
Commit 22d00f9

Add WorkloadIdentityConfig to Compute Instance and InstanceTemplate
1 parent 56a2662 commit 22d00f9

16 files changed

Lines changed: 537 additions & 0 deletions

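--- a/mmv1/products/compute/Instance.yaml
+++ b/mmv1/products/compute/Instance.yaml
@@ -1007,3 +1007,15 @@ properties:
 type: String
 description: 'kms key service account'
 is_missing_in_cai: true
+- name: 'workloadIdentityConfig'
+type: NestedObject
+description: 'Workload identity config.'
+properties:
+- name: 'identity'
+api_name: 'identity'
+type: String
+description: 'Identity SPIFFE id.'
+- name: 'identityCertificateEnabled'
+api_name: 'identityCertificateEnabled'
+type: Boolean
+description: 'Specifies whether identity certificates are enabled.'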
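Review bot: The description of `identity` ("Identity SPIFFE id.") gives the reader no idea what shape the value takes, and this text is what ends up in the generated docs. The acceptance test added in the same commit uses `ns/<namespace>/sa/<managed-identity>` built from a workload identity pool namespace and managed identity, so the description could at least point at that, e.g. `description: 'Identity SPIFFE id of the workload identity pool managed identity the VM runs as, in the form ns/<namespace>/sa/<managed-identity>.'` — confirm the exact accepted forms against the API reference before wording it as a rule. The same short description is repeated verbatim in the two Go schema files, so whichever wording is chosen should be applied in all three places.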

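--- a/mmv1/third_party/terraform/services/compute/compute_instance_helpers.go.tmpl
+++ b/mmv1/third_party/terraform/services/compute/compute_instance_helpers.go.tmpl
@@ -1626,3 +1626,28 @@ func stripInitializeParams(instanceMap map[string]interface{}) {
 }
 }
 
+
+func expandWorkloadIdentityConfig(d tpgresource.TerraformResourceData) *compute.WorkloadIdentityConfig {
+iek, ok := d.GetOk("workload_identity_config")
+if !ok {
+return nil
+}
+
+wicRes := iek.([]interface{})[0].(map[string]interface{})
+return &compute.WorkloadIdentityConfig{
+Identity: wicRes["identity"].(string),
+IdentityCertificateEnabled: wicRes["identity_certificate_enabled"].(bool),
+}
+}
+
+func flattenWorkloadIdentityConfig(v *compute.WorkloadIdentityConfig) []map[string]interface{} {
+if v == nil {
+return nil
+}
+return []map[string]interface{}{
+{
+"identity": v.Identity,
+"identity_certificate_enabled": v.IdentityCertificateEnabled,
+},
+}
+}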
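Review bot: `expandWorkloadIdentityConfig` indexes `iek.([]interface{})[0]` and asserts it to a map without checking that the list is non-empty or that the element is non-nil, so a `workload_identity_config {}` block that reaches this code panics the provider rather than returning an error; the other expanders in this file that I can see take a `d` value guard this case, and the equivalent here is `l := iek.([]interface{})`, `if len(l) == 0 || l[0] == nil { return nil }`, `wicRes := l[0].(map[string]interface{})`. A second point, hedged because the generated struct is not on the page: if `compute.WorkloadIdentityConfig` follows the usual google.golang.org/api layout with `omitempty` on its fields, an explicit `identity_certificate_enabled = false` is never sent to the API, and the expander would need to add `IdentityCertificateEnabled` to `ForceSendFields` when the user set the attribute. Both functions are unexported and undocumented; a one-line comment on each saying which schema key they translate to and from would help the next reader, e.g. `// expandWorkloadIdentityConfig builds the API WorkloadIdentityConfig from the workload_identity_config block, or nil when the block is absent.` Both functions are complete within the hunk.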

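--- a/mmv1/third_party/terraform/services/compute/resource_compute_instance.go.tmpl
+++ b/mmv1/third_party/terraform/services/compute/resource_compute_instance.go.tmpl
@@ -134,6 +134,11 @@ var (
 "shielded_instance_config.0.enable_vtpm",
 "shielded_instance_config.0.enable_integrity_monitoring",
 }
+
+workloadIdentityConfigKeys = []string{
+"workload_identity_config.0.identity",
+"workload_identity_config.0.identity_certificate_enabled",
+}
 )
 
 // This checks if the project provided in subnetwork's self_link matches
@@ -1716,6 +1721,31 @@ be from 0 to 999,999,999 inclusive.`,
 Description: `Specifies whether the disks restored from source snapshots or source machine image should erase Windows specific VSS signature.`,
 },
 {{- end }}
+"workload_identity_config": {
+Type: schema.TypeList,
+MaxItems: 1,
+Optional: true,
+Description: `Workload identity config.`,
+Elem: &schema.Resource{
+Schema: map[string]*schema.Schema{
+"identity": {
+Type: schema.TypeString,
+Optional: true,
+ForceNew: true,
+AtLeastOneOf: workloadIdentityConfigKeys,
+Description: `Identity SPIFFE id.`,
+},
+"identity_certificate_enabled": {
+Type: schema.TypeBool,
+Optional: true,
+ForceNew: true,
+Computed: true,
+AtLeastOneOf: workloadIdentityConfigKeys,
+Description: `Specifies whether identity certificates are enabled.`,
+},
+},
+},
+},
 //UDP schema start
 "deletion_policy": tpgresource.DeletionPolicySchemaEntry("DELETE"),
 //UDP schema end
@@ -1968,6 +1998,7 @@ func expandComputeInstance(project string, d *schema.ResourceData, config *trans
 {{- if ne $.TargetVersionName `ga` }}
 EraseWindowsVssSignature: d.Get("erase_windows_vss_signature").(bool),
 {{- end }}
+WorkloadIdentityConfig: expandWorkloadIdentityConfig(d),
 }
 if cic := expandConfidentialInstanceConfig(d); cic != nil {
 instance.ConfidentialInstanceConfig = &compute.ConfidentialInstanceConfig{
@@ -2571,6 +2602,17 @@ func populateComputeInstanceResourceData(d *schema.ResourceData, instance *compu
 }
 {{- end }}
 
+d.SetId(fmt.Sprintf("projects/%s/zones/%s/instances/%s", project, zone, instance.Name))
+
+
+if err := tpgresource.DeletionPolicyReadDefault(d, config, "DELETE"); err != nil{
+return err
+}
+
+if err := d.Set("workload_identity_config", flattenWorkloadIdentityConfig(instance.WorkloadIdentityConfig)); err != nil {
+return fmt.Errorf("Error setting workload_identity_config: %s", err)
+}
+
 return nil
 }
 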
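Review bot: The `populateComputeInstanceResourceData` hunk adds a `d.SetId(...)` call and a `tpgresource.DeletionPolicyReadDefault(d, config, "DELETE")` call that have nothing to do with workload identity and are not mentioned in the commit message; if the caller (the resource Read) already performs these, as the existing `deletion_policy` schema entry in the second hunk suggests, they are now done twice and a later change to one copy will silently diverge from the other. Only the `d.Set("workload_identity_config", ...)` lines belong in this commit, and the rest should be split out or justified in a comment; `project`, `zone` and `config` are also not visible as parameters in the truncated signature, so confirm they are in scope. Setting the block unconditionally is the right choice, since a nil `WorkloadIdentityConfig` from the API then clears any stale identity from state; the instance-template Read in the same commit guards this with a nil check and should match. The top-level `workload_identity_config` block here has no `ForceNew` while the template's does — only the nested attributes force replacement — which is worth aligning or documenting. `populateComputeInstanceResourceData` begins outside the hunk.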
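--- a/mmv1/third_party/terraform/services/compute/resource_compute_instance_from_machine_image_meta.yaml.tmpl
+++ b/mmv1/third_party/terraform/services/compute/resource_compute_instance_from_machine_image_meta.yaml.tmpl
@@ -266,6 +266,8 @@ fields:
 field: 'tags_fingerprint'
 - field: 'terraform_labels'
 provider_only: true
+- api_field: 'workloadIdentityConfig.identity'
+- api_field: 'workloadIdentityConfig.identityCertificateEnabled'
 - api_field: 'zone'
 {{- if ne $.TargetVersionName "ga" }}
 - api_field: 'eraseWindowsVssSignature'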

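--- a/mmv1/third_party/terraform/services/compute/resource_compute_instance_from_template_meta.yaml.tmpl
+++ b/mmv1/third_party/terraform/services/compute/resource_compute_instance_from_template_meta.yaml.tmpl
@@ -279,6 +279,8 @@ fields:
 field: 'tags_fingerprint'
 - field: 'terraform_labels'
 provider_only: true
+- api_field: 'workloadIdentityConfig.identity'
+- api_field: 'workloadIdentityConfig.identityCertificateEnabled'
 - api_field: 'zone'
 {{- if ne $.TargetVersionName "ga" }}
 - api_field: 'eraseWindowsVssSignature'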

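--- a/mmv1/third_party/terraform/services/compute/resource_compute_instance_meta.yaml.tmpl
+++ b/mmv1/third_party/terraform/services/compute/resource_compute_instance_meta.yaml.tmpl
@@ -282,6 +282,8 @@ fields:
 field: 'tags_fingerprint'
 - field: 'terraform_labels'
 provider_only: true
+- api_field: 'workloadIdentityConfig.identity'
+- api_field: 'workloadIdentityConfig.identityCertificateEnabled'
 - api_field: 'zone'
 {{- if ne $.TargetVersionName "ga" }}
 - api_field: 'eraseWindowsVssSignature'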

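--- a/mmv1/third_party/terraform/services/compute/resource_compute_instance_template.go.tmpl
+++ b/mmv1/third_party/terraform/services/compute/resource_compute_instance_template.go.tmpl
@@ -1343,6 +1343,32 @@ be from 0 to 999,999,999 inclusive.`,
 ValidateFunc: validation.StringInSlice([]string{"NONE", "STOP", ""}, false),
 Description: `Action to be taken when a customer's encryption key is revoked. Supports "STOP" and "NONE", with "NONE" being the default.`,
 },
+"workload_identity_config": {
+Type: schema.TypeList,
+MaxItems: 1,
+Optional: true,
+ForceNew: true,
+Description: `Workload identity config.`,
+Elem: &schema.Resource{
+Schema: map[string]*schema.Schema{
+"identity": {
+Type: schema.TypeString,
+Optional: true,
+ForceNew: true,
+AtLeastOneOf: workloadIdentityConfigKeys,
+Description: `Identity SPIFFE id.`,
+},
+"identity_certificate_enabled": {
+Type: schema.TypeBool,
+Optional: true,
+Computed: true,
+ForceNew: true,
+AtLeastOneOf: workloadIdentityConfigKeys,
+Description: `Specifies whether identity certificates are enabled.`,
+},
+},
+},
+},
 },
 UseJSONNumber: true,
 }
@@ -1745,6 +1771,7 @@ func resourceComputeInstanceTemplateCreate(d *schema.ResourceData, meta interfac
 ResourcePolicies: resourcePolicies,
 ReservationAffinity: reservationAffinity,
 KeyRevocationActionType: d.Get("key_revocation_action_type").(string),
+WorkloadIdentityConfig: expandWorkloadIdentityConfig(d),
 }
 if cic := expandConfidentialInstanceConfig(d); cic != nil {
 instanceProperties.ConfidentialInstanceConfig = &compute.ConfidentialInstanceConfig{
@@ -2327,6 +2354,12 @@ func resourceComputeInstanceTemplateRead(d *schema.ResourceData, meta interface{
 }
 }
 
+if instanceTemplate.Properties.WorkloadIdentityConfig != nil {
+if err = d.Set("workload_identity_config", flattenWorkloadIdentityConfig(instanceTemplate.Properties.WorkloadIdentityConfig)); err != nil {
+return fmt.Errorf("Error setting workload_identity_config: %s", err)
+}
+}
+
 return nil
 }
 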
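Review bot: The nil guard around `d.Set("workload_identity_config", ...)` in `resourceComputeInstanceTemplateRead` means that when the API reports no workload identity config the attribute is left untouched in state, so a template whose identity was removed outside Terraform (or an import of a template without one after a prior value) keeps showing the old SPIFFE identity with no drift. `flattenWorkloadIdentityConfig` already returns nil for a nil input, so the guard can simply be dropped: `if err = d.Set("workload_identity_config", flattenWorkloadIdentityConfig(instanceTemplate.Properties.WorkloadIdentityConfig)); err != nil {`; this also matches the unconditional set that the same commit adds to the instance resource. `identity_certificate_enabled` is both `Computed` and `ForceNew`, so confirm that an API-populated value that the user never wrote does not plan a replacement after the first refresh. `resourceComputeInstanceTemplateRead` begins outside the hunk.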
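--- a/mmv1/third_party/terraform/services/compute/resource_compute_instance_template_meta.yaml.tmpl
+++ b/mmv1/third_party/terraform/services/compute/resource_compute_instance_template_meta.yaml.tmpl
@@ -272,3 +272,7 @@ fields:
 api_field: 'properties.tags.fingerprint'
 - field: 'terraform_labels'
 provider_only: true
+- field: 'workload_identity_config.identity'
+api_field: 'properties.workloadIdentityConfig.identity'
+- field: 'workload_identity_config.identity_certificate_enabled'
+api_field: 'properties.workloadIdentityConfig.identityCertificateEnabled'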

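--- a/mmv1/third_party/terraform/services/compute/resource_compute_instance_template_test.go.tmpl
+++ b/mmv1/third_party/terraform/services/compute/resource_compute_instance_template_test.go.tmpl
@@ -59,6 +59,36 @@ func TestAccComputeInstanceTemplate_basic(t *testing.T) {
 })
 }
 
+func TestAccComputeInstanceTemplate_workloadIdentity(t *testing.T) {
+t.Parallel()
+
+var instanceTemplate map[string]interface{}
+suffix := acctest.RandString(t, 10)
+
+acctest.VcrTest(t, resource.TestCase{
+PreCheck: func() { acctest.AccTestPreCheck(t) },
+ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+CheckDestroy: testAccCheckComputeInstanceTemplateDestroyProducer(t),
+Steps: []resource.TestStep{
+{
+Config: testAccComputeInstanceTemplate_workloadIdentity(suffix),
+Check: resource.ComposeTestCheckFunc(
+testAccCheckComputeInstanceTemplateExists(
+t, "google_compute_instance_template.foobar", &instanceTemplate),
+resource.TestCheckResourceAttr("google_compute_instance_template.foobar", "workload_identity_config.0.identity", fmt.Sprintf("ns/tf-test-ns-%s/sa/tf-test-id-%s", suffix, suffix)),
+resource.TestCheckResourceAttr("google_compute_instance_template.foobar", "workload_identity_config.0.identity_certificate_enabled", "true"),
+),
+},
+{
+ResourceName: "google_compute_instance_template.foobar",
+ImportState: true,
+ImportStateVerify: true,
+ImportStateVerifyIgnore: []string{"labels", "terraform_labels"},
+},
+},
+})
+}
+
 func TestAccComputeInstanceTemplate_imageShorthand(t *testing.T) {
 t.Parallel()
 
@@ -5856,6 +5886,51 @@ resource "google_compute_instance_template" "foobar" {
 `, context)
 }
 
+func testAccComputeInstanceTemplate_workloadIdentity(suffix string) string {
+return fmt.Sprintf(`
+data "google_compute_image" "my_image" {
+family = "debian-11"
+project = "debian-cloud"
+}
+
+resource "google_iam_workload_identity_pool" "pool" {
+workload_identity_pool_id = "tf-test-pool-%s"
+mode = "TRUST_DOMAIN"
+}
+
+resource "google_iam_workload_identity_pool_namespace" "ns" {
+workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id
+workload_identity_pool_namespace_id = "tf-test-ns-%s"
+}
+
+resource "google_iam_workload_identity_pool_managed_identity" "id" {
+workload_identity_pool_id = google_iam_workload_identity_pool_namespace.ns.workload_identity_pool_id
+workload_identity_pool_namespace_id = google_iam_workload_identity_pool_namespace.ns.workload_identity_pool_namespace_id
+workload_identity_pool_managed_identity_id = "tf-test-id-%s"
+}
+
+resource "google_compute_instance_template" "foobar" {
+name = "tf-test-instance-template-%s"
+machine_type = "e2-medium"
+
+disk {
+source_image = data.google_compute_image.my_image.self_link
+auto_delete = true
+}
+
+network_interface {
+network = "default"
+}
+
+workload_identity_config {
+identity = "ns/tf-test-ns-%s/sa/tf-test-id-%s"
+identity_certificate_enabled = true
+}
+}
+`, suffix, suffix, suffix, suffix, suffix, suffix)
+}
+
 
 {{ if ne $.TargetVersionName `ga` -}}
 func testAccComputeInstanceTemplate_aliasIpv6Range(suffix string) string {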
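Review bot: The commit wires `workload_identity_config` into `google_compute_instance` as well as the template, but only the template gets an acceptance test, so the instance-side expand, the unconditional `d.Set` in `populateComputeInstanceResourceData` and the `AtLeastOneOf` validation on that resource are unexercised; a parallel `TestAccComputeInstance_workloadIdentity` over the same pool/namespace/managed-identity fixture would cover them. In `testAccComputeInstanceTemplate_workloadIdentity` the config passes `suffix` six times by position, and the expected-identity string in the check is rebuilt by hand with a second `fmt.Sprintf`; using an indexed verb (`%[1]s` in place of each `%s`, with a single trailing `suffix` argument) keeps the two in sync and makes adding a resource to the fixture less error-prone. The test config writes the identity literally rather than referencing the managed identity resource, so it also does not prove the template's `identity` matches what the pool actually issued — if the provider exposes a name or id attribute on `google_iam_workload_identity_pool_managed_identity`, referencing it would be stronger, but I cannot confirm from this page that such an attribute exists. Both added functions are complete within their hunks.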
