From 88ffe3d821b7f4fbfcd1e8dfc91a5722ddf2f645 Mon Sep 17 00:00:00 2001
From: Modular Magician
Date: Wed, 25 Mar 2026 22:40:03 +0000
Subject: [PATCH] Promote new fields in google_iam_workload_identity_pool to GA (#16809)

[upstream:29edb6e1ea810a8499fbaae104db0e84e74c2b14]

Signed-off-by: Modular Magician
---
 .../backing_file.tf | 15 ++++
 .../main.tf | 7 ++
 .../motd | 7 ++
 .../tutorial.md | 79 +++++++++++++++++++
 .../backing_file.tf | 15 ++++
 .../main.tf | 36 +++++++++
 .../motd | 7 ++
 .../tutorial.md | 79 +++++++++++++++++++
 .../backing_file.tf | 15 ++++
 .../main.tf | 33 ++++++++
 .../motd | 7 ++
 .../tutorial.md | 79 +++++++++++++++++++
 12 files changed, 379 insertions(+)
 create mode 100644 iam_workload_identity_pool_full_federation_only_mode/backing_file.tf
 create mode 100644 iam_workload_identity_pool_full_federation_only_mode/main.tf
 create mode 100644 iam_workload_identity_pool_full_federation_only_mode/motd
 create mode 100644 iam_workload_identity_pool_full_federation_only_mode/tutorial.md
 create mode 100644 iam_workload_identity_pool_full_trust_domain_mode/backing_file.tf
 create mode 100644 iam_workload_identity_pool_full_trust_domain_mode/main.tf
 create mode 100644 iam_workload_identity_pool_full_trust_domain_mode/motd
 create mode 100644 iam_workload_identity_pool_full_trust_domain_mode/tutorial.md
 create mode 100644 iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca/backing_file.tf
 create mode 100644 iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca/main.tf
 create mode 100644 iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca/motd
 create mode 100644 iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca/tutorial.md

diff --git a/iam_workload_identity_pool_full_federation_only_mode/backing_file.tf b/iam_workload_identity_pool_full_federation_only_mode/backing_file.tf
new file mode 100644
index 00000000..c60b1199
--- /dev/null
+++ b/iam_workload_identity_pool_full_federation_only_mode/backing_file.tf
@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+  name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+  length = 2
+}
+
+provider "google" {
+  region = "us-central1"
+  zone = "us-central1-c"
+}
diff --git a/iam_workload_identity_pool_full_federation_only_mode/main.tf b/iam_workload_identity_pool_full_federation_only_mode/main.tf
new file mode 100644
index 00000000..bc77cecc
--- /dev/null
+++ b/iam_workload_identity_pool_full_federation_only_mode/main.tf
@@ -0,0 +1,7 @@
+resource "google_iam_workload_identity_pool" "example" {
+  workload_identity_pool_id = "example-pool-${local.name_suffix}"
+  display_name = "Name of the pool"
+  description = "Identity pool operates in FEDERATION_ONLY mode"
+  disabled = true
+  mode = "FEDERATION_ONLY"
+}
diff --git a/iam_workload_identity_pool_full_federation_only_mode/motd b/iam_workload_identity_pool_full_federation_only_mode/motd
new file mode 100644
index 00000000..45a906e8
--- /dev/null
+++ b/iam_workload_identity_pool_full_federation_only_mode/motd
@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===
diff --git a/iam_workload_identity_pool_full_federation_only_mode/tutorial.md b/iam_workload_identity_pool_full_federation_only_mode/tutorial.md
new file mode 100644
index 00000000..9d9d6b52
--- /dev/null
+++ b/iam_workload_identity_pool_full_federation_only_mode/tutorial.md
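Review bot: `disabled = true` on the example pool in main.tf is left unexplained, so a reader who copies this block into a real configuration gets a pool that cannot be used for token exchange and has no hint why. The same unexplained attribute appears in the other two main.tf hunks of this commit. Suggest a comment directly above it, `# kept disabled so the example pool cannot be used for token exchange; set to false for a working pool`, so the intent of the example is visible next to the setting that matters for whether any federated identity can actually be obtained.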
@@ -0,0 +1,79 @@
+# Iam Workload Identity Pool Full Federation Only Mode - Terraform
+
+## Setup
+
+
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```
diff --git a/iam_workload_identity_pool_full_trust_domain_mode/backing_file.tf b/iam_workload_identity_pool_full_trust_domain_mode/backing_file.tf
new file mode 100644
index 00000000..c60b1199
--- /dev/null
+++ b/iam_workload_identity_pool_full_trust_domain_mode/backing_file.tf
@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+  name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+  length = 2
+}
+
+provider "google" {
+  region = "us-central1"
+  zone = "us-central1-c"
+}
diff --git a/iam_workload_identity_pool_full_trust_domain_mode/main.tf b/iam_workload_identity_pool_full_trust_domain_mode/main.tf
new file mode 100644
index 00000000..55d4a4c1
--- /dev/null
+++ b/iam_workload_identity_pool_full_trust_domain_mode/main.tf
@@ -0,0 +1,36 @@
+resource "google_iam_workload_identity_pool" "example" {
+  workload_identity_pool_id = "example-pool-${local.name_suffix}"
+  display_name = "Name of the pool"
+  description = "Identity pool operates in TRUST_DOMAIN mode"
+  disabled = true
+  mode = "TRUST_DOMAIN"
+  inline_certificate_issuance_config {
+    ca_pools = {
+      "us-central1" : "projects/project-bar/locations/us-central1/caPools/ca-pool-bar"
+      "asia-east2" : "projects/project-foo/locations/asia-east2/caPools/ca-pool-foo"
+    }
+    lifetime = "86400s"
+    rotation_window_percentage = 50
+    key_algorithm = "ECDSA_P256"
+  }
+  inline_trust_config {
+    additional_trust_bundles {
+      trust_domain = "example.com"
+      trust_anchors {
+        pem_certificate = file("test-fixtures/trust_anchor_1.pem")
+      }
+      trust_anchors {
+        pem_certificate = file("test-fixtures/trust_anchor_2.pem")
+      }
+    }
+    additional_trust_bundles {
+      trust_domain = "example.net"
+      trust_anchors {
+        pem_certificate = file("test-fixtures/trust_anchor_3.pem")
+      }
+      trust_anchors {
+        pem_certificate = file("test-fixtures/trust_anchor_4.pem")
+      }
+    }
+  }
+}
diff --git a/iam_workload_identity_pool_full_trust_domain_mode/motd b/iam_workload_identity_pool_full_trust_domain_mode/motd
new file mode 100644
index 00000000..45a906e8
--- /dev/null
+++ b/iam_workload_identity_pool_full_trust_domain_mode/motd
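Review bot: The four `file("test-fixtures/trust_anchor_N.pem")` calls in inline_trust_config of main.tf read files this commit does not add — the diffstat lists only backing_file.tf, main.tf, motd and tutorial.md for this example — so the `terraform apply` step in the accompanying tutorial fails at plan time with a file-not-found error before anything is created. The same gap exists in the `iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca/main.tf` hunk. Either ship the PEM fixtures with the example or make the placeholder explicit, e.g. `pem_certificate = file(var.trust_anchor_pem) # PEM of a CA you control; it becomes a trust root for trust_domain`, since each pem_certificate is what the pool will accept as the root for the named trust_domain and the reader should not be left guessing what belongs there. The `ca_pools` entries referencing `project-bar` and `project-foo` are likewise placeholders a reader must replace, and a one-line comment saying so would save a failed apply.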
@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===
diff --git a/iam_workload_identity_pool_full_trust_domain_mode/tutorial.md b/iam_workload_identity_pool_full_trust_domain_mode/tutorial.md
new file mode 100644
index 00000000..00f5bb17
--- /dev/null
+++ b/iam_workload_identity_pool_full_trust_domain_mode/tutorial.md
@@ -0,0 +1,79 @@
+# Iam Workload Identity Pool Full Trust Domain Mode - Terraform
+
+## Setup
+
+
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```
diff --git a/iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca/backing_file.tf b/iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca/backing_file.tf
new file mode 100644
index 00000000..c60b1199
--- /dev/null
+++ b/iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca/backing_file.tf
@@ -0,0 +1,15 @@
+# This file has some scaffolding to make sure that names are unique and that
+# a region and zone are selected when you try to create your Terraform resources.
+
+locals {
+  name_suffix = "${random_pet.suffix.id}"
+}
+
+resource "random_pet" "suffix" {
+  length = 2
+}
+
+provider "google" {
+  region = "us-central1"
+  zone = "us-central1-c"
+}
diff --git a/iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca/main.tf b/iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca/main.tf
new file mode 100644
index 00000000..369cdfce
--- /dev/null
+++ b/iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca/main.tf
@@ -0,0 +1,33 @@
+resource "google_iam_workload_identity_pool" "example" {
+  workload_identity_pool_id = "example-pool-${local.name_suffix}"
+  display_name = "Name of the pool"
+  description = "Identity pool operates in TRUST_DOMAIN mode"
+  disabled = true
+  mode = "TRUST_DOMAIN"
+  inline_certificate_issuance_config {
+    use_default_shared_ca = true
+    lifetime = "86400s"
+    rotation_window_percentage = 50
+    key_algorithm = "ECDSA_P256"
+  }
+  inline_trust_config {
+    additional_trust_bundles {
+      trust_domain = "example.com"
+      trust_anchors {
+        pem_certificate = file("test-fixtures/trust_anchor_1.pem")
+      }
+      trust_anchors {
+        pem_certificate = file("test-fixtures/trust_anchor_2.pem")
+      }
+    }
+    additional_trust_bundles {
+      trust_domain = "example.net"
+      trust_anchors {
+        pem_certificate = file("test-fixtures/trust_anchor_3.pem")
+      }
+      trust_anchors {
+        pem_certificate = file("test-fixtures/trust_anchor_4.pem")
+      }
+    }
+  }
+}
diff --git a/iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca/motd b/iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca/motd
new file mode 100644
index 00000000..45a906e8
--- /dev/null
+++ b/iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca/motd
@@ -0,0 +1,7 @@
+===
+
+These examples use real resources that will be billed to the
+Google Cloud Platform project you use - so make sure that you
+run "terraform destroy" before quitting!
+
+===
diff --git a/iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca/tutorial.md b/iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca/tutorial.md
new file mode 100644
index 00000000..8dd33faf
--- /dev/null
+++ b/iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca/tutorial.md
@@ -0,0 +1,79 @@
+# Iam Workload Identity Pool Full Trust Domain Mode With Default Shared Ca - Terraform
+
+## Setup
+
+
+
+Welcome to Terraform in Google Cloud Shell! We need you to let us know what project you'd like to use with Terraform.
+
+
+
+Terraform provisions real GCP resources, so anything you create in this session will be billed against this project.
+
+## Terraforming!
+
+Let's use {{project-id}} with Terraform! Click the Cloud Shell icon below to copy the command
+to your shell, and then run it from the shell by pressing Enter/Return. Terraform will pick up
+the project name from the environment variable.
+
+```bash
+export GOOGLE_CLOUD_PROJECT={{project-id}}
+```
+
+After that, let's get Terraform started. Run the following to pull in the providers.
+
+```bash
+terraform init
+```
+
+With the providers downloaded and a project set, you're ready to use Terraform. Go ahead!
+
+```bash
+terraform apply
+```
+
+Terraform will show you what it plans to do, and prompt you to accept. Type "yes" to accept the plan.
+
+```bash
+yes
+```
+
+
+## Post-Apply
+
+### Editing your config
+
+Now you've provisioned your resources in GCP! If you run a "plan", you should see no changes needed.
+
+```bash
+terraform plan
+```
+
+So let's make a change! Try editing a number, or appending a value to the name in the editor. Then,
+run a 'plan' again.
+
+```bash
+terraform plan
+```
+
+Afterwards you can run an apply, which implicitly does a plan and shows you the intended changes
+at the 'yes' prompt.
+
+```bash
+terraform apply
+```
+
+```bash
+yes
+```
+
+## Cleanup
+
+Run the following to remove the resources Terraform provisioned:
+
+```bash
+terraform destroy
+```
+```bash
+yes
+```