import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
* Represents a collection of external workload identities. You can define IAM policies to
* grant these identities access to Google Cloud resources.
*
* To get more information about WorkloadIdentityPool, see:
*
* * [API documentation](https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools)
* * How-to Guides
* * [Configure managed workload identity authentication for Compute Engine](https://cloud.google.com/iam/docs/create-managed-workload-identities)
* * [Configure managed workload identity authentication for GKE](https://cloud.google.com/iam/docs/create-managed-workload-identities-gke)
* * [Managing workload identity pools](https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#pools)
*
* ## Example Usage
*
* ### Iam Workload Identity Pool Basic
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const example = new gcp.iam.WorkloadIdentityPool("example", {workloadIdentityPoolId: "example-pool"});
* ```
* ### Iam Workload Identity Pool Full Federation Only Mode
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const example = new gcp.iam.WorkloadIdentityPool("example", {
* workloadIdentityPoolId: "example-pool",
* displayName: "Name of the pool",
* description: "Identity pool operates in FEDERATION_ONLY mode",
* disabled: true,
* mode: "FEDERATION_ONLY",
* });
* ```
* ### Iam Workload Identity Pool Full Trust Domain Mode
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
* import * as std from "@pulumi/std";
*
* const example = new gcp.iam.WorkloadIdentityPool("example", {
* workloadIdentityPoolId: "example-pool",
* displayName: "Name of the pool",
* description: "Identity pool operates in TRUST_DOMAIN mode",
* disabled: true,
* mode: "TRUST_DOMAIN",
* inlineCertificateIssuanceConfig: {
* caPools: {
* "us-central1": "projects/project-bar/locations/us-central1/caPools/ca-pool-bar",
* "asia-east2": "projects/project-foo/locations/asia-east2/caPools/ca-pool-foo",
* },
* lifetime: "86400s",
* rotationWindowPercentage: 50,
* keyAlgorithm: "ECDSA_P256",
* },
* inlineTrustConfig: {
* additionalTrustBundles: [
* {
* trustDomain: "example.com",
* trustAnchors: [
* {
* pemCertificate: std.file({
* input: "test-fixtures/trust_anchor_1.pem",
* }).then(invoke => invoke.result),
* },
* {
* pemCertificate: std.file({
* input: "test-fixtures/trust_anchor_2.pem",
* }).then(invoke => invoke.result),
* },
* ],
* },
* {
* trustDomain: "example.net",
* trustAnchors: [
* {
* pemCertificate: std.file({
* input: "test-fixtures/trust_anchor_3.pem",
* }).then(invoke => invoke.result),
* },
* {
* pemCertificate: std.file({
* input: "test-fixtures/trust_anchor_4.pem",
* }).then(invoke => invoke.result),
* },
* ],
* },
* ],
* },
* });
* ```
*
* ## Import
*
* WorkloadIdentityPool can be imported using any of these accepted formats:
*
* * `projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}`
*
* * `{{project}}/{{workload_identity_pool_id}}`
*
* * `{{workload_identity_pool_id}}`
*
* When using the `pulumi import` command, WorkloadIdentityPool can be imported using one of the formats above. For example:
*
* ```sh
* $ pulumi import gcp:iam/workloadIdentityPool:WorkloadIdentityPool default projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}
* ```
*
* ```sh
* $ pulumi import gcp:iam/workloadIdentityPool:WorkloadIdentityPool default {{project}}/{{workload_identity_pool_id}}
* ```
*
* ```sh
* $ pulumi import gcp:iam/workloadIdentityPool:WorkloadIdentityPool default {{workload_identity_pool_id}}
* ```
*/
export declare class WorkloadIdentityPool extends pulumi.CustomResource {
/**
 * Get an existing WorkloadIdentityPool resource's state with the given name, ID, and optional extra
 * properties used to qualify the lookup.
 *
 * This looks up a resource that already exists in the provider; it does not create or
 * modify anything.
 *
 * @param name The _unique_ name of the resulting resource.
 * @param id The _unique_ provider ID of the resource to lookup.
 * @param state Any extra arguments used during the lookup (see `WorkloadIdentityPoolState`).
 * @param opts Optional settings to control the behavior of the CustomResource.
 */
static get(name: string, id: pulumi.Input<pulumi.ID>, state?: WorkloadIdentityPoolState, opts?: pulumi.CustomResourceOptions): WorkloadIdentityPool;
/**
 * Returns true if the given object is an instance of WorkloadIdentityPool. This is designed to work even
 * when multiple copies of the Pulumi SDK have been loaded into the same process, where a plain
 * `instanceof` check would fail.
 *
 * @param obj Any value; the generated SDK types it as `any` and the predicate narrows it on success.
 */
static isInstance(obj: any): obj is WorkloadIdentityPool;
/**
 * A description of the pool. Cannot exceed 256 characters.
 */
readonly description: pulumi.Output<string | undefined>;
/**
 * Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use
 * existing tokens to access resources. If the pool is re-enabled, existing tokens grant
 * access again.
 *
 * Disabling is therefore a reversible way to cut off all federated access through this pool
 * without deleting it; it does not revoke tokens, since they become usable again on re-enable.
 */
readonly disabled: pulumi.Output<boolean | undefined>;
/**
 * A display name for the pool. Cannot exceed 32 characters.
 */
readonly displayName: pulumi.Output<string | undefined>;
/**
 * Represents configuration for generating mutual TLS (mTLS) certificates for the identities
 * within this pool. Defines the Certificate Authority (CA) pool resources and configurations
 * required for issuance and rotation of mTLS workload certificates.
 * Structure is documented below; the field types are
 * `outputs.iam.WorkloadIdentityPoolInlineCertificateIssuanceConfig` from `../types/output`.
 */
readonly inlineCertificateIssuanceConfig: pulumi.Output<outputs.iam.WorkloadIdentityPoolInlineCertificateIssuanceConfig | undefined>;
/**
 * Represents config to add additional trusted domains. Defines configuration for extending
 * trust to additional trust domains. By establishing trust with another domain, the current
 * domain will recognize and accept certificates issued by entities within the trusted domains.
 * Note that a trust domain automatically trusts itself, eliminating the need for explicit
 * configuration.
 *
 * Every trust anchor listed here becomes an accepted certificate issuer for this pool, so
 * additions widen the trust boundary and should be reviewed as such.
 * Structure is documented below; the field types are
 * `outputs.iam.WorkloadIdentityPoolInlineTrustConfig` from `../types/output`.
 */
readonly inlineTrustConfig: pulumi.Output<outputs.iam.WorkloadIdentityPoolInlineTrustConfig | undefined>;
/**
 * The mode the pool is operating in. Pools with an unspecified mode will operate as if they
 * are in `FEDERATION_ONLY` mode.
 *
 * > **Note** This field cannot be changed after the Workload Identity Pool is created. While
 * `pulumi preview` may show an update if you change this field's value, `pulumi up`
 * **will fail with an API error** (such as `Error 400: Attempted to update an immutable field.`).
 * To specify a different `mode`, please create a new Workload Identity Pool resource.
 * * `FEDERATION_ONLY`: Pools can only be used for federating external workload identities into
 * Google Cloud. Unless otherwise noted, no structure or format constraints are applied to
 * workload identities in a `FEDERATION_ONLY` mode pool, and you may not create any resources
 * within the pool besides providers.
 * * `TRUST_DOMAIN`: Pools can be used to assign identities to Google Cloud workloads. All
 * identities within a `TRUST_DOMAIN` mode pool must consist of a single namespace and individual
 * workload identifier. The subject identifier for all identities must conform to the following
 * format: `ns/<namespace>/sa/<workload_identifier>`.
 * `gcp.iam.WorkloadIdentityPoolProvider`s cannot be created within `TRUST_DOMAIN`
 * mode pools.
 * Possible values are: `FEDERATION_ONLY`, `TRUST_DOMAIN`.
 */
readonly mode: pulumi.Output<string | undefined>;
/**
 * The resource name of the pool as
 * `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}`.
 * Note that this path uses the project *number*, whereas `project` holds the project ID.
 * Read-only: assigned by the service and not settable through `WorkloadIdentityPoolArgs`.
 */
readonly name: pulumi.Output<string>;
/**
 * The ID of the project in which the resource belongs.
 * If it is not provided, the provider project is used.
 */
readonly project: pulumi.Output<string>;
/**
 * The state of the pool.
 * Read-only: reported by the service and not settable through `WorkloadIdentityPoolArgs`.
 * * `STATE_UNSPECIFIED`: State unspecified.
 * * `ACTIVE`: The pool is active, and may be used in Google Cloud policies.
 * * `DELETED`: The pool is soft-deleted. Soft-deleted pools are permanently deleted after
 * approximately 30 days. You can restore a soft-deleted pool using
 * `UndeleteWorkloadIdentityPool`. You cannot reuse the ID of a soft-deleted pool until it is
 * permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or
 * use existing tokens to access resources. If the pool is undeleted, existing tokens grant
 * access again.
 */
readonly state: pulumi.Output<string>;
/**
 * The ID to use for the pool, which becomes the final component of the resource name. This
 * value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
 * `gcp-` is reserved for use by Google, and may not be specified.
 */
readonly workloadIdentityPoolId: pulumi.Output<string>;
/**
 * Create a WorkloadIdentityPool resource with the given unique name, arguments, and options.
 *
 * @param name The _unique_ name of the resource.
 * @param args The arguments to use to populate this resource's properties. Required, because
 * `WorkloadIdentityPoolArgs.workloadIdentityPoolId` is mandatory.
 * @param opts A bag of options that control this resource's behavior.
 */
constructor(name: string, args: WorkloadIdentityPoolArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering WorkloadIdentityPool resources.
*/
export interface WorkloadIdentityPoolState {
/**
 * A description of the pool. Cannot exceed 256 characters.
 */
description?: pulumi.Input<string>;
/**
 * Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use
 * existing tokens to access resources. If the pool is re-enabled, existing tokens grant
 * access again.
 */
disabled?: pulumi.Input<boolean>;
/**
 * A display name for the pool. Cannot exceed 32 characters.
 */
displayName?: pulumi.Input<string>;
/**
 * Represents configuration for generating mutual TLS (mTLS) certificates for the identities
 * within this pool. Defines the Certificate Authority (CA) pool resources and configurations
 * required for issuance and rotation of mTLS workload certificates.
 * Structure is documented below; the field types are
 * `inputs.iam.WorkloadIdentityPoolInlineCertificateIssuanceConfig` from `../types/input`.
 */
inlineCertificateIssuanceConfig?: pulumi.Input<inputs.iam.WorkloadIdentityPoolInlineCertificateIssuanceConfig>;
/**
 * Represents config to add additional trusted domains. Defines configuration for extending
 * trust to additional trust domains. By establishing trust with another domain, the current
 * domain will recognize and accept certificates issued by entities within the trusted domains.
 * Note that a trust domain automatically trusts itself, eliminating the need for explicit
 * configuration.
 *
 * Every trust anchor listed here becomes an accepted certificate issuer for this pool, so
 * additions widen the trust boundary and should be reviewed as such.
 * Structure is documented below; the field types are
 * `inputs.iam.WorkloadIdentityPoolInlineTrustConfig` from `../types/input`.
 */
inlineTrustConfig?: pulumi.Input<inputs.iam.WorkloadIdentityPoolInlineTrustConfig>;
/**
 * The mode the pool is operating in. Pools with an unspecified mode will operate as if they
 * are in `FEDERATION_ONLY` mode.
 *
 * > **Note** This field cannot be changed after the Workload Identity Pool is created. While
 * `pulumi preview` may show an update if you change this field's value, `pulumi up`
 * **will fail with an API error** (such as `Error 400: Attempted to update an immutable field.`).
 * To specify a different `mode`, please create a new Workload Identity Pool resource.
 * * `FEDERATION_ONLY`: Pools can only be used for federating external workload identities into
 * Google Cloud. Unless otherwise noted, no structure or format constraints are applied to
 * workload identities in a `FEDERATION_ONLY` mode pool, and you may not create any resources
 * within the pool besides providers.
 * * `TRUST_DOMAIN`: Pools can be used to assign identities to Google Cloud workloads. All
 * identities within a `TRUST_DOMAIN` mode pool must consist of a single namespace and individual
 * workload identifier. The subject identifier for all identities must conform to the following
 * format: `ns/<namespace>/sa/<workload_identifier>`.
 * `gcp.iam.WorkloadIdentityPoolProvider`s cannot be created within `TRUST_DOMAIN`
 * mode pools.
 * Possible values are: `FEDERATION_ONLY`, `TRUST_DOMAIN`.
 */
mode?: pulumi.Input<string>;
/**
 * The resource name of the pool as
 * `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}`.
 * Note that this path uses the project *number*, whereas `project` holds the project ID.
 * Accepted here only to qualify a lookup; on the resource itself it is a read-only output.
 */
name?: pulumi.Input<string>;
/**
 * The ID of the project in which the resource belongs.
 * If it is not provided, the provider project is used.
 */
project?: pulumi.Input<string>;
/**
 * The state of the pool.
 * Accepted here only to qualify a lookup; on the resource itself it is a read-only output.
 * * `STATE_UNSPECIFIED`: State unspecified.
 * * `ACTIVE`: The pool is active, and may be used in Google Cloud policies.
 * * `DELETED`: The pool is soft-deleted. Soft-deleted pools are permanently deleted after
 * approximately 30 days. You can restore a soft-deleted pool using
 * `UndeleteWorkloadIdentityPool`. You cannot reuse the ID of a soft-deleted pool until it is
 * permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or
 * use existing tokens to access resources. If the pool is undeleted, existing tokens grant
 * access again.
 */
state?: pulumi.Input<string>;
/**
 * The ID to use for the pool, which becomes the final component of the resource name. This
 * value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
 * `gcp-` is reserved for use by Google, and may not be specified.
 */
workloadIdentityPoolId?: pulumi.Input<string>;
}
/**
* The set of arguments for constructing a WorkloadIdentityPool resource.
*/
export interface WorkloadIdentityPoolArgs {
/**
 * A description of the pool. Cannot exceed 256 characters.
 */
description?: pulumi.Input<string>;
/**
 * Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use
 * existing tokens to access resources. If the pool is re-enabled, existing tokens grant
 * access again.
 *
 * Disabling is therefore a reversible way to cut off all federated access through this pool
 * without deleting it; it does not revoke tokens, since they become usable again on re-enable.
 */
disabled?: pulumi.Input<boolean>;
/**
 * A display name for the pool. Cannot exceed 32 characters.
 */
displayName?: pulumi.Input<string>;
/**
 * Represents configuration for generating mutual TLS (mTLS) certificates for the identities
 * within this pool. Defines the Certificate Authority (CA) pool resources and configurations
 * required for issuance and rotation of mTLS workload certificates.
 * Structure is documented below; the field types are
 * `inputs.iam.WorkloadIdentityPoolInlineCertificateIssuanceConfig` from `../types/input`.
 */
inlineCertificateIssuanceConfig?: pulumi.Input<inputs.iam.WorkloadIdentityPoolInlineCertificateIssuanceConfig>;
/**
 * Represents config to add additional trusted domains. Defines configuration for extending
 * trust to additional trust domains. By establishing trust with another domain, the current
 * domain will recognize and accept certificates issued by entities within the trusted domains.
 * Note that a trust domain automatically trusts itself, eliminating the need for explicit
 * configuration.
 *
 * Every trust anchor listed here becomes an accepted certificate issuer for this pool, so
 * additions widen the trust boundary and should be reviewed as such.
 * Structure is documented below; the field types are
 * `inputs.iam.WorkloadIdentityPoolInlineTrustConfig` from `../types/input`.
 */
inlineTrustConfig?: pulumi.Input<inputs.iam.WorkloadIdentityPoolInlineTrustConfig>;
/**
 * The mode the pool is operating in. Pools with an unspecified mode will operate as if they
 * are in `FEDERATION_ONLY` mode.
 *
 * > **Note** This field cannot be changed after the Workload Identity Pool is created. While
 * `pulumi preview` may show an update if you change this field's value, `pulumi up`
 * **will fail with an API error** (such as `Error 400: Attempted to update an immutable field.`).
 * To specify a different `mode`, please create a new Workload Identity Pool resource.
 * * `FEDERATION_ONLY`: Pools can only be used for federating external workload identities into
 * Google Cloud. Unless otherwise noted, no structure or format constraints are applied to
 * workload identities in a `FEDERATION_ONLY` mode pool, and you may not create any resources
 * within the pool besides providers.
 * * `TRUST_DOMAIN`: Pools can be used to assign identities to Google Cloud workloads. All
 * identities within a `TRUST_DOMAIN` mode pool must consist of a single namespace and individual
 * workload identifier. The subject identifier for all identities must conform to the following
 * format: `ns/<namespace>/sa/<workload_identifier>`.
 * `gcp.iam.WorkloadIdentityPoolProvider`s cannot be created within `TRUST_DOMAIN`
 * mode pools.
 * Possible values are: `FEDERATION_ONLY`, `TRUST_DOMAIN`.
 */
mode?: pulumi.Input<string>;
/**
 * The ID of the project in which the resource belongs.
 * If it is not provided, the provider project is used.
 */
project?: pulumi.Input<string>;
/**
 * The ID to use for the pool, which becomes the final component of the resource name. This
 * value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
 * `gcp-` is reserved for use by Google, and may not be specified.
 *
 * This is the only required argument; `name` and `state` are not accepted here and appear
 * only as read-only outputs on `WorkloadIdentityPool`.
 */
workloadIdentityPoolId: pulumi.Input<string>;
}