Allow configuring Identity-Aware Proxy (IAP) customization settings

[tbcardoso]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

It would be useful to have a resource that configures the Identity-Aware Proxy (IAP) customization settings described in https://cloud.google.com/iap/docs/customizing.

For example, we need to let some IAP proxies pass through HTTP OPTIONS requests. For that, we need to set access_settings.cors_settings.allow_http_options to true.

New or Affected Resource(s)

• google_iap_settings (new resource)

Potential Terraform Configuration

resource "google_iap_settings" "allow_cors" {
  resource_type = "compute"
  service       = "google_compute_backend_service.istio_global_http_iap_bes.self_link"

  accessSettings {
    corsSettings {
      allowHttpOptions = true
    }
  }
}

Workaround

It's possible to workaround this limitation by using a null resource with a local-exec provisioner:

locals {
  iap_settings = <<-EOT
  accessSettings:
    corsSettings:
      allowHttpOptions: true
  EOT
}

resource "null_resource" "iap_settings" {
  triggers = {
    bes_iap_settings = local.bes_iap_settings
    project_id       = data.google_project.project.project_id
    bes_name         = google_compute_backend_service.bes.name
  }

  provisioner "local-exec" {
    command = <<-EOT
    echo '${local.bes_iap_settings}' | \
    gcloud iap settings set /dev/stdin \
      --project=${data.google_project.project.project_id} \
      --resource-type=compute \
      --service=${google_compute_backend_service.bes.name}
    EOT
  }
}

References

• b/194854185

b/305197972

[wvanderdeijl]

The resource documentation can be found at https://cloud.google.com/iap/docs/reference/rest/v1/IapSettings

We are mainly interested in the accessSettings.gcipSettings and not the accessSettings. corsSettings from this original request. But I hope all fields of IapSettings will be included if this resource is created

[dinvlad]

Any updates on this?

[sankit2020]

Please also add support for PolicyDelegationSettings.

This bug should be linked : https://b.corp.google.com/issues/195649321

[maucaro]

I am also interested, as @wvanderdeijl , in accessSettings.gcipSettings. Any updates?

[Ironlink]

I am interested in this. I would like to be able to set the default cookie domain for IAP at a project level.

[MattiasOlla]

We'd also be interested in this, especially allowed_domains_settings.

[markConklin]

plus 1. thank you.

[jacobshirley]

It's been nearly 4 years.. will this ever be added?

[radsec]

++