feat: add data_source_google_service_account_jwt (#6239) (#12107)

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/6239.txt

@@ -0,0 +1,3 @@
+```release-note:new-datasource
+`google_service_account_jwt`
+```

google/data_source_google_service_account_jwt.go

@@ -0,0 +1,74 @@
+package google
+
+import (
+	"fmt"
+	"strings"
+
+	iamcredentials "google.golang.org/api/iamcredentials/v1"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataSourceGoogleServiceAccountJwt() *schema.Resource {
+	return &schema.Resource{
+		Read: dataSourceGoogleServiceAccountJwtRead,
+		Schema: map[string]*schema.Schema{
+			"payload": {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: `A JSON-encoded JWT claims set that will be included in the signed JWT.`,
+			},
+			"target_service_account": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ValidateFunc: validateRegexp("(" + strings.Join(PossibleServiceAccountNames, "|") + ")"),
+			},
+			"delegates": {
+				Type:     schema.TypeSet,
+				Optional: true,
+				Elem: &schema.Schema{
+					Type:         schema.TypeString,
+					ValidateFunc: validateRegexp(ServiceAccountLinkRegex),
+				},
+			},
+			"jwt": {
+				Type:      schema.TypeString,
+				Sensitive: true,
+				Computed:  true,
+			},
+		},
+	}
+}
+
+func dataSourceGoogleServiceAccountJwtRead(d *schema.ResourceData, meta interface{}) error {
+	config := meta.(*Config)
+
+	userAgent, err := generateUserAgentString(d, config.userAgent)
+
+	if err != nil {
+		return err
+	}
+
+	name := fmt.Sprintf("projects/-/serviceAccounts/%s", d.Get("target_service_account").(string))
+
+	jwtRequest := &iamcredentials.SignJwtRequest{
+		Payload:   d.Get("payload").(string),
+		Delegates: convertStringSet(d.Get("delegates").(*schema.Set)),
+	}
+
+	service := config.NewIamCredentialsClient(userAgent)
+
+	jwtResponse, err := service.Projects.ServiceAccounts.SignJwt(name, jwtRequest).Do()
+
+	if err != nil {
+		return fmt.Errorf("error calling iamcredentials.SignJwt: %w", err)
+	}
+
+	d.SetId(name)
+
+	if err := d.Set("jwt", jwtResponse.SignedJwt); err != nil {
+		return fmt.Errorf("error setting jwt attribute: %w", err)
+	}
+
+	return nil
+}

google/data_source_google_service_account_jwt_test.go

@@ -0,0 +1,120 @@
+package google
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"strings"
+	"testing"
+
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+)
+
+const (
+	jwtTestSubject          = "custom-subject"
+	jwtTestFoo              = "bar"
+	jwtTestComplexFooNested = "baz"
+)
+
+type jwtTestPayload struct {
+	Subject string `json:"sub"`
+
+	Foo string `json:"foo"`
+
+	ComplexFoo struct {
+		Nested string `json:"nested"`
+	} `json:"complexFoo"`
+}
+
+func testAccCheckServiceAccountJwtValue(name, audience string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		ms := s.RootModule()
+
+		rs, ok := ms.Resources[name]
+
+		if !ok {
+			return fmt.Errorf("can't find %s in state", name)
+		}
+
+		jwtString, ok := rs.Primary.Attributes["jwt"]
+
+		if !ok {
+			return fmt.Errorf("jwt not found")
+		}
+
+		jwtParts := strings.Split(jwtString, ".")
+
+		if len(jwtParts) != 3 {
+			return errors.New("jwt does not appear well-formed")
+		}
+
+		decoded, err := base64.RawURLEncoding.DecodeString(jwtParts[1])
+
+		if err != nil {
+			return fmt.Errorf("could not base64 decode jwt body: %w", err)
+		}
+
+		var payload jwtTestPayload
+
+		err = json.NewDecoder(bytes.NewBuffer(decoded)).Decode(&payload)
+
+		if err != nil {
+			return fmt.Errorf("could not decode jwt payload: %w", err)
+		}
+
+		if payload.Subject != jwtTestSubject {
+			return fmt.Errorf("invalid 'sub', expected '%s', got '%s'", jwtTestSubject, payload.Subject)
+		}
+
+		if payload.Foo != jwtTestFoo {
+			return fmt.Errorf("invalid 'foo', expected '%s', got '%s'", jwtTestFoo, payload.Foo)
+		}
+
+		if payload.ComplexFoo.Nested != jwtTestComplexFooNested {
+			return fmt.Errorf("invalid 'foo', expected '%s', got '%s'", jwtTestComplexFooNested, payload.ComplexFoo.Nested)
+		}
+
+		return nil
+	}
+}
+
+func TestAccDataSourceGoogleServiceAccountJwt(t *testing.T) {
+	t.Parallel()
+
+	resourceName := "data.google_service_account_jwt.default"
+	serviceAccount := getTestServiceAccountFromEnv(t)
+	targetServiceAccountEmail := BootstrapServiceAccount(t, getTestProjectFromEnv(), serviceAccount)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCheckGoogleServiceAccountJwt(targetServiceAccountEmail),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckServiceAccountJwtValue(resourceName, targetAudience),
+				),
+			},
+		},
+	})
+}
+
+func testAccCheckGoogleServiceAccountJwt(targetServiceAccount string) string {
+	return fmt.Sprintf(`
+data "google_service_account_jwt" "default" {
+	target_service_account = "%s"
+
+    payload = jsonencode({
+      sub: "%s",
+      foo: "%s",
+      complexFoo: {
+        nested: "%s"
+      }
+    })
+}
+`, targetServiceAccount, jwtTestSubject, jwtTestFoo, jwtTestComplexFooNested)
+}

google/provider.go

@@ -840,6 +840,7 @@ func Provider() *schema.Provider {
 			"google_service_account":                              dataSourceGoogleServiceAccount(),
 			"google_service_account_access_token":                 dataSourceGoogleServiceAccountAccessToken(),
 			"google_service_account_id_token":                     dataSourceGoogleServiceAccountIdToken(),
+			"google_service_account_jwt":                          dataSourceGoogleServiceAccountJwt(),
 			"google_service_account_key":                          dataSourceGoogleServiceAccountKey(),
 			"google_sourcerepo_repository":                        dataSourceGoogleSourceRepoRepository(),
 			"google_spanner_instance":                             dataSourceSpannerInstance(),

website/docs/d/service_account_jwt.html.markdown

@@ -0,0 +1,45 @@
+---
+subcategory: "Cloud Platform"
+layout: "google"
+page_title: "Google: google_service_account_jwt"
+sidebar_current: "docs-google-service-account-jwt"
+description: |-
+  Produces an arbitrary self-signed JWT for service accounts
+---
+
+# google\_service\_account\_jwt
+
+This data source provides a [self-signed JWT](https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-jwt).  Tokens issued from this data source are typically used to call external services that accept JWTs for authentication.
+
+## Example Usage
+
+Note: in order to use the following, the caller must have _at least_ `roles/iam.serviceAccountTokenCreator` on the `target_service_account`.
+
+```hcl
+data "google_service_account_jwt" "foo" {
+  target_service_account = "[email protected]"
+
+  payload = jsonencode({
+    foo: "bar",
+    sub: "subject",
+  })
+}
+
+output "jwt" {
+  value = data.google_service_account_jwt.foo.jwt
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `target_service_account` (Required) - The email of the service account that will sign the JWT.
+* `payload` (Required) - The JSON-encoded JWT claims set to include in the self-signed JWT.
+* `delegates` (Optional) - Delegate chain of approvals needed to perform full impersonation. Specify the fully qualified service account name.
+
+## Attributes Reference
+
+The following attribute is exported:
+
+* `jwt` - The signed JWT containing the JWT Claims Set from the `payload`.

website/google.erb

@@ -1313,6 +1313,10 @@
           <a href="/docs/providers/google/d/service_account_id_token.html">google_service_account_id_token</a>
           </li>
 
+          <li>
+          <a href="/docs/providers/google/d/service_account_jwt.html">google_service_account_jwt</a>
+          </li>
+    
           <li>
           <a href="/docs/providers/google/d/service_account_key.html">google_service_account_key</a>
           </li>