From 6acf8368b74e1e9a5a35e9d255fd0e24087bb826 Mon Sep 17 00:00:00 2001 From: The Magician Date: Mon, 28 Nov 2022 14:43:49 -0800 Subject: [PATCH] Add new resource WorkforcePoolProvider (#6810) (#13130) * test * Empty entity bug fixed * First attempt * First attempt * completed adding workforce pool provider * fix bugs Signed-off-by: Modular Magician Signed-off-by: Modular Magician --- .changelog/6810.txt | 3 + ...ce_pool_workforce_pool_provider_id_test.go | 1 + ...force_pool_workforce_pool_provider_test.go | 1 + .../iam_workforce_pool_provider.html.markdown | 329 ++++++++++++++++++ 4 files changed, 334 insertions(+) create mode 100644 .changelog/6810.txt create mode 100644 google/resource_iam_workforce_pool_workforce_pool_provider_id_test.go create mode 100644 google/resource_iam_workforce_pool_workforce_pool_provider_test.go create mode 100644 website/docs/r/iam_workforce_pool_provider.html.markdown
diff --git a/.changelog/6810.txt b/.changelog/6810.txt
new file mode 100644
index 00000000000..6365fb8c4fe
--- /dev/null
+++ b/.changelog/6810.txt
@@ -0,0 +1,3 @@
+```release-note:new-resource
+`google_iam_workforce_pool_provider`
+```
diff --git a/google/resource_iam_workforce_pool_workforce_pool_provider_id_test.go b/google/resource_iam_workforce_pool_workforce_pool_provider_id_test.go
new file mode 100644
index 00000000000..71664db3c87
--- /dev/null
+++ b/google/resource_iam_workforce_pool_workforce_pool_provider_id_test.go
@@ -0,0 +1 @@
+package google
diff --git a/google/resource_iam_workforce_pool_workforce_pool_provider_test.go b/google/resource_iam_workforce_pool_workforce_pool_provider_test.go
new file mode 100644
index 00000000000..71664db3c87
--- /dev/null
+++ b/google/resource_iam_workforce_pool_workforce_pool_provider_test.go
@@ -0,0 +1 @@
+package google
diff --git a/website/docs/r/iam_workforce_pool_provider.html.markdown b/website/docs/r/iam_workforce_pool_provider.html.markdown
new file mode 100644
index 00000000000..0d0a8cc60ec
--- /dev/null
+++ b/website/docs/r/iam_workforce_pool_provider.html.markdown 
@@ -0,0 +1,329 @@ +--- +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: MMv1 *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in +# .github/CONTRIBUTING.md. +# +# ---------------------------------------------------------------------------- +subcategory: "Cloud IAM" +page_title: "Google: google_iam_workforce_pool_provider" +description: |- + A configuration for an external identity provider. +--- + +# google\_iam\_workforce\_pool\_provider + +A configuration for an external identity provider. +~> **Note:** Ask your Google Cloud account team to request access to workforce identity +federation for your billing/quota project. The account team notifies you when the project is +granted access. + +~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider. +See [Provider Versions](https://terraform.io/docs/providers/google/guides/provider_versions.html) for more details on beta resources. 
+ +To get more information about WorkforcePoolProvider, see: + +* [API documentation](https://cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools.providers) +* How-to Guides + * [Configure a provider within the workforce pool](https://cloud.google.com/iam/docs/manage-workforce-identity-pools-providers#configure_a_provider_within_the_workforce_pool) + +## Example Usage - Iam Workforce Pool Provider Saml Basic + + +```hcl +resource "google_iam_workforce_pool" "pool" { + provider = google-beta + + workforce_pool_id = "example-pool" + parent = "organizations/123456789" + location = "global" +} + +resource "google_iam_workforce_pool_provider" "example" { + provider = google-beta + + workforce_pool_id = google_iam_workforce_pool.pool.workforce_pool_id + location = google_iam_workforce_pool.pool.location + provider_id = "example-prvdr" + attribute_mapping = { + "google.subject" = "assertion.sub" + } + saml { + idp_metadata_xml = " 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" + } +} +``` +## Example Usage - Iam Workforce Pool Provider Saml Full + + +```hcl +resource "google_iam_workforce_pool" "pool" { + provider = google-beta + + workforce_pool_id = "example-pool" + parent = "organizations/123456789" + location = "global" +} + +resource "google_iam_workforce_pool_provider" "example" { + provider = google-beta + + workforce_pool_id = google_iam_workforce_pool.pool.workforce_pool_id + location = google_iam_workforce_pool.pool.location + provider_id = "example-prvdr" + attribute_mapping = { + "google.subject" = "assertion.sub" + } + saml { + idp_metadata_xml = " 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" + } + display_name = "Display name" + description = "A sample SAML workforce pool provider." 
+ disabled = false + attribute_condition = "true" +} +``` +## Example Usage - Iam Workforce Pool Provider Oidc Basic + + +```hcl +resource "google_iam_workforce_pool" "pool" { + provider = google-beta + + workforce_pool_id = "example-pool" + parent = "organizations/123456789" + location = "global" +} + +resource "google_iam_workforce_pool_provider" "example" { + provider = google-beta + + workforce_pool_id = google_iam_workforce_pool.pool.workforce_pool_id + location = google_iam_workforce_pool.pool.location + provider_id = "example-prvdr" + attribute_mapping = { + "google.subject" = "assertion.sub" + } + oidc { + issuer_uri = "https://accounts.google.com" + client_id = "client-id" + } +} +``` +## Example Usage - Iam Workforce Pool Provider Oidc Full + + +```hcl +resource "google_iam_workforce_pool" "pool" { + provider = google-beta + + workforce_pool_id = "example-pool" + parent = "organizations/123456789" + location = "global" +} + +resource "google_iam_workforce_pool_provider" "example" { + provider = google-beta + + workforce_pool_id = google_iam_workforce_pool.pool.workforce_pool_id + location = google_iam_workforce_pool.pool.location + provider_id = "example-prvdr" + attribute_mapping = { + "google.subject" = "assertion.sub" + } + oidc { + issuer_uri = "https://accounts.google.com" + client_id = "client-id" + } + display_name = "Display name" + description = "A sample OIDC workforce pool provider." + disabled = false + attribute_condition = "true" +} +``` + +## Argument Reference + +The following arguments are supported: + + +* `location` - + (Required) + The location for the resource. + +* `workforce_pool_id` - + (Required) + The ID to use for the pool, which becomes the final component of the resource name. + The IDs must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. + It must start with a letter, and cannot have a trailing hyphen. + The prefix `gcp-` is reserved for use by Google, and may not be specified. 
+ +* `provider_id` - + (Required) + The ID for the provider, which becomes the final component of the resource name. + This value must be 4-32 characters, and may contain the characters [a-z0-9-]. + The prefix `gcp-` is reserved for use by Google, and may not be specified. + + +- - - + + +* `display_name` - + (Optional) + A user-specified display name for the provider. Cannot exceed 32 characters. + +* `description` - + (Optional) + A user-specified description of the provider. Cannot exceed 256 characters. + +* `disabled` - + (Optional) + Whether the provider is disabled. You cannot use a disabled provider to exchange tokens. + However, existing tokens still grant access. + +* `attribute_mapping` - + (Optional) + Maps attributes from the authentication credentials issued by an external identity provider + to Google Cloud attributes, such as `subject` and `segment`. + Each key must be a string specifying the Google Cloud IAM attribute to map to. + The following keys are supported: + * `google.subject`: The principal IAM is authenticating. You can reference this value in IAM bindings. + This is also the subject that appears in Cloud Logging logs. This is a required field and + the mapped subject cannot exceed 127 bytes. + * `google.groups`: Groups the authenticating user belongs to. You can grant groups access to + resources using an IAM `principalSet` binding; access applies to all members of the group. + * `google.display_name`: The name of the authenticated user. This is an optional field and + the mapped display name cannot exceed 100 bytes. If not set, `google.subject` will be displayed instead. + This attribute cannot be referenced in IAM bindings. + * `google.profile_photo`: The URL that specifies the authenticated user's thumbnail photo. + This is an optional field. When set, the image will be visible as the user's profile picture. + If not set, a generic user icon will be displayed instead. + This attribute cannot be referenced in IAM bindings. 
+ You can also provide custom attributes by specifying `attribute.{custom_attribute}`, where {custom_attribute} + is the name of the custom attribute to be mapped. You can define a maximum of 50 custom attributes. + The maximum length of a mapped attribute key is 100 characters, and the key may only contain the characters [a-z0-9_]. + You can reference these attributes in IAM policies to define fine-grained access for a workforce pool + to Google Cloud resources. For example: + * `google.subject`: + `principal://iam.googleapis.com/locations/{location}/workforcePools/{pool}/subject/{value}` + * `google.groups`: + `principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/group/{value}` + * `attribute.{custom_attribute}`: + `principalSet://iam.googleapis.com/locations/{location}/workforcePools/{pool}/attribute.{custom_attribute}/{value}` + Each value must be a [Common Expression Language](https://opensource.google/projects/cel) + function that maps an identity provider credential to the normalized attribute specified + by the corresponding map key. + You can use the `assertion` keyword in the expression to access a JSON representation of + the authentication credential issued by the provider. + The maximum length of an attribute mapping expression is 2048 characters. When evaluated, + the total size of all mapped attributes must not exceed 8KB. + For OIDC providers, you must supply a custom mapping that includes the `google.subject` attribute. + For example, the following maps the sub claim of the incoming credential to the `subject` attribute + on a Google token: + ``` + {"google.subject": "assertion.sub"} + ``` + An object containing a list of `"key": value` pairs. + Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`. 
+ +* `attribute_condition` - + (Optional) + A [Common Expression Language](https://opensource.google/projects/cel) expression, in + plain text, to restrict what otherwise valid authentication credentials issued by the + provider should not be accepted. + The expression must output a boolean representing whether to allow the federation. + The following keywords may be referenced in the expressions: + * `assertion`: JSON representing the authentication credential issued by the provider. + * `google`: The Google attributes mapped from the assertion in the `attribute_mappings`. + `google.profile_photo` and `google.display_name` are not supported. + * `attribute`: The custom attributes mapped from the assertion in the `attribute_mappings`. + The maximum length of the attribute condition expression is 4096 characters. + If unspecified, all valid authentication credentials will be accepted. + The following example shows how to only allow credentials with a mapped `google.groups` value of `admins`: + ``` + "'admins' in google.groups" + ``` + +* `saml` - + (Optional) + Represents a SAML identity provider. + Structure is [documented below](#nested_saml). + +* `oidc` - + (Optional) + Represents an OpenId Connect 1.0 identity provider. + Structure is [documented below](#nested_oidc). + + +The `saml` block supports: + +* `idp_metadata_xml` - + (Required) + SAML Identity provider configuration metadata xml doc. + The xml document should comply with [SAML 2.0 specification](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf). + The max size of the acceptable xml document will be bounded to 128k characters. + The metadata xml document should satisfy the following constraints: + 1) Must contain an Identity Provider Entity ID. + 2) Must contain at least one non-expired signing key certificate. + 3) For each signing key: + a) Valid from should be no more than 7 days from now. + b) Valid to should be no more than 10 years in the future. 
+ 4) Up to 3 IdP signing keys are allowed in the metadata xml. + When updating the provider's metadata xml, at least one non-expired signing key + must overlap with the existing metadata. This requirement is skipped if there are + no non-expired signing keys present in the existing metadata. + +The `oidc` block supports: + +* `issuer_uri` - + (Required) + The OIDC issuer URI. Must be a valid URI using the 'https' scheme. + +* `client_id` - + (Required) + The client ID. Must match the audience claim of the JWT issued by the identity provider. + +## Attributes Reference + +In addition to the arguments listed above, the following computed attributes are exported: + +* `id` - an identifier for the resource with format `locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}` + +* `name` - + Output only. The resource name of the provider. + Format: `locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}` + +* `state` - + The current state of the provider. + * STATE_UNSPECIFIED: State unspecified. + * ACTIVE: The provider is active and may be used to validate authentication credentials. + * DELETED: The provider is soft-deleted. Soft-deleted providers are permanently + deleted after approximately 30 days. You can restore a soft-deleted provider using + [providers.undelete](https://cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools.providers/undelete#google.iam.admin.v1.WorkforcePools.UndeleteWorkforcePoolProvider). + + +## Timeouts + +This resource provides the following +[Timeouts](/docs/configuration/resources.html#timeouts) configuration options: + +- `create` - Default is 20 minutes. +- `update` - Default is 20 minutes. +- `delete` - Default is 20 minutes. 
+ +## Import + + +WorkforcePoolProvider can be imported using any of these accepted formats: + +``` +$ terraform import google_iam_workforce_pool_provider.default locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}} +$ terraform import google_iam_workforce_pool_provider.default {{location}}/{{workforce_pool_id}}/{{provider_id}} +```