feat: Expose the grant_registry_access variable in safer-cluster (#509)

Issue: #508

Author: MartinPetkov

autogen/safer-cluster/main.tf.tmpl

@@ -95,7 +95,7 @@ module "gke" {
   create_service_account = var.compute_engine_service_account == "" ? true : false
   service_account        = var.compute_engine_service_account
   registry_project_id    = var.registry_project_id
-  grant_registry_access  = true
+  grant_registry_access  = var.grant_registry_access
 
   // Basic Auth disabled
   basic_auth_username = ""

autogen/safer-cluster/variables.tf.tmpl

@@ -205,7 +205,7 @@ variable "monitoring_service" {
 variable "grant_registry_access" {
   type        = bool
   description = "Grants created cluster-specific service account storage.objectViewer role."
-  default     = false
+  default     = true
 }
 
 variable "registry_project_id" {

modules/safer-cluster-update-variant/README.md

@@ -214,7 +214,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | bool | `"true"` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
-| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
+| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"true"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon. The addon allows whoever can create Ingress objects to expose an application to a public IP. Network policies or Gatekeeper policies should be used to verify that only authorized applications are exposed. | bool | `"true"` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no |

modules/safer-cluster-update-variant/main.tf

@@ -91,7 +91,7 @@ module "gke" {
   create_service_account = var.compute_engine_service_account == "" ? true : false
   service_account        = var.compute_engine_service_account
   registry_project_id    = var.registry_project_id
-  grant_registry_access  = true
+  grant_registry_access  = var.grant_registry_access
 
   // Basic Auth disabled
   basic_auth_username = ""

modules/safer-cluster-update-variant/variables.tf

@@ -205,7 +205,7 @@ variable "monitoring_service" {
 variable "grant_registry_access" {
   type        = bool
   description = "Grants created cluster-specific service account storage.objectViewer role."
-  default     = false
+  default     = true
 }
 
 variable "registry_project_id" {

modules/safer-cluster/README.md

@@ -214,7 +214,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | bool | `"true"` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
-| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
+| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"true"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon. The addon allows whoever can create Ingress objects to expose an application to a public IP. Network policies or Gatekeeper policies should be used to verify that only authorized applications are exposed. | bool | `"true"` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no |

modules/safer-cluster/main.tf

@@ -91,7 +91,7 @@ module "gke" {
   create_service_account = var.compute_engine_service_account == "" ? true : false
   service_account        = var.compute_engine_service_account
   registry_project_id    = var.registry_project_id
-  grant_registry_access  = true
+  grant_registry_access  = var.grant_registry_access
 
   // Basic Auth disabled
   basic_auth_username = ""

modules/safer-cluster/variables.tf

@@ -205,7 +205,7 @@ variable "monitoring_service" {
 variable "grant_registry_access" {
   type        = bool
   description = "Grants created cluster-specific service account storage.objectViewer role."
-  default     = false
+  default     = true
 }
 
 variable "registry_project_id" {