Add BlockingFunctionsConfig, AuthorizedDomains and QuotaConfig fields to identityplatform config

mmv1/products/identityplatform/ProjectDefaultConfig.yaml

@@ -124,3 +124,71 @@ properties:
             output: true
             description: |
               Memory cost for hash calculation. Used by scrypt and other similar password derivation algorithms. See https://tools.ietf.org/html/rfc7914 for explanation of field.
+
+  - !ruby/object:Api::Type::NestedObject
+    name: 'blockingFunctions'
+    description: |
+      Configuration related to blocking functions.
+    properties:
+      - !ruby/object:Api::Type::Map
+        name: 'triggers'
+        required: true
+        description: |
+          Map of Trigger to event type. Key should be one of the supported event types: "beforeCreate", "beforeSignIn".
+        key_name: event_type
+        value_type: !ruby/object:Api::Type::NestedObject
+          properties:
+            - !ruby/object:Api::Type::String
+              name: 'functionUri'
+              required: true
+              description: |
+                HTTP URI trigger for the Cloud Function.
+            - !ruby/object:Api::Type::Time
+              name: 'updateTime'
+              output: true
+              description: |
+                When the trigger was changed.
+      - !ruby/object:Api::Type::NestedObject
+        name: 'forwardInboundCredentials'
+        description: |
+          The user credentials to include in the JWT payload that is sent to the registered Blocking Functions.
+        properties:
+          - !ruby/object:Api::Type::Boolean
+            name: 'idToken'
+            description: |
+              Whether to pass the user's OIDC identity provider's ID token.
+          - !ruby/object:Api::Type::Boolean
+            name: 'accessToken'
+            description: |
+              Whether to pass the user's OAuth identity provider's access token.
+          - !ruby/object:Api::Type::Boolean
+            name: 'refreshToken'
+            description: |
+              Whether to pass the user's OAuth identity provider's refresh token.
+  - !ruby/object:Api::Type::NestedObject
+    name: 'quota'
+    description: |
+      Configuration related to quotas.
+    properties:
+      - !ruby/object:Api::Type::NestedObject
+        name: 'signUpQuotaConfig'
+        description: |
+          Quota for the Signup endpoint, if overwritten. Signup quota is measured in sign ups per project per hour per IP.
+        properties:
+          - !ruby/object:Api::Type::Integer
+            name: 'quota'
+            description: |
+              Corresponds to the 'refill_token_count' field in QuotaServer config.
+          - !ruby/object:Api::Type::Time
+            name: 'startTime'
+            description: |
+              When this quota will take affect.
+          - !ruby/object:Api::Type::String
+            name: 'quotaDuration'
+            description: |
+              How long this quota will be active for.
+  - !ruby/object:Api::Type::Array
+    name: authorizedDomains
+    description: |
+      List of domains authorized for OAuth redirects.
+    item_type: Api::Type::String

mmv1/templates/terraform/examples/identity_platform_project_default_config.tf.erb

@@ -18,4 +18,30 @@ resource "google_identity_platform_project_default_config" "<%= ctx[:primary_res
             }
         }
     }
-}
+
+    blocking_functions {
+        triggers {
+            "beforeSignIn" = {
+                function_uri = "new_uri-before-sign-in"
+            }
+        }
+
+        forward_inbound_credentials {
+            refresh_token = true
+            access_token = true
+            id_token = true
+        }
+    }
+
+    quota {
+        sign_up_quota_config {
+            quota = 1000
+        }
+    }
+
+    authorized_domains = [
+        "localhost",
+        "project_id.firebaseapp.com",
+        "project_id.web.app",
+    ]
+}