The OpenResty config is only 140 lines of code! And it plays nicely with Zapier. A ton of powerful features were reused to create a very concise, high-performance implementation. Google requires public OAuth 2 applications to be verified; however, I was able to get an internal-only app working with Zapier without verification.
The only manual part involved is creating the OAuth2 credentials in the GCP console. In some sense the manual process is a blessing: this step involves secrets, and having it done outside of Terraform avoids secret management headaches.
To get a working Zapier integration, the authorization URL should be customized with scopes and offline access.
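As an added example (not code from the original post or its OpenResty config), this Python code builds a Google authorization URL carrying scopes and `access_type=offline`, and audits a configured URL for those settings. The client ID, redirect URI, state value and scope list are constructed placeholders, and the function names are hypothetical.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Google's OAuth 2.0 authorization endpoint.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_authorization_url(client_id, redirect_uri, scopes, state):
    """Build an authorization URL that requests scopes and offline access."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),  # space-delimited list
        "access_type": "offline",   # Google issues a refresh token only when set
        "state": state,             # binds the redirect to the initiating session
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def audit_authorization_url(url, required_scopes):
    """Return a list of problems found in a configured authorization URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # blank values are dropped by default
    problems = []
    if parts.scheme != "https":
        problems.append("scheme: authorization URL must use https")
    if query.get("response_type") != ["code"]:
        problems.append("response_type: expected the authorization code flow")
    if query.get("access_type") != ["offline"]:
        problems.append("access_type: offline not requested, so no refresh token")
    requested = set(" ".join(query.get("scope", [])).split())
    missing = sorted(set(required_scopes) - requested)
    if missing:
        problems.append("scope: missing " + ", ".join(missing))
    if not query.get("state"):
        problems.append("state: missing, redirect is not bound to a session")
    return problems


if __name__ == "__main__":
    # Constructed placeholder values, not taken from the post.
    scopes = ["openid", "email"]
    good = build_authorization_url("CLIENT_ID_PLACEHOLDER",
                                   "https://example.invalid/callback",
                                   scopes, "constructed-state")
    weak = GOOGLE_AUTH_ENDPOINT + "?" + urlencode(
        {"client_id": "CLIENT_ID_PLACEHOLDER", "response_type": "code",
         "scope": "openid", "state": "constructed-state"})
    print(audit_authorization_url(good, scopes))
    print(audit_authorization_url(weak, scopes))
```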
Why must it take so much time! Why must I solve the same problems so many times now! I found myself nodding furiously while reading Google's BeyondCorp papers, "we should solve it in the proxy layer!". Seemingly every project I work on gets bogged down at some point on authentication.