Adding support for extended attributes in workforce pool provider (#15077)

Author: googankushjain

mmv1/products/iamworkforcepool/WorkforcePoolProvider.yaml

@@ -114,6 +114,26 @@ examples:
     ignore_read_extra:
       - 'oidc.0.client_secret.0.value.0.plain_text'
       - 'extra_attributes_oauth2_client.0.client_secret.0.value.0.plain_text'
+  - name: 'iam_workforce_pool_provider_extended_attributes_oauth2_config_client_basic'
+    primary_resource_id: 'example'
+    vars:
+      workforce_pool_id: 'example-pool'
+      provider_id: 'example-prvdr'
+    test_env_vars:
+      org_id: 'ORG_ID'
+    ignore_read_extra:
+      - 'oidc.0.client_secret.0.value.0.plain_text'
+      - 'extended_attributes_oauth2_client.0.client_secret.0.value.0.plain_text'
+  - name: 'iam_workforce_pool_provider_extended_attributes_oauth2_config_client_full'
+    primary_resource_id: 'example'
+    vars:
+      workforce_pool_id: 'example-pool'
+      provider_id: 'example-prvdr'
+    test_env_vars:
+      org_id: 'ORG_ID'
+    ignore_read_extra:
+      - 'oidc.0.client_secret.0.value.0.plain_text'
+      - 'extended_attributes_oauth2_client.0.client_secret.0.value.0.plain_text'
 parameters:
 properties:
   - name: 'location'
@@ -461,3 +481,78 @@ properties:
               The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL and AZURE_AD_GROUPS_ID, it represents the
               filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The
               groups should be security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.
+  - name: 'extendedAttributesOauth2Client'
+    type: NestedObject
+    description: |
+      The configuration for OAuth 2.0 client used to get the extended group
+      memberships for user identities. Only the `AZURE_AD_GROUPS_ID` attribute
+      type is supported. Extended groups supports a subset of Google Cloud
+      services. When the user accesses these services, extended group memberships
+      override the mapped `google.groups` attribute. Extended group memberships
+      cannot be used in attribute mapping or attribute condition expressions.
+
+      To keep extended group memberships up to date, extended groups are
+      retrieved when the user signs in and at regular intervals during the user's
+      active session. Each user identity in the workforce identity pool must map
+      to a unique Microsoft Entra ID user.
+    properties:
+      - name: 'issuerUri'
+        type: String
+        description: |
+          The OIDC identity provider's issuer URI. Must be a valid URI using the `https` scheme. Required to get the OIDC discovery document.
+        required: true
+      - name: 'clientId'
+        type: String
+        description: |
+          The OAuth 2.0 client ID for retrieving extended attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
+        required: true
+      - name: 'clientSecret'
+        type: NestedObject
+        description: |
+          The OAuth 2.0 client secret for retrieving extended attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
+        required: true
+        properties:
+          - name: 'value'
+            type: NestedObject
+            description: |
+              The value of the client secret.
+            custom_flatten: 'templates/terraform/custom_flatten/iam_workforce_pool_provider_extended_attributes_oauth2_config_client_secret_value.go.tmpl'
+            properties:
+              - name: 'plainText'
+                type: String
+                description: |
+                  The plain text of the client secret value.
+                required: true
+                validation:
+                  function: 'validation.StringIsNotEmpty'
+              - name: 'thumbprint'
+                type: String
+                description: |
+                  A thumbprint to represent the current client secret value.
+                output: true
+      - name: 'attributesType'
+        type: Enum
+        description: |
+          Represents the IdP and type of claims that should be fetched.
+          * AZURE_AD_GROUPS_ID:  Used to get the user's group claims from the Azure AD identity provider
+          using configuration provided in ExtendedAttributesOAuth2Client and `id`
+          property of the `microsoft.graph.group` object is used for claim mapping. See
+          https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties
+          for more details on `microsoft.graph.group` properties. The
+          group IDs obtained from Azure AD are present in `assertion.groups` for
+          OIDC providers and `assertion.attributes.groups` for SAML providers for
+          attribute mapping.
+        required: true
+        enum_values:
+          - 'AZURE_AD_GROUPS_ID'
+      - name: 'queryParameters'
+        type: NestedObject
+        description: |
+          Represents the parameters to control which claims are fetched from an IdP.
+        properties:
+          - name: 'filter'
+            type: String
+            description: |
+              The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_ID, it represents the
+              filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The
+              groups should be security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.

mmv1/templates/terraform/custom_flatten/iam_workforce_pool_provider_extended_attributes_oauth2_config_client_secret_value.go.tmpl

@@ -0,0 +1,29 @@
+{{/*
+	The license inside this block applies to this file
+	Copyright 2024 Google Inc.
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/ -}}
+func flatten{{$.GetPrefix}}{{$.TitlelizeProperty}}(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["thumbprint"] = original["thumbprint"]
+	// Trigger a diff based on the plain_text if there is no change in the thumbprint,
+	// otherwise leave plain_text empty to always trigger a diff.
+	if original["thumbprint"].(string) == d.Get("extended_attributes_oauth2_client.0.client_secret.0.value.0.thumbprint").(string) {
+		transformed["plain_text"] = d.Get("extended_attributes_oauth2_client.0.client_secret.0.value.0.plain_text")
+	}
+	return []interface{}{transformed}
+}

mmv1/templates/terraform/examples/iam_workforce_pool_provider_extended_attributes_oauth2_config_client_basic.tf.tmpl

@@ -0,0 +1,37 @@
+resource "google_iam_workforce_pool" "pool" {
+  workforce_pool_id = "{{index $.Vars "workforce_pool_id"}}"
+  parent            = "organizations/{{index $.TestEnvVars "org_id"}}"
+  location          = "global"
+}
+
+resource "google_iam_workforce_pool_provider" "{{$.PrimaryResourceId}}" {
+  workforce_pool_id  = google_iam_workforce_pool.pool.workforce_pool_id
+  location           = google_iam_workforce_pool.pool.location
+  provider_id        = "{{index $.Vars "provider_id"}}"
+  attribute_mapping  = {
+    "google.subject" = "assertion.sub"
+  }
+  oidc {
+    issuer_uri        = "https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0"
+    client_id         = "https://analysis.windows.net/powerbi/connector/GoogleBigQuery"
+    web_sso_config {
+      response_type             = "CODE"
+      assertion_claims_behavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"
+    }
+    client_secret {
+        value {
+          plain_text = "client-secret"
+        }
+      }
+  }
+  extended_attributes_oauth2_client {
+    issuer_uri       = "https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0"
+    client_id        = "client-id"
+    client_secret {
+        value {
+          plain_text = "client-secret"
+        }
+      }
+    attributes_type = "AZURE_AD_GROUPS_ID"
+  }
+}

mmv1/templates/terraform/examples/iam_workforce_pool_provider_extended_attributes_oauth2_config_client_full.tf.tmpl

@@ -0,0 +1,40 @@
+resource "google_iam_workforce_pool" "pool" {
+  workforce_pool_id = "{{index $.Vars "workforce_pool_id"}}"
+  parent            = "organizations/{{index $.TestEnvVars "org_id"}}"
+  location          = "global"
+}
+
+resource "google_iam_workforce_pool_provider" "{{$.PrimaryResourceId}}" {
+  workforce_pool_id  = google_iam_workforce_pool.pool.workforce_pool_id
+  location           = google_iam_workforce_pool.pool.location
+  provider_id        = "{{index $.Vars "provider_id"}}"
+  attribute_mapping  = {
+    "google.subject" = "assertion.sub"
+  }
+  oidc {
+    issuer_uri        = "https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0"
+    client_id         = "https://analysis.windows.net/powerbi/connector/GoogleBigQuery"
+    client_secret {
+      value {
+        plain_text = "client-secret"
+      }
+    }
+    web_sso_config {
+      response_type             = "CODE"
+      assertion_claims_behavior = "MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS"
+    }
+  }
+  extended_attributes_oauth2_client {
+    issuer_uri       = "https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0"
+    client_id        = "client-id"
+    client_secret {
+        value {
+          plain_text = "client-secret"
+        }
+      }
+    attributes_type = "AZURE_AD_GROUPS_ID"
+    query_parameters {
+        filter      = "mail:gcp"
+    }
+  }
+}

mmv1/templates/terraform/post_create/iam_workforce_pool_provider.go.tmpl

@@ -1,7 +1,8 @@
 createdOidcClientSecret := d.Get("oidc.0.client_secret.0.value.0.plain_text")
 createdExtraAttributesClientSecret := d.Get("extra_attributes_oauth2_client.0.client_secret.0.value.0.plain_text")
+createdExtendedAttributesClientSecret := d.Get("extended_attributes_oauth2_client.0.client_secret.0.value.0.plain_text")
 
-if (createdOidcClientSecret != nil && createdOidcClientSecret != "") || (createdExtraAttributesClientSecret != nil && createdExtraAttributesClientSecret != "") {
+if (createdOidcClientSecret != nil && createdOidcClientSecret != "") || (createdExtraAttributesClientSecret != nil && createdExtraAttributesClientSecret != "") || (createdExtendedAttributesClientSecret != nil && createdExtendedAttributesClientSecret != "") {
 	// After the create, reading from the API returns a new thumbprint
 	// for the client secret value, which clears the plain_text. We set the plain_text since
 	// this case should not warrant a diff.
@@ -20,6 +21,17 @@ if (createdOidcClientSecret != nil && createdOidcClientSecret != "") || (created
 		}
 	}
 
+	// Populate ExtendedAttributesOauth2Client the client secret plain text 
+	if createdExtendedAttributesClientSecret != nil && createdExtendedAttributesClientSecret != "" {
+		extendedAttributesOauth2Client := d.Get("extended_attributes_oauth2_client")
+		clientSecret := extendedAttributesOauth2Client.([]interface{})[0].(map[string]interface{})["client_secret"]
+		clientSecretValue := clientSecret.([]interface{})[0].(map[string]interface{})["value"]
+		clientSecretValue.([]interface{})[0].(map[string]interface{})["plain_text"] = createdExtendedAttributesClientSecret
+		if err := d.Set("extended_attributes_oauth2_client", extendedAttributesOauth2Client); err != nil {
+			return err
+		}
+	}
+
 	// Populate OIDC the client secret plain text 
 	if createdOidcClientSecret != nil && createdOidcClientSecret != "" {
 		oidc := d.Get("oidc")

mmv1/templates/terraform/post_update/iam_workforce_pool_provider.go.tmpl

@@ -1,6 +1,7 @@
-if d.HasChange("oidc") || d.HasChange("extra_attributes_oauth2_client") {
+if d.HasChange("oidc") || d.HasChange("extra_attributes_oauth2_client") || d.HasChange("extended_attributes_oauth2_client") {
 	updatedOidcClientSecret := d.Get("oidc.0.client_secret.0.value.0.plain_text")
 	updatedExtraAttributesOauth2ClientSecret := d.Get("extra_attributes_oauth2_client.0.client_secret.0.value.0.plain_text")
+	updatedExtendedAttributesOauth2ClientSecret := d.Get("extended_attributes_oauth2_client.0.client_secret.0.value.0.plain_text")
 	// After the update, reading from the API returns a different thumbprint
 	// for the client secret value, which clears the plain_text. We set the plain_text since
 	// this case should not warrant a diff.
@@ -27,5 +28,15 @@ if d.HasChange("oidc") || d.HasChange("extra_attributes_oauth2_client") {
 			return err
 		}
 	}
+
+	if updatedExtendedAttributesOauth2ClientSecret != nil && updatedExtendedAttributesOauth2ClientSecret != "" {
+		extendedAttributesOauth2Client := d.Get("extended_attributes_oauth2_client")
+		clientSecret := extendedAttributesOauth2Client.([]interface{})[0].(map[string]interface{})["client_secret"]
+		clientSecretValue := clientSecret.([]interface{})[0].(map[string]interface{})["value"]
+		clientSecretValue.([]interface{})[0].(map[string]interface{})["plain_text"] = updatedExtendedAttributesOauth2ClientSecret
+		if err := d.Set("extended_attributes_oauth2_client", extendedAttributesOauth2Client); err != nil {
+			return err
+		}
+	}
 	return nil
 }