import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
 * Represents a collection of external workload identities. You can define IAM policies to
 * grant these identities access to Google Cloud resources.
 *
 * To get more information about WorkloadIdentityPool, see:
 *
 * * [API documentation](https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools)
 * * How-to Guides
 *     * [Configure managed workload identity authentication for Compute Engine](https://cloud.google.com/iam/docs/create-managed-workload-identities)
 *     * [Configure managed workload identity authentication for GKE](https://cloud.google.com/iam/docs/create-managed-workload-identities-gke)
 *     * [Managing workload identity pools](https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#pools)
 *
 * ## Example Usage
 *
 * ### Iam Workload Identity Pool Basic
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const example = new gcp.iam.WorkloadIdentityPool("example", {workloadIdentityPoolId: "example-pool"});
 * ```
 * ### Iam Workload Identity Pool Full Federation Only Mode
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const example = new gcp.iam.WorkloadIdentityPool("example", {
 *     workloadIdentityPoolId: "example-pool",
 *     displayName: "Name of the pool",
 *     description: "Identity pool operates in FEDERATION_ONLY mode",
 *     disabled: true, // created disabled: the pool cannot exchange tokens until `disabled` is set back to false
 *     mode: "FEDERATION_ONLY",
 * });
 * ```
 * ### Iam Workload Identity Pool Full Trust Domain Mode
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 * import * as std from "@pulumi/std";
 *
 * const example = new gcp.iam.WorkloadIdentityPool("example", {
 *     workloadIdentityPoolId: "example-pool",
 *     displayName: "Name of the pool",
 *     description: "Identity pool operates in TRUST_DOMAIN mode",
 *     disabled: true,
 *     mode: "TRUST_DOMAIN",
 *     inlineCertificateIssuanceConfig: {
 *         caPools: {
 *             "us-central1": "projects/project-bar/locations/us-central1/caPools/ca-pool-bar",
 *             "asia-east2": "projects/project-foo/locations/asia-east2/caPools/ca-pool-foo",
 *         },
 *         lifetime: "86400s",
 *         rotationWindowPercentage: 50,
 *         keyAlgorithm: "ECDSA_P256",
 *     },
 *     inlineTrustConfig: {
 *         // Every anchor listed in these bundles becomes an accepted issuer for this pool; review the
 *         // list like any other root-of-trust change and keep it to the anchors that are actually needed.
 *         additionalTrustBundles: [
 *             {
 *                 trustDomain: "example.com",
 *                 trustDefaultSharedCa: false,
 *                 trustAnchors: [
 *                     {
 *                         pemCertificate: std.file({
 *                             input: "test-fixtures/trust_anchor_1.pem",
 *                         }).then(invoke => invoke.result),
 *                     },
 *                     {
 *                         pemCertificate: std.file({
 *                             input: "test-fixtures/trust_anchor_2.pem",
 *                         }).then(invoke => invoke.result),
 *                     },
 *                 ],
 *             },
 *             {
 *                 trustDomain: "example.net",
 *                 trustDefaultSharedCa: false,
 *                 trustAnchors: [
 *                     {
 *                         pemCertificate: std.file({
 *                             input: "test-fixtures/trust_anchor_3.pem",
 *                         }).then(invoke => invoke.result),
 *                     },
 *                     {
 *                         pemCertificate: std.file({
 *                             input: "test-fixtures/trust_anchor_4.pem",
 *                         }).then(invoke => invoke.result),
 *                     },
 *                 ],
 *             },
 *         ],
 *     },
 *     // The trailing `/*` appears to match every Service resource under run.googleapis.com in project
 *     // 1111111111111; prefer the narrowest pattern that covers the workloads that should get an identity.
 *     attestationRules: [{
 *         googleCloudResource: "//run.googleapis.com/projects/1111111111111/type/Service/*",
 *     }],
 * });
 * ```
 * ### Iam Workload Identity Pool Full Trust Domain Mode With Default Shared Ca
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 * import * as std from "@pulumi/std";
 *
 * const example = new gcp.iam.WorkloadIdentityPool("example", {
 *     workloadIdentityPoolId: "example-pool",
 *     displayName: "Name of the pool",
 *     description: "Identity pool operates in TRUST_DOMAIN mode",
 *     disabled: true,
 *     mode: "TRUST_DOMAIN",
 *     inlineCertificateIssuanceConfig: {
 *         useDefaultSharedCa: true,
 *         lifetime: "86400s",
 *         rotationWindowPercentage: 50,
 *         keyAlgorithm: "ECDSA_P256",
 *     },
 *     inlineTrustConfig: {
 *         additionalTrustBundles: [
 *             {
 *                 trustDomain: "example.com",
 *                 trustDefaultSharedCa: true,
 *                 trustAnchors: [
 *                     {
 *                         pemCertificate: std.file({
 *                             input: "test-fixtures/trust_anchor_1.pem",
 *                         }).then(invoke => invoke.result),
 *                     },
 *                     {
 *                         pemCertificate: std.file({
 *                             input: "test-fixtures/trust_anchor_2.pem",
 *                         }).then(invoke => invoke.result),
 *                     },
 *                 ],
 *             },
 *             {
 *                 trustDomain: "example.net",
 *                 trustDefaultSharedCa: true,
 *                 trustAnchors: [
 *                     {
 *                         pemCertificate: std.file({
 *                             input: "test-fixtures/trust_anchor_3.pem",
 *                         }).then(invoke => invoke.result),
 *                     },
 *                     {
 *                         pemCertificate: std.file({
 *                             input: "test-fixtures/trust_anchor_4.pem",
 *                         }).then(invoke => invoke.result),
 *                     },
 *                 ],
 *             },
 *         ],
 *     },
 * });
 * ```
 *
 * ## Import
 *
 * WorkloadIdentityPool can be imported using any of these accepted formats:
 *
 * * `projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}`
 * * `{{project}}/{{workload_identity_pool_id}}`
 * * `{{workload_identity_pool_id}}`
 *
 * When using the `pulumi import` command, WorkloadIdentityPool can be imported using one of the formats above. For example:
 *
 * ```sh
 * $ pulumi import gcp:iam/workloadIdentityPool:WorkloadIdentityPool default projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}
 * $ pulumi import gcp:iam/workloadIdentityPool:WorkloadIdentityPool default {{project}}/{{workload_identity_pool_id}}
 * $ pulumi import gcp:iam/workloadIdentityPool:WorkloadIdentityPool default {{workload_identity_pool_id}}
 * ```
 */
export declare class WorkloadIdentityPool extends pulumi.CustomResource {
    /**
     * Get an existing WorkloadIdentityPool resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup. This reads the pool; it does not create or modify it.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup (typically one of the import
     *   formats listed in the class documentation).
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: WorkloadIdentityPoolState, opts?: pulumi.CustomResourceOptions): WorkloadIdentityPool;
    /**
     * Returns true if the given object is an instance of WorkloadIdentityPool.  This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is WorkloadIdentityPool;
    /**
     * Defines which workloads can receive an identity within a pool. When an AttestationRule is
     * defined under a managed identity, matching workloads may receive that identity. A maximum of
     * 50 AttestationRules can be set.
     * A rule's resource pattern may end in a wildcard (see the `.../type/Service/*` example above),
     * which matches every resource of that type in the project; prefer the narrowest pattern that
     * covers the intended workloads, since anything it matches can obtain the identity.
     * Structure is documented below.
     */
    readonly attestationRules: pulumi.Output<outputs.iam.WorkloadIdentityPoolAttestationRule[] | undefined>;
    /**
     * Controls what happens when this resource is removed from the program. Defaults to `DELETE`.
     * * `DELETE`: deleting the pool in the API is allowed (the pool becomes soft-deleted; see `state`).
     * * `PREVENT`: a `pulumi destroy`, or a `pulumi up` that would delete the resource, fails while
     *   this value is recorded in state — a guard against tearing down a pool that IAM bindings and
     *   running workloads still depend on.
     * * `ABANDON`: the resource is removed from Pulumi management without being updated or deleted
     *   in the API. The pool is left as-is and keeps exchanging tokens, but is no longer managed here.
     */
    readonly deletionPolicy: pulumi.Output<string>;
    /**
     * A description of the pool. Cannot exceed 256 characters.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use
     * existing tokens to access resources. This is reversible: if the pool is re-enabled, existing
     * tokens grant access again. Treat `disabled` as a kill switch rather than a revocation; to
     * retire a pool, delete it (and note the soft-delete window described under `state`).
     */
    readonly disabled: pulumi.Output<boolean | undefined>;
    /**
     * A display name for the pool. Cannot exceed 32 characters.
     */
    readonly displayName: pulumi.Output<string | undefined>;
    /**
     * Represents configuration for generating mutual TLS (mTLS) certificates for the identities
     * within this pool. Defines the Certificate Authority (CA) pool resources and configurations
     * required for issuance and rotation of mTLS workload certificates (certificate lifetime,
     * rotation window and key algorithm are set here; see the examples above).
     * Structure is documented below.
     */
    readonly inlineCertificateIssuanceConfig: pulumi.Output<outputs.iam.WorkloadIdentityPoolInlineCertificateIssuanceConfig | undefined>;
    /**
     * Represents config to add additional trusted trust domains. Defines configuration for extending
     * trust to additional trust domains. By establishing trust with another domain, the current
     * domain will recognize and accept certificates issued by entities within the trusted domains.
     * Note that a trust domain automatically trusts itself, eliminating the need for explicit
     * configuration.
     * Security note: every trust anchor listed in an additional bundle becomes an accepted issuer
     * for this pool, so review changes here like any other root-of-trust change and keep each
     * bundle to the anchors it actually needs.
     * Structure is documented below.
     */
    readonly inlineTrustConfig: pulumi.Output<outputs.iam.WorkloadIdentityPoolInlineTrustConfig | undefined>;
    /**
     * The mode the pool operates in. Pools with an unspecified mode will operate as if they
     * are in `FEDERATION_ONLY` mode.
     *
     * > **Note** This field cannot be changed after the Workload Identity Pool is created. While
     * `pulumi preview` may show an update if you change this field's value, `pulumi up`
     * **will fail with an API error** (such as `Error 400: Attempted to update an immutable field.`).
     * To specify a different `mode`, please create a new Workload Identity Pool resource.
     * * `FEDERATION_ONLY`: Pools can only be used for federating external workload identities into
     * Google Cloud. Unless otherwise noted, no structure or format constraints are applied to
     * workload identities in a `FEDERATION_ONLY` mode pool, and you may not create any resources
     * within the pool besides providers. (Because no format is enforced here, the providers'
     * own attribute mapping and conditions are what constrain which external subjects are accepted.)
     * * `TRUST_DOMAIN`: Pools can be used to assign identities to Google Cloud workloads. All
     * identities within a `TRUST_DOMAIN` mode pool must consist of a single namespace and individual
     * workload identifier. The subject identifier for all identities must conform to the following
     * format: `ns/<namespace>/sa/<workload_identifier>`.
     * `gcp.iam.WorkloadIdentityPoolProvider`s cannot be created within `TRUST_DOMAIN`
     * mode pools.
     * * `SYSTEM_TRUST_DOMAIN`: Pools are managed by Google Cloud services. Neither
     * `gcp.iam.WorkloadIdentityPoolNamespace`s nor `gcp.iam.WorkloadIdentityPoolProvider`s
     * can be created within `SYSTEM_TRUST_DOMAIN` mode pools. All identities within a
     * `SYSTEM_TRUST_DOMAIN` mode pool are in one of the following formats:
     * * `spiffe://<trust-domain>/ns/<kubernetes-namespace>/sa/<kubernetes-service-account>`
     * * `spiffe://<trust-domain>/resources/<resource-scope>/<resource-name>`
     * Possible values are: `FEDERATION_ONLY`, `TRUST_DOMAIN`, `SYSTEM_TRUST_DOMAIN`.
     */
    readonly mode: pulumi.Output<string>;
    /**
     * The resource name of the pool as
     * `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}`.
     * Note that this uses the numeric project number, not the project ID given in `project`.
     */
    readonly name: pulumi.Output<string>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    readonly project: pulumi.Output<string>;
    /**
     * The state of the pool.
     * * `STATE_UNSPECIFIED`: State unspecified.
     * * `ACTIVE`: The pool is active, and may be used in Google Cloud policies.
     * * `DELETED`: The pool is soft-deleted. Soft-deleted pools are permanently deleted after
     * approximately 30 days. You can restore a soft-deleted pool using
     * `UndeleteWorkloadIdentityPool`. You cannot reuse the ID of a soft-deleted pool until it is
     * permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or
     * use existing tokens to access resources. If the pool is undeleted, existing tokens grant
     * access again — so a deletion is not final until the ~30-day window has elapsed, and anyone
     * able to undelete the pool can restore access for previously issued tokens.
     */
    readonly state: pulumi.Output<string>;
    /**
     * The ID to use for the pool, which becomes the final component of the resource name. This
     * value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
     * `gcp-` is reserved for use by Google, and may not be specified.
     */
    readonly workloadIdentityPoolId: pulumi.Output<string>;
    /**
     * Create a WorkloadIdentityPool resource with the given unique name, arguments, and options.
     * Choose `mode` deliberately: it cannot be changed after creation (see `mode`).
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: WorkloadIdentityPoolArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering WorkloadIdentityPool resources.
 */
export interface WorkloadIdentityPoolState {
    /**
     * Defines which workloads can receive an identity within a pool. When an AttestationRule is
     * defined under a managed identity, matching workloads may receive that identity. A maximum of
     * 50 AttestationRules can be set.
     * A rule's resource pattern may end in a wildcard (see the `.../type/Service/*` example above);
     * prefer the narrowest pattern that covers the intended workloads.
     * Structure is documented below.
     */
    attestationRules?: pulumi.Input<pulumi.Input<inputs.iam.WorkloadIdentityPoolAttestationRule>[] | undefined>;
    /**
     * Controls what happens when this resource is removed from the program. Defaults to `DELETE`.
     * * `DELETE`: deleting the pool in the API is allowed (the pool becomes soft-deleted; see `state`).
     * * `PREVENT`: a `pulumi destroy`, or a `pulumi up` that would delete the resource, fails while
     *   this value is recorded in state.
     * * `ABANDON`: the resource is removed from Pulumi management without being updated or deleted
     *   in the API; the pool is left as-is and keeps exchanging tokens.
     */
    deletionPolicy?: pulumi.Input<string | undefined>;
    /**
     * A description of the pool. Cannot exceed 256 characters.
     */
    description?: pulumi.Input<string | undefined>;
    /**
     * Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use
     * existing tokens to access resources. This is reversible: if the pool is re-enabled, existing
     * tokens grant access again, so it is a kill switch rather than a revocation.
     */
    disabled?: pulumi.Input<boolean | undefined>;
    /**
     * A display name for the pool. Cannot exceed 32 characters.
     */
    displayName?: pulumi.Input<string | undefined>;
    /**
     * Represents configuration for generating mutual TLS (mTLS) certificates for the identities
     * within this pool. Defines the Certificate Authority (CA) pool resources and configurations
     * required for issuance and rotation of mTLS workload certificates.
     * Structure is documented below.
     */
    inlineCertificateIssuanceConfig?: pulumi.Input<inputs.iam.WorkloadIdentityPoolInlineCertificateIssuanceConfig | undefined>;
    /**
     * Represents config to add additional trusted trust domains. Defines configuration for extending
     * trust to additional trust domains. By establishing trust with another domain, the current
     * domain will recognize and accept certificates issued by entities within the trusted domains.
     * Note that a trust domain automatically trusts itself, eliminating the need for explicit
     * configuration.
     * Security note: every trust anchor in an additional bundle becomes an accepted issuer for this
     * pool; review changes here like any other root-of-trust change.
     * Structure is documented below.
     */
    inlineTrustConfig?: pulumi.Input<inputs.iam.WorkloadIdentityPoolInlineTrustConfig | undefined>;
    /**
     * The mode the pool operates in. Pools with an unspecified mode will operate as if they
     * are in `FEDERATION_ONLY` mode.
     *
     * > **Note** This field cannot be changed after the Workload Identity Pool is created. While
     * `pulumi preview` may show an update if you change this field's value, `pulumi up`
     * **will fail with an API error** (such as `Error 400: Attempted to update an immutable field.`).
     * To specify a different `mode`, please create a new Workload Identity Pool resource.
     * * `FEDERATION_ONLY`: Pools can only be used for federating external workload identities into
     * Google Cloud. Unless otherwise noted, no structure or format constraints are applied to
     * workload identities in a `FEDERATION_ONLY` mode pool, and you may not create any resources
     * within the pool besides providers.
     * * `TRUST_DOMAIN`: Pools can be used to assign identities to Google Cloud workloads. All
     * identities within a `TRUST_DOMAIN` mode pool must consist of a single namespace and individual
     * workload identifier. The subject identifier for all identities must conform to the following
     * format: `ns/<namespace>/sa/<workload_identifier>`.
     * `gcp.iam.WorkloadIdentityPoolProvider`s cannot be created within `TRUST_DOMAIN`
     * mode pools.
     * * `SYSTEM_TRUST_DOMAIN`: Pools are managed by Google Cloud services. Neither
     * `gcp.iam.WorkloadIdentityPoolNamespace`s nor `gcp.iam.WorkloadIdentityPoolProvider`s
     * can be created within `SYSTEM_TRUST_DOMAIN` mode pools. All identities within a
     * `SYSTEM_TRUST_DOMAIN` mode pool are in one of the following formats:
     * * `spiffe://<trust-domain>/ns/<kubernetes-namespace>/sa/<kubernetes-service-account>`
     * * `spiffe://<trust-domain>/resources/<resource-scope>/<resource-name>`
     * Possible values are: `FEDERATION_ONLY`, `TRUST_DOMAIN`, `SYSTEM_TRUST_DOMAIN`.
     */
    mode?: pulumi.Input<string | undefined>;
    /**
     * The resource name of the pool as
     * `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}`
     * (numeric project number, not the project ID).
     */
    name?: pulumi.Input<string | undefined>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string | undefined>;
    /**
     * The state of the pool.
     * * `STATE_UNSPECIFIED`: State unspecified.
     * * `ACTIVE`: The pool is active, and may be used in Google Cloud policies.
     * * `DELETED`: The pool is soft-deleted. Soft-deleted pools are permanently deleted after
     * approximately 30 days. You can restore a soft-deleted pool using
     * `UndeleteWorkloadIdentityPool`. You cannot reuse the ID of a soft-deleted pool until it is
     * permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or
     * use existing tokens to access resources. If the pool is undeleted, existing tokens grant
     * access again — deletion is not final until the ~30-day window has elapsed.
     */
    state?: pulumi.Input<string | undefined>;
    /**
     * The ID to use for the pool, which becomes the final component of the resource name. This
     * value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
     * `gcp-` is reserved for use by Google, and may not be specified.
     */
    workloadIdentityPoolId?: pulumi.Input<string | undefined>;
}
/**
 * The set of arguments for constructing a WorkloadIdentityPool resource.
 */
export interface WorkloadIdentityPoolArgs {
    /**
     * Defines which workloads can receive an identity within a pool. When an AttestationRule is
     * defined under a managed identity, matching workloads may receive that identity. A maximum of
     * 50 AttestationRules can be set.
     * A rule's resource pattern may end in a wildcard (see the `.../type/Service/*` example above);
     * prefer the narrowest pattern that covers the intended workloads, since anything it matches
     * can obtain the identity.
     * Structure is documented below.
     */
    attestationRules?: pulumi.Input<pulumi.Input<inputs.iam.WorkloadIdentityPoolAttestationRule>[] | undefined>;
    /**
     * Controls what happens when this resource is removed from the program. Defaults to `DELETE`.
     * * `DELETE`: deleting the pool in the API is allowed (the pool becomes soft-deleted; see `state`
     *   on the resource).
     * * `PREVENT`: a `pulumi destroy`, or a `pulumi up` that would delete the resource, fails while
     *   this value is recorded in state — a guard against tearing down a pool that IAM bindings and
     *   running workloads still depend on.
     * * `ABANDON`: the resource is removed from Pulumi management without being updated or deleted
     *   in the API; the pool is left as-is and keeps exchanging tokens.
     */
    deletionPolicy?: pulumi.Input<string | undefined>;
    /**
     * A description of the pool. Cannot exceed 256 characters.
     */
    description?: pulumi.Input<string | undefined>;
    /**
     * Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use
     * existing tokens to access resources. This is reversible: if the pool is re-enabled, existing
     * tokens grant access again. Treat `disabled` as a kill switch rather than a revocation.
     */
    disabled?: pulumi.Input<boolean | undefined>;
    /**
     * A display name for the pool. Cannot exceed 32 characters.
     */
    displayName?: pulumi.Input<string | undefined>;
    /**
     * Represents configuration for generating mutual TLS (mTLS) certificates for the identities
     * within this pool. Defines the Certificate Authority (CA) pool resources and configurations
     * required for issuance and rotation of mTLS workload certificates (certificate lifetime,
     * rotation window and key algorithm are set here; see the examples above).
     * Structure is documented below.
     */
    inlineCertificateIssuanceConfig?: pulumi.Input<inputs.iam.WorkloadIdentityPoolInlineCertificateIssuanceConfig | undefined>;
    /**
     * Represents config to add additional trusted trust domains. Defines configuration for extending
     * trust to additional trust domains. By establishing trust with another domain, the current
     * domain will recognize and accept certificates issued by entities within the trusted domains.
     * Note that a trust domain automatically trusts itself, eliminating the need for explicit
     * configuration.
     * Security note: every trust anchor listed in an additional bundle becomes an accepted issuer
     * for this pool, so review changes here like any other root-of-trust change and keep each
     * bundle to the anchors it actually needs.
     * Structure is documented below.
     */
    inlineTrustConfig?: pulumi.Input<inputs.iam.WorkloadIdentityPoolInlineTrustConfig | undefined>;
    /**
     * The mode the pool operates in. Pools with an unspecified mode will operate as if they
     * are in `FEDERATION_ONLY` mode.
     *
     * > **Note** This field cannot be changed after the Workload Identity Pool is created. While
     * `pulumi preview` may show an update if you change this field's value, `pulumi up`
     * **will fail with an API error** (such as `Error 400: Attempted to update an immutable field.`).
     * To specify a different `mode`, please create a new Workload Identity Pool resource.
     * * `FEDERATION_ONLY`: Pools can only be used for federating external workload identities into
     * Google Cloud. Unless otherwise noted, no structure or format constraints are applied to
     * workload identities in a `FEDERATION_ONLY` mode pool, and you may not create any resources
     * within the pool besides providers. (Because no format is enforced here, the providers'
     * own attribute mapping and conditions are what constrain which external subjects are accepted.)
     * * `TRUST_DOMAIN`: Pools can be used to assign identities to Google Cloud workloads. All
     * identities within a `TRUST_DOMAIN` mode pool must consist of a single namespace and individual
     * workload identifier. The subject identifier for all identities must conform to the following
     * format: `ns/<namespace>/sa/<workload_identifier>`.
     * `gcp.iam.WorkloadIdentityPoolProvider`s cannot be created within `TRUST_DOMAIN`
     * mode pools.
     * * `SYSTEM_TRUST_DOMAIN`: Pools are managed by Google Cloud services. Neither
     * `gcp.iam.WorkloadIdentityPoolNamespace`s nor `gcp.iam.WorkloadIdentityPoolProvider`s
     * can be created within `SYSTEM_TRUST_DOMAIN` mode pools. All identities within a
     * `SYSTEM_TRUST_DOMAIN` mode pool are in one of the following formats:
     * * `spiffe://<trust-domain>/ns/<kubernetes-namespace>/sa/<kubernetes-service-account>`
     * * `spiffe://<trust-domain>/resources/<resource-scope>/<resource-name>`
     * Possible values are: `FEDERATION_ONLY`, `TRUST_DOMAIN`, `SYSTEM_TRUST_DOMAIN`.
     */
    mode?: pulumi.Input<string | undefined>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string | undefined>;
    /**
     * The ID to use for the pool, which becomes the final component of the resource name. This
     * value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
     * `gcp-` is reserved for use by Google, and may not be specified.
     */
    workloadIdentityPoolId: pulumi.Input<string>;
}
//# sourceMappingURL=workloadIdentityPool.d.ts.map