12 changes: 12 additions & 0 deletions mmv1/products/compute/Instance.yaml
Expand Up @@ -1007,3 +1007,15 @@ properties:
type: String
description: 'kms key service account'
is_missing_in_cai: true
- name: 'workloadIdentityConfig'
type: NestedObject
description: 'Workload identity config.'
properties:
- name: 'identity'
api_name: 'identity'
type: String
description: 'Identity SPIFFE id.'
- name: 'identityCertificateEnabled'
api_name: 'identityCertificateEnabled'
type: Boolean
description: 'Specifies whether identity certificates are enabled.'
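Review bot: The `identityCertificateEnabled` property added here carries only a type and a description, while the handwritten schema in this same change marks the corresponding attribute `Computed` and `ForceNew` (and `identity` `ForceNew`). If this YAML is meant to mirror the handwritten resource, `immutable: true` and `default_from_api: true` appear to be the matching mmv1 keys; if it is informational only, a one-line comment saying so above the block would stop the next reader from trying to reconcile the two. The description `Identity SPIFFE id.` could also name the form the tests in this change use, `ns/<namespace>/sa/<managed-identity-id>`.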
Expand Up @@ -1626,3 +1626,28 @@ func stripInitializeParams(instanceMap map[string]interface{}) {
}
}


func expandWorkloadIdentityConfig(d tpgresource.TerraformResourceData) *compute.WorkloadIdentityConfig {
iek, ok := d.GetOk("workload_identity_config")
if !ok {
return nil
}

wicRes := iek.([]interface{})[0].(map[string]interface{})
return &compute.WorkloadIdentityConfig{
Identity: wicRes["identity"].(string),
IdentityCertificateEnabled: wicRes["identity_certificate_enabled"].(bool),
}
}

func flattenWorkloadIdentityConfig(v *compute.WorkloadIdentityConfig) []map[string]interface{} {
if v == nil {
return nil
}
return []map[string]interface{}{
{
"identity": v.Identity,
"identity_certificate_enabled": v.IdentityCertificateEnabled,
},
}
}
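Review bot: `expandWorkloadIdentityConfig` indexes `[0]` of the list and asserts it to a map with no length or nil check, so an empty list or a single block whose element the SDK materialises as nil would panic the provider instead of yielding a nil config; the guard `if len(l) == 0 || l[0] == nil { return nil }` that single-item blocks normally get is missing. A second thing to confirm is the `identity_certificate_enabled = false` case: if the generated `compute.WorkloadIdentityConfig` declares the field with `omitempty` like the rest of the client, a literal false is dropped from the request unless it is listed in `ForceSendFields`, and because the schema marks the attribute `Computed` that should only be done when the user actually set it. Both new functions also lack doc comments; `// expandWorkloadIdentityConfig builds the API config from the single-item workload_identity_config block, or returns nil when the block is absent.` and the mirror sentence on `flattenWorkloadIdentityConfig` would do.
```go
func expandWorkloadIdentityConfig(d tpgresource.TerraformResourceData) *compute.WorkloadIdentityConfig {
	iek, ok := d.GetOk("workload_identity_config")
	if !ok {
		return nil
	}
	l := iek.([]interface{})
	if len(l) == 0 || l[0] == nil {
		return nil
	}
	wicRes := l[0].(map[string]interface{})
	// … unchanged: return &compute.WorkloadIdentityConfig{...} built from wicRes …
}
```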
Expand Up @@ -134,6 +134,11 @@ var (
"shielded_instance_config.0.enable_vtpm",
"shielded_instance_config.0.enable_integrity_monitoring",
}

workloadIdentityConfigKeys = []string{
"workload_identity_config.0.identity",
"workload_identity_config.0.identity_certificate_enabled",
}
)

// This checks if the project provided in subnetwork's self_link matches
Expand Down Expand Up @@ -1716,6 +1721,31 @@ be from 0 to 999,999,999 inclusive.`,
Description: `Specifies whether the disks restored from source snapshots or source machine image should erase Windows specific VSS signature.`,
},
{{- end }}
"workload_identity_config": {
Type: schema.TypeList,
MaxItems: 1,
Optional: true,
Description: `Workload identity config.`,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"identity": {
Type: schema.TypeString,
Optional: true,
ForceNew: true,
AtLeastOneOf: workloadIdentityConfigKeys,
Description: `Identity SPIFFE id.`,
},
"identity_certificate_enabled": {
Type: schema.TypeBool,
Optional: true,
ForceNew: true,
Computed: true,
AtLeastOneOf: workloadIdentityConfigKeys,
Description: `Specifies whether identity certificates are enabled.`,
},
},
},
},
//UDP schema start
"deletion_policy": tpgresource.DeletionPolicySchemaEntry("DELETE"),
//UDP schema end
Expand Down Expand Up @@ -1968,6 +1998,7 @@ func expandComputeInstance(project string, d *schema.ResourceData, config *trans
{{- if ne $.TargetVersionName `ga` }}
EraseWindowsVssSignature: d.Get("erase_windows_vss_signature").(bool),
{{- end }}
WorkloadIdentityConfig: expandWorkloadIdentityConfig(d),
}
if cic := expandConfidentialInstanceConfig(d); cic != nil {
instance.ConfidentialInstanceConfig = &compute.ConfidentialInstanceConfig{
Expand Down Expand Up @@ -2571,6 +2602,17 @@ func populateComputeInstanceResourceData(d *schema.ResourceData, instance *compu
}
{{- end }}

d.SetId(fmt.Sprintf("projects/%s/zones/%s/instances/%s", project, zone, instance.Name))


if err := tpgresource.DeletionPolicyReadDefault(d, config, "DELETE"); err != nil{
return err
}

if err := d.Set("workload_identity_config", flattenWorkloadIdentityConfig(instance.WorkloadIdentityConfig)); err != nil {
return fmt.Errorf("Error setting workload_identity_config: %s", err)
}

return nil
}
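Review bot: The schema descriptions for the new block stop at `Workload identity config.` and `Identity SPIFFE id.`, which leaves the expected `identity` format undocumented even though the tests in this change rely on `ns/<namespace>/sa/<managed-identity-id>`; `Description: \`Identity SPIFFE id of the workload identity pool managed identity, in the form ns/<namespace>/sa/<managed-identity-id>.\`` would let users get it right without reading the tests. `identity_certificate_enabled` is both `Computed` and `ForceNew`, so a server-provided value is kept when the attribute is omitted and an explicit change recreates the instance; the description should say so, e.g. `Description: \`Specifies whether identity certificates are enabled. When unset the value reported by the API is kept; changing it forces a new instance.\``, and the block-level description should note that both nested fields force replacement. The `expandComputeInstance` and `populateComputeInstanceResourceData` hunks only show the insertion points; both functions start outside their hunks.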

Expand Up @@ -266,6 +266,8 @@ fields:
field: 'tags_fingerprint'
- field: 'terraform_labels'
provider_only: true
- api_field: 'workloadIdentityConfig.identity'
- api_field: 'workloadIdentityConfig.identityCertificateEnabled'
- api_field: 'zone'
{{- if ne $.TargetVersionName "ga" }}
- api_field: 'eraseWindowsVssSignature'
Expand Up @@ -417,6 +417,40 @@ func TestAccComputeInstanceFromMachineImage_VSSWindows(t *testing.T) {
}
{{- end }}

func TestAccComputeInstanceFromMachineImage_workloadIdentity(t *testing.T) {
t.Parallel()

var instance map[string]interface{}
instanceName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
generatedInstanceName := fmt.Sprintf("tf-test-generated-%s", acctest.RandString(t, 10))
randomSuffix := acctest.RandString(t, 10)
resourceName := "google_compute_instance_from_machine_image.foobar"

context := map[string]interface{}{
"instance_name": instanceName,
"generated_instance_name": generatedInstanceName,
"random_suffix": randomSuffix,
"identity_id": "tf-test-id-1-" + randomSuffix,
"identity_certificate_enabled": true,
}

acctest.VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
CheckDestroy: testAccCheckComputeInstanceFromMachineImageDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccComputeInstanceFromMachineImage_workloadIdentity(context),
Check: resource.ComposeTestCheckFunc(
testAccCheckComputeInstanceExists(t, resourceName, &instance),
resource.TestCheckResourceAttr(resourceName, "workload_identity_config.0.identity", fmt.Sprintf("ns/tf-test-ns-%s/sa/tf-test-id-1-%s", randomSuffix, randomSuffix)),
resource.TestCheckResourceAttr(resourceName, "workload_identity_config.0.identity_certificate_enabled", "true"),
),
},
},
})
}

func testAccCheckComputeInstanceFromMachineImageDestroyProducer(t *testing.T) func(s *terraform.State) error {
return func(s *terraform.State) error {
config := acctest.GoogleProviderConfig(t)
Expand Down Expand Up @@ -1490,6 +1524,68 @@ resource "google_compute_instance_from_machine_image" "foobar" {
`, context)
}

func testAccComputeInstanceFromMachineImage_workloadIdentity(context map[string]interface{}) string {
return acctest.Nprintf(`
data "google_compute_image" "my_image" {
family = "debian-11"
project = "debian-cloud"
}

resource "google_iam_workload_identity_pool" "pool" {
workload_identity_pool_id = "tf-test-pool-%{random_suffix}"
mode = "TRUST_DOMAIN"
}

resource "google_iam_workload_identity_pool_namespace" "ns" {
workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id
workload_identity_pool_namespace_id = "tf-test-ns-%{random_suffix}"
}

resource "google_iam_workload_identity_pool_managed_identity" "id" {
workload_identity_pool_id = google_iam_workload_identity_pool_namespace.ns.workload_identity_pool_id
workload_identity_pool_namespace_id = google_iam_workload_identity_pool_namespace.ns.workload_identity_pool_namespace_id
workload_identity_pool_managed_identity_id = "%{identity_id}"
}

resource "google_compute_instance" "vm" {
name = "%{instance_name}-source"
machine_type = "e2-medium"
zone = "us-central1-a"

boot_disk {
initialize_params {
image = data.google_compute_image.my_image.self_link
}
}

network_interface {
network = "default"
}

workload_identity_config {
identity = "ns/tf-test-ns-%{random_suffix}/sa/%{identity_id}"
identity_certificate_enabled = %{identity_certificate_enabled}
}
}

resource "google_compute_machine_image" "foobar" {
name = "image-%{random_suffix}"
source_instance = google_compute_instance.vm.self_link
}

resource "google_compute_instance_from_machine_image" "foobar" {
name = "%{generated_instance_name}"
zone = "us-central1-a"
source_machine_image = google_compute_machine_image.foobar.self_link

workload_identity_config {
identity = "ns/tf-test-ns-%{random_suffix}/sa/%{identity_id}"
identity_certificate_enabled = %{identity_certificate_enabled}
}
}
`, context)
}

{{ if ne $.TargetVersionName `ga` -}}
func testAccComputeInstanceFromMachineImage_VSSWindows(context map[string]interface{}) string {
return acctest.Nprintf(`
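Review bot: In `testAccComputeInstanceFromMachineImage_workloadIdentity` the `identity` inside `workload_identity_config` of `google_compute_instance.vm` and of the `from_machine_image` resource is a literal string assembled from `%{random_suffix}` and `%{identity_id}`, so nothing ties instance creation to `google_iam_workload_identity_pool_managed_identity.id` and Terraform may create the VM before the managed identity exists, which would make the test flaky; `depends_on = [google_iam_workload_identity_pool_managed_identity.id]` on `google_compute_instance.vm` (or building the string from that resource's attributes) makes the order explicit. The same applies to `google_compute_instance_from_template.foobar` in the from-template config added further down in this change. In the Go test the expected identity is rebuilt with `fmt.Sprintf("ns/tf-test-ns-%s/sa/tf-test-id-1-%s", randomSuffix, randomSuffix)` although `context["identity_id"]` already holds the id; deriving the expected value from the same context keeps the assertion and the config from drifting apart.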
Expand Up @@ -279,6 +279,8 @@ fields:
field: 'tags_fingerprint'
- field: 'terraform_labels'
provider_only: true
- api_field: 'workloadIdentityConfig.identity'
- api_field: 'workloadIdentityConfig.identityCertificateEnabled'
- api_field: 'zone'
{{- if ne $.TargetVersionName "ga" }}
- api_field: 'eraseWindowsVssSignature'
Expand Up @@ -632,6 +632,40 @@ func TestAccComputeInstanceFromTemplate_DiskForceAttach(t *testing.T) {
})
}

func TestAccComputeInstanceFromTemplate_workloadIdentity(t *testing.T) {
t.Parallel()

var instance map[string]interface{}
instanceName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
templateName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
randomSuffix := acctest.RandString(t, 10)
resourceName := "google_compute_instance_from_template.foobar"

context := map[string]interface{}{
"instance_name": instanceName,
"template_name": templateName,
"random_suffix": randomSuffix,
"identity_id": "tf-test-id-1-" + randomSuffix,
"identity_certificate_enabled": true,
}

acctest.VcrTest(t, resource.TestCase{
PreCheck: func() { acctest.AccTestPreCheck(t) },
ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
CheckDestroy: testAccCheckComputeInstanceFromTemplateDestroyProducer(t),
Steps: []resource.TestStep{
{
Config: testAccComputeInstanceFromTemplate_workloadIdentity(context),
Check: resource.ComposeTestCheckFunc(
testAccCheckComputeInstanceExists(t, resourceName, &instance),
resource.TestCheckResourceAttr(resourceName, "workload_identity_config.0.identity", fmt.Sprintf("ns/tf-test-ns-%s/sa/tf-test-id-1-%s", randomSuffix, randomSuffix)),
resource.TestCheckResourceAttr(resourceName, "workload_identity_config.0.identity_certificate_enabled", "true"),
),
},
},
})
}

{{ if ne $.TargetVersionName `ga` -}}
func TestAccComputeInstanceFromTemplate_VSSWindows(t *testing.T) {
t.Parallel()
Expand Down Expand Up @@ -2736,3 +2770,54 @@ resource "google_compute_instance_from_template" "foobar" {
`, context)
}
{{- end }}

func testAccComputeInstanceFromTemplate_workloadIdentity(context map[string]interface{}) string {
return acctest.Nprintf(`
data "google_compute_image" "my_image" {
family = "debian-11"
project = "debian-cloud"
}

resource "google_iam_workload_identity_pool" "pool" {
workload_identity_pool_id = "tf-test-pool-%{random_suffix}"
mode = "TRUST_DOMAIN"
}

resource "google_iam_workload_identity_pool_namespace" "ns" {
workload_identity_pool_id = google_iam_workload_identity_pool.pool.workload_identity_pool_id
workload_identity_pool_namespace_id = "tf-test-ns-%{random_suffix}"
}

resource "google_iam_workload_identity_pool_managed_identity" "id" {
workload_identity_pool_id = google_iam_workload_identity_pool_namespace.ns.workload_identity_pool_id
workload_identity_pool_namespace_id = google_iam_workload_identity_pool_namespace.ns.workload_identity_pool_namespace_id
workload_identity_pool_managed_identity_id = "%{identity_id}"
}

resource "google_compute_instance_template" "foobar" {
name = "%{template_name}"
machine_type = "e2-medium"

disk {
source_image = data.google_compute_image.my_image.self_link
auto_delete = true
boot = true
}

network_interface {
network = "default"
}
}

resource "google_compute_instance_from_template" "foobar" {
name = "%{instance_name}"
zone = "us-central1-a"
source_instance_template = google_compute_instance_template.foobar.self_link

workload_identity_config {
identity = "ns/tf-test-ns-%{random_suffix}/sa/%{identity_id}"
identity_certificate_enabled = %{identity_certificate_enabled}
}
}
`, context)
}
Expand Up @@ -282,6 +282,8 @@ fields:
field: 'tags_fingerprint'
- field: 'terraform_labels'
provider_only: true
- api_field: 'workloadIdentityConfig.identity'
- api_field: 'workloadIdentityConfig.identityCertificateEnabled'
- api_field: 'zone'
{{- if ne $.TargetVersionName "ga" }}
- api_field: 'eraseWindowsVssSignature'