ephemeral: add google_service_account_id_token

mmv1/third_party/terraform/fwprovider/framework_provider.go.tmpl

@@ -309,6 +309,6 @@ func (p *FrameworkProvider) Functions(_ context.Context) []func() function.Funct
 // EphemeralResources defines the resources that are of ephemeral type implemented in the provider.
 func (p *FrameworkProvider) EphemeralResources(_ context.Context) []func() ephemeral.EphemeralResource {
 	return []func() ephemeral.EphemeralResource{
-        // TODO!
+        resourcemanager.GoogleEphemeralServiceAccountIdToken,
 	}
 }

mmv1/third_party/terraform/services/resourcemanager/ephemeral_google_service_account_id_token.go

@@ -0,0 +1,153 @@
+package resourcemanager
+
+import (
+	"context"
+	"fmt"
+
+	"google.golang.org/api/idtoken"
+	"google.golang.org/api/option"
+
+	"github.com/hashicorp/terraform-plugin-framework-validators/setvalidator"
+	"github.com/hashicorp/terraform-plugin-framework/ephemeral"
+	"github.com/hashicorp/terraform-plugin-framework/ephemeral/schema"
+	"github.com/hashicorp/terraform-plugin-framework/schema/validator"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/hashicorp/terraform-provider-google/google/fwmodels"
+	"github.com/hashicorp/terraform-provider-google/google/fwtransport"
+	"github.com/hashicorp/terraform-provider-google/google/fwutils"
+	"github.com/hashicorp/terraform-provider-google/google/fwvalidators"
+	"google.golang.org/api/iamcredentials/v1"
+)
+
+var _ ephemeral.EphemeralResource = &googleEphemeralServiceAccountIdToken{}
+
+func GoogleEphemeralServiceAccountIdToken() ephemeral.EphemeralResource {
+	return &googleEphemeralServiceAccountIdToken{}
+}
+
+type googleEphemeralServiceAccountIdToken struct {
+	providerConfig *fwtransport.FrameworkProviderConfig
+}
+
+func (p *googleEphemeralServiceAccountIdToken) Metadata(ctx context.Context, req ephemeral.MetadataRequest, resp *ephemeral.MetadataResponse) {
+	resp.TypeName = req.ProviderTypeName + "_service_account_id_token"
+}
+
+type ephemeralServiceAccountIdTokenModel struct {
+	TargetAudience       types.String `tfsdk:"target_audience"`
+	TargetServiceAccount types.String `tfsdk:"target_service_account"`
+	Delegates            types.Set    `tfsdk:"delegates"`
+	IncludeEmail         types.Bool   `tfsdk:"include_email"`
+	IdToken              types.String `tfsdk:"id_token"`
+}
+
+func (p *googleEphemeralServiceAccountIdToken) Schema(ctx context.Context, req ephemeral.SchemaRequest, resp *ephemeral.SchemaResponse) {
+	resp.Schema = schema.Schema{
+		Attributes: map[string]schema.Attribute{
+			"target_audience": schema.StringAttribute{
+				Required: true,
+			},
+			"target_service_account": schema.StringAttribute{
+				Optional: true,
+				Validators: []validator.String{
+					fwvalidators.ServiceAccountEmailValidator{},
+				},
+			},
+			"delegates": schema.SetAttribute{
+				Optional:    true,
+				ElementType: types.StringType,
+				Validators: []validator.Set{
+					setvalidator.ValueStringsAre(fwvalidators.ServiceAccountEmailValidator{}),
+				},
+			},
+			"include_email": schema.BoolAttribute{
+				Optional: true,
+				Computed: true,
+			},
+			"id_token": schema.StringAttribute{
+				Computed:  true,
+				Sensitive: true,
+			},
+		},
+	}
+}
+
+func (p *googleEphemeralServiceAccountIdToken) Configure(ctx context.Context, req ephemeral.ConfigureRequest, resp *ephemeral.ConfigureResponse) {
+	// Prevent panic if the provider has not been configured.
+	if req.ProviderData == nil {
+		return
+	}
+
+	pd, ok := req.ProviderData.(*fwtransport.FrameworkProviderConfig)
+	if !ok {
+		resp.Diagnostics.AddError(
+			"Unexpected Data Source Configure Type",
+			fmt.Sprintf("Expected *fwtransport.FrameworkProviderConfig, got: %T. Please report this issue to the provider developers.", req.ProviderData),
+		)
+		return
+	}
+
+	// Required for accessing userAgent and passing as an argument into a util function
+	p.providerConfig = pd
+}
+
+func (p *googleEphemeralServiceAccountIdToken) Open(ctx context.Context, req ephemeral.OpenRequest, resp *ephemeral.OpenResponse) {
+	var data ephemeralServiceAccountIdTokenModel
+
+	resp.Diagnostics.Append(req.Config.Get(ctx, &data)...)
+
+	targetAudience := data.TargetAudience.ValueString()
+	creds := fwtransport.GetCredentials(ctx, fwmodels.ProviderModel{}, false, &resp.Diagnostics)
+
+	targetServiceAccount := data.TargetServiceAccount.ValueString()
+	// If a target service account is provided, use the API to generate the idToken
+	if targetServiceAccount != "" {
+		service := p.providerConfig.NewIamCredentialsClient(p.providerConfig.UserAgent)
+		name := fmt.Sprintf("projects/-/serviceAccounts/%s", targetServiceAccount)
+		DelegatesSetValue, _ := data.Delegates.ToSetValue(ctx)
+		tokenRequest := &iamcredentials.GenerateIdTokenRequest{
+			Audience:     targetAudience,
+			IncludeEmail: data.IncludeEmail.ValueBool(),
+			Delegates:    fwutils.StringSet(DelegatesSetValue),
+		}
+		at, err := service.Projects.ServiceAccounts.GenerateIdToken(name, tokenRequest).Do()
+		if err != nil {
+			resp.Diagnostics.AddError(
+				"Error calling iamcredentials.GenerateIdToken",
+				err.Error(),
+			)
+			return
+		}
+
+		data.IdToken = types.StringValue(at.Token)
+		resp.Diagnostics.Append(resp.Result.Set(ctx, data)...)
+		return
+	}
+
+	// If no target service account, use the default credentials
+	ctx = context.Background()
+	co := []option.ClientOption{}
+	if creds.JSON != nil {
+		co = append(co, idtoken.WithCredentialsJSON(creds.JSON))
+	}
+
+	idTokenSource, err := idtoken.NewTokenSource(ctx, targetAudience, co...)
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Unable to retrieve TokenSource",
+			err.Error(),
+		)
+		return
+	}
+	idToken, err := idTokenSource.Token()
+	if err != nil {
+		resp.Diagnostics.AddError(
+			"Unable to retrieve Token",
+			err.Error(),
+		)
+		return
+	}
+
+	data.IdToken = types.StringValue(idToken.AccessToken)
+	resp.Diagnostics.Append(resp.Result.Set(ctx, data)...)
+}

mmv1/third_party/terraform/services/resourcemanager/ephemeral_google_service_account_id_token_test.go

@@ -0,0 +1,107 @@
+package resourcemanager_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+	"github.com/hashicorp/terraform-provider-google/google/envvar"
+)
+
+func TestEphemeralServiceAccountIdToken_basic(t *testing.T) {
+	t.Parallel()
+
+	serviceAccount := envvar.GetTestServiceAccountFromEnv(t)
+	targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, "idtoken", serviceAccount)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		ExternalProviders: map[string]resource.ExternalProvider{
+			"time": {},
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: testAccEphemeralServiceAccountIdToken_basic(targetServiceAccountEmail),
+			},
+		},
+	})
+}
+
+func TestEphemeralServiceAccountIdToken_withDelegates(t *testing.T) {
+	t.Parallel()
+
+	initialServiceAccount := envvar.GetTestServiceAccountFromEnv(t)
+	delegateServiceAccountEmailOne := acctest.BootstrapServiceAccount(t, "delegate1", initialServiceAccount)          // SA_2
+	delegateServiceAccountEmailTwo := acctest.BootstrapServiceAccount(t, "delegate2", delegateServiceAccountEmailOne) // SA_3
+	targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, "target", delegateServiceAccountEmailTwo)         // SA_4
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		ExternalProviders: map[string]resource.ExternalProvider{
+			"time": {},
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: testAccEphemeralServiceAccountIdToken_withDelegates(delegateServiceAccountEmailOne, delegateServiceAccountEmailTwo, targetServiceAccountEmail),
+			},
+		},
+	})
+}
+
+func TestEphemeralServiceAccountIdToken_withIncludeEmail(t *testing.T) {
+	t.Parallel()
+
+	serviceAccount := envvar.GetTestServiceAccountFromEnv(t)
+	targetServiceAccountEmail := acctest.BootstrapServiceAccount(t, "idtoken-email", serviceAccount)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		ExternalProviders: map[string]resource.ExternalProvider{
+			"time": {},
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: testAccEphemeralServiceAccountIdToken_withIncludeEmail(targetServiceAccountEmail),
+			},
+		},
+	})
+}
+
+func testAccEphemeralServiceAccountIdToken_basic(serviceAccountEmail string) string {
+	return fmt.Sprintf(`
+ephemeral "google_service_account_id_token" "token" {
+  target_service_account = "%s"
+  target_audience       = "https://example.com"
+}
+`, serviceAccountEmail)
+}
+
+func testAccEphemeralServiceAccountIdToken_withDelegates(delegateServiceAccountEmailOne, delegateServiceAccountEmailTwo, targetServiceAccountEmail string) string {
+	return fmt.Sprintf(`
+ephemeral "google_service_account_id_token" "token" {
+  target_service_account = "%s"
+  delegates = [
+    "%s",
+    "%s",
+  ]
+  target_audience       = "https://example.com"
+}
+
+# The delegation chain is:
+# SA_1 (initialServiceAccountEmail) -> SA_2 (delegateServiceAccountEmailOne) -> SA_3 (delegateServiceAccountEmailTwo) -> SA_4 (targetServiceAccountEmail)
+`, targetServiceAccountEmail, delegateServiceAccountEmailOne, delegateServiceAccountEmailTwo)
+}
+
+func testAccEphemeralServiceAccountIdToken_withIncludeEmail(serviceAccountEmail string) string {
+	return fmt.Sprintf(`
+ephemeral "google_service_account_id_token" "token" {
+  target_service_account = "%s"
+  target_audience       = "https://example.com"
+  include_email        = true
+}
+`, serviceAccountEmail)
+}