Support X509 Federation (GoogleCloudPlatform#11493)

Co-authored-by: Jieqing(Jay) Chen <[email protected]>

Author: 2 people

mmv1/products/iambeta/WorkloadIdentityPoolProvider.yaml

@@ -71,6 +71,18 @@ examples:
     vars:
       workload_identity_pool_id: 'example-pool'
       workload_identity_pool_provider_id: 'example-prvdr'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'iam_workload_identity_pool_provider_x509_basic'
+    primary_resource_id: 'example'
+    vars:
+      workload_identity_pool_id: 'example-pool'
+      workload_identity_pool_provider_id: 'example-prvdr'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'iam_workload_identity_pool_provider_x509_full'
+    primary_resource_id: 'example'
+    vars:
+      workload_identity_pool_id: 'example-pool'
+      workload_identity_pool_provider_id: 'example-prvdr'
 custom_code: !ruby/object:Provider::Terraform::CustomCode
   constants: templates/terraform/constants/iam_workload_identity_pool_provider.go.erb
   decoder: templates/terraform/decoders/treat_deleted_state_as_gone.go.erb
@@ -222,6 +234,7 @@ properties:
       - aws
       - oidc
       - saml
+      - x509
     properties:
       - !ruby/object:Api::Type::String
         name: accountId
@@ -236,6 +249,7 @@ properties:
       - aws
       - oidc
       - saml
+      - x509
     update_mask_fields:
       - 'oidc.allowed_audiences'
       - 'oidc.issuer_uri'
@@ -297,8 +311,57 @@ properties:
       - aws
       - oidc
       - saml
+      - x509
     properties:
       - !ruby/object:Api::Type::String
         name: idpMetadataXml
         description: SAML Identity provider configuration metadata xml doc.
         required: true
+  - !ruby/object:Api::Type::NestedObject
+    name: x509
+    description: |
+      An X.509-type identity provider represents a CA. It is trusted to assert a
+      client identity if the client has a certificate that chains up to this CA.
+    exactly_one_of:
+      - aws
+      - oidc
+      - saml
+      - x509
+    properties:
+      - !ruby/object:Api::Type::NestedObject
+        name: trustStore
+        description: |
+          A Trust store, use this trust store as a wrapper to config the trust
+          anchor and optional intermediate cas to help build the trust chain for
+          the incoming end entity certificate. Follow the x509 guidelines to
+          define those PEM encoded certs. Only 1 trust store is currently
+          supported.
+        required: true
+        properties:
+          - !ruby/object:Api::Type::Array
+            name: trustAnchors
+            description: |
+              List of Trust Anchors to be used while performing validation
+              against a given TrustStore. The incoming end entity's certificate
+              must be chained up to one of the trust anchors here.
+            required: true
+            item_type: !ruby/object:Api::Type::NestedObject
+              properties:
+                - !ruby/object:Api::Type::String
+                  name: pemCertificate
+                  description: |
+                    PEM certificate of the PKI used for validation. Must only contain one
+                    ca certificate(either root or intermediate cert).
+          - !ruby/object:Api::Type::Array
+            name: intermediateCas
+            description: |
+              Set of intermediate CA certificates used for building the trust chain to
+              trust anchor.
+              IMPORTANT: Intermediate CAs are only supported when configuring x509 federation.
+            item_type: !ruby/object:Api::Type::NestedObject
+              properties:
+                - !ruby/object:Api::Type::String
+                  name: pemCertificate
+                  description: |
+                    PEM certificate of the PKI used for validation. Must only contain one
+                    ca certificate(either root or intermediate cert).

mmv1/templates/terraform/examples/iam_workload_identity_pool_provider_x509_basic.tf.erb

@@ -0,0 +1,18 @@
+resource "google_iam_workload_identity_pool" "pool" {
+  workload_identity_pool_id = "<%= ctx[:vars]["workload_identity_pool_id"] %>"
+}
+
+resource "google_iam_workload_identity_pool_provider" "<%= ctx[:primary_resource_id] %>" {
+  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
+  workload_identity_pool_provider_id = "<%= ctx[:vars]["workload_identity_pool_provider_id"] %>"
+  attribute_mapping                  = {
+    "google.subject"        = "assertion.subject.dn.cn"
+  }
+  x509 {
+    trust_store {
+        trust_anchors {
+            pem_certificate = file("test-fixtures/trust_anchor.pem")
+        }
+    }
+  }
+}

mmv1/templates/terraform/examples/iam_workload_identity_pool_provider_x509_full.tf.erb

@@ -0,0 +1,24 @@
+resource "google_iam_workload_identity_pool" "pool" {
+  workload_identity_pool_id = "<%= ctx[:vars]["workload_identity_pool_id"] %>"
+}
+
+resource "google_iam_workload_identity_pool_provider" "<%= ctx[:primary_resource_id] %>" {
+  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
+  workload_identity_pool_provider_id = "<%= ctx[:vars]["workload_identity_pool_provider_id"] %>"
+  display_name                       = "Name of provider"
+  description                        = "X.509 identity pool provider for automated test"
+  disabled                           = true
+  attribute_mapping                  = {
+    "google.subject"        = "assertion.subject.dn.cn"
+  }
+  x509 {
+    trust_store {
+        trust_anchors {
+            pem_certificate = file("test-fixtures/trust_anchor.pem")
+        }
+        intermediate_cas {
+            pem_certificate = file("test-fixtures/intermediate_ca.pem")
+        }
+    }
+  }
+}

mmv1/third_party/terraform/services/iambeta/resource_iam_workload_identity_pool_provider_test.go.erb

@@ -240,4 +240,96 @@ resource "google_iam_workload_identity_pool_provider" "my_provider" {
 `, context)
 }
 
+func TestAccIAMBetaWorkloadIdentityPoolProvider_x509(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"random_suffix": acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckIAMBetaWorkloadIdentityPoolProviderDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccIAMBetaWorkloadIdentityPoolProvider_x509_full(context),
+			},
+			{
+				ResourceName:            "google_iam_workload_identity_pool_provider.example",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"workload_identity_pool_id", "workload_identity_pool_provider_id"},
+			},
+      {
+				Config: testAccIAMBetaWorkloadIdentityPoolProvider_x509_update(context),
+			},
+			{
+				ResourceName:            "google_iam_workload_identity_pool_provider.example",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"workload_identity_pool_id", "workload_identity_pool_provider_id"},
+			},
+		},
+	})
+}
+
+func testAccIAMBetaWorkloadIdentityPoolProvider_x509_full(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_iam_workload_identity_pool" "pool" {
+  workload_identity_pool_id = "tf-test-example-pool%{random_suffix}"
+}
+
+resource "google_iam_workload_identity_pool_provider" "example" {
+  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
+  workload_identity_pool_provider_id = "tf-test-example-prvdr%{random_suffix}"
+  display_name                       = "Name of provider"
+  description                        = "X.509 identity pool provider for automated test"
+  disabled                           = true
+  attribute_mapping                  = {
+    "google.subject"        = "assertion.subject.dn.cn"
+  }
+  x509 {
+    trust_store {
+        trust_anchors {
+            pem_certificate = file("test-fixtures/trust_anchor.pem")
+        }
+        intermediate_cas {
+            pem_certificate = file("test-fixtures/intermediate_ca.pem")
+        }
+    }
+  }
+}
+`, context)
+}
+
+func testAccIAMBetaWorkloadIdentityPoolProvider_x509_update(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_iam_workload_identity_pool" "pool" {
+  workload_identity_pool_id = "tf-test-example-pool%{random_suffix}"
+}
+
+resource "google_iam_workload_identity_pool_provider" "example" {
+  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
+  workload_identity_pool_provider_id = "tf-test-example-prvdr%{random_suffix}"
+  display_name                       = "Name of provider"
+  description                        = "X.509 identity pool provider for automated test"
+  disabled                           = true
+  attribute_mapping                  = {
+    "google.subject"        = "assertion.subject.dn.cn"
+  }
+  x509 {
+    trust_store {
+        trust_anchors {
+            pem_certificate = file("test-fixtures/trust_anchor_updated.pem")
+        }
+        trust_anchors {
+            pem_certificate = file("test-fixtures/intermediate_ca.pem")
+        }
+    }
+  }
+}
+`, context)
+}
+
 <% end -%>

mmv1/third_party/terraform/services/iambeta/test-fixtures/intermediate_ca.pem

@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+MIIDvjCCAqagAwIBAgIIXHIdYNfGCLMwDQYJKoZIhvcNAQELBQAwXDEXMBUGA1UEChMOR29vZ2xlIFRFU1RJTkcxHDAaBgNVBAsTE0dvb2dsZSBURVNUSU5HIHVuaXQxIzAhBgNVBAMMGkdvb2dsZSAqKlRlc3RpbmcqKiBSb290IENBMCAXDTIwMDEwMTAwMDAwMFoYDzIxMzAwMTAxMDAwMDAwWjBkMRcwFQYDVQQKEw5Hb29nbGUgVEVTVElORzEcMBoGA1UECxMTR29vZ2xlIFRFU1RJTkcgdW5pdDErMCkGA1UEAwwiR29vZ2xlICoqVGVzdGluZyoqIEludGVybWVkaWF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALVSyoOVAMfOYf10VxNwmRs/afgbkYJ5gPXzn3aetEtFrcqDiG8LdgniLhHcp3c/O1U0EKANMLWyMlHP0KC4wjMrYXS8doQ7B6kGXj070hRSHN7acF0ImSRw3i9idiiSgOIJzlbYXeh8NLqDAYESyWFht7RRdbCJx1v2U9T8F5QVeT96Dw3exSKQAIdL2J8ol9kgJNINimd7GxOQ3f1+vDOBiAtAj4zWCjjqdNqh5ivyrTu28J/umM35wtHS6iX6GvnwqTsRy8zS/KeN+Dq6PEk/j04mrOG3w82SFp+IvTNH6S/DxRyiE5yoAfgfunKotV34JVr/INH2RsEgbWtwK5ECAwEAAaN6MHgwDgYDVR0PAQH/BAQDAgIEMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHRMBAf8EBTADAQH/MBkGA1UdDgQSBBB0QukRw23faHpDoa0xl+L+MBsGA1UdIwQUMBKAEMRB36Doz2ZXloHKRyZ8hN0wDQYJKoZIhvcNAQELBQADggEBAIPBiuirnZbv4JWDiAIXvCE5pbwej0aKFWEDV2Z8lY0RFPt1CXrDJJL91MXHZ1yviUSJINJErJn7wyGV2bm/N7DUpRE0g9IMgEank64UUl+OyQTXd0LIsjlqWA6Sj/hDZUdw6mi9a98ENUr6CiECtOxpGF9kj4G4WcnyvPP/phs1b8cAfQ+tPurrDRBAdeoQIj756QL7fvMijKNdG5KeCURu9L4BZmCeuy/3v2C2XjiFZHx4cZDOHJizrx04GqzV5PSXw5OYZiXfn5WPGMsyh7ufkQJKJcpv2t3M0gyc1omD0xWkxCl4dTdVef9HrboJnZkUrma509fpVL6F8I2Jkt8=
+-----END CERTIFICATE-----

mmv1/third_party/terraform/services/iambeta/test-fixtures/trust_anchor.pem

@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+MIIDtjCCAp6gAwIBAgIIMu9pvsFWIUcwDQYJKoZIhvcNAQELBQAwXDEXMBUGA1UEChMOR29vZ2xlIFRFU1RJTkcxHDAaBgNVBAsTE0dvb2dsZSBURVNUSU5HIHVuaXQxIzAhBgNVBAMMGkdvb2dsZSAqKlRlc3RpbmcqKiBSb290IENBMCAXDTIwMDEwMTAwMDAwMFoYDzIxMzAwMTAxMDAwMDAwWjBcMRcwFQYDVQQKEw5Hb29nbGUgVEVTVElORzEcMBoGA1UECxMTR29vZ2xlIFRFU1RJTkcgdW5pdDEjMCEGA1UEAwwaR29vZ2xlICoqVGVzdGluZyoqIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHqdf17AA4iwl+HGtTD/qJJv9XZTjzjHiaRYWuGQ3iddf1LhYklLqHvpqOCBlhkg6NIZmoDPKicEi8pfGSzp6btcElyrr1ekECk5jEBcdl6tX/gTSYv7v1h9DkSJDHBAnoSsVW0/PNwI+YGEE2kizGMeg1moXlTHEB+yeGCik/+4eVRas/+wrlrTE5lMFMq8WhdnBx6udcc/BEauvlTybHaN3rJUVpVrJWeVoPGGtXR6MJrdbVScn9GYOLP6sXMPTr+pTY6ebrjs7K/wTVQqLJ1zArCvAEH8FvuAhiI19yM1uBRAds/fJbSUvFsEiIlDC4y7DAK7yWHUAjQIBV1xhDAgMBAAGjejB4MA4GA1UdDwEB/wQEAwICBDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAZBgNVHQ4EEgQQxEHfoOjPZleWgcpHJnyE3TAbBgNVHSMEFDASgBDEQd+g6M9mV5aBykcmfITdMA0GCSqGSIb3DQEBCwUAA4IBAQBcECwxgaK4ZgYO7guayK5QRpTb3Y6zpkmSOkj9h1+HF5Ch/o5FiweJi8k28h9Mfz//gKU2cXXWfXuY81CFEBstjw7jYt3+d4owS5sYKu5WswGj4jsQXRrt0tO0+0UngP560eggFCyLChG75lp54r92hTPk4fY4varURZH7X0jg9W7MO6E6/HmKdMIxanuWdkbpPe6kj5I7SNvVhqsncoga8iZJ6QK/rsC2LTax4dxUUSkP5vmwwiYbgXYbk9JcXI+OyVcMvVxN/akI9/JgYHOol6NdChTBwU0yjNb9B5TrgtP1/fs+LugINrN1R1hgVHDVlE4mwHej+5XL6m9xAxkc
+-----END CERTIFICATE-----

mmv1/third_party/terraform/services/iambeta/test-fixtures/trust_anchor_updated.pem

@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+MIIDtzCCAp+gAwIBAgIJAJbcoF4dvsxvMA0GCSqGSIb3DQEBCwUAMFwxFzAVBgNVBAoTDkdvb2dsZSBURVNUSU5HMRwwGgYDVQQLExNHb29nbGUgVEVTVElORyB1bml0MSMwIQYDVQQDDBpHb29nbGUgKipUZXN0aW5nKiogUm9vdCBDQTAgFw0yMDAxMDEwMDAwMDBaGA8yMTMwMDEwMTAwMDAwMFowXDEXMBUGA1UEChMOR29vZ2xlIFRFU1RJTkcxHDAaBgNVBAsTE0dvb2dsZSBURVNUSU5HIHVuaXQxIzAhBgNVBAMMGkdvb2dsZSAqKlRlc3RpbmcqKiBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzVxH5w07E7O649oZHElZEyMGpYW1rS/yU58AYp9UgDjgNZchDCByn96uUdKiwzQRyFg+Nu/DifcpKbB8rzQtJoDqqpdPqmd2uxw13UNGeScsFGFoqIdOeU/l+SCAB1GvNHpMNoeFFzH9Ly1fFWRHXa/Upw1WYtKxMKM8pVLqodowTKuVMQHVMpVILhb1nlpZvsFR5i2LhG1U4jxVOVGC7OHTsUHNlFo547kM5MNnArl6vPx2LOZgA+2JeOM0zbiMk4DK+ks5eaXXapy5QMQ16PUIlq1oTgAYMRXk31TrmdMwu79FeIz3vHXgJnGhdmLqse3rE05cWuoEsuao01NpYwIDAQABo3oweDAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wGQYDVR0OBBIEEMRB36Doz2ZXloHKRyZ8hN0wGwYDVR0jBBQwEoAQxEHfoOjPZleWgcpHJnyE3TANBgkqhkiG9w0BAQsFAAOCAQEAiim4OoNHHskwK1etk1Xswb+pB1OweUFD9iSHvkgnTw+RLuep+OYsKciz5GeZIWiKkWZMnJYTd41bX29fdIdcd1b3MjFVQ8jqKVkblb1NjYWLIwZshimtbIEZTDb/sxalQiwSH/SE2fi/8E8P8jxbntCeOyDw1/lce3tkYrJHlTNDZLNnr5Od+stpYi8EaPSnilEgLIMTsBwyaxUp8yWbxT8+M0JhJYmpHnSkC0vc2aLTYmgyv7URl14XIK2aumSISAuaCXYGj0hx8Wz0YNn1uydnZw7kmzn4ncZqfwoJuHJl/5kWq0nycgcieUNg65VxEhqHTnC6NXKjyBZKVXQaxQ==
+-----END CERTIFICATE-----