Terraform changes for SCIM Token API (#15727)

Co-authored-by: Stephen Lewis (Burrows) <[email protected]>

Author: jaideoka

mmv1/products/iamworkforcepool/WorkforcePoolProviderScimTenant.yaml

@@ -18,8 +18,8 @@ description: |
   The SCIM tenant configuration allows for the synchronization of user/group identities from external identity provider into Google Cloud using the System for Cross-domain Identity Management (SCIM) protocol.
 references:
   guides:
-    'QUICKSTART_TITLE': 'https://cloud.google.com/iam/docs/workforce-sign-in-microsoft-entra-id-scalable-groups?group_type=extended#extended-attributes'
-  api: 'https://cloud.google.com/sdk/gcloud/reference/iam/workforce-pools/providers/scim-tenants'
+    'Configure a SCIM Tenant': 'https://cloud.google.com/iam/docs/workforce-sign-in-microsoft-entra-id-scalable-groups?group_type=extended#extended-attributes'
+  api: 'https://docs.cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools.providers.scimTenants'
 base_url: 'locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}/scimTenants'
 self_link: 'locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}/scimTenants/{{scim_tenant_id}}'
 create_url: 'locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}/scimTenants?workforcePoolProviderScimTenantId={{scim_tenant_id}}'
@@ -66,15 +66,14 @@ properties:
     output: true
     description: |
       The current state of the scim tenant.
-      * STATE_UNSPECIFIED: State unspecified.
       * ACTIVE: The scim tenant is active and may be used to validate authentication credentials.
       * DELETED: The scim tenant is soft-deleted. Soft-deleted scim tenants are permanently
         deleted after approximately 30 days.
     enum_values:
       - 'STATE_UNSPECIFIED'
       - 'ACTIVE'
       - 'DELETED'
-  - name: 'baseURI'
+  - name: 'baseUri'
     type: String
     description: |
       Represents the base URI as defined in [RFC 7644, Section
@@ -83,6 +82,19 @@ properties:
       Format:
       https://iamscim.googleapis.com/{version}/{tenant_id}/
     output: true
+  - name: 'claimMapping'
+    type: KeyValuePairs
+    description: Maps BYOID claims to SCIM claims. This is a required field for new SCIM Tenants being created.
+  - name: 'purgeTime'
+    type: Time
+    description: The timestamp that represents the time when the SCIM tenant is purged.
+    output: true
+  - name: 'serviceAgent'
+    type: String
+    description: |
+      Service Agent created by SCIM Tenant API. SCIM tokens created under
+      this tenant will be attached to this service agent.
+    output: true
 parameters:
   - name: 'location'
     type: String
@@ -98,7 +110,7 @@ parameters:
     url_param_only: true
     required: true
     immutable: true
-  - name: 'ProviderId'
+  - name: 'providerId'
     type: String
     description: |
       The ID of the provider.

mmv1/products/iamworkforcepool/WorkforcePoolProviderScimToken.yaml

@@ -0,0 +1,110 @@
+# Copyright 2025 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: 'WorkforcePoolProviderScimToken'
+description: |
+  Represents a SCIM Token for a Workforce Pool Provider Scim Tenant.
+  The SCIM Token is used for authenticating SCIM provisioning requests during the synchronization of user/group identities from external identity provider into Google Cloud using the System for Cross-domain Identity Management (SCIM) protocol. This needs to be provided in the Secret (Long Lived) Token field when configuring SCIM on an IdP.
+references:
+  guides:
+    'Create a SCIM Token for the SCIM Tenant': 'https://cloud.google.com/iam/docs/workforce-sign-in-microsoft-entra-id-scalable-groups?group_type=extended#extended-attributes'
+  api: 'https://docs.cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools.providers.scimTenants.tokens'
+base_url: 'locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}/scimTenants/{{scim_tenant_id}}/tokens'
+self_link: 'locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}/scimTenants/{{scim_tenant_id}}/tokens/{{scim_token_id}}'
+create_url: 'locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}/scimTenants/{{scim_tenant_id}}/tokens?workforcePoolProviderScimTokenId={{scim_token_id}}'
+
+import_format:
+  - 'locations/{{location}}/workforcePools/{{workforce_pool_id}}/providers/{{provider_id}}/scimTenants/{{scim_tenant_id}}/tokens/{{scim_token_id}}'
+update_verb: 'PATCH'
+update_mask: true
+timeouts:
+  insert_minutes: 20
+  delete_minutes: 20
+custom_code:
+  decoder: 'templates/terraform/decoders/treat_deleted_state_as_gone.go.tmpl'
+  post_create: 'templates/terraform/post_create/sleep.go.tmpl'
+  post_update: 'templates/terraform/post_create/sleep.go.tmpl'
+examples:
+  - name: 'iam_workforce_pool_provider_scim_token_basic'
+    primary_resource_id: "example"
+    vars:
+      workforce_pool_id: 'example-pool'
+      provider_id: 'example-prvdr'
+      scim_tenant_id: 'example-tenant'
+      scim_token_id: 'example-scim-token'
+    test_env_vars:
+      org_id: 'ORG_ID'
+properties:
+  - name: 'name'
+    type: String
+    description: |
+      Identifier. The resource name of the scim token.
+      Format: `locations/{location}/workforcePools/{workforce_pool}/providers/{workforce_pool_provider}/scimTenants/{scim_tenant_id}/tokens/{scim_token_id}`
+    output: true
+  - name: 'displayName'
+    type: String
+    description:
+      A user-specified display name for the scim token. Cannot exceed 32 characters.
+  - name: 'securityToken'
+    type: String
+    description:
+      The token string provided to the IdP for authentication and will be set only during creation.
+    output: true
+  - name: 'state'
+    type: Enum
+    description: |
+      The current state of the scim token.
+      * ACTIVE: The token is active and may be used to provision users and groups.
+      * DELETED: The token is soft-deleted. Soft-deleted tokens are permanently deleted after approximately 30 days.
+    output: true
+    enum_values:
+      - 'STATE_UNSPECIFIED'
+      - 'ACTIVE'
+      - 'DELETED'
+parameters:
+  - name: 'location'
+    type: String
+    description: |
+      The location for the resource.
+    url_param_only: true
+    required: true
+    immutable: true
+  - name: 'workforcePoolId'
+    type: String
+    description: |
+      The ID of the Workforce Pool.
+    url_param_only: true
+    required: true
+    immutable: true
+  - name: 'providerId'
+    type: String
+    description: |
+      The ID of the Provider.
+    url_param_only: true
+    required: true
+    immutable: true
+  - name: 'scimTenantId'
+    type: String
+    description: |
+      The ID of the SCIM Tenant.
+    url_param_only: true
+    required: true
+    immutable: true
+  - name: 'scimTokenId'
+    type: String
+    description: |
+      The ID to use for the SCIM Token, which becomes the final component of the resource name. This value should be 4-32 characters and follow the pattern: `([a-z]([a-z0-9\\-]{2,30}[a-z0-9]))`.
+    url_param_only: true
+    required: true
+    immutable: true

mmv1/templates/terraform/examples/iam_workforce_pool_provider_scim_tenant_basic.tf.tmpl

@@ -38,7 +38,11 @@ resource "google_iam_workforce_pool_provider_scim_tenant" "{{$.PrimaryResourceId
   scim_tenant_id      = "example-scim-tenant"
   display_name        = "Example SCIM Tenant"
   description         = "A basic SCIM tenant for IAM Workforce Pool Provider"
-  # state is output only, not settable
+  claim_mapping       = {
+    "google.subject"  = "user.externalId",
+    "google.group"    = "group.externalId"
+  }
+  # state, base_uri, purge_time and service_agent are output only, not settable
 }
 
 

mmv1/templates/terraform/examples/iam_workforce_pool_provider_scim_token_basic.tf.tmpl

@@ -0,0 +1,57 @@
+resource "google_iam_workforce_pool" "pool" {
+  workforce_pool_id = "{{index $.Vars "workforce_pool_id"}}"
+  parent            = "organizations/{{index $.TestEnvVars "org_id"}}"
+  location          = "global"
+}
+
+resource "google_iam_workforce_pool_provider" "provider" {
+    location = "global"
+    workforce_pool_id = google_iam_workforce_pool.pool.workforce_pool_id
+    provider_id = "{{index $.Vars "provider_id"}}"
+    attribute_mapping   = {
+    "google.subject"  = "assertion.sub"
+    }
+    oidc {
+      issuer_uri        = "https://accounts.thirdparty.com"
+      client_id         = "client-id"
+      client_secret {
+        value {
+          plain_text = "client-secret"
+        }
+      }
+      web_sso_config {
+        response_type             = "CODE"
+        assertion_claims_behavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"
+        additional_scopes         = ["groups", "roles"]
+      }
+    }
+    display_name        = "Display name"
+    description         = "A sample OIDC workforce pool provider."
+    disabled            = false
+    attribute_condition = "true"
+}
+
+resource "google_iam_workforce_pool_provider_scim_tenant" "tenant" {
+  location            = "global"
+  workforce_pool_id   = google_iam_workforce_pool.pool.workforce_pool_id
+  provider_id         = google_iam_workforce_pool_provider.provider.provider_id
+  scim_tenant_id      = "{{index $.Vars "scim_tenant_id"}}"
+  display_name        = "SCIM Tenant display Name"
+  description         = "A SCIM Tenant for IAM Workforce Pool Provider"
+  claim_mapping       = {
+    "google.subject"  = "user.externalId",
+    "google.group"    = "group.externalId"
+  }
+  # state, base_uri, purge_time and service_agent are output only, not settable
+}
+
+resource "google_iam_workforce_pool_provider_scim_token" "{{$.PrimaryResourceId}}" {
+  location            = "global"
+  workforce_pool_id   = google_iam_workforce_pool.pool.workforce_pool_id
+  provider_id         = google_iam_workforce_pool_provider.provider.provider_id
+  scim_tenant_id      = google_iam_workforce_pool_provider_scim_tenant.tenant.scim_tenant_id
+  scim_token_id       = "example-scim-token"
+  display_name        = "SCIM Token display Name"
+  # security_token and state are output only, not settable
+}
+  

mmv1/third_party/terraform/services/iamworkforcepool/resource_iam_workforce_pool_provider_scim_tenant_test.go

@@ -4,6 +4,7 @@ import (
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
 
 	"github.com/hashicorp/terraform-provider-google/google/acctest"
 	"github.com/hashicorp/terraform-provider-google/google/envvar"
@@ -33,6 +34,11 @@ func TestAccIAMWorkforcePoolWorkforcePoolProviderScimTenant_update(t *testing.T)
 			},
 			{
 				Config: testAccIAMWorkforcePoolWorkforcePoolProviderScimTenant_update(context),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction("google_iam_workforce_pool_provider_scim_tenant.scim_tenant", plancheck.ResourceActionUpdate),
+					},
+				},
 			},
 			{
 				ResourceName:            "google_iam_workforce_pool_provider_scim_tenant.scim_tenant",
@@ -86,7 +92,11 @@ resource "google_iam_workforce_pool_provider_scim_tenant" "scim_tenant" {
   scim_tenant_id    = "example-scim-tenant"
   display_name      = "Example SCIM Tenant"
   description       = "A basic SCIM tenant for IAM Workforce Pool Provider"
-  # state is output only, not settable
+  claim_mapping       = {
+    "google.subject"  = "user.externalId",
+    "google.group"    = "group.externalId"
+  }
+  # state, base_uri, purge_time and service_agent are output only, not settable
 }
 
 `, context)
@@ -134,7 +144,11 @@ resource "google_iam_workforce_pool_provider_scim_tenant" "scim_tenant" {
   scim_tenant_id    = "example-scim-tenant"
   display_name      = "Example SCIM Tenant - Updated"
   description       = "A basic SCIM tenant for IAM Workforce Pool Provider - Updated"
-  # state is output only, not settable
+  claim_mapping       = {
+    "google.subject"  = "user.externalId",
+    "google.group"    = "group.externalId"
+  }
+  # state, base_uri, purge_time and service_agent are output only, not settable
 }
 `, context)
 }