feat:(storagetransfer) added federated identity config for azure storage transfer (#14427) (#23900)

[upstream:37253ecc2343ec83233e8136677f03556fc1baeb]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/14427.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+storagetransfer: added `federated_identity_config` to resource `google_storage_transfer_job`
+```

google/services/storagetransfer/resource_storage_transfer_job.go

@@ -8,7 +8,7 @@
 //
 //	This code is generated by Magic Modules using the following:
 //
-//	Source file: https://github.com/GoogleCloudPlatform/magic-modules/tree/main/mmv1/third_party/terraform/services/storagetransfer/resource_storage_transfer_job.go.tmpl
+//	Source file: https://github.com/GoogleCloudPlatform/magic-modules/tree/main/mmv1/third_party/terraform/services/storagetransfer/resource_storage_transfer_job.go
 //
 //	DO NOT EDIT this file directly. Any changes made to this file will be
 //	overwritten during the next generation cycle.
@@ -115,6 +115,11 @@ var (
 		"transfer_spec.0.aws_s3_data_source.0.aws_access_key",
 		"transfer_spec.0.aws_s3_data_source.0.role_arn",
 	}
+	azureOptionCredentials = []string{
+		"transfer_spec.0.azure_blob_storage_data_source.0.azure_credentials",
+		"transfer_spec.0.azure_blob_storage_data_source.0.credentials_secret",
+		"transfer_spec.0.azure_blob_storage_data_source.0.federated_identity_config",
+	}
 )
 
 func ResourceStorageTransferJob() *schema.Resource {
@@ -825,9 +830,10 @@ func azureBlobStorageDataSchema() *schema.Resource {
 				Description: `Root path to transfer objects. Must be an empty string or full path name that ends with a '/'. This field is treated as an object prefix. As such, it should generally not begin with a '/'.`,
 			},
 			"azure_credentials": {
-				Type:     schema.TypeList,
-				Required: true,
-				MaxItems: 1,
+				Type:         schema.TypeList,
+				Optional:     true,
+				ExactlyOneOf: azureOptionCredentials,
+				MaxItems:     1,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"sas_token": {
@@ -840,6 +846,35 @@ func azureBlobStorageDataSchema() *schema.Resource {
 				},
 				Description: ` Credentials used to authenticate API requests to Azure.`,
 			},
+			"credentials_secret": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ExactlyOneOf: azureOptionCredentials,
+				Description:  `The Resource name of a secret in Secret Manager containing SAS Credentials in JSON form. Service Agent must have permissions to access secret. If credentials_secret is specified, do not specify azure_credentials.`,
+			},
+			"federated_identity_config": {
+				Type:         schema.TypeList,
+				Optional:     true,
+				ExactlyOneOf: azureOptionCredentials,
+				MaxItems:     1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"client_id": {
+							Type:        schema.TypeString,
+							Required:    true,
+							Sensitive:   true,
+							Description: `The client (application) ID of the application with federated credentials.`,
+						},
+						"tenant_id": {
+							Type:        schema.TypeString,
+							Required:    true,
+							Sensitive:   true,
+							Description: `The tenant (directory) ID of the application with federated credentials.`,
+						},
+					},
+				},
+				Description: ` Workload Identity Details used to authenticate API requests to Azure.`,
+			},
 		},
 	}
 }
@@ -1131,6 +1166,30 @@ func resourceStorageTransferJobStateImporter(d *schema.ResourceData, meta interf
 	return []*schema.ResourceData{d}, nil
 }
 
+func expandAzureFederatedIdentifyConfig(federatedIdentifyConfig []interface{}) *storagetransfer.FederatedIdentityConfig {
+	if len(federatedIdentifyConfig) == 0 || federatedIdentifyConfig[0] == nil {
+		return nil
+	}
+
+	federatedIdentifyCfg := federatedIdentifyConfig[0].(map[string]interface{})
+	return &storagetransfer.FederatedIdentityConfig{
+		ClientId: federatedIdentifyCfg["client_id"].(string),
+		TenantId: federatedIdentifyCfg["tenant_id"].(string),
+	}
+}
+
+func flattenAzureFederatedIdentifyConfig(d *schema.ResourceData) []map[string]interface{} {
+	if (d.Get("transfer_spec.0.azure_blob_storage_data_source.0.federated_identity_config.0.client_id") == "") || (d.Get("transfer_spec.0.azure_blob_storage_data_source.0.federated_identity_config.0.tenant_id") == "") {
+		return []map[string]interface{}{}
+	}
+
+	data := map[string]interface{}{
+		"client_id": d.Get("transfer_spec.0.azure_blob_storage_data_source.0.federated_identity_config.0.client_id"),
+		"tenant_id": d.Get("transfer_spec.0.azure_blob_storage_data_source.0.federated_identity_config.0.tenant_id"),
+	}
+	return []map[string]interface{}{data}
+}
+
 func expandDates(dates []interface{}) *storagetransfer.Date {
 	if len(dates) == 0 || dates[0] == nil {
 		return nil
@@ -1430,6 +1489,10 @@ func expandAzureCredentials(azureCredentials []interface{}) *storagetransfer.Azu
 }
 
 func flattenAzureCredentials(d *schema.ResourceData) []map[string]interface{} {
+	if d.Get("transfer_spec.0.azure_blob_storage_data_source.0.azure_credentials.0.sas_token") == "" {
+		return []map[string]interface{}{}
+	}
+
 	data := map[string]interface{}{
 		"sas_token": d.Get("transfer_spec.0.azure_blob_storage_data_source.0.azure_credentials.0.sas_token"),
 	}
@@ -1445,19 +1508,23 @@ func expandAzureBlobStorageData(azureBlobStorageDatas []interface{}) *storagetra
 	azureBlobStorageData := azureBlobStorageDatas[0].(map[string]interface{})
 
 	return &storagetransfer.AzureBlobStorageData{
-		Container:        azureBlobStorageData["container"].(string),
-		Path:             azureBlobStorageData["path"].(string),
-		StorageAccount:   azureBlobStorageData["storage_account"].(string),
-		AzureCredentials: expandAzureCredentials(azureBlobStorageData["azure_credentials"].([]interface{})),
+		Container:               azureBlobStorageData["container"].(string),
+		Path:                    azureBlobStorageData["path"].(string),
+		StorageAccount:          azureBlobStorageData["storage_account"].(string),
+		AzureCredentials:        expandAzureCredentials(azureBlobStorageData["azure_credentials"].([]interface{})),
+		CredentialsSecret:       azureBlobStorageData["credentials_secret"].(string),
+		FederatedIdentityConfig: expandAzureFederatedIdentifyConfig(azureBlobStorageData["federated_identity_config"].([]interface{})),
 	}
 }
 
 func flattenAzureBlobStorageData(azureBlobStorageData *storagetransfer.AzureBlobStorageData, d *schema.ResourceData) []map[string]interface{} {
 	data := map[string]interface{}{
-		"container":         azureBlobStorageData.Container,
-		"path":              azureBlobStorageData.Path,
-		"storage_account":   azureBlobStorageData.StorageAccount,
-		"azure_credentials": flattenAzureCredentials(d),
+		"container":                 azureBlobStorageData.Container,
+		"path":                      azureBlobStorageData.Path,
+		"storage_account":           azureBlobStorageData.StorageAccount,
+		"azure_credentials":         flattenAzureCredentials(d),
+		"federated_identity_config": flattenAzureFederatedIdentifyConfig(d),
+		"credentials_secret":        azureBlobStorageData.CredentialsSecret,
 	}
 
 	return []map[string]interface{}{data}

google/services/storagetransfer/resource_storage_transfer_job_meta.yaml

@@ -51,6 +51,9 @@ fields:
   - field: 'transfer_spec.aws_s3_data_source.role_arn'
   - field: 'transfer_spec.azure_blob_storage_data_source.azure_credentials.sas_token'
   - field: 'transfer_spec.azure_blob_storage_data_source.container'
+  - field: 'transfer_spec.azure_blob_storage_data_source.credentials_secret'
+  - field: 'transfer_spec.azure_blob_storage_data_source.federated_identity_config.client_id'
+  - field: 'transfer_spec.azure_blob_storage_data_source.federated_identity_config.tenant_id'
   - field: 'transfer_spec.azure_blob_storage_data_source.path'
   - field: 'transfer_spec.azure_blob_storage_data_source.storage_account'
   - field: 'transfer_spec.gcs_data_sink.bucket_name'

website/docs/r/storage_transfer_job.html.markdown

@@ -296,14 +296,22 @@ The `aws_access_key` block supports:
 
 * `path` - (Required) Root path to transfer objects. Must be an empty string or full path name that ends with a '/'. This field is treated as an object prefix. As such, it should generally not begin with a '/'.
 
-* `credentials_secret` - (Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Full Resource name of a secret in Secret Manager containing [SAS Credentials in JSON form](https://cloud.google.com/storage-transfer/docs/reference/rest/v1/TransferSpec#azureblobstoragedata:~:text=begin%20with%20a%20%27/%27.-,credentialsSecret,-string). Service Agent for Storage Transfer must have permissions to access secret. If credentials_secret is specified, do not specify azure_credentials.`,
+* `credentials_secret` - (Optional, (https://terraform.io/docs/providers/google/guides/provider_versions.html)) Full Resource name of a secret in Secret Manager containing [SAS Credentials in JSON form](https://cloud.google.com/storage-transfer/docs/reference/rest/v1/TransferSpec#azureblobstoragedata:~:text=begin%20with%20a%20%27/%27.-,credentialsSecret,-string). Service Agent for Storage Transfer must have permissions to access secret. If credentials_secret is specified, do not specify azure_credentials.`,
 
-* `azure_credentials` - (Required in GA, Optional in [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html)) Credentials used to authenticate API requests to Azure block.
+* `azure_credentials` - (Optional, (https://terraform.io/docs/providers/google/guides/provider_versions.html)) Credentials used to authenticate API requests to Azure block.
+
+* `federated_identity_config` - (Optional) Federated identity config of a user registered Azure application. Structure [documented below](#nested_federated_identity_config).
 
 The `azure_credentials` block supports:
 
 * `sas_token` - (Required) Azure shared access signature. See [Grant limited access to Azure Storage resources using shared access signatures (SAS)](https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview).
 
+<a name="nested_federated_identity_config"></a>The `federated_identity_config` block supports:
+
+* `client_id` - (Required) The client (application) ID of the application with federated credentials.
+
+* `tenant_id` - (Required) The client (directory) ID of the application with federated credentials.
+
 <a name="nested_schedule_start_end_date"></a>The `schedule_start_date` and `schedule_end_date` blocks support:
 
 * `year` - (Required) Year of date. Must be from 1 to 9999.