Add support for IAP (Cloud Identity Aware Proxy) TCP Forwarding

[j-martin]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

GCP announced the beta availability of IAP TCP forwarding. It would be nice to support it.

https://cloud.google.com/iap/docs/using-tcp-forwarding

It looks like we also need support for the Access Context Manager.

New or Affected Resource(s)

TBD, I have no opinion.

• google_XXXXX

Potential Terraform Configuration

TBD, I have no opinion.

# Propose what you think the configuration to take advantage of this feature should look like.
# We may not use it verbatim, but it's helpful in understanding your intent.

References

• Add support for Cloud IAP IAM bindings #2613 is tangentially related

[nat-henderson]

Looks like AccessContextManager will be enabled in the next release of the beta provider. :)

https://github.com/terraform-providers/terraform-provider-google-beta/blob/master/google-beta/resource_accesscontextmanager_service_perimeter.go
https://github.com/terraform-providers/terraform-provider-google-beta/blob/master/google-beta/resource_accesscontextmanager_access_level.go
https://github.com/terraform-providers/terraform-provider-google-beta/blob/master/google-beta/resource_accesscontextmanager_access_policy.go

[nat-henderson]

Would your needs be met here if we also had three sets of IAM resources, following our current model of IAM resources (policy, binding, and member) for IAP tunnels at the levels of project, zone, and instance?

[j-martin]

@ndmckinley as far as IAM goes it sounds reasonable. These are the same levels available in the console.

Unless I am missing something we also need some kind of resource that works with IAP tunnel endpoint. https://iap.googleapis.com/v1beta1/projects/${PROJECT_NUMBER}/iap_tunnel

[nat-henderson]

The only methods available on that resource seem to be IAM methods. What would you expect to control with the terraform resource?

https://cloud.google.com/iap/docs/reference/rest/v1/projects.iap_tunnel

[j-martin]

You are right. I guess what will be important will be the docs. :)

[danawillow]

Looks like this was fixed in GoogleCloudPlatform/magic-modules#1719

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!