hashicorp · modular-magician · Feb 26, 2025 · Feb 26, 2025
@@ -0,0 +1,3 @@
+```release-note:enhancement
+iam: added `AZURE_AD_GROUPS_ID` field to `google_iam_workforce_pool_provider.extra_attributes_oauth2_client.attributes_type` resource
+```
@@ -205,12 +205,20 @@ supported with SAML and OIDC protocol.`,
 						"attributes_type": {
 							Type:         schema.TypeString,
 							Required:     true,
-							ValidateFunc: verify.ValidateEnum([]string{"AZURE_AD_GROUPS_MAIL"}),
+							ValidateFunc: verify.ValidateEnum([]string{"AZURE_AD_GROUPS_MAIL", "AZURE_AD_GROUPS_ID"}),
 							Description: `Represents the IdP and type of claims that should be fetched.
 * AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the Azure AD identity provider using configuration provided
 in ExtraAttributesOAuth2Client and 'mail' property of the 'microsoft.graph.group' object is used for claim mapping.
 See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on
-'microsoft.graph.group' properties. The attributes obtained from idntity provider are mapped to 'assertion.groups'. Possible values: ["AZURE_AD_GROUPS_MAIL"]`,
+'microsoft.graph.group' properties. The attributes obtained from idntity provider are mapped to 'assertion.groups'.
+* AZURE_AD_GROUPS_ID:  Used to get the user's group claims from the Azure AD identity provider
+using configuration provided in ExtraAttributesOAuth2Client and 'id'
+property of the 'microsoft.graph.group' object is used for claim mapping. See
+https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties
+for more details on 'microsoft.graph.group' properties. The
+group IDs obtained from Azure AD are present in 'assertion.groups' for
+OIDC providers and 'assertion.attributes.groups' for SAML providers for
+attribute mapping. Possible values: ["AZURE_AD_GROUPS_MAIL", "AZURE_AD_GROUPS_ID"]`,
 						},
 						"client_id": {
 							Type:        schema.TypeString,
@@ -264,9 +272,9 @@ See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-
 									"filter": {
 										Type:     schema.TypeString,
 										Optional: true,
-										Description: `The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the
+										Description: `The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL and AZURE_AD_GROUPS_ID, it represents the
 filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The
-groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.`,
+groups should be security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.`,
 									},
 								},
 							},

@@ -131,7 +131,7 @@ resource "google_iam_workforce_pool_provider" "example" {
           plain_text = "client-secret"
         }
       }
-    attributes_type = "AZURE_AD_GROUPS_MAIL"
+    attributes_type = "AZURE_AD_GROUPS_ID"
     query_parameters {
         filter      = "mail:gcp"
     }

@@ -574,7 +574,7 @@ resource "google_iam_workforce_pool_provider" "my_provider" {
           plain_text = "new-client-secret"
         }
       }
-    attributes_type = "AZURE_AD_GROUPS_MAIL"
+    attributes_type = "AZURE_AD_GROUPS_ID"
     query_parameters {
         filter      = "displayName:gcp"
     }

@@ -87,7 +87,7 @@ resource "google_iam_workforce_pool_provider" "example" {
           plain_text = "client-secret"
         }
       }
-    attributes_type = "AZURE_AD_GROUPS_MAIL"
+    attributes_type = "AZURE_AD_GROUPS_ID"
     query_parameters {
         filter      = "mail:gcp"
     }
@@ -517,7 +517,15 @@ The following arguments are supported:
   in ExtraAttributesOAuth2Client and `mail` property of the `microsoft.graph.group` object is used for claim mapping.
   See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on
   `microsoft.graph.group` properties. The attributes obtained from idntity provider are mapped to `assertion.groups`.
-  Possible values are: `AZURE_AD_GROUPS_MAIL`.
+  * AZURE_AD_GROUPS_ID:  Used to get the user's group claims from the Azure AD identity provider
+  using configuration provided in ExtraAttributesOAuth2Client and `id`
+  property of the `microsoft.graph.group` object is used for claim mapping. See
+  https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties
+  for more details on `microsoft.graph.group` properties. The
+  group IDs obtained from Azure AD are present in `assertion.groups` for
+  OIDC providers and `assertion.attributes.groups` for SAML providers for
+  attribute mapping.
+  Possible values are: `AZURE_AD_GROUPS_MAIL`, `AZURE_AD_GROUPS_ID`.
 
 * `query_parameters` -
   (Optional)
@@ -547,9 +555,9 @@ The following arguments are supported:
 
 * `filter` -
   (Optional)
-  The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the
+  The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL and AZURE_AD_GROUPS_ID, it represents the
   filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The
-  groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.
+  groups should be security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.
 
 ## Attributes Reference