovery"
    ]
  }

[adrienthebo]

Thanks for submitting this pull request! (And thanks for your patience on getting this review, we've been getting CI issues resolved so that we can validate pull requests like this.)

Before we dig into this change closely, I noticed that oauth scopes on node pools are no longer granted on GKE 1.10 and later. Is this pull request adding support for GKE 1.9 and older, or is there utility for oauth scopes in GKE 1.10+ that will be of continued use?

[morgante]

Changes look good, but CI is failing.

[adrienthebo]

Here's a copy of the current CI failures:

-----> Converging <node-pool-local>...
       Terraform v0.11.10
       
       Your version of Terraform is out of date! The latest version
       is 0.11.13. You can update by downloading from www.terraform.io/downloads.html
$$$$$$ Running command `terraform workspace select kitchen-terraform-node-pool-local` in directory /tmp/build/859ab044/terraform-google-kubernetes-engine/test/fixtures/node_pool
$$$$$$ Running command `terraform get -update` in directory /tmp/build/859ab044/terraform-google-kubernetes-engine/test/fixtures/node_pool
       - module.example
         Updating source "../../../examples/node_pool"
       - module.example.gke
         Updating source "../../"
$$$$$$ Running command `terraform validate -check-variables=true   ` in directory /tmp/build/859ab044/terraform-google-kubernetes-engine/test/fixtures/node_pool
       
       Error: module.example.module.gke.google_container_node_pool.zonal_pools: 2 error(s) occurred:
       
       * module.example.module.gke.google_container_node_pool.zonal_pools[0]: key "pool-01" does not exist in map var.node_pools_oauth_scopes in:
       
       ${concat(var.node_pools_oauth_scopes["all"], var.node_pools_oauth_scopes[lookup(var.node_pools[count.index], "name")])}
       * module.example.module.gke.google_container_node_pool.zonal_pools[1]: key "pool-02" does not exist in map var.node_pools_oauth_scopes in:
       
       ${concat(var.node_pools_oauth_scopes["all"], var.node_pools_oauth_scopes[lookup(var.node_pools[count.index], "name")])}
       

I bet that we can resolve this issue by adding a default value for the node_poollookup(var.node_pools[count.index], "name") expression. Perhaps lookup(var.node_pools[count.index], "name", list()) with a default value work work. Could you give that a shot?

[thiagonache]

Hey folks (@adrienthebo @aaron-lane @Jberlinsky @morgante ), when can we expect it to be merged? This is a very important feature.

[morgante]

This LGTM, I'm going to merge into our v2.0.0 release branch.