GoogleCloudPlatform · melinath · Aug 25, 2023 · Aug 19, 2023 · Aug 19, 2023 · Aug 19, 2023
diff --git a/mmv1/products/iamworkforcepool/WorkforcePoolProvider.yaml b/mmv1/products/iamworkforcepool/WorkforcePoolProvider.yaml
@@ -70,6 +70,18 @@ examples:
       org_id: :ORG_ID
     ignore_read_extra:
       - 'oidc.0.client_secret.0.value.0.plain_text'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'iam_workforce_pool_provider_oidc_upload_key'
+    min_version: beta
+    skip_docs: true
+    primary_resource_id: 'example'
+    vars:
+      workforce_pool_id: 'example-pool'
+      provider_id: 'example-prvdr'
+    test_env_vars:
+      org_id: :ORG_ID
+    ignore_read_extra:
+      - 'oidc.0.client_secret.0.value.0.plain_text'
 custom_code: !ruby/object:Provider::Terraform::CustomCode
   constants: templates/terraform/constants/iam_workforce_pool_provider.go.erb
   decoder: templates/terraform/decoders/treat_deleted_state_as_gone.go.erb
@@ -319,3 +331,30 @@ properties:
               Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.
             required: false
             item_type: Api::Type::String
+      - !ruby/object:Api::Type::String
+        name: 'jwksJson'
+        min_version: beta
+        description: |
+          OIDC JWKs in JSON String format. For details on definition of a
+          JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
+          use the `jwks_uri` from the discovery document fetched from the
+          .well-known path for the `issuer_uri`. Currently, RSA and EC asymmetric
+          keys are supported. The JWK must use following format and include only
+          the following fields:
+          ```
+          {
+            "keys": [
+              {
+                    "kty": "RSA/EC",
+                    "alg": "<algorithm>",
+                    "use": "sig",
+                    "kid": "<key-id>",
+                    "n": "",
+                    "e": "",
+                    "x": "",
+                    "y": "",
+                    "crv": ""
+              }
+            ]
+          }
+          ```
diff --git a/mmv1/templates/terraform/examples/iam_workforce_pool_provider_oidc_upload_key.tf.erb b/mmv1/templates/terraform/examples/iam_workforce_pool_provider_oidc_upload_key.tf.erb
@@ -0,0 +1,32 @@
+resource "google_iam_workforce_pool" "pool" {
+  provider = google-beta
+
+  workforce_pool_id = "<%= ctx[:vars]["workforce_pool_id"] %>"
+  parent            = "organizations/<%= ctx[:test_env_vars]["org_id"] %>"
+  location          = "global"
+}
+
+resource "google_iam_workforce_pool_provider" "<%= ctx[:primary_resource_id] %>" {
+  provider = google-beta
+
+  workforce_pool_id  = google_iam_workforce_pool.pool.workforce_pool_id
+  location           = google_iam_workforce_pool.pool.location
+  provider_id        = "<%= ctx[:vars]["provider_id"] %>"
+  attribute_mapping  = {
+    "google.subject" = "assertion.sub"
+  }
+  oidc {
+    issuer_uri       = "https://accounts.thirdparty.com"
+    client_id        = "client-id"
+    client_secret {
+      value {
+        plain_text = "client-secret"
+      }
+    }
+    web_sso_config {
+      response_type             = "ID_TOKEN"
+      assertion_claims_behavior = "ONLY_ID_TOKEN_CLAIMS"
+    }
+    jwks_json        = "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"kid\":\"1i-PmZZrF1j2rOUAxkcQaaz3MnOXcwwziuch_XWjvqI\",\"alg\":\"RS256\",\"n\":\"kFpYE2Zm32y--cnUiFLm4cYmFO8tR4-5KU5-aqhRwiHPP0FkgdQZSoSyp_1DO6PruYfluRMviwOpbmM6LH7KemxVdxLKqLDkHSG0XC3dZkACRFNvBBOdFrvJ0ABXv3vVx592lFE0m-Je5-FerRSQCml6E7icNiTSxizEmvDsTIe8mvArjsODDrgWP25bEFwDPBd5cCl3_2gtW6YdaCRewLXdzuB5Wmp_vOu6trTUzEKbnQlWFtDDCPfOpywYXF8dY1Lbwas5iwwIZozwD2_CuTiyXa3T2_4oa119_rQrIC2BAv7q_S1Xoa2lk3q2GZUSVQ5i3gIbJuDHmp-6yh3k4w\"}]}"
+  }
+}