Add userinfo.email to default scopes (#2473)

GoogleCloudPlatform · Oct 24, 2019 · a2cfcfa · a2cfcfa
1 parent 2e285c1
commit a2cfcfa
Show file tree

Hide file tree

Showing 6 changed files with 6 additions and 50 deletions.
diff --git a/third_party/terraform/data_sources/data_source_google_client_openid_userinfo.go b/third_party/terraform/data_sources/data_source_google_client_openid_userinfo.go
@@ -26,7 +26,7 @@ func dataSourceGoogleClientOpenIDUserinfoRead(d *schema.ResourceData, meta inter
 	// URL retrieved from https://accounts.google.com/.well-known/openid-configuration
 	res, err := sendRequest(config, "GET", "", "https://openidconnect.googleapis.com/v1/userinfo", nil)
 	if err != nil {
-		return fmt.Errorf("error retrieving userinfo for your provider credentials; have you enabled the 'https://www.googleapis.com/auth/userinfo.email' scope? error: %s", err)
+		return fmt.Errorf("error retrieving userinfo for your provider credentials. have you enabled the 'https://www.googleapis.com/auth/userinfo.email' scope? error: %s", err)
 	}
 
 	d.SetId(time.Now().UTC().String())

diff --git a/third_party/terraform/tests/data_source_google_client_openid_userinfo_test.go b/third_party/terraform/tests/data_source_google_client_openid_userinfo_test.go
@@ -24,23 +24,5 @@ func TestAccDataSourceGoogleClientOpenIDUserinfo_basic(t *testing.T) {
 }
 
 const testAccCheckGoogleClientOpenIDUserinfo_basic = `
-provider "google" {
-  alias = "google-scoped"
-
-  # We need to add an additional scope to test this; because our tests rely on
-  # every env var being set, we can just add an alias with the appropriate
-  # scopes. This will fail if someone uses an access token instead of creds
-  # unless they've configured the userinfo.email scope.
-  scopes = [
-    "https://www.googleapis.com/auth/compute",
-    "https://www.googleapis.com/auth/cloud-platform",
-    "https://www.googleapis.com/auth/ndev.clouddns.readwrite",
-    "https://www.googleapis.com/auth/devstorage.full_control",
-    "https://www.googleapis.com/auth/userinfo.email",
-  ]
-}
-
-data "google_client_openid_userinfo" "me" {
-  provider = "google.google-scoped"
-}
+data "google_client_openid_userinfo" "me" {}
 `
diff --git a/third_party/terraform/utils/config.go.erb b/third_party/terraform/utils/config.go.erb
@@ -193,6 +193,7 @@ var defaultClientScopes = []string{
 	"https://www.googleapis.com/auth/cloud-platform",
 	"https://www.googleapis.com/auth/ndev.clouddns.readwrite",
 	"https://www.googleapis.com/auth/devstorage.full_control",
+	"https://www.googleapis.com/auth/userinfo.email",
 }
 
 func (c *Config) LoadAndValidate() error {

diff --git a/third_party/terraform/utils/provider_test.go.erb b/third_party/terraform/utils/provider_test.go.erb
@@ -264,13 +264,6 @@ resource "google_compute_address" "default" {
 // which causes the create to fail unless user_project_override is set to true.
 func testAccProviderUserProjectOverride(pid, name, org, billing, sa string) string {
 	return fmt.Sprintf(`
-provider "google" {
-  scopes = [
-    "https://www.googleapis.com/auth/cloud-platform",
-    "https://www.googleapis.com/auth/userinfo.email",
-  ]
-}
-
 resource "google_project" "project-1" {
 	project_id      = "%s"
 	name            = "%s"

diff --git a/...terraform/website/docs/d/datasource_google_client_openid_userinfo.html.markdown b/...terraform/website/docs/d/datasource_google_client_openid_userinfo.html.markdown
@@ -11,9 +11,8 @@ description: |-
 Get OpenID userinfo about the credentials used with the Google provider,
 specifically the email.
 
-When the `https://www.googleapis.com/auth/userinfo.email` scope is enabled in
-your provider block, this datasource enables you to export the email of the
-account you've authenticated the provider with; this can be used alongside
+This datasource enables you to export the email of the account you've
+authenticated the provider with; this can be used alongside
 `data.google_client_config`'s `access_token` to perform OpenID Connect
 authentication with GKE and configure an RBAC role for the email used.
 
@@ -24,16 +23,6 @@ receive an error otherwise.
 ## Example Usage - exporting an email
 
 ```hcl
-provider "google" {
-  scopes = [
-    "https://www.googleapis.com/auth/compute",
-    "https://www.googleapis.com/auth/cloud-platform",
-    "https://www.googleapis.com/auth/ndev.clouddns.readwrite",
-    "https://www.googleapis.com/auth/devstorage.full_control",
-    "https://www.googleapis.com/auth/userinfo.email",
-  ]
-}
-
 data "google_client_openid_userinfo" "me" {}
 
 output "my-email" {
@@ -44,16 +33,6 @@ output "my-email" {
 ## Example Usage - OpenID Connect w/ Kubernetes provider + RBAC IAM role
 
 ```hcl
-provider "google" {
-  scopes = [
-    "https://www.googleapis.com/auth/compute",
-    "https://www.googleapis.com/auth/cloud-platform",
-    "https://www.googleapis.com/auth/ndev.clouddns.readwrite",
-    "https://www.googleapis.com/auth/devstorage.full_control",
-    "https://www.googleapis.com/auth/userinfo.email",
-  ]
-}
-
 data "google_client_openid_userinfo" "provider_identity" {}
 
 data "google_client_config" "provider" {}

diff --git a/third_party/terraform/website/docs/provider_reference.html.markdown b/third_party/terraform/website/docs/provider_reference.html.markdown
@@ -213,6 +213,7 @@ an access token using the service account key specified in `credentials`.
     * https://www.googleapis.com/auth/cloud-platform
     * https://www.googleapis.com/auth/ndev.clouddns.readwrite
     * https://www.googleapis.com/auth/devstorage.full_control
+    * https://www.googleapis.com/auth/userinfo.email
 
 ---