From 369633b1ea609e8ef73a74c26459441c8f9f9024 Mon Sep 17 00:00:00 2001
From: Riley Karson
Date: Tue, 15 Oct 2019 14:41:52 -0700
Subject: [PATCH] Add userinfo.email to default scopes (#2473)
---
 ...ta_source_google_client_openid_userinfo.go | 2 +-
 ...urce_google_client_openid_userinfo_test.go | 20 +--------------
 third_party/terraform/utils/config.go.erb | 1 +
 .../terraform/utils/provider_test.go.erb | 7 ------
 ...oogle_client_openid_userinfo.html.markdown | 25 ++-----------------
 .../docs/provider_reference.html.markdown | 1 +
 6 files changed, 6 insertions(+), 50 deletions(-)
diff --git a/third_party/terraform/data_sources/data_source_google_client_openid_userinfo.go b/third_party/terraform/data_sources/data_source_google_client_openid_userinfo.go
index eb524a0e2f9e..6d8cc2a44fe0 100644
--- a/third_party/terraform/data_sources/data_source_google_client_openid_userinfo.go
+++ b/third_party/terraform/data_sources/data_source_google_client_openid_userinfo.go
@@ -26,7 +26,7 @@ func dataSourceGoogleClientOpenIDUserinfoRead(d *schema.ResourceData, meta inter
 // URL retrieved from https://accounts.google.com/.well-known/openid-configuration
 res, err := sendRequest(config, "GET", "", "https://openidconnect.googleapis.com/v1/userinfo", nil)
 if err != nil {
- return fmt.Errorf("error retrieving userinfo for your provider credentials; have you enabled the 'https://www.googleapis.com/auth/userinfo.email' scope? error: %s", err)
+ return fmt.Errorf("error retrieving userinfo for your provider credentials. have you enabled the 'https://www.googleapis.com/auth/userinfo.email' scope? error: %s", err)
 }
 d.SetId(time.Now().UTC().String())
diff --git a/third_party/terraform/tests/data_source_google_client_openid_userinfo_test.go b/third_party/terraform/tests/data_source_google_client_openid_userinfo_test.go
index 0f7fc42578ad..f293f8b17fda 100644
--- a/third_party/terraform/tests/data_source_google_client_openid_userinfo_test.go
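Review bot: The rewritten message on the `+` line still presents `userinfo.email` as something the user has to opt into, while this same commit appends it to `defaultClientScopes` in config.go.erb, so for a default-configured provider the hint points at a cause that cannot apply. After this change the scope can only be missing when the user overrides `scopes` or, per the fixture comment removed in the test file, supplies an access token minted without it; the message should say so, e.g. `return fmt.Errorf("error retrieving userinfo for your provider credentials; the 'https://www.googleapis.com/auth/userinfo.email' scope is included by default but must be present in a custom 'scopes' list or access token: %s", err)`. The lower-case `have` following the new full stop also reads as a typo; the original semicolon was the better choice. dataSourceGoogleClientOpenIDUserinfoRead begins above the hunk and continues below it.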
+++ b/third_party/terraform/tests/data_source_google_client_openid_userinfo_test.go
@@ -24,23 +24,5 @@ func TestAccDataSourceGoogleClientOpenIDUserinfo_basic(t *testing.T) {
 }
 const testAccCheckGoogleClientOpenIDUserinfo_basic = `
-provider "google" {
- alias = "google-scoped"
-
- # We need to add an additional scope to test this; because our tests rely on
- # every env var being set, we can just add an alias with the appropriate
- # scopes. This will fail if someone uses an access token instead of creds
- # unless they've configured the userinfo.email scope.
- scopes = [
- "https://www.googleapis.com/auth/compute",
- "https://www.googleapis.com/auth/cloud-platform",
- "https://www.googleapis.com/auth/ndev.clouddns.readwrite",
- "https://www.googleapis.com/auth/devstorage.full_control",
- "https://www.googleapis.com/auth/userinfo.email",
- ]
-}
-
-data "google_client_openid_userinfo" "me" {
- provider = "google.google-scoped"
-}
+data "google_client_openid_userinfo" "me" {}
 `
diff --git a/third_party/terraform/utils/config.go.erb b/third_party/terraform/utils/config.go.erb
index d6d507dff358..83c678062fa0 100644
--- a/third_party/terraform/utils/config.go.erb
+++ b/third_party/terraform/utils/config.go.erb
@@ -193,6 +193,7 @@ var defaultClientScopes = []string{
 "https://www.googleapis.com/auth/cloud-platform",
 "https://www.googleapis.com/auth/ndev.clouddns.readwrite",
 "https://www.googleapis.com/auth/devstorage.full_control",
+ "https://www.googleapis.com/auth/userinfo.email",
 }
 func (c *Config) LoadAndValidate() error {
diff --git a/third_party/terraform/utils/provider_test.go.erb b/third_party/terraform/utils/provider_test.go.erb
index 68388caf0347..c5329b53bdbd 100644
--- a/third_party/terraform/utils/provider_test.go.erb
+++ b/third_party/terraform/utils/provider_test.go.erb
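Review bot: The new one-line fixture drops the only explanation of why this test can fail, namely the removed comment stating that an access token used instead of credentials must carry the `userinfo.email` scope itself; a maintainer hitting that failure after this change gets no pointer to the cause. Keeping a short note in the HCL would preserve it, e.g. `# Relies on userinfo.email being in the provider's default scopes; an access token lacking it will fail.`. With the aliased provider gone, no test on this page exercises an explicit `scopes` override together with this data source, so the scope-missing error branch in the read function appears to be left untested (inferred, as only this fixture is visible). TestAccDataSourceGoogleClientOpenIDUserinfo_basic itself starts above the hunk.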
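Review bot: Adding `userinfo.email` to `defaultClientScopes` widens the scopes the provider requests by default, and users who copied the previous default list into an explicit `scopes` setting will now silently lack the scope that this commit's docs and tests treat as always present. A comment on the new entry would make that dependency visible to the next reader, e.g. `// Needed by data.google_client_openid_userinfo; a user-supplied scopes list must include it explicitly.`. The widened default also deserves a changelog entry, which I cannot see in this patch. defaultClientScopes begins above the hunk and LoadAndValidate continues below it.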
@@ -264,13 +264,6 @@ resource "google_compute_address" "default" {
 // which causes the create to fail unless user_project_override is set to true.
 func testAccProviderUserProjectOverride(pid, name, org, billing, sa string) string {
 return fmt.Sprintf(`
-provider "google" {
- scopes = [
- "https://www.googleapis.com/auth/cloud-platform",
- "https://www.googleapis.com/auth/userinfo.email",
- ]
-}
-
 resource "google_project" "project-1" {
 project_id = "%s"
 name = "%s"
diff --git a/third_party/terraform/website/docs/d/datasource_google_client_openid_userinfo.html.markdown b/third_party/terraform/website/docs/d/datasource_google_client_openid_userinfo.html.markdown
index 6b2d9d0d1b12..c663911841bf 100644
--- a/third_party/terraform/website/docs/d/datasource_google_client_openid_userinfo.html.markdown
+++ b/third_party/terraform/website/docs/d/datasource_google_client_openid_userinfo.html.markdown
@@ -11,9 +11,8 @@ description: |-
 Get OpenID userinfo about the credentials used with the Google provider,
 specifically the email.
-When the `https://www.googleapis.com/auth/userinfo.email` scope is enabled in
-your provider block, this datasource enables you to export the email of the
-account you've authenticated the provider with; this can be used alongside
+This datasource enables you to export the email of the account you've
+authenticated the provider with; this can be used alongside
 `data.google_client_config`'s `access_token` to perform OpenID Connect
 authentication with GKE and configure an RBAC role for the email used.
@@ -24,16 +23,6 @@ receive an error otherwise.
 ## Example Usage - exporting an email
 ```hcl
-provider "google" {
- scopes = [
- "https://www.googleapis.com/auth/compute",
- "https://www.googleapis.com/auth/cloud-platform",
- "https://www.googleapis.com/auth/ndev.clouddns.readwrite",
- "https://www.googleapis.com/auth/devstorage.full_control",
- "https://www.googleapis.com/auth/userinfo.email",
- ]
-}
-
 data "google_client_openid_userinfo" "me" {}
 output "my-email" {
@@ -44,16 +33,6 @@ output "my-email" {
 ## Example Usage - OpenID Connect w/ Kubernetes provider + RBAC IAM role
 ```hcl
-provider "google" {
- scopes = [
- "https://www.googleapis.com/auth/compute",
- "https://www.googleapis.com/auth/cloud-platform",
- "https://www.googleapis.com/auth/ndev.clouddns.readwrite",
- "https://www.googleapis.com/auth/devstorage.full_control",
- "https://www.googleapis.com/auth/userinfo.email",
- ]
-}
-
 data "google_client_openid_userinfo" "provider_identity" {}
 data "google_client_config" "provider" {}
diff --git a/third_party/terraform/website/docs/provider_reference.html.markdown b/third_party/terraform/website/docs/provider_reference.html.markdown
index 2ab8a2c425c7..a4ef831f5db6 100644
--- a/third_party/terraform/website/docs/provider_reference.html.markdown
+++ b/third_party/terraform/website/docs/provider_reference.html.markdown
@@ -213,6 +213,7 @@ an access token using the service account key specified in `credentials`.
 * https://www.googleapis.com/auth/cloud-platform
 * https://www.googleapis.com/auth/ndev.clouddns.readwrite
 * https://www.googleapis.com/auth/devstorage.full_control
+ * https://www.googleapis.com/auth/userinfo.email
 ---