hashicorp · modular-magician · Aug 24, 2023 · Aug 24, 2023
diff --git a/.changelog/8744.txt b/.changelog/8744.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+iam: added `web_sso_config.additional_scopes` field to `google_iam_workforce_pool_provider` resource under
+```
diff --git a/google/services/iamworkforcepool/resource_iam_workforce_pool_provider.go b/google/services/iamworkforcepool/resource_iam_workforce_pool_provider.go
@@ -265,6 +265,15 @@ The 'CODE' Response Type is recommended to avoid the Implicit Flow, for security
 * CODE: The 'response_type=code' selection uses the Authorization Code Flow for web sign-in. Requires a configured client secret.
 * ID_TOKEN: The 'response_type=id_token' selection uses the Implicit Flow for web sign-in. Possible values: ["CODE", "ID_TOKEN"]`,
 									},
+									"additional_scopes": {
+										Type:     schema.TypeList,
+										Optional: true,
+										Description: `Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the 'openid', 'profile' and 'email' scopes that are supported by the identity provider are requested.
+Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.`,
+										Elem: &schema.Schema{
+											Type: schema.TypeString,
+										},
+									},
 								},
 							},
 						},
@@ -841,6 +850,8 @@ func flattenIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfig(v interface{},
 		flattenIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfigResponseType(original["responseType"], d, config)
 	transformed["assertion_claims_behavior"] =
 		flattenIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfigAssertionClaimsBehavior(original["assertionClaimsBehavior"], d, config)
+	transformed["additional_scopes"] =
+		flattenIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfigAdditionalScopes(original["additionalScopes"], d, config)
 	return []interface{}{transformed}
 }
 func flattenIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfigResponseType(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
@@ -851,6 +862,10 @@ func flattenIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfigAssertionClaims
 	return v
 }
 
+func flattenIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfigAdditionalScopes(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func expandIAMWorkforcePoolWorkforcePoolProviderDisplayName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
@@ -1025,6 +1040,13 @@ func expandIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfig(v interface{},
 		transformed["assertionClaimsBehavior"] = transformedAssertionClaimsBehavior
 	}
 
+	transformedAdditionalScopes, err := expandIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfigAdditionalScopes(original["additional_scopes"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedAdditionalScopes); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["additionalScopes"] = transformedAdditionalScopes
+	}
+
 	return transformed, nil
 }
 
@@ -1036,6 +1058,10 @@ func expandIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfigAssertionClaimsB
 	return v, nil
 }
 
+func expandIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfigAdditionalScopes(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func resourceIAMWorkforcePoolWorkforcePoolProviderDecoder(d *schema.ResourceData, meta interface{}, res map[string]interface{}) (map[string]interface{}, error) {
 	if v := res["state"]; v == "DELETED" {
 		return nil, nil

diff --git a/google/services/iamworkforcepool/resource_iam_workforce_pool_provider_generated_test.go b/google/services/iamworkforcepool/resource_iam_workforce_pool_provider_generated_test.go
@@ -241,6 +241,7 @@ resource "google_iam_workforce_pool_provider" "example" {
     web_sso_config {
       response_type             = "CODE"
       assertion_claims_behavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"
+      additional_scopes         = ["groups", "roles"]
     }
   }
   display_name        = "Display name"

diff --git a/google/services/iamworkforcepool/resource_iam_workforce_pool_provider_test.go b/google/services/iamworkforcepool/resource_iam_workforce_pool_provider_test.go
@@ -181,6 +181,7 @@ resource "google_iam_workforce_pool_provider" "my_provider" {
     web_sso_config {
       response_type             = "CODE"
       assertion_claims_behavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"
+      additional_scopes         = ["groups", "roles"]
     }
   }
   display_name        = "Display name"
@@ -217,6 +218,7 @@ resource "google_iam_workforce_pool_provider" "my_provider" {
     web_sso_config {
       response_type             = "ID_TOKEN"
       assertion_claims_behavior = "ONLY_ID_TOKEN_CLAIMS"
+      additional_scopes         = ["new-groups"]
     }
   }
   display_name        = "New Display name"
@@ -248,6 +250,7 @@ resource "google_iam_workforce_pool_provider" "my_provider" {
     web_sso_config {
       response_type             = "ID_TOKEN"
       assertion_claims_behavior = "ONLY_ID_TOKEN_CLAIMS"
+      additional_scopes         = ["new-groups"]
     }
   }
   display_name        = "New Display name"

diff --git a/website/docs/r/iam_workforce_pool_provider.html.markdown b/website/docs/r/iam_workforce_pool_provider.html.markdown
@@ -143,6 +143,7 @@ resource "google_iam_workforce_pool_provider" "example" {
     web_sso_config {
       response_type             = "CODE"
       assertion_claims_behavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"
+      additional_scopes         = ["groups", "roles"]
     }
   }
   display_name        = "Display name"
@@ -340,6 +341,11 @@ The following arguments are supported:
   * ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims.
   Possible values are: `MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS`, `ONLY_ID_TOKEN_CLAIMS`.
 
+* `additional_scopes` -
+  (Optional)
+  Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the `openid`, `profile` and `email` scopes that are supported by the identity provider are requested.
+  Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are exported: