Add WIF credential input to integration and export resources#417
Merged
Commit bd71f95 exposed the server-computed `wif_subject` as a read-only attribute. This commit makes WIF usable end-to-end by allowing customers to configure WIF credentials in Terraform instead of static service account JSON / IAM access keys.
- mondoo_integration_gcp, mondoo_export_gcs_bucket: `credentials.private_key` is now optional; adds `credentials.wif { audience, service_account_email }` as an alternative. ConflictsWith + AtLeastOneOf enforce exactly one auth method.
- mondoo_integration_aws: adds `credentials.wif { audience, role_arn }` alongside the existing `role` and `key` options.
- mondoo_export_bigquery: `service_account_key` is now optional with RequiresReplace dropped; adds `credentials.wif { audience, service_account_email }` gated by ExactlyOneOf so users can flip between static creds and WIF without recreating the export.
Read and ImportState round-trip the new WIF fields (wifAudience / wifServiceAccountEmail for GCP-family, wifAudience / wifRoleArn for AWS) from the server response.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Service account impersonation is an optional step for GCP workload identity federation - customers can also grant the identity pool's principal direct access to the resource. Only send the field to the server when it is set, and map an empty server response back to null in state so an unset value does not churn in subsequent plans.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
vjeffrey previously approved these changes (Apr 17, 2026)
- Replace the per-attribute ConflictsWith + AtLeastOneOf pairing with a single ExactlyOneOf ConfigValidator on the GCP integration, GCS bucket export, and AWS integration. BigQuery already used ExactlyOneOf; drop the redundant string-level ConflictsWith on its service_account_key.
- Require both WifAudience and WifRoleArn to be non-empty before importing a wif credential block on the AWS integration so a partial server response cannot write a state that fails validation on the next plan.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Follow-up to #416 (which exposed the computed `wif_subject` attribute). Makes WIF (Workload Identity Federation) configurable end-to-end for the four resources where the server supports it, so customers can run without long-lived service account JSON / IAM access keys.
- `mondoo_integration_gcp`, `mondoo_export_gcs_bucket`: static `credentials.private_key` is now optional; new `credentials.wif { audience, service_account_email }` block as an alternative. ConflictsWith + `AtLeastOneOf` enforce exactly one auth method.
- `mondoo_integration_aws`: new `credentials.wif { audience, role_arn }` alongside the existing `role` and `key` options; all three pair-wise conflict.
- `mondoo_export_bigquery`: `service_account_key` is now optional with `RequiresReplace()` dropped; new `credentials.wif { audience, service_account_email }` block gated by `ExactlyOneOf` so users can flip between static creds and WIF without recreating the export.
- `Read` and `ImportState` round-trip the new WIF fields from the server response.
- `go generate ./...`.
Examples
`mondoo_integration_gcp` WIF (no static credentials):
Static service account (unchanged behavior):
`mondoo_integration_aws` WIF:
Existing `role` and `key` options are unchanged.
`mondoo_export_gcs_bucket` WIF:
`mondoo_export_bigquery` WIF (note: `credentials` is a new top-level block added specifically to host `wif`; the static `service_account_key` stays at top level for backward compatibility):
Static service account (unchanged aside from being optional and no longer triggering replace):
Test plan
- `go build ./...` and `go vet ./...` pass (verified locally).
- `go generate ./...` regenerates docs with only the expected diff.
- `MONDOO_CONFIG_*`, not runnable locally).
- `wif_subject` populates.
- `mondoo_export_bigquery` resource from `service_account_key` to `credentials.wif` and confirm in-place update (no replace), validating the `RequiresReplace` removal.
- `service_account_key` and `credentials.wif` on `mondoo_export_bigquery` → `ExactlyOneOf` error.
- `credentials = {}` on the other three resources → `AtLeastOneOf` error.
- `role`/`key`/`wif` on `mondoo_integration_aws` → ConflictsWith error.
Notes
- `mondoo-go` bump is needed — the input / output fields are already present in the pinned version.
- `mondoo_gcs_bucket_export` resource is intentionally left untouched.
🤖 Generated with Claude Code
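An added Go illustration (not the provider's own code; `WifBlock`, `Credentials`, `ValidateExactlyOne` and `WifFromServer` are hypothetical stand-ins for the terraform-plugin-framework schema types the PR touches) of the two rules the summary, the test plan and the follow-up commits spell out: a credentials block configures exactly one auth method, and WIF fields read back from an empty or partial server response are mapped to null rather than written into a state that would fail validation on the next plan.

```go
package main

import "fmt"

// Hypothetical stand-ins (not the provider's own types) for the credentials block the
// PR adds; the real provider uses terraform-plugin-framework schema types.
type WifBlock struct {
	Audience  string
	Principal *string // GCP: optional service_account_email; AWS: required role_arn; nil = null in state
}

type Credentials struct {
	Static *string   // private_key / service_account_key: long-lived credential material
	Wif    *WifBlock // workload identity federation: no secret stored in config or state
}

// ValidateExactlyOne applies the ExactlyOneOf rule the PR settles on: a credentials
// block configures one auth method, never both and never neither.
func ValidateExactlyOne(c Credentials) error {
	n := 0
	if c.Static != nil {
		n++
	}
	if c.Wif != nil {
		n++
	}
	if n != 1 {
		return fmt.Errorf("credentials: exactly one of static or wif must be set, got %d", n)
	}
	return nil
}

// WifFromServer maps the server's wifAudience and second field (wifServiceAccountEmail
// or wifRoleArn) back to state. principalRequired is true for AWS, where role_arn is
// mandatory. Returning nil for an empty or partial response keeps Read/ImportState
// from writing a block that would fail validation on the next plan.
func WifFromServer(audience, principal string, principalRequired bool) *WifBlock {
	if audience == "" {
		return nil // WIF not configured server-side: null in state, no spurious diff
	}
	if principal == "" {
		if principalRequired {
			return nil // partial AWS response: drop the block rather than store half of it
		}
		return &WifBlock{Audience: audience} // GCP pool principal with direct access, no impersonation
	}
	return &WifBlock{Audience: audience, Principal: &principal}
}
```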