confluent_identity_pool
provides an Identity Pool resource that enables creating, editing, and deleting identity pools on Confluent Cloud.
Example usage with Azure AD as the identity provider:

resource "confluent_identity_provider" "azure" {
  display_name = "My OIDC Provider: Azure AD"
  description  = "My description"
  issuer       = "https://login.microsoftonline.com/{tenant_id}/v2.0"
  jwks_uri     = "https://login.microsoftonline.com/common/discovery/v2.0/keys"
}

resource "confluent_identity_pool" "example" {
  identity_provider {
    id = confluent_identity_provider.azure.id
  }
  display_name   = "My Identity Pool"
  description    = "Prod Access to Kafka clusters to Release Engineering"
  identity_claim = "claims.sub"
  filter         = "claims.aud==\"confluent\" && claims.group!=\"invalid_group\""
}

Example usage with Okta as the identity provider:

resource "confluent_identity_provider" "okta" {
  display_name = "My OIDC Provider: Okta"
  description  = "My description"
  issuer       = "https://mycompany.okta.com/oauth2/default"
  jwks_uri     = "https://mycompany.okta.com/oauth2/default/v1/keys"
}

resource "confluent_identity_pool" "example" {
  identity_provider {
    id = confluent_identity_provider.okta.id
  }
  display_name   = "My Identity Pool"
  description    = "Prod Access to Kafka clusters to Release Engineering"
  identity_claim = "claims.sub"
  filter         = "claims.aud==\"confluent\" && claims.group!=\"invalid_group\""
}
The following arguments are supported:

- identity_provider - (Required Configuration Block) supports the following:
  - id - (Required String) The ID of the Identity Provider associated with the Identity Pool, for example, op-abc123.
- display_name - (Required String) A human-readable name for the Identity Pool.
- description - (Required String) A description for the Identity Pool.
- identity_claim - (Required String) The JSON Web Token (JWT) claim from which the identity authenticating to Confluent resources is extracted (see Registered Claim Names for more details). This identity appears in the audit log records, showing, for example, that "identity Z used identity pool X to access topic A".
- filter - (Required String) A filter expression in Supported Common Expression Language (CEL) that specifies which identities can authenticate using your identity pool (see Set identity pool filters for more details).
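The filter examples on this page are denylists: any token with the expected audience is accepted unless it carries one excluded group value, so a newly created group is admitted by default. The following added configuration (not from the provider's own documentation) places that denylist beside an allowlist filter that fails closed; the tenant ID, group object ID and the claim names tid and groups are assumptions standing in for whatever your identity provider actually emits.

```hcl
# Added example, not part of the confluent_identity_pool documentation.
# Assumed values: the tenant ID and group object ID are placeholders, and the
# claims "tid" and "groups" are assumed to be present in the tokens your IdP issues.

resource "confluent_identity_provider" "azure" {
  display_name = "My OIDC Provider: Azure AD"
  description  = "Azure AD tenant used by Release Engineering"
  issuer       = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0" # placeholder tenant ID
  jwks_uri     = "https://login.microsoftonline.com/common/discovery/v2.0/keys"
}

# Denylist filter, as in the examples on this page: every identity with the
# expected audience is accepted unless it carries one specific group value.
resource "confluent_identity_pool" "denylist" {
  identity_provider {
    id = confluent_identity_provider.azure.id
  }
  display_name   = "Release Engineering (denylist)"
  description    = "Accepts every identity except one excluded group"
  identity_claim = "claims.sub"
  filter         = "claims.aud==\"confluent\" && claims.group!=\"invalid_group\""
}

# Allowlist filter: require the tenant, the audience and membership in one
# named group. Anything not listed is rejected. Uses the CEL "in" operator on
# the array-valued "groups" claim (assumption: the token is configured to carry it).
resource "confluent_identity_pool" "allowlist" {
  identity_provider {
    id = confluent_identity_provider.azure.id
  }
  display_name   = "Release Engineering (allowlist)"
  description    = "Prod access to Kafka clusters for Release Engineering only"
  identity_claim = "claims.sub"
  filter = join(" && ", [
    "claims.tid==\"00000000-0000-0000-0000-000000000000\"",     # placeholder tenant ID
    "claims.aud==\"confluent\"",
    "\"11111111-1111-1111-1111-111111111111\" in claims.groups", # placeholder group object ID
  ])
}
```

The resulting filter string is the same CEL expression you would type by hand; join() only keeps each condition on its own line so a review can see exactly which claims gate access.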
In addition to the preceding arguments, the following attributes are exported:

- id - (Required String) The ID of the Identity Pool, for example, pool-xyz456.

You can import an Identity Pool by using the Identity Provider ID and Identity Pool ID, in the format <Identity Provider ID>/<Identity Pool ID>. The following example shows how to import an Identity Pool:
$ export CONFLUENT_CLOUD_API_KEY="<cloud_api_key>"
$ export CONFLUENT_CLOUD_API_SECRET="<cloud_api_secret>"
$ terraform import confluent_identity_pool.example op-abc123/pool-xyz456