Expose additional workforce identity attributes (#3717)
This commit is contained in:
Julio Castillo
@@ -841,7 +841,9 @@ module "org" {
|
||||
organization_id = var.organization_id
|
||||
workforce_identity_config = {
|
||||
# optional, defaults to 'default'
|
||||
pool_name = "test-pool"
|
||||
pool_name = "test-pool"
|
||||
display_name = "Test Pool"
|
||||
description = "Workforce pool for testing."
|
||||
providers = {
|
||||
saml-basic = {
|
||||
attribute_mapping_template = "azuread"
|
||||
@@ -959,7 +961,7 @@ module "org" {
|
||||
| [tag_bindings](variables-tags.tf#L89) | Tag bindings for this organization, in key => tag value id format. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [tags](variables-tags.tf#L96) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | <code title="map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) id = optional(string) values = optional(map(object({ description = optional(string, "Managed by the Terraform organization module.") iam = optional(map(list(string)), {}) iam_bindings = optional(map(object({ members = list(string) role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) iam_bindings_additive = optional(map(object({ member = string role = string condition = optional(object({ expression = string title = string description = optional(string) })) })), {}) id = optional(string) })), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tags_config](variables-tags.tf#L161) | Fine-grained control on tag resource and IAM creation. | <code title="object({ force_context_ids = optional(bool, false) ignore_iam = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [workforce_identity_config](variables-identity-providers.tf#L17) | Workforce Identity Federation pool and providers. | <code title="object({ pool_name = optional(string, "default") providers = optional(map(object({ description = optional(string) display_name = optional(string) attribute_condition = optional(string) attribute_mapping = optional(map(string), {}) attribute_mapping_template = optional(string) disabled = optional(bool, false) identity_provider = object({ oidc = optional(object({ issuer_uri = string client_id = string client_secret = optional(string) jwks_json = optional(string) web_sso_config = optional(object({ response_type = optional(string, "CODE") assertion_claims_behavior = optional(string, "ONLY_ID_TOKEN_CLAIMS") additional_scopes = optional(list(string)) })) })) saml = optional(object({ idp_metadata_xml = string })) }) oauth2_client_config = optional(object({ extended_attributes = optional(object({ issuer_uri = string client_id = string client_secret = string attributes_type = optional(string) query_filter = optional(string) })) extra_attributes = optional(object({ issuer_uri = string client_id = string client_secret = string attributes_type = optional(string) query_filter = optional(string) })) }), {}) })), {}) })">object({…})</code> | | <code>null</code> |
|
||||
| [workforce_identity_config](variables-identity-providers.tf#L17) | Workforce Identity Federation pool and providers. | <code title="object({ pool_name = optional(string, "default") description = optional(string) disabled = optional(bool) display_name = optional(string) session_duration = optional(string) access_restrictions = optional(object({ disable_programmatic_signin = optional(bool) allowed_services = optional(list(object({ domain = optional(string) }))) })) providers = optional(map(object({ description = optional(string) display_name = optional(string) attribute_condition = optional(string) attribute_mapping = optional(map(string), {}) attribute_mapping_template = optional(string) disabled = optional(bool, false) identity_provider = object({ oidc = optional(object({ issuer_uri = string client_id = string client_secret = optional(string) jwks_json = optional(string) web_sso_config = optional(object({ response_type = optional(string, "CODE") assertion_claims_behavior = optional(string, "ONLY_ID_TOKEN_CLAIMS") additional_scopes = optional(list(string)) })) })) saml = optional(object({ idp_metadata_xml = string })) }) oauth2_client_config = optional(object({ extended_attributes = optional(object({ issuer_uri = string client_id = string client_secret = string attributes_type = optional(string) query_filter = optional(string) })) extra_attributes = optional(object({ issuer_uri = string client_id = string client_secret = string attributes_type = optional(string) query_filter = optional(string) })) }), {}) })), {}) })">object({…})</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Copyright 2025 Google LLC
|
||||
* Copyright 2026 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -42,6 +42,22 @@ resource "google_iam_workforce_pool" "default" {
|
||||
parent = var.organization_id
|
||||
location = "global"
|
||||
workforce_pool_id = var.workforce_identity_config.pool_name
|
||||
description = var.workforce_identity_config.description
|
||||
disabled = var.workforce_identity_config.disabled
|
||||
display_name = var.workforce_identity_config.display_name
|
||||
session_duration = var.workforce_identity_config.session_duration
|
||||
dynamic "access_restrictions" {
|
||||
for_each = var.workforce_identity_config.access_restrictions != null ? [""] : []
|
||||
content {
|
||||
disable_programmatic_signin = var.workforce_identity_config.access_restrictions.disable_programmatic_signin
|
||||
dynamic "allowed_services" {
|
||||
for_each = coalesce(var.workforce_identity_config.access_restrictions.allowed_services, [])
|
||||
content {
|
||||
domain = allowed_services.value.domain
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_iam_workforce_pool_provider" "default" {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Copyright 2025 Google LLC
|
||||
* Copyright 2026 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -17,7 +17,17 @@
|
||||
variable "workforce_identity_config" {
|
||||
description = "Workforce Identity Federation pool and providers."
|
||||
type = object({
|
||||
pool_name = optional(string, "default")
|
||||
pool_name = optional(string, "default")
|
||||
description = optional(string)
|
||||
disabled = optional(bool)
|
||||
display_name = optional(string)
|
||||
session_duration = optional(string)
|
||||
access_restrictions = optional(object({
|
||||
disable_programmatic_signin = optional(bool)
|
||||
allowed_services = optional(list(object({
|
||||
domain = optional(string)
|
||||
})))
|
||||
}))
|
||||
providers = optional(map(object({
|
||||
description = optional(string)
|
||||
display_name = optional(string)
|
||||
|
||||
Reference in New Issue
Block a user