Added optional field jwks_json to workloadidentityprovider (#8067) (#14938)

```release-note:enhancement
container: Added optional field `jwks_json` to `workloadidentityprovider`
```

Signed-off-by: Modular Magician <[email protected]>
Co-authored-by: Jieqing(Jay) Chen <[email protected]>

Author: modular-magician

.changelog/8067.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+container: Added optional field `jwks_json` to `workloadidentityprovider`
+```

google/resource_iam_workload_identity_pool_provider_generated_test.go

@@ -221,6 +221,63 @@ EOT
 `, context)
 }
 
+func TestAccIAMBetaWorkloadIdentityPoolProvider_iamWorkloadIdentityPoolProviderOidcUploadKeyExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": RandString(t, 10),
+	}
+
+	VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckIAMBetaWorkloadIdentityPoolProviderDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccIAMBetaWorkloadIdentityPoolProvider_iamWorkloadIdentityPoolProviderOidcUploadKeyExample(context),
+			},
+			{
+				ResourceName:            "google_iam_workload_identity_pool_provider.example",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"workload_identity_pool_id", "workload_identity_pool_provider_id"},
+			},
+		},
+	})
+}
+
+func testAccIAMBetaWorkloadIdentityPoolProvider_iamWorkloadIdentityPoolProviderOidcUploadKeyExample(context map[string]interface{}) string {
+	return tpgresource.Nprintf(`
+resource "google_iam_workload_identity_pool" "pool" {
+  workload_identity_pool_id = "tf-test-example-pool%{random_suffix}"
+}
+
+resource "google_iam_workload_identity_pool_provider" "example" {
+  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
+  workload_identity_pool_provider_id = "tf-test-example-prvdr%{random_suffix}"
+  display_name                       = "Name of provider"
+  description                        = "OIDC identity pool provider for automated test"
+  disabled                           = true
+  attribute_condition                = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups"
+  attribute_mapping                  = {
+    "google.subject"                  = "\"azure::\" + assertion.tid + \"::\" + assertion.sub"
+    "attribute.tid"                   = "assertion.tid"
+    "attribute.managed_identity_name" = <<EOT
+      {
+        "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
+        "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
+      }[assertion.oid]
+EOT
+  }
+  oidc {
+    allowed_audiences = ["https://example.com/gcp-oidc-federation", "example.com/gcp-oidc-federation"]
+    issuer_uri        = "https://sts.windows.net/azure-tenant-id"
+    jwks_json         = "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}"
+  }
+}
+`, context)
+}
+
 func testAccCheckIAMBetaWorkloadIdentityPoolProviderDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		for name, rs := range s.RootModule().Resources {

google/services/iambeta/resource_iam_workload_identity_pool_provider.go

@@ -245,6 +245,33 @@ https://iam.googleapis.com/projects/<project-number>/locations/<location>/worklo
 								Type: schema.TypeString,
 							},
 						},
+						"jwks_json": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Description: `OIDC JWKs in JSON String format. For details on definition of a
+JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
+use the 'jwks_uri' from the discovery document fetched from the
+.well-known path for the 'issuer_uri'. Currently, RSA and EC asymmetric
+keys are supported. The JWK must use following format and include only
+the following fields:
+'''
+{
+  "keys": [
+    {
+          "kty": "RSA/EC",
+          "alg": "<algorithm>",
+          "use": "sig",
+          "kid": "<key-id>",
+          "n": "",
+          "e": "",
+          "x": "",
+          "y": "",
+          "crv": ""
+    }
+  ]
+}
+'''`,
+						},
 					},
 				},
 				ExactlyOneOf: []string{"aws", "oidc"},
@@ -558,7 +585,8 @@ func resourceIAMBetaWorkloadIdentityPoolProviderUpdate(d *schema.ResourceData, m
 
 	if d.HasChange("oidc") {
 		updateMask = append(updateMask, "oidc.allowed_audiences",
-			"oidc.issuer_uri")
+			"oidc.issuer_uri",
+			"oidc.jwks_json")
 	}
 	// updateMask is a URL parameter but not present in the schema, so ReplaceVars
 	// won't set it
@@ -730,6 +758,8 @@ func flattenIAMBetaWorkloadIdentityPoolProviderOidc(v interface{}, d *schema.Res
 		flattenIAMBetaWorkloadIdentityPoolProviderOidcAllowedAudiences(original["allowedAudiences"], d, config)
 	transformed["issuer_uri"] =
 		flattenIAMBetaWorkloadIdentityPoolProviderOidcIssuerUri(original["issuerUri"], d, config)
+	transformed["jwks_json"] =
+		flattenIAMBetaWorkloadIdentityPoolProviderOidcJwksJson(original["jwksJson"], d, config)
 	return []interface{}{transformed}
 }
 func flattenIAMBetaWorkloadIdentityPoolProviderOidcAllowedAudiences(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
@@ -740,6 +770,10 @@ func flattenIAMBetaWorkloadIdentityPoolProviderOidcIssuerUri(v interface{}, d *s
 	return v
 }
 
+func flattenIAMBetaWorkloadIdentityPoolProviderOidcJwksJson(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func expandIAMBetaWorkloadIdentityPoolProviderDisplayName(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
@@ -813,6 +847,13 @@ func expandIAMBetaWorkloadIdentityPoolProviderOidc(v interface{}, d tpgresource.
 		transformed["issuerUri"] = transformedIssuerUri
 	}
 
+	transformedJwksJson, err := expandIAMBetaWorkloadIdentityPoolProviderOidcJwksJson(original["jwks_json"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedJwksJson); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["jwksJson"] = transformedJwksJson
+	}
+
 	return transformed, nil
 }
 
@@ -824,6 +865,10 @@ func expandIAMBetaWorkloadIdentityPoolProviderOidcIssuerUri(v interface{}, d tpg
 	return v, nil
 }
 
+func expandIAMBetaWorkloadIdentityPoolProviderOidcJwksJson(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func resourceIAMBetaWorkloadIdentityPoolProviderDecoder(d *schema.ResourceData, meta interface{}, res map[string]interface{}) (map[string]interface{}, error) {
 	if v := res["state"]; v == "DELETED" {
 		return nil, nil

website/docs/r/iam_workload_identity_pool_provider.html.markdown

@@ -139,6 +139,43 @@ EOT
   }
 }
 ```
+<div class = "oics-button" style="float: right; margin: 0 0 -15px">
+  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.jpy.wang%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=iam_workload_identity_pool_provider_oidc_upload_key&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
+    <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
+  </a>
+</div>
+## Example Usage - Iam Workload Identity Pool Provider Oidc Upload Key
+
+
+```hcl
+resource "google_iam_workload_identity_pool" "pool" {
+  workload_identity_pool_id = "example-pool"
+}
+
+resource "google_iam_workload_identity_pool_provider" "example" {
+  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
+  workload_identity_pool_provider_id = "example-prvdr"
+  display_name                       = "Name of provider"
+  description                        = "OIDC identity pool provider for automated test"
+  disabled                           = true
+  attribute_condition                = "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups"
+  attribute_mapping                  = {
+    "google.subject"                  = "\"azure::\" + assertion.tid + \"::\" + assertion.sub"
+    "attribute.tid"                   = "assertion.tid"
+    "attribute.managed_identity_name" = <<EOT
+      {
+        "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
+        "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
+      }[assertion.oid]
+EOT
+  }
+  oidc {
+    allowed_audiences = ["https://example.com/gcp-oidc-federation", "example.com/gcp-oidc-federation"]
+    issuer_uri        = "https://sts.windows.net/azure-tenant-id"
+    jwks_json         = "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}"
+  }
+}
+```
 
 ## Argument Reference
 
@@ -286,6 +323,32 @@ The following arguments are supported:
   (Required)
   The OIDC issuer URL.
 
+* `jwks_json` -
+  (Optional)
+  OIDC JWKs in JSON String format. For details on definition of a
+  JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
+  use the `jwks_uri` from the discovery document fetched from the
+  .well-known path for the `issuer_uri`. Currently, RSA and EC asymmetric
+  keys are supported. The JWK must use following format and include only
+  the following fields:
+  ```
+  {
+    "keys": [
+      {
+            "kty": "RSA/EC",
+            "alg": "<algorithm>",
+            "use": "sig",
+            "kid": "<key-id>",
+            "n": "",
+            "e": "",
+            "x": "",
+            "y": "",
+            "crv": ""
+      }
+    ]
+  }
+  ```
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are exported: