Allow compute_backend_service.iap oauth2_client_id and oauth2_client_secret to be optional based on the recent underlying API changes

[kylgoog]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

Would like to see these two required oauth2 client parameters on the compute_backend_service resource iap block becoming optional (with the recent underlying API changes):

• compute_backend_service.iap.oauth2_client_id
• compute_backend_service.iap.oauth2_client_secret

This means a new parameter is probably required

• compute_backend_service.iap.enabled

This is necessary in order to take advantage of a recently launched feature that IAP supports the use of a Google managed OAuth2 client. The creation of a custom OAuth2 client is no longer strictly required. IAP can simply be "enabled" by using a Google managed OAuth client.

This new feature's gcloud equivalent is:
gcloud compute backend-services create backend --global --protocol=HTTPS --iap=enabled

Examples can also be found on the official doc .

The benefit of this feature is that this will skip a lot of resource configuration that would normally come with a custom OAuth2 client (google_iap_brand and its group email address, google_iap_client).

New or Affected Resource(s)

• compute_backend_service

Potential Terraform Configuration

resource "google_compute_backend_service" "default" {
 ...
  iap {
    enabled = true
  }
...
}

References

This was mentioned in an earlier issue #10614 . At that time it wasn't possible via the API. Now this is possible.

More info
https://cloud.google.com/iap/docs/custom-oauth-configuration#google_managed_oauth_client_and_custom_oauth_client_comparison

b/313620253

[SarahFrench]

Note from triage: There is a field in the API called iap.enabled that would need to be added to the resource as part of this request

[raman-nbg]

The resource google_compute_region_backend_service is affected as well.

Via gcloud CLI you can create a regional LB with IAP enabled like this:

gcloud compute backend-services create my-secure-backend-service \
  --region europe-west3 \
  --iap enabled \
  --protocol https

If somebody guides me, I want to contribute and create a PR.

For reference: There was already a similar (or even same) request a while ago: #10614

[SarahFrench]

Hi @raman-nbg - could you please create a new issue for updating the regional version of the resource? The PR that closed this issue would be a useful resource to look at when figuring out what your PR would need to contain. Once you open a PR you'll be assigned a reviewer who can give guidance!

[melinath]

Reopening this issue; the PR merged may have some issues that were not detected in review, so it's been reverted. The behavior of the iap fields is complex enough that we should make sure we know what's happening for both the global and regional resources before moving forward with implementation on either.

[kylgoog]

I don't know which version introduced this, but as of 6.6.0 I can do this in the (global) google_compute_backend_service which matches what's available via gcloud and is exactly what I wanted.

  iap {
    enabled = true
  }

[kylgoog]

I have tested it again in a fresh new project and everything is working as expected on google_compute_backend_service with google provider v6.6.0. Verified that the project has no oauth consent screen and no oauth client. The IAP works just like when it's using the Google oauth client.

The documentation is also explaining oauth2_client_id and oauth2_client_secret as optional parameters as expected.

Closing this. Thanks everyone!!!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.