Add WIF credential input to integration and export resources (#417)
* Add WIF credential input to integration and export resources
Commit bd71f95 exposed the server-computed `wif_subject` as a read-only
attribute. This commit makes WIF usable end-to-end by allowing customers
to configure WIF credentials in Terraform instead of static service
account JSON / IAM access keys.
- mondoo_integration_gcp, mondoo_export_gcs_bucket: `credentials.private_key`
is now optional; adds `credentials.wif { audience, service_account_email }`
as an alternative. ConflictsWith + AtLeastOneOf enforce exactly one
auth method.
- mondoo_integration_aws: adds `credentials.wif { audience, role_arn }`
alongside the existing `role` and `key` options.
- mondoo_export_bigquery: `service_account_key` is now optional with
RequiresReplace dropped; adds `credentials.wif { audience, service_account_email }`
gated by ExactlyOneOf so users can flip between static creds and WIF
without recreating the export.
Read and ImportState round-trip the new WIF fields (wifAudience /
wifServiceAccountEmail for GCP-family, wifAudience / wifRoleArn for AWS)
from the server response.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Make wif.service_account_email optional for GCP-family resources
Service account impersonation is an optional step for GCP workload
identity federation - customers can also grant the identity pool's
principal direct access to the resource. Only send the field to the
server when it is set, and map an empty server response back to null
in state so an unset value does not churn in subsequent plans.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Simplify WIF credential validators and harden AWS import
- Replace the per-attribute ConflictsWith + AtLeastOneOf pairing with a
single ExactlyOneOf ConfigValidator on the GCP integration, GCS bucket
export, and AWS integration. BigQuery already used ExactlyOneOf; drop
the redundant string-level ConflictsWith on its service_account_key.
- Require both WifAudience and WifRoleArn to be non-empty before
importing a wif credential block on the AWS integration so a partial
server response cannot write a state that fails validation on the
next plan.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
-`name` (String) A descriptive name for the integration.
39
-
-`service_account_key` (String, Sensitive) Google service account JSON key content.
40
39
41
40
### Optional
42
41
42
+
-`credentials` (Attributes) Credentials for the BigQuery export. Provide `wif` for workload identity federation instead of the top-level `service_account_key`. (see [below for nested schema](#nestedatt--credentials))
43
43
-`scope_mrn` (String) The MRN of the scope (space, organization, or platform) for the export integration.
44
+
-`service_account_key` (String, Sensitive) Google service account JSON key content. Mutually exclusive with `credentials.wif`.
44
45
-`space_id` (String, Deprecated) Mondoo space identifier. If there is no space ID, the provider space is used.
45
46
46
47
### Read-Only
47
48
48
49
-`mrn` (String) Mondoo resource name (MRN) of the integration.
49
50
-`wif_subject` (String) Computed OIDC subject used when Mondoo requests a WIF token for this integration. Configure your cloud provider's trust policy to accept this subject.
51
+
52
+
<aid="nestedatt--credentials"></a>
53
+
### Nested Schema for `credentials`
54
+
55
+
Optional:
56
+
57
+
-`wif` (Attributes) Workload identity federation configuration. Mutually exclusive with `service_account_key`. (see [below for nested schema](#nestedatt--credentials--wif))
58
+
59
+
<aid="nestedatt--credentials--wif"></a>
60
+
### Nested Schema for `credentials.wif`
61
+
62
+
Required:
63
+
64
+
-`audience` (String) WIF audience URL for GCP workload identity federation.
65
+
66
+
Optional:
67
+
68
+
-`service_account_email` (String) Optional GCP service account email to impersonate via workload identity federation.
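Review bot: the `service_account_key` and `credentials.wif` descriptions in this hunk only say the two are mutually exclusive; neither says that one of them has to be present, even though the commit message says ExactlyOneOf gates them. Suggest stating it the way the AWS `credentials` entry in this same change does, e.g. `Exactly one of \`service_account_key\` or \`credentials.wif\` must be configured.` Since RequiresReplace was dropped so the export can be switched in place, it would also help to add that `service_account_key` can be removed from the configuration once `credentials.wif` works, so the long-lived key does not linger in state after a migration.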
docs/resources/export_gcs_bucket.md: 14 additions & 2 deletions
@@ -41,7 +41,7 @@ Export data to a Google Cloud Storage bucket.
41
41
### Required
42
42
43
43
-`bucket_name` (String) Name of the Google Cloud Storage bucket to export data to.
44
-
-`credentials` (Attributes) Credentials for the Google Cloud Storage bucket. (see [below for nested schema](#nestedatt--credentials))
44
+
-`credentials` (Attributes) Credentials for the Google Cloud Storage bucket. Provide either a static service account `private_key` or a `wif` block for workload identity federation. (see [below for nested schema](#nestedatt--credentials))
45
45
-`name` (String) Name of the export integration.
46
46
47
47
### Optional
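Review bot: "Provide either a static service account `private_key` or a `wif` block" reads as a choice between two options but does not say that leaving both out is an error, and `credentials` sits under Required while both of its children are Optional. Suggest "Exactly one of `private_key` or `wif` must be set", matching the wording used for the AWS `credentials` attribute in this change.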
@@ -58,6 +58,18 @@ Export data to a Google Cloud Storage bucket.
58
58
<aid="nestedatt--credentials"></a>
59
59
### Nested Schema for `credentials`
60
60
61
+
Optional:
62
+
63
+
-`private_key` (String, Sensitive) Private key for the service account in JSON format. Mutually exclusive with `wif`.
64
+
-`wif` (Attributes) Workload identity federation configuration. Mutually exclusive with `private_key`. (see [below for nested schema](#nestedatt--credentials--wif))
65
+
66
+
<aid="nestedatt--credentials--wif"></a>
67
+
### Nested Schema for `credentials.wif`
68
+
61
69
Required:
62
70
63
-
-`private_key` (String, Sensitive) Private key for the service account in JSON format.
71
+
-`audience` (String) WIF audience URL for GCP workload identity federation.
72
+
73
+
Optional:
74
+
75
+
-`service_account_email` (String) Optional GCP service account email to impersonate via workload identity federation.
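Review bot: `service_account_email` is documented as optional, but the entry does not say what the alternative is when it is omitted. The second commit message explains it: impersonation is skipped and the workload identity pool principal must be granted access to the bucket directly. Suggest adding that to the description, e.g. `When omitted, grant the workload identity pool principal direct access to the bucket.`, so a user who leaves it out knows which identity to authorize.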
-`credentials` (Attributes) (see [below for nested schema](#nestedatt--credentials))
50
+
-`credentials` (Attributes) Credentials for the AWS integration. Exactly one of `role`, `key`, or `wif` must be configured. (see [below for nested schema](#nestedatt--credentials))
-`key` (Attributes) (see [below for nested schema](#nestedatt--credentials--key))
68
-
-`role` (Attributes) (see [below for nested schema](#nestedatt--credentials--role))
67
+
-`key` (Attributes) Static IAM access key credentials. Mutually exclusive with `role` and `wif`. (see [below for nested schema](#nestedatt--credentials--key))
68
+
-`role` (Attributes) IAM role credentials. Mutually exclusive with `key` and `wif`. (see [below for nested schema](#nestedatt--credentials--role))
69
+
-`wif` (Attributes) Workload identity federation credentials. Uses Mondoo as an OIDC identity provider to assume an IAM role via web identity. Mutually exclusive with `role` and `key`. (see [below for nested schema](#nestedatt--credentials--wif))
69
70
70
71
<aid="nestedatt--credentials--key"></a>
71
72
### Nested Schema for `credentials.key`
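Review bot: the `wif` description says Mondoo is used as the OIDC identity provider to assume the role, but gives no guidance on scoping the role's trust policy. The BigQuery doc in this same change exposes a computed `wif_subject` for exactly that purpose ("Configure your cloud provider's trust policy to accept this subject"). If the AWS integration exposes the same read-only attribute, reference it here, e.g. `Condition the role's trust policy on the computed \`wif_subject\` and on this \`audience\`.`, so that a trust policy which only matches the provider ARN does not accept tokens issued for other integrations.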
@@ -87,6 +88,15 @@ Optional:
87
88
88
89
-`external_id` (String, Sensitive)
89
90
91
+
92
+
<aid="nestedatt--credentials--wif"></a>
93
+
### Nested Schema for `credentials.wif`
94
+
95
+
Required:
96
+
97
+
-`audience` (String) Audience value configured in the AWS IAM OIDC identity provider.
98
+
-`role_arn` (String) ARN of the IAM role to assume via web identity federation.
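Review bot: `external_id` in the unchanged context just above still has no description, while the new `audience` and `role_arn` entries do. Since this file is regenerated by this change anyway, add a MarkdownDescription for `external_id` in the schema so it is not left as the only undocumented credential field in the resource.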
-`credentials` (Attributes) (see [below for nested schema](#nestedatt--credentials))
76
+
-`credentials` (Attributes) Credentials for the GCP integration. Provide either a static service account `private_key` or a `wif` block for workload identity federation. (see [below for nested schema](#nestedatt--credentials))
-`private_key` (String, Sensitive) GCP service account JSON key. Mutually exclusive with `wif`.
95
+
-`wif` (Attributes) Workload identity federation configuration. Mutually exclusive with `private_key`. (see [below for nested schema](#nestedatt--credentials--wif))
96
+
97
+
<aid="nestedatt--credentials--wif"></a>
98
+
### Nested Schema for `credentials.wif`
99
+
92
100
Required:
93
101
94
-
-`private_key` (String, Sensitive)
102
+
-`audience` (String) WIF audience URL for GCP workload identity federation.
103
+
104
+
Optional:
105
+
106
+
-`service_account_email` (String) Optional GCP service account email to impersonate via workload identity federation.
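Review bot: the same static-key input is now described three different ways across the GCP-family resources: "GCP service account JSON key" here, "Private key for the service account in JSON format" in the GCS bucket export, and "Google service account JSON key content" for BigQuery. Pick one phrasing and use it in all three schemas; if the value is the whole JSON key file, as the BigQuery wording implies, the GCS "Private key" wording is the one to drop.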
MarkdownDescription: "Google service account JSON key content.",
113
-
Required: true,
138
+
MarkdownDescription: "Google service account JSON key content. Mutually exclusive with `credentials.wif`.",
139
+
Optional: true,
114
140
Sensitive: true,
115
-
PlanModifiers: []planmodifier.String{
116
-
stringplanmodifier.RequiresReplace(),
141
+
},
142
+
"credentials": schema.SingleNestedAttribute{
143
+
MarkdownDescription: "Credentials for the BigQuery export. Provide `wif` for workload identity federation instead of the top-level `service_account_key`.",
144
+
Optional: true,
145
+
Attributes: map[string]schema.Attribute{
146
+
"wif": schema.SingleNestedAttribute{
147
+
MarkdownDescription: "Workload identity federation configuration. Mutually exclusive with `service_account_key`.",
148
+
Optional: true,
149
+
Attributes: map[string]schema.Attribute{
150
+
"audience": schema.StringAttribute{
151
+
MarkdownDescription: "WIF audience URL for GCP workload identity federation.",
152
+
Required: true,
153
+
},
154
+
"service_account_email": schema.StringAttribute{
155
+
MarkdownDescription: "Optional GCP service account email to impersonate via workload identity federation.",
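Review bot: `audience` is `Required: true` but has no validator, and in terraform-plugin-framework Required only rejects a null value, so `audience = ""` passes plan validation and would be sent to the server. The third commit added an explicit non-empty check on import for the AWS wif block for the same reason; suggest `Validators: []validator.String{stringvalidator.LengthAtLeast(1)}` on `audience` (and on `service_account_email` when it is set) so the config side is as strict as the import side. Also, with `stringplanmodifier.RequiresReplace()` dropped from `service_account_key`, the Update path now has to handle a plan that sets `credentials.wif` while removing `service_account_key`; the hunk is cut before that code, so it is worth confirming that Update sends the cleared key rather than leaving the old one on the server.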