From f507a78187a27b9667b948799e317e9d1f0d51d4 Mon Sep 17 00:00:00 2001 From: Conor Gilsenan Date: Mon, 25 Feb 2019 17:40:52 -0500 Subject: [PATCH] Explain why scopes are required Scopes are the legacy way to assign permissions to an instance, so it was incredibly confusing for a first time GCP user why this field was required. This updates the terraform docs to explain this briefly and link to the Google docs which state that this field is still required (presumably, for legacy reasons). --- website/docs/r/compute_instance_template.html.markdown | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/website/docs/r/compute_instance_template.html.markdown b/website/docs/r/compute_instance_template.html.markdown index f4b534555cb..fa537afe4a5 100644 --- a/website/docs/r/compute_instance_template.html.markdown +++ b/website/docs/r/compute_instance_template.html.markdown @@ -357,6 +357,11 @@ The `service_account` block supports: short names are supported. To allow full access to all Cloud APIs, use the `cloud-platform` scope. See a complete list of scopes [here](https://cloud.google.com/sdk/gcloud/reference/alpha/compute/instances/set-scopes#--scopes). + The [service accounts documentation](https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam) + explains that access scopes are the legacy method of specifying permissions for your instance. + If you are following best practices and using IAM roles to grant permissions to service accounts, + then you can define this field as an empty list. + The `scheduling` block supports: * `automatic_restart` - (Optional) Specifies whether the instance should be
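Review bot: In the paragraph added to the `service_account` block (hunk at line 357), "you can define this field as an empty list" does not say what API access the instance keeps once no scopes are set, and it directly follows the context sentence recommending the `cloud-platform` scope for full access to all Cloud APIs. A reader cannot tell from these two statements whether IAM roles alone take effect when the list is empty or whether scopes still cap what the service account's roles can do. Please state how scopes and IAM roles combine and which value to set when permissions are managed through IAM. The subject line promises to explain why scopes are required, but the added text never says the field is required; a short sentence such as "This field is required even when permissions are granted through IAM roles" before the link would match the commit message.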