update terraform config: specific scopes needed to use auto-unseal. Right now a pre-made service account is used, but will be replaced later

test/terraform/main.tf

@@ -5,6 +5,7 @@ locals {
 provider "google" {
   project = "${var.project}"
   region  = "us-central1"
+
   credentials = "${file("vault-helm-dev-creds.json")}"
 }
 
@@ -16,11 +17,9 @@ data "google_container_engine_versions" "main" {
   zone = "${var.zone}"
 }
 
-#data "google_container_cluster" "cluster" {
+data "google_service_account" "gcpapi" {
-#  name    = "cluster-1"
+  account_id = "${var.gcp_service_account}"
-#  zone    = "${var.zone}"
+}
-#  project = "${var.project}"
-#}
 
 resource "google_container_cluster" "cluster" {
   name               = "vault-helm-dev-${random_id.suffix.dec}"
@@ -30,6 +29,22 @@ resource "google_container_cluster" "cluster" {
   zone               = "${var.zone}"
   min_master_version = "${data.google_container_engine_versions.main.latest_master_version}"
   node_version       = "${data.google_container_engine_versions.main.latest_node_version}"
+
+  node_config {
+    #service account for nodes to use
+    oauth_scopes = [
+      "https://www.googleapis.com/auth/cloud-platform",
+      "https://www.googleapis.com/auth/compute",
+      "https://www.googleapis.com/auth/devstorage.read_write",
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring",
+      "https://www.googleapis.com/auth/service.management.readonly",
+      "https://www.googleapis.com/auth/servicecontrol",
+      "https://www.googleapis.com/auth/trace.append",
+    ]
+
+    service_account = "${data.google_service_account.gcpapi.email}"
+  }
 }
 
 resource "null_resource" "kubectl" {

test/terraform/variables.tf

@@ -17,3 +17,12 @@ variable "init_cli" {
   default     = true
   description = "Whether to init the CLI tools kubectl, helm, etc. or not."
 }
+
+variable "gcp_service_account" {
+  default = "vault-helm-dev"
+
+  description = <<EOF
+Service account used on the nodes to manage/use the API, specifically needed
+for using auto-unseal
+EOF
+}