Add mode, inline cert iss & trust config to workload identity pool

Author: stevenyang72

mmv1/products/cloudrun/Service.yaml

@@ -45,6 +45,7 @@ iam_policy:
   parent_resource_attribute: 'service'
   base_url: 'v1/projects/{{project}}/locations/{{location}}/services/{{service}}'
   example_config_body: 'templates/terraform/iam/iam_attributes.go.tmpl'
+  min_version: beta
   import_format:
     - 'projects/{{project}}/locations/{{location}}/services/{{service}}'
     - '{{service}}'

mmv1/products/iambeta/WorkloadIdentityPool.yaml

@@ -19,6 +19,8 @@ description: |
 references:
   guides:
     'Managing workload identity pools': 'https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#pools'
+    'Configure managed workload identity authentication for Compute Engine': 'https://cloud.google.com/iam/docs/create-managed-workload-identities'
+    'Configure managed workload identity authentication for GKE': 'https://cloud.google.com/iam/docs/create-managed-workload-identities-gke'
   api: 'https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools'
 docs:
 base_url: 'projects/{{project}}/locations/global/workloadIdentityPools'
@@ -40,19 +42,37 @@ async:
     base_url: '{{op_id}}'
   result:
     resource_inside_response: false
+iam_policy:
+  parent_resource_attribute: 'workload_identity_pool_id'
+  method_name_separator: ':'
+  fetch_iam_policy_verb: 'POST'
+  import_format: 
+    - 'projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}'
+  min_version: beta
 custom_code:
   constants: 'templates/terraform/constants/iam_workload_identity_pool.go.tmpl'
   decoder: 'templates/terraform/decoders/treat_deleted_state_as_gone.go.tmpl'
   test_check_destroy: 'templates/terraform/custom_check_destroy/iam_workload_identity_pool.go.tmpl'
 examples:
   - name: 'iam_workload_identity_pool_basic'
     primary_resource_id: 'example'
+    primary_resource_name: 'fmt.Sprintf("tf-test-example-pool%s", context["random_suffix"])'
     vars:
       workload_identity_pool_id: 'example-pool'
-  - name: 'iam_workload_identity_pool_full'
+  - name: 'iam_workload_identity_pool_full_federation_only_mode'
     primary_resource_id: 'example'
+    primary_resource_name: 'fmt.Sprintf("tf-test-example-pool%s", context["random_suffix"])'
     vars:
       workload_identity_pool_id: 'example-pool'
+    min_version: beta
+    external_providers:
+      - "random"
+  - name: 'iam_workload_identity_pool_full_trust_domain_mode'
+    primary_resource_id: 'example'
+    primary_resource_name: 'fmt.Sprintf("tf-test-example-pool%s", context["random_suffix"])'
+    vars:
+      workload_identity_pool_id: 'example-pool'
+    min_version: beta
 parameters:
 properties:
   - name: 'workloadIdentityPoolId'
@@ -70,11 +90,11 @@ properties:
     type: Enum
     description: |
       The state of the pool.
-      * STATE_UNSPECIFIED: State unspecified.
-      * ACTIVE: The pool is active, and may be used in Google Cloud policies.
-      * DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after
+      * `STATE_UNSPECIFIED`: State unspecified.
+      * `ACTIVE`: The pool is active, and may be used in Google Cloud policies.
+      * `DELETED`: The pool is soft-deleted. Soft-deleted pools are permanently deleted after
         approximately 30 days. You can restore a soft-deleted pool using
-        UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is
+        `UndeleteWorkloadIdentityPool`. You cannot reuse the ID of a soft-deleted pool until it is
         permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or
         use existing tokens to access resources. If the pool is undeleted, existing tokens grant
         access again.
@@ -101,3 +121,155 @@ properties:
       Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use
       existing tokens to access resources. If the pool is re-enabled, existing tokens grant
       access again.
+  - name: mode
+    type: Enum
+    description: |
+      The mode for the pool is operating in.
+
+
+      ~> **Note** Altering this field requires a new `workload_identity_pool_id`. To automate 
+      `workload_identity_pool_id` changes, append a random string (numbers/lowercase letters) to the 
+      `workload_identity_pool_id` (see `FEDERATION_ONLY` mode example above).
+
+      * `MODE_UNSPECIFIED`: State unspecified. New pools should not use this mode. Pools with an
+      unspecified mode will operate as if they are in `FEDERATION_ONLY` mode.
+      * `FEDERATION_ONLY`: Pools can only be used for federating external workload identities into 
+      Google Cloud. Unless otherwise noted, no structure or format constraints are applied to 
+      workload identities in a `FEDERATION_ONLY` mode pool, and you may not create any resources 
+      within the pool besides providers.
+      * `TRUST_DOMAIN`: Pools can be used to assign identities to either external workloads or those 
+      hosted on Google Cloud. All identities within a `TRUST_DOMAIN` mode pool must consist of a 
+      single namespace and individual workload identifier. The subject identifier for all identities
+      must conform to the following import_format: 
+
+      `ns/<namespace>/sa/<workload_identifier>`
+
+      `WorkloadIdentityPoolProvider`(`google.iam.v1.WorkloadIdentityPoolProvider`)s 
+      cannot be created within `TRUST_DOMAIN` mode pools.
+    min_version: beta
+    immutable: true
+    enum_values:
+      - 'MODE_UNSPECIFIED'
+      - 'FEDERATION_ONLY'
+      - 'TRUST_DOMAIN'
+  - name: 'inlineCertificateIssuanceConfig'
+    type: NestedObject
+    description: |
+      Represents configuration for generating mutual TLS (mTLS) certificates for the identities 
+      within this pool. Defines the Certificate Authority (CA) pool resources and configurations
+      required for issuance and rotation of mTLS workload certificates.
+    min_version: beta
+    properties:
+      - name: 'caPools'
+        type: KeyValuePairs
+        description: |
+          A required mapping of a cloud region to the CA pool resource located in that region used 
+          for certificate issuance, adhering to these constraints:
+
+          * **Key format:** A supported cloud region name equivalent to the location identifier in 
+          the corresponding map entry's value.
+          * **Value format:** A valid CA pool resource path format like: 
+          `projects/{project}/locations/{location}/caPools/{ca_pool}`
+          * **Region Matching:** Workloads are ONLY issued certificates from CA pools within the 
+          same region. Also the CA pool region (in value) must match the workload's region (key).
+      - name: 'lifetime'
+        type: String
+        description: |
+          Lifetime of the workload certificates issued by the CA pool in seconds. Must be between 
+          `36000s` (10 hours) to `2592000s` (30 days), ends in the suffix "`s`" (indicating seconds) 
+          and is preceded by the number of seconds. If unspecified, this will be defaulted to 
+          `86400s` (24 hours).
+      - name: 'rotationWindowPercentage'
+        type: Integer
+        description: |
+          Rotation window percentage indicating when certificate rotation should be initiated based 
+          on remaining lifetime. Must be between 10 - 80. If unspecified, this will be defaulted to 
+          50.
+      - name: 'keyAlgorithm'
+        type: Enum
+        description: |
+          Key algorithm to use when generating the key pair. This key pair will be used to create 
+          the certificate. If unspecified, this will default to `ECDSA_P256`.
+
+          * `KEY_ALGORITHM_UNSPECIFIED`: Unspecified key algorithm. Defaults to `ECDSA_P256`.
+          * `RSA_2048`: Specifies RSA with a 2048-bit modulus.
+          * `RSA_3072`: Specifies RSA with a 3072-bit modulus.
+          * `RSA_4096`: Specifies RSA with a 4096-bit modulus.
+          * `ECDSA_P256`: Specifies ECDSA with curve P256.
+          * `ECDSA_P384`: Specifies ECDSA with curve P384.
+        enum_values:
+          - 'KEY_ALGORITHM_UNSPECIFIED'
+          - 'RSA_2048'
+          - 'RSA_3072'
+          - 'RSA_4096'
+          - 'ECDSA_P256'
+          - 'ECDSA_P384'
+  - name: 'inlineTrustConfig'
+    type: NestedObject
+    description: |
+      Represents config to add additional trusted trust domains. Defines configuration for extending 
+      trust to additional trust domains. By establishing trust with another domain, the current 
+      domain will recognize and accept certificates issued by entities within the trusted domains. 
+      Note that a trust domain automatically trusts itself, eliminating the need for explicit 
+      configuration.
+    min_version: beta
+    properties:
+      - name: 'additionalTrustBundles'
+        type: Map
+        description: |
+          Maps specific trust domains (e.g., "example.com") to their corresponding `TrustStore` 
+          objects, which contain the trusted root certificates for that domain. There can be a 
+          maximum of `10` trust domain entries in this map.
+
+          Note that a trust domain automatically trusts itself and don't need to be specified here. 
+          If however, this `WorkloadIdentityPool`'s trust domain contains any trust anchors in the 
+          `additional_trust_bundles` map, those trust anchors will be *appended to* the Trust Bundle
+          automatically derived from your `InlineCertificateIssuanceConfig`'s `ca_pools`.
+        key_name: trust_domain
+        key_description: |
+          The trusted trust domains (e.g., "example.com") to be extended trust to additional trust 
+          domains to.
+        value_type:
+          name: trustStore
+          type: NestedObject
+          description: |
+            Trust store that contains trust anchors and optional intermediate CAs used in PKI to 
+            build trust chain and verify client's identity.
+          properties:
+            - name: 'trustAnchors'
+              type: Array
+              description: |
+                List of Trust Anchors to be used while performing validation against a given 
+                `TrustStore`. The incoming end entity's certificate must be chained up to one of the 
+                trust anchors here.
+              required: true
+              item_type:
+                type: NestedObject
+                description: |
+                  Represents a root of trust.
+                properties:
+                  - name: 'pemCertificate'
+                    type: String
+                    description: |
+                      PEM certificate of the PKI used for validation. Must only contain one ca 
+                      certificate(either root or intermediate cert).
+                    required: true
+            - name: 'intermediateCas'
+              type: Array
+              description: |
+                Set of intermediate CA certificates used for building the trust chain to trust 
+                anchor.
+
+
+                ~> **Note** Intermediate CAs are only supported when configuring X.509 federation.
+              item_type:
+                type: NestedObject
+                description: |
+                  Intermediate CA certificates used for building the trust chain to trust anchor.
+                properties:
+                  - name: 'pemCertificate'
+                    type: String
+                    description: |
+                      PEM certificate of the PKI used for validation. Must only contain one ca 
+                      certificate.
+                    required: true

mmv1/templates/terraform/examples/iam_workload_identity_pool_full.tf.tmpl

@@ -0,0 +1,15 @@
+resource "random_string" "pool_id_suffix" {
+  length  = 2
+  upper   = false
+  special = false
+}
+
+resource "google_iam_workload_identity_pool" "{{$.PrimaryResourceId}}" {
+  provider = google-beta
+
+  workload_identity_pool_id = "{{index $.Vars "workload_identity_pool_id"}}${random_string.pool_id_suffix.result}"
+  display_name              = "Name of the pool"
+  description               = "Identity pool operates in FEDERATION_ONLY mode"
+  disabled                  = true
+  mode                      = "FEDERATION_ONLY"
+}

mmv1/templates/terraform/examples/iam_workload_identity_pool_full_federation_only_mode.tf.tmpl

@@ -0,0 +1,38 @@
+resource "google_iam_workload_identity_pool" "{{$.PrimaryResourceId}}" {
+  provider = google-beta
+
+  workload_identity_pool_id = "{{index $.Vars "workload_identity_pool_id"}}"
+  display_name              = "Name of the pool"
+  description               = "Identity pool operates in TRUST_DOMAIN mode"
+  disabled                  = true
+  mode                      = "TRUST_DOMAIN"
+  inline_certificate_issuance_config {
+    ca_pools = {      
+      "us-central1" : "projects/project-bar/locations/us-central1/caPools/ca-pool-bar"
+      "asia-east2" : "projects/project-foo/locations/asia-east2/caPools/ca-pool-foo"
+    }
+    lifetime                   = "86400s"
+    rotation_window_percentage = 50
+    key_algorithm              = "ECDSA_P256"
+  }
+  inline_trust_config {
+    additional_trust_bundles {
+      trust_domain = "ca-pool-foo.global.project-foo.workload.id.goog"
+      trust_anchors {
+        pem_certificate = file("test-fixtures/trust_anchor_1.pem")
+      }
+      trust_anchors {
+        pem_certificate = file("test-fixtures/trust_anchor_2.pem")
+      }
+    }
+    additional_trust_bundles {
+      trust_domain = "ca-pool-bar.global.project-bar.workload.id.goog"
+      trust_anchors {
+        pem_certificate = file("test-fixtures/trust_anchor_3.pem")
+      }
+      trust_anchors {
+        pem_certificate = file("test-fixtures/trust_anchor_4.pem")
+      }
+    }
+  }
+}