From a0b57f3aab09c16b7b16a2e908c4067bfb194e8e Mon Sep 17 00:00:00 2001
From: Vasyl Kaigorodov <vkaigoro@redhat.com>
Date: Fri, 15 May 2015 15:28:28 +0200
Subject: [PATCH 1/4] GCE module: add posibility to specify Service Account
 permissions during instance creation

---
 cloud/google/gce.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/cloud/google/gce.py b/cloud/google/gce.py
index 314f1200161..20ceb257b3a 100644
--- a/cloud/google/gce.py
+++ b/cloud/google/gce.py
@@ -287,6 +287,8 @@ def create_instances(module, gce, instance_names):
     ip_forward = module.params.get('ip_forward')
     external_ip = module.params.get('external_ip')
     disk_auto_delete = module.params.get('disk_auto_delete')
+    service_account_permissions = module.params.get('service_account_permissions')
+    service_account_email = module.params.get('service_account_email')
 
     if external_ip == "none":
         external_ip = None
@@ -330,6 +332,14 @@ def create_instances(module, gce, instance_names):
             items.append({"key": k,"value": v})
         metadata = {'items': items}
 
+    ex_sa_perms = []
+    if service_account_permissions:
+        if service_account_email:
+            ex_sa_perms.append({'email': service_account_email})
+        else:
+            ex_sa_perms.append({'email': "default"})
+        ex_sa_perms[0]['scopes'] = service_account_permissions
+
     # These variables all have default values but check just in case
     if not lc_image or not lc_network or not lc_machine_type or not lc_zone:
         module.fail_json(msg='Missing required create instance variable',
@@ -349,7 +359,7 @@ def create_instances(module, gce, instance_names):
             inst = gce.create_node(name, lc_machine_type, lc_image,
                     location=lc_zone, ex_network=network, ex_tags=tags,
                     ex_metadata=metadata, ex_boot_disk=pd, ex_can_ip_forward=ip_forward,
-                    external_ip=external_ip, ex_disk_auto_delete=disk_auto_delete)
+                    external_ip=external_ip, ex_disk_auto_delete=disk_auto_delete, ex_service_accounts=ex_sa_perms)
             changed = True
         except ResourceExistsError:
             inst = gce.ex_get_node(name, lc_zone)
@@ -437,6 +447,7 @@ def main():
             tags = dict(type='list'),
             zone = dict(default='us-central1-a'),
             service_account_email = dict(),
+            service_account_permissions = dict(type='list'),
             pem_file = dict(),
             project_id = dict(),
             ip_forward = dict(type='bool', default=False),

From f714cc5f7ecb7d8f8bf994276292db6e72caa0a2 Mon Sep 17 00:00:00 2001
From: Vasyl Kaigorodov <vkaigoro@redhat.com>
Date: Fri, 15 May 2015 15:34:36 +0200
Subject: [PATCH 2/4] GCE module: document Service Account permissions
 parameter usage

---
 cloud/google/gce.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/cloud/google/gce.py b/cloud/google/gce.py
index 20ceb257b3a..261f6d32297 100644
--- a/cloud/google/gce.py
+++ b/cloud/google/gce.py
@@ -58,6 +58,13 @@ options:
     required: false
     default: null
     aliases: []
+  service_account_permissions:
+    version_added: 1.5.1
+    description:
+      - service account permissions (see U(https://cloud.google.com/sdk/gcloud/reference/compute/instances/create), --scopes section for detailed information)
+    required: false
+    default: null
+    aliases: []
   pem_file:
     version_added: 1.5.1
     description:

From fa9727eb99fdd0c38ed7f3ba72cdf31c69e82a61 Mon Sep 17 00:00:00 2001
From: Vasyl Kaigorodov <vkaigoro@redhat.com>
Date: Fri, 15 May 2015 16:00:24 +0200
Subject: [PATCH 3/4] GCE module: added Service Account permissions sanity
 checks

---
 cloud/google/gce.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/cloud/google/gce.py b/cloud/google/gce.py
index 261f6d32297..b288d9dfb43 100644
--- a/cloud/google/gce.py
+++ b/cloud/google/gce.py
@@ -340,7 +340,13 @@ def create_instances(module, gce, instance_names):
         metadata = {'items': items}
 
     ex_sa_perms = []
+    bad_perms = []
     if service_account_permissions:
+        for perm in service_account_permissions:
+            if not perm in gce.SA_SCOPES_MAP.keys():
+                bad_perms.append(perm)
+        if len(bad_perms) > 0:
+            module.fail_json(msg='bad permissions: %s' % str(bad_perms))
         if service_account_email:
             ex_sa_perms.append({'email': service_account_email})
         else:

From baff1bf7f0b49e2b4bc9f2c0582a1d356df160d9 Mon Sep 17 00:00:00 2001
From: James Cammarata <jimi@sngx.net>
Date: Tue, 23 Jun 2015 13:16:28 -0400
Subject: [PATCH 4/4] Update choices and version_added for new gce.py param
 service_account_permissions

---
 cloud/google/gce.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cloud/google/gce.py b/cloud/google/gce.py
index 48536057637..251a3ee9e93 100644
--- a/cloud/google/gce.py
+++ b/cloud/google/gce.py
@@ -59,12 +59,13 @@ options:
     default: null
     aliases: []
   service_account_permissions:
-    version_added: 1.5.1
+    version_added: 2.0
     description:
       - service account permissions (see U(https://cloud.google.com/sdk/gcloud/reference/compute/instances/create), --scopes section for detailed information)
     required: false
     default: null
     aliases: []
+    choices: ["bigquery", "cloud-platform", "compute-ro", "compute-rw", "computeaccounts-ro", "computeaccounts-rw", "datastore", "logging-write", "monitoring", "sql", "sql-admin", "storage-full", "storage-ro", "storage-rw", "taskqueue", "userinfo-email"]
   pem_file:
     version_added: 1.5.1
     description: