pulumi-gcp 7.23.0a1715621482__py3-none-any.whl → 7.23.0a1715808346__py3-none-any.whl

pulumi_gcp/iam/outputs.py

@@ -19,6 +19,10 @@ __all__ = [
     'DenyPolicyRuleDenyRuleDenialCondition',
     'WorkforcePoolAccessRestrictions',
     'WorkforcePoolAccessRestrictionsAllowedService',
+    'WorkforcePoolProviderExtraAttributesOauth2Client',
+    'WorkforcePoolProviderExtraAttributesOauth2ClientClientSecret',
+    'WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValue',
+    'WorkforcePoolProviderExtraAttributesOauth2ClientQueryParameters',
     'WorkforcePoolProviderOidc',
     'WorkforcePoolProviderOidcClientSecret',
     'WorkforcePoolProviderOidcClientSecretValue',
@@ -506,6 +510,195 @@ class WorkforcePoolAccessRestrictionsAllowedService(dict):
         return pulumi.get(self, "domain")
 
 
+@pulumi.output_type
+class WorkforcePoolProviderExtraAttributesOauth2Client(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "attributesType":
+            suggest = "attributes_type"
+        elif key == "clientId":
+            suggest = "client_id"
+        elif key == "clientSecret":
+            suggest = "client_secret"
+        elif key == "issuerUri":
+            suggest = "issuer_uri"
+        elif key == "queryParameters":
+            suggest = "query_parameters"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in WorkforcePoolProviderExtraAttributesOauth2Client. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        WorkforcePoolProviderExtraAttributesOauth2Client.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        WorkforcePoolProviderExtraAttributesOauth2Client.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 attributes_type: str,
+                 client_id: str,
+                 client_secret: 'outputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecret',
+                 issuer_uri: str,
+                 query_parameters: Optional['outputs.WorkforcePoolProviderExtraAttributesOauth2ClientQueryParameters'] = None):
+        """
+        :param str attributes_type: Represents the IdP and type of claims that should be fetched.
+               * AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the Azure AD identity provider using configuration provided
+               in ExtraAttributesOAuth2Client and 'mail' property of the 'microsoft.graph.group' object is used for claim mapping.
+               See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on
+               'microsoft.graph.group' properties. The attributes obtained from idntity provider are mapped to 'assertion.groups'. Possible values: ["AZURE_AD_GROUPS_MAIL"]
+        :param str client_id: The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
+        :param 'WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs' client_secret: The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
+        :param str issuer_uri: The OIDC identity provider's issuer URI. Must be a valid URI using the 'https' scheme. Required to get the OIDC discovery document.
+        :param 'WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs' query_parameters: Represents the parameters to control which claims are fetched from an IdP.
+        """
+        pulumi.set(__self__, "attributes_type", attributes_type)
+        pulumi.set(__self__, "client_id", client_id)
+        pulumi.set(__self__, "client_secret", client_secret)
+        pulumi.set(__self__, "issuer_uri", issuer_uri)
+        if query_parameters is not None:
+            pulumi.set(__self__, "query_parameters", query_parameters)
+
+    @property
+    @pulumi.getter(name="attributesType")
+    def attributes_type(self) -> str:
+        """
+        Represents the IdP and type of claims that should be fetched.
+        * AZURE_AD_GROUPS_MAIL: Used to get the user's group claims from the Azure AD identity provider using configuration provided
+        in ExtraAttributesOAuth2Client and 'mail' property of the 'microsoft.graph.group' object is used for claim mapping.
+        See https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties for more details on
+        'microsoft.graph.group' properties. The attributes obtained from idntity provider are mapped to 'assertion.groups'. Possible values: ["AZURE_AD_GROUPS_MAIL"]
+        """
+        return pulumi.get(self, "attributes_type")
+
+    @property
+    @pulumi.getter(name="clientId")
+    def client_id(self) -> str:
+        """
+        The OAuth 2.0 client ID for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
+        """
+        return pulumi.get(self, "client_id")
+
+    @property
+    @pulumi.getter(name="clientSecret")
+    def client_secret(self) -> 'outputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecret':
+        """
+        The OAuth 2.0 client secret for retrieving extra attributes from the identity provider. Required to get the Access Token using client credentials grant flow.
+        """
+        return pulumi.get(self, "client_secret")
+
+    @property
+    @pulumi.getter(name="issuerUri")
+    def issuer_uri(self) -> str:
+        """
+        The OIDC identity provider's issuer URI. Must be a valid URI using the 'https' scheme. Required to get the OIDC discovery document.
+        """
+        return pulumi.get(self, "issuer_uri")
+
+    @property
+    @pulumi.getter(name="queryParameters")
+    def query_parameters(self) -> Optional['outputs.WorkforcePoolProviderExtraAttributesOauth2ClientQueryParameters']:
+        """
+        Represents the parameters to control which claims are fetched from an IdP.
+        """
+        return pulumi.get(self, "query_parameters")
+
+
+@pulumi.output_type
+class WorkforcePoolProviderExtraAttributesOauth2ClientClientSecret(dict):
+    def __init__(__self__, *,
+                 value: Optional['outputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValue'] = None):
+        """
+        :param 'WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs' value: The value of the client secret.
+               Structure is documented below.
+        """
+        if value is not None:
+            pulumi.set(__self__, "value", value)
+
+    @property
+    @pulumi.getter
+    def value(self) -> Optional['outputs.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValue']:
+        """
+        The value of the client secret.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "value")
+
+
+@pulumi.output_type
+class WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValue(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "plainText":
+            suggest = "plain_text"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValue. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValue.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValue.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 plain_text: str,
+                 thumbprint: Optional[str] = None):
+        """
+        :param str plain_text: The plain text of the client secret value.
+        :param str thumbprint: (Output)
+               A thumbprint to represent the current client secret value.
+        """
+        pulumi.set(__self__, "plain_text", plain_text)
+        if thumbprint is not None:
+            pulumi.set(__self__, "thumbprint", thumbprint)
+
+    @property
+    @pulumi.getter(name="plainText")
+    def plain_text(self) -> str:
+        """
+        The plain text of the client secret value.
+        """
+        return pulumi.get(self, "plain_text")
+
+    @property
+    @pulumi.getter
+    def thumbprint(self) -> Optional[str]:
+        """
+        (Output)
+        A thumbprint to represent the current client secret value.
+        """
+        return pulumi.get(self, "thumbprint")
+
+
+@pulumi.output_type
+class WorkforcePoolProviderExtraAttributesOauth2ClientQueryParameters(dict):
+    def __init__(__self__, *,
+                 filter: Optional[str] = None):
+        """
+        :param str filter: The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the
+               filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The
+               groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.
+        """
+        if filter is not None:
+            pulumi.set(__self__, "filter", filter)
+
+    @property
+    @pulumi.getter
+    def filter(self) -> Optional[str]:
+        """
+        The filter used to request specific records from IdP. In case of attributes type as AZURE_AD_GROUPS_MAIL, it represents the
+        filter used to request specific groups for users from IdP. By default, all of the groups associated with the user are fetched. The
+        groups should be mail enabled and security enabled. See https://learn.microsoft.com/en-us/graph/search-query-parameter for more details.
+        """
+        return pulumi.get(self, "filter")
+
+
 @pulumi.output_type
 class WorkforcePoolProviderOidc(dict):
     @staticmethod
@@ -689,7 +882,6 @@ class WorkforcePoolProviderOidcClientSecretValue(dict):
                  thumbprint: Optional[str] = None):
         """
         :param str plain_text: The plain text of the client secret value.
-               **Note**: This property is sensitive and will not be displayed in the plan.
         :param str thumbprint: (Output)
                A thumbprint to represent the current client secret value.
         """
@@ -702,7 +894,6 @@ class WorkforcePoolProviderOidcClientSecretValue(dict):
     def plain_text(self) -> str:
         """
         The plain text of the client secret value.
-        **Note**: This property is sensitive and will not be displayed in the plan.
         """
         return pulumi.get(self, "plain_text")
 
@@ -755,6 +946,8 @@ class WorkforcePoolProviderOidcWebSsoConfig(dict):
                Possible values are: `CODE`, `ID_TOKEN`.
         :param Sequence[str] additional_scopes: Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the `openid`, `profile` and `email` scopes that are supported by the identity provider are requested.
                Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.
+               
+               <a name="nested_extra_attributes_oauth2_client"></a>The `extra_attributes_oauth2_client` block supports:
         """
         pulumi.set(__self__, "assertion_claims_behavior", assertion_claims_behavior)
         pulumi.set(__self__, "response_type", response_type)
@@ -790,6 +983,8 @@ class WorkforcePoolProviderOidcWebSsoConfig(dict):
         """
         Additional scopes to request for in the OIDC authentication request on top of scopes requested by default. By default, the `openid`, `profile` and `email` scopes that are supported by the identity provider are requested.
         Each additional scope may be at most 256 characters. A maximum of 10 additional scopes may be configured.
+
+        <a name="nested_extra_attributes_oauth2_client"></a>The `extra_attributes_oauth2_client` block supports:
         """
         return pulumi.get(self, "additional_scopes")
 

pulumi_gcp/iam/workforce_pool_provider.py

@@ -24,6 +24,7 @@ class WorkforcePoolProviderArgs:
                  description: Optional[pulumi.Input[str]] = None,
                  disabled: Optional[pulumi.Input[bool]] = None,
                  display_name: Optional[pulumi.Input[str]] = None,
+                 extra_attributes_oauth2_client: Optional[pulumi.Input['WorkforcePoolProviderExtraAttributesOauth2ClientArgs']] = None,
                  oidc: Optional[pulumi.Input['WorkforcePoolProviderOidcArgs']] = None,
                  saml: Optional[pulumi.Input['WorkforcePoolProviderSamlArgs']] = None):
         """
@@ -90,6 +91,11 @@ class WorkforcePoolProviderArgs:
         :param pulumi.Input[bool] disabled: Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
                However, existing tokens still grant access.
         :param pulumi.Input[str] display_name: A user-specified display name for the provider. Cannot exceed 32 characters.
+        :param pulumi.Input['WorkforcePoolProviderExtraAttributesOauth2ClientArgs'] extra_attributes_oauth2_client: The configuration for OAuth 2.0 client used to get the additional user
+               attributes. This should be used when users can't get the desired claims
+               in authentication credentials. Currently this configuration is only
+               supported with OIDC protocol.
+               Structure is documented below.
         :param pulumi.Input['WorkforcePoolProviderOidcArgs'] oidc: Represents an OpenId Connect 1.0 identity provider.
                Structure is documented below.
         :param pulumi.Input['WorkforcePoolProviderSamlArgs'] saml: Represents a SAML identity provider.
@@ -108,6 +114,8 @@ class WorkforcePoolProviderArgs:
             pulumi.set(__self__, "disabled", disabled)
         if display_name is not None:
             pulumi.set(__self__, "display_name", display_name)
+        if extra_attributes_oauth2_client is not None:
+            pulumi.set(__self__, "extra_attributes_oauth2_client", extra_attributes_oauth2_client)
         if oidc is not None:
             pulumi.set(__self__, "oidc", oidc)
         if saml is not None:
@@ -263,6 +271,22 @@ class WorkforcePoolProviderArgs:
     def display_name(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "display_name", value)
 
+    @property
+    @pulumi.getter(name="extraAttributesOauth2Client")
+    def extra_attributes_oauth2_client(self) -> Optional[pulumi.Input['WorkforcePoolProviderExtraAttributesOauth2ClientArgs']]:
+        """
+        The configuration for OAuth 2.0 client used to get the additional user
+        attributes. This should be used when users can't get the desired claims
+        in authentication credentials. Currently this configuration is only
+        supported with OIDC protocol.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "extra_attributes_oauth2_client")
+
+    @extra_attributes_oauth2_client.setter
+    def extra_attributes_oauth2_client(self, value: Optional[pulumi.Input['WorkforcePoolProviderExtraAttributesOauth2ClientArgs']]):
+        pulumi.set(self, "extra_attributes_oauth2_client", value)
+
     @property
     @pulumi.getter
     def oidc(self) -> Optional[pulumi.Input['WorkforcePoolProviderOidcArgs']]:
@@ -298,6 +322,7 @@ class _WorkforcePoolProviderState:
                  description: Optional[pulumi.Input[str]] = None,
                  disabled: Optional[pulumi.Input[bool]] = None,
                  display_name: Optional[pulumi.Input[str]] = None,
+                 extra_attributes_oauth2_client: Optional[pulumi.Input['WorkforcePoolProviderExtraAttributesOauth2ClientArgs']] = None,
                  location: Optional[pulumi.Input[str]] = None,
                  name: Optional[pulumi.Input[str]] = None,
                  oidc: Optional[pulumi.Input['WorkforcePoolProviderOidcArgs']] = None,
@@ -358,6 +383,11 @@ class _WorkforcePoolProviderState:
         :param pulumi.Input[bool] disabled: Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
                However, existing tokens still grant access.
         :param pulumi.Input[str] display_name: A user-specified display name for the provider. Cannot exceed 32 characters.
+        :param pulumi.Input['WorkforcePoolProviderExtraAttributesOauth2ClientArgs'] extra_attributes_oauth2_client: The configuration for OAuth 2.0 client used to get the additional user
+               attributes. This should be used when users can't get the desired claims
+               in authentication credentials. Currently this configuration is only
+               supported with OIDC protocol.
+               Structure is documented below.
         :param pulumi.Input[str] location: The location for the resource.
         :param pulumi.Input[str] name: Output only. The resource name of the provider.
                Format: `locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}`
@@ -392,6 +422,8 @@ class _WorkforcePoolProviderState:
             pulumi.set(__self__, "disabled", disabled)
         if display_name is not None:
             pulumi.set(__self__, "display_name", display_name)
+        if extra_attributes_oauth2_client is not None:
+            pulumi.set(__self__, "extra_attributes_oauth2_client", extra_attributes_oauth2_client)
         if location is not None:
             pulumi.set(__self__, "location", location)
         if name is not None:
@@ -513,6 +545,22 @@ class _WorkforcePoolProviderState:
     def display_name(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "display_name", value)
 
+    @property
+    @pulumi.getter(name="extraAttributesOauth2Client")
+    def extra_attributes_oauth2_client(self) -> Optional[pulumi.Input['WorkforcePoolProviderExtraAttributesOauth2ClientArgs']]:
+        """
+        The configuration for OAuth 2.0 client used to get the additional user
+        attributes. This should be used when users can't get the desired claims
+        in authentication credentials. Currently this configuration is only
+        supported with OIDC protocol.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "extra_attributes_oauth2_client")
+
+    @extra_attributes_oauth2_client.setter
+    def extra_attributes_oauth2_client(self, value: Optional[pulumi.Input['WorkforcePoolProviderExtraAttributesOauth2ClientArgs']]):
+        pulumi.set(self, "extra_attributes_oauth2_client", value)
+
     @property
     @pulumi.getter
     def location(self) -> Optional[pulumi.Input[str]]:
@@ -624,6 +672,7 @@ class WorkforcePoolProvider(pulumi.CustomResource):
                  description: Optional[pulumi.Input[str]] = None,
                  disabled: Optional[pulumi.Input[bool]] = None,
                  display_name: Optional[pulumi.Input[str]] = None,
+                 extra_attributes_oauth2_client: Optional[pulumi.Input[pulumi.InputType['WorkforcePoolProviderExtraAttributesOauth2ClientArgs']]] = None,
                  location: Optional[pulumi.Input[str]] = None,
                  oidc: Optional[pulumi.Input[pulumi.InputType['WorkforcePoolProviderOidcArgs']]] = None,
                  provider_id: Optional[pulumi.Input[str]] = None,
@@ -760,6 +809,91 @@ class WorkforcePoolProvider(pulumi.CustomResource):
             disabled=False,
             attribute_condition="true")
         ```
+        ### Iam Workforce Pool Provider Extra Attributes Oauth2 Config Client Basic
+
+        ```python
+        import pulumi
+        import pulumi_gcp as gcp
+
+        pool = gcp.iam.WorkforcePool("pool",
+            workforce_pool_id="example-pool",
+            parent="organizations/123456789",
+            location="global")
+        example = gcp.iam.WorkforcePoolProvider("example",
+            workforce_pool_id=pool.workforce_pool_id,
+            location=pool.location,
+            provider_id="example-prvdr",
+            attribute_mapping={
+                "google.subject": "assertion.sub",
+            },
+            oidc=gcp.iam.WorkforcePoolProviderOidcArgs(
+                issuer_uri="https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/",
+                client_id="https://analysis.windows.net/powerbi/connector/GoogleBigQuery",
+                web_sso_config=gcp.iam.WorkforcePoolProviderOidcWebSsoConfigArgs(
+                    response_type="CODE",
+                    assertion_claims_behavior="MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
+                ),
+                client_secret=gcp.iam.WorkforcePoolProviderOidcClientSecretArgs(
+                    value=gcp.iam.WorkforcePoolProviderOidcClientSecretValueArgs(
+                        plain_text="client-secret",
+                    ),
+                ),
+            ),
+            extra_attributes_oauth2_client=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientArgs(
+                issuer_uri="https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0",
+                client_id="client-id",
+                client_secret=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs(
+                    value=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs(
+                        plain_text="client-secret",
+                    ),
+                ),
+                attributes_type="AZURE_AD_GROUPS_MAIL",
+            ))
+        ```
+        ### Iam Workforce Pool Provider Extra Attributes Oauth2 Config Client Full
+
+        ```python
+        import pulumi
+        import pulumi_gcp as gcp
+
+        pool = gcp.iam.WorkforcePool("pool",
+            workforce_pool_id="example-pool",
+            parent="organizations/123456789",
+            location="global")
+        example = gcp.iam.WorkforcePoolProvider("example",
+            workforce_pool_id=pool.workforce_pool_id,
+            location=pool.location,
+            provider_id="example-prvdr",
+            attribute_mapping={
+                "google.subject": "assertion.sub",
+            },
+            oidc=gcp.iam.WorkforcePoolProviderOidcArgs(
+                issuer_uri="https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/",
+                client_id="https://analysis.windows.net/powerbi/connector/GoogleBigQuery",
+                client_secret=gcp.iam.WorkforcePoolProviderOidcClientSecretArgs(
+                    value=gcp.iam.WorkforcePoolProviderOidcClientSecretValueArgs(
+                        plain_text="client-secret",
+                    ),
+                ),
+                web_sso_config=gcp.iam.WorkforcePoolProviderOidcWebSsoConfigArgs(
+                    response_type="CODE",
+                    assertion_claims_behavior="MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
+                ),
+            ),
+            extra_attributes_oauth2_client=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientArgs(
+                issuer_uri="https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0",
+                client_id="client-id",
+                client_secret=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs(
+                    value=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs(
+                        plain_text="client-secret",
+                    ),
+                ),
+                attributes_type="AZURE_AD_GROUPS_MAIL",
+                query_parameters=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs(
+                    filter="mail:gcp",
+                ),
+            ))
+        ```
 
         ## Import
 
@@ -832,6 +966,11 @@ class WorkforcePoolProvider(pulumi.CustomResource):
         :param pulumi.Input[bool] disabled: Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
                However, existing tokens still grant access.
         :param pulumi.Input[str] display_name: A user-specified display name for the provider. Cannot exceed 32 characters.
+        :param pulumi.Input[pulumi.InputType['WorkforcePoolProviderExtraAttributesOauth2ClientArgs']] extra_attributes_oauth2_client: The configuration for OAuth 2.0 client used to get the additional user
+               attributes. This should be used when users can't get the desired claims
+               in authentication credentials. Currently this configuration is only
+               supported with OIDC protocol.
+               Structure is documented below.
         :param pulumi.Input[str] location: The location for the resource.
         :param pulumi.Input[pulumi.InputType['WorkforcePoolProviderOidcArgs']] oidc: Represents an OpenId Connect 1.0 identity provider.
                Structure is documented below.
@@ -984,6 +1123,91 @@ class WorkforcePoolProvider(pulumi.CustomResource):
             disabled=False,
             attribute_condition="true")
         ```
+        ### Iam Workforce Pool Provider Extra Attributes Oauth2 Config Client Basic
+
+        ```python
+        import pulumi
+        import pulumi_gcp as gcp
+
+        pool = gcp.iam.WorkforcePool("pool",
+            workforce_pool_id="example-pool",
+            parent="organizations/123456789",
+            location="global")
+        example = gcp.iam.WorkforcePoolProvider("example",
+            workforce_pool_id=pool.workforce_pool_id,
+            location=pool.location,
+            provider_id="example-prvdr",
+            attribute_mapping={
+                "google.subject": "assertion.sub",
+            },
+            oidc=gcp.iam.WorkforcePoolProviderOidcArgs(
+                issuer_uri="https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/",
+                client_id="https://analysis.windows.net/powerbi/connector/GoogleBigQuery",
+                web_sso_config=gcp.iam.WorkforcePoolProviderOidcWebSsoConfigArgs(
+                    response_type="CODE",
+                    assertion_claims_behavior="MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
+                ),
+                client_secret=gcp.iam.WorkforcePoolProviderOidcClientSecretArgs(
+                    value=gcp.iam.WorkforcePoolProviderOidcClientSecretValueArgs(
+                        plain_text="client-secret",
+                    ),
+                ),
+            ),
+            extra_attributes_oauth2_client=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientArgs(
+                issuer_uri="https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0",
+                client_id="client-id",
+                client_secret=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs(
+                    value=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs(
+                        plain_text="client-secret",
+                    ),
+                ),
+                attributes_type="AZURE_AD_GROUPS_MAIL",
+            ))
+        ```
+        ### Iam Workforce Pool Provider Extra Attributes Oauth2 Config Client Full
+
+        ```python
+        import pulumi
+        import pulumi_gcp as gcp
+
+        pool = gcp.iam.WorkforcePool("pool",
+            workforce_pool_id="example-pool",
+            parent="organizations/123456789",
+            location="global")
+        example = gcp.iam.WorkforcePoolProvider("example",
+            workforce_pool_id=pool.workforce_pool_id,
+            location=pool.location,
+            provider_id="example-prvdr",
+            attribute_mapping={
+                "google.subject": "assertion.sub",
+            },
+            oidc=gcp.iam.WorkforcePoolProviderOidcArgs(
+                issuer_uri="https://sts.windows.net/826602fe-2101-470c-9d71-ee1343668989/",
+                client_id="https://analysis.windows.net/powerbi/connector/GoogleBigQuery",
+                client_secret=gcp.iam.WorkforcePoolProviderOidcClientSecretArgs(
+                    value=gcp.iam.WorkforcePoolProviderOidcClientSecretValueArgs(
+                        plain_text="client-secret",
+                    ),
+                ),
+                web_sso_config=gcp.iam.WorkforcePoolProviderOidcWebSsoConfigArgs(
+                    response_type="CODE",
+                    assertion_claims_behavior="MERGE_USER_INFO_OVER_ID_TOKEN_CLAIMS",
+                ),
+            ),
+            extra_attributes_oauth2_client=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientArgs(
+                issuer_uri="https://login.microsoftonline.com/826602fe-2101-470c-9d71-ee1343668989/v2.0",
+                client_id="client-id",
+                client_secret=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretArgs(
+                    value=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientClientSecretValueArgs(
+                        plain_text="client-secret",
+                    ),
+                ),
+                attributes_type="AZURE_AD_GROUPS_MAIL",
+                query_parameters=gcp.iam.WorkforcePoolProviderExtraAttributesOauth2ClientQueryParametersArgs(
+                    filter="mail:gcp",
+                ),
+            ))
+        ```
 
         ## Import
 
@@ -1023,6 +1247,7 @@ class WorkforcePoolProvider(pulumi.CustomResource):
                  description: Optional[pulumi.Input[str]] = None,
                  disabled: Optional[pulumi.Input[bool]] = None,
                  display_name: Optional[pulumi.Input[str]] = None,
+                 extra_attributes_oauth2_client: Optional[pulumi.Input[pulumi.InputType['WorkforcePoolProviderExtraAttributesOauth2ClientArgs']]] = None,
                  location: Optional[pulumi.Input[str]] = None,
                  oidc: Optional[pulumi.Input[pulumi.InputType['WorkforcePoolProviderOidcArgs']]] = None,
                  provider_id: Optional[pulumi.Input[str]] = None,
@@ -1042,6 +1267,7 @@ class WorkforcePoolProvider(pulumi.CustomResource):
             __props__.__dict__["description"] = description
             __props__.__dict__["disabled"] = disabled
             __props__.__dict__["display_name"] = display_name
+            __props__.__dict__["extra_attributes_oauth2_client"] = extra_attributes_oauth2_client
             if location is None and not opts.urn:
                 raise TypeError("Missing required property 'location'")
             __props__.__dict__["location"] = location
@@ -1070,6 +1296,7 @@ class WorkforcePoolProvider(pulumi.CustomResource):
             description: Optional[pulumi.Input[str]] = None,
             disabled: Optional[pulumi.Input[bool]] = None,
             display_name: Optional[pulumi.Input[str]] = None,
+            extra_attributes_oauth2_client: Optional[pulumi.Input[pulumi.InputType['WorkforcePoolProviderExtraAttributesOauth2ClientArgs']]] = None,
             location: Optional[pulumi.Input[str]] = None,
             name: Optional[pulumi.Input[str]] = None,
             oidc: Optional[pulumi.Input[pulumi.InputType['WorkforcePoolProviderOidcArgs']]] = None,
@@ -1135,6 +1362,11 @@ class WorkforcePoolProvider(pulumi.CustomResource):
         :param pulumi.Input[bool] disabled: Whether the provider is disabled. You cannot use a disabled provider to exchange tokens.
                However, existing tokens still grant access.
         :param pulumi.Input[str] display_name: A user-specified display name for the provider. Cannot exceed 32 characters.
+        :param pulumi.Input[pulumi.InputType['WorkforcePoolProviderExtraAttributesOauth2ClientArgs']] extra_attributes_oauth2_client: The configuration for OAuth 2.0 client used to get the additional user
+               attributes. This should be used when users can't get the desired claims
+               in authentication credentials. Currently this configuration is only
+               supported with OIDC protocol.
+               Structure is documented below.
         :param pulumi.Input[str] location: The location for the resource.
         :param pulumi.Input[str] name: Output only. The resource name of the provider.
                Format: `locations/{location}/workforcePools/{workforcePoolId}/providers/{providerId}`
@@ -1168,6 +1400,7 @@ class WorkforcePoolProvider(pulumi.CustomResource):
         __props__.__dict__["description"] = description
         __props__.__dict__["disabled"] = disabled
         __props__.__dict__["display_name"] = display_name
+        __props__.__dict__["extra_attributes_oauth2_client"] = extra_attributes_oauth2_client
         __props__.__dict__["location"] = location
         __props__.__dict__["name"] = name
         __props__.__dict__["oidc"] = oidc
@@ -1263,6 +1496,18 @@ class WorkforcePoolProvider(pulumi.CustomResource):
         """
         return pulumi.get(self, "display_name")
 
+    @property
+    @pulumi.getter(name="extraAttributesOauth2Client")
+    def extra_attributes_oauth2_client(self) -> pulumi.Output[Optional['outputs.WorkforcePoolProviderExtraAttributesOauth2Client']]:
+        """
+        The configuration for OAuth 2.0 client used to get the additional user
+        attributes. This should be used when users can't get the desired claims
+        in authentication credentials. Currently this configuration is only
+        supported with OIDC protocol.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "extra_attributes_oauth2_client")
+
     @property
     @pulumi.getter
     def location(self) -> pulumi.Output[str]:

pulumi_gcp/integrationconnectors/__init__.py

@@ -7,5 +7,6 @@ import typing
 # Export this package's modules as members:
 from .connection import *
 from .endpoint_attachment import *
+from .managed_zone import *
 from ._inputs import *
 from . import outputs