request: IAM Workload Identity Federation resources

[wvanderdeijl]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

In September 2020 GCP introduced Workload identity federation that allows external workloads to use AWS, Azure or OIDC credentials to get a Google Cloud accessToken without using a service account key. This is a very important feature for multi-cloud workloads and it would be great if we can use Terraform to provision 'WorkloadIdentityPools' and 'WorkloadIdentityPoolProviders'

New or Affected Resource(s)

I would expect new resources/data sources for:

• google_project_workload_identity_pool
• google_project_workload_identity_pool_provider although the arguments are different for the two types of providers, so perhaps it is easier to split this into two resources: google_project_workload_identity_pool_provider_aws and google_project_workload_identity_pool_provider_oidc

A pools and providers are created/changed async, so they return an Operation that we need to poll, which is similar to many other google cloud resources.

References

• API reference is at https://cloud.google.com/iam/docs/reference/rest/v1beta/projects.locations.workloadIdentityPools and https://cloud.google.com/iam/docs/reference/rest/v1beta/projects.locations.workloadIdentityPools.providers
• Discovery document at https://iam.googleapis.com/$discovery/rest?version=v1beta

[joe-a-t]

@rileykarson I think this should be left open until WorkloadIdentityPoolProviders is also created since both are in the criteria and description of the issue?

[rileykarson]

Yep- whoops! Over-aggressive Fixes statement 🙂

Thanks!

[wvanderdeijl]

Now that the first data source is merged, I’ll create the second data source which should complete this issue.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!