diff --git a/.changelog/5343.txt b/.changelog/5343.txt
new file mode 100644
index 0000000000..d90d2066d2
--- /dev/null
+++ b/.changelog/5343.txt
@@ -0,0 +1,3 @@
+```release-note:breaking-change
+provider: removed redundant default scopes. The provider's default scopes when authenticating with credentials are now exclusively "https://www.googleapis.com/auth/cloud-platform" and "https://www.googleapis.com/auth/userinfo.email".
+```
diff --git a/google-beta/config.go b/google-beta/config.go
index 91eb95aecc..eac0610e4a 100644
--- a/google-beta/config.go
+++ b/google-beta/config.go
@@ -370,11 +370,7 @@ var DefaultBasePaths = map[string]string{
 }
 
 var DefaultClientScopes = []string{
- "https://www.googleapis.com/auth/compute",
 "https://www.googleapis.com/auth/cloud-platform",
- "https://www.googleapis.com/auth/cloud-identity",
- "https://www.googleapis.com/auth/ndev.clouddns.readwrite",
- "https://www.googleapis.com/auth/devstorage.full_control",
 "https://www.googleapis.com/auth/userinfo.email",
 }
 
diff --git a/google-beta/resource_dataproc_cluster_test.go b/google-beta/resource_dataproc_cluster_test.go
index 798461eee3..e3c9d32ff6 100644
--- a/google-beta/resource_dataproc_cluster_test.go
+++ b/google-beta/resource_dataproc_cluster_test.go
@@ -13,9 +13,8 @@ import (
 
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 "github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
- "google.golang.org/api/googleapi"
 
- dataproc "google.golang.org/api/dataproc/v1beta2"
+ "google.golang.org/api/googleapi"
 )
 
 func TestDataprocExtractInitTimeout(t *testing.T) {
diff --git a/google-beta/resource_gke_hub_feature_membership_test.go b/google-beta/resource_gke_hub_feature_membership_test.go
index 9e1f2ea64d..32fa84c196 100644
--- a/google-beta/resource_gke_hub_feature_membership_test.go
+++ b/google-beta/resource_gke_hub_feature_membership_test.go
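Review bot: `DefaultClientScopes` in google-beta/config.go is left with no comment recording why only `cloud-platform` and `userinfo.email` remain, so the next contributor who hits a per-service API error is likely to re-add one of the scopes this hunk removes. Suggest a doc comment above the declaration: `// DefaultClientScopes are the OAuth scopes requested when none are configured explicitly; cloud-platform supersedes the per-service scopes that used to be listed here and matches gcloud's application-default login scopes.` Since `cloud-platform` is the broadest Cloud scope, the change shortens the scope list on the token rather than reducing the privileges it carries, so deployments wanting a least-privilege token still have to configure scopes explicitly; the upgrade guide's "no user impact" paragraph could say that. Whether every API the provider calls through the removed `cloud-identity` scope also accepts `cloud-platform` is not shown by this diff and is worth confirming with the acceptance tests before release.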
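Review bot: Dropping the `dataproc "google.golang.org/api/dataproc/v1beta2"` import in resource_dataproc_cluster_test.go is only valid if no `dataproc.` references remain in that file, and the diff shows no test code changing alongside it, so this looks like it belongs to a different change than the scope cleanup; if the references were removed elsewhere, a sentence in the commit message would make that clear. The regrouping also moves `google.golang.org/api/googleapi` into its own group below the github.com imports, which differs from the single third-party group goimports would produce; if a generator emits this layout that is fine, otherwise run goimports on the file.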
@@ -5,7 +5,7 @@ import (
 "fmt"
 "testing"
 
- "github.com/GoogleCloudPlatform/declarative-resource-client-library/dcl"
+ dcl "github.com/GoogleCloudPlatform/declarative-resource-client-library/dcl"
 gkehub "github.com/GoogleCloudPlatform/declarative-resource-client-library/services/google/gkehub/beta"
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 "github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
diff --git a/website/docs/guides/provider_reference.html.markdown b/website/docs/guides/provider_reference.html.markdown
index 8160829e9d..02aa0f6334 100644
--- a/website/docs/guides/provider_reference.html.markdown
+++ b/website/docs/guides/provider_reference.html.markdown
@@ -265,10 +265,7 @@ an access token using the service account key specified in `credentials`.
 
 By default, the following scopes are configured:
 
- * https://www.googleapis.com/auth/compute
 * https://www.googleapis.com/auth/cloud-platform
- * https://www.googleapis.com/auth/ndev.clouddns.readwrite
- * https://www.googleapis.com/auth/devstorage.full_control
 * https://www.googleapis.com/auth/userinfo.email
 
 * `request_reason` - (Optional) Send a Request Reason [System Parameter](https://cloud.google.com/apis/docs/system-parameters) for each API call made by the provider. The `X-Goog-Request-Reason` header value is used to provide a user-supplied justification into GCP AuditLogs. Alternatively, this can be specified using the `CLOUDSDK_CORE_REQUEST_REASON` environment variable.
diff --git a/website/docs/guides/version_4_upgrade.html.markdown b/website/docs/guides/version_4_upgrade.html.markdown
index 2255d0ab1e..598db1a5cf 100644
--- a/website/docs/guides/version_4_upgrade.html.markdown
+++ b/website/docs/guides/version_4_upgrade.html.markdown
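Review bot: The alias added to the dcl import, `dcl "github.com/GoogleCloudPlatform/declarative-resource-client-library/dcl"`, is the package's own name, so it changes nothing and is the kind of redundant alias some linters flag; it also looks unrelated to the scope change this commit is about. Unless the provider's code generator emits it deliberately, leave the line as it was.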
@@ -12,6 +12,7 @@ description: |-
 - [I accidentally upgraded to 4.0.0, how do I downgrade to `3.X`?](#i-accidentally-upgraded-to-400-how-do-i-downgrade-to-3x)
 - [Provider Version Configuration](#provider-version-configuration)
 - [Provider](#provider)
+ - [Redundant default scopes are removed](#redundant-default-scopes-are-removed)
 - [Runtime Configurator (`runtimeconfig`) resources have been removed from the GA provider](#runtime-configurator-runtimeconfig-resources-have-been-removed-from-the-ga-provider)
 - [Datasource: `google_product_resource`](#datasource-google_product_resource)
 - [Datasource-level change example](#datasource-level-change-example)
@@ -154,6 +155,26 @@ terraform {
 
 ## Provider
 
+### Redundant default scopes are removed
+
+Several default scopes are removed from the provider:
+
+* "https://www.googleapis.com/auth/compute"
+* "https://www.googleapis.com/auth/ndev.clouddns.readwrite"
+* "https://www.googleapis.com/auth/devstorage.full_control"
+* "https://www.googleapis.com/auth/cloud-identity"
+
+They are redundant with the "https://www.googleapis.com/auth/cloud-platform"
+scope per [Access scopes](https://cloud.google.com/compute/docs/access/service-accounts#accesscopesiam).
+After this change the following scopes are enabled, in line with `gcloud`'s
+[list of scopes](https://cloud.google.com/sdk/gcloud/reference/auth/application-default/login):
+
+* "https://www.googleapis.com/auth/cloud-platform"
+* "https://www.googleapis.com/auth/userinfo.email"
+
+This change is believed to have no user impact. If you find that Terraform
+behaves incorrectly as a result of this change, please report a [bug](https://github.com/hashicorp/terraform-provider-google/issues/new?assignees=&labels=bug&template=bug.md).
+
 ### Runtime Configurator (`runtimeconfig`) resources have been removed from the GA provider
 
 Earlier versions of the provider accidentally included the Runtime Configurator