pulumi-gcp 7.17.0a1712163201__py3-none-any.whl → 7.17.0a1712602552__py3-none-any.whl

pulumi_gcp/gkehub/membership_binding.py

@@ -419,15 +419,15 @@ class MembershipBinding(pulumi.CustomResource):
             network="default",
             subnetwork="default")
         membership = gcp.gkehub.Membership("membership",
-            membership_id="tf-test-membership_74000",
+            membership_id="tf-test-membership_75125",
             endpoint=gcp.gkehub.MembershipEndpointArgs(
                 gke_cluster=gcp.gkehub.MembershipEndpointGkeClusterArgs(
                     resource_link=primary.id.apply(lambda id: f"//container.googleapis.com/{id}"),
                 ),
             ))
-        scope = gcp.gkehub.Scope("scope", scope_id="tf-test-scope_75125")
+        scope = gcp.gkehub.Scope("scope", scope_id="tf-test-scope_88722")
         membership_binding = gcp.gkehub.MembershipBinding("membership_binding",
-            membership_binding_id="tf-test-membership-binding_88722",
+            membership_binding_id="tf-test-membership-binding_39249",
             scope=scope.name,
             membership_id=membership.membership_id,
             location="global",
@@ -512,15 +512,15 @@ class MembershipBinding(pulumi.CustomResource):
             network="default",
             subnetwork="default")
         membership = gcp.gkehub.Membership("membership",
-            membership_id="tf-test-membership_74000",
+            membership_id="tf-test-membership_75125",
             endpoint=gcp.gkehub.MembershipEndpointArgs(
                 gke_cluster=gcp.gkehub.MembershipEndpointGkeClusterArgs(
                     resource_link=primary.id.apply(lambda id: f"//container.googleapis.com/{id}"),
                 ),
             ))
-        scope = gcp.gkehub.Scope("scope", scope_id="tf-test-scope_75125")
+        scope = gcp.gkehub.Scope("scope", scope_id="tf-test-scope_88722")
         membership_binding = gcp.gkehub.MembershipBinding("membership_binding",
-            membership_binding_id="tf-test-membership-binding_88722",
+            membership_binding_id="tf-test-membership-binding_39249",
             scope=scope.name,
             membership_id=membership.membership_id,
             location="global",

pulumi_gcp/gkehub/membership_rbac_role_binding.py

@@ -364,7 +364,7 @@ class MembershipRbacRoleBinding(pulumi.CustomResource):
             network="default",
             subnetwork="default")
         membership = gcp.gkehub.Membership("membership",
-            membership_id="tf-test-membership_39249",
+            membership_id="tf-test-membership_74391",
             endpoint=gcp.gkehub.MembershipEndpointArgs(
                 gke_cluster=gcp.gkehub.MembershipEndpointGkeClusterArgs(
                     resource_link=primary.id.apply(lambda id: f"//container.googleapis.com/{id}"),
@@ -372,7 +372,7 @@ class MembershipRbacRoleBinding(pulumi.CustomResource):
             ))
         project = gcp.organizations.get_project()
         membership_rbac_role_binding = gcp.gkehub.MembershipRbacRoleBinding("membership_rbac_role_binding",
-            membership_rbac_role_binding_id="tf-test-membership-rbac-role-binding_74391",
+            membership_rbac_role_binding_id="tf-test-membership-rbac-role-binding_16511",
             membership_id=membership.membership_id,
             user=f"service-{project.number}@gcp-sa-anthossupport.iam.gserviceaccount.com",
             role=gcp.gkehub.MembershipRbacRoleBindingRoleArgs(
@@ -444,7 +444,7 @@ class MembershipRbacRoleBinding(pulumi.CustomResource):
             network="default",
             subnetwork="default")
         membership = gcp.gkehub.Membership("membership",
-            membership_id="tf-test-membership_39249",
+            membership_id="tf-test-membership_74391",
             endpoint=gcp.gkehub.MembershipEndpointArgs(
                 gke_cluster=gcp.gkehub.MembershipEndpointGkeClusterArgs(
                     resource_link=primary.id.apply(lambda id: f"//container.googleapis.com/{id}"),
@@ -452,7 +452,7 @@ class MembershipRbacRoleBinding(pulumi.CustomResource):
             ))
         project = gcp.organizations.get_project()
         membership_rbac_role_binding = gcp.gkehub.MembershipRbacRoleBinding("membership_rbac_role_binding",
-            membership_rbac_role_binding_id="tf-test-membership-rbac-role-binding_74391",
+            membership_rbac_role_binding_id="tf-test-membership-rbac-role-binding_16511",
             membership_id=membership.membership_id,
             user=f"service-{project.number}@gcp-sa-anthossupport.iam.gserviceaccount.com",
             role=gcp.gkehub.MembershipRbacRoleBindingRoleArgs(

pulumi_gcp/gkehub/namespace.py

@@ -424,9 +424,9 @@ class Namespace(pulumi.CustomResource):
         import pulumi
         import pulumi_gcp as gcp
 
-        scope = gcp.gkehub.Scope("scope", scope_id="tf-test-scope_16511")
+        scope = gcp.gkehub.Scope("scope", scope_id="tf-test-scope_8493")
         namespace = gcp.gkehub.Namespace("namespace",
-            scope_namespace_id="tf-test-namespace_8493",
+            scope_namespace_id="tf-test-namespace_9106",
             scope_id=scope.scope_id,
             scope=scope.name,
             namespace_labels={
@@ -510,9 +510,9 @@ class Namespace(pulumi.CustomResource):
         import pulumi
         import pulumi_gcp as gcp
 
-        scope = gcp.gkehub.Scope("scope", scope_id="tf-test-scope_16511")
+        scope = gcp.gkehub.Scope("scope", scope_id="tf-test-scope_8493")
         namespace = gcp.gkehub.Namespace("namespace",
-            scope_namespace_id="tf-test-namespace_8493",
+            scope_namespace_id="tf-test-namespace_9106",
             scope_id=scope.scope_id,
             scope=scope.name,
             namespace_labels={

pulumi_gcp/gkehub/scope_rbac_role_binding.py

@@ -453,9 +453,9 @@ class ScopeRbacRoleBinding(pulumi.CustomResource):
         import pulumi
         import pulumi_gcp as gcp
 
-        scope = gcp.gkehub.Scope("scope", scope_id="tf-test-scope_9106")
+        scope = gcp.gkehub.Scope("scope", scope_id="tf-test-scope_27169")
         scope_rbac_role_binding = gcp.gkehub.ScopeRbacRoleBinding("scope_rbac_role_binding",
-            scope_rbac_role_binding_id="tf-test-scope-rbac-role-binding_27169",
+            scope_rbac_role_binding_id="tf-test-scope-rbac-role-binding_75223",
             scope_id=scope.scope_id,
             user="test-email@gmail.com",
             role=gcp.gkehub.ScopeRbacRoleBindingRoleArgs(
@@ -535,9 +535,9 @@ class ScopeRbacRoleBinding(pulumi.CustomResource):
         import pulumi
         import pulumi_gcp as gcp
 
-        scope = gcp.gkehub.Scope("scope", scope_id="tf-test-scope_9106")
+        scope = gcp.gkehub.Scope("scope", scope_id="tf-test-scope_27169")
         scope_rbac_role_binding = gcp.gkehub.ScopeRbacRoleBinding("scope_rbac_role_binding",
-            scope_rbac_role_binding_id="tf-test-scope-rbac-role-binding_27169",
+            scope_rbac_role_binding_id="tf-test-scope-rbac-role-binding_75223",
             scope_id=scope.scope_id,
             user="test-email@gmail.com",
             role=gcp.gkehub.ScopeRbacRoleBindingRoleArgs(

pulumi_gcp/iam/_inputs.py

@@ -513,6 +513,23 @@ class WorkforcePoolProviderOidcArgs:
                .well-known path for the `issuer_uri`. Currently, RSA and EC asymmetric
                keys are supported. The JWK must use following format and include only
                the following fields:
+               ```
+               {
+               "keys": [
+               {
+               "kty": "RSA/EC",
+               "alg": "<algorithm>",
+               "use": "sig",
+               "kid": "<key-id>",
+               "n": "",
+               "e": "",
+               "x": "",
+               "y": "",
+               "crv": ""
+               }
+               ]
+               }
+               ```
         :param pulumi.Input['WorkforcePoolProviderOidcWebSsoConfigArgs'] web_sso_config: Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser.
                Structure is documented below.
         """
@@ -572,6 +589,23 @@ class WorkforcePoolProviderOidcArgs:
         .well-known path for the `issuer_uri`. Currently, RSA and EC asymmetric
         keys are supported. The JWK must use following format and include only
         the following fields:
+        ```
+        {
+        "keys": [
+        {
+        "kty": "RSA/EC",
+        "alg": "<algorithm>",
+        "use": "sig",
+        "kid": "<key-id>",
+        "n": "",
+        "e": "",
+        "x": "",
+        "y": "",
+        "crv": ""
+        }
+        ]
+        }
+        ```
         """
         return pulumi.get(self, "jwks_json")
 
@@ -812,12 +846,33 @@ class WorkloadIdentityPoolProviderOidcArgs:
                If this list is empty, the OIDC token audience must be equal to the full canonical
                resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix.
                For example:
+               ```
+               //iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
+               https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
+               ```
         :param pulumi.Input[str] jwks_json: OIDC JWKs in JSON String format. For details on definition of a
                JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
                use the `jwks_uri` from the discovery document fetched from the
                .well-known path for the `issuer_uri`. Currently, RSA and EC asymmetric
                keys are supported. The JWK must use following format and include only
                the following fields:
+               ```
+               {
+               "keys": [
+               {
+               "kty": "RSA/EC",
+               "alg": "<algorithm>",
+               "use": "sig",
+               "kid": "<key-id>",
+               "n": "",
+               "e": "",
+               "x": "",
+               "y": "",
+               "crv": ""
+               }
+               ]
+               }
+               ```
         """
         pulumi.set(__self__, "issuer_uri", issuer_uri)
         if allowed_audiences is not None:
@@ -848,6 +903,10 @@ class WorkloadIdentityPoolProviderOidcArgs:
         If this list is empty, the OIDC token audience must be equal to the full canonical
         resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix.
         For example:
+        ```
+        //iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
+        https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
+        ```
         """
         return pulumi.get(self, "allowed_audiences")
 
@@ -865,6 +924,23 @@ class WorkloadIdentityPoolProviderOidcArgs:
         .well-known path for the `issuer_uri`. Currently, RSA and EC asymmetric
         keys are supported. The JWK must use following format and include only
         the following fields:
+        ```
+        {
+        "keys": [
+        {
+        "kty": "RSA/EC",
+        "alg": "<algorithm>",
+        "use": "sig",
+        "kid": "<key-id>",
+        "n": "",
+        "e": "",
+        "x": "",
+        "y": "",
+        "crv": ""
+        }
+        ]
+        }
+        ```
         """
         return pulumi.get(self, "jwks_json")
 

pulumi_gcp/iam/outputs.py

@@ -550,6 +550,23 @@ class WorkforcePoolProviderOidc(dict):
                .well-known path for the `issuer_uri`. Currently, RSA and EC asymmetric
                keys are supported. The JWK must use following format and include only
                the following fields:
+               ```
+               {
+               "keys": [
+               {
+               "kty": "RSA/EC",
+               "alg": "<algorithm>",
+               "use": "sig",
+               "kid": "<key-id>",
+               "n": "",
+               "e": "",
+               "x": "",
+               "y": "",
+               "crv": ""
+               }
+               ]
+               }
+               ```
         :param 'WorkforcePoolProviderOidcWebSsoConfigArgs' web_sso_config: Configuration for web single sign-on for the OIDC provider. Here, web sign-in refers to console sign-in and gcloud sign-in through the browser.
                Structure is documented below.
         """
@@ -597,6 +614,23 @@ class WorkforcePoolProviderOidc(dict):
         .well-known path for the `issuer_uri`. Currently, RSA and EC asymmetric
         keys are supported. The JWK must use following format and include only
         the following fields:
+        ```
+        {
+        "keys": [
+        {
+        "kty": "RSA/EC",
+        "alg": "<algorithm>",
+        "use": "sig",
+        "kid": "<key-id>",
+        "n": "",
+        "e": "",
+        "x": "",
+        "y": "",
+        "crv": ""
+        }
+        ]
+        }
+        ```
         """
         return pulumi.get(self, "jwks_json")
 
@@ -890,12 +924,33 @@ class WorkloadIdentityPoolProviderOidc(dict):
                If this list is empty, the OIDC token audience must be equal to the full canonical
                resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix.
                For example:
+               ```
+               //iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
+               https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
+               ```
         :param str jwks_json: OIDC JWKs in JSON String format. For details on definition of a
                JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
                use the `jwks_uri` from the discovery document fetched from the
                .well-known path for the `issuer_uri`. Currently, RSA and EC asymmetric
                keys are supported. The JWK must use following format and include only
                the following fields:
+               ```
+               {
+               "keys": [
+               {
+               "kty": "RSA/EC",
+               "alg": "<algorithm>",
+               "use": "sig",
+               "kid": "<key-id>",
+               "n": "",
+               "e": "",
+               "x": "",
+               "y": "",
+               "crv": ""
+               }
+               ]
+               }
+               ```
         """
         pulumi.set(__self__, "issuer_uri", issuer_uri)
         if allowed_audiences is not None:
@@ -922,6 +977,10 @@ class WorkloadIdentityPoolProviderOidc(dict):
         If this list is empty, the OIDC token audience must be equal to the full canonical
         resource name of the WorkloadIdentityPoolProvider, with or without the HTTPS prefix.
         For example:
+        ```
+        //iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
+        https://iam.googleapis.com/projects/<project-number>/locations/<location>/workloadIdentityPools/<pool-id>/providers/<provider-id>
+        ```
         """
         return pulumi.get(self, "allowed_audiences")
 
@@ -935,6 +994,23 @@ class WorkloadIdentityPoolProviderOidc(dict):
         .well-known path for the `issuer_uri`. Currently, RSA and EC asymmetric
         keys are supported. The JWK must use following format and include only
         the following fields:
+        ```
+        {
+        "keys": [
+        {
+        "kty": "RSA/EC",
+        "alg": "<algorithm>",
+        "use": "sig",
+        "kid": "<key-id>",
+        "n": "",
+        "e": "",
+        "x": "",
+        "y": "",
+        "crv": ""
+        }
+        ]
+        }
+        ```
         """
         return pulumi.get(self, "jwks_json")
 

pulumi_gcp/iam/workforce_pool_provider.py

@@ -81,6 +81,11 @@ class WorkforcePoolProviderArgs:
                For OIDC providers, you must supply a custom mapping that includes the `google.subject` attribute.
                For example, the following maps the sub claim of the incoming credential to the `subject` attribute
                on a Google token:
+               ```
+               {"google.subject": "assertion.sub"}
+               ```
+               An object containing a list of `"key": value` pairs.
+               Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
         :param pulumi.Input[str] description: A user-specified description of the provider. Cannot exceed 256 characters.
         :param pulumi.Input[bool] disabled: Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
                However, existing tokens still grant access.
@@ -209,6 +214,11 @@ class WorkforcePoolProviderArgs:
         For OIDC providers, you must supply a custom mapping that includes the `google.subject` attribute.
         For example, the following maps the sub claim of the incoming credential to the `subject` attribute
         on a Google token:
+        ```
+        {"google.subject": "assertion.sub"}
+        ```
+        An object containing a list of `"key": value` pairs.
+        Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
         """
         return pulumi.get(self, "attribute_mapping")
 
@@ -339,6 +349,11 @@ class _WorkforcePoolProviderState:
                For OIDC providers, you must supply a custom mapping that includes the `google.subject` attribute.
                For example, the following maps the sub claim of the incoming credential to the `subject` attribute
                on a Google token:
+               ```
+               {"google.subject": "assertion.sub"}
+               ```
+               An object containing a list of `"key": value` pairs.
+               Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
         :param pulumi.Input[str] description: A user-specified description of the provider. Cannot exceed 256 characters.
         :param pulumi.Input[bool] disabled: Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
                However, existing tokens still grant access.
@@ -449,6 +464,11 @@ class _WorkforcePoolProviderState:
         For OIDC providers, you must supply a custom mapping that includes the `google.subject` attribute.
         For example, the following maps the sub claim of the incoming credential to the `subject` attribute
         on a Google token:
+        ```
+        {"google.subject": "assertion.sub"}
+        ```
+        An object containing a list of `"key": value` pairs.
+        Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
         """
         return pulumi.get(self, "attribute_mapping")
 
@@ -811,6 +831,11 @@ class WorkforcePoolProvider(pulumi.CustomResource):
                For OIDC providers, you must supply a custom mapping that includes the `google.subject` attribute.
                For example, the following maps the sub claim of the incoming credential to the `subject` attribute
                on a Google token:
+               ```
+               {"google.subject": "assertion.sub"}
+               ```
+               An object containing a list of `"key": value` pairs.
+               Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
         :param pulumi.Input[str] description: A user-specified description of the provider. Cannot exceed 256 characters.
         :param pulumi.Input[bool] disabled: Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
                However, existing tokens still grant access.
@@ -1117,6 +1142,11 @@ class WorkforcePoolProvider(pulumi.CustomResource):
                For OIDC providers, you must supply a custom mapping that includes the `google.subject` attribute.
                For example, the following maps the sub claim of the incoming credential to the `subject` attribute
                on a Google token:
+               ```
+               {"google.subject": "assertion.sub"}
+               ```
+               An object containing a list of `"key": value` pairs.
+               Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
         :param pulumi.Input[str] description: A user-specified description of the provider. Cannot exceed 256 characters.
         :param pulumi.Input[bool] disabled: Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
                However, existing tokens still grant access.
@@ -1216,6 +1246,11 @@ class WorkforcePoolProvider(pulumi.CustomResource):
         For OIDC providers, you must supply a custom mapping that includes the `google.subject` attribute.
         For example, the following maps the sub claim of the incoming credential to the `subject` attribute
         on a Google token:
+        ```
+        {"google.subject": "assertion.sub"}
+        ```
+        An object containing a list of `"key": value` pairs.
+        Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
         """
         return pulumi.get(self, "attribute_mapping")
 

pulumi_gcp/iam/workload_identity_pool_provider.py

@@ -74,6 +74,26 @@ class WorkloadIdentityPoolProviderArgs:
                the total size of all mapped attributes must not exceed 8KB.
                For AWS providers, the following rules apply:
                - If no attribute mapping is defined, the following default mapping applies:
+               ```
+               {
+               "google.subject":"assertion.arn",
+               "attribute.aws_role":
+               "assertion.arn.contains('assumed-role')"
+               " ? assertion.arn.extract('{account_arn}assumed-role/')"
+               "   + 'assumed-role/'"
+               "   + assertion.arn.extract('assumed-role/{role_name}/')"
+               " : assertion.arn",
+               }
+               ```
+               - If any custom attribute mappings are defined, they must include a mapping to the
+               `google.subject` attribute.
+               For OIDC providers, the following rules apply:
+               - Custom attribute mappings must be defined, and must include a mapping to the
+               `google.subject` attribute. For example, the following maps the `sub` claim of the
+               incoming credential to the `subject` attribute on a Google token.
+               ```
+               {"google.subject": "assertion.sub"}
+               ```
         :param pulumi.Input['WorkloadIdentityPoolProviderAwsArgs'] aws: An Amazon Web Services identity provider. Not compatible with the property oidc or saml.
                Structure is documented below.
         :param pulumi.Input[str] description: A description for the provider. Cannot exceed 256 characters.
@@ -190,6 +210,26 @@ class WorkloadIdentityPoolProviderArgs:
         the total size of all mapped attributes must not exceed 8KB.
         For AWS providers, the following rules apply:
         - If no attribute mapping is defined, the following default mapping applies:
+        ```
+        {
+        "google.subject":"assertion.arn",
+        "attribute.aws_role":
+        "assertion.arn.contains('assumed-role')"
+        " ? assertion.arn.extract('{account_arn}assumed-role/')"
+        "   + 'assumed-role/'"
+        "   + assertion.arn.extract('assumed-role/{role_name}/')"
+        " : assertion.arn",
+        }
+        ```
+        - If any custom attribute mappings are defined, they must include a mapping to the
+        `google.subject` attribute.
+        For OIDC providers, the following rules apply:
+        - Custom attribute mappings must be defined, and must include a mapping to the
+        `google.subject` attribute. For example, the following maps the `sub` claim of the
+        incoming credential to the `subject` attribute on a Google token.
+        ```
+        {"google.subject": "assertion.sub"}
+        ```
         """
         return pulumi.get(self, "attribute_mapping")
 
@@ -341,6 +381,26 @@ class _WorkloadIdentityPoolProviderState:
                the total size of all mapped attributes must not exceed 8KB.
                For AWS providers, the following rules apply:
                - If no attribute mapping is defined, the following default mapping applies:
+               ```
+               {
+               "google.subject":"assertion.arn",
+               "attribute.aws_role":
+               "assertion.arn.contains('assumed-role')"
+               " ? assertion.arn.extract('{account_arn}assumed-role/')"
+               "   + 'assumed-role/'"
+               "   + assertion.arn.extract('assumed-role/{role_name}/')"
+               " : assertion.arn",
+               }
+               ```
+               - If any custom attribute mappings are defined, they must include a mapping to the
+               `google.subject` attribute.
+               For OIDC providers, the following rules apply:
+               - Custom attribute mappings must be defined, and must include a mapping to the
+               `google.subject` attribute. For example, the following maps the `sub` claim of the
+               incoming credential to the `subject` attribute on a Google token.
+               ```
+               {"google.subject": "assertion.sub"}
+               ```
         :param pulumi.Input['WorkloadIdentityPoolProviderAwsArgs'] aws: An Amazon Web Services identity provider. Not compatible with the property oidc or saml.
                Structure is documented below.
         :param pulumi.Input[str] description: A description for the provider. Cannot exceed 256 characters.
@@ -450,6 +510,26 @@ class _WorkloadIdentityPoolProviderState:
         the total size of all mapped attributes must not exceed 8KB.
         For AWS providers, the following rules apply:
         - If no attribute mapping is defined, the following default mapping applies:
+        ```
+        {
+        "google.subject":"assertion.arn",
+        "attribute.aws_role":
+        "assertion.arn.contains('assumed-role')"
+        " ? assertion.arn.extract('{account_arn}assumed-role/')"
+        "   + 'assumed-role/'"
+        "   + assertion.arn.extract('assumed-role/{role_name}/')"
+        " : assertion.arn",
+        }
+        ```
+        - If any custom attribute mappings are defined, they must include a mapping to the
+        `google.subject` attribute.
+        For OIDC providers, the following rules apply:
+        - Custom attribute mappings must be defined, and must include a mapping to the
+        `google.subject` attribute. For example, the following maps the `sub` claim of the
+        incoming credential to the `subject` attribute on a Google token.
+        ```
+        {"google.subject": "assertion.sub"}
+        ```
         """
         return pulumi.get(self, "attribute_mapping")
 
@@ -874,6 +954,26 @@ class WorkloadIdentityPoolProvider(pulumi.CustomResource):
                the total size of all mapped attributes must not exceed 8KB.
                For AWS providers, the following rules apply:
                - If no attribute mapping is defined, the following default mapping applies:
+               ```
+               {
+               "google.subject":"assertion.arn",
+               "attribute.aws_role":
+               "assertion.arn.contains('assumed-role')"
+               " ? assertion.arn.extract('{account_arn}assumed-role/')"
+               "   + 'assumed-role/'"
+               "   + assertion.arn.extract('assumed-role/{role_name}/')"
+               " : assertion.arn",
+               }
+               ```
+               - If any custom attribute mappings are defined, they must include a mapping to the
+               `google.subject` attribute.
+               For OIDC providers, the following rules apply:
+               - Custom attribute mappings must be defined, and must include a mapping to the
+               `google.subject` attribute. For example, the following maps the `sub` claim of the
+               incoming credential to the `subject` attribute on a Google token.
+               ```
+               {"google.subject": "assertion.sub"}
+               ```
         :param pulumi.Input[pulumi.InputType['WorkloadIdentityPoolProviderAwsArgs']] aws: An Amazon Web Services identity provider. Not compatible with the property oidc or saml.
                Structure is documented below.
         :param pulumi.Input[str] description: A description for the provider. Cannot exceed 256 characters.
@@ -1230,6 +1330,26 @@ class WorkloadIdentityPoolProvider(pulumi.CustomResource):
                the total size of all mapped attributes must not exceed 8KB.
                For AWS providers, the following rules apply:
                - If no attribute mapping is defined, the following default mapping applies:
+               ```
+               {
+               "google.subject":"assertion.arn",
+               "attribute.aws_role":
+               "assertion.arn.contains('assumed-role')"
+               " ? assertion.arn.extract('{account_arn}assumed-role/')"
+               "   + 'assumed-role/'"
+               "   + assertion.arn.extract('assumed-role/{role_name}/')"
+               " : assertion.arn",
+               }
+               ```
+               - If any custom attribute mappings are defined, they must include a mapping to the
+               `google.subject` attribute.
+               For OIDC providers, the following rules apply:
+               - Custom attribute mappings must be defined, and must include a mapping to the
+               `google.subject` attribute. For example, the following maps the `sub` claim of the
+               incoming credential to the `subject` attribute on a Google token.
+               ```
+               {"google.subject": "assertion.sub"}
+               ```
         :param pulumi.Input[pulumi.InputType['WorkloadIdentityPoolProviderAwsArgs']] aws: An Amazon Web Services identity provider. Not compatible with the property oidc or saml.
                Structure is documented below.
         :param pulumi.Input[str] description: A description for the provider. Cannot exceed 256 characters.
@@ -1327,6 +1447,26 @@ class WorkloadIdentityPoolProvider(pulumi.CustomResource):
         the total size of all mapped attributes must not exceed 8KB.
         For AWS providers, the following rules apply:
         - If no attribute mapping is defined, the following default mapping applies:
+        ```
+        {
+        "google.subject":"assertion.arn",
+        "attribute.aws_role":
+        "assertion.arn.contains('assumed-role')"
+        " ? assertion.arn.extract('{account_arn}assumed-role/')"
+        "   + 'assumed-role/'"
+        "   + assertion.arn.extract('assumed-role/{role_name}/')"
+        " : assertion.arn",
+        }
+        ```
+        - If any custom attribute mappings are defined, they must include a mapping to the
+        `google.subject` attribute.
+        For OIDC providers, the following rules apply:
+        - Custom attribute mappings must be defined, and must include a mapping to the
+        `google.subject` attribute. For example, the following maps the `sub` claim of the
+        incoming credential to the `subject` attribute on a Google token.
+        ```
+        {"google.subject": "assertion.sub"}
+        ```
         """
         return pulumi.get(self, "attribute_mapping")
 

pulumi_gcp/iap/tunnel_dest_group.py

@@ -249,7 +249,7 @@ class TunnelDestGroup(pulumi.CustomResource):
 
         dest_group = gcp.iap.TunnelDestGroup("dest_group",
             region="us-central1",
-            group_name="testgroup_75223",
+            group_name="testgroup_41819",
             cidrs=[
                 "10.1.0.0/16",
                 "192.168.10.0/24",
@@ -337,7 +337,7 @@ class TunnelDestGroup(pulumi.CustomResource):
 
         dest_group = gcp.iap.TunnelDestGroup("dest_group",
             region="us-central1",
-            group_name="testgroup_75223",
+            group_name="testgroup_41819",
             cidrs=[
                 "10.1.0.0/16",
                 "192.168.10.0/24",