Resource to create OAuth 2.0 credentials #1287

Comments

@andyshinn

IAP support was added to google_compute_backend_service a while ago. But there isn't a way to create OAuth 2.0 credentials for it yet. It would be great if there was a resource to handle this so I can create IAP enabled backends where I don't have existing credentials.

Terraform Version

```
$ terraform -v
Terraform v0.11.5
+ provider.google v1.6.0
+ provider.ns1 v1.0.0
+ provider.random v1.1.0
+ provider.zerotier (unversioned)
```

Important Factoids

I can't actually find any API for managing OAuth 2.0 credentials. I am not sure if this is even possible since I can't find any API for it. Maybe this needs to be an API feature before a provider feature?

References

The IAP documentation and code PRs.

@ellmkay

ellmkay commented Apr 6, 2018

Yes, this would be really helpful, or at least some documentation detailing how this can be handled externally from terraform if this is not added.

@paddycarver
Contributor

From what I can tell, no programmatic way exists to create an API client or to retrieve the credentials of one, which kind of ties our hands here. I think the best we can do is document how to handle this manually.

@seboudry

After a little investigation I came to the same conclusion: there is no API to handle API Credentials stuff.
Too bad, we have to add manual steps and store OAuth client secrets somewhere for other automated tasks.
https://console.cloud.google.com/apis/credentials

Is there any open issue somewhere to ask Google for a Credentials API?

@paddycarver
Contributor

I'm not seeing one, but I'll admit to very light searching. https://issuetracker.google.com seems to be the appropriate place to open one.

@seboudry

I opened a feature request https://issuetracker.google.com/issues/116182848

@jwcmd

jwcmd commented Feb 12, 2020

It looks like that google issue is finally resolved!

https://issuetracker.google.com/issues/116182848#comment75

https://cloud.google.com/iap/docs/reference/rest#rest-resource:-v1.projects.brands
https://cloud.google.com/iap/docs/programmatic-oauth-clients

🎂

@seboudry

Can't wait for Terraform resources :D

@fredzqm

fredzqm commented Mar 24, 2020

Hi,
I can't wait to use this soon. Is this getting released?

I didn't see it in the release note of 3.14.0, even though it has already included the related code changes.
https://github.com/terraform-providers/terraform-provider-google/releases

@slevenick
Collaborator

Hey @fredzqm this should be included in the 3.15.0 release. There were test failures so I pulled it out of the 3.14.0

@nlamirault

@slevenick any news on this feature? Thanks.

@pdecat
Contributor

pdecat commented Apr 7, 2020

@nlamirault

@pdecat Thanks!

@MPV

MPV commented Apr 7, 2020

This sounds nice, but I'm not entirely following: how would you create and use this for using Google as an IdP/identity provider for another application?

For web applications being set up in the "api credentials in GCP" you need to provide a redirect url, but I don't see that being needed for any of the iap_* resources?

@slevenick
Collaborator

> This sounds nice, but I'm not entirely following: how would you create and use this for using Google as an IdP/identity provider for another application?
>
> For web applications being set up in the "api credentials in GCP" you need to provide a redirect url, but I don't see that being needed for any of the iap_* resources?

I'm not sure I understand your question. This resource is to allow programmatic generation of OAuth client_id and secret for use in IAP resources. Are you looking for something like the identity_platform resources? https://www.terraform.io/docs/providers/google/r/identity_platform_oauth_idp_config.html

These resources are for this flow: https://cloud.google.com/iap/docs/programmatic-oauth-clients
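For readers landing here looking for what that flow looks like end to end, the following is an added Terraform example (not code from this thread or from the provider's own docs) that creates the brand and client and feeds the generated client_id/secret straight into a backend service's `iap` block, so the secret never has to be copied by hand. The project id, e-mail addresses, resource names, and the instance group and health check referenced from the backend are placeholders/assumptions; argument names follow the `google_iap_brand`, `google_iap_client`, `google_compute_backend_service` and `google_iap_web_backend_service_iam_member` resources of the google provider (3.15.0 or later, per the comment above).

```hcl
# Added example, not from the thread: provisioning an IAP OAuth client
# programmatically and wiring it into an IAP-protected backend service.
# All ids, names and e-mail addresses below are placeholders.

resource "google_iap_brand" "app" {
  project           = "my-project-id"        # placeholder project id
  support_email     = "support@example.com"  # placeholder; a user/group the caller is allowed to use
  application_title = "Internal App"
  # Brands created through the API are org-internal only, which is what IAP needs.
}

resource "google_iap_client" "app" {
  display_name = "Internal App IAP client"
  brand        = google_iap_brand.app.name
  # Exposes client_id and secret; redirect URIs are managed by IAP itself,
  # so nothing has to be configured in the console.
}

resource "google_compute_backend_service" "app" {
  name     = "internal-app-backend"
  project  = "my-project-id"  # placeholder project id
  protocol = "HTTP"

  backend {
    group = google_compute_instance_group.app.self_link  # assumed to be defined elsewhere
  }

  health_checks = [google_compute_health_check.app.self_link]  # assumed to be defined elsewhere

  iap {
    # Reference the generated credentials directly; no manual copy of the secret.
    oauth2_client_id     = google_iap_client.app.client_id
    oauth2_client_secret = google_iap_client.app.secret
  }
}

# Grant access explicitly: enabling IAP without an IAM binding lets nobody in.
resource "google_iap_web_backend_service_iam_member" "users" {
  project             = google_compute_backend_service.app.project
  web_backend_service = google_compute_backend_service.app.name
  role                = "roles/iap.httpsResourceAccessor"
  member              = "group:app-users@example.com"  # placeholder group
}

# Only the client id is exported; the secret is deliberately not an output.
output "iap_client_id" {
  value = google_iap_client.app.client_id
}
```

Two practical notes. The `secret` attribute is sensitive, but it is still written to the Terraform state file, so the state backend has to be treated as a secret store (encryption at rest and restricted access) just as the comment above about storing client secrets implies. And, as discussed later in the thread, a client created this way only works for IAP-fronted backends, not as a general Google sign-in client for an external application.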

@em-pe

em-pe commented Apr 7, 2020

As far as I understand, when you use this resource, redirect URIs are configured automatically for IAP (and IAP only!); it's managed on Google's side.

@pietrodn

pietrodn commented Apr 7, 2020

I think that MPV is trying to configure this authentication flow.

The idea is to use IAP to provide an authentication layer for third-party SaaS web applications (example: Looker).

How can this configuration be automated in Terraform?

@MPV

MPV commented Apr 8, 2020

Would that be these resources instead?
https://www.terraform.io/docs/providers/google/r/identity_platform_oauth_idp_config.html

In order to do this, I mean (in my case as IdP for a Kubernetes cluster):
https://developers.google.com/identity/protocols/oauth2/openid-connect

I've also been wanting to do this (as IdP for an OpenShift cluster), but couldn't find any matching TF resources?
https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow#creatingcred

@MPV

MPV commented Apr 8, 2020

@pietrodn is right about what GCP configuration I'm trying to do with Terraform. 👍

I created a new issue #6074 for that now, which maybe isn't related to IAP (after reading up on that now, sorry for the confusion/mixup on my part, folks). 😊

@ghost

ghost commented Apr 11, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 11, 2020