import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
 * A configuration for an external identity provider.
 *
 * To get more information about WorkloadIdentityPoolProvider, see:
 *
 * * [API documentation](https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.providers)
 * * How-to Guides
 *     * [Managing workload identity providers](https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#managing_workload_identity_providers)
 *
 * ## Example Usage
 *
 * ### Iam Workload Identity Pool Provider Aws Basic
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
 * const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
 *     workloadIdentityPoolId: pool.workloadIdentityPoolId,
 *     workloadIdentityPoolProviderId: "example-prvdr",
 *     aws: {
 *         accountId: "999999999999",
 *     },
 * });
 * ```
 * ### Iam Workload Identity Pool Provider Aws Full
 *
 * Note: `aws.accountId` on its own admits credentials from any IAM principal in that AWS account;
 * the `attributeCondition` is what narrows trust to a single role. The condition below compares
 * `attribute.aws_role`, which the custom `attributeMapping` here does not define (the default
 * mapping that defines it applies only when no custom mapping is given — see `attributeMapping`),
 * so add an explicit `"attribute.aws_role"` entry or compare `assertion.arn` directly.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
 * const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
 *     workloadIdentityPoolId: pool.workloadIdentityPoolId,
 *     workloadIdentityPoolProviderId: "example-prvdr",
 *     displayName: "Name of provider",
 *     description: "AWS identity pool provider for automated test",
 *     disabled: true,
 *     attributeCondition: "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"",
 *     attributeMapping: {
 *         "google.subject": "assertion.arn",
 *         "attribute.aws_account": "assertion.account",
 *         "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
 *     },
 *     aws: {
 *         accountId: "999999999999",
 *     },
 * });
 * ```
 * ### Iam Workload Identity Pool Provider Github Actions
 *
 * Note: the GitHub Actions issuer is shared by every repository on github.com, so the
 * `attributeCondition` pinning owner, repository and ref is required, not optional; without it
 * any workflow on GitHub could federate into this pool. The numeric `repository_owner_id` is
 * compared rather than the owner name because names can change hands while IDs do not.
 * `attribute.repository` in the condition refers to the mapped attribute, so the
 * `"attribute.repository"` entry in the mapping must be kept.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
 * const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
 *     workloadIdentityPoolId: pool.workloadIdentityPoolId,
 *     workloadIdentityPoolProviderId: "example-prvdr",
 *     displayName: "Name of provider",
 *     description: "GitHub Actions identity pool provider for automated test",
 *     disabled: true,
 *     attributeCondition: `    assertion.repository_owner_id == \\"123456789\\" &&
 *     attribute.repository == \\"gh-org/gh-repo\\" &&
 *     assertion.ref == \\"refs/heads/main\\" &&
 *     assertion.ref_type == \\"branch\\"
 * `,
 *     attributeMapping: {
 *         "google.subject": "assertion.sub",
 *         "attribute.actor": "assertion.actor",
 *         "attribute.aud": "assertion.aud",
 *         "attribute.repository": "assertion.repository",
 *     },
 *     oidc: {
 *         issuerUri: "https://token.actions.githubusercontent.com",
 *     },
 * });
 * ```
 * ### Iam Workload Identity Pool Provider Oidc Basic
 *
 * Note: this minimal form sets no `attributeCondition`, so any token the issuer signs that passes
 * audience checks and yields a subject is accepted. That is only appropriate when the issuer is
 * scoped to a single tenant (as the tenant-specific `sts.windows.net/<tenant-id>` URI is); the
 * Full example below additionally pins `allowedAudiences` and requires a group membership.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
 * const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
 *     workloadIdentityPoolId: pool.workloadIdentityPoolId,
 *     workloadIdentityPoolProviderId: "example-prvdr",
 *     attributeMapping: {
 *         "google.subject": "assertion.sub",
 *     },
 *     oidc: {
 *         issuerUri: "https://sts.windows.net/azure-tenant-id",
 *     },
 * });
 * ```
 * ### Iam Workload Identity Pool Provider Oidc Full
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
 * const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
 *     workloadIdentityPoolId: pool.workloadIdentityPoolId,
 *     workloadIdentityPoolProviderId: "example-prvdr",
 *     displayName: "Name of provider",
 *     description: "OIDC identity pool provider for automated test",
 *     disabled: true,
 *     attributeCondition: "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
 *     attributeMapping: {
 *         "google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
 *         "attribute.tid": "assertion.tid",
 *         "attribute.managed_identity_name": `      {
 *         \\"8bb39bdb-1cc5-4447-b7db-a19e920eb111\\":\\"workload1\\",
 *         \\"55d36609-9bcf-48e0-a366-a3cf19027d2a\\":\\"workload2\\"
 *       }[assertion.oid]
 * `,
 *     },
 *     oidc: {
 *         allowedAudiences: [
 *             "https://example.com/gcp-oidc-federation",
 *             "example.com/gcp-oidc-federation",
 *         ],
 *         issuerUri: "https://sts.windows.net/azure-tenant-id",
 *     },
 * });
 * ```
 * ### Iam Workload Identity Pool Provider Saml Basic
 *
 * Note: the mappings in the SAML examples reuse the AWS example's `assertion.arn` /
 * `assertion.account` expressions; for a SAML IdP substitute the attribute names your IdP
 * actually asserts and verify that `google.subject` resolves for every expected assertion.
 * `idpMetadataXml` is the trust anchor for this provider — obtain it from the IdP over a
 * trusted channel and keep it current when the IdP rotates its signing keys.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 * import * as std from "@pulumi/std";
 *
 * const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
 * const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
 *     workloadIdentityPoolId: pool.workloadIdentityPoolId,
 *     workloadIdentityPoolProviderId: "example-prvdr",
 *     attributeMapping: {
 *         "google.subject": "assertion.arn",
 *         "attribute.aws_account": "assertion.account",
 *         "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
 *     },
 *     saml: {
 *         idpMetadataXml: std.file({
 *             input: "test-fixtures/metadata.xml",
 *         }).then(invoke => invoke.result),
 *     },
 * });
 * ```
 * ### Iam Workload Identity Pool Provider Saml Full
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 * import * as std from "@pulumi/std";
 *
 * const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
 * const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
 *     workloadIdentityPoolId: pool.workloadIdentityPoolId,
 *     workloadIdentityPoolProviderId: "example-prvdr",
 *     displayName: "Name of provider",
 *     description: "SAML 2.0 identity pool provider for automated test",
 *     disabled: true,
 *     attributeMapping: {
 *         "google.subject": "assertion.arn",
 *         "attribute.aws_account": "assertion.account",
 *         "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
 *     },
 *     saml: {
 *         idpMetadataXml: std.file({
 *             input: "test-fixtures/metadata.xml",
 *         }).then(invoke => invoke.result),
 *     },
 * });
 * ```
 * ### Iam Workload Identity Pool Provider Oidc Upload Key
 *
 * Note: with `jwksJson` supplied, signature verification uses these uploaded keys (rather than
 * keys discovered from the issuer), so a key rotation at the IdP must be mirrored here or token
 * exchange fails closed. The key below is a test fixture; never reuse it as a real trust anchor.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 *
 * const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
 * const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
 *     workloadIdentityPoolId: pool.workloadIdentityPoolId,
 *     workloadIdentityPoolProviderId: "example-prvdr",
 *     displayName: "Name of provider",
 *     description: "OIDC identity pool provider for automated test",
 *     disabled: true,
 *     attributeCondition: "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
 *     attributeMapping: {
 *         "google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
 *         "attribute.tid": "assertion.tid",
 *         "attribute.managed_identity_name": `      {
 *         \\"8bb39bdb-1cc5-4447-b7db-a19e920eb111\\":\\"workload1\\",
 *         \\"55d36609-9bcf-48e0-a366-a3cf19027d2a\\":\\"workload2\\"
 *       }[assertion.oid]
 * `,
 *     },
 *     oidc: {
 *         allowedAudiences: [
 *             "https://example.com/gcp-oidc-federation",
 *             "example.com/gcp-oidc-federation",
 *         ],
 *         issuerUri: "https://sts.windows.net/azure-tenant-id",
 *         jwksJson: "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}",
 *     },
 * });
 * ```
 * ### Iam Workload Identity Pool Provider X509 Basic
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 * import * as std from "@pulumi/std";
 *
 * const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
 * const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
 *     workloadIdentityPoolId: pool.workloadIdentityPoolId,
 *     workloadIdentityPoolProviderId: "example-prvdr",
 *     attributeMapping: {
 *         "google.subject": "assertion.subject.dn.cn",
 *     },
 *     x509: {
 *         trustStore: {
 *             trustAnchors: [{
 *                 pemCertificate: std.file({
 *                     input: "test-fixtures/trust_anchor.pem",
 *                 }).then(invoke => invoke.result),
 *             }],
 *         },
 *     },
 * });
 * ```
 * ### Iam Workload Identity Pool Provider X509 Full
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as gcp from "@pulumi/gcp";
 * import * as std from "@pulumi/std";
 *
 * const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
 * const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
 *     workloadIdentityPoolId: pool.workloadIdentityPoolId,
 *     workloadIdentityPoolProviderId: "example-prvdr",
 *     displayName: "Name of provider",
 *     description: "X.509 identity pool provider for automated test",
 *     disabled: true,
 *     attributeMapping: {
 *         "google.subject": "assertion.subject.dn.cn",
 *     },
 *     x509: {
 *         trustStore: {
 *             trustAnchors: [{
 *                 pemCertificate: std.file({
 *                     input: "test-fixtures/trust_anchor.pem",
 *                 }).then(invoke => invoke.result),
 *             }],
 *             intermediateCas: [{
 *                 pemCertificate: std.file({
 *                     input: "test-fixtures/intermediate_ca.pem",
 *                 }).then(invoke => invoke.result),
 *             }],
 *         },
 *     },
 * });
 * ```
 *
 * ## Import
 *
 * WorkloadIdentityPoolProvider can be imported using any of these accepted formats:
 *
 * * `projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}`
 * * `{{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}`
 * * `{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}`
 *
 * When using the `pulumi import` command, WorkloadIdentityPoolProvider can be imported using one of the formats above. For example:
 *
 * ```sh
 * $ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}
 * $ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default {{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}
 * $ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default {{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}
 * ```
 */
export declare class WorkloadIdentityPoolProvider extends pulumi.CustomResource {
    /**
     * Get an existing WorkloadIdentityPoolProvider resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: WorkloadIdentityPoolProviderState, opts?: pulumi.CustomResourceOptions): WorkloadIdentityPoolProvider;
    /**
     * Returns true if the given object is an instance of WorkloadIdentityPoolProvider.  This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is WorkloadIdentityPoolProvider;
    /**
     * [A Common Expression Language](https://github.com/google/cel-spec) expression, in
     * plain text, that restricts which otherwise valid authentication credentials issued by the
     * provider are accepted.
     * The expression must output a boolean representing whether to allow the federation.
     * The following keywords may be referenced in the expressions: `assertion` (the credential
     * issued by the provider, as in `assertion.ref == "refs/heads/main"`) and `attribute` (the
     * custom attributes produced by `attributeMapping`, as in `attribute.repository == ...`);
     * the API reference linked above also documents `google` for the mapped `google.*` attributes.
     * Security note: with no condition set, every credential the provider validates is accepted.
     * For an issuer shared by many tenants (e.g. the GitHub Actions issuer, which is common to all
     * repositories on github.com) that would let any tenant federate into this pool, so always
     * pin the expected repository/owner/ref, AWS role, tenant or group here.
     */
    readonly attributeCondition: pulumi.Output<string | undefined>;
    /**
     * Maps attributes from authentication credentials issued by an external identity provider
     * to Google Cloud attributes, such as `subject` and `segment`.
     * Each key must be a string specifying the Google Cloud IAM attribute to map to.
     * The following keys are supported:
     * * `google.subject`: The principal IAM is authenticating. You can reference this value
     * in IAM bindings. This is also the subject that appears in Cloud Logging logs.
     * Cannot exceed 127 characters.
     * * `google.groups`: Groups the external identity belongs to. You can grant groups
     * access to resources using an IAM `principalSet` binding; access applies to all
     * members of the group.
     * You can also provide custom attributes by specifying `attribute.{custom_attribute}`,
     * where `{custom_attribute}` is the name of the custom attribute to be mapped. You can
     * define a maximum of 50 custom attributes. The maximum length of a mapped attribute key
     * is 100 characters, and the key may only contain the characters [a-z0-9_].
     * You can reference these attributes in IAM policies to define fine-grained access for a
     * workload to Google Cloud resources. For example:
     * * `google.subject`:
     * `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}`
     * * `google.groups`:
     * `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}`
     * * `attribute.{custom_attribute}`:
     * `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}`
     * Each value must be a [Common Expression Language](https://github.com/google/cel-spec)
     * function that maps an identity provider credential to the normalized attribute specified
     * by the corresponding map key.
     * You can use the `assertion` keyword in the expression to access a JSON representation of
     * the authentication credential issued by the provider.
     * Security note: `google.subject` and `google.groups` determine which IAM principal an
     * external credential becomes, and every custom attribute can be bound via `principalSet`,
     * so derive them only from claims the issuer guarantees. When one issuer serves many
     * tenants, include a tenant-scoped component in the subject (the Azure examples above
     * prefix `assertion.tid` to `assertion.sub`) so that subjects from different tenants
     * cannot collide.
     * The maximum length of an attribute mapping expression is 2048 characters. When evaluated,
     * the total size of all mapped attributes must not exceed 8KB.
     * For AWS providers, the following rules apply:
     * - If no attribute mapping is defined, the following default mapping applies:
     * ```
     * {
     * "google.subject":"assertion.arn",
     * "attribute.aws_role":
     * "assertion.arn.contains('assumed-role')"
     * " ? assertion.arn.extract('{account_arn}assumed-role/')"
     * "   + 'assumed-role/'"
     * "   + assertion.arn.extract('assumed-role/{role_name}/')"
     * " : assertion.arn",
     * }
     * ```
     * - If any custom attribute mappings are defined, they must include a mapping to the
     * `google.subject` attribute. The default mapping (including `attribute.aws_role`) then no
     * longer applies; re-declare any of its entries your `attributeCondition` relies on.
     * For OIDC providers, the following rules apply:
     * - Custom attribute mappings must be defined, and must include a mapping to the
     * `google.subject` attribute. For example, the following maps the `sub` claim of the
     * incoming credential to the `subject` attribute on a Google token.
     * ```
     * {"google.subject": "assertion.sub"}
     * ```
     */
    readonly attributeMapping: pulumi.Output<{
        [key: string]: string;
    } | undefined>;
    /**
     * An Amazon Web Services identity provider. Not compatible with the property oidc or saml.
     * Structure is documented below.
     * Trust is expressed at the account level (`accountId`): without an `attributeCondition`,
     * any IAM principal in that account can federate (see the AWS Full example above).
     */
    readonly aws: pulumi.Output<outputs.iam.WorkloadIdentityPoolProviderAws | undefined>;
    /**
     * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE.
     * When a 'terraform destroy' or 'pulumi up' would delete the resource,
     * the command will fail if this field is set to "PREVENT" in Terraform state.
     * When set to "ABANDON", the command will remove the resource from Terraform
     * management without updating or deleting the resource in the API.
     * When set to "DELETE", deleting the resource is allowed.
     * Security note: an abandoned provider keeps exchanging tokens with the trust
     * configuration it had at abandonment, now outside infrastructure-as-code control;
     * disable or delete it through the API if that trust is no longer wanted.
     */
    readonly deletionPolicy: pulumi.Output<string>;
    /**
     * A description for the provider. Cannot exceed 256 characters.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
     * However, existing tokens still grant access.
     * Disabling is therefore not revocation: credentials already exchanged remain usable until
     * they expire. To cut off access immediately, also remove the IAM bindings granted to the
     * pool's principals.
     */
    readonly disabled: pulumi.Output<boolean | undefined>;
    /**
     * A display name for the provider. Cannot exceed 32 characters.
     */
    readonly displayName: pulumi.Output<string | undefined>;
    /**
     * The resource name of the provider as
     * `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}`.
     */
    readonly name: pulumi.Output<string>;
    /**
     * An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml.
     * Structure is documented below.
     * `issuerUri` is the trust anchor: every token it signs that passes the audience check
     * (`allowedAudiences`, when set) is eligible for exchange, so pair an issuer shared by
     * many tenants with an `attributeCondition`.
     */
    readonly oidc: pulumi.Output<outputs.iam.WorkloadIdentityPoolProviderOidc | undefined>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    readonly project: pulumi.Output<string>;
    /**
     * An SAML 2.0 identity provider. Not compatible with the property oidc or aws.
     * Structure is documented below.
     * `idpMetadataXml` carries the IdP's signing material and is the trust anchor for this
     * provider; obtain it from the IdP over a trusted channel and keep it current when the
     * IdP rotates keys.
     */
    readonly saml: pulumi.Output<outputs.iam.WorkloadIdentityPoolProviderSaml | undefined>;
    /**
     * The state of the provider.
     * * STATE_UNSPECIFIED: State unspecified.
     * * ACTIVE: The provider is active, and may be used to validate authentication credentials.
     * * DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted
     * after approximately 30 days. You can restore a soft-deleted provider using
     * UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider
     * until it is permanently deleted.
     */
    readonly state: pulumi.Output<string>;
    /**
     * The ID used for the pool, which is the final component of the pool resource name. This
     * value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
     * `gcp-` is reserved for use by Google, and may not be specified.
     */
    readonly workloadIdentityPoolId: pulumi.Output<string>;
    /**
     * The ID for the provider, which becomes the final component of the resource name. This
     * value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
     * `gcp-` is reserved for use by Google, and may not be specified.
     */
    readonly workloadIdentityPoolProviderId: pulumi.Output<string>;
    /**
     * An X.509-type identity provider represents a CA. It is trusted to assert a
     * client identity if the client has a certificate that chains up to this CA.
     * Structure is documented below.
     * Any certificate chaining to a configured trust anchor (through any listed intermediate
     * CA) is accepted, so dedicate the CA to workload identities or add an `attributeCondition`
     * on the certificate subject (the examples above map `assertion.subject.dn.cn`).
     */
    readonly x509: pulumi.Output<outputs.iam.WorkloadIdentityPoolProviderX509 | undefined>;
    /**
     * Create a WorkloadIdentityPoolProvider resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: WorkloadIdentityPoolProviderArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering WorkloadIdentityPoolProvider resources.
 */
export interface WorkloadIdentityPoolProviderState {
    /**
     * [A Common Expression Language](https://github.com/google/cel-spec) expression, in
     * plain text, that restricts which otherwise valid authentication credentials issued by the
     * provider are accepted.
     * The expression must output a boolean representing whether to allow the federation.
     * The following keywords may be referenced in the expressions: `assertion` (the credential
     * issued by the provider, as in `assertion.ref == "refs/heads/main"`) and `attribute` (the
     * custom attributes produced by `attributeMapping`, as in `attribute.repository == ...`);
     * the API reference linked above also documents `google` for the mapped `google.*` attributes.
     * Security note: with no condition set, every credential the provider validates is accepted.
     * For an issuer shared by many tenants (e.g. the GitHub Actions issuer, which is common to all
     * repositories on github.com) that would let any tenant federate into this pool, so always
     * pin the expected repository/owner/ref, AWS role, tenant or group here.
     */
    attributeCondition?: pulumi.Input<string | undefined>;
    /**
     * Maps attributes from authentication credentials issued by an external identity provider
     * to Google Cloud attributes, such as `subject` and `segment`.
     * Each key must be a string specifying the Google Cloud IAM attribute to map to.
     * The following keys are supported:
     * * `google.subject`: The principal IAM is authenticating. You can reference this value
     * in IAM bindings. This is also the subject that appears in Cloud Logging logs.
     * Cannot exceed 127 characters.
     * * `google.groups`: Groups the external identity belongs to. You can grant groups
     * access to resources using an IAM `principalSet` binding; access applies to all
     * members of the group.
     * You can also provide custom attributes by specifying `attribute.{custom_attribute}`,
     * where `{custom_attribute}` is the name of the custom attribute to be mapped. You can
     * define a maximum of 50 custom attributes. The maximum length of a mapped attribute key
     * is 100 characters, and the key may only contain the characters [a-z0-9_].
     * You can reference these attributes in IAM policies to define fine-grained access for a
     * workload to Google Cloud resources. For example:
     * * `google.subject`:
     * `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}`
     * * `google.groups`:
     * `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}`
     * * `attribute.{custom_attribute}`:
     * `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}`
     * Each value must be a [Common Expression Language](https://github.com/google/cel-spec)
     * function that maps an identity provider credential to the normalized attribute specified
     * by the corresponding map key.
     * You can use the `assertion` keyword in the expression to access a JSON representation of
     * the authentication credential issued by the provider.
     * Security note: `google.subject` and `google.groups` determine which IAM principal an
     * external credential becomes, and every custom attribute can be bound via `principalSet`,
     * so derive them only from claims the issuer guarantees. When one issuer serves many
     * tenants, include a tenant-scoped component in the subject (the Azure examples above
     * prefix `assertion.tid` to `assertion.sub`) so that subjects from different tenants
     * cannot collide.
     * The maximum length of an attribute mapping expression is 2048 characters. When evaluated,
     * the total size of all mapped attributes must not exceed 8KB.
     * For AWS providers, the following rules apply:
     * - If no attribute mapping is defined, the following default mapping applies:
     * ```
     * {
     * "google.subject":"assertion.arn",
     * "attribute.aws_role":
     * "assertion.arn.contains('assumed-role')"
     * " ? assertion.arn.extract('{account_arn}assumed-role/')"
     * "   + 'assumed-role/'"
     * "   + assertion.arn.extract('assumed-role/{role_name}/')"
     * " : assertion.arn",
     * }
     * ```
     * - If any custom attribute mappings are defined, they must include a mapping to the
     * `google.subject` attribute. The default mapping (including `attribute.aws_role`) then no
     * longer applies; re-declare any of its entries your `attributeCondition` relies on.
     * For OIDC providers, the following rules apply:
     * - Custom attribute mappings must be defined, and must include a mapping to the
     * `google.subject` attribute. For example, the following maps the `sub` claim of the
     * incoming credential to the `subject` attribute on a Google token.
     * ```
     * {"google.subject": "assertion.sub"}
     * ```
     */
    attributeMapping?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    } | undefined>;
    /**
     * An Amazon Web Services identity provider. Not compatible with the property oidc or saml.
     * Structure is documented below.
     * Trust is expressed at the account level (`accountId`): without an `attributeCondition`,
     * any IAM principal in that account can federate (see the AWS Full example above).
     */
    aws?: pulumi.Input<inputs.iam.WorkloadIdentityPoolProviderAws | undefined>;
    /**
     * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE.
     * When a 'terraform destroy' or 'pulumi up' would delete the resource,
     * the command will fail if this field is set to "PREVENT" in Terraform state.
     * When set to "ABANDON", the command will remove the resource from Terraform
     * management without updating or deleting the resource in the API.
     * When set to "DELETE", deleting the resource is allowed.
     * Security note: an abandoned provider keeps exchanging tokens with the trust
     * configuration it had at abandonment, now outside infrastructure-as-code control;
     * disable or delete it through the API if that trust is no longer wanted.
     */
    deletionPolicy?: pulumi.Input<string | undefined>;
    /**
     * A description for the provider. Cannot exceed 256 characters.
     */
    description?: pulumi.Input<string | undefined>;
    /**
     * Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
     * However, existing tokens still grant access.
     * Disabling is therefore not revocation: credentials already exchanged remain usable until
     * they expire. To cut off access immediately, also remove the IAM bindings granted to the
     * pool's principals.
     */
    disabled?: pulumi.Input<boolean | undefined>;
    /**
     * A display name for the provider. Cannot exceed 32 characters.
     */
    displayName?: pulumi.Input<string | undefined>;
    /**
     * The resource name of the provider as
     * `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}`.
     */
    name?: pulumi.Input<string | undefined>;
    /**
     * An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml.
     * Structure is documented below.
     * `issuerUri` is the trust anchor: every token it signs that passes the audience check
     * (`allowedAudiences`, when set) is eligible for exchange, so pair an issuer shared by
     * many tenants with an `attributeCondition`.
     */
    oidc?: pulumi.Input<inputs.iam.WorkloadIdentityPoolProviderOidc | undefined>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string | undefined>;
    /**
     * An SAML 2.0 identity provider. Not compatible with the property oidc or aws.
     * Structure is documented below.
     * `idpMetadataXml` carries the IdP's signing material and is the trust anchor for this
     * provider; obtain it from the IdP over a trusted channel and keep it current when the
     * IdP rotates keys.
     */
    saml?: pulumi.Input<inputs.iam.WorkloadIdentityPoolProviderSaml | undefined>;
    /**
     * The state of the provider.
     * * STATE_UNSPECIFIED: State unspecified.
     * * ACTIVE: The provider is active, and may be used to validate authentication credentials.
     * * DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted
     * after approximately 30 days. You can restore a soft-deleted provider using
     * UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider
     * until it is permanently deleted.
     */
    state?: pulumi.Input<string | undefined>;
    /**
     * The ID used for the pool, which is the final component of the pool resource name. This
     * value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
     * `gcp-` is reserved for use by Google, and may not be specified.
     */
    workloadIdentityPoolId?: pulumi.Input<string | undefined>;
    /**
     * The ID for the provider, which becomes the final component of the resource name. This
     * value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
     * `gcp-` is reserved for use by Google, and may not be specified.
     */
    workloadIdentityPoolProviderId?: pulumi.Input<string | undefined>;
    /**
     * An X.509-type identity provider represents a CA. It is trusted to assert a
     * client identity if the client has a certificate that chains up to this CA.
     * Structure is documented below.
     * Any certificate chaining to a configured trust anchor (through any listed intermediate
     * CA) is accepted, so dedicate the CA to workload identities or add an `attributeCondition`
     * on the certificate subject (the examples above map `assertion.subject.dn.cn`).
     */
    x509?: pulumi.Input<inputs.iam.WorkloadIdentityPoolProviderX509 | undefined>;
}
/**
 * The set of arguments for constructing a WorkloadIdentityPoolProvider resource.
 */
export interface WorkloadIdentityPoolProviderArgs {
    /**
     * [A Common Expression Language](https://github.com/google/cel-spec) expression, in
     * plain text, that restricts which otherwise valid authentication credentials issued by the
     * provider are accepted.
     * The expression must output a boolean representing whether to allow the federation.
     * The following keywords may be referenced in the expressions: `assertion` (the credential
     * issued by the provider, as in `assertion.ref == "refs/heads/main"`) and `attribute` (the
     * custom attributes produced by `attributeMapping`, as in `attribute.repository == ...`);
     * the API reference linked above also documents `google` for the mapped `google.*` attributes.
     * Security note: with no condition set, every credential the provider validates is accepted.
     * For an issuer shared by many tenants (e.g. the GitHub Actions issuer, which is common to all
     * repositories on github.com) that would let any tenant federate into this pool, so always
     * pin the expected repository/owner/ref, AWS role, tenant or group here.
     */
    attributeCondition?: pulumi.Input<string | undefined>;
    /**
     * Maps attributes from authentication credentials issued by an external identity provider
     * to Google Cloud attributes, such as `subject` and `segment`.
     * Each key must be a string specifying the Google Cloud IAM attribute to map to.
     * The following keys are supported:
     * * `google.subject`: The principal IAM is authenticating. You can reference this value
     * in IAM bindings. This is also the subject that appears in Cloud Logging logs.
     * Cannot exceed 127 characters.
     * * `google.groups`: Groups the external identity belongs to. You can grant groups
     * access to resources using an IAM `principalSet` binding; access applies to all
     * members of the group.
     * You can also provide custom attributes by specifying `attribute.{custom_attribute}`,
     * where `{custom_attribute}` is the name of the custom attribute to be mapped. You can
     * define a maximum of 50 custom attributes. The maximum length of a mapped attribute key
     * is 100 characters, and the key may only contain the characters [a-z0-9_].
     * You can reference these attributes in IAM policies to define fine-grained access for a
     * workload to Google Cloud resources. For example:
     * * `google.subject`:
     * `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}`
     * * `google.groups`:
     * `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}`
     * * `attribute.{custom_attribute}`:
     * `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}`
     * Each value must be a [Common Expression Language](https://github.com/google/cel-spec)
     * function that maps an identity provider credential to the normalized attribute specified
     * by the corresponding map key.
     * You can use the `assertion` keyword in the expression to access a JSON representation of
     * the authentication credential issued by the provider.
     * Security note: `google.subject` and `google.groups` determine which IAM principal an
     * external credential becomes, and every custom attribute can be bound via `principalSet`,
     * so derive them only from claims the issuer guarantees. When one issuer serves many
     * tenants, include a tenant-scoped component in the subject (the Azure examples above
     * prefix `assertion.tid` to `assertion.sub`) so that subjects from different tenants
     * cannot collide.
     * The maximum length of an attribute mapping expression is 2048 characters. When evaluated,
     * the total size of all mapped attributes must not exceed 8KB.
     * For AWS providers, the following rules apply:
     * - If no attribute mapping is defined, the following default mapping applies:
     * ```
     * {
     * "google.subject":"assertion.arn",
     * "attribute.aws_role":
     * "assertion.arn.contains('assumed-role')"
     * " ? assertion.arn.extract('{account_arn}assumed-role/')"
     * "   + 'assumed-role/'"
     * "   + assertion.arn.extract('assumed-role/{role_name}/')"
     * " : assertion.arn",
     * }
     * ```
     * - If any custom attribute mappings are defined, they must include a mapping to the
     * `google.subject` attribute. The default mapping (including `attribute.aws_role`) then no
     * longer applies; re-declare any of its entries your `attributeCondition` relies on.
     * For OIDC providers, the following rules apply:
     * - Custom attribute mappings must be defined, and must include a mapping to the
     * `google.subject` attribute. For example, the following maps the `sub` claim of the
     * incoming credential to the `subject` attribute on a Google token.
     * ```
     * {"google.subject": "assertion.sub"}
     * ```
     */
    attributeMapping?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    } | undefined>;
    /**
     * An Amazon Web Services identity provider. Not compatible with the property oidc or saml.
     * Structure is documented below.
     * Trust is expressed at the account level (`accountId`): without an `attributeCondition`,
     * any IAM principal in that account can federate (see the AWS Full example above).
     */
    aws?: pulumi.Input<inputs.iam.WorkloadIdentityPoolProviderAws | undefined>;
    /**
     * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE.
     * When a 'terraform destroy' or 'pulumi up' would delete the resource,
     * the command will fail if this field is set to "PREVENT" in Terraform state.
     * When set to "ABANDON", the command will remove the resource from Terraform
     * management without updating or deleting the resource in the API.
     * When set to "DELETE", deleting the resource is allowed.
     * Security note: an abandoned provider keeps exchanging tokens with the trust
     * configuration it had at abandonment, now outside infrastructure-as-code control;
     * disable or delete it through the API if that trust is no longer wanted.
     */
    deletionPolicy?: pulumi.Input<string | undefined>;
    /**
     * A description for the provider. Cannot exceed 256 characters.
     */
    description?: pulumi.Input<string | undefined>;
    /**
     * Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
     * However, existing tokens still grant access.
     * Disabling is therefore not revocation: credentials already exchanged remain usable until
     * they expire. To cut off access immediately, also remove the IAM bindings granted to the
     * pool's principals.
     */
    disabled?: pulumi.Input<boolean | undefined>;
    /**
     * A display name for the provider. Cannot exceed 32 characters.
     */
    displayName?: pulumi.Input<string | undefined>;
    /**
     * An OpenId Connect 1.0 identity provider. Not compatible with the property aws or saml.
     * Structure is documented below.
     * `issuerUri` is the trust anchor: every token it signs that passes the audience check
     * (`allowedAudiences`, when set) is eligible for exchange, so pair an issuer shared by
     * many tenants with an `attributeCondition`.
     */
    oidc?: pulumi.Input<inputs.iam.WorkloadIdentityPoolProviderOidc | undefined>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string | undefined>;
    /**
     * An SAML 2.0 identity provider. Not compatible with the property oidc or aws.
     * Structure is documented below.
     * `idpMetadataXml` carries the IdP's signing material and is the trust anchor for this
     * provider; obtain it from the IdP over a trusted channel and keep it current when the
     * IdP rotates keys.
     */
    saml?: pulumi.Input<inputs.iam.WorkloadIdentityPoolProviderSaml | undefined>;
    /**
     * The ID used for the pool, which is the final component of the pool resource name. This
     * value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
     * `gcp-` is reserved for use by Google, and may not be specified.
     */
    workloadIdentityPoolId: pulumi.Input<string>;
    /**
     * The ID for the provider, which becomes the final component of the resource name. This
     * value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
     * `gcp-` is reserved for use by Google, and may not be specified.
     */
    workloadIdentityPoolProviderId: pulumi.Input<string>;
    /**
     * An X.509-type identity provider represents a CA. It is trusted to assert a
     * client identity if the client has a certificate that chains up to this CA.
     * Structure is documented below.
     * Any certificate chaining to a configured trust anchor (through any listed intermediate
     * CA) is accepted, so dedicate the CA to workload identities or add an `attributeCondition`
     * on the certificate subject (the examples above map `assertion.subject.dn.cn`).
     */
    x509?: pulumi.Input<inputs.iam.WorkloadIdentityPoolProviderX509 | undefined>;
}
//# sourceMappingURL=workloadIdentityPoolProvider.d.ts.map