@@ -19,6 +19,8 @@ description: |
1919references :
2020 guides :
2121 ' Managing workload identity pools ' : ' https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#pools'
22+ ' Configure managed workload identity authentication for Compute Engine ' : ' https://cloud.google.com/iam/docs/create-managed-workload-identities'
23+ ' Configure managed workload identity authentication for GKE ' : ' https://cloud.google.com/iam/docs/create-managed-workload-identities-gke'
2224 api : ' https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools'
2325docs :
2426base_url : ' projects/{{project}}/locations/global/workloadIdentityPools'
@@ -40,19 +42,43 @@ async:
4042 base_url : ' {{op_id}}'
4143 result :
4244 resource_inside_response : false
45+ iam_policy :
46+ parent_resource_attribute : ' workload_identity_pool_id'
47+ method_name_separator : ' :'
48+ fetch_iam_policy_verb : ' POST'
49+ import_format :
50+ - ' projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}'
51+ - ' {{workload_identity_pool_id}}'
52+ allowed_iam_role : ' roles/iam.workloadIdentityPoolViewer'
53+ iam_conditions_request_type : ' REQUEST_BODY'
54+ min_version : beta
4355custom_code :
4456 constants : ' templates/terraform/constants/iam_workload_identity_pool.go.tmpl'
4557 decoder : ' templates/terraform/decoders/treat_deleted_state_as_gone.go.tmpl'
4658 test_check_destroy : ' templates/terraform/custom_check_destroy/iam_workload_identity_pool.go.tmpl'
4759examples :
4860 - name : ' iam_workload_identity_pool_basic'
4961 primary_resource_id : ' example'
62+ primary_resource_name :
63+ ' fmt.Sprintf("tf-test-example-pool%s", context["random_suffix"])'
5064 vars :
5165 workload_identity_pool_id : ' example-pool'
52- - name : ' iam_workload_identity_pool_full '
66+ - name : ' iam_workload_identity_pool_full_federation_only_mode '
5367 primary_resource_id : ' example'
68+ primary_resource_name :
69+ ' fmt.Sprintf("tf-test-example-pool%s", context["random_suffix"])'
5470 vars :
5571 workload_identity_pool_id : ' example-pool'
72+ min_version : beta
73+ external_providers :
74+ - ' random'
75+ - name : ' iam_workload_identity_pool_full_trust_domain_mode'
76+ primary_resource_id : ' example'
77+ primary_resource_name :
78+ ' fmt.Sprintf("tf-test-example-pool%s", context["random_suffix"])'
79+ vars :
80+ workload_identity_pool_id : ' example-pool'
81+ min_version : beta
5682parameters :
5783properties :
5884 - name : ' workloadIdentityPoolId'
@@ -70,11 +96,11 @@ properties:
7096 type : Enum
7197 description : |
7298 The state of the pool.
73- * STATE_UNSPECIFIED: State unspecified.
74- * ACTIVE: The pool is active, and may be used in Google Cloud policies.
75- * DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after
99+ * ` STATE_UNSPECIFIED` : State unspecified.
100+ * ` ACTIVE` : The pool is active, and may be used in Google Cloud policies.
101+ * ` DELETED` : The pool is soft-deleted. Soft-deleted pools are permanently deleted after
76102 approximately 30 days. You can restore a soft-deleted pool using
77- UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is
103+ ` UndeleteWorkloadIdentityPool` . You cannot reuse the ID of a soft-deleted pool until it is
78104 permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or
79105 use existing tokens to access resources. If the pool is undeleted, existing tokens grant
80106 access again.
@@ -101,3 +127,133 @@ properties:
101127 Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use
102128 existing tokens to access resources. If the pool is re-enabled, existing tokens grant
103129 access again.
130+ - name : mode
131+ type : Enum
132+ description : |
133+ The mode for the pool is operating in. Pools with an unspecified mode will operate as if they
134+ are in `FEDERATION_ONLY` mode.
135+
136+
137+ ~> **Note** This field cannot be changed after the Workload Identity Pool is created. While
138+ `terraform plan` may show an update if you change this field's value, `terraform apply`
139+ **will fail with an API error** (such as `Error 400: Attempted to update an immutable field.`).
140+ To specify a different `mode`, please create a new Workload Identity Pool resource.
141+
142+ * `FEDERATION_ONLY`: Pools can only be used for federating external workload identities into
143+ Google Cloud. Unless otherwise noted, no structure or format constraints are applied to
144+ workload identities in a `FEDERATION_ONLY` mode pool, and you may not create any resources
145+ within the pool besides providers.
146+ * `TRUST_DOMAIN`: Pools can be used to assign identities to Google Cloud workloads. All
147+ identities within a `TRUST_DOMAIN` mode pool must consist of a single namespace and individual
148+ workload identifier. The subject identifier for all identities must conform to the following
149+ format: `ns/<namespace>/sa/<workload_identifier>`.
150+ `google_iam_workload_identity_pool_provider`s cannot be created within `TRUST_DOMAIN`
151+ mode pools.
152+ min_version : beta
153+ enum_values :
154+ - ' FEDERATION_ONLY'
155+ - ' TRUST_DOMAIN'
156+ - name : ' inlineCertificateIssuanceConfig'
157+ type : NestedObject
158+ description : |
159+ Represents configuration for generating mutual TLS (mTLS) certificates for the identities
160+ within this pool. Defines the Certificate Authority (CA) pool resources and configurations
161+ required for issuance and rotation of mTLS workload certificates.
162+ min_version : beta
163+ properties :
164+ - name : ' caPools'
165+ type : KeyValuePairs
166+ description : |
167+ A required mapping of a cloud region to the CA pool resource located in that region used
168+ for certificate issuance, adhering to these constraints:
169+
170+ * **Key format:** A supported cloud region name equivalent to the location identifier in
171+ the corresponding map entry's value.
172+ * **Value format:** A valid CA pool resource path format like:
173+ `projects/{project}/locations/{location}/caPools/{ca_pool}`
174+ * **Region Matching:** Workloads are ONLY issued certificates from CA pools within the
175+ same region. Also the CA pool region (in value) must match the workload's region (key).
176+ required : true
177+ - name : ' lifetime'
178+ type : String
179+ description : |
180+ Lifetime of the workload certificates issued by the CA pool in seconds. Must be between
181+ `86400s` (24 hours) to `2592000s` (30 days), ends in the suffix "`s`" (indicating seconds)
182+ and is preceded by the number of seconds. If unspecified, this will be defaulted to
183+ `86400s` (24 hours).
184+ default_from_api : true
185+ - name : ' rotationWindowPercentage'
186+ type : Integer
187+ description : |
188+ Rotation window percentage indicating when certificate rotation should be initiated based
189+ on remaining lifetime. Must be between `50` - `80`. If unspecified, this will be defaulted
190+ to `50`.
191+ default_from_api : true
192+ - name : ' keyAlgorithm'
193+ type : Enum
194+ description : |
195+ Key algorithm to use when generating the key pair. This key pair will be used to create
196+ the certificate. If unspecified, this will default to `ECDSA_P256`.
197+
198+ * `RSA_2048`: Specifies RSA with a 2048-bit modulus.
199+ * `RSA_3072`: Specifies RSA with a 3072-bit modulus.
200+ * `RSA_4096`: Specifies RSA with a 4096-bit modulus.
201+ * `ECDSA_P256`: Specifies ECDSA with curve P256.
202+ * `ECDSA_P384`: Specifies ECDSA with curve P384.
203+ default_from_api : true
204+ enum_values :
205+ - ' RSA_2048'
206+ - ' RSA_3072'
207+ - ' RSA_4096'
208+ - ' ECDSA_P256'
209+ - ' ECDSA_P384'
210+ - name : ' inlineTrustConfig'
211+ type : NestedObject
212+ description : |
213+ Represents config to add additional trusted trust domains. Defines configuration for extending
214+ trust to additional trust domains. By establishing trust with another domain, the current
215+ domain will recognize and accept certificates issued by entities within the trusted domains.
216+ Note that a trust domain automatically trusts itself, eliminating the need for explicit
217+ configuration.
218+ min_version : beta
219+ properties :
220+ - name : ' additionalTrustBundles'
221+ type : Map
222+ description : |
223+ Maps specific trust domains (e.g., "example.com") to their corresponding `TrustStore`
224+ objects, which contain the trusted root certificates for that domain. There can be a
225+ maximum of `10` trust domain entries in this map.
226+
227+ Note that a trust domain automatically trusts itself and don't need to be specified here.
228+ If however, this `WorkloadIdentityPool`'s trust domain contains any trust anchors in the
229+ `additional_trust_bundles` map, those trust anchors will be *appended to* the Trust Bundle
230+ automatically derived from your `InlineCertificateIssuanceConfig`'s `ca_pools`.
231+ key_name : trust_domain
232+ key_description : |
233+ The trusted trust domains (e.g., "example.com") to be extended trust to additional trust
234+ domains to.
235+ value_type :
236+ name : trustStore
237+ type : NestedObject
238+ description : |
239+ Trust store that contains trust anchors and optional intermediate CAs used in PKI to
240+ build trust chain and verify client's identity.
241+ properties :
242+ - name : ' trustAnchors'
243+ type : Array
244+ description : |
245+ List of Trust Anchors to be used while performing validation against a given
246+ `TrustStore`. The incoming end entity's certificate must be chained up to one of the
247+ trust anchors here.
248+ required : true
249+ item_type :
250+ type : NestedObject
251+ description : |
252+ Represents a root of trust.
253+ properties :
254+ - name : ' pemCertificate'
255+ type : String
256+ description : |
257+ PEM certificate of the PKI used for validation. Must only contain one ca
258+ certificate(either root or intermediate cert).
259+ required : true
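Review bot: Several of the new description strings carry wording defects that render verbatim into the generated provider docs: the `mode` description opens with `The mode for the pool is operating in`, the `lifetime` description says `Must be between \`86400s\` (24 hours) to \`2592000s\` (30 days)`, and the `additionalTrustBundles` description says `a trust domain automatically trusts itself and don't need to be specified here`. Suggested wording: `The mode the pool is operating in. Pools with an unspecified mode operate as if they are in \`FEDERATION_ONLY\` mode.`, `Must be between \`86400s\` (24 hours) and \`2592000s\` (30 days)`, and `a trust domain automatically trusts itself and does not need to be specified here`. The two consecutive blank lines inside the `mode` block scalar also pass through to the rendered text; one is enough. Separately, the bounds on `lifetime` (86400s–2592000s) and `rotationWindowPercentage` (50–80) are stated only in prose, so an out-of-range certificate lifetime or rotation window is rejected by the API at apply time rather than at plan time; if this resource schema supports a field-level validation hook, enforcing those ranges client-side would give users the error before any mTLS issuance config is submitted.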