hcp_iam_workload_identity_provider (Resource)

The workload identity provider resource federates an external identity (an AWS account, or any OIDC issuer such as Azure or GCP) to an HCP service principal, so that a workload can act as that service principal by exchanging the identity its platform already gives it instead of holding a long-lived service principal key. Which identities are accepted is controlled by the provider block (`aws` or `oidc`) together with the `conditional_access` expression, which is evaluated against the presented identity on every exchange.

Example Usage: AWS

resource "hcp_service_principal" "workload_sp" {
  name = "my-app-runtime"
}

resource "hcp_iam_workload_identity_provider" "example" {
  name              = "aws-example"
  service_principal = hcp_service_principal.workload_sp.resource_name
  description       = "Allow my-app on AWS to act as my-app-runtime service principal"

  aws {
    # Only allow workloads from this AWS Account to exchange identity
    account_id = "123456789012"
  }

  # Only allow workloads running with the correct AWS IAM Role. STS assumed-role
  # ARNs have the form arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION; the
  # trailing "/" keeps a prefix-only pattern from also matching sibling roles
  # such as my-app-role-admin.
  conditional_access = "aws.arn matches `^arn:aws:sts::123456789012:assumed-role/my-app-role/`"
}

Example Usage: Azure

resource "hcp_service_principal" "workload_sp" {
  name = "my-app-runtime"
}

resource "hcp_iam_workload_identity_provider" "example" {
  name              = "azure-example"
  service_principal = hcp_service_principal.workload_sp.resource_name
  description       = "Allow my-app on Azure to act as my-app-runtime service principal"

  oidc {
    # The issuer URI has the form below, with the ID in the path replaced by
    # your Azure Tenant ID.
    issuer_uri = "https://sts.windows.net/60a0d497-45cd-413d-95ca-e154bbb9129b"

    # The allowed audience should be set to the Object ID of the Azure Managed
    # Identity. In this example, this would be the Object ID of a User Managed
    # Identity that will be attached to "my-app" workloads on Azure.
    allowed_audiences = ["api://10bacc1d-f3f5-499d-a14c-684c1471b27f"]
  }

  # Only allow workloads that are assigned the expected managed identity.
  # The access_token issued to Azure workloads has its oid claim set to the
  # Object ID of that managed identity.
  conditional_access = "jwt_claims.oid == `066c643f-86c0-490a-854c-35e77ddc7851`"
}

Example Usage: GCP

resource "hcp_service_principal" "workload_sp" {
  name = "my-app-runtime"
}

resource "hcp_iam_workload_identity_provider" "example" {
  name              = "gcp-example"
  service_principal = hcp_service_principal.workload_sp.resource_name
  description       = "Allow my-app on GCP to act as my-app-runtime service principal"

  oidc {
    issuer_uri = "https://accounts.google.com"
  }

  # Only allow workloads that run as the expected service account. GCP sets
  # the token's subject to the unique ID of the service account attached to
  # the workload.
  conditional_access = "jwt_claims.sub == `107517467455664443766`"
}
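The three examples above all rely on the same two-stage check: the provider block pins where an identity may come from (an AWS account ID, or an OIDC issuer plus allowed audiences), and `conditional_access` then narrows which identities from that source may act as the service principal. The following is an added example, not HCP's or the provider's code: a small Python model of those semantics with a minimal evaluator for the two operators used on this page (`==` and `matches`, which like go-bexpr's `matches` is an unanchored regex search). All tokens, ARNs and claim values in it are constructed for illustration, the token decoder does no signature verification (HCP verifies against the issuer's keys server-side), and treating an empty `allowed_audiences` as "no audience restriction" is a simplification of this toy, not a statement about the provider's default.

```python
"""Toy model of the checks an hcp_iam_workload_identity_provider applies.

Added example, not HCP's code. Models issuer_uri, allowed_audiences,
account_id and conditional_access with an evaluator that understands only
'<selector> == `literal`' and '<selector> matches `regex`'. All sample
tokens, ARNs and IDs below are constructed for illustration.
"""
import base64
import json
import re


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS WITHOUT verifying its signature.
    Real federation verifies the signature against the issuer's JWKS first;
    this helper only exposes the claims so they can be inspected."""
    try:
        _header, payload, _sig = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    pad = "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload + pad))


def evaluate_condition(expr: str, ctx: dict) -> bool:
    """Evaluate a conditional_access expression against a context dict.
    'jwt_claims.oid' reads ctx['jwt_claims']['oid']; 'aws.arn' reads
    ctx['aws']['arn']. A missing selector never satisfies the condition."""
    m = re.fullmatch(r"\s*([\w.]+)\s+(==|matches)\s+`([^`]*)`\s*", expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr!r}")
    selector, op, literal = m.groups()
    value = ctx
    for part in selector.split("."):
        if not isinstance(value, dict) or part not in value:
            return False
        value = value[part]
    if op == "==":
        return value == literal
    # 'matches' is an unanchored search: anchor the pattern yourself.
    return re.search(literal, str(value)) is not None


def aws_provider_admits(provider: dict, caller_identity: dict) -> bool:
    """aws block: pin the account, then apply conditional_access to aws.arn."""
    if caller_identity.get("Account") != provider["account_id"]:
        return False
    ctx = {"aws": {"arn": caller_identity.get("Arn", "")}}
    return evaluate_condition(provider["conditional_access"], ctx)


def oidc_provider_admits(provider: dict, token: str) -> bool:
    """oidc block: check iss and aud, then apply conditional_access to claims."""
    claims = decode_jwt_claims(token)
    if claims.get("iss") != provider["issuer_uri"]:
        return False
    aud = claims.get("aud", [])
    auds = set(aud if isinstance(aud, list) else [aud])
    allowed = set(provider.get("allowed_audiences") or [])
    if allowed and not (auds & allowed):   # toy simplification when unset
        return False
    return evaluate_condition(provider["conditional_access"], {"jwt_claims": claims})


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token: header.payload with an empty signature."""
    def b64(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Provider definitions mirroring the page's examples (constructed IDs).
AWS_PREFIX_ONLY = {
    "account_id": "123456789012",
    "conditional_access": "aws.arn matches `^arn:aws:sts::123456789012:assumed-role/my-app-role`",
}
AWS_ANCHORED = {
    "account_id": "123456789012",
    "conditional_access": "aws.arn matches `^arn:aws:sts::123456789012:assumed-role/my-app-role/`",
}
AZURE = {
    "issuer_uri": "https://sts.windows.net/60a0d497-45cd-413d-95ca-e154bbb9129b",
    "allowed_audiences": ["api://10bacc1d-f3f5-499d-a14c-684c1471b27f"],
    "conditional_access": "jwt_claims.oid == `066c643f-86c0-490a-854c-35e77ddc7851`",
}
GCP = {
    "issuer_uri": "https://accounts.google.com",
    "allowed_audiences": [],
    "conditional_access": "jwt_claims.sub == `107517467455664443766`",
}
```

Run `aws_provider_admits(AWS_PREFIX_ONLY, {...})` with an ARN for `my-app-role-admin` to see the prefix-only regex admit a sibling role, and the same call against `AWS_ANCHORED` reject it; the Azure and GCP helpers show that a token from the right issuer still fails on a wrong `aud` or a wrong `oid`/`sub`.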

Schema

Required

Optional

Read-Only

Nested Schema for aws

Required:

Nested Schema for oidc

Required:

Optional:

Import

Import is supported using the following syntax:

# Workload identity providers can be imported by specifying the resource name
terraform import hcp_iam_workload_identity_provider.example iam/project/840e3701-55b6-4f86-8c17-b1fe397303c5/service-principal/my-app-runtime/workload-identity-provider/aws