import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
* A configuration for an external identity provider.
*
* To get more information about WorkloadIdentityPoolProvider, see:
*
* * [API documentation](https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.workloadIdentityPools.providers)
* * How-to Guides
* * [Managing workload identity providers](https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers#managing_workload_identity_providers)
*
* ## Example Usage
*
* ### Iam Workload Identity Pool Provider Aws Basic
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
* const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
* workloadIdentityPoolId: pool.workloadIdentityPoolId,
* workloadIdentityPoolProviderId: "example-prvdr",
* aws: {
* accountId: "999999999999",
* },
* });
* ```
* ### Iam Workload Identity Pool Provider Aws Full
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
* const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
* workloadIdentityPoolId: pool.workloadIdentityPoolId,
* workloadIdentityPoolProviderId: "example-prvdr",
* displayName: "Name of provider",
* description: "AWS identity pool provider for automated test",
* disabled: true,
* attributeCondition: "attribute.aws_role==\"arn:aws:sts::999999999999:assumed-role/stack-eu-central-1-lambdaRole\"",
* attributeMapping: {
* "google.subject": "assertion.arn",
* "attribute.aws_account": "assertion.account",
* "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
* },
* aws: {
* accountId: "999999999999",
* },
* });
* ```
* ### Iam Workload Identity Pool Provider Github Actions
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
* const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
* workloadIdentityPoolId: pool.workloadIdentityPoolId,
* workloadIdentityPoolProviderId: "example-prvdr",
* displayName: "Name of provider",
* description: "GitHub Actions identity pool provider for automated test",
* disabled: true,
* attributeCondition: ` assertion.repository_owner_id == "123456789" &&
* attribute.repository == "gh-org/gh-repo" &&
* assertion.ref == "refs/heads/main" &&
* assertion.ref_type == "branch"
* `,
* attributeMapping: {
* "google.subject": "assertion.sub",
* "attribute.actor": "assertion.actor",
* "attribute.aud": "assertion.aud",
* "attribute.repository": "assertion.repository",
* },
* oidc: {
* issuerUri: "https://token.actions.githubusercontent.com",
* },
* });
* ```
* ### Iam Workload Identity Pool Provider Oidc Basic
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
* const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
* workloadIdentityPoolId: pool.workloadIdentityPoolId,
* workloadIdentityPoolProviderId: "example-prvdr",
* attributeMapping: {
* "google.subject": "assertion.sub",
* },
* oidc: {
* issuerUri: "https://sts.windows.net/azure-tenant-id",
* },
* });
* ```
* ### Iam Workload Identity Pool Provider Oidc Full
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
* const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
* workloadIdentityPoolId: pool.workloadIdentityPoolId,
* workloadIdentityPoolProviderId: "example-prvdr",
* displayName: "Name of provider",
* description: "OIDC identity pool provider for automated test",
* disabled: true,
* attributeCondition: "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
* attributeMapping: {
* "google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
* "attribute.tid": "assertion.tid",
* "attribute.managed_identity_name": ` {
* "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
* "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
* }[assertion.oid]
* `,
* },
* oidc: {
* allowedAudiences: [
* "https://example.com/gcp-oidc-federation",
* "example.com/gcp-oidc-federation",
* ],
* issuerUri: "https://sts.windows.net/azure-tenant-id",
* },
* });
* ```
* ### Iam Workload Identity Pool Provider Saml Basic
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
* import * as std from "@pulumi/std";
*
* const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
* const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
* workloadIdentityPoolId: pool.workloadIdentityPoolId,
* workloadIdentityPoolProviderId: "example-prvdr",
* attributeMapping: {
* "google.subject": "assertion.arn",
* "attribute.aws_account": "assertion.account",
* "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
* },
* saml: {
* idpMetadataXml: std.file({
* input: "test-fixtures/metadata.xml",
* }).then(invoke => invoke.result),
* },
* });
* ```
* ### Iam Workload Identity Pool Provider Saml Full
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
* import * as std from "@pulumi/std";
*
* const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
* const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
* workloadIdentityPoolId: pool.workloadIdentityPoolId,
* workloadIdentityPoolProviderId: "example-prvdr",
* displayName: "Name of provider",
* description: "SAML 2.0 identity pool provider for automated test",
* disabled: true,
* attributeMapping: {
* "google.subject": "assertion.arn",
* "attribute.aws_account": "assertion.account",
* "attribute.environment": "assertion.arn.contains(\":instance-profile/Production\") ? \"prod\" : \"test\"",
* },
* saml: {
* idpMetadataXml: std.file({
* input: "test-fixtures/metadata.xml",
* }).then(invoke => invoke.result),
* },
* });
* ```
* ### Iam Workload Identity Pool Provider Oidc Upload Key
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
* const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
* workloadIdentityPoolId: pool.workloadIdentityPoolId,
* workloadIdentityPoolProviderId: "example-prvdr",
* displayName: "Name of provider",
* description: "OIDC identity pool provider for automated test",
* disabled: true,
* attributeCondition: "\"e968c2ef-047c-498d-8d79-16ca1b61e77e\" in assertion.groups",
* attributeMapping: {
* "google.subject": "\"azure::\" + assertion.tid + \"::\" + assertion.sub",
* "attribute.tid": "assertion.tid",
* "attribute.managed_identity_name": ` {
* "8bb39bdb-1cc5-4447-b7db-a19e920eb111":"workload1",
* "55d36609-9bcf-48e0-a366-a3cf19027d2a":"workload2"
* }[assertion.oid]
* `,
* },
* oidc: {
* allowedAudiences: [
* "https://example.com/gcp-oidc-federation",
* "example.com/gcp-oidc-federation",
* ],
* issuerUri: "https://sts.windows.net/azure-tenant-id",
* jwksJson: "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\"}]}",
* },
* });
* ```
* ### Iam Workload Identity Pool Provider X509 Basic
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
* import * as std from "@pulumi/std";
*
* const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
* const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
* workloadIdentityPoolId: pool.workloadIdentityPoolId,
* workloadIdentityPoolProviderId: "example-prvdr",
* attributeMapping: {
* "google.subject": "assertion.subject.dn.cn",
* },
* x509: {
* trustStore: {
* trustAnchors: [{
* pemCertificate: std.file({
* input: "test-fixtures/trust_anchor.pem",
* }).then(invoke => invoke.result),
* }],
* },
* },
* });
* ```
* ### Iam Workload Identity Pool Provider X509 Full
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
* import * as std from "@pulumi/std";
*
* const pool = new gcp.iam.WorkloadIdentityPool("pool", {workloadIdentityPoolId: "example-pool"});
* const example = new gcp.iam.WorkloadIdentityPoolProvider("example", {
* workloadIdentityPoolId: pool.workloadIdentityPoolId,
* workloadIdentityPoolProviderId: "example-prvdr",
* displayName: "Name of provider",
* description: "X.509 identity pool provider for automated test",
* disabled: true,
* attributeMapping: {
* "google.subject": "assertion.subject.dn.cn",
* },
* x509: {
* trustStore: {
* trustAnchors: [{
* pemCertificate: std.file({
* input: "test-fixtures/trust_anchor.pem",
* }).then(invoke => invoke.result),
* }],
* intermediateCas: [{
* pemCertificate: std.file({
* input: "test-fixtures/intermediate_ca.pem",
* }).then(invoke => invoke.result),
* }],
* },
* },
* });
* ```
*
* ## Import
*
* WorkloadIdentityPoolProvider can be imported using any of these accepted formats:
*
* * `projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}`
*
* * `{{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}`
*
* * `{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}`
*
* When using the `pulumi import` command, WorkloadIdentityPoolProvider can be imported using one of the formats above. For example:
*
* ```sh
* $ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default projects/{{project}}/locations/global/workloadIdentityPools/{{workload_identity_pool_id}}/providers/{{workload_identity_pool_provider_id}}
* ```
*
* ```sh
* $ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default {{project}}/{{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}
* ```
*
* ```sh
* $ pulumi import gcp:iam/workloadIdentityPoolProvider:WorkloadIdentityPoolProvider default {{workload_identity_pool_id}}/{{workload_identity_pool_provider_id}}
* ```
*/
export declare class WorkloadIdentityPoolProvider extends pulumi.CustomResource {
    /**
     * Get an existing WorkloadIdentityPoolProvider resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @returns A resource object bound to the existing provider; nothing is created.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: WorkloadIdentityPoolProviderState, opts?: pulumi.CustomResourceOptions): WorkloadIdentityPoolProvider;
    /**
     * Returns true if the given object is an instance of WorkloadIdentityPoolProvider. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * @param obj The value to test; on a true result it is narrowed to WorkloadIdentityPoolProvider.
     */
    static isInstance(obj: any): obj is WorkloadIdentityPoolProvider;
    /**
     * [A Common Expression Language](https://opensource.google/projects/cel) expression, in
     * plain text, specifying which otherwise valid authentication credentials issued by the
     * provider should not be accepted.
     * The expression must output a boolean representing whether to allow the federation.
     * The following keywords may be referenced in the expressions (the generated text stops
     * here; the keyword list is in the API documentation linked in the class description):
     *
     * Undefined when no condition is configured. Since the condition is what excludes
     * otherwise-valid credentials, omitting it leaves acceptance to the mapping alone; the
     * GitHub Actions and OIDC examples in the class description show conditions that pin the
     * repository owner, repository and branch, or the assertion's group membership.
     */
    readonly attributeCondition: pulumi.Output<string | undefined>;
    /**
     * Maps attributes from authentication credentials issued by an external identity provider
     * to Google Cloud attributes, such as `subject` and `segment`.
     * Each key must be a string specifying the Google Cloud IAM attribute to map to.
     * The following keys are supported:
     * * `google.subject`: The principal IAM is authenticating. You can reference this value
     *   in IAM bindings. This is also the subject that appears in Cloud Logging logs.
     *   Cannot exceed 127 characters.
     * * `google.groups`: Groups the external identity belongs to. You can grant groups
     *   access to resources using an IAM `principalSet` binding; access applies to all
     *   members of the group.
     * You can also provide custom attributes by specifying `attribute.{custom_attribute}`,
     * where `{custom_attribute}` is the name of the custom attribute to be mapped. You can
     * define a maximum of 50 custom attributes. The maximum length of a mapped attribute key
     * is 100 characters, and the key may only contain the characters [a-z0-9_].
     * You can reference these attributes in IAM policies to define fine-grained access for a
     * workload to Google Cloud resources. For example:
     * * `google.subject`:
     *   `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}`
     * * `google.groups`:
     *   `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}`
     * * `attribute.{custom_attribute}`:
     *   `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}`
     * Each value must be a [Common Expression Language](https://opensource.google/projects/cel)
     * function that maps an identity provider credential to the normalized attribute specified
     * by the corresponding map key.
     * You can use the `assertion` keyword in the expression to access a JSON representation of
     * the authentication credential issued by the provider.
     * The maximum length of an attribute mapping expression is 2048 characters. When evaluated,
     * the total size of all mapped attributes must not exceed 8KB.
     * For AWS providers, the following rules apply:
     * - If no attribute mapping is defined, the following default mapping applies:
     *   ```
     *   {
     *     "google.subject":"assertion.arn",
     *     "attribute.aws_role":
     *       "assertion.arn.contains('assumed-role')"
     *       " ? assertion.arn.extract('{account_arn}assumed-role/')"
     *       " + 'assumed-role/'"
     *       " + assertion.arn.extract('assumed-role/{role_name}/')"
     *       " : assertion.arn",
     *   }
     *   ```
     * - If any custom attribute mappings are defined, they must include a mapping to the
     *   `google.subject` attribute.
     * For OIDC providers, the following rules apply:
     * - Custom attribute mappings must be defined, and must include a mapping to the
     *   `google.subject` attribute. For example, the following maps the `sub` claim of the
     *   incoming credential to the `subject` attribute on a Google token.
     *   ```
     *   {"google.subject": "assertion.sub"}
     *   ```
     * Because the mapped `google.subject` is the principal that IAM bindings and Cloud Logging
     * see, choose a claim that uniquely identifies the workload (the OIDC examples combine
     * tenant id and `sub` for that reason).
     */
    readonly attributeMapping: pulumi.Output<{
        [key: string]: string;
    } | undefined>;
    /**
     * An Amazon Web Services identity provider. Not compatible with the property oidc or saml.
     * Structure is documented below.
     */
    readonly aws: pulumi.Output<outputs.iam.WorkloadIdentityPoolProviderAws | undefined>;
    /**
     * A description for the provider. Cannot exceed 256 characters.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
     * However, existing tokens still grant access, so disabling a provider stops new
     * exchanges but does not revoke tokens already issued.
     */
    readonly disabled: pulumi.Output<boolean | undefined>;
    /**
     * A display name for the provider. Cannot exceed 32 characters.
     */
    readonly displayName: pulumi.Output<string | undefined>;
    /**
     * The resource name of the provider as
     * `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}`.
     * Output only; assigned by the service.
     */
    readonly name: pulumi.Output<string>;
    /**
     * An OpenID Connect 1.0 identity provider. Not compatible with the property aws or saml.
     * Structure is documented below.
     */
    readonly oidc: pulumi.Output<outputs.iam.WorkloadIdentityPoolProviderOidc | undefined>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    readonly project: pulumi.Output<string>;
    /**
     * A SAML 2.0 identity provider. Not compatible with the property oidc or aws.
     * Structure is documented below.
     */
    readonly saml: pulumi.Output<outputs.iam.WorkloadIdentityPoolProviderSaml | undefined>;
    /**
     * The state of the provider.
     * * STATE_UNSPECIFIED: State unspecified.
     * * ACTIVE: The provider is active, and may be used to validate authentication credentials.
     * * DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted
     *   after approximately 30 days. You can restore a soft-deleted provider using
     *   UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider
     *   until it is permanently deleted.
     */
    readonly state: pulumi.Output<string>;
    /**
     * The ID used for the pool, which is the final component of the pool resource name. This
     * value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
     * `gcp-` is reserved for use by Google, and may not be specified.
     */
    readonly workloadIdentityPoolId: pulumi.Output<string>;
    /**
     * The ID for the provider, which becomes the final component of the resource name. This
     * value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
     * `gcp-` is reserved for use by Google, and may not be specified.
     */
    readonly workloadIdentityPoolProviderId: pulumi.Output<string>;
    /**
     * An X.509-type identity provider represents a CA. It is trusted to assert a
     * client identity if the client has a certificate that chains up to this CA.
     * Structure is documented below.
     */
    readonly x509: pulumi.Output<outputs.iam.WorkloadIdentityPoolProviderX509 | undefined>;
    /**
     * Create a WorkloadIdentityPoolProvider resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties; exactly one of
     *   `aws`, `oidc`, `saml` or `x509` describes the external issuer (see their docs above).
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: WorkloadIdentityPoolProviderArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering WorkloadIdentityPoolProvider resources.
*/
export interface WorkloadIdentityPoolProviderState {
    /**
     * [A Common Expression Language](https://opensource.google/projects/cel) expression, in
     * plain text, specifying which otherwise valid authentication credentials issued by the
     * provider should not be accepted.
     * The expression must output a boolean representing whether to allow the federation.
     * The following keywords may be referenced in the expressions (the generated text stops
     * here; the keyword list is in the API documentation linked in the class description):
     *
     * Optional. Since the condition is what excludes otherwise-valid credentials, leaving it
     * unset leaves acceptance to the mapping alone; the GitHub Actions and OIDC examples in
     * the class description show conditions that pin the repository owner, repository and
     * branch, or the assertion's group membership.
     */
    attributeCondition?: pulumi.Input<string>;
    /**
     * Maps attributes from authentication credentials issued by an external identity provider
     * to Google Cloud attributes, such as `subject` and `segment`.
     * Each key must be a string specifying the Google Cloud IAM attribute to map to.
     * The following keys are supported:
     * * `google.subject`: The principal IAM is authenticating. You can reference this value
     *   in IAM bindings. This is also the subject that appears in Cloud Logging logs.
     *   Cannot exceed 127 characters.
     * * `google.groups`: Groups the external identity belongs to. You can grant groups
     *   access to resources using an IAM `principalSet` binding; access applies to all
     *   members of the group.
     * You can also provide custom attributes by specifying `attribute.{custom_attribute}`,
     * where `{custom_attribute}` is the name of the custom attribute to be mapped. You can
     * define a maximum of 50 custom attributes. The maximum length of a mapped attribute key
     * is 100 characters, and the key may only contain the characters [a-z0-9_].
     * You can reference these attributes in IAM policies to define fine-grained access for a
     * workload to Google Cloud resources. For example:
     * * `google.subject`:
     *   `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}`
     * * `google.groups`:
     *   `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}`
     * * `attribute.{custom_attribute}`:
     *   `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}`
     * Each value must be a [Common Expression Language](https://opensource.google/projects/cel)
     * function that maps an identity provider credential to the normalized attribute specified
     * by the corresponding map key.
     * You can use the `assertion` keyword in the expression to access a JSON representation of
     * the authentication credential issued by the provider.
     * The maximum length of an attribute mapping expression is 2048 characters. When evaluated,
     * the total size of all mapped attributes must not exceed 8KB.
     * For AWS providers, the following rules apply:
     * - If no attribute mapping is defined, the following default mapping applies:
     *   ```
     *   {
     *     "google.subject":"assertion.arn",
     *     "attribute.aws_role":
     *       "assertion.arn.contains('assumed-role')"
     *       " ? assertion.arn.extract('{account_arn}assumed-role/')"
     *       " + 'assumed-role/'"
     *       " + assertion.arn.extract('assumed-role/{role_name}/')"
     *       " : assertion.arn",
     *   }
     *   ```
     * - If any custom attribute mappings are defined, they must include a mapping to the
     *   `google.subject` attribute.
     * For OIDC providers, the following rules apply:
     * - Custom attribute mappings must be defined, and must include a mapping to the
     *   `google.subject` attribute. For example, the following maps the `sub` claim of the
     *   incoming credential to the `subject` attribute on a Google token.
     *   ```
     *   {"google.subject": "assertion.sub"}
     *   ```
     * Because the mapped `google.subject` is the principal that IAM bindings and Cloud Logging
     * see, choose a claim that uniquely identifies the workload (the OIDC examples combine
     * tenant id and `sub` for that reason).
     */
    attributeMapping?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * An Amazon Web Services identity provider. Not compatible with the property oidc or saml.
     * Structure is documented below.
     */
    aws?: pulumi.Input<inputs.iam.WorkloadIdentityPoolProviderAws>;
    /**
     * A description for the provider. Cannot exceed 256 characters.
     */
    description?: pulumi.Input<string>;
    /**
     * Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
     * However, existing tokens still grant access, so disabling a provider stops new
     * exchanges but does not revoke tokens already issued.
     */
    disabled?: pulumi.Input<boolean>;
    /**
     * A display name for the provider. Cannot exceed 32 characters.
     */
    displayName?: pulumi.Input<string>;
    /**
     * The resource name of the provider as
     * `projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}`.
     * Present here only as lookup state; it is not among the construction arguments.
     */
    name?: pulumi.Input<string>;
    /**
     * An OpenID Connect 1.0 identity provider. Not compatible with the property aws or saml.
     * Structure is documented below.
     */
    oidc?: pulumi.Input<inputs.iam.WorkloadIdentityPoolProviderOidc>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string>;
    /**
     * A SAML 2.0 identity provider. Not compatible with the property oidc or aws.
     * Structure is documented below.
     */
    saml?: pulumi.Input<inputs.iam.WorkloadIdentityPoolProviderSaml>;
    /**
     * The state of the provider.
     * * STATE_UNSPECIFIED: State unspecified.
     * * ACTIVE: The provider is active, and may be used to validate authentication credentials.
     * * DELETED: The provider is soft-deleted. Soft-deleted providers are permanently deleted
     *   after approximately 30 days. You can restore a soft-deleted provider using
     *   UndeleteWorkloadIdentityPoolProvider. You cannot reuse the ID of a soft-deleted provider
     *   until it is permanently deleted.
     * Present here only as lookup state; it is not among the construction arguments.
     */
    state?: pulumi.Input<string>;
    /**
     * The ID used for the pool, which is the final component of the pool resource name. This
     * value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
     * `gcp-` is reserved for use by Google, and may not be specified.
     */
    workloadIdentityPoolId?: pulumi.Input<string>;
    /**
     * The ID for the provider, which becomes the final component of the resource name. This
     * value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
     * `gcp-` is reserved for use by Google, and may not be specified.
     */
    workloadIdentityPoolProviderId?: pulumi.Input<string>;
    /**
     * An X.509-type identity provider represents a CA. It is trusted to assert a
     * client identity if the client has a certificate that chains up to this CA.
     * Structure is documented below.
     */
    x509?: pulumi.Input<inputs.iam.WorkloadIdentityPoolProviderX509>;
}
/**
* The set of arguments for constructing a WorkloadIdentityPoolProvider resource.
*/
export interface WorkloadIdentityPoolProviderArgs {
    /**
     * [A Common Expression Language](https://opensource.google/projects/cel) expression, in
     * plain text, specifying which otherwise valid authentication credentials issued by the
     * provider should not be accepted.
     * The expression must output a boolean representing whether to allow the federation.
     * The following keywords may be referenced in the expressions (the generated text stops
     * here; the keyword list is in the API documentation linked in the class description):
     *
     * Optional. Since the condition is what excludes otherwise-valid credentials, leaving it
     * unset leaves acceptance to the mapping alone; the GitHub Actions and OIDC examples in
     * the class description show conditions that pin the repository owner, repository and
     * branch, or the assertion's group membership.
     */
    attributeCondition?: pulumi.Input<string>;
    /**
     * Maps attributes from authentication credentials issued by an external identity provider
     * to Google Cloud attributes, such as `subject` and `segment`.
     * Each key must be a string specifying the Google Cloud IAM attribute to map to.
     * The following keys are supported:
     * * `google.subject`: The principal IAM is authenticating. You can reference this value
     *   in IAM bindings. This is also the subject that appears in Cloud Logging logs.
     *   Cannot exceed 127 characters.
     * * `google.groups`: Groups the external identity belongs to. You can grant groups
     *   access to resources using an IAM `principalSet` binding; access applies to all
     *   members of the group.
     * You can also provide custom attributes by specifying `attribute.{custom_attribute}`,
     * where `{custom_attribute}` is the name of the custom attribute to be mapped. You can
     * define a maximum of 50 custom attributes. The maximum length of a mapped attribute key
     * is 100 characters, and the key may only contain the characters [a-z0-9_].
     * You can reference these attributes in IAM policies to define fine-grained access for a
     * workload to Google Cloud resources. For example:
     * * `google.subject`:
     *   `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}`
     * * `google.groups`:
     *   `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}`
     * * `attribute.{custom_attribute}`:
     *   `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}`
     * Each value must be a [Common Expression Language](https://opensource.google/projects/cel)
     * function that maps an identity provider credential to the normalized attribute specified
     * by the corresponding map key.
     * You can use the `assertion` keyword in the expression to access a JSON representation of
     * the authentication credential issued by the provider.
     * The maximum length of an attribute mapping expression is 2048 characters. When evaluated,
     * the total size of all mapped attributes must not exceed 8KB.
     * For AWS providers, the following rules apply:
     * - If no attribute mapping is defined, the following default mapping applies:
     *   ```
     *   {
     *     "google.subject":"assertion.arn",
     *     "attribute.aws_role":
     *       "assertion.arn.contains('assumed-role')"
     *       " ? assertion.arn.extract('{account_arn}assumed-role/')"
     *       " + 'assumed-role/'"
     *       " + assertion.arn.extract('assumed-role/{role_name}/')"
     *       " : assertion.arn",
     *   }
     *   ```
     * - If any custom attribute mappings are defined, they must include a mapping to the
     *   `google.subject` attribute.
     * For OIDC providers, the following rules apply:
     * - Custom attribute mappings must be defined, and must include a mapping to the
     *   `google.subject` attribute. For example, the following maps the `sub` claim of the
     *   incoming credential to the `subject` attribute on a Google token.
     *   ```
     *   {"google.subject": "assertion.sub"}
     *   ```
     * Because the mapped `google.subject` is the principal that IAM bindings and Cloud Logging
     * see, choose a claim that uniquely identifies the workload (the OIDC examples combine
     * tenant id and `sub` for that reason).
     */
    attributeMapping?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * An Amazon Web Services identity provider. Not compatible with the property oidc or saml.
     * Structure is documented below.
     */
    aws?: pulumi.Input<inputs.iam.WorkloadIdentityPoolProviderAws>;
    /**
     * A description for the provider. Cannot exceed 256 characters.
     */
    description?: pulumi.Input<string>;
    /**
     * Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
     * However, existing tokens still grant access, so disabling a provider stops new
     * exchanges but does not revoke tokens already issued.
     */
    disabled?: pulumi.Input<boolean>;
    /**
     * A display name for the provider. Cannot exceed 32 characters.
     */
    displayName?: pulumi.Input<string>;
    /**
     * An OpenID Connect 1.0 identity provider. Not compatible with the property aws or saml.
     * Structure is documented below.
     */
    oidc?: pulumi.Input<inputs.iam.WorkloadIdentityPoolProviderOidc>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string>;
    /**
     * A SAML 2.0 identity provider. Not compatible with the property oidc or aws.
     * Structure is documented below.
     */
    saml?: pulumi.Input<inputs.iam.WorkloadIdentityPoolProviderSaml>;
    /**
     * The ID used for the pool, which is the final component of the pool resource name. This
     * value should be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
     * `gcp-` is reserved for use by Google, and may not be specified.
     * Required: the pool must already exist (the examples create it with
     * `gcp.iam.WorkloadIdentityPool` and pass its `workloadIdentityPoolId`).
     */
    workloadIdentityPoolId: pulumi.Input<string>;
    /**
     * The ID for the provider, which becomes the final component of the resource name. This
     * value must be 4-32 characters, and may contain the characters [a-z0-9-]. The prefix
     * `gcp-` is reserved for use by Google, and may not be specified.
     * Required.
     */
    workloadIdentityPoolProviderId: pulumi.Input<string>;
    /**
     * An X.509-type identity provider represents a CA. It is trusted to assert a
     * client identity if the client has a certificate that chains up to this CA.
     * Structure is documented below.
     */
    x509?: pulumi.Input<inputs.iam.WorkloadIdentityPoolProviderX509>;
}