Add new oidc.web_sso_config field to WorkforcePoolProvider. (#7658) (#14327)

* Add new oidc.webSsoConfig field to WorkforcePoolProvider.

* Remove required property of oidc.web_sso_config.

* Add default_from_api: true to web_sso_config.

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/7658.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+iamworkforcepool: added `oidc.web_sso_config` field to `google_iam_workforce_pool_provider`
+```

google/resource_iam_workforce_pool_provider.go

@@ -198,6 +198,31 @@ However, existing tokens still grant access.`,
 							Required:    true,
 							Description: `The OIDC issuer URI. Must be a valid URI using the 'https' scheme.`,
 						},
+						"web_sso_config": {
+							Type:        schema.TypeList,
+							Computed:    true,
+							Optional:    true,
+							Description: `Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser.`,
+							MaxItems:    1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"assertion_claims_behavior": {
+										Type:         schema.TypeString,
+										Required:     true,
+										ValidateFunc: validateEnum([]string{"ONLY_ID_TOKEN_CLAIMS"}),
+										Description: `The behavior for how OIDC Claims are included in the 'assertion' object used for attribute mapping and attribute condition.
+* ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims. Possible values: ["ONLY_ID_TOKEN_CLAIMS"]`,
+									},
+									"response_type": {
+										Type:         schema.TypeString,
+										Required:     true,
+										ValidateFunc: validateEnum([]string{"ID_TOKEN"}),
+										Description: `The Response Type to request for in the OIDC Authorization Request for web sign-in.
+* ID_TOKEN: The 'response_type=id_token' selection uses the Implicit Flow for web sign-in. Possible values: ["ID_TOKEN"]`,
+									},
+								},
+							},
+						},
 					},
 				},
 				ExactlyOneOf: []string{"saml", "oidc"},
@@ -646,6 +671,8 @@ func flattenIAMWorkforcePoolWorkforcePoolProviderOidc(v interface{}, d *schema.R
 		flattenIAMWorkforcePoolWorkforcePoolProviderOidcIssuerUri(original["issuerUri"], d, config)
 	transformed["client_id"] =
 		flattenIAMWorkforcePoolWorkforcePoolProviderOidcClientId(original["clientId"], d, config)
+	transformed["web_sso_config"] =
+		flattenIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfig(original["webSsoConfig"], d, config)
 	return []interface{}{transformed}
 }
 func flattenIAMWorkforcePoolWorkforcePoolProviderOidcIssuerUri(v interface{}, d *schema.ResourceData, config *Config) interface{} {
@@ -656,6 +683,29 @@ func flattenIAMWorkforcePoolWorkforcePoolProviderOidcClientId(v interface{}, d *
 	return v
 }
 
+func flattenIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfig(v interface{}, d *schema.ResourceData, config *Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["response_type"] =
+		flattenIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfigResponseType(original["responseType"], d, config)
+	transformed["assertion_claims_behavior"] =
+		flattenIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfigAssertionClaimsBehavior(original["assertionClaimsBehavior"], d, config)
+	return []interface{}{transformed}
+}
+func flattenIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfigResponseType(v interface{}, d *schema.ResourceData, config *Config) interface{} {
+	return v
+}
+
+func flattenIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfigAssertionClaimsBehavior(v interface{}, d *schema.ResourceData, config *Config) interface{} {
+	return v
+}
+
 func expandIAMWorkforcePoolWorkforcePoolProviderDisplayName(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
 	return v, nil
 }
@@ -729,6 +779,13 @@ func expandIAMWorkforcePoolWorkforcePoolProviderOidc(v interface{}, d TerraformR
 		transformed["clientId"] = transformedClientId
 	}
 
+	transformedWebSsoConfig, err := expandIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfig(original["web_sso_config"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedWebSsoConfig); val.IsValid() && !isEmptyValue(val) {
+		transformed["webSsoConfig"] = transformedWebSsoConfig
+	}
+
 	return transformed, nil
 }
 
@@ -740,6 +797,40 @@ func expandIAMWorkforcePoolWorkforcePoolProviderOidcClientId(v interface{}, d Te
 	return v, nil
 }
 
+func expandIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfig(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedResponseType, err := expandIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfigResponseType(original["response_type"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedResponseType); val.IsValid() && !isEmptyValue(val) {
+		transformed["responseType"] = transformedResponseType
+	}
+
+	transformedAssertionClaimsBehavior, err := expandIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfigAssertionClaimsBehavior(original["assertion_claims_behavior"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedAssertionClaimsBehavior); val.IsValid() && !isEmptyValue(val) {
+		transformed["assertionClaimsBehavior"] = transformedAssertionClaimsBehavior
+	}
+
+	return transformed, nil
+}
+
+func expandIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfigResponseType(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+
+func expandIAMWorkforcePoolWorkforcePoolProviderOidcWebSsoConfigAssertionClaimsBehavior(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+
 func resourceIAMWorkforcePoolWorkforcePoolProviderDecoder(d *schema.ResourceData, meta interface{}, res map[string]interface{}) (map[string]interface{}, error) {
 	if v := res["state"]; v == "DELETED" {
 		return nil, nil

google/resource_iam_workforce_pool_provider_generated_test.go

@@ -167,6 +167,10 @@ resource "google_iam_workforce_pool_provider" "example" {
   oidc {
     issuer_uri       = "https://accounts.thirdparty.com"
     client_id        = "client-id"
+    web_sso_config {
+      response_type             = "ID_TOKEN"
+      assertion_claims_behavior = "ONLY_ID_TOKEN_CLAIMS"
+    }
   }
 }
 `, context)
@@ -216,6 +220,10 @@ resource "google_iam_workforce_pool_provider" "example" {
   oidc {
     issuer_uri        = "https://accounts.thirdparty.com"
     client_id         = "client-id"
+    web_sso_config {
+      response_type             = "ID_TOKEN"
+      assertion_claims_behavior = "ONLY_ID_TOKEN_CLAIMS"
+    }
   }
   display_name        = "Display name"
   description         = "A sample OIDC workforce pool provider."

google/resource_iam_workforce_pool_workforce_pool_provider_test.go

@@ -149,6 +149,10 @@ resource "google_iam_workforce_pool_provider" "my_provider" {
   oidc {
     issuer_uri        = "https://accounts.thirdparty.com"
     client_id         = "client-id"
+    web_sso_config {
+      response_type             = "ID_TOKEN"
+      assertion_claims_behavior = "ONLY_ID_TOKEN_CLAIMS"
+    }
   }
   display_name        = "Display name"
   description         = "A sample OIDC workforce pool provider."
@@ -176,6 +180,10 @@ resource "google_iam_workforce_pool_provider" "my_provider" {
   oidc {
     issuer_uri        = "https://test.thirdparty.com"
     client_id         = "new-client-id"
+    web_sso_config {
+      response_type             = "ID_TOKEN"
+      assertion_claims_behavior = "ONLY_ID_TOKEN_CLAIMS"
+    }
   }
   display_name        = "New Display name"
   description         = "A sample OIDC workforce pool provider with updated description."
@@ -203,6 +211,10 @@ resource "google_iam_workforce_pool_provider" "my_provider" {
   oidc {
     issuer_uri       = "https://accounts.thirdparty.com"
     client_id        = "client-id"
+    web_sso_config {
+      response_type             = "ID_TOKEN"
+      assertion_claims_behavior = "ONLY_ID_TOKEN_CLAIMS"
+    }
   }
 }
 `, context)

website/docs/r/iam_workforce_pool_provider.html.markdown

@@ -99,6 +99,10 @@ resource "google_iam_workforce_pool_provider" "example" {
   oidc {
     issuer_uri       = "https://accounts.thirdparty.com"
     client_id        = "client-id"
+    web_sso_config {
+      response_type             = "ID_TOKEN"
+      assertion_claims_behavior = "ONLY_ID_TOKEN_CLAIMS"
+    }
   }
 }
 ```
@@ -122,6 +126,10 @@ resource "google_iam_workforce_pool_provider" "example" {
   oidc {
     issuer_uri        = "https://accounts.thirdparty.com"
     client_id         = "client-id"
+    web_sso_config {
+      response_type             = "ID_TOKEN"
+      assertion_claims_behavior = "ONLY_ID_TOKEN_CLAIMS"
+    }
   }
   display_name        = "Display name"
   description         = "A sample OIDC workforce pool provider."
@@ -271,6 +279,26 @@ The following arguments are supported:
   (Required)
   The client ID. Must match the audience claim of the JWT issued by the identity provider.
 
+* `web_sso_config` -
+  (Optional)
+  Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser.
+  Structure is [documented below](#nested_web_sso_config).
+
+
+<a name="nested_web_sso_config"></a>The `web_sso_config` block supports:
+
+* `response_type` -
+  (Required)
+  The Response Type to request for in the OIDC Authorization Request for web sign-in.
+  * ID_TOKEN: The `response_type=id_token` selection uses the Implicit Flow for web sign-in.
+  Possible values are: `ID_TOKEN`.
+
+* `assertion_claims_behavior` -
+  (Required)
+  The behavior for how OIDC Claims are included in the `assertion` object used for attribute mapping and attribute condition.
+  * ONLY_ID_TOKEN_CLAIMS: Only include ID Token Claims.
+  Possible values are: `ONLY_ID_TOKEN_CLAIMS`.
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are exported: