add scim tenant resource (#15299)

vishakhamodi-google · web-flow · commit 36d6926ec755 · 2025-10-03T18:07:59.000Z
diff --git a/mmv1/products/iamworkforcepool/WorkforcePoolProviderScimTenant.yaml b/mmv1/products/iamworkforcepool/WorkforcePoolProviderScimTenant.yaml
@@ -0,0 +1,114 @@
+# Copyright 2025 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: 'WorkforcePoolProviderScimTenant'
+description: |
+  Represents a SCIM tenant configuration for a Workforce Pool Provider.
+  The SCIM tenant configuration allows for the synchronization of user/group identities from external identity provider into Google Cloud using the System for Cross-domain Identity Management (SCIM) protocol.
+references:
+  guides:
+    'QUICKSTART_TITLE': 'https://cloud.google.com/iam/docs/workforce-sign-in-microsoft-entra-id-scalable-groups?group_type=extended#extended-attributes'
+  api: 'https://cloud.google.com/sdk/gcloud/reference/iam/workforce-pools/providers/scim-tenants'
+base_url: 'locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}/scimTenants'
+self_link: 'locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}/scimTenants/{{scim_tenant_id}}'
+create_url: 'locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}/scimTenants?workforcePoolProviderScimTenantId={{scim_tenant_id}}'
+
+import_format:
+  - 'locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}/scimTenants/{{scim_tenant_id}}'
+update_verb: 'PATCH'
+update_mask: true
+timeouts:
+  insert_minutes: 20
+  delete_minutes: 20
+custom_code:
+  decoder: 'templates/terraform/decoders/treat_deleted_state_as_gone.go.tmpl'
+  post_create: 'templates/terraform/post_create/sleep.go.tmpl'
+  post_update: 'templates/terraform/post_create/sleep.go.tmpl'
+examples:
+  - name: 'iam_workforce_pool_provider_scim_tenant_basic'
+    primary_resource_id: "example"
+    vars:
+      workforce_pool_id: 'example-pool'
+      provider_id: 'example-prvdr'
+      scim_tenant_id: 'example-scim-tenant'
+    test_env_vars:
+      org_id: 'ORG_ID'
+properties:
+  - name: 'name'
+    type: String
+    description: |
+      Identifier. The resource name of the scim tenant.
+      Format: `locations/{location}/workforcePools/{workforce_pool}/providers/{workforce_pool_provider}/scimTenants/{scim_tenant_id}
+    output: true
+  - name: 'displayName'
+    type: String
+    description:
+      A user-specified display name for the scim tenant. Cannot exceed 32
+      characters.
+  - name: 'description'
+    type: String
+    description:
+      A user-specified description of the provider. Cannot exceed 256
+      characters.
+  - name: 'state'
+    type: Enum
+    output: true
+    description: |
+      The current state of the scim tenant.
+      * STATE_UNSPECIFIED: State unspecified.
+      * ACTIVE: The scim tenant is active and may be used to validate authentication credentials.
+      * DELETED: The scim tenant is soft-deleted. Soft-deleted scim tenants are permanently
+        deleted after approximately 30 days.
+    enum_values:
+      - 'STATE_UNSPECIFIED'
+      - 'ACTIVE'
+      - 'DELETED'
+  - name: 'baseURI'
+    type: String
+    description: |
+      Represents the base URI as defined in [RFC 7644, Section
+      1.3](https://datatracker.ietf.org/doc/html/rfc7644#section-1.3). Clients
+      must use this as the root address for managing resources under the tenant.
+      Format:
+      https://iamscim.googleapis.com/{version}/{tenant_id}/
+    output: true
+parameters:
+  - name: 'location'
+    type: String
+    description: |
+      The location for the resource.
+    url_param_only: true
+    required: true
+    immutable: true
+  - name: 'workforcePoolId'
+    type: String
+    description: |
+      The ID of the workforce pool.
+    url_param_only: true
+    required: true
+    immutable: true
+  - name: 'ProviderId'
+    type: String
+    description: |
+      The ID of the provider.
+    url_param_only: true
+    required: true
+    immutable: true
+  - name: 'scimTenantId'
+    type: String
+    description: |
+      The ID to use for the SCIM tenant, which becomes the final component of the resource name. This value must be 4-32 characters, and may contain the characters [a-z0-9-].
+    url_param_only: true
+    required: true
+    immutable: true
diff --git a/mmv1/templates/terraform/examples/iam_workforce_pool_provider_scim_tenant_basic.tf.tmpl b/mmv1/templates/terraform/examples/iam_workforce_pool_provider_scim_tenant_basic.tf.tmpl
@@ -0,0 +1,44 @@
+resource "google_iam_workforce_pool" "pool" {
+  workforce_pool_id = "{{index $.Vars "workforce_pool_id"}}"
+  parent            = "organizations/{{index $.TestEnvVars "org_id"}}"
+  location          = "global"
+}
+
+resource "google_iam_workforce_pool_provider" "provider" {
+    location = "global"
+    workforce_pool_id = google_iam_workforce_pool.pool.workforce_pool_id
+    provider_id = "{{index $.Vars "provider_id"}}"
+    attribute_mapping   = {
+    "google.subject"  = "assertion.sub"
+    }
+    oidc {
+      issuer_uri        = "https://accounts.thirdparty.com"
+      client_id         = "client-id"
+      client_secret {
+        value {
+          plain_text = "client-secret"
+        }
+      }
+      web_sso_config {
+        response_type             = "CODE"
+        assertion_claims_behavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"
+        additional_scopes         = ["groups", "roles"]
+      }
+    }
+    display_name        = "Display name"
+    description         = "A sample OIDC workforce pool provider."
+    disabled            = false
+    attribute_condition = "true"
+}
+
+resource "google_iam_workforce_pool_provider_scim_tenant" "{{$.PrimaryResourceId}}" {
+  location            = "global"
+  workforce_pool_id   = google_iam_workforce_pool.pool.workforce_pool_id
+  provider_id         = google_iam_workforce_pool_provider.provider.provider_id
+  scim_tenant_id      = "example-scim-tenant"
+  display_name        = "Example SCIM Tenant"
+  description         = "A basic SCIM tenant for IAM Workforce Pool Provider"
+  # state is output only, not settable
+}
+
+  
diff --git a/mmv1/third_party/terraform/services/iamworkforcepool/resource_iam_workforce_pool_provider_scim_tenant_test.go b/mmv1/third_party/terraform/services/iamworkforcepool/resource_iam_workforce_pool_provider_scim_tenant_test.go
@@ -0,0 +1,140 @@
+package iamworkforcepool_test
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+	"github.com/hashicorp/terraform-provider-google/google/envvar"
+)
+
+func TestAccIAMWorkforcePoolWorkforcePoolProviderScimTenant_update(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"org_id":        envvar.GetTestOrgFromEnv(t),
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckIAMWorkforcePoolWorkforcePoolProviderScimTenantDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccIAMWorkforcePoolWorkforcePoolProviderScimTenant_full(context),
+			},
+			{
+				ResourceName:            "google_iam_workforce_pool_provider_scim_tenant.scim_tenant",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"state"},
+			},
+			{
+				Config: testAccIAMWorkforcePoolWorkforcePoolProviderScimTenant_update(context),
+			},
+			{
+				ResourceName:            "google_iam_workforce_pool_provider_scim_tenant.scim_tenant",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"state"},
+			},
+		},
+	})
+}
+
+func testAccIAMWorkforcePoolWorkforcePoolProviderScimTenant_full(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_iam_workforce_pool" "pool" {
+  workforce_pool_id = "tf-test-example-pool%{random_suffix}"
+  parent            = "organizations/%{org_id}"
+  location          = "global"
+}
+
+resource "google_iam_workforce_pool_provider" "provider" {
+  workforce_pool_id = google_iam_workforce_pool.pool.workforce_pool_id
+  location          = "global"
+  provider_id       = "tf-test-provider-%{random_suffix}"
+  attribute_mapping = {
+    "google.subject" = "assertion.sub"
+  }
+  oidc {
+    issuer_uri = "https://accounts.thirdparty.com"
+    client_id  = "client-id"
+    client_secret {
+      value {
+        plain_text = "client-secret"
+      }
+    }
+    web_sso_config {
+      response_type             = "CODE"
+      assertion_claims_behavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"
+      additional_scopes         = ["groups", "roles"]
+    }
+  }
+  display_name        = "Display name"
+  description         = "A sample OIDC workforce pool provider."
+  disabled            = false
+  attribute_condition = "true"
+}
+
+resource "google_iam_workforce_pool_provider_scim_tenant" "scim_tenant" {
+  location          = "global"
+  workforce_pool_id = google_iam_workforce_pool.pool.workforce_pool_id
+  provider_id       = google_iam_workforce_pool_provider.provider.provider_id
+  scim_tenant_id    = "example-scim-tenant"
+  display_name      = "Example SCIM Tenant"
+  description       = "A basic SCIM tenant for IAM Workforce Pool Provider"
+  # state is output only, not settable
+}
+
+`, context)
+}
+
+func testAccIAMWorkforcePoolWorkforcePoolProviderScimTenant_update(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_iam_workforce_pool" "pool" {
+  workforce_pool_id = "tf-test-example-pool%{random_suffix}"
+  parent            = "organizations/%{org_id}"
+  location          = "global"
+}
+
+resource "google_iam_workforce_pool_provider" "provider" {
+  workforce_pool_id = google_iam_workforce_pool.pool.workforce_pool_id
+  location          = "global"
+  provider_id       = "tf-test-provider-%{random_suffix}"
+  attribute_mapping = {
+    "google.subject" = "assertion.sub"
+  }
+  oidc {
+    issuer_uri = "https://accounts.thirdparty.com"
+    client_id  = "client-id"
+    client_secret {
+      value {
+        plain_text = "client-secret"
+      }
+    }
+    web_sso_config {
+      response_type             = "CODE"
+      assertion_claims_behavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"
+      additional_scopes         = ["groups", "roles"]
+    }
+  }
+  display_name        = "Display name"
+  description         = "A sample OIDC workforce pool provider."
+  disabled            = false
+  attribute_condition = "true"
+}
+
+resource "google_iam_workforce_pool_provider_scim_tenant" "scim_tenant" {
+  location          = "global"
+  workforce_pool_id = google_iam_workforce_pool.pool.workforce_pool_id
+  provider_id       = google_iam_workforce_pool_provider.provider.provider_id
+  scim_tenant_id    = "example-scim-tenant"
+  display_name      = "Example SCIM Tenant - Updated"
+  description       = "A basic SCIM tenant for IAM Workforce Pool Provider - Updated"
+  # state is output only, not settable
+}
+`, context)
+}
