From a21c4796a38458d808b488d027906b10b1f4c97f Mon Sep 17 00:00:00 2001
From: Brad Geesaman <bgeesaman@google.com>
Date: Fri, 9 Aug 2019 16:25:58 -0400
Subject: [PATCH 1/2] TF 12, Vault 1.2.0, Jenkinsfile formatting

---
 Jenkinsfile                | 151 ++++++++++++++++---------------------
 README.md                  |  12 ++-
 k8s-manifests/sidecar.yaml |   2 +-
 scripts/auth-to-vault.sh   |   3 +
 terraform/gcs.tf           |   4 +-
 terraform/iam.tf           |   8 +-
 terraform/main.tf          |  51 +++++++------
 terraform/network.tf       |  38 +++++-----
 terraform/outputs.tf       |  10 +--
 terraform/provider.tf      |  14 ++--
 terraform/variables.tf     |  10 +--
 terraform/vault.tf         |   8 +-
 12 files changed, 154 insertions(+), 157 deletions(-)

diff --git a/Jenkinsfile b/Jenkinsfile
index 76f80bf..b6d91a1 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -1,4 +1,5 @@
 #!/usr/bin/env groovy
+
 /*
 Copyright 2018 Google LLC
 
@@ -22,93 +23,75 @@ limitations under the License.
 // Reference: https://github.com/jenkinsci/kubernetes-plugin
 
 // set up pod label and GOOGLE_APPLICATION_CREDENTIALS (for Terraform)
-def label = "k8s-infra"
-def containerName = "k8s-node"
-def GOOGLE_APPLICATION_CREDENTIALS    = '/home/jenkins/dev/jenkins-deploy-dev-infra.json'
+def containerName = "vault"
+def GOOGLE_APPLICATION_CREDENTIALS = '/home/jenkins/dev/jenkins-deploy-dev-infra.json'
 // Tells the ./scripts/common.sh which VAULT_VERSION of the vault CLI binary to use
-def VAULT_VERSION = '1.0.2'
-
-podTemplate(label: label, yaml: """
-apiVersion: v1
-kind: Pod
-metadata:
-  labels:
-    jenkins: build-node
-spec:
-  containers:
-  - name: ${containerName}
-    image: gcr.io/pso-helmsman-cicd/jenkins-k8s-node:${env.CONTAINER_VERSION}
-    command: ['cat']
-    tty: true
-    volumeMounts:
-    # Mount the dev service account key
-    - name: dev-key
-      mountPath: /home/jenkins/dev
-    # Mount the host /dev/urandom to /dev/random for entropy
-    - name: random
-      mountPath: /dev/random
-  volumes:
-  # Create a volume that contains the dev json key that was saved as a secret
-  - name: dev-key
-    secret:
-      secretName: jenkins-deploy-dev-infra
-  # Host /dev/urandom to allow for entropy access
-  - name: random
-    hostPath:
-      path: /dev/urandom
-"""
- ) {
- node(label) {
-  try {
-    // Options covers all other job properties or wrapper functions that apply to entire Pipeline.
-    properties([disableConcurrentBuilds()])
-    // set env variable GOOGLE_APPLICATION_CREDENTIALS for Terraform
-    env.GOOGLE_APPLICATION_CREDENTIALS=GOOGLE_APPLICATION_CREDENTIALS
+def VAULT_VERSION = '1.2.0'
+def jenkins_container_version = env.JENKINS_CONTAINER_VERSION
 
-    stage('Setup') {
-        container(containerName) {
-          // checkout code from scm i.e. commits related to the PR
-          checkout scm
-
-          // Setup gcloud service account access
-          sh "gcloud auth activate-service-account --key-file=${GOOGLE_APPLICATION_CREDENTIALS}"
-          sh "gcloud config set compute/zone ${env.ZONE}"
-          sh "gcloud config set core/project ${env.PROJECT_ID}"
-          sh "gcloud config set compute/region ${env.REGION}"
-         }
-    }
-    stage('Lint') {
-        container(containerName) {
-          sh "make lint"
-      }
-    }
+podTemplate(
+    containers: [
+        containerTemplate(name: "${containerName}",
+            image: "gcr.io/pso-helmsman-cicd/jenkins-k8s-node:${jenkins_container_version}",
+            command: 'tail -f /dev/null',
+            resourceRequestCpu: '1000m',
+            resourceLimitCpu: '2000m',
+            resourceRequestMemory: '1Gi',
+            resourceLimitMemory: '2Gi'
+        )
+    ],
+    volumes: [secretVolume(mountPath: '/home/jenkins/dev',
+            secretName: 'jenkins-deploy-dev-infra'
+        ),
+        hostPathVolume(mountPath: '/dev/random', hostPath: '/dev/urandom')
+    ]
+) {
+    node(POD_LABEL) {
+        try {
+            // Options covers all other job properties or wrapper functions that apply to entire Pipeline.
+            properties([disableConcurrentBuilds()])
+            // set env variable GOOGLE_APPLICATION_CREDENTIALS for Terraform
+            env.GOOGLE_APPLICATION_CREDENTIALS = GOOGLE_APPLICATION_CREDENTIALS
 
-    stage('Create') {
-        container(containerName) {
-          sh "make create"
-        }
-    }
+            stage('Setup') {
+                container(containerName) {
+                    // checkout code from scm i.e. commits related to the PR
+                    checkout scm
 
-    stage('Validate') {
-        container(containerName) {
-          sh "make validate"
+                    // Setup gcloud service account access
+                    sh "gcloud auth activate-service-account --key-file=${GOOGLE_APPLICATION_CREDENTIALS}"
+                    sh "gcloud config set compute/zone ${env.ZONE}"
+                    sh "gcloud config set core/project ${env.PROJECT_ID}"
+                    sh "gcloud config set compute/region ${env.REGION}"
+                }
+            }
+            stage('Lint') {
+                container(containerName) {
+                    sh "make lint"
+                }
+            }
+            stage('Create') {
+                container(containerName) {
+                    sh "make create"
+                }
+            }
+            stage('Validate') {
+                container(containerName) {
+                    sh "make validate"
+                }
+            }
+        } catch (err) {
+            // if any exception occurs, mark the build as failed
+            // and display a detailed message on the Jenkins console output
+            currentBuild.result = 'FAILURE'
+            echo "FAILURE caught echo ${err}"
+            throw err
+        } finally {
+            stage('Teardown') {
+                container(containerName) {
+                    sh "make teardown"
+                }
+            }
         }
     }
-
-  }
-   catch (err) {
-      // if any exception occurs, mark the build as failed
-      // and display a detailed message on the Jenkins console output
-      currentBuild.result = 'FAILURE'
-      echo "FAILURE caught echo ${err}"
-      throw err
-   }
-   finally {
-     stage('Teardown') {
-      container(containerName) {
-        sh "make teardown"
-      }
-     }
-   }
-  }
-}
+}
\ No newline at end of file
diff --git a/README.md b/README.md
index decc95b..cc267b8 100644
--- a/README.md
+++ b/README.md
@@ -128,7 +128,7 @@ Recovery Seal Type       shamir
 Sealed                   false
 Total Recovery Shares    1
 Threshold                1
-Version                  1.0.0
+Version                  1.2.0
 Cluster Name             vault-cluster-be7094aa
 Cluster ID               ac0d2d33-61db-a06a-77d0-eb9c1e87b236
 HA Enabled               true
@@ -136,6 +136,12 @@ HA Cluster               https://10.24.1.3:8201
 HA Mode                  active
 ```
 
+Enable the `kv` store inside Vault:
+
+```console
+vault secrets enable -path=secret/ kv
+```
+
 Create a sample secret in Vault inside the custom `kv` path:
 
 ```console
@@ -181,7 +187,7 @@ Recovery Seal Type       shamir
 Sealed                   false
 Total Recovery Shares    1
 Threshold                1
-Version                  1.0.0
+Version                  1.2.0
 Cluster Name             vault-cluster-be7094aa
 Cluster ID               ac0d2d33-61db-a06a-77d0-eb9c1e87b236
 HA Enabled               true
@@ -320,7 +326,7 @@ Recovery Seal Type       shamir
 Sealed                   false
 Total Recovery Shares    1
 Threshold                1
-Version                  1.0.0
+Version                  1.2.0
 Cluster Name             vault-cluster-be7094aa
 Cluster ID               ac0d2d33-61db-a06a-77d0-eb9c1e87b236
 HA Enabled               true
diff --git a/k8s-manifests/sidecar.yaml b/k8s-manifests/sidecar.yaml
index 37dc0b5..51e95e4 100644
--- a/k8s-manifests/sidecar.yaml
+++ b/k8s-manifests/sidecar.yaml
@@ -51,7 +51,7 @@ spec:
       # The vault-authenticator container authenticates the container using the
       # kubernetes auth method and puts the resulting token on the filesystem.
       - name: vault-authenticator
-        image: registry.hub.docker.com/sethvargo/vault-kubernetes-authenticator:0.1.0
+        image: registry.hub.docker.com/sethvargo/vault-kubernetes-authenticator:0.3.0
         imagePullPolicy: Always
         volumeMounts:
         # The mount where the vault token will be written after login
diff --git a/scripts/auth-to-vault.sh b/scripts/auth-to-vault.sh
index 017d55b..c7d6cc9 100755
--- a/scripts/auth-to-vault.sh
+++ b/scripts/auth-to-vault.sh
@@ -99,6 +99,9 @@ vault write auth/kubernetes/config \
   kubernetes_ca_cert="${K8S_CACERT}" \
   token_reviewer_jwt="${TR_ACCOUNT_TOKEN}"
 
+# Enable the KV secrets backend
+vault secrets enable -path=secret/ kv
+
 # Create a policy to be referenced by a role to access the kv location secret/myapp/*
 vault policy write myapp-kv-rw - <<EOF
 path "secret/myapp/*" {
diff --git a/terraform/gcs.tf b/terraform/gcs.tf
index 95f2ec4..f4f56da 100644
--- a/terraform/gcs.tf
+++ b/terraform/gcs.tf
@@ -16,8 +16,8 @@ limitations under the License.
 
 # Create the storage bucket
 resource "google_storage_bucket" "app" {
-  name          = "${var.project}-gcs"
-  project       = "${var.project}"
+  name          = format("%s-gcs", var.project)
+  project       = var.project
   force_destroy = true
 
   depends_on = ["google_project_service.app_service"]
diff --git a/terraform/iam.tf b/terraform/iam.tf
index aacb4f0..623b1a6 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -16,9 +16,9 @@ limitations under the License.
 
 # Add user-specified roles
 resource "google_project_iam_member" "service-account" {
-  count      = "${length(var.service_account_roles)}"
-  project    = "${var.project}"
-  role       = "${element(var.service_account_roles, count.index)}"
-  member     = "serviceAccount:vault-server@${module.vault.project}.iam.gserviceaccount.com"
+  count      = length(var.service_account_roles)
+  project    = var.project
+  role       = element(var.service_account_roles, count.index)
+  member     = format("serviceAccount:vault-server@%s.iam.gserviceaccount.com", module.vault.project)
   depends_on = ["module.vault"]
 }
diff --git a/terraform/main.tf b/terraform/main.tf
index 0109983..1d7825f 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -17,22 +17,22 @@ limitations under the License.
 // Provides access to available Google Container Engine versions in a region for a given project.
 // https://www.terraform.io/docs/providers/google/d/google_container_engine_versions.html
 data "google_container_engine_versions" "gke_version" {
-  project = "${var.project}"
-  location  = "${var.region}"
+  project  = var.project
+  location = var.region
 }
 
 # Create the dedicated GKE service account for the application cluster
 resource "google_service_account" "app_cluster" {
   account_id   = "gke-vault-demo-app-cluster"
   display_name = "Application Cluster"
-  project      = "${var.project}"
+  project      = var.project
 }
 
 # Enable required services on the app cluster project
 resource "google_project_service" "app_service" {
-  count   = "${length(var.app_project_services)}"
-  project = "${var.project}"
-  service = "${element(var.app_project_services, count.index)}"
+  count   = length(var.app_project_services)
+  project = var.project
+  service = element(var.app_project_services, count.index)
 
   # Do not disable the service on destroy. On destroy, we are going to
   # destroy the project, but we need the APIs available to destroy the
@@ -42,18 +42,17 @@ resource "google_project_service" "app_service" {
 
 # Create the GKE cluster
 resource "google_container_cluster" "app" {
-  provider  = "google-beta"
-  name      = "${var.application_cluster_name}"
-  project   = "${var.project}"
-  location  = "${var.region}"
+  provider = "google-beta"
+  name     = var.application_cluster_name
+  project  = var.project
+  location = var.region
 
-  network    = "${google_compute_network.app-network.self_link}"
-  subnetwork = "${google_compute_subnetwork.app-subnetwork.self_link}"
+  network    = google_compute_network.app-network.self_link
+  subnetwork = google_compute_subnetwork.app-subnetwork.self_link
 
-  initial_node_count = "${var.num_nodes_per_zone}"
+  initial_node_count = var.num_nodes_per_zone
 
-  min_master_version = "${data.google_container_engine_versions.gke_version.latest_master_version}"
-  node_version       = "${data.google_container_engine_versions.gke_version.latest_node_version}"
+  min_master_version = data.google_container_engine_versions.gke_version.latest_master_version
 
   logging_service    = "logging.googleapis.com"
   monitoring_service = "monitoring.googleapis.com"
@@ -63,18 +62,18 @@ resource "google_container_cluster" "app" {
 
   node_config {
     machine_type    = "n1-standard-1"
-    service_account = "${google_service_account.app_cluster.email}"
+    service_account = google_service_account.app_cluster.email
 
     oauth_scopes = [
       "https://www.googleapis.com/auth/cloud-platform",
     ]
 
     # Set metadata on the VM to supply more entropy
-    metadata {
+    metadata = {
       google-compute-enable-virtio-rng = "true"
     }
 
-    labels {
+    labels = {
       service = "applications"
     }
 
@@ -118,19 +117,25 @@ resource "google_container_cluster" "app" {
   # Set the maintenance window.
   maintenance_policy {
     daily_maintenance_window {
-      start_time = "${var.daily_maintenance_window}"
+      start_time = var.daily_maintenance_window
     }
   }
 
   # Allocate IPs in our subnetwork
   ip_allocation_policy {
-    cluster_secondary_range_name  = "${google_compute_subnetwork.app-subnetwork.secondary_ip_range.0.range_name}"
-    services_secondary_range_name = "${google_compute_subnetwork.app-subnetwork.secondary_ip_range.1.range_name}"
+    cluster_secondary_range_name  = google_compute_subnetwork.app-subnetwork.secondary_ip_range.0.range_name
+    services_secondary_range_name = google_compute_subnetwork.app-subnetwork.secondary_ip_range.1.range_name
   }
 
   # Specify the list of CIDRs which can access the GKE API Server
   master_authorized_networks_config {
-    cidr_blocks = ["${var.kubernetes_master_authorized_networks}"]
+    dynamic "cidr_blocks" {
+      for_each = var.kubernetes_master_authorized_networks
+      content {
+        cidr_block   = cidr_blocks.value.cidr_block
+        display_name = cidr_blocks.value.display_name
+      }
+    }
   }
 
   # Configure the cluster to be private (not have public facing IPs)
@@ -143,7 +148,7 @@ resource "google_container_cluster" "app" {
     enable_private_endpoint = false
 
     enable_private_nodes   = true
-    master_ipv4_cidr_block = "${var.kubernetes_masters_ipv4_cidr}"
+    master_ipv4_cidr_block = var.kubernetes_masters_ipv4_cidr
   }
 
   depends_on = [
diff --git a/terraform/network.tf b/terraform/network.tf
index af8b6b0..c483fa1 100644
--- a/terraform/network.tf
+++ b/terraform/network.tf
@@ -18,8 +18,8 @@ limitations under the License.
 resource "google_compute_address" "app-nat" {
   count   = 2
   name    = "app-nat-external-${count.index}"
-  project = "${var.project}"
-  region  = "${var.region}"
+  project = var.project
+  region  = var.region
 
   depends_on = [
     "google_project_service.app_service",
@@ -29,7 +29,7 @@ resource "google_compute_address" "app-nat" {
 # Create a network for GKE
 resource "google_compute_network" "app-network" {
   name                    = "app-network"
-  project                 = "${var.project}"
+  project                 = var.project
   auto_create_subnetworks = false
 
   depends_on = [
@@ -40,30 +40,30 @@ resource "google_compute_network" "app-network" {
 # Create subnets
 resource "google_compute_subnetwork" "app-subnetwork" {
   name          = "app-subnetwork"
-  project       = "${var.project}"
-  network       = "${google_compute_network.app-network.self_link}"
-  region        = "${var.region}"
-  ip_cidr_range = "${var.kubernetes_network_ipv4_cidr}"
+  project       = var.project
+  network       = google_compute_network.app-network.self_link
+  region        = var.region
+  ip_cidr_range = var.kubernetes_network_ipv4_cidr
 
   private_ip_google_access = true
 
   secondary_ip_range {
     range_name    = "app-pods"
-    ip_cidr_range = "${var.kubernetes_pods_ipv4_cidr}"
+    ip_cidr_range = var.kubernetes_pods_ipv4_cidr
   }
 
   secondary_ip_range {
     range_name    = "app-svcs"
-    ip_cidr_range = "${var.kubernetes_services_ipv4_cidr}"
+    ip_cidr_range = var.kubernetes_services_ipv4_cidr
   }
 }
 
 # Create a NAT router so the nodes can reach DockerHub, etc
 resource "google_compute_router" "app-router" {
   name    = "app-router"
-  project = "${var.project}"
-  region  = "${var.region}"
-  network = "${google_compute_network.app-network.self_link}"
+  project = var.project
+  region  = var.region
+  network = google_compute_network.app-network.self_link
 
   bgp {
     asn = 64514
@@ -72,22 +72,22 @@ resource "google_compute_router" "app-router" {
 
 resource "google_compute_router_nat" "app-nat" {
   name    = "app-nat-1"
-  project = "${var.project}"
-  router  = "${google_compute_router.app-router.name}"
-  region  = "${var.region}"
+  project = var.project
+  router  = google_compute_router.app-router.name
+  region  = var.region
 
   nat_ip_allocate_option = "MANUAL_ONLY"
-  nat_ips                = ["${google_compute_address.app-nat.*.self_link}"]
+  nat_ips                = google_compute_address.app-nat.*.self_link
 
   source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
 
   subnetwork {
-    name                    = "${google_compute_subnetwork.app-subnetwork.self_link}"
+    name                    = google_compute_subnetwork.app-subnetwork.self_link
     source_ip_ranges_to_nat = ["PRIMARY_IP_RANGE", "LIST_OF_SECONDARY_IP_RANGES"]
 
     secondary_ip_range_names = [
-      "${google_compute_subnetwork.app-subnetwork.secondary_ip_range.0.range_name}",
-      "${google_compute_subnetwork.app-subnetwork.secondary_ip_range.1.range_name}",
+      google_compute_subnetwork.app-subnetwork.secondary_ip_range.0.range_name,
+      google_compute_subnetwork.app-subnetwork.secondary_ip_range.1.range_name,
     ]
   }
 }
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
index c8b3fc6..634b70a 100644
--- a/terraform/outputs.tf
+++ b/terraform/outputs.tf
@@ -15,21 +15,21 @@ limitations under the License.
 */
 
 output "vault-address" {
-  value = "${module.vault.address}"
+  value = module.vault.address
 }
 
 output "vault-root-token" {
-  value = "${module.vault.root_token}"
+  value = module.vault.root_token
 }
 
 output "vault-project" {
-  value = "${module.vault.project}"
+  value = module.vault.project
 }
 
 output "vault-region" {
-  value = "${module.vault.region}"
+  value = module.vault.region
 }
 
 output "application-cluster-name" {
-  value = "${var.application_cluster_name}"
+  value = var.application_cluster_name
 }
diff --git a/terraform/provider.tf b/terraform/provider.tf
index db9d601..cfedc26 100644
--- a/terraform/provider.tf
+++ b/terraform/provider.tf
@@ -16,18 +16,18 @@ limitations under the License.
 
 // Configles the Google Cloud Provider with default settings
 provider "google" {
-  project = "${var.project}"
-  version = "~> 2.5.1"
+  project = var.project
+  version = "~> 2.12.0"
 }
 provider "google-beta" {
-  project = "${var.project}"
-  version = "~> 2.5.1"
+  project = var.project
+  version = "~> 2.12.0"
 }
 provider "http" {
-  version = "~> 1.0.0"
+  version = "~> 1.1.1"
 }
 provider "kubernetes" {
-  version = "~> 1.6.0"
+  version = "~> 1.8.1"
 }
 provider "null" {
   version = "~> 2.1.2"
@@ -39,5 +39,5 @@ provider "template" {
   version = "~> 2.1.2"
 }
 provider "tls" {
-  version = "~> 1.2.0"
+  version = "~> 2.0.1"
 }
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 8b94c75..832bf54 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -90,13 +90,13 @@ EOF
 }
 
 variable "daily_maintenance_window" {
-  type        = "string"
-  default     = "06:00"
+  type = "string"
+  default = "06:00"
   description = "The 4 hr block each day when we want GKE to perform maintenance if needed."
 }
 
 variable "kubernetes_network_ipv4_cidr" {
-  type    = "string"
+  type = "string"
   default = "10.0.96.0/22"
 
   description = <<EOF
@@ -116,7 +116,7 @@ EOF
 }
 
 variable "kubernetes_services_ipv4_cidr" {
-  type    = "string"
+  type = "string"
   default = "10.0.88.0/22"
 
   description = <<EOF
@@ -141,7 +141,7 @@ variable "kubernetes_master_authorized_networks" {
   default = [
     {
       display_name = "Anyone"
-      cidr_block   = "0.0.0.0/0"
+      cidr_block = "0.0.0.0/0"
     },
   ]
 
diff --git a/terraform/vault.tf b/terraform/vault.tf
index 11c6431..1c08ed5 100644
--- a/terraform/vault.tf
+++ b/terraform/vault.tf
@@ -16,8 +16,8 @@ limitations under the License.
 
 module "vault" {
   source                                = "github.com/sethvargo/vault-on-gke//terraform"
-  org_id                                = "${var.org_id}"
-  billing_account                       = "${var.billing_account}"
-  kubernetes_master_authorized_networks = "${var.kubernetes_master_authorized_networks}"
-  project                               = "${var.vault_project}"
+  org_id                                = var.org_id
+  billing_account                       = var.billing_account
+  kubernetes_master_authorized_networks = var.kubernetes_master_authorized_networks
+  project                               = var.vault_project
 }

From 55a62aec8be8b647a5905a20f2f5712adbef4a98 Mon Sep 17 00:00:00 2001
From: Brad Geesaman <bgeesaman@google.com>
Date: Tue, 13 Aug 2019 14:41:05 -0400
Subject: [PATCH 2/2] fix IAM permissions and linting

---
 terraform/iam.tf       | 10 +++++++++-
 terraform/main.tf      |  7 ++++++-
 terraform/variables.tf | 12 ++++++++++++
 test/make.sh           |  6 ++++--
 4 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/terraform/iam.tf b/terraform/iam.tf
index 623b1a6..93f09a5 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -14,7 +14,15 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-# Add user-specified roles
+# Add user-specified roles to App SA
+resource "google_project_iam_member" "app-service-account" {
+  count   = length(var.app_service_account_roles)
+  project = var.project
+  role    = element(var.app_service_account_roles, count.index)
+  member  = format("serviceAccount:gke-vault-demo-app-cluster@%s.iam.gserviceaccount.com", var.project)
+}
+
+# Add user-specified roles to Vault SA
 resource "google_project_iam_member" "service-account" {
   count      = length(var.service_account_roles)
   project    = var.project
diff --git a/terraform/main.tf b/terraform/main.tf
index 1d7825f..fcdd0a9 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -65,7 +65,12 @@ resource "google_container_cluster" "app" {
     service_account = google_service_account.app_cluster.email
 
     oauth_scopes = [
-      "https://www.googleapis.com/auth/cloud-platform",
+      "https://www.googleapis.com/auth/devstorage.read_only",
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring",
+      "https://www.googleapis.com/auth/servicecontrol",
+      "https://www.googleapis.com/auth/service.management.readonly",
+      "https://www.googleapis.com/auth/trace.append"
     ]
 
     # Set metadata on the VM to supply more entropy
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 832bf54..da4f88e 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -178,3 +178,15 @@ List of roles to be granted to the vault-server SA in this application cluster
 project for managing SAs and SA Keys.
 EOF
 }
+
+variable "app_service_account_roles" {
+  type = "list"
+
+  default = [
+    "roles/editor"
+  ]
+
+  description = <<EOF
+List of roles to be granted to the App cluster SA Node Pool.
+EOF
+}
diff --git a/test/make.sh b/test/make.sh
index 9377027..9a225bf 100644
--- a/test/make.sh
+++ b/test/make.sh
@@ -48,8 +48,10 @@ function docker() {
 # files ending in '.tf'
 function check_terraform() {
   echo "Running terraform validate"
-  #shellcheck disable=SC2156
-  find . -name "*.tf" -exec bash -c 'terraform validate --check-variables=false $(dirname "{}")' \;
+  REPO_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
+  cd "${REPO_ROOT}/terraform" || exit
+  terraform init
+  terraform validate
 }
 
 # This function runs 'go fmt' and 'go vet' on eery file