
Add WIF authentication fields to dbtcloud_bigquery_credential #686

@mariusostby

Is your feature request related to a problem? Please describe.

When managing BigQuery connections with Workload Identity Federation (WIF), the dbtcloud_global_connection resource supports WIF configuration, but dbtcloud_bigquery_credential does not expose the credential-level fields required to complete WIF setup.
This means credentials created via Terraform default to service account JSON auth, even when the connection is configured for WIF. The credential must be manually patched via direct API calls to enable WIF authentication.

Describe the solution you'd like

Add WIF-related fields to dbtcloud_bigquery_credential:

  • auth_type — authentication method, one of service-account-json, oauth-secrets, or external-oauth-wif
  • workload_pool_provider_path — the fully qualified WIF provider resource name (e.g., //iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/my-pool/providers/my-provider)

These map to the credential_details.fields structure in the v3 API:

{
  "credential_details": {
    "fields": {
      "auth_type": { "value": "external-oauth-wif" },
      "workload_pool_provider_path": { "value": "//iam.googleapis.com/..." }
    }
  }
}

Describe alternatives you've considered

  • Direct API calls via shell script — We currently run an idempotent shell script after terraform apply that POSTs to /api/v3/accounts/{account_id}/projects/{project_id}/credentials/{credential_id}/ with the full credential_details.fields payload. This works but breaks the Terraform-as-source-of-truth model and adds operational complexity.
  • dbtcloud_extended_attributes — We tried attaching auth_type and workload_pool_provider_path via extended attributes on the profile, but these map to profiles.yml runtime keys and do not set the underlying credential's auth_type in the API.

Additional context

Related: #584 added WIF support to dbtcloud_global_connection. This request completes WIF support on the credential side.
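
An added example, not part of the original issue or the provider's code: a drift check that decides whether a credential still needs the credential_details.fields patch described above, and rejects a malformed provider path before anything is sent. The function names are hypothetical, the read-back credential is assumed to use the same layout as the payload in the issue, and the path pattern is an assumption derived from the issue's example path.

```python
import re

# Values listed in the issue for auth_type.
AUTH_TYPES = {"service-account-json", "oauth-secrets", "external-oauth-wif"}

# Assumed shape, taken from the issue's example path (numeric project, global location).
PROVIDER_PATH_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/\d+/locations/global"
    r"/workloadIdentityPools/[a-z0-9-]+/providers/[a-z0-9-]+$"
)


def desired_fields(auth_type, provider_path=None):
    """Build the credential_details.fields mapping shown in the issue."""
    if auth_type not in AUTH_TYPES:
        raise ValueError(f"unknown auth_type: {auth_type!r}")
    fields = {"auth_type": {"value": auth_type}}
    if auth_type == "external-oauth-wif":
        if not provider_path or not PROVIDER_PATH_RE.match(provider_path):
            raise ValueError(f"malformed WIF provider path: {provider_path!r}")
        fields["workload_pool_provider_path"] = {"value": provider_path}
    elif provider_path:
        raise ValueError("provider path is only meaningful with external-oauth-wif")
    return fields


def plan_patch(current, auth_type, provider_path=None):
    """Return the payload to send, or None when the credential already matches.

    `current` is the credential as read back from the API; it is assumed
    (hypothetically) to use the same credential_details.fields layout.
    """
    want = desired_fields(auth_type, provider_path)
    have = current.get("credential_details", {}).get("fields", {})
    drift = {k: v for k, v in want.items()
             if have.get(k, {}).get("value") != v["value"]}
    if not drift:
        return None
    return {"credential_details": {"fields": want}}


# Constructed sample: a credential left on the service-account-json default.
PATH = ("//iam.googleapis.com/projects/123/locations/global"
        "/workloadIdentityPools/my-pool/providers/my-provider")
STALE = {"credential_details": {"fields": {"auth_type": {"value": "service-account-json"}}}}

if __name__ == "__main__":
    print(plan_patch(STALE, "external-oauth-wif", PATH))
```

Running the same check in CI against every BigQuery credential flags any that silently fell back to service account JSON auth while the connection is configured for WIF.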
