Support for the IAP Brands and Clients resources #325

Closed
JamesDuncanNz opened this issue Nov 30, 2020 · 7 comments

@JamesDuncanNz

Please add support for the IAP OAuth brands and clients resources.

Reference:

IAP OAuth Brands
Cloud SDK Documentation
Terraform Module Documentation

IAP OAuth Clients
Cloud SDK Documentation
Terraform Module Documentation

@JamesDuncanNz added the "enhancement" (New feature or request) label Nov 30, 2020
@JamesDuncanNz changed the title from "Support the creation of IAP Brands and Clients" to "Support for the IAP Brands and Clients resources" Nov 30, 2020
@maqiuyujoyce removed the "enhancement" (New feature or request) label Dec 4, 2020
@maqiuyujoyce
Collaborator

Hi @JamesDuncanNz, thank you for your suggestions. We've added them to the list of resources we're looking into and will let you know when we have more information.

@travisrandolph-bestbuy

@maqiuyujoyce We are also interested in the enhancement request. Is there any update on supporting IAP Brands and Clients?

@maqiuyujoyce
Collaborator

Hi @travisrandolph-bestbuy, thanks for your follow-up. This is planned for 2021Q1. Will provide updates when we have more information.

@tonybenchsci

Cross-posting from #304 (comment)

Wishing for:

  • Update ComputeBackendService to have a spec.iap.IAPIdentityAwareProxyClientRef which grabs the ID and secret
  • Provide/explain a way to bind members to role IAP-secured Web App User against ComputeBackendServices
  • Confirmation that pre-creating OAuth 2.0 Client IDs of format IAP-{ComputeBackendService_NAME} does not conflict with (is equivalent to) flipping the IAP button to "ON" in the GCP UI.

@jcanseco
Member

Hi @tonybenchsci.

> Update ComputeBackendService to have a spec.iap.IAPIdentityAwareProxyClientRef which grabs the ID and secret

Are you referring to the ability to use an IAPIdentityAwareProxyClient's status.secret as the value for a ComputeBackendService spec.iap.oauth2ClientSecret?

> Provide/explain a way to bind members to role IAP-secured Web App User against ComputeBackendServices

It seems that Terraform supports this use-case via google_iap_web_backend_service_iam. Can you confirm if that fits what you're looking for?

> Confirmation that pre-creating OAuth 2.0 Client IDs of format IAP-{ComputeBackendService_NAME} does not conflict with (is equivalent to) flipping the IAP button to "ON" in the GCP UI.

Unfortunately, we're not really IAP experts, so it's hard for us to make guarantees. I can try asking an IAP expert internally, though in the meantime, I'd also recommend trying it out yourself to see if the behavior fits your particular use-case.

@tonybenchsci

@jcanseco Thanks (just saw this).

  • Yes, but also being able to reference the IAPIdentityAwareProxyClient to get the BackendService's spec.iap.oauth2ClientId
  • Yes, that Terraform resource looks correct

@toumorokoshi
Contributor

As an update: IAPBrand and IAPIdentityAwareProxyClient are now available in Config Connector versions 1.43.0 and above.

I'm going to close this issue for posterity, and @tonybenchsci I'll open a separate one for the ref request.

For

> Provide/explain a way to bind members to role IAP-secured Web App User against ComputeBackendServices

Could you create a new ticket with an example of what you're looking for? I admit I'm not super familiar with IAP, but some clarification on why this isn't achievable via regular IAMPolicy resources, and what the expected UX would look like would be great.
