GoogleCloudPlatform · rileykarson · Apr 1, 2020 · Mar 5, 2020 · Mar 5, 2020 · Mar 5, 2020
diff --git a/products/oslogin/api.yaml b/products/oslogin/api.yaml
@@ -0,0 +1,67 @@
+# Copyright 2020 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+--- !ruby/object:Api::Product
+name: OSLogin
+display_name: OS Login
+versions:
+  - !ruby/object:Api::Product::Version
+    name: ga
+    base_url: https://oslogin.googleapis.com/v1/
+apis_required:
+  - !ruby/object:Api::Product::ApiReference
+    name: Identity and Access Management (IAM) API
+    url: https://console.cloud.google.com/apis/library/iam.googleapis.com/
+scopes:
+  - https://www.googleapis.com/auth/cloud-platform
+  - https://www.googleapis.com/auth/compute    
+objects:
+  - !ruby/object:Api::Resource
+    name: 'SSHPublicKey'
+    kind: user#sshPublicKeys
+    base_url: "users/{{user}}/sshPublicKeys/{{fingerprint}}"
+    create_url: "users/{{user}}:importSshPublicKey"
+    create_verb: :POST    
+    update_verb: :PATCH
+    description: |
+      The SSH public key information associated with a Google account.
+    references: !ruby/object:Api::Resource::ReferenceLinks
+      guides:
+        'Official Documentation':
+          'https://cloud.google.com/compute/docs/oslogin'
+      api: 'https://cloud.google.com/compute/docs/oslogin/rest'      
+    update_mask: true
+    parameters:
+      - !ruby/object:Api::Type::String
+        name: user
+        description: |
+          The user email.
+        input: true
+        url_param_only: true
+        required: true      
+      - !ruby/object:Api::Type::String
+        name: fingerprint
+        description: |
+          The SHA-256 fingerprint of the SSH public key.
+        output: true
+    properties:
+      - !ruby/object:Api::Type::String
+        name: 'key'
+        description: |
+          Public key text in SSH format, defined by RFC4253 section 6.6.
+        required: true
+      - !ruby/object:Api::Type::String
+        name: 'expirationTimeUsec'
+        description: |
+          An expiration time in microseconds since epoch.
+        required: false
diff --git a/products/oslogin/terraform.yaml b/products/oslogin/terraform.yaml
@@ -0,0 +1,24 @@
+# Copyright 2020 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+--- !ruby/object:Provider::Terraform::Config
+overrides: !ruby/object:Overrides::ResourceOverrides
+  SSHPublicKey: !ruby/object:Overrides::Terraform::ResourceOverride
+    id_format: "users/{{user}}/sshPublicKeys/{{fingerprint}}"
+    import_format: ["users/{{user}}/sshPublicKeys/{{fingerprint}}"]
+    examples:
+      - !ruby/object:Provider::Terraform::Examples
+        name: "os_login_ssh_key_provided_user"
+        primary_resource_id: "cache"
+    custom_code: !ruby/object:Provider::Terraform::CustomCode
+      post_create: templates/terraform/post_create/sshkeyfingerprint.go.erb
diff --git a/provider/terraform/examples.rb b/provider/terraform/examples.rb
@@ -228,12 +228,14 @@ def substitute_test_paths(config)
         config.gsub!('path/to/certificate.crt', 'test-fixtures/ssl_cert/test.crt')
         config.gsub!('path/to/index.zip', '%{zip_path}')
         config.gsub!('verified-domain.com', 'tf-test-domain%{random_suffix}.gcp.tfacc.hashicorptest.com')
+        config.gsub!('path/to/id_rsa.pub', 'test-fixtures/ssh_rsa.pub')
         config
       end
 
       def substitute_example_paths(config)
         config.gsub!('../static/img/header-logo.png', '../static/header-logo.png')
         config.gsub!('path/to/private.key', '../static/ssl_cert/test.key')
+        config.gsub!('path/to/id_rsa.pub', '../static/ssh_rsa.pub')
         config.gsub!('path/to/certificate.crt', '../static/ssl_cert/test.crt')
         config
       end

diff --git a/templates/terraform/examples/os_login_ssh_key_provided_user.tf.erb b/templates/terraform/examples/os_login_ssh_key_provided_user.tf.erb
@@ -0,0 +1,7 @@
+data "google_client_openid_userinfo" "me" {
+}
+
+resource "google_os_login_ssh_public_key" "<%= ctx[:primary_resource_id] %>" {
+  user =  data.google_client_openid_userinfo.me.email
+  key = file("path/to/id_rsa.pub")
+}
diff --git a/templates/terraform/post_create/sshkeyfingerprint.go.erb b/templates/terraform/post_create/sshkeyfingerprint.go.erb
@@ -0,0 +1,21 @@
+
+loginProfile, ok := res["loginProfile"]
+if !ok {
+  return fmt.Errorf("Create response didn't contain critical fields. Create may not have succeeded.")
+}
+
+// `fingerprint` is autogenerated from the api so needs to be set post-create
+sshPublicKeys := loginProfile.(map[string]interface{})["sshPublicKeys"]
+for _,sshPublicKey := range sshPublicKeys.(map[string]interface{}) {
+  if sshPublicKey.(map[string]interface{})["key"].(string)== d.Get("key") {
+    d.Set("fingerprint", sshPublicKey.(map[string]interface{})["fingerprint"].(string))
+    break
+  }
+}
+
+// Store the ID now
+id, err = replaceVars(d, config, "users/{{user}}/sshPublicKeys/{{fingerprint}}")
+if err != nil {
+	return fmt.Errorf("Error constructing id: %s", err)
+}
+d.SetId(id)
diff --git a/third_party/terraform/data_sources/data_source_google_client_openid_userinfo.go b/third_party/terraform/data_sources/data_source_google_client_openid_userinfo.go
@@ -1,7 +1,6 @@
 package google
 
 import (
-	"fmt"
 	"time"
 
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
@@ -22,15 +21,11 @@ func dataSourceGoogleClientOpenIDUserinfo() *schema.Resource {
 func dataSourceGoogleClientOpenIDUserinfoRead(d *schema.ResourceData, meta interface{}) error {
 	config := meta.(*Config)
 
-	// See https://github.com/golang/oauth2/issues/306 for a recommendation to do this from a Go maintainer
-	// URL retrieved from https://accounts.google.com/.well-known/openid-configuration
-	res, err := sendRequest(config, "GET", "", "https://openidconnect.googleapis.com/v1/userinfo", nil)
+	email, err := GetCurrentUserEmail(config)
 	if err != nil {
-		return fmt.Errorf("error retrieving userinfo for your provider credentials. have you enabled the 'https://www.googleapis.com/auth/userinfo.email' scope? error: %s", err)
+		return err
 	}
-
 	d.SetId(time.Now().UTC().String())
-	d.Set("email", res["email"])
-
+	d.Set("email", email)
 	return nil
 }
diff --git a/third_party/terraform/utils/test-fixtures/ssh_rsa.pub b/third_party/terraform/utils/test-fixtures/ssh_rsa.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EXYZTDAQABAAABAQDK/Mq0qy+O5AaNc1Ag5SGb+toqGiMu9cnLA5irVDsuAIs+HACy7z+T8QnN6z/q3TtgWs5jZG4JPGQ4xj+ai3esM+hRIwGWmvxkNfJWAVzK61yBTUHh6p1PrS12h3tLmupDTBVtOzzcbszo9eD+3kXtKsNoxiRPGFhzGa20fBlVRwJkb22LAlXbrtdKWiyozjRA5DBiXmLbUQmF9PkyYwAHUvp6g6I0lgJioxvVLLdp6h6uThAtIudsbKXG5s9Vr2hJ0mlcnVa/la0bUqBEcxfECs6b2CXsWRBNVEjodSJ4cI4rtwKxuZgRXWflnQtDN5PJyPqhtynSTXYnRohXekUr
diff --git a/third_party/terraform/utils/userinfo.go b/third_party/terraform/utils/userinfo.go
@@ -0,0 +1,15 @@
+package google
+
+import (
+	"fmt"
+)
+
+func GetCurrentUserEmail(config *Config) (string, error) {
+	// See https://github.com/golang/oauth2/issues/306 for a recommendation to do this from a Go maintainer
+	// URL retrieved from https://accounts.google.com/.well-known/openid-configuration
+	res, err := sendRequest(config, "GET", "", "https://openidconnect.googleapis.com/v1/userinfo", nil)
+	if err != nil {
+		return "", fmt.Errorf("error retrieving userinfo for your provider credentials. have you enabled the 'https://www.googleapis.com/auth/userinfo.email' scope? error: %s", err)
+	}
+	return res["email"].(string), nil
+}
diff --git a/third_party/terraform/website-compiled/google.erb b/third_party/terraform/website-compiled/google.erb
@@ -1265,6 +1265,14 @@
     </ul>
     </li>
 
+    <li<%%= sidebar_current("docs-google-os-login-ssh-public-key") %>>
+    <a href="#">Google OS Login</a>
+    <ul class="nav">
+      <li<%%= sidebar_current("docs-google-os-login-ssh-public-key") %>>
+      <a href="/docs/providers/google/r/os_login_ssh_public_key.html">google_os_login_ssh_public_key</a>
+    </ul>
+    </li>
+
     <li<%%= sidebar_current("docs-google-pubsub") %>>
     <a href="#">Google PubSub Resources</a>
     <ul class="nav">
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		ssh-rsa AAAAB3NzaC1yc2EXYZTDAQABAAABAQDK/Mq0qy+O5AaNc1Ag5SGb+toqGiMu9cnLA5irVDsuAIs+HACy7z+T8QnN6z/q3TtgWs5jZG4JPGQ4xj+ai3esM+hRIwGWmvxkNfJWAVzK61yBTUHh6p1PrS12h3tLmupDTBVtOzzcbszo9eD+3kXtKsNoxiRPGFhzGa20fBlVRwJkb22LAlXbrtdKWiyozjRA5DBiXmLbUQmF9PkyYwAHUvp6g6I0lgJioxvVLLdp6h6uThAtIudsbKXG5s9Vr2hJ0mlcnVa/la0bUqBEcxfECs6b2CXsWRBNVEjodSJ4cI4rtwKxuZgRXWflnQtDN5PJyPqhtynSTXYnRohXekUr