feat: added oauth settings (#16446) (#26170)
[upstream:70e1ba4be092ed225bcec910f9df989bfa97c875] Signed-off-by: Modular Magician <magic-modules@google.com>
1 parent 9b4fcd9 commit f7f52fc

6 files changed

+250
-4
lines changed


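--- a/.changelog/16446.txt
+++ b/.changelog/16446.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+iap: added `client_id`, `client_secret`, and `client_secret_sha256` fields to `google_iap_settings` resource
+```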

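--- a/google/services/iap/resource_iap_settings.go
+++ b/google/services/iap/resource_iap_settings.go
@@ -227,6 +227,17 @@ can be configured. The possible values are:
 MaxItems: 1,
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
+"client_id": {
+Type: schema.TypeString,
+Optional: true,
+Description: `OAuth 2.0 client ID used in the OAuth flow to generate an access token. If this field is set, you can skip obtaining the OAuth credentials in this.`,
+},
+"client_secret": {
+Type: schema.TypeString,
+Optional: true,
+Description: `OAuth secret paired with client ID.`,
+Sensitive: true,
+},
 "login_hint": {
 Type: schema.TypeString,
 Optional: true,
@@ -245,6 +256,11 @@ since access behavior is managed by IAM policies.
 Type: schema.TypeString,
 },
 },
+"client_secret_sha256": {
+Type: schema.TypeString,
+Computed: true,
+Description: `OAuth secret sha256 paired with client ID.`,
+},
 },
 },
 },
@@ -748,6 +764,12 @@ func flattenIapSettingsAccessSettingsOauthSettings(v interface{}, d *schema.Reso
 transformed := make(map[string]interface{})
 transformed["login_hint"] =
 flattenIapSettingsAccessSettingsOauthSettingsLoginHint(original["loginHint"], d, config)
+transformed["client_id"] =
+flattenIapSettingsAccessSettingsOauthSettingsClientId(original["clientId"], d, config)
+transformed["client_secret"] =
+flattenIapSettingsAccessSettingsOauthSettingsClientSecret(original["clientSecret"], d, config)
+transformed["client_secret_sha256"] =
+flattenIapSettingsAccessSettingsOauthSettingsClientSecretSha256(original["clientSecretSha256"], d, config)
 transformed["programmatic_clients"] =
 flattenIapSettingsAccessSettingsOauthSettingsProgrammaticClients(original["programmaticClients"], d, config)
 return []interface{}{transformed}
@@ -756,6 +778,18 @@ func flattenIapSettingsAccessSettingsOauthSettingsLoginHint(v interface{}, d *sc
 return v
 }
 
+func flattenIapSettingsAccessSettingsOauthSettingsClientId(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+return v
+}
+
+func flattenIapSettingsAccessSettingsOauthSettingsClientSecret(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+return d.Get("access_settings.0.oauth_settings.0.client_secret")
+}
+
+func flattenIapSettingsAccessSettingsOauthSettingsClientSecretSha256(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+return v
+}
+
 func flattenIapSettingsAccessSettingsOauthSettingsProgrammaticClients(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 return v
 }
@@ -1112,6 +1146,27 @@ func expandIapSettingsAccessSettingsOauthSettings(v interface{}, d tpgresource.T
 transformed["loginHint"] = transformedLoginHint
 }
 
+transformedClientId, err := expandIapSettingsAccessSettingsOauthSettingsClientId(original["client_id"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedClientId); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+transformed["clientId"] = transformedClientId
+}
+
+transformedClientSecret, err := expandIapSettingsAccessSettingsOauthSettingsClientSecret(original["client_secret"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedClientSecret); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+transformed["clientSecret"] = transformedClientSecret
+}
+
+transformedClientSecretSha256, err := expandIapSettingsAccessSettingsOauthSettingsClientSecretSha256(original["client_secret_sha256"], d, config)
+if err != nil {
+return nil, err
+} else if val := reflect.ValueOf(transformedClientSecretSha256); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+transformed["clientSecretSha256"] = transformedClientSecretSha256
+}
+
 transformedProgrammaticClients, err := expandIapSettingsAccessSettingsOauthSettingsProgrammaticClients(original["programmatic_clients"], d, config)
 if err != nil {
 return nil, err
@@ -1126,6 +1181,18 @@ func expandIapSettingsAccessSettingsOauthSettingsLoginHint(v interface{}, d tpgr
 return v, nil
 }
 
+func expandIapSettingsAccessSettingsOauthSettingsClientId(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+return v, nil
+}
+
+func expandIapSettingsAccessSettingsOauthSettingsClientSecret(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+return v, nil
+}
+
+func expandIapSettingsAccessSettingsOauthSettingsClientSecretSha256(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+return v, nil
+}
+
 func expandIapSettingsAccessSettingsOauthSettingsProgrammaticClients(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 return v, nil
 }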
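Review bot: `flattenIapSettingsAccessSettingsOauthSettingsClientSecret` echoes the prior state value via `d.Get(...)` instead of the API response, so a client secret rotated outside Terraform is never detected even though the API hands back `clientSecretSha256` into the new Computed field. A `CustomizeDiff` on the resource that hashes the configured `client_secret` and compares it with the stored `client_secret_sha256` when both are non-empty (in whatever digest encoding the API uses — confirm against a live response) would surface that drift and force the secret to be re-sent; the resource-level schema where that hook belongs is outside this hunk. Separately, the expander for `client_secret_sha256` forwards a Computed, output-only value back in the request body on every update, and the enclosing `expandIapSettingsAccessSettingsOauthSettings` starts outside the hunk; unless the API is known to accept that field on write, drop the `transformedClientSecretSha256` block so a stale digest is never sent. The `client_id` description also trails off mid-sentence (`...you can skip obtaining the OAuth credentials in this.`); either finish the thought or trim it to `OAuth 2.0 client ID used in the OAuth flow to generate an access token.`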

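--- a/google/services/iap/resource_iap_settings_generated_meta.yaml
+++ b/google/services/iap/resource_iap_settings_generated_meta.yaml
@@ -11,6 +11,9 @@ fields:
 - api_field: accessSettings.gcipSettings.loginPageUri
 - api_field: accessSettings.gcipSettings.tenantIds
 - api_field: accessSettings.identitySources
+- api_field: accessSettings.oauthSettings.clientId
+- api_field: accessSettings.oauthSettings.clientSecret
+- api_field: accessSettings.oauthSettings.clientSecretSha256
 - api_field: accessSettings.oauthSettings.loginHint
 - api_field: accessSettings.oauthSettings.programmaticClients
 - api_field: accessSettings.reauthSettings.maxAge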

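--- a/google/services/iap/resource_iap_settings_generated_test.go
+++ b/google/services/iap/resource_iap_settings_generated_test.go
@@ -69,7 +69,7 @@ func TestAccIapSettings_iapSettingsBasicExample(t *testing.T) {
 ResourceName: "google_iap_settings.iap_settings",
 ImportState: true,
 ImportStateVerify: true,
-ImportStateVerifyIgnore: []string{"access_settings.0.workforce_identity_settings.0.oauth2.0.client_secret", "name"},
+ImportStateVerifyIgnore: []string{"access_settings.0.oauth_settings.0.client_secret", "access_settings.0.workforce_identity_settings.0.oauth2.0.client_secret", "name"},
 },
 },
 })
@@ -148,6 +148,66 @@ resource "google_iap_settings" "iap_settings" {
 `, context)
 }
 
+func TestAccIapSettings_iapSettingsOauthStorageExample(t *testing.T) {
+t.Parallel()
+
+context := map[string]interface{}{
+"random_suffix": acctest.RandString(t, 10),
+}
+
+acctest.VcrTest(t, resource.TestCase{
+PreCheck: func() { acctest.AccTestPreCheck(t) },
+ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+CheckDestroy: testAccCheckIapSettingsDestroyProducer(t),
+Steps: []resource.TestStep{
+{
+Config: testAccIapSettings_iapSettingsOauthStorageExample(context),
+},
+{
+ResourceName: "google_iap_settings.iap_settings_oauth",
+ImportState: true,
+ImportStateVerify: true,
+ImportStateVerifyIgnore: []string{"access_settings.0.oauth_settings.0.client_secret", "access_settings.0.workforce_identity_settings.0.oauth2.0.client_secret", "name"},
+},
+},
+})
+}
+
+func testAccIapSettings_iapSettingsOauthStorageExample(context map[string]interface{}) string {
+return acctest.Nprintf(`
+data "google_project" "project" {
+}
+
+resource "google_compute_region_backend_service" "default" {
+name = "tf-test-iap-settings-oauth%{random_suffix}"
+region = "us-central1"
+health_checks = [google_compute_health_check.default.id]
+connection_draining_timeout_sec = 10
+session_affinity = "CLIENT_IP"
+}
+
+resource "google_compute_health_check" "default" {
+name = "tf-test-iap-bs-health-check-oauth%{random_suffix}"
+check_interval_sec = 1
+timeout_sec = 1
+
+tcp_health_check {
+port = "80"
+}
+}
+
+resource "google_iap_settings" "iap_settings_oauth" {
+name = "projects/${data.google_project.project.number}/iap_web/compute-us-central1/services/${google_compute_region_backend_service.default.name}"
+access_settings {
+oauth_settings {
+client_id = "test-client-id"
+client_secret = "test-client-secret"
+}
+}
+}
+`, context)
+}
+
 func testAccCheckIapSettingsDestroyProducer(t *testing.T) func(s *terraform.State) error {
 return func(s *terraform.State) error {
 for name, rs := range s.RootModule().Resources {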

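--- a/google/services/iap/resource_iap_settings_test.go
+++ b/google/services/iap/resource_iap_settings_test.go
@@ -49,7 +49,7 @@ func TestAccIapSettings_update(t *testing.T) {
 ResourceName: "google_iap_settings.iap_settings",
 ImportState: true,
 ImportStateVerify: true,
-ImportStateVerifyIgnore: []string{"access_settings.0.workforce_identity_settings.0.oauth2.0.client_secret"},
+ImportStateVerifyIgnore: []string{"access_settings.0.oauth_settings.0.client_secret", "access_settings.0.workforce_identity_settings.0.oauth2.0.client_secret"},
 },
 {
 Config: testAccIapSettings_update(context),
@@ -58,7 +58,7 @@ func TestAccIapSettings_update(t *testing.T) {
 ResourceName: "google_iap_settings.iap_settings",
 ImportState: true,
 ImportStateVerify: true,
-ImportStateVerifyIgnore: []string{"access_settings.0.workforce_identity_settings.0.oauth2.0.client_secret"},
+ImportStateVerifyIgnore: []string{"access_settings.0.oauth_settings.0.client_secret", "access_settings.0.workforce_identity_settings.0.oauth2.0.client_secret"},
 },
 },
 })
@@ -195,3 +195,63 @@ resource "google_iap_settings" "iap_settings" {
 }
 `, context)
 }
+
+func TestAccIapSettings_iapSettingsOauthStorageBasic(t *testing.T) {
+t.Parallel()
+
+context := map[string]interface{}{
+"random_suffix": acctest.RandString(t, 10),
+}
+
+acctest.VcrTest(t, resource.TestCase{
+PreCheck: func() { acctest.AccTestPreCheck(t) },
+ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+CheckDestroy: testAccCheckIapSettingsDestroyProducer(t),
+Steps: []resource.TestStep{
+{
+Config: testAccIapSettings_iapSettingsOauthStorageBasic(context),
+},
+{
+ResourceName: "google_iap_settings.iap_settings_oauth",
+ImportState: true,
+ImportStateVerify: true,
+ImportStateVerifyIgnore: []string{"access_settings.0.oauth_settings.0.client_secret", "access_settings.0.workforce_identity_settings.0.oauth2.0.client_secret", "name"},
+},
+},
+})
+}
+
+func testAccIapSettings_iapSettingsOauthStorageBasic(context map[string]interface{}) string {
+return acctest.Nprintf(`
+data "google_project" "project" {
+}
+
+resource "google_compute_region_backend_service" "default" {
+name = "tf-test-iap-settings-oauth%{random_suffix}"
+region = "us-central1"
+health_checks = [google_compute_health_check.default.id]
+connection_draining_timeout_sec = 10
+session_affinity = "CLIENT_IP"
+}
+
+resource "google_compute_health_check" "default" {
+name = "tf-test-iap-bs-health-check-oauth%{random_suffix}"
+check_interval_sec = 1
+timeout_sec = 1
+
+tcp_health_check {
+port = "80"
+}
+}
+
+resource "google_iap_settings" "iap_settings_oauth" {
+name = "projects/${data.google_project.project.number}/iap_web/compute-us-central1/services/${google_compute_region_backend_service.default.name}"
+access_settings {
+oauth_settings {
+client_id = "test-client-id"
+client_secret = "test-client-secret"
+}
+}
+}
+`, context)
+}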
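Review bot: `TestAccIapSettings_iapSettingsOauthStorageBasic` is a line-for-line copy of the generated `TestAccIapSettings_iapSettingsOauthStorageExample` and, because the import step ignores `access_settings.0.oauth_settings.0.client_secret`, nothing in either test asserts that the secret actually reached the API. Add a check on the first step that the Computed digest is populated, `Check: resource.TestCheckResourceAttrSet("google_iap_settings.iap_settings_oauth", "access_settings.0.oauth_settings.0.client_secret_sha256"),` and a second config step that rotates `client_secret` so the update path is exercised and the digest is seen to change. Whether the API returns `clientSecretSha256` for a placeholder `test-client-id` is not visible here, so confirm with a live run before gating the test on it.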

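--- a/website/docs/r/iap_settings.html.markdown
+++ b/website/docs/r/iap_settings.html.markdown
@@ -31,7 +31,7 @@ To get more information about Settings, see:
 * [Customizing IAP](https://cloud.google.com/iap/docs/customizing)
 
 ~> **Warning:** All arguments including the following potentially sensitive
-values will be stored in the raw state as plain text: `access_settings.workforce_identity_settings.oauth2.client_secret`.
+values will be stored in the raw state as plain text: `access_settings.oauth_settings.client_secret`, `access_settings.workforce_identity_settings.oauth2.client_secret`.
 [Read more about sensitive data in state](https://developer.hashicorp.com/terraform/language/manage-sensitive-data).
 
 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
@@ -112,6 +112,46 @@ resource "google_iap_settings" "iap_settings" {
 }
 }
 ```
+<div class = "oics-button" style="float: right; margin: 0 0 -15px">
+<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md&cloudshell_working_dir=iap_settings_oauth_storage&open_in_editor=main.tf" target="_blank">
+<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
+</a>
+</div>
+## Example Usage - Iap Settings Oauth Storage
+
+
+```hcl
+data "google_project" "project" {
+}
+
+resource "google_compute_region_backend_service" "default" {
+name = "iap-settings-oauth"
+region = "us-central1"
+health_checks = [google_compute_health_check.default.id]
+connection_draining_timeout_sec = 10
+session_affinity = "CLIENT_IP"
+}
+
+resource "google_compute_health_check" "default" {
+name = "iap-bs-health-check-oauth"
+check_interval_sec = 1
+timeout_sec = 1
+
+tcp_health_check {
+port = "80"
+}
+}
+
+resource "google_iap_settings" "iap_settings_oauth" {
+name = "projects/${data.google_project.project.number}/iap_web/compute-us-central1/services/${google_compute_region_backend_service.default.name}"
+access_settings {
+oauth_settings {
+client_id = "test-client-id"
+client_secret = "test-client-secret"
+}
+}
+}
+```
 
 ## Argument Reference
 
@@ -223,6 +263,19 @@ The following arguments are supported:
 since access behavior is managed by IAM policies.
 * loginHint setting is not a replacement for access control. Always enforce an appropriate access policy if you want to restrict access to users outside your domain.
 
+* `client_id` -
+(Optional)
+OAuth 2.0 client ID used in the OAuth flow to generate an access token. If this field is set, you can skip obtaining the OAuth credentials in this.
+
+* `client_secret` -
+(Optional)
+OAuth secret paired with client ID.
+**Note**: This property is sensitive and will not be displayed in the plan.
+
+* `client_secret_sha256` -
+(Output)
+OAuth secret sha256 paired with client ID.
+
 * `programmatic_clients` -
 (Optional)
 List of client ids allowed to use IAP programmatically.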
