Add workload identity pool managed identity. (GoogleCloudPlatform#14048)

Author: stevenyang72

mmv1/products/iambeta/WorkloadIdentityPoolManagedIdentity.yaml

@@ -0,0 +1,115 @@
+# Copyright 2025 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: 'WorkloadIdentityPoolManagedIdentity'
+description: |
+  Represents a managed identity for a workload identity pool namespace.
+references:
+  guides:
+    'Configure managed workload identity authentication for Compute Engine': 'https://cloud.google.com/iam/docs/create-managed-workload-identities'
+    'Configure managed workload identity authentication for GKE': 'https://cloud.google.com/iam/docs/create-managed-workload-identities-gke'
+  api: 'https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.namespaces.managedIdentities'
+min_version: beta
+base_url: 'projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}/managedIdentities'
+self_link: 'projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}/managedIdentities/{{workload_identity_pool_managed_identity_id}}'
+create_url: 'projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}/managedIdentities?workloadIdentityPoolManagedIdentityId={{workload_identity_pool_managed_identity_id}}'
+update_verb: 'PATCH'
+update_mask: true
+import_format:
+  - 'projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/namespaces/{{workload_identity_pool_namespace_id}}/managedIdentities/{{workload_identity_pool_managed_identity_id}}'
+autogen_async: true
+custom_code:
+  constants: 'templates/terraform/constants/iam_workload_identity_pool_managed_identity.go.tmpl'
+  decoder: 'templates/terraform/decoders/treat_deleted_state_as_gone.go.tmpl'
+  test_check_destroy: 'templates/terraform/custom_check_destroy/iam_workload_identity_pool_managed_identity.go.tmpl'
+examples:
+  - name: 'iam_workload_identity_pool_managed_identity_basic'
+    primary_resource_id: 'example'
+    vars:
+      workload_identity_pool_id: 'example-pool'
+      workload_identity_pool_namespace_id: 'example-namespace'
+      workload_identity_pool_managed_identity_id: 'example-managed-identity'
+  - name: 'iam_workload_identity_pool_managed_identity_full'
+    primary_resource_id: 'example'
+    vars:
+      workload_identity_pool_id: 'example-pool'
+      workload_identity_pool_namespace_id: 'example-namespace'
+      workload_identity_pool_managed_identity_id: 'example-managed-identity'
+parameters:
+  - name: 'workload_identity_pool_id'
+    type: String
+    required: true
+    immutable: true
+    url_param_only: true
+    description: |
+      The ID to use for the pool, which becomes the final component of the resource name. This
+      value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
+      `gcp-` is reserved for use by Google, and may not be specified.
+  - name: 'workload_identity_pool_namespace_id'
+    type: String
+    required: true
+    immutable: true
+    url_param_only: true
+    description: |
+      The ID to use for the namespace. This value must:
+      * contain at most 63 characters
+      * contain only lowercase alphanumeric characters or `-`
+      * start with an alphanumeric character
+      * end with an alphanumeric character
+
+
+      The prefix `gcp-` will be reserved for future uses.
+  - name: 'workload_identity_pool_managed_identity_id'
+    type: String
+    required: true
+    immutable: true
+    url_param_only: true
+    description: |
+      The ID to use for the managed identity. This value must:
+      * contain at most 63 characters
+      * contain only lowercase alphanumeric characters or `-`
+      * start with an alphanumeric character
+      * end with an alphanumeric character
+
+
+      The prefix `gcp-` will be reserved for future uses.
+properties:
+  - name: 'name'
+    type: String
+    description: |
+      The resource name of the managed identity as
+      `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/namespaces/{workload_identity_pool_namespace_id}/managedIdentities/{workload_identity_pool_managed_identity_id}`.
+    output: true
+  - name: 'description'
+    type: String
+    description: |
+      A description of the managed identity. Cannot exceed 256 characters.
+  - name: 'state'
+    type: Enum
+    description: |
+      The current state of the managed identity.
+      * `ACTIVE`: The managed identity is active.
+      * `DELETED`: The managed identity is soft-deleted. Soft-deleted managed identities are
+      permanently deleted after approximately 30 days. You can restore a soft-deleted managed
+      identity using UndeleteWorkloadIdentityPoolManagedIdentity. You cannot reuse the ID of a
+      soft-deleted managed identity until it is permanently deleted.
+    output: true
+    enum_values:
+      - 'ACTIVE'
+      - 'DELETED'
+  - name: 'disabled'
+    type: Boolean
+    description: |
+      Whether the managed identity is disabled. If disabled, credentials may no longer be issued for
+      the identity, however existing credentials will still be accepted until they expire.

mmv1/templates/terraform/constants/iam_workload_identity_pool_managed_identity.go.tmpl

@@ -0,0 +1,44 @@
+const workloadIdentityPoolManagedIdentityIdRegexp = `^[0-9a-z-]+$`
+
+func ValidateWorkloadIdentityPoolManagedIdentityId(v interface{}, k string) (ws []string, errors []error) {
+	value := v.(string)
+
+	if !regexp.MustCompile(workloadIdentityPoolManagedIdentityIdRegexp).MatchString(value) {
+		errors = append(errors, fmt.Errorf(
+			"%q must contain only lowercase letters (a-z), numbers (0-9), or dashes (-)", k))
+	}
+
+	if len(value) < 2 {
+		errors = append(errors, fmt.Errorf(
+			"%q cannot be less than 2 characters", k))
+		return
+	}
+
+	if len(value) > 63 {
+		errors = append(errors, fmt.Errorf(
+			"%q cannot be greater than 63 characters", k))
+	}
+
+	isLowerAlphaNumeric := func(r byte) bool {
+		return (r >= '0' && r <= '9') || (r >= 'a' && r <= 'z')
+	}
+
+	firstChar := value[0]
+	if !isLowerAlphaNumeric(firstChar) {
+		errors = append(errors, fmt.Errorf(
+			"%q must start with an alphanumeric character", k))
+	}
+	
+	lastChar := value[len(value) - 1]
+	if !isLowerAlphaNumeric(lastChar) {
+		errors = append(errors, fmt.Errorf(
+			"%q must end with an alphanumeric character", k))
+	}
+
+	if strings.HasPrefix(value, "gcp-") {
+		errors = append(errors, fmt.Errorf(
+			"%q (%q) can not start with \"gcp-\"", k, value))
+	}
+
+	return
+}

mmv1/templates/terraform/custom_check_destroy/iam_workload_identity_pool_managed_identity.go.tmpl

@@ -0,0 +1,22 @@
+config := acctest.GoogleProviderConfig(t)
+
+url, err := tpgresource.ReplaceVarsForTest(config, rs, "{{"{{"}}IAMBetaBasePath{{"}}"}}projects/{{"{{"}}project{{"}}"}}/locations/global/workloadIdentityPools/{{"{{"}}workload_identity_pool_id{{"}}"}}/namespaces/{{"{{"}}workload_identity_pool_namespace_id{{"}}"}}/managedIdentities/{{"{{"}}workload_identity_pool_managed_identity_id{{"}}"}}")
+if err != nil {
+  return err
+}
+
+res, err := transport_tpg.SendRequest(transport_tpg.SendRequestOptions{
+	Config: config,
+	Method: "GET",
+	RawURL: url,
+	UserAgent: config.UserAgent,
+})
+if err != nil {
+  return nil
+}
+
+if v := res["state"]; v == "DELETED" {
+	return nil
+}
+
+return fmt.Errorf("IAMBetaWorkloadIdentityPoolManagedIdentity still exists at %s", url)

mmv1/templates/terraform/examples/iam_workload_identity_pool_managed_identity_basic.tf.tmpl

@@ -0,0 +1,21 @@
+resource "google_iam_workload_identity_pool" "pool" {
+  provider = google-beta
+
+  workload_identity_pool_id = "{{index $.Vars "workload_identity_pool_id"}}"
+  mode                      = "TRUST_DOMAIN"
+}
+
+resource "google_iam_workload_identity_pool_namespace" "ns" {
+  provider = google-beta
+
+  workload_identity_pool_id           = google_iam_workload_identity_pool.pool.workload_identity_pool_id
+  workload_identity_pool_namespace_id = "{{index $.Vars "workload_identity_pool_namespace_id"}}"
+}
+
+resource "google_iam_workload_identity_pool_managed_identity" "{{$.PrimaryResourceId}}" {
+  provider = google-beta
+
+  workload_identity_pool_id                  = google_iam_workload_identity_pool.pool.workload_identity_pool_id
+  workload_identity_pool_namespace_id        = google_iam_workload_identity_pool_namespace.ns.workload_identity_pool_namespace_id
+  workload_identity_pool_managed_identity_id = "{{index $.Vars "workload_identity_pool_managed_identity_id"}}"
+}

mmv1/templates/terraform/examples/iam_workload_identity_pool_managed_identity_full.tf.tmpl

@@ -0,0 +1,23 @@
+resource "google_iam_workload_identity_pool" "pool" {
+  provider = google-beta
+
+  workload_identity_pool_id = "{{index $.Vars "workload_identity_pool_id"}}"
+  mode                      = "TRUST_DOMAIN"
+}
+
+resource "google_iam_workload_identity_pool_namespace" "ns" {
+  provider = google-beta
+
+  workload_identity_pool_id           = google_iam_workload_identity_pool.pool.workload_identity_pool_id
+  workload_identity_pool_namespace_id = "{{index $.Vars "workload_identity_pool_namespace_id"}}"
+}
+
+resource "google_iam_workload_identity_pool_managed_identity" "{{$.PrimaryResourceId}}" {
+  provider = google-beta
+
+  workload_identity_pool_id                  = google_iam_workload_identity_pool.pool.workload_identity_pool_id
+  workload_identity_pool_namespace_id        = google_iam_workload_identity_pool_namespace.ns.workload_identity_pool_namespace_id
+  workload_identity_pool_managed_identity_id = "{{index $.Vars "workload_identity_pool_managed_identity_id"}}"
+  description                                = "Example Managed Identity in a Workload Identity Pool Namespace"
+  disabled                                   = true
+}