@@ -19,6 +19,8 @@ description: |
1919references :
2020 guides :
2121 ' Managing workload identity pools ' : ' https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#pools'
22+ ' Configure managed workload identity authentication for Compute Engine ' : ' https://cloud.google.com/iam/docs/create-managed-workload-identities'
23+ ' Configure managed workload identity authentication for GKE ' : ' https://cloud.google.com/iam/docs/create-managed-workload-identities-gke'
2224 api : ' https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools'
2325docs :
2426base_url : ' projects/{{project}}/locations/global/workloadIdentityPools'
@@ -40,19 +42,42 @@ async:
4042 base_url : ' {{op_id}}'
4143 result :
4244 resource_inside_response : false
45+ iam_policy :
46+ parent_resource_attribute : ' workload_identity_pool_id'
47+ method_name_separator : ' :'
48+ fetch_iam_policy_verb : ' POST'
49+ import_format :
50+ - ' projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}'
51+ - ' {{workload_identity_pool_id}}'
52+ iam_conditions_request_type : ' REQUEST_BODY'
53+ min_version : beta
4354custom_code :
4455 constants : ' templates/terraform/constants/iam_workload_identity_pool.go.tmpl'
4556 decoder : ' templates/terraform/decoders/treat_deleted_state_as_gone.go.tmpl'
4657 test_check_destroy : ' templates/terraform/custom_check_destroy/iam_workload_identity_pool.go.tmpl'
4758examples :
4859 - name : ' iam_workload_identity_pool_basic'
4960 primary_resource_id : ' example'
61+ primary_resource_name :
62+ ' fmt.Sprintf("tf-test-example-pool%s", context["random_suffix"])'
5063 vars :
5164 workload_identity_pool_id : ' example-pool'
52- - name : ' iam_workload_identity_pool_full '
65+ - name : ' iam_workload_identity_pool_full_federation_only_mode '
5366 primary_resource_id : ' example'
67+ primary_resource_name :
68+ ' fmt.Sprintf("tf-test-example-pool%s", context["random_suffix"])'
5469 vars :
5570 workload_identity_pool_id : ' example-pool'
71+ min_version : beta
72+ external_providers :
73+ - ' random'
74+ - name : ' iam_workload_identity_pool_full_trust_domain_mode'
75+ primary_resource_id : ' example'
76+ primary_resource_name :
77+ ' fmt.Sprintf("tf-test-example-pool%s", context["random_suffix"])'
78+ vars :
79+ workload_identity_pool_id : ' example-pool'
80+ min_version : beta
5681parameters :
5782properties :
5883 - name : ' workloadIdentityPoolId'
@@ -70,11 +95,11 @@ properties:
7095 type : Enum
7196 description : |
7297 The state of the pool.
73- * STATE_UNSPECIFIED: State unspecified.
74- * ACTIVE: The pool is active, and may be used in Google Cloud policies.
75- * DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted after
98+ * ` STATE_UNSPECIFIED` : State unspecified.
99+ * ` ACTIVE` : The pool is active, and may be used in Google Cloud policies.
100+ * ` DELETED` : The pool is soft-deleted. Soft-deleted pools are permanently deleted after
76101 approximately 30 days. You can restore a soft-deleted pool using
77- UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is
102+ ` UndeleteWorkloadIdentityPool` . You cannot reuse the ID of a soft-deleted pool until it is
78103 permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or
79104 use existing tokens to access resources. If the pool is undeleted, existing tokens grant
80105 access again.
@@ -101,3 +126,136 @@ properties:
101126 Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use
102127 existing tokens to access resources. If the pool is re-enabled, existing tokens grant
103128 access again.
129+ - name : mode
130+ type : Enum
131+ description : |
132+ The mode for the pool is operating in.
133+
134+
135+ ~> **Note** Altering this field requires a new `workload_identity_pool_id`. To automate
136+ `workload_identity_pool_id` changes, append a random string (numbers/lowercase letters) to the
137+ `workload_identity_pool_id`.
138+
139+ * `MODE_UNSPECIFIED`: State unspecified. New pools should not use this mode. Pools with an
140+ unspecified mode will operate as if they are in `FEDERATION_ONLY` mode.
141+ * `FEDERATION_ONLY`: Pools can only be used for federating external workload identities into
142+ Google Cloud. Unless otherwise noted, no structure or format constraints are applied to
143+ workload identities in a `FEDERATION_ONLY` mode pool, and you may not create any resources
144+ within the pool besides providers.
145+ * `TRUST_DOMAIN`: Pools can be used to assign identities to either external workloads or those
146+ hosted on Google Cloud. All identities within a `TRUST_DOMAIN` mode pool must consist of a
147+ single namespace and individual workload identifier. The subject identifier for all identities
148+ must conform to the following import_format:
149+
150+ `ns/<namespace>/sa/<workload_identifier>`
151+
152+ `WorkloadIdentityPoolProvider`(`google.iam.v1.WorkloadIdentityPoolProvider`)s
153+ cannot be created within `TRUST_DOMAIN` mode pools.
154+ min_version : beta
155+ immutable : true
156+ enum_values :
157+ - ' MODE_UNSPECIFIED'
158+ - ' FEDERATION_ONLY'
159+ - ' TRUST_DOMAIN'
160+ - name : ' inlineCertificateIssuanceConfig'
161+ type : NestedObject
162+ description : |
163+ Represents configuration for generating mutual TLS (mTLS) certificates for the identities
164+ within this pool. Defines the Certificate Authority (CA) pool resources and configurations
165+ required for issuance and rotation of mTLS workload certificates.
166+ min_version : beta
167+ properties :
168+ - name : ' caPools'
169+ type : KeyValuePairs
170+ description : |
171+ A required mapping of a cloud region to the CA pool resource located in that region used
172+ for certificate issuance, adhering to these constraints:
173+
174+ * **Key format:** A supported cloud region name equivalent to the location identifier in
175+ the corresponding map entry's value.
176+ * **Value format:** A valid CA pool resource path format like:
177+ `projects/{project}/locations/{location}/caPools/{ca_pool}`
178+ * **Region Matching:** Workloads are ONLY issued certificates from CA pools within the
179+ same region. Also the CA pool region (in value) must match the workload's region (key).
180+ - name : ' lifetime'
181+ type : String
182+ description : |
183+ Lifetime of the workload certificates issued by the CA pool in seconds. Must be between
184+ `36000s` (10 hours) to `2592000s` (30 days), ends in the suffix "`s`" (indicating seconds)
185+ and is preceded by the number of seconds. If unspecified, this will be defaulted to
186+ `86400s` (24 hours).
187+ - name : ' rotationWindowPercentage'
188+ type : Integer
189+ description : |
190+ Rotation window percentage indicating when certificate rotation should be initiated based
191+ on remaining lifetime. Must be between 10 - 80. If unspecified, this will be defaulted to
192+ 50.
193+ - name : ' keyAlgorithm'
194+ type : Enum
195+ description : |
196+ Key algorithm to use when generating the key pair. This key pair will be used to create
197+ the certificate. If unspecified, this will default to `ECDSA_P256`.
198+
199+ * `KEY_ALGORITHM_UNSPECIFIED`: Unspecified key algorithm. Defaults to `ECDSA_P256`.
200+ * `RSA_2048`: Specifies RSA with a 2048-bit modulus.
201+ * `RSA_3072`: Specifies RSA with a 3072-bit modulus.
202+ * `RSA_4096`: Specifies RSA with a 4096-bit modulus.
203+ * `ECDSA_P256`: Specifies ECDSA with curve P256.
204+ * `ECDSA_P384`: Specifies ECDSA with curve P384.
205+ enum_values :
206+ - ' KEY_ALGORITHM_UNSPECIFIED'
207+ - ' RSA_2048'
208+ - ' RSA_3072'
209+ - ' RSA_4096'
210+ - ' ECDSA_P256'
211+ - ' ECDSA_P384'
212+ - name : ' inlineTrustConfig'
213+ type : NestedObject
214+ description : |
215+ Represents config to add additional trusted trust domains. Defines configuration for extending
216+ trust to additional trust domains. By establishing trust with another domain, the current
217+ domain will recognize and accept certificates issued by entities within the trusted domains.
218+ Note that a trust domain automatically trusts itself, eliminating the need for explicit
219+ configuration.
220+ min_version : beta
221+ properties :
222+ - name : ' additionalTrustBundles'
223+ type : Map
224+ description : |
225+ Maps specific trust domains (e.g., "example.com") to their corresponding `TrustStore`
226+ objects, which contain the trusted root certificates for that domain. There can be a
227+ maximum of `10` trust domain entries in this map.
228+
229+ Note that a trust domain automatically trusts itself and don't need to be specified here.
230+ If however, this `WorkloadIdentityPool`'s trust domain contains any trust anchors in the
231+ `additional_trust_bundles` map, those trust anchors will be *appended to* the Trust Bundle
232+ automatically derived from your `InlineCertificateIssuanceConfig`'s `ca_pools`.
233+ key_name : trust_domain
234+ key_description : |
235+ The trusted trust domains (e.g., "example.com") to be extended trust to additional trust
236+ domains to.
237+ value_type :
238+ name : trustStore
239+ type : NestedObject
240+ description : |
241+ Trust store that contains trust anchors and optional intermediate CAs used in PKI to
242+ build trust chain and verify client's identity.
243+ properties :
244+ - name : ' trustAnchors'
245+ type : Array
246+ description : |
247+ List of Trust Anchors to be used while performing validation against a given
248+ `TrustStore`. The incoming end entity's certificate must be chained up to one of the
249+ trust anchors here.
250+ required : true
251+ item_type :
252+ type : NestedObject
253+ description : |
254+ Represents a root of trust.
255+ properties :
256+ - name : ' pemCertificate'
257+ type : String
258+ description : |
259+ PEM certificate of the PKI used for validation. Must only contain one ca
260+ certificate(either root or intermediate cert).
261+ required : true
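Review bot: The `caPools` field (line 168) is described as "A required mapping" but carries no `required: true`, unlike `trustAnchors` (line 250) and `pemCertificate` (line 261) in the same hunk; either add `required: true` under `caPools` or drop the word "required" from its description so the schema and the docs agree. The `lifetime`, `rotationWindowPercentage` and `keyAlgorithm` descriptions each document a server-side default (`86400s`, `50`, `ECDSA_P256`) yet none is marked `default_from_api: true`, so a configuration that omits them will presumably show a perpetual diff once the API fills the value in — worth confirming against a plan after the first apply. The documented bounds (`36000s`–`2592000s`, `10`–`80`) are only prose; if the generator's `validation:` key applies to these types, enforcing them client-side would surface a bad value at plan time rather than as an API error. Minor wording on line 132: `The mode the pool is operating in.`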