

Added optional field jwks_json to workloadidentityprovider (#8067) (
#14938)

```release-note:enhancement
container: Added optional field `jwks_json` to `workloadidentityprovider`
```

Signed-off-by: Modular Magician <[email protected]>
Co-authored-by: Jieqing(Jay) Chen <[email protected]>
modular-magician and Jieqing(Jay) Chen authored Jun 20, 2023
1 parent 8561fca commit f832b63
Showing 4 changed files with 169 additions and 1 deletion.
3 changes: 3 additions & 0 deletions .changelog/8067.txt
@@ -0,0 +1,3 @@
```release-note:enhancement
container: Added optional field `jwks_json` to `workloadidentityprovider`
```
Expand Up @@ -221,6 +221,63 @@ EOT
`, context)
}

func TestAccIAMBetaWorkloadIdentityPoolProvider_iamWorkloadIdentityPoolProviderOidcUploadKeyExample(t *testing.T) {
t.Parallel()

context := map[string]interface{}{
"random_suffix": RandString(t, 10),
}

VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: ProtoV5ProviderFactories(t),
CheckDestroy: testAccCheckIAMBetaWorkloadIdentityPoolProviderDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccIAMBetaWorkloadIdentityPoolProvider_iamWorkloadIdentityPoolProviderOidcUploadKeyExample(context),
},
{
ResourceName: "google_iam_workload_identity_pool_provider.example",
ImportState: true,
ImportStateVerify: true,
ImportStateVerifyIgnore: []string{"workload_identity_pool_id", "workload_identity_pool_provider_id"},
},
},
})
}

func testAccIAMBetaWorkloadIdentityPoolProvider_iamWorkloadIdentityPoolProviderOidcUploadKeyExample(context map[string]interface{}) string {
return tpgresource.Nprintf(`
resource "google_iam_workload_identity_pool" "pool" {
workload_identity_pool_id = "tf-test-example-pool%{random_suffix}"
}
resource "google_iam_workload_identity_pool_provider" "example" {
workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id
workload_identity_pool_provider_id = "tf-test-example-prvdr%{random_suffix}"
display_name = "Name of provider"
description = "OIDC identity pool provider for automated test"
disabled = true
attribute_condition = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups"
attribute_mapping = {
"google.subject" = "\"azure::\" + assertion.tid + \"::\" + assertion.sub"
"attribute.tid" = "assertion.tid"
"attribute.managed_identity_name" = <<EOT
{
"8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
"55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
}[assertion.oid]
EOT
}
oidc {
allowed_audiences = ["https://example.com/gcp-oidc-federation", "example.com/gcp-oidc-federation"]
issuer_uri = "https://sts.windows.net/azure-tenant-id"
jwks_json = "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}"
}
}
`, context)
}

func testAccCheckIAMBetaWorkloadIdentityPoolProviderDestroyProducer(t *testing.T) func(s *terraform.State) error {
return func(s *terraform.State) error {
for name, rs := range s.RootModule().Resources {
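Review bot: The new acceptance test applies the OIDC upload-key configuration once and then imports it, so the `oidc.jwks_json` update-mask entry this commit adds to `resourceIAMBetaWorkloadIdentityPoolProviderUpdate` is never exercised; a second `resource.TestStep` applying the same config with a different `jwks_json` value, followed by the same import step, would cover the update path and confirm the new value is read back. The JWKS fixture is a public RSA key, so keeping it inline is fine, but a heredoc or `jsonencode(...)` would be far easier to read and review than the escaped string literal on the `jwks_json` line. Since the commit is signed by Modular Magician, the test is presumably generated from the upstream example and the change belongs there.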
Expand Up @@ -245,6 +245,33 @@ https://iam.googleapis.com/projects/<project-number>/locations/<location>/worklo
Type: schema.TypeString,
},
},
"jwks_json": {
Type: schema.TypeString,
Optional: true,
Description: `OIDC JWKs in JSON String format. For details on definition of a
JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
use the 'jwks_uri' from the discovery document fetched from the
.well-known path for the 'issuer_uri'. Currently, RSA and EC asymmetric
keys are supported. The JWK must use following format and include only
the following fields:
'''
{
"keys": [
{
"kty": "RSA/EC",
"alg": "<algorithm>",
"use": "sig",
"kid": "<key-id>",
"n": "",
"e": "",
"x": "",
"y": "",
"crv": ""
}
]
}
'''`,
},
},
},
ExactlyOneOf: []string{"aws", "oidc"},
Expand Down Expand Up @@ -558,7 +585,8 @@ func resourceIAMBetaWorkloadIdentityPoolProviderUpdate(d *schema.ResourceData, m

if d.HasChange("oidc") {
updateMask = append(updateMask, "oidc.allowed_audiences",
"oidc.issuer_uri")
"oidc.issuer_uri",
"oidc.jwks_json")
}
// updateMask is a URL parameter but not present in the schema, so ReplaceVars
// won't set it
Expand Down Expand Up @@ -730,6 +758,8 @@ func flattenIAMBetaWorkloadIdentityPoolProviderOidc(v interface{}, d *schema.Res
flattenIAMBetaWorkloadIdentityPoolProviderOidcAllowedAudiences(original["allowedAudiences"], d, config)
transformed["issuer_uri"] =
flattenIAMBetaWorkloadIdentityPoolProviderOidcIssuerUri(original["issuerUri"], d, config)
transformed["jwks_json"] =
flattenIAMBetaWorkloadIdentityPoolProviderOidcJwksJson(original["jwksJson"], d, config)
return []interface{}{transformed}
}
func flattenIAMBetaWorkloadIdentityPoolProviderOidcAllowedAudiences(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
Expand All @@ -740,6 +770,10 @@ func flattenIAMBetaWorkloadIdentityPoolProviderOidcIssuerUri(v interface{}, d *s
return v
}

func flattenIAMBetaWorkloadIdentityPoolProviderOidcJwksJson(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
return v
}

func expandIAMBetaWorkloadIdentityPoolProviderDisplayName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
return v, nil
}
Expand Down Expand Up @@ -813,6 +847,13 @@ func expandIAMBetaWorkloadIdentityPoolProviderOidc(v interface{}, d tpgresource.
transformed["issuerUri"] = transformedIssuerUri
}

transformedJwksJson, err := expandIAMBetaWorkloadIdentityPoolProviderOidcJwksJson(original["jwks_json"], d, config)
if err != nil {
return nil, err
} else if val := reflect.ValueOf(transformedJwksJson); val.IsValid() && !tpgresource.IsEmptyValue(val) {
transformed["jwksJson"] = transformedJwksJson
}

return transformed, nil
}

Expand All @@ -824,6 +865,10 @@ func expandIAMBetaWorkloadIdentityPoolProviderOidcIssuerUri(v interface{}, d tpg
return v, nil
}

func expandIAMBetaWorkloadIdentityPoolProviderOidcJwksJson(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
return v, nil
}

func resourceIAMBetaWorkloadIdentityPoolProviderDecoder(d *schema.ResourceData, meta interface{}, res map[string]interface{}) (map[string]interface{}, error) {
if v := res["state"]; v == "DELETED" {
return nil, nil
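Review bot: `jwks_json` in the schema hunk is accepted as an opaque `schema.TypeString` with no `ValidateFunc`, so a malformed or truncated JWKS is only rejected by the API at apply time, after a clean plan; because this value replaces the keys that would otherwise be fetched from the issuer's discovery document, it is the token-verification trust anchor for the provider and deserves at least a syntactic check, e.g. `ValidateFunc: validation.StringIsJSON,` if the SDK's `helper/validation` package is, or can be, imported in this file. If the API returns the JWKS re-serialized (whitespace or key order), a `DiffSuppressFunc` that compares parsed JSON rather than raw strings would avoid perpetual diffs; worth confirming against the API before adding it. The Description also contains a broken link, `https:tools.ietf.org/html/rfc7517`, which should read `https://tools.ietf.org/html/rfc7517`, and the same text is repeated in the website markdown. As the commit is signed by Modular Magician, these fixes presumably belong in the upstream Magic Modules field definition rather than in this generated file.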
63 changes: 63 additions & 0 deletions website/docs/r/iam_workload_identity_pool_provider.html.markdown
Expand Up @@ -139,6 +139,43 @@ EOT
}
}
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=iam_workload_identity_pool_provider_oidc_upload_key&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Iam Workload Identity Pool Provider Oidc Upload Key


```hcl
resource "google_iam_workload_identity_pool" "pool" {
workload_identity_pool_id = "example-pool"
}
resource "google_iam_workload_identity_pool_provider" "example" {
workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id
workload_identity_pool_provider_id = "example-prvdr"
display_name = "Name of provider"
description = "OIDC identity pool provider for automated test"
disabled = true
attribute_condition = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups"
attribute_mapping = {
"google.subject" = "\"azure::\" + assertion.tid + \"::\" + assertion.sub"
"attribute.tid" = "assertion.tid"
"attribute.managed_identity_name" = <<EOT
{
"8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
"55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
}[assertion.oid]
EOT
}
oidc {
allowed_audiences = ["https://example.com/gcp-oidc-federation", "example.com/gcp-oidc-federation"]
issuer_uri = "https://sts.windows.net/azure-tenant-id"
jwks_json = "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}"
}
}
```

## Argument Reference

Expand Down Expand Up @@ -286,6 +323,32 @@ The following arguments are supported:
(Required)
The OIDC issuer URL.
* `jwks_json` -
(Optional)
OIDC JWKs in JSON String format. For details on definition of a
JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
use the `jwks_uri` from the discovery document fetched from the
.well-known path for the `issuer_uri`. Currently, RSA and EC asymmetric
keys are supported. The JWK must use following format and include only
the following fields:
```
{
"keys": [
{
"kty": "RSA/EC",
"alg": "<algorithm>",
"use": "sig",
"kid": "<key-id>",
"n": "",
"e": "",
"x": "",
"y": "",
"crv": ""
}
]
}
```
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
