Allow for specify scopes for assigned service account (#401)

dacbd · web-flow · commit 0e94e21150db · 2022-02-17T11:10:55.000+01:00
* draft commit

* initial fix

* split '0' 😕

* confused by my own comments 😢

* handle shorthand
diff --git a/iterative/gcp/provider.go b/iterative/gcp/provider.go
@@ -34,7 +34,8 @@ func ResourceMachineCreate(ctx context.Context, d *schema.ResourceData, m interf
 	instanceZone := getRegion(d.Get("region").(string))
 	instanceHddSize := int64(d.Get("instance_hdd_size").(int))
 	instancePublicSshKey := fmt.Sprintf("%s:%s %s\n", "ubuntu", strings.TrimSpace(d.Get("ssh_public").(string)), "ubuntu")
-	instanceServiceAccount := d.Get("instance_permission_set").(string)
+
+	serviceAccountEmail, serviceAccountScopes := getServiceAccountData(d.Get("instance_permission_set").(string))
 
 	instanceMetadata := map[string]string{}
 	for key, value := range d.Get("metadata").(map[string]interface{}) {
@@ -199,7 +200,8 @@ func ResourceMachineCreate(ctx context.Context, d *schema.ResourceData, m interf
 		MachineType: instanceMachineType.SelfLink,
 		ServiceAccounts: []*gcp_compute.ServiceAccount{
 			{
-				Email: instanceServiceAccount,
+				Email:  serviceAccountEmail,
+				Scopes: serviceAccountScopes,
 			},
 		},
 		Disks: []*gcp_compute.AttachedDisk{
@@ -287,6 +289,21 @@ func ResourceMachineDelete(ctx context.Context, d *schema.ResourceData, m interf
 	return nil
 }
 
+func getServiceAccountData(saString string) (string, []string) {
+	// ["SA email", "scopes=s1", "s2", ...]
+	splitStr := strings.Split(saString, ",")
+	serviceAccountEmail := splitStr[0]
+	if len(splitStr) == 1 {
+		// warn user about scopes?
+		return serviceAccountEmail, nil
+	}
+	// ["scopes=s1", "s2"]
+	splitStr[1] = strings.Split(splitStr[1], "=")[1]
+	// ["s1", "s2", ...]
+	serviceAccountScopes := splitStr[1:]
+	return serviceAccountEmail, utils.CanonicalizeServiceScopes(serviceAccountScopes)
+}
+
 func getProjectService() (string, *gcp_compute.Service, error) {
 	var credentials *google.Credentials
 	var err error
diff --git a/iterative/utils/helpers.go b/iterative/utils/helpers.go
@@ -37,3 +37,47 @@ func LoadGCPCredentials() string {
 	}
 	return credentialsData
 }
+
+// Better way than copying?
+// https://github.com/hashicorp/terraform-provider-google/blob/8a362008bd4d36b6a882eb53455f87305e6dff52/google/service_scope.go#L5-L48
+func canonicalizeServiceScope(scope string) string {
+	// This is a convenience map of short names used by the gcloud tool
+	// to the GCE auth endpoints they alias to.
+	scopeMap := map[string]string{
+		"bigquery":              "https://www.googleapis.com/auth/bigquery",
+		"cloud-platform":        "https://www.googleapis.com/auth/cloud-platform",
+		"cloud-source-repos":    "https://www.googleapis.com/auth/source.full_control",
+		"cloud-source-repos-ro": "https://www.googleapis.com/auth/source.read_only",
+		"compute-ro":            "https://www.googleapis.com/auth/compute.readonly",
+		"compute-rw":            "https://www.googleapis.com/auth/compute",
+		"datastore":             "https://www.googleapis.com/auth/datastore",
+		"logging-write":         "https://www.googleapis.com/auth/logging.write",
+		"monitoring":            "https://www.googleapis.com/auth/monitoring",
+		"monitoring-read":       "https://www.googleapis.com/auth/monitoring.read",
+		"monitoring-write":      "https://www.googleapis.com/auth/monitoring.write",
+		"pubsub":                "https://www.googleapis.com/auth/pubsub",
+		"service-control":       "https://www.googleapis.com/auth/servicecontrol",
+		"service-management":    "https://www.googleapis.com/auth/service.management.readonly",
+		"sql":                   "https://www.googleapis.com/auth/sqlservice",
+		"sql-admin":             "https://www.googleapis.com/auth/sqlservice.admin",
+		"storage-full":          "https://www.googleapis.com/auth/devstorage.full_control",
+		"storage-ro":            "https://www.googleapis.com/auth/devstorage.read_only",
+		"storage-rw":            "https://www.googleapis.com/auth/devstorage.read_write",
+		"taskqueue":             "https://www.googleapis.com/auth/taskqueue",
+		"trace":                 "https://www.googleapis.com/auth/trace.append",
+		"useraccounts-ro":       "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
+		"useraccounts-rw":       "https://www.googleapis.com/auth/cloud.useraccounts",
+		"userinfo-email":        "https://www.googleapis.com/auth/userinfo.email",
+	}
+	if matchedURL, ok := scopeMap[scope]; ok {
+		return matchedURL
+	}
+	return scope
+}
+func CanonicalizeServiceScopes(scopes []string) []string {
+	cs := make([]string, len(scopes))
+	for i, scope := range scopes {
+		cs[i] = canonicalizeServiceScope(scope)
+	}
+	return cs
+}
