
Creating "OAuth 2.0 Client IDs" (from GCP console) using this provider #6074

Closed
MPV opened this issue Apr 8, 2020 · 24 comments

Comments

@MPV

MPV commented Apr 8, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

I'd like to be able to use Terraform to create the OAuth 2.0 Client IDs showing up here:
https://console.cloud.google.com/apis/credentials

Ideally both Type: Other and Type: Web application.

I have found this resource, but I'm not sure if this is the same as the Type: Other?
https://www.terraform.io/docs/providers/google/r/identity_platform_oauth_idp_config.html

I couldn't find any equivalent TF resource for Type: Web application?

New or Affected Resource(s)

  • Couldn't find any?
  • Possibly identity_platform_oauth_idp_config?

Potential Terraform Configuration

# I would use TF to create my OAuth OIDC apps in GCP as code...
# ...and then configure my Kubernetes/OpenShift clusters to use these client IDs and secrets

References

OIDC:
https://developers.google.com/identity/protocols/oauth2/openid-connect

OAuth2 for web applications:
https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow#creatingcred

We also discussed this briefly in #1287 (comment).

@danawillow
Contributor

Labeling documentation since we think this is already doable, but we could be more explicit with how.

@danawillow danawillow added this to the Near-Term Goals milestone Apr 13, 2020
@boostrack

boostrack commented Apr 14, 2020

How, #1287? @danawillow I am also looking for https://console.cloud.google.com/apis/credentials

@wilhelmi

Would like to be able to create credentials of type IOS rather than the Web Application type that gets created from the resources referenced in #1287

@Backstreets

Just to add: we would like to be able to create OAUTH2 Client Ids (Web applications), as mentioned by MPV, for the Oauth screen (brand) that's already created via Console in a GCP Project.
Thanks!

@Chupaka
Contributor

Chupaka commented Apr 15, 2020

@Backstreets

for the Oauth screen (brand) that's already created via Console in a GCP Project.

Can't you just import oauth screen to Terraform?

@Backstreets

@Chupaka, what I meant is that we (in our case) don't need to create the OAuth screen from Terraform, as it is already created in GCP. What we need is the ability to create OAuth2 clients (web applications) with Terraform that can be related to that OAuth screen.
Thanks!

@imortkz

imortkz commented Apr 16, 2020

Just want to add that it would be very helpful to have that for me too.

Ideally, it should allow creating an OAuth 2.0 client of type web application, providing both the allowed JS URI list and the redirect URI list.
I have to do it manually at the moment.

@slevenick
Collaborator

@Backstreets and @imortkz, can you elaborate on what you would like to be able to accomplish via Terraform? Specifically, whether there are APIs that provide the functionality but we haven't implemented them in Terraform. Generally you can find this by finding a series of gcloud commands that accomplish the task.

I think some of the issue here is that the APIs don't exist, which means we can't support the use case in Terraform. If this is the case it may be helpful to file tickets against the upstream APIs to add this functionality here: https://cloud.google.com/support/docs/issue-trackers

What is currently supported at the moment would be using a manually created iap_brand to create a google_iap_client (https://www.terraform.io/docs/providers/google/r/iap_client.html) that creates the client id and secret to be used within (for example) an App Engine app: https://www.terraform.io/docs/providers/google/r/app_engine_application.html#iap

@slevenick
Collaborator

slevenick commented May 27, 2020

Hm, yeah I see the issue. This step is seemingly impossible via terraform or any programmatic tool. I don't see applicable REST resources for the redirect URLs or even the type of client. The existing resources are here but only allow for setting a few fields.

I think at this point the only way to configure these fields is through the console, but I would recommend filing a feature request

@Backstreets

@slevenick

In my case this is the situation:

I'm creating an IAP-protected infra with Terraform, and for the back ends I use:

```hcl
resource "google_compute_backend_service" "my-be" {
  depends_on                      = [google_compute_instance_group.r-instance-group]
  name                            = "my-webserver-be"
  health_checks                   = [google_compute_health_check.hc-my.self_link]
  load_balancing_scheme           = "EXTERNAL"
  session_affinity                = "CLIENT_IP"
  connection_draining_timeout_sec = 300
  port_name                       = join("", ["http", var.my-port-string])

  backend {
    group = google_compute_instance_group.r-instance-group.self_link
  }

  # Client ID and secret come from a manually created OAuth2 client, passed in via variables
  iap {
    oauth2_client_id     = var.rserver-oauth2-client-id
    oauth2_client_secret = var.rserver-oauth2-secret
  }
}
```

The only way I found to be able to do this is by creating the oauth2 client by hand, including its Authorized redirect URI, and then having the oauth2_client_id email address and secret explicitly written in a var file, so I can use them in the iap block of the compute_back_end resource shown above.

I think there could be two alternatives for this: 1) being able to create the oauth2_client from Terraform, including its redirect URLs, and reference its id and secret without having to write the secret to a file (and destroy the oauth2_client when using terraform destroy), or 2) being able to reference an oauth2_client_id previously created by hand, get its secret by reference and use it in the iap block.

Does it make sense?

Thanks a lot, regards
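The create path slevenick points at above (a brand plus a google_iap_client whose id and secret feed the backend's iap block, so the secret never has to be copied into a tfvars file), as an added example; this is not code from the issue or from the provider's docs. It reuses the backend service from the post and assumes the health check, instance group and var.my-port-string defined elsewhere in that configuration, plus placeholder values for the project id, support e-mail and display names. Resource arguments used (support_email, application_title, display_name, brand, client_id, secret) are those of google_iap_brand and google_iap_client.

```hcl
# Added example, not code from the issue: create the IAP brand and client with
# Terraform and wire the client into the backend service's iap block.

provider "google" {
  project = "my-project-id" # assumption: replace with your project id
}

# The brand (OAuth consent screen) is a singleton per project. Create it once,
# centrally, or import the console-created one instead of declaring it here.
resource "google_iap_brand" "consent" {
  support_email     = "support@example.com" # assumption: must be an owner or a group you own
  application_title = "Internal webserver"
}

resource "google_iap_client" "webserver" {
  display_name = "my-webserver-iap"
  brand        = google_iap_brand.consent.name # projects/{project_number}/brands/{brand_id}
}

resource "google_compute_backend_service" "my-be" {
  name                            = "my-webserver-be"
  health_checks                   = [google_compute_health_check.hc-my.self_link]
  load_balancing_scheme           = "EXTERNAL"
  session_affinity                = "CLIENT_IP"
  connection_draining_timeout_sec = 300
  port_name                       = join("", ["http", var.my-port-string])

  backend {
    group = google_compute_instance_group.r-instance-group.self_link
  }

  # The secret is read straight from the resource, so no tfvars file holds it.
  iap {
    oauth2_client_id     = google_iap_client.webserver.client_id
    oauth2_client_secret = google_iap_client.webserver.secret
  }
}
```

Two caveats a practitioner should expect. First, the client secret is still written to the Terraform state file, so treat the state backend as holding a credential (restricted bucket, encryption, no plain-text copies in CI logs). Second, as the maintainers note in this thread, the IAP API only exposes a few fields: the client type and the authorized redirect URIs cannot be set this way, so any client that needs them still has to be finished in the console.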

@slevenick
Collaborator

Thanks for the detailed explanation. I believe #2 should be possible. If you create the oauth client by hand, and then use the iap_client resource to import it, you should be able to get the client id and secret.

Unfortunately, option 1 would require new API endpoints, as the existing ones do not allow configuring redirect URLs, so this is not an option currently.

@Backstreets

Hmm, I guess I'm having a hard time understanding how to relate the "brand" in:

$ terraform import google_iap_client.default {{brand}}/identityAwareProxyClients/{{client_id}}
$ terraform import google_iap_client.default {{brand}}/{{client_id}}

[brand - (Required) Identifier of the brand to which this client is attached to. The format is projects/{project_number}/brands/{brand_id}/identityAwareProxyClients/{client_id}.]

with the OAuth 2.0 Client I created manually in the console to use with IAP.

Can't find what would be my "brand" or how to identify the client I need to import.

@gmartinez-anchor

@Backstreets you can get the brand with:

gcloud alpha iap oauth-brands list --project=xxxx

and then you can get the client info with:

gcloud alpha iap oauth-clients list projects/xxxxxxx/brands/xxxxxxxxx

@Backstreets

@gmartinez-anchor Thanks, will give a try!

@Backstreets

Just a quick question: if I import the client that way and then do a terraform destroy of my infra, will it destroy the imported client too? I mean, will I have to recreate the client by hand every time, or will it be preserved as it was not created by TF?
Thxs!

@slevenick
Collaborator

If the client is imported it will then be managed by Terraform. You can prevent this by tagging it as prevent destroy, but that will cause any terraform run that attempts to destroy this client to fail. To get around that you could terraform rm the client before destroying, which would remove it from state, preventing the actual client from being destroyed.

It may be more useful to you as a datasource though. I would recommend filing an issue for adding a datasource for this resource

@Backstreets

Thanks a lot @slevenick , will do that.

@MajorBreakfast

I find myself also in need of this resource. My use case is fully automating our internal GitLab installation including single sign-on via Google. From the instructions at https://docs.gitlab.com/ee/integration/google.html it seems that what's missing is the functionality described by @MPV and more specifically what @imortkz describes in their comment above.

@slevenick
Collaborator

@MajorBreakfast unfortunately that is not possible in Terraform as APIs to manage many of the fields on iap_client do not exist. These changes must be done manually through the GCP console.

I do not expect APIs for managing these fields to be available in the near future, so I will add notes on the google_iap_client resource that explain that manual steps must be taken to use a client created via Terraform.

@stepan111

@slevenick and can we have a data source to reference existing resources ? I suppose it may help in cases when you create iap_client manually and then refer to it within terraform. Basically I am searching for secure way to get Client ID and Client Secret.

@MajorBreakfast

MajorBreakfast commented Jun 8, 2020

@stepan111 At the project I'm working on, we were able to create a neat automated setup for this use case and I'm quite happy with it. So, maybe this helps: We create the OAuth brand centrally at the location where we create the google cloud project. The brand is a singleton and can only be created once per project. For each use case we create a different IAP client. The lack of a data source is no problem because we don't share the IAP clients. To create the client we derive the brand id from the project number.

I realize that the discussion around a data source is off-topic ^^' Just wanting to help. Additional discussion should probably happen in a different issue, though
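The import path slevenick describes (bring the hand-made client under Terraform, guard it with prevent_destroy, and drop it from state before a destroy) combined with the brand derivation MajorBreakfast mentions (the brand id is the project number, since a project has exactly one brand), as an added example that is neither code from the issue nor from the provider. Resource and local names, the display name and the CLIENT_ID placeholder are assumptions; the import id format is the one quoted from the resource docs above.

```hcl
# Added example, not code from the issue: manage a console-created IAP client
# in Terraform without ever letting Terraform delete it.

data "google_project" "current" {}

locals {
  # IAP brand names have the form projects/{project_number}/brands/{brand_id}.
  # Only one brand exists per project and its id is the project number, so the
  # brand name can be derived without a data source for the brand itself.
  brand_name = "projects/${data.google_project.current.number}/brands/${data.google_project.current.number}"
}

resource "google_iap_client" "imported" {
  # Must equal the display name of the client in the console: display_name forces
  # replacement, so a mismatch makes `plan` propose a delete-and-create that
  # prevent_destroy will then refuse.
  display_name = "my-webserver-iap" # assumption
  brand        = local.brand_name

  lifecycle {
    prevent_destroy = true
  }
}

# Downstream resources read the id and secret by reference; nothing is copied
# into a tfvars file.
resource "google_compute_backend_service" "my-be" {
  name                  = "my-webserver-be"
  health_checks         = [google_compute_health_check.hc-my.self_link]
  load_balancing_scheme = "EXTERNAL"

  backend {
    group = google_compute_instance_group.r-instance-group.self_link
  }

  iap {
    oauth2_client_id     = google_iap_client.imported.client_id
    oauth2_client_secret = google_iap_client.imported.secret
  }
}

# One-time import. Find PROJECT_NUMBER and CLIENT_ID with the gcloud commands
# quoted earlier in the thread (gcloud alpha iap oauth-brands list /
# gcloud alpha iap oauth-clients list <brand_name>), then run:
#
#   terraform import google_iap_client.imported \
#     projects/PROJECT_NUMBER/brands/PROJECT_NUMBER/identityAwareProxyClients/CLIENT_ID
#
# Before `terraform destroy`, detach the client from state so the real client
# survives and prevent_destroy does not abort the run:
#
#   terraform state rm google_iap_client.imported
```

After the import, run `terraform plan` once and confirm it shows no changes for google_iap_client.imported; a proposed replacement means the display_name (or brand) does not match the console client. The secret is fetched from the API during import and stored in state, so the same state-protection caveat applies as for a client Terraform created itself.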

@Backstreets

@stepan111 "and can we have a data source to reference existing resources ?" This is exactly what enhancement request #6482 is about.

@slevenick
Collaborator

Closing, I added a note on this behavior to the client resource. Fully configuring the client is not possible via the API, and must be done manually.

@ghost

ghost commented Jul 23, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Jul 23, 2020