[Terraform] new option "scopes" to define OAuth scopes for provider (#2888)

Signed-off-by: Modular Magician <magic-modules@google.com>

google/config.go

@@ -54,6 +54,7 @@ type Config struct {
 	Project     string
 	Region      string
 	Zone        string
+	Scopes      []string
 
 	client    *http.Client
 	userAgent string
@@ -95,15 +96,19 @@ type Config struct {
 	bigtableClientFactory *BigtableClientFactory
 }
 
+var defaultClientScopes = []string{
+	"https://www.googleapis.com/auth/compute",
+	"https://www.googleapis.com/auth/cloud-platform",
+	"https://www.googleapis.com/auth/ndev.clouddns.readwrite",
+	"https://www.googleapis.com/auth/devstorage.full_control",
+}
+
 func (c *Config) loadAndValidate() error {
-	clientScopes := []string{
-		"https://www.googleapis.com/auth/compute",
-		"https://www.googleapis.com/auth/cloud-platform",
-		"https://www.googleapis.com/auth/ndev.clouddns.readwrite",
-		"https://www.googleapis.com/auth/devstorage.full_control",
+	if len(c.Scopes) == 0 {
+		c.Scopes = defaultClientScopes
 	}
 
-	tokenSource, err := c.getTokenSource(clientScopes)
+	tokenSource, err := c.getTokenSource(c.Scopes)
 	if err != nil {
 		return err
 	}

google/config_test.go

@@ -117,3 +117,17 @@ func TestAccConfigLoadValidate_accessToken(t *testing.T) {
 		t.Fatalf("expected API call with loaded config to work, got error: %s", err)
 	}
 }
+
+func TestConfigLoadAndValidate_defaultScopes(t *testing.T) {
+	config := Config{}
+	err := config.loadAndValidate()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	for index, scope := range defaultClientScopes {
+		if config.Scopes[index] != scope {
+			t.Fatalf("Unexpected default client scopes: %v, index %d", config.Scopes[index], index)
+		}
+	}
+}

google/provider.go

@@ -69,6 +69,11 @@ func Provider() terraform.ResourceProvider {
 					"CLOUDSDK_COMPUTE_ZONE",
 				}, nil),
 			},
+			"scopes": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
 		},
 
 		DataSourcesMap: map[string]*schema.Resource{
@@ -269,6 +274,14 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 		config.Credentials = v.(string)
 	}
 
+	scopes := d.Get("scopes").([]interface{})
+	if len(scopes) > 0 {
+		config.Scopes = make([]string, len(scopes), len(scopes))
+	}
+	for i, scope := range scopes {
+		config.Scopes[i] = scope.(string)
+	}
+
 	if err := config.loadAndValidate(); err != nil {
 		return nil, err
 	}

website/docs/provider_reference.html.markdown

@@ -135,9 +135,17 @@ share the same configuration.
     * `GCLOUD_ZONE`
     * `CLOUDSDK_COMPUTE_ZONE`
 
+* `scopes` - (Optional) The list of OAuth 2.0 [scopes] used to generate access token for Google APIs.
+  Default list of scopes:
+    * https://www.googleapis.com/auth/compute
+    * https://www.googleapis.com/auth/cloud-platform
+    * https://www.googleapis.com/auth/ndev.clouddns.readwrite
+    * https://www.googleapis.com/auth/devstorage.full_control
+
 [Google Cloud service account file]: https://console.cloud.google.com/apis/credentials/serviceaccountkey
 [adc]: https://cloud.google.com/docs/authentication/production
 [gce-service-account]: https://cloud.google.com/compute/docs/authentication
 [gcloud adc]: https://cloud.google.com/sdk/gcloud/reference/auth/application-default/login
 [service accounts]: https://cloud.google.com/docs/authentication/getting-started
 [GCE metadata]: https://cloud.google.com/docs/authentication/production#obtaining_credentials_on_compute_engine_kubernetes_engine_app_engine_flexible_environment_and_cloud_functions
+[scopes]: https://developers.google.com/identity/protocols/googlescopes