terraform-provider-gsuite
Google Workload Identity Federation (module upgrade)
I am requesting that the terraform-provider-gsuite support Google Workload Identity Federation.
After looking at your code, it looks like the only thing that needs to be done to support this feature is to update the library "golang.org/x/oauth2/google" to the latest version. google.DefaultClient() (which you use) will automatically support Workload Identity Federation. For more information, you can see this here: https://pkg.go.dev/golang.org/x/oauth2/google
https://github.com/DeviaVir/terraform-provider-gsuite/commit/29f99d1f1f46ff93b30e76d5f791ae5e7321c098
Please give v0.1.62 a try: https://github.com/DeviaVir/terraform-provider-gsuite/releases/tag/v0.1.62
Looks like it works! Looking forward to the new version being published.
This terraform registry dying on random bs is really getting old..............
Done
@DeviaVir Unfortunately, I was incorrect. The build I ran to test this did not use workload identity federation like I thought it was because I accidentally still had GOOGLE_CREDENTIALS set to a path with a service account key in it.
The issue is that workload identity federation generally requires the use of the GOOGLE_APPLICATION_CREDENTIALS environment variable. In your code, if this environment variable is set, then this condition will be executed:
https://github.com/DeviaVir/terraform-provider-gsuite/blob/master/gsuite/config.go#L62
For this to work, we would want the following condition to run:
https://github.com/DeviaVir/terraform-provider-gsuite/blob/master/gsuite/config.go#L114
This means that there are some code changes that need to be made in order for the provider to support workload identity federation.
I'll try to find some time to work on this in the next couple of weeks and will submit a pull request once I get it working. I'll attempt to do it in such a way that existing clients do not break.
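
Added example, not part of the thread or the provider's code: a pre-flight check for the mistake described in the last comment, where a leftover service account key made a test look like it exercised workload identity federation. It relies on the "type" field of Google credential JSON files ("service_account" for an exported key, "external_account" for a federation configuration); the names `credVars`, `credentialType` and `findings` are hypothetical, and both variables are assumed to hold file paths, as in the comment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

var credVars = []string{"GOOGLE_CREDENTIALS", "GOOGLE_APPLICATION_CREDENTIALS"}

// credentialType returns the "type" field of a Google credential JSON file:
// "service_account" for an exported key, "external_account" for federation.
func credentialType(data []byte) (string, error) {
	var doc struct{ Type string `json:"type"` }
	if err := json.Unmarshal(data, &doc); err != nil {
		return "", fmt.Errorf("not credential JSON: %w", err)
	}
	return doc.Type, nil
}

// findings lists reasons a run is not a pure federation test. files maps each
// variable to the contents of the file it points to (absent key = unset).
func findings(files map[string][]byte) []string {
	var out []string
	for _, name := range credVars {
		data, set := files[name]
		if !set {
			continue
		}
		if t, err := credentialType(data); err != nil {
			out = append(out, name+": "+err.Error())
		} else if t != "external_account" {
			out = append(out, fmt.Sprintf("%s: type %q, not external_account", name, t))
		}
	}
	if _, set := files["GOOGLE_APPLICATION_CREDENTIALS"]; !set {
		out = append(out, "GOOGLE_APPLICATION_CREDENTIALS: unset")
	}
	return out
}

func main() {
	files := map[string][]byte{}
	for _, name := range credVars {
		if path := os.Getenv(name); path != "" {
			files[name], _ = os.ReadFile(path) // read error surfaces as invalid JSON
		}
	}
	fmt.Println(findings(files))
}
```

An empty result means every credential variable that is set points at a federation configuration, so a passing run cannot have fallen back to a stored key.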