Add mode, inline cert iss & trust config to workload identity pool

[stevenyang72]

Release Note Template for Downstream PRs (will be copied)

See Write release notes for guidance.

iambeta: added `mode`, `inline_certificate_issuance_config`, and `inline_trust_config` fields to `google_iam_workload_identity_pool` resource

`google_iam_workload_identity_pool_iam_*`

[github-actions]

Hello! I am a robot. Tests will require approval from a repository maintainer to run. Googlers: see go/terraform-auto-test-runs to set up automatic test runs.

@BBBmau, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look.

You can help make sure that review is quick by doing a self-review and by running impacted tests locally.

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 15 files changed, 420 insertions(+), 599 deletions(-))
google-beta provider: Diff ( 16 files changed, 1562 insertions(+), 20 deletions(-))
terraform-google-conversion: Diff ( 4 files changed, 542 insertions(+))

Breaking Change(s) Detected

The following breaking change(s) were detected within your pull request.

• Resource google_cloud_run_service_iam_binding was either removed or renamed - reference
• Resource google_cloud_run_service_iam_member was either removed or renamed - reference
• Resource google_cloud_run_service_iam_policy was either removed or renamed - reference

If you believe this detection to be incorrect please raise the concern with your reviewer.
If you intend to make this change you will need to wait for a major release window.
An override-breaking-change label can be added to allow merging.

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_iam_workload_identity_pool (38 total tests)
Please add an acceptance test which includes these fields. The test should include the following:

resource "google_iam_workload_identity_pool" "primary" {
  inline_trust_config {
    additional_trust_bundles {
      intermediate_cas {
        pem_certificate = # value needed
      }
    }
  }
}

Resource: google_iam_workload_identity_pool_iam_binding (2 total tests)
Please add an acceptance test which includes these fields. The test should include the following:

resource "google_iam_workload_identity_pool_iam_binding" "primary" {
  condition {
    description = # value needed
    expression  = # value needed
    title       = # value needed
  }
}

Resource: google_iam_workload_identity_pool_iam_member (1 total tests)
Please add an acceptance test which includes these fields. The test should include the following:

resource "google_iam_workload_identity_pool_iam_member" "primary" {
  condition {
    description = # value needed
    expression  = # value needed
    title       = # value needed
  }
}

Missing service labels

The following new resources do not have corresponding service labels:

• google_iam_workload_identity_pool_iam_binding
• google_iam_workload_identity_pool_iam_member
• google_iam_workload_identity_pool_iam_policy

If you believe this detection to be incorrect please raise the concern with your reviewer. Googlers: This error is safe to ignore once you've completed go/fix-missing-service-labels.
An override-missing-service-label label can be added to allow merging.

Missing doc report (experimental)

The following resources have fields missing in documents.

• google_iam_workload_identity_pool_iam_binding
  • Expected Document Path: /website/docs/r/iam_workload_identity_pool_iam.html.markdown
  • Fields: [workload_identity_pool_id]
• google_iam_workload_identity_pool_iam_member
  • Expected Document Path: /website/docs/r/iam_workload_identity_pool_iam.html.markdown
  • Fields: [workload_identity_pool_id]
• google_iam_workload_identity_pool_iam_policy
  • Expected Document Path: /website/docs/r/iam_workload_identity_pool_iam.html.markdown
  • Fields: [workload_identity_pool_id]

[modular-magician]

Tests analytics

Total tests: 24
Passed tests: 18
Skipped tests: 0
Affected tests: 6

Click here to see the affected service packages

• iambeta

Action taken

Found 6 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

• TestAccIAMBetaWorkloadIdentityPoolIamBindingGenerated
• TestAccIAMBetaWorkloadIdentityPoolIamMemberGenerated
• TestAccIAMBetaWorkloadIdentityPoolIamPolicyGenerated
• TestAccIAMBetaWorkloadIdentityPool_beta_update
• TestAccIAMBetaWorkloadIdentityPool_iamWorkloadIdentityPoolFullFederationOnlyModeExample
• TestAccIAMBetaWorkloadIdentityPool_iamWorkloadIdentityPoolFullTrustDomainModeExample

Get to know how VCR tests work

[modular-magician]

🟢 Tests passed during RECORDING mode:
TestAccIAMBetaWorkloadIdentityPool_beta_update [Debug log]
TestAccIAMBetaWorkloadIdentityPool_iamWorkloadIdentityPoolFullFederationOnlyModeExample [Debug log]
TestAccIAMBetaWorkloadIdentityPool_iamWorkloadIdentityPoolFullTrustDomainModeExample [Debug log]

🔴 Tests failed when rerunning REPLAYING mode:
TestAccIAMBetaWorkloadIdentityPool_iamWorkloadIdentityPoolFullFederationOnlyModeExample [Error message] [Debug log]

Tests failed due to non-determinism or randomness when the VCR replayed the response after the HTTP request was made.

Please fix these to complete your PR. If you believe these test failures to be incorrect or unrelated to your change, or if you have any questions, please raise the concern with your reviewer.

---

🔴 Tests failed during RECORDING mode:
TestAccIAMBetaWorkloadIdentityPoolIamBindingGenerated [Error message] [Debug log]
TestAccIAMBetaWorkloadIdentityPoolIamMemberGenerated [Error message] [Debug log]
TestAccIAMBetaWorkloadIdentityPoolIamPolicyGenerated [Error message] [Debug log]

🔴 Errors occurred during RECORDING mode. Please fix them to complete your PR.

View the build log or the debug log for each test

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 11 files changed, 416 insertions(+), 50 deletions(-))
google-beta provider: Diff ( 14 files changed, 1558 insertions(+), 20 deletions(-))
terraform-google-conversion: Diff ( 4 files changed, 542 insertions(+))

Missing test report

Your PR includes resource fields which are not covered by any test.

Resource: google_iam_workload_identity_pool (38 total tests)
Please add an acceptance test which includes these fields. The test should include the following:

resource "google_iam_workload_identity_pool" "primary" {
  inline_trust_config {
    additional_trust_bundles {
      intermediate_cas {
        pem_certificate = # value needed
      }
    }
  }
}

Resource: google_iam_workload_identity_pool_iam_binding (2 total tests)
Please add an acceptance test which includes these fields. The test should include the following:

resource "google_iam_workload_identity_pool_iam_binding" "primary" {
  condition {
    description = # value needed
    expression  = # value needed
    title       = # value needed
  }
}

Resource: google_iam_workload_identity_pool_iam_member (1 total tests)
Please add an acceptance test which includes these fields. The test should include the following:

resource "google_iam_workload_identity_pool_iam_member" "primary" {
  condition {
    description = # value needed
    expression  = # value needed
    title       = # value needed
  }
}

Missing service labels

The following new resources do not have corresponding service labels:

• google_iam_workload_identity_pool_iam_binding
• google_iam_workload_identity_pool_iam_member
• google_iam_workload_identity_pool_iam_policy

If you believe this detection to be incorrect please raise the concern with your reviewer. Googlers: This error is safe to ignore once you've completed go/fix-missing-service-labels.
An override-missing-service-label label can be added to allow merging.

Missing doc report (experimental)

The following resources have fields missing in documents.

• google_iam_workload_identity_pool_iam_binding
  • Expected Document Path: /website/docs/r/iam_workload_identity_pool_iam.html.markdown
  • Fields: [workload_identity_pool_id]
• google_iam_workload_identity_pool_iam_member
  • Expected Document Path: /website/docs/r/iam_workload_identity_pool_iam.html.markdown
  • Fields: [workload_identity_pool_id]
• google_iam_workload_identity_pool_iam_policy
  • Expected Document Path: /website/docs/r/iam_workload_identity_pool_iam.html.markdown
  • Fields: [workload_identity_pool_id]

[modular-magician]

Tests analytics

Total tests: 24
Passed tests: 20
Skipped tests: 0
Affected tests: 4

Click here to see the affected service packages

• iambeta

Action taken

Found 4 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

• TestAccIAMBetaWorkloadIdentityPoolIamBindingGenerated
• TestAccIAMBetaWorkloadIdentityPoolIamMemberGenerated
• TestAccIAMBetaWorkloadIdentityPoolIamPolicyGenerated
• TestAccIAMBetaWorkloadIdentityPool_iamWorkloadIdentityPoolFullFederationOnlyModeExample

Get to know how VCR tests work

[modular-magician]

🟢 Tests passed during RECORDING mode:
TestAccIAMBetaWorkloadIdentityPool_iamWorkloadIdentityPoolFullFederationOnlyModeExample [Debug log]

🔴 Tests failed when rerunning REPLAYING mode:
TestAccIAMBetaWorkloadIdentityPool_iamWorkloadIdentityPoolFullFederationOnlyModeExample [Error message] [Debug log]

Tests failed due to non-determinism or randomness when the VCR replayed the response after the HTTP request was made.

Please fix these to complete your PR. If you believe these test failures to be incorrect or unrelated to your change, or if you have any questions, please raise the concern with your reviewer.

---

🔴 Tests failed during RECORDING mode:
TestAccIAMBetaWorkloadIdentityPoolIamBindingGenerated [Error message] [Debug log]
TestAccIAMBetaWorkloadIdentityPoolIamMemberGenerated [Error message] [Debug log]
TestAccIAMBetaWorkloadIdentityPoolIamPolicyGenerated [Error message] [Debug log]

🔴 Errors occurred during RECORDING mode. Please fix them to complete your PR.

View the build log or the debug log for each test

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 11 files changed, 470 insertions(+), 50 deletions(-))
google-beta provider: Diff ( 14 files changed, 1896 insertions(+), 20 deletions(-))
terraform-google-conversion: Diff ( 4 files changed, 514 insertions(+))

Missing service labels

The following new resources do not have corresponding service labels:

• google_iam_workload_identity_pool_iam_binding
• google_iam_workload_identity_pool_iam_member
• google_iam_workload_identity_pool_iam_policy

If you believe this detection to be incorrect please raise the concern with your reviewer. Googlers: This error is safe to ignore once you've completed go/fix-missing-service-labels.
An override-missing-service-label label can be added to allow merging.

Missing doc report (experimental)

The following resources have fields missing in documents.

• google_iam_workload_identity_pool_iam_binding
  • Expected Document Path: /website/docs/r/iam_workload_identity_pool_iam.html.markdown
  • Fields: [workload_identity_pool_id]
• google_iam_workload_identity_pool_iam_member
  • Expected Document Path: /website/docs/r/iam_workload_identity_pool_iam.html.markdown
  • Fields: [workload_identity_pool_id]
• google_iam_workload_identity_pool_iam_policy
  • Expected Document Path: /website/docs/r/iam_workload_identity_pool_iam.html.markdown
  • Fields: [workload_identity_pool_id]

[modular-magician]

Tests analytics

Total tests: 29
Passed tests: 18
Skipped tests: 2
Affected tests: 9

Click here to see the affected service packages

• iambeta

#### Non-exercised tests

🔴 Tests were added that are skipped in VCR:

• TestAccIAMBetaWorkloadIdentityPoolIamBindingGenerated_withAndWithoutCondition
• TestAccIAMBetaWorkloadIdentityPoolIamMemberGenerated_withAndWithoutCondition

Action taken

Found 9 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

• TestAccIAMBetaWorkloadIdentityPoolIamBindingGenerated
• TestAccIAMBetaWorkloadIdentityPoolIamBindingGenerated_withCondition
• TestAccIAMBetaWorkloadIdentityPoolIamMemberGenerated
• TestAccIAMBetaWorkloadIdentityPoolIamMemberGenerated_withCondition
• TestAccIAMBetaWorkloadIdentityPoolIamPolicyGenerated
• TestAccIAMBetaWorkloadIdentityPoolIamPolicyGenerated_withCondition
• TestAccIAMBetaWorkloadIdentityPool_beta_update
• TestAccIAMBetaWorkloadIdentityPool_iamWorkloadIdentityPoolFullFederationOnlyModeExample
• TestAccIAMBetaWorkloadIdentityPool_iamWorkloadIdentityPoolFullTrustDomainModeExample

Get to know how VCR tests work

[modular-magician]

🟢 Tests passed during RECORDING mode:
TestAccIAMBetaWorkloadIdentityPool_beta_update [Debug log]
TestAccIAMBetaWorkloadIdentityPool_iamWorkloadIdentityPoolFullFederationOnlyModeExample [Debug log]
TestAccIAMBetaWorkloadIdentityPool_iamWorkloadIdentityPoolFullTrustDomainModeExample [Debug log]

🟢 No issues found for passed tests after REPLAYING rerun.

---

🔴 Tests failed during RECORDING mode:
TestAccIAMBetaWorkloadIdentityPoolIamBindingGenerated [Error message] [Debug log]
TestAccIAMBetaWorkloadIdentityPoolIamBindingGenerated_withCondition [Error message] [Debug log]
TestAccIAMBetaWorkloadIdentityPoolIamMemberGenerated [Error message] [Debug log]
TestAccIAMBetaWorkloadIdentityPoolIamMemberGenerated_withCondition [Error message] [Debug log]
TestAccIAMBetaWorkloadIdentityPoolIamPolicyGenerated [Error message] [Debug log]
TestAccIAMBetaWorkloadIdentityPoolIamPolicyGenerated_withCondition [Error message] [Debug log]

🔴 Errors occurred during RECORDING mode. Please fix them to complete your PR.

View the build log or the debug log for each test

[stevenyang72]

Hi @BBBmau,

Thanks for taking the time to review this PR!

Could you please remove the service/run label? I had initially included changes affecting Cloud Run configs but reverted them in a later commit. Apologies for any confusion caused by the temporary breaking change detected by the bot.

Regarding the failing VCR tests related to IAM policy (TestAccIAMBetaWorkloadIdentityPoolIamBindingGenerated, TestAccIAMBetaWorkloadIdentityPoolIamMemberGenerated, TestAccIAMBetaWorkloadIdentityPoolIamPolicyGenerated), this appears to be due to an issue on the API side which is currently being addressed. I'll provide an update here once that's resolved.

In the meantime, would you be able to review the other parts of the PR related to the Workload Identity Pool changes?

Please let me know if I can provide any further context to assist with the review. Thanks again!

[github-actions]

@BBBmau This PR has been waiting for review for 3 weekdays. Please take a look! Use the label disable-review-reminders to disable these notifications.

[shuyama1]

Assigning a Googler for review, as the feature documentation is currently internal.

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 11 files changed, 471 insertions(+), 50 deletions(-))
google-beta provider: Diff ( 14 files changed, 1901 insertions(+), 20 deletions(-))
terraform-google-conversion: Diff ( 4 files changed, 514 insertions(+))

Missing service labels

The following new resources do not have corresponding service labels:

• google_iam_workload_identity_pool_iam_binding
• google_iam_workload_identity_pool_iam_member
• google_iam_workload_identity_pool_iam_policy

If you believe this detection to be incorrect please raise the concern with your reviewer. Googlers: This error is safe to ignore once you've completed go/fix-missing-service-labels.
An override-missing-service-label label can be added to allow merging.

Missing doc report (experimental)

The following resources have fields missing in documents.

• google_iam_workload_identity_pool_iam_binding
  • Expected Document Path: /website/docs/r/iam_workload_identity_pool_iam.html.markdown
  • Fields: [workload_identity_pool_id]
• google_iam_workload_identity_pool_iam_member
  • Expected Document Path: /website/docs/r/iam_workload_identity_pool_iam.html.markdown
  • Fields: [workload_identity_pool_id]
• google_iam_workload_identity_pool_iam_policy
  • Expected Document Path: /website/docs/r/iam_workload_identity_pool_iam.html.markdown
  • Fields: [workload_identity_pool_id]

[modular-magician]

Tests analytics

Total tests: 29
Passed tests: 21
Skipped tests: 2
Affected tests: 6

Click here to see the affected service packages

• iambeta

#### Non-exercised tests

🔴 Tests were added that are skipped in VCR:

• TestAccIAMBetaWorkloadIdentityPoolIamBindingGenerated_withAndWithoutCondition
• TestAccIAMBetaWorkloadIdentityPoolIamMemberGenerated_withAndWithoutCondition

Action taken

Found 6 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests

• TestAccIAMBetaWorkloadIdentityPoolIamBindingGenerated
• TestAccIAMBetaWorkloadIdentityPoolIamBindingGenerated_withCondition
• TestAccIAMBetaWorkloadIdentityPoolIamMemberGenerated
• TestAccIAMBetaWorkloadIdentityPoolIamMemberGenerated_withCondition
• TestAccIAMBetaWorkloadIdentityPoolIamPolicyGenerated
• TestAccIAMBetaWorkloadIdentityPoolIamPolicyGenerated_withCondition

Get to know how VCR tests work

[modular-magician]

🟢 Tests passed during RECORDING mode:
TestAccIAMBetaWorkloadIdentityPoolIamMemberGenerated [Debug log]

🟢 No issues found for passed tests after REPLAYING rerun.

---

🔴 Tests failed during RECORDING mode:
TestAccIAMBetaWorkloadIdentityPoolIamBindingGenerated [Error message] [Debug log]
TestAccIAMBetaWorkloadIdentityPoolIamBindingGenerated_withCondition [Error message] [Debug log]
TestAccIAMBetaWorkloadIdentityPoolIamMemberGenerated_withCondition [Error message] [Debug log]
TestAccIAMBetaWorkloadIdentityPoolIamPolicyGenerated [Error message] [Debug log]
TestAccIAMBetaWorkloadIdentityPoolIamPolicyGenerated_withCondition [Error message] [Debug log]

🔴 Errors occurred during RECORDING mode. Please fix them to complete your PR.

View the build log or the debug log for each test

[modular-magician]

Tests analytics

Total tests: 29
Passed tests: 27
Skipped tests: 2
Affected tests: 0

Click here to see the affected service packages

• iambeta

#### Non-exercised tests

🔴 Tests were added that are skipped in VCR:

• TestAccIAMBetaWorkloadIdentityPoolIamBindingGenerated_withAndWithoutCondition
• TestAccIAMBetaWorkloadIdentityPoolIamMemberGenerated_withAndWithoutCondition
  🟢 All tests passed!

View the build log

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 11 files changed, 468 insertions(+), 50 deletions(-))
google-beta provider: Diff ( 14 files changed, 1926 insertions(+), 20 deletions(-))
terraform-google-conversion: Diff ( 4 files changed, 514 insertions(+))

Multiple resources added

This PR adds multiple new resources: google_iam_workload_identity_pool_iam_binding, google_iam_workload_identity_pool_iam_member, google_iam_workload_identity_pool_iam_policy. This makes review significantly more difficult. Please split it into multiple PRs, one per resource.
An override-multiple-resources label can be added to allow merging.

Missing doc report (experimental)

The following resources have fields missing in documents.

• google_iam_workload_identity_pool_iam_binding
  • Expected Document Path: /website/docs/r/iam_workload_identity_pool_iam.html.markdown
  • Fields: [workload_identity_pool_id]
• google_iam_workload_identity_pool_iam_member
  • Expected Document Path: /website/docs/r/iam_workload_identity_pool_iam.html.markdown
  • Fields: [workload_identity_pool_id]
• google_iam_workload_identity_pool_iam_policy
  • Expected Document Path: /website/docs/r/iam_workload_identity_pool_iam.html.markdown
  • Fields: [workload_identity_pool_id]

[stevenyang72]

Hi @c2thorn, it seems the CI step mmv1 / unit-tests (pull_request) is broken by third_party/terraform/services/netapp/resource_netapp_storage_pool_test.go.tmpl, which could be caused by #13929, could you please help verify that?

I believe the Basic PR checks / disallow-large-prs (pull_request) is also broken by #13929, where I had to change resource_iam_workload_identity_pool_test.go (which was a template file before #13929) back to template file because this PR is adding test cases against beta-only fields.

[modular-magician]

Tests analytics

Total tests: 29
Passed tests: 27
Skipped tests: 2
Affected tests: 0

Click here to see the affected service packages

• iambeta

#### Non-exercised tests

🔴 Tests were added that are skipped in VCR:

• TestAccIAMBetaWorkloadIdentityPoolIamBindingGenerated_withAndWithoutCondition
• TestAccIAMBetaWorkloadIdentityPoolIamMemberGenerated_withAndWithoutCondition
  🟢 All tests passed!

View the build log

[c2thorn]

Hi @c2thorn, it seems the CI step mmv1 / unit-tests (pull_request) is broken by third_party/terraform/services/netapp/resource_netapp_storage_pool_test.go.tmpl, which could be caused by #13929, could you please help verify that?

I believe the Basic PR checks / disallow-large-prs (pull_request) is also broken by #13929, where I had to change resource_iam_workload_identity_pool_test.go (which was a template file before #13929) back to template file because this PR is adding test cases against beta-only fields.

You're right, we had an issue with unfortunate timing to a change in our CI. The fix PR was just merged. I believe to resolve it in your PR, you will need to rebase to a commit after 3cb32fa. Sorry for the added trouble.

[stevenyang72]

Hi @c2thorn, it seems the CI step mmv1 / unit-tests (pull_request) is broken by third_party/terraform/services/netapp/resource_netapp_storage_pool_test.go.tmpl, which could be caused by #13929, could you please help verify that?
I believe the Basic PR checks / disallow-large-prs (pull_request) is also broken by #13929, where I had to change resource_iam_workload_identity_pool_test.go (which was a template file before #13929) back to template file because this PR is adding test cases against beta-only fields.

You're right, we had an issue with unfortunate timing to a change in our CI. The fix PR was just merged. I believe to resolve it in your PR, you will need to rebase to a commit after 3cb32fa. Sorry for the added trouble.

Hi @c2thorn, no worries. Thanks for your prompt help! Rebased this one on top of 3cb32fa.

[modular-magician]

Hi there, I'm the Modular magician. I've detected the following information about your changes:

Diff report

Your PR generated some diffs in downstreams - here they are.

google provider: Diff ( 11 files changed, 468 insertions(+), 50 deletions(-))
google-beta provider: Diff ( 14 files changed, 1926 insertions(+), 20 deletions(-))
terraform-google-conversion: Diff ( 4 files changed, 514 insertions(+))

Multiple resources added

This PR adds multiple new resources: google_iam_workload_identity_pool_iam_binding, google_iam_workload_identity_pool_iam_member, google_iam_workload_identity_pool_iam_policy. This makes review significantly more difficult. Please split it into multiple PRs, one per resource.
An override-multiple-resources label can be added to allow merging.

Missing doc report (experimental)

The following resources have fields missing in documents.

• google_iam_workload_identity_pool_iam_binding
  • Expected Document Path: /website/docs/r/iam_workload_identity_pool_iam.html.markdown
  • Fields: [workload_identity_pool_id]
• google_iam_workload_identity_pool_iam_member
  • Expected Document Path: /website/docs/r/iam_workload_identity_pool_iam.html.markdown
  • Fields: [workload_identity_pool_id]
• google_iam_workload_identity_pool_iam_policy
  • Expected Document Path: /website/docs/r/iam_workload_identity_pool_iam.html.markdown
  • Fields: [workload_identity_pool_id]

[modular-magician]

Tests analytics

Total tests: 29
Passed tests: 27
Skipped tests: 2
Affected tests: 0

Click here to see the affected service packages

• iambeta

#### Non-exercised tests

🔴 Tests were added that are skipped in VCR:

• TestAccIAMBetaWorkloadIdentityPoolIamBindingGenerated_withAndWithoutCondition
• TestAccIAMBetaWorkloadIdentityPoolIamMemberGenerated_withAndWithoutCondition
  🟢 All tests passed!

View the build log

[c2thorn]

added the google_iam_workload_identity_pool_iam_* release note.
LGTM