terraform-provider-google

Allow configuring Identity-Aware Proxy (IAP) customization settings

Open tbcardoso opened this issue 5 years ago • 9 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

It would be useful to have a resource that configures the Identity-Aware Proxy (IAP) customization settings described in https://cloud.google.com/iap/docs/customizing.

For example, we need to let some IAP proxies pass through HTTP OPTIONS requests. For that, we need to set access_settings.cors_settings.allow_http_options to true.

New or Affected Resource(s)

  • google_iap_settings (new resource)

Potential Terraform Configuration

resource "google_iap_settings" "allow_cors" {
  resource_type = "compute"
  service       = google_compute_backend_service.istio_global_http_iap_bes.self_link

  accessSettings {
    corsSettings {
      allowHttpOptions = true
    }
  }
}

Workaround

It's possible to work around this limitation by using a null resource with a local-exec provisioner:

locals {
  # YAML document passed to `gcloud iap settings set` via stdin below
  bes_iap_settings = <<-EOT
  accessSettings:
    corsSettings:
      allowHttpOptions: true
  EOT
}

resource "null_resource" "iap_settings" {
  triggers = {
    bes_iap_settings = local.bes_iap_settings
    project_id       = data.google_project.project.project_id
    bes_name         = google_compute_backend_service.bes.name
  }

  provisioner "local-exec" {
    command = <<-EOT
    echo '${local.bes_iap_settings}' | \
    gcloud iap settings set /dev/stdin \
      --project=${data.google_project.project.project_id} \
      --resource-type=compute \
      --service=${google_compute_backend_service.bes.name}
    EOT
  }
}

References

  • ~b/194854185~

b/305197972

tbcardoso avatar May 27 '20 17:05 tbcardoso
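
The null_resource workaround above only re-runs gcloud when one of its triggers changes, so an IAP setting altered outside Terraform goes unnoticed. As an added example (not part of the original issue or of the provider's code), the following Python compares the managed settings with a JSON document such as `gcloud iap settings get ... --format=json` would return; the function names are hypothetical, both sample documents are constructed, and the JSON shape is assumed to follow the IapSettings REST resource.

```python
import json

# Constructed sample: the settings the workaround manages (the YAML heredoc
# from the issue, expressed as JSON).
DESIRED = json.loads('{"accessSettings": {"corsSettings": {"allowHttpOptions": true}}}')

# Constructed sample of a live settings document after an out-of-band change.
# The "name" value is a placeholder, not a real resource.
ACTUAL = json.loads("""{
  "name": "projects/PROJECT_NUMBER/iap_web/compute/services/SERVICE_ID",
  "accessSettings": {
    "corsSettings": {"allowHttpOptions": false},
    "allowedDomainsSettings": {"enable": true, "domains": ["example.com"]}
  }
}""")


def find_drift(desired, actual, path=""):
    """Return (path, desired, actual) for every managed leaf that differs.

    Only keys present in `desired` are compared. A managed key that is
    missing from `actual` is reported with actual=None.
    """
    drift = []
    for key, want in desired.items():
        here = f"{path}.{key}" if path else key
        have = actual.get(key) if isinstance(actual, dict) else None
        if isinstance(want, dict):
            drift.extend(find_drift(want, have if isinstance(have, dict) else {}, here))
        elif want != have:
            drift.append((here, want, have))
    return drift


def unmanaged_keys(desired, actual, path=""):
    """List setting paths set in `actual` that `desired` does not manage."""
    extra = []
    for key, have in actual.items():
        here = f"{path}.{key}" if path else key
        if key not in desired and (path or key != "name"):  # skip resource name
            extra.append(here)
        elif isinstance(have, dict) and isinstance(desired.get(key), dict):
            extra.extend(unmanaged_keys(desired[key], have, here))
    return extra


if __name__ == "__main__":
    for p, want, have in find_drift(DESIRED, ACTUAL):
        print(f"DRIFT {p}: desired={want!r} actual={have!r}")
    for p in unmanaged_keys(DESIRED, ACTUAL):
        print(f"UNMANAGED {p}")
```
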

The resource documentation can be found at https://cloud.google.com/iap/docs/reference/rest/v1/IapSettings

We are mainly interested in the accessSettings.gcipSettings and not the accessSettings.corsSettings from this original request. But I hope all fields of IapSettings will be included if this resource is created.

wvanderdeijl avatar Feb 19 '21 14:02 wvanderdeijl

Any updates on this?

dinvlad avatar Apr 01 '21 06:04 dinvlad

Please also add support for PolicyDelegationSettings.

This bug should be linked: https://b.corp.google.com/issues/195649321

sankit2020 avatar Aug 06 '21 21:08 sankit2020

I am also interested, as @wvanderdeijl, in accessSettings.gcipSettings. Any updates?

maucaro avatar Oct 24 '22 11:10 maucaro

I am interested in this. I would like to be able to set the default cookie domain for IAP at a project level.

Ironlink avatar Nov 13 '23 09:11 Ironlink

We'd also be interested in this, especially allowed_domains_settings.

MattiasOlla avatar Nov 15 '23 08:11 MattiasOlla

plus 1. thank you.

markConklin avatar Jan 31 '24 21:01 markConklin

It's been nearly 4 years.. will this ever be added?

jacobshirley avatar Mar 24 '24 18:03 jacobshirley

++

rdiers avatar May 06 '24 19:05 rdiers