diff --git a/.changelog/13183.txt b/.changelog/13183.txt new file mode 100644 index 00000000000..a402c2b6887 --- /dev/null +++ b/.changelog/13183.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +iam: added `AZURE_AD_GROUPS_ID` field to `google_iam_workforce_pool_provider.extra_attributes_oauth2_client.attributes_type` resource +``` \ No newline at end of file diff --git a/google/services/iamworkforcepool/resource_iam_workforce_pool_provider.go b/google/services/iamworkforcepool/resource_iam_workforce_pool_provider.go index 3a7b70556b9..c53aba0fc8f 100644 --- a/google/services/iamworkforcepool/resource_iam_workforce_pool_provider.go +++ b/google/services/iamworkforcepool/resource_iam_workforce_pool_provider.go @@ -205,12 +205,20 @@ supported with SAML and OIDC protocol.`, "attributes_type": { Type: schema.TypeString, Required: true, - ValidateFunc: verify.ValidateEnum([]string{"AZURE_AD_GROUPS_MAIL"}), + ValidateFunc: verify.ValidateEnum([]string{"AZURE_AD_GROUPS_MAIL", "AZURE_AD_GROUPS_ID"}), Description: `Represents the IdP and type of claims that should be fetched. * AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the Azure AD identity provider using configuration provided in ExtraAttributesOAuth2Client and 'mail' property of the 'microsoft.graph.group' object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on -'microsoft.graph.group' properties. The attributes obtained from idntity provider are mapped to 'assertion.groups'. Possible values: ["AZURE_AD_GROUPS_MAIL"]`, +'microsoft.graph.group' properties. The attributes obtained from idntity provider are mapped to 'assertion.groups'. +* AZURE_AD_GROUPS_ID: Used to get the user's group claims from the Azure AD identity provider +using configuration provided in ExtraAttributesOAuth2Client and 'id' +property of the 'microsoft.graph.group' object is used for claim mapping. See +https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties +for more details on 'microsoft.graph.group' properties. The +group IDs obtained from Azure AD are present in 'assertion.groups' for +OIDC providers and 'assertion.attributes.groups' for SAML providers for +attribute mapping. Possible values: ["AZURE_AD_GROUPS_MAIL", "AZURE_AD_GROUPS_ID"]`, }, "client_id": { Type: schema.TypeString, @@ -264,9 +272,9 @@ See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest- "filter": { Type: schema.TypeString, Optional: true, - Description: `The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the + Description: `The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL and AZURE_AD_GROUPS_ID, it represents the filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The -groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.`, +groups should be security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.`, }, }, }, diff --git a/google/services/iamworkforcepool/resource_iam_workforce_pool_provider_generated_test.go b/google/services/iamworkforcepool/resource_iam_workforce_pool_provider_generated_test.go index 9c9d390226d..0e848332e5c 100644 --- a/google/services/iamworkforcepool/resource_iam_workforce_pool_provider_generated_test.go +++ b/google/services/iamworkforcepool/resource_iam_workforce_pool_provider_generated_test.go @@ -131,7 +131,7 @@ resource "google_iam_workforce_pool_provider" "example" { plain_text = "client-secret" } } - attributes_type = "AZURE_AD_GROUPS_MAIL" + attributes_type = "AZURE_AD_GROUPS_ID" query_parameters { filter = "mail:gcp" } diff --git a/google/services/iamworkforcepool/resource_iam_workforce_pool_provider_test.go b/google/services/iamworkforcepool/resource_iam_workforce_pool_provider_test.go index 7b3b1a93217..a446ae9df11 100644 --- a/google/services/iamworkforcepool/resource_iam_workforce_pool_provider_test.go +++ b/google/services/iamworkforcepool/resource_iam_workforce_pool_provider_test.go @@ -574,7 +574,7 @@ resource "google_iam_workforce_pool_provider" "my_provider" { plain_text = "new-client-secret" } } - attributes_type = "AZURE_AD_GROUPS_MAIL" + attributes_type = "AZURE_AD_GROUPS_ID" query_parameters { filter = "displayName:gcp" } diff --git a/website/docs/r/iam_workforce_pool_provider.html.markdown b/website/docs/r/iam_workforce_pool_provider.html.markdown index 118fdc2136a..323dd043e34 100644 --- a/website/docs/r/iam_workforce_pool_provider.html.markdown +++ b/website/docs/r/iam_workforce_pool_provider.html.markdown @@ -87,7 +87,7 @@ resource "google_iam_workforce_pool_provider" "example" { plain_text = "client-secret" } } - attributes_type = "AZURE_AD_GROUPS_MAIL" + attributes_type = "AZURE_AD_GROUPS_ID" query_parameters { filter = "mail:gcp" } @@ -517,7 +517,15 @@ The following arguments are supported: in ExtraAttributesOAuth2Client and `mail` property of the `microsoft.graph.group` object is used for claim mapping. See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on `microsoft.graph.group` properties. The attributes obtained from idntity provider are mapped to `assertion.groups`. - Possible values are: `AZURE_AD_GROUPS_MAIL`. + * AZURE_AD_GROUPS_ID: Used to get the user's group claims from the Azure AD identity provider + using configuration provided in ExtraAttributesOAuth2Client and `id` + property of the `microsoft.graph.group` object is used for claim mapping. See + https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties + for more details on `microsoft.graph.group` properties. The + group IDs obtained from Azure AD are present in `assertion.groups` for + OIDC providers and `assertion.attributes.groups` for SAML providers for + attribute mapping. + Possible values are: `AZURE_AD_GROUPS_MAIL`, `AZURE_AD_GROUPS_ID`. * `query_parameters` - (Optional) @@ -547,9 +555,9 @@ The following arguments are supported: * `filter` - (Optional) - The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the + The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL and AZURE_AD_GROUPS_ID, it represents the filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The - groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details. + groups should be security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details. ## Attributes Reference