hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

google_compute_backend_service does not have Google generate OAuth ID and secret for IAP #19599

Open rafals26 opened 1 month ago

rafals26 commented 1 month ago

Terraform Version & Provider Version(s)

Terraform v1.9.1
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v6.4.0
+ provider registry.terraform.io/hashicorp/random v3.6.3

Affected Resource(s)

google_compute_backend_service

Terraform Configuration

resource "google_compute_backend_service" "iap-backend-service" {
  name                  = "${local.iap_name}-backend-service"
  load_balancing_scheme = "EXTERNAL_MANAGED"

  backend {
    group = google_compute_region_network_endpoint_group.iap-neg.id
  }
  iap {
    enabled = true
  }
}

Debug Output

No response

Expected Behavior

With IAP enabled, but OAuth ID and Secret not provided explicitly, I would expect them to be automatically configured by Google. This works fine when enabling IAP manually in Google Console (web browser) or via gcloud.

See Google managed OAuth client: https://cloud.google.com/iap/docs/custom-oauth-configuration#google_managed_oauth_client_and_custom_oauth_client_comparison

Actual Behavior

The IAP gets enabled, but does not work properly. An error "oauth client for this resource is misconfigured" is displayed in the Google Console (web browser). No OAuth 2.0 Client IDs get created. OAuth ID and Secret are empty in the Terraform state:

    {
      "module": "module.iap",
      "mode": "managed",
      "type": "google_compute_backend_service",
      "name": "iap-backend-service",
      "provider": "provider[\"registry.terraform.io/hashicorp/google\"]",
      "instances": [
        {
          "iap": [
            {
              "enabled": true,
              "oauth2_client_id": "",
              "oauth2_client_secret": "",
              "oauth2_client_secret_sha256": "redacted"
            }
          ]
        }
      ]
    }

Steps to reproduce

  1. terraform apply the code
  2. wait for Load Balancer and IAP to be enabled / created
  3. check IAP status - it will show error

Important Factoids

No response

References

The possibility of having IAP enabled, but OAuth parameters not being provided explicitly was added in version 6.0 of the provider. See https://github.com/hashicorp/terraform-provider-google/issues/16585 and https://github.com/hashicorp/terraform-provider-google/releases/tag/v6.0.0.

b/370538143

ggtisc commented 1 month ago

Hi @rafals26!

According to the Terraform registry documentation the oauth2 arguments are optional, and there is also a warning at top level saying:

All arguments including the following potentially sensitive values will be stored in the raw state as plain text: iap.oauth2_client_secret, iap.oauth2_client_secret_sha256, security_settings.aws_v4_authentication.access_key. [Read more about sensitive data in state](https://www.terraform.io/language/state/sensitive-data).

I suggest you follow this example to configure this feature, since if you just enable the IAP the OAuth values will be configured generically until the user configures them according to their needs.
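One way to provision the backend service together with a Terraform-managed OAuth client, as an added example rather than code from this thread or from the provider's own docs: google_iap_brand and google_iap_client are existing provider resources, while the project id, support email, names and the NEG reference are placeholders.

```hcl
# Added example (not from the thread): IAP backend with an explicit, Terraform-managed OAuth client.
# google_iap_brand / google_iap_client are provider resources; ids and names below are placeholders.

# OAuth consent screen ("brand") for the project. A project can hold only one brand and
# creating it requires the project to belong to an organization; import an existing brand otherwise.
resource "google_iap_brand" "iap" {
  support_email     = "iap-admin@example.com" # placeholder
  application_title = "Example IAP application"
  project           = "example-project-id"    # placeholder
}

# OAuth 2.0 client that IAP will use. Google generates the secret and the provider exposes it
# as a sensitive attribute; it is still written to state, so restrict access to the state backend.
resource "google_iap_client" "iap" {
  display_name = "Example IAP client"
  brand        = google_iap_brand.iap.name
}

resource "google_compute_backend_service" "iap-backend-service" {
  name                  = "example-backend-service" # placeholder
  load_balancing_scheme = "EXTERNAL_MANAGED"

  backend {
    # Serverless NEG defined elsewhere, as in the reporter's configuration.
    group = google_compute_region_network_endpoint_group.iap-neg.id
  }

  # Explicit credentials: the "Custom OAuth client" scenario from the screenshot in this thread.
  # Omitting oauth2_client_id/secret is the case the thread discusses (no client written to state).
  iap {
    enabled              = true
    oauth2_client_id     = google_iap_client.iap.client_id
    oauth2_client_secret = google_iap_client.iap.secret
  }
}

# Expose only the client id for operators; the secret stays out of outputs and logs.
output "iap_oauth2_client_id" {
  value = google_iap_client.iap.client_id
}
```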

rafals26 commented 1 month ago

Hey @ggtisc

I'm not very much worried about secrets being stored in Terraform state. I pasted the state output in the opening message and in the scenario I'm describing the secrets are simply not there. The only field that had some content (which I redacted) was oauth2_client_secret_sha256:

            "iap": [
              {
                "enabled": true,
                "oauth2_client_id": "",
                "oauth2_client_secret": "",
                "oauth2_client_secret_sha256": "redacted"
              }
            ]

> since if you just enable the iap the oauth values will be configured generically until the user configures them according to their needs.

If I understand you correctly, that's what I did:

resource "google_compute_backend_service" "iap-backend-service" {
  name                  = "${local.iap_name}-backend-service"
  load_balancing_scheme = "EXTERNAL_MANAGED"

  backend {
    group = google_compute_region_network_endpoint_group.iap-neg.id
  }
  iap {
    enabled = true
  }
}

With this configuration I expected IAP to get enabled and then for Google to automatically generate all keys necessary. That's how it works when you enable IAP in the Google Console (or via gcloud, so the API supports this scenario):

[screenshot: IAP OAuth client options in the Google Console, "Google managed OAuth client" vs "Custom OAuth client"]

What actually happened was that IAP was enabled, but there were no OAuth keys generated. It seems to me that the scenario the Terraform code follows is "Custom OAuth client" as per the screenshot above.

ggtisc commented 1 month ago

According to the documentation, since you are using Terraform you need to configure your own oauth2_client_id and oauth2_client_secret. But this could be an enhancement for future releases.

rafals26 commented 1 month ago

> But this could be an enhancement for future releases.

Personally I think it definitely should. I don't think there are that many use cases where one wants to enable IAP, but leave the OAuth keys empty.

Assuming Terraform wants to mimic the options shared on the screenshot above, I would say we have two main scenarios:

Additionally we could have a third scenario with IAP enabled, but empty keys provided (e.g. oauth2_client_id = ""); in such a case we could leave the actual output blank (the current behaviour even with no keys provided at all).

arnabadg-google commented 1 month ago

From the dev team:

When there is no oauth clientid/secret configured for IAP, IAP uses Google-Managed Oauth client as documented here: https://cloud.google.com/iap/docs/custom-oauth-configuration#google_managed_oauth_client_and_custom_oauth_client_comparison.

The functionality is WAI. The UI support is in the works. We will stop showing the error on the backends using Google-managed clients. We will update the documentation to include the error.

BBBmau commented 3 weeks ago

Note: when setting iap.enabled = true we are enabling IAP; however, this doesn't automatically configure the OAuth ID and secret. This should be updated in the Terraform documentation.

rafals26 commented 3 weeks ago

Honestly I would be in favour of changing how the feature works (so as to configure secrets automatically based on the Google-managed OAuth client) instead of just changing the docs.