add docs and changelog

CHANGELOG.md

@@ -4,8 +4,9 @@ FEATURES:
 * Add support for `iam_tags` in `vault_aws_secret_backend_role` ([#2231](https://github.com/hashicorp/terraform-provider-vault/pull/2231)).
 * Add support for `inheritable` on `vault_quota_rate_limit` and `vault_quota_lease_count`. Requires Vault 1.15+.: ([#2133](https://github.com/hashicorp/terraform-provider-vault/pull/2133)).
 * Add support for new WIF fields in `vault_gcp_secret_backend`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2249](https://github.com/hashicorp/terraform-provider-vault/pull/2249)). 
-* Add support for new WIF fields in `vault_aws_auth_backend_client`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2243](https://github.com/hashicorp/terraform-provider-vault/pull/2243)).
 * Add support for new WIF fields in `vault_azure_secret_backend`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2250](https://github.com/hashicorp/terraform-provider-vault/pull/2250))
+* Add support for new WIF fields in `vault_aws_auth_backend_client`. Requires Vault 1.17+. *Available only for Vault Enterprise* ([#2243](https://github.com/hashicorp/terraform-provider-vault/pull/2243)).
+* Add support for new WIF fields in `vault_gcp_auth_backend` ([#2256](https://github.com/hashicorp/terraform-provider-vault/pull/2256))
 * Add new data source and resource `vault_pki_secret_backend_config_est`. Requires Vault 1.16+. *Available only for Vault Enterprise* ([#2246](https://github.com/hashicorp/terraform-provider-vault/pull/2246))
 
 IMPROVEMENTS:

vault/resource_gcp_auth_backend_test.go

@@ -168,15 +168,24 @@ func TestGCPAuthBackend_WIF(t *testing.T) {
 		CheckDestroy:      testGCPAuthBackendDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testGCPAuthBackend_WIFConfig(path),
+				Config: testGCPAuthBackend_WIFConfig_basic(path),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(resourceName, "path", path),
 					resource.TestCheckResourceAttr(resourceName, consts.FieldIdentityTokenAudience, "test"),
 					resource.TestCheckResourceAttr(resourceName, consts.FieldIdentityTokenTTL, "30"),
-					resource.TestCheckResourceAttr(resourceName, consts.FieldIdentityTokenKey, "test"),
 					resource.TestCheckResourceAttr(resourceName, consts.FieldServiceAccountEmail, "test"),
 				),
 			},
+			{
+				Config: testGCPAuthBackend_WIFConfig_updated(path),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "path", path),
+					resource.TestCheckResourceAttr(resourceName, consts.FieldIdentityTokenAudience, "test-updated"),
+					resource.TestCheckResourceAttr(resourceName, consts.FieldIdentityTokenTTL, "1800"),
+					resource.TestCheckResourceAttr(resourceName, consts.FieldIdentityTokenKey, "test"),
+					resource.TestCheckResourceAttr(resourceName, consts.FieldServiceAccountEmail, "test-updated"),
+				),
+			},
 			testutil.GetImportTestStep(resourceName, false, nil,
 				consts.FieldCredentials,
 				consts.FieldDisableRemount,
@@ -355,7 +364,19 @@ resource "vault_gcp_auth_backend" "test" {
 `, credentials, path)
 }
 
-func testGCPAuthBackend_WIFConfig(path string) string {
+func testGCPAuthBackend_WIFConfig_basic(path string) string {
+	return fmt.Sprintf(
+		`
+resource "vault_gcp_auth_backend" "test" {
+ path                    = "%s"
+ service_account_email   = "test"
+ identity_token_audience = "test"
+ identity_token_ttl      = 30
+}
+`, path)
+}
+
+func testGCPAuthBackend_WIFConfig_updated(path string) string {
 	return fmt.Sprintf(
 		`
 resource "vault_identity_oidc_key" "test" {
@@ -365,9 +386,9 @@ resource "vault_identity_oidc_key" "test" {
 
 resource "vault_gcp_auth_backend" "test" {
  path                    = "%s"
- service_account_email   = "test"
- identity_token_audience = "test"
- identity_token_ttl      = 30
+ service_account_email   = "test-updated"
+ identity_token_audience = "test-updated"
+ identity_token_ttl      = 1800
  identity_token_key      = vault_identity_oidc_key.test.name
 }
 `, path)

website/docs/r/gcp_auth_backend.html.md

@@ -45,6 +45,20 @@ The following arguments are supported:
 
 * `local` - (Optional) Specifies if the auth method is local only.
 
+* `service_account_email` – (Optional) Service Account to impersonate for plugin workload identity federation.
+  Required with `identity_token_audience`. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+
+* `identity_token_audience` - (Optional) The audience claim value for plugin identity
+  tokens. Must match an allowed audience configured for the target [Workload Identity Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#prepare).
+  Mutually exclusive with `credentials`.  Requires Vault 1.17+. *Available only for Vault Enterprise*.
+
+* `identity_token_ttl` - (Optional) The TTL of generated tokens. Defaults to
+  1 hour. Uses [duration format strings](https://developer.hashicorp.com/vault/docs/concepts/duration-format).
+  Requires Vault 1.17+. *Available only for Vault Enterprise*.
+
+* `identity_token_key` - (Optional) The key to use for signing plugin identity
+  tokens. Requires Vault 1.17+. *Available only for Vault Enterprise*.
+
 * `custom_endpoint` - (Optional) Specifies overrides to
   [service endpoints](https://cloud.google.com/apis/design/glossary#api_service_endpoint)
   used when making API requests. This allows specific requests made during authentication