feat: added oauth settings (#16446) (#26170)

[upstream:70e1ba4be092ed225bcec910f9df989bfa97c875]

Signed-off-by: Modular Magician <magic-modules@google.com>

Author: modular-magician

.changelog/16446.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+iap: added `client_id`, `client_secret`, and `client_secret_sha256` fields to `google_iap_settings` resource
+```

google/services/iap/resource_iap_settings.go

@@ -227,6 +227,17 @@ can be configured. The possible values are:
 							MaxItems:    1,
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
+									"client_id": {
+										Type:        schema.TypeString,
+										Optional:    true,
+										Description: `OAuth 2.0 client ID used in the OAuth flow to generate an access token. If this field is set, you can skip obtaining the OAuth credentials in this.`,
+									},
+									"client_secret": {
+										Type:        schema.TypeString,
+										Optional:    true,
+										Description: `OAuth secret paired with client ID.`,
+										Sensitive:   true,
+									},
 									"login_hint": {
 										Type:     schema.TypeString,
 										Optional: true,
@@ -245,6 +256,11 @@ since access behavior is managed by IAM policies.
 											Type: schema.TypeString,
 										},
 									},
+									"client_secret_sha256": {
+										Type:        schema.TypeString,
+										Computed:    true,
+										Description: `OAuth secret sha256 paired with client ID.`,
+									},
 								},
 							},
 						},
@@ -748,6 +764,12 @@ func flattenIapSettingsAccessSettingsOauthSettings(v interface{}, d *schema.Reso
 	transformed := make(map[string]interface{})
 	transformed["login_hint"] =
 		flattenIapSettingsAccessSettingsOauthSettingsLoginHint(original["loginHint"], d, config)
+	transformed["client_id"] =
+		flattenIapSettingsAccessSettingsOauthSettingsClientId(original["clientId"], d, config)
+	transformed["client_secret"] =
+		flattenIapSettingsAccessSettingsOauthSettingsClientSecret(original["clientSecret"], d, config)
+	transformed["client_secret_sha256"] =
+		flattenIapSettingsAccessSettingsOauthSettingsClientSecretSha256(original["clientSecretSha256"], d, config)
 	transformed["programmatic_clients"] =
 		flattenIapSettingsAccessSettingsOauthSettingsProgrammaticClients(original["programmaticClients"], d, config)
 	return []interface{}{transformed}
@@ -756,6 +778,18 @@ func flattenIapSettingsAccessSettingsOauthSettingsLoginHint(v interface{}, d *sc
 	return v
 }
 
+func flattenIapSettingsAccessSettingsOauthSettingsClientId(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
+func flattenIapSettingsAccessSettingsOauthSettingsClientSecret(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return d.Get("access_settings.0.oauth_settings.0.client_secret")
+}
+
+func flattenIapSettingsAccessSettingsOauthSettingsClientSecretSha256(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenIapSettingsAccessSettingsOauthSettingsProgrammaticClients(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -1112,6 +1146,27 @@ func expandIapSettingsAccessSettingsOauthSettings(v interface{}, d tpgresource.T
 		transformed["loginHint"] = transformedLoginHint
 	}
 
+	transformedClientId, err := expandIapSettingsAccessSettingsOauthSettingsClientId(original["client_id"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedClientId); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["clientId"] = transformedClientId
+	}
+
+	transformedClientSecret, err := expandIapSettingsAccessSettingsOauthSettingsClientSecret(original["client_secret"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedClientSecret); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["clientSecret"] = transformedClientSecret
+	}
+
+	transformedClientSecretSha256, err := expandIapSettingsAccessSettingsOauthSettingsClientSecretSha256(original["client_secret_sha256"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedClientSecretSha256); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["clientSecretSha256"] = transformedClientSecretSha256
+	}
+
 	transformedProgrammaticClients, err := expandIapSettingsAccessSettingsOauthSettingsProgrammaticClients(original["programmatic_clients"], d, config)
 	if err != nil {
 		return nil, err
@@ -1126,6 +1181,18 @@ func expandIapSettingsAccessSettingsOauthSettingsLoginHint(v interface{}, d tpgr
 	return v, nil
 }
 
+func expandIapSettingsAccessSettingsOauthSettingsClientId(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandIapSettingsAccessSettingsOauthSettingsClientSecret(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandIapSettingsAccessSettingsOauthSettingsClientSecretSha256(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandIapSettingsAccessSettingsOauthSettingsProgrammaticClients(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }

google/services/iap/resource_iap_settings_generated_meta.yaml

@@ -11,6 +11,9 @@ fields:
     - api_field: accessSettings.gcipSettings.loginPageUri
     - api_field: accessSettings.gcipSettings.tenantIds
     - api_field: accessSettings.identitySources
+    - api_field: accessSettings.oauthSettings.clientId
+    - api_field: accessSettings.oauthSettings.clientSecret
+    - api_field: accessSettings.oauthSettings.clientSecretSha256
     - api_field: accessSettings.oauthSettings.loginHint
     - api_field: accessSettings.oauthSettings.programmaticClients
     - api_field: accessSettings.reauthSettings.maxAge

google/services/iap/resource_iap_settings_generated_test.go

@@ -69,7 +69,7 @@ func TestAccIapSettings_iapSettingsBasicExample(t *testing.T) {
 				ResourceName:            "google_iap_settings.iap_settings",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"access_settings.0.workforce_identity_settings.0.oauth2.0.client_secret", "name"},
+				ImportStateVerifyIgnore: []string{"access_settings.0.oauth_settings.0.client_secret", "access_settings.0.workforce_identity_settings.0.oauth2.0.client_secret", "name"},
 			},
 		},
 	})
@@ -148,6 +148,66 @@ resource "google_iap_settings" "iap_settings" {
 `, context)
 }
 
+func TestAccIapSettings_iapSettingsOauthStorageExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckIapSettingsDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccIapSettings_iapSettingsOauthStorageExample(context),
+			},
+			{
+				ResourceName:            "google_iap_settings.iap_settings_oauth",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"access_settings.0.oauth_settings.0.client_secret", "access_settings.0.workforce_identity_settings.0.oauth2.0.client_secret", "name"},
+			},
+		},
+	})
+}
+
+func testAccIapSettings_iapSettingsOauthStorageExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+data "google_project" "project" {
+}
+
+resource "google_compute_region_backend_service" "default" {
+  name                            = "tf-test-iap-settings-oauth%{random_suffix}"
+  region                          = "us-central1"
+  health_checks                   = [google_compute_health_check.default.id]
+  connection_draining_timeout_sec = 10
+  session_affinity                = "CLIENT_IP"
+}
+
+resource "google_compute_health_check" "default" {
+  name               = "tf-test-iap-bs-health-check-oauth%{random_suffix}"
+  check_interval_sec = 1
+  timeout_sec        = 1
+
+  tcp_health_check {
+    port = "80"
+  }
+}
+
+resource "google_iap_settings" "iap_settings_oauth" {
+  name = "projects/${data.google_project.project.number}/iap_web/compute-us-central1/services/${google_compute_region_backend_service.default.name}"
+  access_settings {
+    oauth_settings {
+      client_id     = "test-client-id"
+      client_secret = "test-client-secret"
+    }
+  }
+}
+`, context)
+}
+
 func testAccCheckIapSettingsDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		for name, rs := range s.RootModule().Resources {

google/services/iap/resource_iap_settings_test.go

@@ -49,7 +49,7 @@ func TestAccIapSettings_update(t *testing.T) {
 				ResourceName:            "google_iap_settings.iap_settings",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"access_settings.0.workforce_identity_settings.0.oauth2.0.client_secret"},
+				ImportStateVerifyIgnore: []string{"access_settings.0.oauth_settings.0.client_secret", "access_settings.0.workforce_identity_settings.0.oauth2.0.client_secret"},
 			},
 			{
 				Config: testAccIapSettings_update(context),
@@ -58,7 +58,7 @@ func TestAccIapSettings_update(t *testing.T) {
 				ResourceName:            "google_iap_settings.iap_settings",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"access_settings.0.workforce_identity_settings.0.oauth2.0.client_secret"},
+				ImportStateVerifyIgnore: []string{"access_settings.0.oauth_settings.0.client_secret", "access_settings.0.workforce_identity_settings.0.oauth2.0.client_secret"},
 			},
 		},
 	})
@@ -195,3 +195,63 @@ resource "google_iap_settings" "iap_settings" {
 }
 `, context)
 }
+
+func TestAccIapSettings_iapSettingsOauthStorageBasic(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckIapSettingsDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccIapSettings_iapSettingsOauthStorageBasic(context),
+			},
+			{
+				ResourceName:            "google_iap_settings.iap_settings_oauth",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"access_settings.0.oauth_settings.0.client_secret", "access_settings.0.workforce_identity_settings.0.oauth2.0.client_secret", "name"},
+			},
+		},
+	})
+}
+
+func testAccIapSettings_iapSettingsOauthStorageBasic(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+data "google_project" "project" {
+}
+
+resource "google_compute_region_backend_service" "default" {
+  name                            = "tf-test-iap-settings-oauth%{random_suffix}"
+  region                          = "us-central1"
+  health_checks                   = [google_compute_health_check.default.id]
+  connection_draining_timeout_sec = 10
+  session_affinity                = "CLIENT_IP"
+}
+
+resource "google_compute_health_check" "default" {
+  name               = "tf-test-iap-bs-health-check-oauth%{random_suffix}"
+  check_interval_sec = 1
+  timeout_sec        = 1
+
+  tcp_health_check {
+    port = "80"
+  }
+}
+
+resource "google_iap_settings" "iap_settings_oauth" {
+  name = "projects/${data.google_project.project.number}/iap_web/compute-us-central1/services/${google_compute_region_backend_service.default.name}"
+  access_settings {
+    oauth_settings {
+      client_id     = "test-client-id"
+      client_secret = "test-client-secret"
+    }
+  }
+}
+`, context)
+}

website/docs/r/iap_settings.html.markdown

@@ -31,7 +31,7 @@ To get more information about Settings, see:
     * [Customizing IAP](https://cloud.google.com/iap/docs/customizing)
 
 ~> **Warning:** All arguments including the following potentially sensitive
-values will be stored in the raw state as plain text: `access_settings.workforce_identity_settings.oauth2.client_secret`.
+values will be stored in the raw state as plain text: `access_settings.oauth_settings.client_secret`, `access_settings.workforce_identity_settings.oauth2.client_secret`.
 [Read more about sensitive data in state](https://developer.hashicorp.com/terraform/language/manage-sensitive-data).
 
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
@@ -112,6 +112,46 @@ resource "google_iap_settings" "iap_settings" {
   }
 }
 ```
+<div class = "oics-button" style="float: right; margin: 0 0 -15px">
+  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=iap_settings_oauth_storage&open_in_editor=main.tf" target="_blank">
+    <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
+  </a>
+</div>
+## Example Usage - Iap Settings Oauth Storage
+
+
+```hcl
+data "google_project" "project" {
+}
+
+resource "google_compute_region_backend_service" "default" {
+  name                            = "iap-settings-oauth"
+  region                          = "us-central1"
+  health_checks                   = [google_compute_health_check.default.id]
+  connection_draining_timeout_sec = 10
+  session_affinity                = "CLIENT_IP"
+}
+
+resource "google_compute_health_check" "default" {
+  name               = "iap-bs-health-check-oauth"
+  check_interval_sec = 1
+  timeout_sec        = 1
+
+  tcp_health_check {
+    port = "80"
+  }
+}
+
+resource "google_iap_settings" "iap_settings_oauth" {
+  name = "projects/${data.google_project.project.number}/iap_web/compute-us-central1/services/${google_compute_region_backend_service.default.name}"
+  access_settings {
+    oauth_settings {
+      client_id     = "test-client-id"
+      client_secret = "test-client-secret"
+    }
+  }
+}
+```
 
 ## Argument Reference
 
@@ -223,6 +263,19 @@ The following arguments are supported:
   since access behavior is managed by IAM policies.
   * loginHint setting is not a replacement for access control. Always enforce an appropriate access policy if you want to restrict access to users outside your domain.
 
+* `client_id` -
+  (Optional)
+  OAuth 2.0 client ID used in the OAuth flow to generate an access token. If this field is set, you can skip obtaining the OAuth credentials in this.
+
+* `client_secret` -
+  (Optional)
+  OAuth secret paired with client ID.
+  **Note**: This property is sensitive and will not be displayed in the plan.
+
+* `client_secret_sha256` -
+  (Output)
+  OAuth secret sha256 paired with client ID.
+
 * `programmatic_clients` -
   (Optional)
   List of client ids allowed to use IAP programmatically.