pulumi-gcp 8.1.0a1726293903__py3-none-any.whl → 8.2.0__py3-none-any.whl

pulumi_gcp/iam/outputs.py

@@ -36,10 +36,18 @@ __all__ = [
     'WorkloadIdentityPoolProviderAws',
     'WorkloadIdentityPoolProviderOidc',
     'WorkloadIdentityPoolProviderSaml',
+    'WorkloadIdentityPoolProviderX509',
+    'WorkloadIdentityPoolProviderX509TrustStore',
+    'WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa',
+    'WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor',
     'GetTestablePermissionsPermissionResult',
     'GetWorkloadIdentityPoolProviderAwResult',
     'GetWorkloadIdentityPoolProviderOidcResult',
     'GetWorkloadIdentityPoolProviderSamlResult',
+    'GetWorkloadIdentityPoolProviderX509Result',
+    'GetWorkloadIdentityPoolProviderX509TrustStoreResult',
+    'GetWorkloadIdentityPoolProviderX509TrustStoreIntermediateCaResult',
+    'GetWorkloadIdentityPoolProviderX509TrustStoreTrustAnchorResult',
 ]
 
 @pulumi.output_type
@@ -1238,6 +1246,8 @@ class WorkloadIdentityPoolProviderSaml(dict):
                  idp_metadata_xml: str):
         """
         :param str idp_metadata_xml: SAML Identity provider configuration metadata xml doc.
+               
+               <a name="nested_x509"></a>The `x509` block supports:
         """
         pulumi.set(__self__, "idp_metadata_xml", idp_metadata_xml)
 
@@ -1246,10 +1256,192 @@ class WorkloadIdentityPoolProviderSaml(dict):
     def idp_metadata_xml(self) -> str:
         """
         SAML Identity provider configuration metadata xml doc.
+
+        <a name="nested_x509"></a>The `x509` block supports:
         """
         return pulumi.get(self, "idp_metadata_xml")
 
 
+@pulumi.output_type
+class WorkloadIdentityPoolProviderX509(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "trustStore":
+            suggest = "trust_store"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in WorkloadIdentityPoolProviderX509. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        WorkloadIdentityPoolProviderX509.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        WorkloadIdentityPoolProviderX509.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 trust_store: 'outputs.WorkloadIdentityPoolProviderX509TrustStore'):
+        """
+        :param 'WorkloadIdentityPoolProviderX509TrustStoreArgs' trust_store: A Trust store, use this trust store as a wrapper to config the trust
+               anchor and optional intermediate cas to help build the trust chain for
+               the incoming end entity certificate. Follow the x509 guidelines to
+               define those PEM encoded certs. Only 1 trust store is currently
+               supported.
+        """
+        pulumi.set(__self__, "trust_store", trust_store)
+
+    @property
+    @pulumi.getter(name="trustStore")
+    def trust_store(self) -> 'outputs.WorkloadIdentityPoolProviderX509TrustStore':
+        """
+        A Trust store, use this trust store as a wrapper to config the trust
+        anchor and optional intermediate cas to help build the trust chain for
+        the incoming end entity certificate. Follow the x509 guidelines to
+        define those PEM encoded certs. Only 1 trust store is currently
+        supported.
+        """
+        return pulumi.get(self, "trust_store")
+
+
+@pulumi.output_type
+class WorkloadIdentityPoolProviderX509TrustStore(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "trustAnchors":
+            suggest = "trust_anchors"
+        elif key == "intermediateCas":
+            suggest = "intermediate_cas"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in WorkloadIdentityPoolProviderX509TrustStore. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        WorkloadIdentityPoolProviderX509TrustStore.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        WorkloadIdentityPoolProviderX509TrustStore.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 trust_anchors: Sequence['outputs.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor'],
+                 intermediate_cas: Optional[Sequence['outputs.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa']] = None):
+        """
+        :param Sequence['WorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs'] trust_anchors: List of Trust Anchors to be used while performing validation
+               against a given TrustStore. The incoming end entity's certificate
+               must be chained up to one of the trust anchors here.
+               Structure is documented below.
+        :param Sequence['WorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs'] intermediate_cas: Set of intermediate CA certificates used for building the trust chain to
+               trust anchor.
+               IMPORTANT: Intermediate CAs are only supported when configuring x509 federation.
+               Structure is documented below.
+        """
+        pulumi.set(__self__, "trust_anchors", trust_anchors)
+        if intermediate_cas is not None:
+            pulumi.set(__self__, "intermediate_cas", intermediate_cas)
+
+    @property
+    @pulumi.getter(name="trustAnchors")
+    def trust_anchors(self) -> Sequence['outputs.WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor']:
+        """
+        List of Trust Anchors to be used while performing validation
+        against a given TrustStore. The incoming end entity's certificate
+        must be chained up to one of the trust anchors here.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "trust_anchors")
+
+    @property
+    @pulumi.getter(name="intermediateCas")
+    def intermediate_cas(self) -> Optional[Sequence['outputs.WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa']]:
+        """
+        Set of intermediate CA certificates used for building the trust chain to
+        trust anchor.
+        IMPORTANT: Intermediate CAs are only supported when configuring x509 federation.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "intermediate_cas")
+
+
+@pulumi.output_type
+class WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "pemCertificate":
+            suggest = "pem_certificate"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        WorkloadIdentityPoolProviderX509TrustStoreIntermediateCa.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 pem_certificate: Optional[str] = None):
+        """
+        :param str pem_certificate: PEM certificate of the PKI used for validation. Must only contain one
+               ca certificate(either root or intermediate cert).
+        """
+        if pem_certificate is not None:
+            pulumi.set(__self__, "pem_certificate", pem_certificate)
+
+    @property
+    @pulumi.getter(name="pemCertificate")
+    def pem_certificate(self) -> Optional[str]:
+        """
+        PEM certificate of the PKI used for validation. Must only contain one
+        ca certificate(either root or intermediate cert).
+        """
+        return pulumi.get(self, "pem_certificate")
+
+
+@pulumi.output_type
+class WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "pemCertificate":
+            suggest = "pem_certificate"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        WorkloadIdentityPoolProviderX509TrustStoreTrustAnchor.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 pem_certificate: Optional[str] = None):
+        """
+        :param str pem_certificate: PEM certificate of the PKI used for validation. Must only contain one
+               ca certificate(either root or intermediate cert).
+        """
+        if pem_certificate is not None:
+            pulumi.set(__self__, "pem_certificate", pem_certificate)
+
+    @property
+    @pulumi.getter(name="pemCertificate")
+    def pem_certificate(self) -> Optional[str]:
+        """
+        PEM certificate of the PKI used for validation. Must only contain one
+        ca certificate(either root or intermediate cert).
+        """
+        return pulumi.get(self, "pem_certificate")
+
+
 @pulumi.output_type
 class GetTestablePermissionsPermissionResult(dict):
     def __init__(__self__, *,
@@ -1454,3 +1646,106 @@ class GetWorkloadIdentityPoolProviderSamlResult(dict):
         return pulumi.get(self, "idp_metadata_xml")
 
 
+@pulumi.output_type
+class GetWorkloadIdentityPoolProviderX509Result(dict):
+    def __init__(__self__, *,
+                 trust_stores: Sequence['outputs.GetWorkloadIdentityPoolProviderX509TrustStoreResult']):
+        """
+        :param Sequence['GetWorkloadIdentityPoolProviderX509TrustStoreArgs'] trust_stores: A Trust store, use this trust store as a wrapper to config the trust
+               anchor and optional intermediate cas to help build the trust chain for
+               the incoming end entity certificate. Follow the x509 guidelines to
+               define those PEM encoded certs. Only 1 trust store is currently
+               supported.
+        """
+        pulumi.set(__self__, "trust_stores", trust_stores)
+
+    @property
+    @pulumi.getter(name="trustStores")
+    def trust_stores(self) -> Sequence['outputs.GetWorkloadIdentityPoolProviderX509TrustStoreResult']:
+        """
+        A Trust store, use this trust store as a wrapper to config the trust
+        anchor and optional intermediate cas to help build the trust chain for
+        the incoming end entity certificate. Follow the x509 guidelines to
+        define those PEM encoded certs. Only 1 trust store is currently
+        supported.
+        """
+        return pulumi.get(self, "trust_stores")
+
+
+@pulumi.output_type
+class GetWorkloadIdentityPoolProviderX509TrustStoreResult(dict):
+    def __init__(__self__, *,
+                 intermediate_cas: Sequence['outputs.GetWorkloadIdentityPoolProviderX509TrustStoreIntermediateCaResult'],
+                 trust_anchors: Sequence['outputs.GetWorkloadIdentityPoolProviderX509TrustStoreTrustAnchorResult']):
+        """
+        :param Sequence['GetWorkloadIdentityPoolProviderX509TrustStoreIntermediateCaArgs'] intermediate_cas: Set of intermediate CA certificates used for building the trust chain to
+               trust anchor.
+               IMPORTANT: Intermediate CAs are only supported when configuring x509 federation.
+        :param Sequence['GetWorkloadIdentityPoolProviderX509TrustStoreTrustAnchorArgs'] trust_anchors: List of Trust Anchors to be used while performing validation
+               against a given TrustStore. The incoming end entity's certificate
+               must be chained up to one of the trust anchors here.
+        """
+        pulumi.set(__self__, "intermediate_cas", intermediate_cas)
+        pulumi.set(__self__, "trust_anchors", trust_anchors)
+
+    @property
+    @pulumi.getter(name="intermediateCas")
+    def intermediate_cas(self) -> Sequence['outputs.GetWorkloadIdentityPoolProviderX509TrustStoreIntermediateCaResult']:
+        """
+        Set of intermediate CA certificates used for building the trust chain to
+        trust anchor.
+        IMPORTANT: Intermediate CAs are only supported when configuring x509 federation.
+        """
+        return pulumi.get(self, "intermediate_cas")
+
+    @property
+    @pulumi.getter(name="trustAnchors")
+    def trust_anchors(self) -> Sequence['outputs.GetWorkloadIdentityPoolProviderX509TrustStoreTrustAnchorResult']:
+        """
+        List of Trust Anchors to be used while performing validation
+        against a given TrustStore. The incoming end entity's certificate
+        must be chained up to one of the trust anchors here.
+        """
+        return pulumi.get(self, "trust_anchors")
+
+
+@pulumi.output_type
+class GetWorkloadIdentityPoolProviderX509TrustStoreIntermediateCaResult(dict):
+    def __init__(__self__, *,
+                 pem_certificate: str):
+        """
+        :param str pem_certificate: PEM certificate of the PKI used for validation. Must only contain one
+               ca certificate(either root or intermediate cert).
+        """
+        pulumi.set(__self__, "pem_certificate", pem_certificate)
+
+    @property
+    @pulumi.getter(name="pemCertificate")
+    def pem_certificate(self) -> str:
+        """
+        PEM certificate of the PKI used for validation. Must only contain one
+        ca certificate(either root or intermediate cert).
+        """
+        return pulumi.get(self, "pem_certificate")
+
+
+@pulumi.output_type
+class GetWorkloadIdentityPoolProviderX509TrustStoreTrustAnchorResult(dict):
+    def __init__(__self__, *,
+                 pem_certificate: str):
+        """
+        :param str pem_certificate: PEM certificate of the PKI used for validation. Must only contain one
+               ca certificate(either root or intermediate cert).
+        """
+        pulumi.set(__self__, "pem_certificate", pem_certificate)
+
+    @property
+    @pulumi.getter(name="pemCertificate")
+    def pem_certificate(self) -> str:
+        """
+        PEM certificate of the PKI used for validation. Must only contain one
+        ca certificate(either root or intermediate cert).
+        """
+        return pulumi.get(self, "pem_certificate")
+
+

pulumi_gcp/iam/workload_identity_pool_provider.py

@@ -31,7 +31,8 @@ class WorkloadIdentityPoolProviderArgs:
                  display_name: Optional[pulumi.Input[str]] = None,
                  oidc: Optional[pulumi.Input['WorkloadIdentityPoolProviderOidcArgs']] = None,
                  project: Optional[pulumi.Input[str]] = None,
-                 saml: Optional[pulumi.Input['WorkloadIdentityPoolProviderSamlArgs']] = None):
+                 saml: Optional[pulumi.Input['WorkloadIdentityPoolProviderSamlArgs']] = None,
+                 x509: Optional[pulumi.Input['WorkloadIdentityPoolProviderX509Args']] = None):
         """
         The set of arguments for constructing a WorkloadIdentityPoolProvider resource.
         :param pulumi.Input[str] workload_identity_pool_id: The ID used for the pool, which is the final component of the pool resource name. This
@@ -111,6 +112,9 @@ class WorkloadIdentityPoolProviderArgs:
                If it is not provided, the provider project is used.
         :param pulumi.Input['WorkloadIdentityPoolProviderSamlArgs'] saml: An SAML 2.0 identity provider. Not compatible with the property oidc or aws.
                Structure is documented below.
+        :param pulumi.Input['WorkloadIdentityPoolProviderX509Args'] x509: An X.509-type identity provider represents a CA. It is trusted to assert a
+               client identity if the client has a certificate that chains up to this CA.
+               Structure is documented below.
         """
         pulumi.set(__self__, "workload_identity_pool_id", workload_identity_pool_id)
         pulumi.set(__self__, "workload_identity_pool_provider_id", workload_identity_pool_provider_id)
@@ -132,6 +136,8 @@ class WorkloadIdentityPoolProviderArgs:
             pulumi.set(__self__, "project", project)
         if saml is not None:
             pulumi.set(__self__, "saml", saml)
+        if x509 is not None:
+            pulumi.set(__self__, "x509", x509)
 
     @property
     @pulumi.getter(name="workloadIdentityPoolId")
@@ -331,6 +337,20 @@ class WorkloadIdentityPoolProviderArgs:
     def saml(self, value: Optional[pulumi.Input['WorkloadIdentityPoolProviderSamlArgs']]):
         pulumi.set(self, "saml", value)
 
+    @property
+    @pulumi.getter
+    def x509(self) -> Optional[pulumi.Input['WorkloadIdentityPoolProviderX509Args']]:
+        """
+        An X.509-type identity provider represents a CA. It is trusted to assert a
+        client identity if the client has a certificate that chains up to this CA.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "x509")
+
+    @x509.setter
+    def x509(self, value: Optional[pulumi.Input['WorkloadIdentityPoolProviderX509Args']]):
+        pulumi.set(self, "x509", value)
+
 
 @pulumi.input_type
 class _WorkloadIdentityPoolProviderState:
@@ -347,7 +367,8 @@ class _WorkloadIdentityPoolProviderState:
                  saml: Optional[pulumi.Input['WorkloadIdentityPoolProviderSamlArgs']] = None,
                  state: Optional[pulumi.Input[str]] = None,
                  workload_identity_pool_id: Optional[pulumi.Input[str]] = None,
-                 workload_identity_pool_provider_id: Optional[pulumi.Input[str]] = None):
+                 workload_identity_pool_provider_id: Optional[pulumi.Input[str]] = None,
+                 x509: Optional[pulumi.Input['WorkloadIdentityPoolProviderX509Args']] = None):
         """
         Input properties used for looking up and filtering WorkloadIdentityPoolProvider resources.
         :param pulumi.Input[str] attribute_condition: [A Common Expression Language](https://opensource.google/projects/cel) expression, in
@@ -436,6 +457,9 @@ class _WorkloadIdentityPoolProviderState:
                
                
                - - -
+        :param pulumi.Input['WorkloadIdentityPoolProviderX509Args'] x509: An X.509-type identity provider represents a CA. It is trusted to assert a
+               client identity if the client has a certificate that chains up to this CA.
+               Structure is documented below.
         """
         if attribute_condition is not None:
             pulumi.set(__self__, "attribute_condition", attribute_condition)
@@ -463,6 +487,8 @@ class _WorkloadIdentityPoolProviderState:
             pulumi.set(__self__, "workload_identity_pool_id", workload_identity_pool_id)
         if workload_identity_pool_provider_id is not None:
             pulumi.set(__self__, "workload_identity_pool_provider_id", workload_identity_pool_provider_id)
+        if x509 is not None:
+            pulumi.set(__self__, "x509", x509)
 
     @property
     @pulumi.getter(name="attributeCondition")
@@ -693,6 +719,20 @@ class _WorkloadIdentityPoolProviderState:
     def workload_identity_pool_provider_id(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "workload_identity_pool_provider_id", value)
 
+    @property
+    @pulumi.getter
+    def x509(self) -> Optional[pulumi.Input['WorkloadIdentityPoolProviderX509Args']]:
+        """
+        An X.509-type identity provider represents a CA. It is trusted to assert a
+        client identity if the client has a certificate that chains up to this CA.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "x509")
+
+    @x509.setter
+    def x509(self, value: Optional[pulumi.Input['WorkloadIdentityPoolProviderX509Args']]):
+        pulumi.set(self, "x509", value)
+
 
 class WorkloadIdentityPoolProvider(pulumi.CustomResource):
     @overload
@@ -710,6 +750,7 @@ class WorkloadIdentityPoolProvider(pulumi.CustomResource):
                  saml: Optional[pulumi.Input[Union['WorkloadIdentityPoolProviderSamlArgs', 'WorkloadIdentityPoolProviderSamlArgsDict']]] = None,
                  workload_identity_pool_id: Optional[pulumi.Input[str]] = None,
                  workload_identity_pool_provider_id: Optional[pulumi.Input[str]] = None,
+                 x509: Optional[pulumi.Input[Union['WorkloadIdentityPoolProviderX509Args', 'WorkloadIdentityPoolProviderX509ArgsDict']]] = None,
                  __props__=None):
         """
         A configuration for an external identity provider.
@@ -882,6 +923,56 @@ class WorkloadIdentityPoolProvider(pulumi.CustomResource):
                 "jwks_json": "{\\"keys\\":[{\\"kty\\":\\"RSA\\",\\"alg\\":\\"RS256\\",\\"kid\\":\\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\\",\\"use\\":\\"sig\\",\\"e\\":\\"AQAB\\",\\"n\\":\\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\\"}]}",
             })
         ```
+        ### Iam Workload Identity Pool Provider X509 Basic
+
+        ```python
+        import pulumi
+        import pulumi_gcp as gcp
+        import pulumi_std as std
+
+        pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
+        example = gcp.iam.WorkloadIdentityPoolProvider("example",
+            workload_identity_pool_id=pool.workload_identity_pool_id,
+            workload_identity_pool_provider_id="example-prvdr",
+            attribute_mapping={
+                "google.subject": "assertion.subject.dn.cn",
+            },
+            x509={
+                "trust_store": {
+                    "trust_anchors": [{
+                        "pem_certificate": std.file(input="test-fixtures/trust_anchor.pem").result,
+                    }],
+                },
+            })
+        ```
+        ### Iam Workload Identity Pool Provider X509 Full
+
+        ```python
+        import pulumi
+        import pulumi_gcp as gcp
+        import pulumi_std as std
+
+        pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
+        example = gcp.iam.WorkloadIdentityPoolProvider("example",
+            workload_identity_pool_id=pool.workload_identity_pool_id,
+            workload_identity_pool_provider_id="example-prvdr",
+            display_name="Name of provider",
+            description="X.509 identity pool provider for automated test",
+            disabled=True,
+            attribute_mapping={
+                "google.subject": "assertion.subject.dn.cn",
+            },
+            x509={
+                "trust_store": {
+                    "trust_anchors": [{
+                        "pem_certificate": std.file(input="test-fixtures/trust_anchor.pem").result,
+                    }],
+                    "intermediate_cas": [{
+                        "pem_certificate": std.file(input="test-fixtures/intermediate_ca.pem").result,
+                    }],
+                },
+            })
+        ```
 
         ## Import
 
@@ -986,6 +1077,9 @@ class WorkloadIdentityPoolProvider(pulumi.CustomResource):
                
                
                - - -
+        :param pulumi.Input[Union['WorkloadIdentityPoolProviderX509Args', 'WorkloadIdentityPoolProviderX509ArgsDict']] x509: An X.509-type identity provider represents a CA. It is trusted to assert a
+               client identity if the client has a certificate that chains up to this CA.
+               Structure is documented below.
         """
         ...
     @overload
@@ -1164,6 +1258,56 @@ class WorkloadIdentityPoolProvider(pulumi.CustomResource):
                 "jwks_json": "{\\"keys\\":[{\\"kty\\":\\"RSA\\",\\"alg\\":\\"RS256\\",\\"kid\\":\\"sif0AR-F6MuvksAyAOv-Pds08Bcf2eUMlxE30NofddA\\",\\"use\\":\\"sig\\",\\"e\\":\\"AQAB\\",\\"n\\":\\"ylH1Chl1tpfti3lh51E1g5dPogzXDaQseqjsefGLknaNl5W6Wd4frBhHyE2t41Q5zgz_Ll0-NvWm0FlaG6brhrN9QZu6sJP1bM8WPfJVPgXOanxi7d7TXCkeNubGeiLTf5R3UXtS9Lm_guemU7MxDjDTelxnlgGCihOVTcL526suNJUdfXtpwUsvdU6_ZnAp9IpsuYjCtwPm9hPumlcZGMbxstdh07O4y4O90cVQClJOKSGQjAUCKJWXIQ0cqffGS_HuS_725CPzQ85SzYZzaNpgfhAER7kx_9P16ARM3BJz0PI5fe2hECE61J4GYU_BY43sxDfs7HyJpEXKLU9eWw\\"}]}",
             })
         ```
+        ### Iam Workload Identity Pool Provider X509 Basic
+
+        ```python
+        import pulumi
+        import pulumi_gcp as gcp
+        import pulumi_std as std
+
+        pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
+        example = gcp.iam.WorkloadIdentityPoolProvider("example",
+            workload_identity_pool_id=pool.workload_identity_pool_id,
+            workload_identity_pool_provider_id="example-prvdr",
+            attribute_mapping={
+                "google.subject": "assertion.subject.dn.cn",
+            },
+            x509={
+                "trust_store": {
+                    "trust_anchors": [{
+                        "pem_certificate": std.file(input="test-fixtures/trust_anchor.pem").result,
+                    }],
+                },
+            })
+        ```
+        ### Iam Workload Identity Pool Provider X509 Full
+
+        ```python
+        import pulumi
+        import pulumi_gcp as gcp
+        import pulumi_std as std
+
+        pool = gcp.iam.WorkloadIdentityPool("pool", workload_identity_pool_id="example-pool")
+        example = gcp.iam.WorkloadIdentityPoolProvider("example",
+            workload_identity_pool_id=pool.workload_identity_pool_id,
+            workload_identity_pool_provider_id="example-prvdr",
+            display_name="Name of provider",
+            description="X.509 identity pool provider for automated test",
+            disabled=True,
+            attribute_mapping={
+                "google.subject": "assertion.subject.dn.cn",
+            },
+            x509={
+                "trust_store": {
+                    "trust_anchors": [{
+                        "pem_certificate": std.file(input="test-fixtures/trust_anchor.pem").result,
+                    }],
+                    "intermediate_cas": [{
+                        "pem_certificate": std.file(input="test-fixtures/intermediate_ca.pem").result,
+                    }],
+                },
+            })
+        ```
 
         ## Import
 
@@ -1215,6 +1359,7 @@ class WorkloadIdentityPoolProvider(pulumi.CustomResource):
                  saml: Optional[pulumi.Input[Union['WorkloadIdentityPoolProviderSamlArgs', 'WorkloadIdentityPoolProviderSamlArgsDict']]] = None,
                  workload_identity_pool_id: Optional[pulumi.Input[str]] = None,
                  workload_identity_pool_provider_id: Optional[pulumi.Input[str]] = None,
+                 x509: Optional[pulumi.Input[Union['WorkloadIdentityPoolProviderX509Args', 'WorkloadIdentityPoolProviderX509ArgsDict']]] = None,
                  __props__=None):
         opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
         if not isinstance(opts, pulumi.ResourceOptions):
@@ -1239,6 +1384,7 @@ class WorkloadIdentityPoolProvider(pulumi.CustomResource):
             if workload_identity_pool_provider_id is None and not opts.urn:
                 raise TypeError("Missing required property 'workload_identity_pool_provider_id'")
             __props__.__dict__["workload_identity_pool_provider_id"] = workload_identity_pool_provider_id
+            __props__.__dict__["x509"] = x509
             __props__.__dict__["name"] = None
             __props__.__dict__["state"] = None
         super(WorkloadIdentityPoolProvider, __self__).__init__(
@@ -1263,7 +1409,8 @@ class WorkloadIdentityPoolProvider(pulumi.CustomResource):
             saml: Optional[pulumi.Input[Union['WorkloadIdentityPoolProviderSamlArgs', 'WorkloadIdentityPoolProviderSamlArgsDict']]] = None,
             state: Optional[pulumi.Input[str]] = None,
             workload_identity_pool_id: Optional[pulumi.Input[str]] = None,
-            workload_identity_pool_provider_id: Optional[pulumi.Input[str]] = None) -> 'WorkloadIdentityPoolProvider':
+            workload_identity_pool_provider_id: Optional[pulumi.Input[str]] = None,
+            x509: Optional[pulumi.Input[Union['WorkloadIdentityPoolProviderX509Args', 'WorkloadIdentityPoolProviderX509ArgsDict']]] = None) -> 'WorkloadIdentityPoolProvider':
         """
         Get an existing WorkloadIdentityPoolProvider resource's state with the given name, id, and optional extra
         properties used to qualify the lookup.
@@ -1357,6 +1504,9 @@ class WorkloadIdentityPoolProvider(pulumi.CustomResource):
                
                
                - - -
+        :param pulumi.Input[Union['WorkloadIdentityPoolProviderX509Args', 'WorkloadIdentityPoolProviderX509ArgsDict']] x509: An X.509-type identity provider represents a CA. It is trusted to assert a
+               client identity if the client has a certificate that chains up to this CA.
+               Structure is documented below.
         """
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
 
@@ -1375,6 +1525,7 @@ class WorkloadIdentityPoolProvider(pulumi.CustomResource):
         __props__.__dict__["state"] = state
         __props__.__dict__["workload_identity_pool_id"] = workload_identity_pool_id
         __props__.__dict__["workload_identity_pool_provider_id"] = workload_identity_pool_provider_id
+        __props__.__dict__["x509"] = x509
         return WorkloadIdentityPoolProvider(resource_name, opts=opts, __props__=__props__)
 
     @property
@@ -1554,3 +1705,13 @@ class WorkloadIdentityPoolProvider(pulumi.CustomResource):
         """
         return pulumi.get(self, "workload_identity_pool_provider_id")
 
+    @property
+    @pulumi.getter
+    def x509(self) -> pulumi.Output[Optional['outputs.WorkloadIdentityPoolProviderX509']]:
+        """
+        An X.509-type identity provider represents a CA. It is trusted to assert a
+        client identity if the client has a certificate that chains up to this CA.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "x509")
+

pulumi_gcp/kms/__init__.py

@@ -16,6 +16,8 @@ from .ekm_connection_iam_binding import *
 from .ekm_connection_iam_member import *
 from .ekm_connection_iam_policy import *
 from .get_crypto_key_iam_policy import *
+from .get_crypto_key_latest_version import *
+from .get_crypto_key_versions import *
 from .get_crypto_keys import *
 from .get_ekm_connection_iam_policy import *
 from .get_key_ring_iam_policy import *

pulumi_gcp/kms/autokey_config.py

@@ -174,9 +174,13 @@ class AutokeyConfig(pulumi.CustomResource):
         wait_srv_acc_permissions = time.index.Sleep("wait_srv_acc_permissions", create_duration=10s,
         opts = pulumi.ResourceOptions(depends_on=[autokey_project_admin]))
         example_autokeyconfig = gcp.kms.AutokeyConfig("example-autokeyconfig",
-            folder=autokms_folder.folder_id,
+            folder=autokms_folder.id,
             key_project=key_project.project_id.apply(lambda project_id: f"projects/{project_id}"),
             opts = pulumi.ResourceOptions(depends_on=[wait_srv_acc_permissions]))
+        # Wait delay after setting AutokeyConfig, to prevent diffs on reapply,
+        # because setting the config takes a little to fully propagate.
+        wait_autokey_propagation = time.index.Sleep("wait_autokey_propagation", create_duration=30s,
+        opts = pulumi.ResourceOptions(depends_on=[example_autokeyconfig]))
         ```
 
         ## Import
@@ -264,9 +268,13 @@ class AutokeyConfig(pulumi.CustomResource):
         wait_srv_acc_permissions = time.index.Sleep("wait_srv_acc_permissions", create_duration=10s,
         opts = pulumi.ResourceOptions(depends_on=[autokey_project_admin]))
         example_autokeyconfig = gcp.kms.AutokeyConfig("example-autokeyconfig",
-            folder=autokms_folder.folder_id,
+            folder=autokms_folder.id,
             key_project=key_project.project_id.apply(lambda project_id: f"projects/{project_id}"),
             opts = pulumi.ResourceOptions(depends_on=[wait_srv_acc_permissions]))
+        # Wait delay after setting AutokeyConfig, to prevent diffs on reapply,
+        # because setting the config takes a little to fully propagate.
+        wait_autokey_propagation = time.index.Sleep("wait_autokey_propagation", create_duration=30s,
+        opts = pulumi.ResourceOptions(depends_on=[example_autokeyconfig]))
         ```
 
         ## Import