From efbaa732400daba304f80654eba364a46f4e51d5 Mon Sep 17 00:00:00 2001 From: Sarah French <15078782+SarahFrench@users.noreply.github.com> Date: Mon, 2 Dec 2024 15:54:35 +0000 Subject: [PATCH] Update documentation for ephemeral resources: remove broken examples, add notes, misc fixes (#12448) --- ...service_account_access_token.html.markdown | 4 --- .../service_account_id_token.html.markdown | 31 +++++-------------- .../service_account_jwt.html.markdown | 2 ++ .../service_account_key.html.markdown | 3 ++ 4 files changed, 12 insertions(+), 28 deletions(-) diff --git a/mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_access_token.html.markdown b/mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_access_token.html.markdown index c51a08df48e0..c6627448a818 100644 --- a/mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_access_token.html.markdown +++ b/mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_access_token.html.markdown @@ -35,10 +35,6 @@ In the example below, `google_project` will run as `service_B`. provider "google" { } -data "google_client_config" "default" { - provider = google -} - ephemeral "google_service_account_access_token" "default" { provider = google target_service_account = "service_B@projectB.iam.gserviceaccount.com" diff --git a/mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_id_token.html.markdown b/mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_id_token.html.markdown index 00cd9c30b0e4..0e9e15b5cf8a 100644 --- a/mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_id_token.html.markdown +++ b/mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_id_token.html.markdown 
@@ -12,6 +12,9 @@ For more information see [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html#IDToken). ## Example Usage - ServiceAccount JSON credential file. + +-> **Note:** If you run this example configuration you will be able to see ephemeral.google_service_account_id_token.oidc in terraform plan and apply terminal output but you will not see it in state, as ephemeral resources are excluded from state. In future, when write-only attributes are added to resources in the Google provider, ephemeral resources such as google_service_account_id_token could be used to set field values when creating managed resources. + `google_service_account_id_token` will use the configured [provider credentials](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#credentials-1) ```hcl 
@@ -21,7 +24,10 @@ For more information see ``` ## Example Usage - Service Account Impersonation. - `google_service_account_access_token` will use background impersonated credentials provided by [google_service_account_access_token](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/service_account_access_token). + +-> **Note:** If you run this example configuration you will be able to see ephemeral.google_service_account_id_token.oidc in terraform plan and apply terminal output but you will not see it in state, as ephemeral resources are excluded from state. In future, when write-only attributes are added to resources in the Google provider, ephemeral resources such as google_service_account_id_token could be used to set field values when creating managed resources. + + Ephemeral resource `google_service_account_id_token` will use background impersonated credentials provided by [google_service_account_access_token](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/service_account_access_token). Note: to use the following, you must grant `target_service_account` the `roles/iam.serviceAccountTokenCreator` role on itself. @@ -50,29 +56,6 @@ For more information see ``` -## Example Usage - Invoking Cloud Run Endpoint - - The following configuration will invoke [Cloud Run](https://cloud.google.com/run/docs/authenticating/service-to-service) endpoint where the service account for Terraform has been granted `roles/run.invoker` role previously. - -```hcl - -ephemeral "google_service_account_id_token" "oidc" { - target_audience = "https://your.cloud.run.app/" -} - -data "http" "cloudrun" { - url = "https://your.cloud.run.app/" - request_headers = { - Authorization = "Bearer ${ephemeral.google_service_account_id_token.oidc.id_token}" - } -} - - -output "cloud_run_response" { - value = data.http.cloudrun.body -} -``` - ## Argument Reference The following arguments are supported: 
diff --git a/mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_jwt.html.markdown b/mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_jwt.html.markdown index ea9d1413cf3d..ef0f90a609e1 100644 --- a/mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_jwt.html.markdown +++ b/mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_jwt.html.markdown @@ -10,6 +10,8 @@ This ephemeral resource provides a [self-signed JWT](https://cloud.google.com/ia ## Example Usage +-> **Note:** If you run this example configuration you will be able to see ephemeral.google_service_account_jwt.foo in terraform plan and apply terminal output but you will not see it in state, as ephemeral resources are excluded from state. In future, when write-only attributes are added to resources in the Google provider, ephemeral resources such as google_service_account_jwt could be used to set field values when creating managed resources. + Note: in order to use the following, the caller must have _at least_ `roles/iam.serviceAccountTokenCreator` on the `target_service_account`. ```hcl diff --git a/mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_key.html.markdown b/mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_key.html.markdown index 70840675f6ac..43b2cef15938 100644 --- a/mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_key.html.markdown +++ b/mmv1/third_party/terraform/website/docs/ephemeral-resources/service_account_key.html.markdown 
@@ -10,6 +10,9 @@ Get an ephemeral service account public key. For more information, see [the offi ## Example Usage +-> **Note:** If you run this example configuration you will be able to see ephemeral.google_service_account_key.mykey in terraform plan and apply terminal output but you will not see it in state, as ephemeral resources are excluded from state. In future, when write-only attributes are added to resources in the Google provider, ephemeral resources such as google_service_account_key could be used to set field values when creating managed resources. + + ```hcl resource "google_service_account" "myaccount" { account_id = "dev-foo-account"
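Review bot: In the `service_account_access_token.html.markdown` hunk (`@@ -35,10 +35,6 @@`), the `data "google_client_config" "default"` block is removed but the visible context only shows the bare `provider "google" { }` block and the start of the ephemeral resource, so the hunk does not show whether anything further down the example still references `data.google_client_config.default` (a second provider alias taking its `access_token`, for instance). Please confirm the remaining example still plans cleanly after the removal, or widen the hunk so the reviewer can see that nothing else depends on it.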
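Review bot: The note added in `service_account_id_token.html.markdown` (`@@ -12,6 +12,9 @@`) leaves the resource address and the CLI commands as bare prose and has a couple of grammar slips; suggest wrapping identifiers in backticks and tightening the wording, e.g. `-> **Note:** If you run this example configuration you will see \`ephemeral.google_service_account_id_token.oidc\` in the \`terraform plan\` and \`terraform apply\` output, but it will not appear in state, as ephemeral resources are excluded from state. In the future, when write-only attributes are added to resources in the Google provider, ...`. The same paragraph is pasted verbatim into all four files with only the resource address changed, so any later wording fix has to be applied four times; if the docs tooling supports a shared snippet or partial, this is a good candidate for one.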
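Review bot: In the `@@ -21,7 +24,10 @@` hunk of `service_account_id_token.html.markdown`, the reworded sentence now correctly names `google_service_account_id_token` as the ephemeral resource, but it still links `google_service_account_access_token` to the data source page (`.../docs/data-sources/service_account_access_token`) even though this same patch documents an ephemeral `google_service_account_access_token` in the `ephemeral-resources` directory; check which of the two the example block below actually uses for the impersonation step and link to that one. Also, the unchanged `Note: to use the following, you must grant ...` line now sits directly under the new `-> **Note:**` callout, so two notes in two different styles appear back to back; converting the existing one to the callout form would keep the page consistent.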
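Review bot: The `@@ -50,29 +56,6 @@` hunk deletes the "Invoking Cloud Run Endpoint" example outright, and the only explanation is the word "broken" in the subject line; readers who saw the old page will not learn why it went away and may reconstruct it. The removed lines themselves show the problem: the ephemeral `id_token` is passed into a `data "http"` argument and the response is then surfaced through an ordinary `output`, neither of which is an ephemeral context, so the values would not stay out of plan and state (and, as far as I know, referencing an ephemeral value from a non-ephemeral `data` block is not accepted by Terraform at all). Suggest leaving a one-sentence note in the "Example Usage" section along the lines of "ephemeral values can only be consumed by ephemeral contexts such as provider configuration, other ephemeral resources and, once available, write-only attributes", so the deletion is self-explanatory.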
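Review bot: In `service_account_jwt.html.markdown` (`@@ -10,6 +10,8 @@`) the new `-> **Note:**` callout is inserted immediately above the existing plain-text `Note: in order to use the following, the caller must have _at least_ ...` line, giving two consecutive notes in different styles. Either merge the two into one callout or convert the existing line to the `->` form so the section reads as one block; the same "In future" / "In the future" wording fix as in the other files applies here.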
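Review bot: The `service_account_key.html.markdown` hunk (`@@ -10,6 +10,9 @@`) adds two blank lines between the new note and the ```` ```hcl ```` fence (the two consecutive `+` lines with nothing after them), while the other three files add one; trim to a single blank line for consistency, which also brings this hunk's line count in line with the `+2` of the JWT file.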