diff --git a/google/config.go b/google/config.go index 6898ee13..4d098098 100644 --- a/google/config.go +++ b/google/config.go @@ -54,6 +54,7 @@ type Config struct { Project string Region string Zone string + Scopes []string client *http.Client userAgent string @@ -95,15 +96,19 @@ type Config struct { bigtableClientFactory *BigtableClientFactory } +var defaultClientScopes = []string{ + "https://www.googleapis.com/auth/compute", + "https://www.googleapis.com/auth/cloud-platform", + "https://www.googleapis.com/auth/ndev.clouddns.readwrite", + "https://www.googleapis.com/auth/devstorage.full_control", +} + func (c *Config) loadAndValidate() error { - clientScopes := []string{ - "https://www.googleapis.com/auth/compute", - "https://www.googleapis.com/auth/cloud-platform", - "https://www.googleapis.com/auth/ndev.clouddns.readwrite", - "https://www.googleapis.com/auth/devstorage.full_control", + if len(c.Scopes) == 0 { + c.Scopes = defaultClientScopes } - tokenSource, err := c.getTokenSource(clientScopes) + tokenSource, err := c.getTokenSource(c.Scopes) if err != nil { return err } diff --git a/google/config_test.go b/google/config_test.go index 99bcbd1d..8d6bbabe 100644 --- a/google/config_test.go +++ b/google/config_test.go @@ -117,3 +117,17 @@ func TestAccConfigLoadValidate_accessToken(t *testing.T) { t.Fatalf("expected API call with loaded config to work, got error: %s", err) } } + +func TestConfigLoadAndValidate_defaultScopes(t *testing.T) { + config := Config{} + err := config.loadAndValidate() + if err != nil { + t.Fatalf("unexpected error: %v", err) + } + + for index, scope := range defaultClientScopes { + if config.Scopes[index] != scope { + t.Fatalf("Unexpected default client scopes: %v, index %d", config.Scopes[index], index) + } + } +} diff --git a/google/provider.go b/google/provider.go index 7018cf63..be29a59e 100644 --- a/google/provider.go +++ b/google/provider.go 
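Review bot: In loadAndValidate, `c.Scopes = defaultClientScopes` stores the package-level slice itself, so every Config that falls back to the defaults shares one backing array; any later in-place write to c.Scopes (an index assignment, or an append that fits in capacity) would silently change the defaults for every other Config in the process. Copy instead: `c.Scopes = append([]string(nil), defaultClientScopes...)`. The package-level var also deserves a doc comment, e.g. `// defaultClientScopes are the OAuth 2.0 scopes requested when Config.Scopes is empty.`, and the new Scopes field a line saying it overrides that default when non-empty. loadAndValidate's body continues past the end of the hunk.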
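Review bot: TestConfigLoadAndValidate_defaultScopes indexes `config.Scopes[index]` without first checking the length, so a shorter-than-expected result panics with an index error instead of failing cleanly; add `if len(config.Scopes) != len(defaultClientScopes) { t.Fatalf("expected %d scopes, got %d", len(defaultClientScopes), len(config.Scopes)) }` before the loop, which also catches a longer list that the loop would miss. The test lacks the TestAcc prefix its neighbour TestAccConfigLoadValidate_accessToken uses while still calling loadAndValidate, which reaches getTokenSource; if that path presumably needs credentials, the test will fail in plain unit runs — worth confirming or gating the same way.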
@@ -69,6 +69,11 @@ func Provider() terraform.ResourceProvider { "CLOUDSDK_COMPUTE_ZONE", }, nil), }, + "scopes": { + Type: schema.TypeList, + Optional: true, + Elem: &schema.Schema{Type: schema.TypeString}, + }, }, DataSourcesMap: map[string]*schema.Resource{ @@ -269,6 +274,14 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) { config.Credentials = v.(string) } + scopes := d.Get("scopes").([]interface{}) + if len(scopes) > 0 { + config.Scopes = make([]string, len(scopes), len(scopes)) + } + for i, scope := range scopes { + config.Scopes[i] = scope.(string) + } + if err := config.loadAndValidate(); err != nil { return nil, err } diff --git a/website/docs/provider_reference.html.markdown b/website/docs/provider_reference.html.markdown index 8e629bdf..07b8b870 100644 --- a/website/docs/provider_reference.html.markdown +++ b/website/docs/provider_reference.html.markdown 
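Review bot: providerConfigure copies the `scopes` list element by element but never rejects empty entries, so a configuration such as `scopes = [""]` passes the `len(c.Scopes) == 0` fallback in loadAndValidate and hands an empty scope string to the token source; reject it inside the loop, e.g. `if s := scope.(string); s == "" { return nil, errors.New("scopes: empty scope entry") }` (errors or fmt, whichever provider.go already imports). The unchecked `scope.(string)` assertion panics rather than erroring if the SDK ever yields a nil element for a TypeString list — I cannot tell from the hunk whether it can, so a two-value assertion would be the safer form. `make([]string, len(scopes), len(scopes))` repeats the capacity needlessly; `make([]string, len(scopes))` is equivalent. The first hunk's `"scopes"` schema entry has no Description, unlike a reader might expect for a security-relevant provider setting. providerConfigure continues outside the hunk.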
@@ -135,9 +135,17 @@ share the same configuration. * `GCLOUD_ZONE` * `CLOUDSDK_COMPUTE_ZONE` +* `scopes` - (Optional) The list of OAuth 2.0 [scopes] used to generate access token for Google APIs. + Default list of scopes: + * https://www.googleapis.com/auth/compute + * https://www.googleapis.com/auth/cloud-platform + * https://www.googleapis.com/auth/ndev.clouddns.readwrite + * https://www.googleapis.com/auth/devstorage.full_control + [Google Cloud service account file]: https://console.cloud.google.com/apis/credentials/serviceaccountkey [adc]: https://cloud.google.com/docs/authentication/production [gce-service-account]: https://cloud.google.com/compute/docs/authentication [gcloud adc]: https://cloud.google.com/sdk/gcloud/reference/auth/application-default/login [service accounts]: https://cloud.google.com/docs/authentication/getting-started [GCE metadata]: https://cloud.google.com/docs/authentication/production#obtaining_credentials_on_compute_engine_kubernetes_engine_app_engine_flexible_environment_and_cloud_functions +[scopes]: https://developers.google.com/identity/protocols/googlescopes