Remove redundant default scopes (#5343) (#3756)

Signed-off-by: Modular Magician <[email protected]>
hashicorp · Oct 22, 2021 · b48aec7 · b48aec7
1 parent 7d969e9
commit b48aec7
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 10 deletions.
diff --git a/.changelog/5343.txt b/.changelog/5343.txt
@@ -0,0 +1,3 @@
+```release-note:breaking-change
+provider: removed redundant default scopes. The provider's default scopes when authenticating with credentials are now exclusively "https://www.googleapis.com/auth/cloud-platform" and "https://www.googleapis.com/auth/userinfo.email".
+```
diff --git a/google-beta/config.go b/google-beta/config.go
@@ -370,11 +370,7 @@ var DefaultBasePaths = map[string]string{
 }
 
 var DefaultClientScopes = []string{
-	"https://www.googleapis.com/auth/compute",
 	"https://www.googleapis.com/auth/cloud-platform",
-	"https://www.googleapis.com/auth/cloud-identity",
-	"https://www.googleapis.com/auth/ndev.clouddns.readwrite",
-	"https://www.googleapis.com/auth/devstorage.full_control",
 	"https://www.googleapis.com/auth/userinfo.email",
 }
 

diff --git a/google-beta/resource_dataproc_cluster_test.go b/google-beta/resource_dataproc_cluster_test.go
@@ -13,9 +13,8 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 
-	"google.golang.org/api/googleapi"
-
 	dataproc "google.golang.org/api/dataproc/v1beta2"
+	"google.golang.org/api/googleapi"
 )
 
 func TestDataprocExtractInitTimeout(t *testing.T) {

diff --git a/google-beta/resource_gke_hub_feature_membership_test.go b/google-beta/resource_gke_hub_feature_membership_test.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/GoogleCloudPlatform/declarative-resource-client-library/dcl"
+	dcl "github.com/GoogleCloudPlatform/declarative-resource-client-library/dcl"
 	gkehub "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/gkehub/beta"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"

diff --git a/website/docs/guides/provider_reference.html.markdown b/website/docs/guides/provider_reference.html.markdown
@@ -265,10 +265,7 @@ an access token using the service account key specified in `credentials`.
 
     By default, the following scopes are configured:
 
-    * https://www.googleapis.com/auth/compute
     * https://www.googleapis.com/auth/cloud-platform
-    * https://www.googleapis.com/auth/ndev.clouddns.readwrite
-    * https://www.googleapis.com/auth/devstorage.full_control
     * https://www.googleapis.com/auth/userinfo.email
 
 * `request_reason` - (Optional) Send a Request Reason [System Parameter](https://cloud.google.com/apis/docs/system-parameters) for each API call made by the provider.  The `X-Goog-Request-Reason` header value is used to provide a user-supplied justification into GCP AuditLogs. Alternatively, this can be specified using the `CLOUDSDK_CORE_REQUEST_REASON` environment variable.

diff --git a/website/docs/guides/version_4_upgrade.html.markdown b/website/docs/guides/version_4_upgrade.html.markdown
@@ -12,6 +12,7 @@ description: |-
   - [I accidentally upgraded to 4.0.0, how do I downgrade to `3.X`?](#i-accidentally-upgraded-to-400-how-do-i-downgrade-to-3x)
   - [Provider Version Configuration](#provider-version-configuration)
   - [Provider](#provider)
+    - [Redundant default scopes are removed](#redundant-default-scopes-are-removed)
     - [Runtime Configurator (`runtimeconfig`) resources have been removed from the GA provider](#runtime-configurator-runtimeconfig-resources-have-been-removed-from-the-ga-provider)
   - [Datasource: `google_product_resource`](#datasource-google_product_resource)
     - [Datasource-level change example](#datasource-level-change-example)
@@ -154,6 +155,26 @@ terraform {
 
 ## Provider
 
+### Redundant default scopes are removed
+
+Several default scopes are removed from the provider:
+
+* "https://www.googleapis.com/auth/compute"
+* "https://www.googleapis.com/auth/ndev.clouddns.readwrite"
+* "https://www.googleapis.com/auth/devstorage.full_control"
+* "https://www.googleapis.com/auth/cloud-identity"
+
+They are redundant with the "https://www.googleapis.com/auth/cloud-platform"
+scope per [Access scopes](https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam).
+After this change the following scopes are enabled, in line with `gcloud`'s
+[list of scopes](https://cloud.google.com/sdk/gcloud/reference/auth/application-default/login):
+
+* "https://www.googleapis.com/auth/cloud-platform"
+* "https://www.googleapis.com/auth/userinfo.email"
+
+This change is believed to have no user impact. If you find that Terraform
+behaves incorrectly as a result of this change, please report a [bug](https://github.com/hashicorp/terraform-provider-google/issues/new?assignees=&labels=bug&template=bug.md).
+
 ### Runtime Configurator (`runtimeconfig`) resources have been removed from the GA provider
 
 Earlier versions of the provider accidentally included the Runtime Configurator