Merge branch 'master' into projects-ds-new-version

blueprints/README.md

@@ -5,7 +5,7 @@ This section provides **[networking blueprints](./networking/)** that implement
 Currently available blueprints:
 
 - **apigee** - [Apigee Hybrid on GKE](./apigee/hybrid-gke/), [Apigee X analytics in BigQuery](./apigee/bigquery-analytics), [Apigee network patterns](./apigee/network-patterns/)
-- **cloud operations** - [Active Directory Federation Services](./cloud-operations/adfs), [Cloud Asset Inventory feeds for resource change tracking and remediation](./cloud-operations/asset-inventory-feed-remediation), [Fine-grained Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Cloud DNS & Shared VPC design](./cloud-operations/dns-shared-vpc), [Delegated Role Grants](./cloud-operations/iam-delegated-role-grants), [Networking Dashboard](./cloud-operations/network-dashboard), [Managing on-prem service account keys by uploading public keys](./cloud-operations/onprem-sa-key-management), [Compute Image builder with Hashicorp Packer](./cloud-operations/packer-image-builder), [Packer example](./cloud-operations/packer-image-builder/packer), [Compute Engine quota monitoring](./cloud-operations/quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq), [Configuring workload identity federation for Terraform Cloud/Enterprise workflow](./cloud-operations/terraform-enterprise-wif), [TCP healthcheck and restart for unmanaged GCE instances](./cloud-operations/unmanaged-instances-healthcheck), [Migrate for Compute Engine (v5) blueprints](./cloud-operations/vm-migration), [Configuring workload identity federation to access Google Cloud resources from apps running on Azure](./cloud-operations/workload-identity-federation)
+- **cloud operations** - [Active Directory Federation Services](./cloud-operations/adfs), [Cloud Asset Inventory feeds for resource change tracking and remediation](./cloud-operations/asset-inventory-feed-remediation), [Fine-grained Cloud DNS IAM via Service Directory](./cloud-operations/dns-fine-grained-iam), [Cloud DNS & Shared VPC design](./cloud-operations/dns-shared-vpc), [Delegated Role Grants](./cloud-operations/iam-delegated-role-grants), [Networking Dashboard](./cloud-operations/network-dashboard), [Managing on-prem service account keys by uploading public keys](./cloud-operations/onprem-sa-key-management), [Compute Image builder with Hashicorp Packer](./cloud-operations/packer-image-builder), [Packer example](./cloud-operations/packer-image-builder/packer), [Compute Engine quota monitoring](./cloud-operations/quota-monitoring), [Scheduled Cloud Asset Inventory Export to Bigquery](./cloud-operations/scheduled-asset-inventory-export-bq), [Configuring workload identity federation with Terraform Cloud/Enterprise workflows](./cloud-operations/terraform-cloud-dynamic-credentials), [TCP healthcheck and restart for unmanaged GCE instances](./cloud-operations/unmanaged-instances-healthcheck), [Migrate for Compute Engine (v5) blueprints](./cloud-operations/vm-migration), [Configuring workload identity federation to access Google Cloud resources from apps running on Azure](./cloud-operations/workload-identity-federation)
 - **data solutions** - [GCE and GCS CMEK via centralized Cloud KMS](./data-solutions/cmek-via-centralized-kms), [Cloud Composer version 2 private instance, supporting Shared VPC and external CMEK key](./data-solutions/composer-2), [Cloud SQL instance with multi-region read replicas](./data-solutions/cloudsql-multiregion), [Data Platform](./data-solutions/data-platform-foundations), [Spinning up a foundation data pipeline on Google Cloud using Cloud Storage, Dataflow and BigQuery](./data-solutions/gcs-to-bq-with-least-privileges), [#SQL Server Always On Groups blueprint](./data-solutions/sqlserver-alwayson), [Data Playground](./data-solutions/data-playground), [MLOps with Vertex AI](./data-solutions/vertex-mlops), [Shielded Folder](./data-solutions/shielded-folder)
 - **factories** - [The why and the how of Resource Factories](./factories), [Google Cloud Identity Group Factory](./factories/cloud-identity-group-factory), [Google Cloud BQ Factory](./factories/bigquery-factory), [Google Cloud VPC Firewall Factory](./factories/net-vpc-firewall-yaml), [Minimal Project Factory](./factories/project-factory)
 - **GKE** - [Binary Authorization Pipeline Blueprint](./gke/binauthz), [Storage API](./gke/binauthz/image), [Multi-cluster mesh on GKE (fleet API)](./gke/multi-cluster-mesh-gke-fleet-api), [GKE Multitenant Blueprint](./gke/multitenant-fleet), [Shared VPC with GKE support](./networking/shared-vpc-gke/)

blueprints/cloud-operations/README.md

@@ -64,9 +64,9 @@ This [blueprint](./onprem-sa-key-management) shows how to manage IAM Service Acc
 
 <br clear="left">
 
-## Workload identity federation for Terraform Enterprise workflow
+## Workload identity federation with Terraform Cloud workflows
 
-<a href="./terraform-enterprise-wif" title="Workload identity federation for Terraform Cloud/Enterprise workflow"><img src="./terraform-enterprise-wif/diagram.png" align="left" width="280px"></a> This [blueprint](./terraform-enterprise-wif) shows how to configure [Wokload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) between [Terraform Cloud/Enterprise](https://developer.hashicorp.com/terraform/enterprise) instance and Google Cloud.
+<a href="./terraform-cloud-dynamic-credentials" title="Workload identity federation with Terraform Cloud/Enterprise workflows"><img src="./terraform-cloud-dynamic-credentials/diagram.png" align="left" width="280px"></a> This [blueprint](./terraform-cloud-dynamic-credentials) shows how to configure [Wokload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) between [Terraform Cloud/Enterprise](https://developer.hashicorp.com/terraform/enterprise) instance and Google Cloud.
 
 <br clear="left">
 

blueprints/cloud-operations/terraform-cloud-dynamic-credentials/README.md

@@ -1,10 +1,10 @@
-# Configuring workload identity federation for Terraform Cloud/Enterprise workflow
+# Configuration of workload identity federation for Terraform Cloud/Enterprise workflows
 
-The most common way to use Terraform Cloud for GCP deployments is to store a GCP Service Account Key as a part of TFE Workflow configuration, as we all know there are security risks due to the fact that keys are long term credentials that could be compromised.
+The most common way to use Terraform Cloud for GCP deployments is to store a GCP Service Account Key as a part of TFC Workflow configuration, as we all know there are security risks due to the fact that keys are long term credentials that could be compromised.
 
 Workload identity federation enables applications running outside of Google Cloud to replace long-lived service account keys with short-lived access tokens. This is achieved by configuring Google Cloud to trust an external identity provider, so applications can use the credentials issued by the external identity provider to impersonate a service account.
 
-This blueprint shows how to set up [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) between [Terraform Cloud/Enterprise](https://developer.hashicorp.com/terraform/enterprise) instance and Google Cloud. This will be possible by configuring workload identity federation to trust oidc tokens generated for a specific workflow in a Terraform Enterprise organization.
+This blueprint shows how to set up [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) between [Terraform Cloud/Enterprise](https://developer.hashicorp.com/terraform/enterprise) instance and Google Cloud. This will be possible by configuring workload identity federation and [Terraform Cloud Dynamic Provider Credentials](https://www.hashicorp.com/blog/terraform-cloud-adds-dynamic-provider-credentials-vault-official-cloud-providers).
 
 The following diagram illustrates how the VM will get a short-lived access token and use it to access a resource:
 
@@ -12,8 +12,8 @@ The following diagram illustrates how the VM will get a short-lived access token
 
 ## Running the blueprint
 
-### Create Terraform Enterprise Workflow
-If you don't have an existing Terraform Enterprise organization you can sign up for a [free trial](https://app.terraform.io/public/signup/account) account. 
+### Create Terraform Cloud Workflow
+If you don't have an existing Terraform Cloud organization you can sign up for a [free trial](https://app.terraform.io/public/signup/account) account. 
 
 Create a new Workspace for a `CLI-driven workflow` (Identity Federation will work for any workflow type, but for simplicity of the blueprint we use CLI driven workflow). 
 
@@ -21,7 +21,7 @@ Note workspace name and id (id starts with `ws-`), we will use them on a later s
 
 Go to the organization settings and note the org name and id (id starts with `org-`).
 
-### Deploy GCP Workload Identity Pool Provider for Terraform Enterprise
+### Deploy GCP Workload Identity Pool Provider for Terraform Cloud integration
 
 > **_NOTE:_**  This is a preparation part and should be executed on behalf of a user with enough permissions. 
 
@@ -32,7 +32,7 @@ Required permissions when new project is created:
  - Workload Identity Admin on the project level
  - Project IAM Admin on the project level
 
-Fill out required variables, use TFE Org and Workspace IDs from the previous steps (IDs are not the names).
+Fill out required variables, use TFC Org and Workspace IDs from the previous steps (IDs are not the names).
 ```bash
 cd gcp-workload-identity-provider
 
@@ -50,34 +50,41 @@ terraform init
 terraform apply
 ```
 
-As a result a set of outputs will be provided (your values will be different), note the output since we will use it on the next steps.
+You will receive a set of outputs (your values may be different), note them because we will need them in the next steps.
 
 ```
-impersonate_service_account_email = "sa-tfe@fe-test-oidc.iam.gserviceaccount.com"
-project_id = "tfe-test-oidc"
-workload_identity_audience = "//iam.googleapis.com/projects/476538149566/locations/global/workloadIdentityPools/tfe-pool/providers/tfe-provider"
-workload_identity_pool_provider_id = "projects/476538149566/locations/global/workloadIdentityPools/tfe-pool/providers/tfe-provider"
+project_id = "tfc-dynamic-creds-gcp"
+tfc_workspace_wariables = {
+  "TFC_GCP_PROJECT_NUMBER" = "200635100209"
+  "TFC_GCP_PROVIDER_AUTH" = "true"
+  "TFC_GCP_RUN_SERVICE_ACCOUNT_EMAIL" = "sa-tfc@tfc-dynamic-creds-gcp.iam.gserviceaccount.com"
+  "TFC_GCP_WORKLOAD_POOL_ID" = "tfc-pool"
+  "TFC_GCP_WORKLOAD_PROVIDER_ID" = "tfc-provider"
+}
 ```
 
-### Configure OIDC provider for your TFE Workflow
+### Configure Dynamic Provider Credentials for your TFC Workflow
 
-To enable OIDC for a TFE workflow it's enough to setup an environment variable `TFC_WORKLOAD_IDENTITY_AUDIENCE`. 
+To configure [GCP Dynamic Provider Credentials](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/gcp-configuration) for a TFC workflow, you need to set a set of environment variables:
+- `TFC_GCP_PROVIDER_AUTH`
+- `TFC_GCP_PROJECT_NUMBER`
+- `TFC_GCP_RUN_SERVICE_ACCOUNT_EMAIL`
+- `TFC_GCP_WORKLOAD_POOL_ID`
+- `TFC_GCP_WORKLOAD_PROVIDER_ID`
 
-Go the the Workflow -> Variables and add a new variable `TFC_WORKLOAD_IDENTITY_AUDIENCE` equal to the value of `workload_identity_audience` output, in our example it's:
+Go to the Workflow -> Variables page and click the + Add variable button. For variable type select ` Environment variable`. The variable names listed above are the names of the variables that you need to set. The values provided in the terraform output in the previous step are the values that you need to provide for each variable.
 
-```
-TFC_WORKLOAD_IDENTITY_AUDIENCE = "//iam.googleapis.com/projects/476538149566/locations/global/workloadIdentityPools/tfe-pool/providers/tfe-provider"
-```
-
-At that point we setup GCP Identity Federation to trust TFE generated OIDC tokens, so the TFE workflow can use the token to impersonate a GCP Service Account. 
+At that point we set up GCP Identity Federation to trust TFC generated OIDC tokens, workflow should be able to use Dynamic Provider Credentials to impersonate a GCP Service Account. 
 
 ## Testing the blueprint
 
-In order to test the setup we will deploy a GCS bucket from TFE Workflow using OIDC token for Service Account Impersonation.
+To test the setup, we will deploy a GCS bucket from the TFC Workflow created in the previous step.
+
+This will allow us to verify that the workflow can successfully interact with GCP services using the TFC Dynamic Provider Credentials.
 
 ### Configure backend and variables
 
-First, we need to configure TFE Remote backend for our testing terraform code, use TFE Organization name and workspace name (names are not the same as ids)
+First, we need to configure the TFC Remote backend for our testing Terraform code. Use the TFC Organization name and workspace name (names are not the same as ids).
 
 ```
 cd ../tfc-workflow-using-wif
@@ -89,7 +96,7 @@ vi backend.tf
 
 ```
 
-Fill out variables based on the output from the preparation steps:
+Fill out `project_id` variable based on the output from the preparation steps:
 
 ```
 mv terraform.auto.tfvars.template terraform.auto.tfvars
@@ -100,7 +107,7 @@ vi terraform.auto.tfvars
 
 ### Authenticate terraform for triggering CLI-driven workflow
 
-Follow this [documentation](https://learn.hashicorp.com/tutorials/terraform/cloud-login) to login ti terraform cloud from the CLI.
+Follow this [documentation](https://learn.hashicorp.com/tutorials/terraform/cloud-login) to login to terraform cloud from the CLI.
 
 ### Trigger the workflow
 
@@ -110,6 +117,6 @@ terraform init
 terraform apply
 ```
 
-As a result we have a successfully deployed GCS bucket from Terraform Enterprise workflow using Workload Identity Federation.
+As a result we have a successfully deployed GCS bucket from Terraform Cloud workflow using Workload Identity Federation.
 
 Once done testing, you can clean up resources by running `terraform destroy` first in the `tfc-workflow-using-wif` and then `gcp-workload-identity-provider` folders. 

blueprints/cloud-operations/terraform-cloud-dynamic-credentials/gcp-workload-identity-provider/README.md

@@ -1,10 +1,14 @@
-# GCP Workload Identity Provider for Terraform Enterprise
+# GCP Workload Identity Provider for Terraform Cloud Dynamic Credentials
 
-This terraform code is a part of [GCP Workload Identity Federation for Terraform Enterprise](../) blueprint.
+This terraform code is a part of [GCP Workload Identity Federation for Terraform Cloud](../) blueprint.
 
 The codebase provisions the following list of resources:
 
-- GCS Bucket
+- (optional) GCP Project
+- IAM Service Account
+- Workload Identity Pool
+- Workload Identity Provider
+- IAM Permissins
 <!-- BEGIN TFDOC -->
 
 ## Variables
@@ -13,21 +17,19 @@ The codebase provisions the following list of resources:
 |---|---|:---:|:---:|:---:|
 | [billing_account](variables.tf#L16) | Billing account id used as default for new projects. | <code>string</code> | ✓ |  |
 | [project_id](variables.tf#L43) | Existing project id. | <code>string</code> | ✓ |  |
-| [tfe_organization_id](variables.tf#L48) | TFE organization id. | <code>string</code> | ✓ |  |
-| [tfe_workspace_id](variables.tf#L53) | TFE workspace id. | <code>string</code> | ✓ |  |
-| [issuer_uri](variables.tf#L21) | Terraform Enterprise uri. Replace the uri if a self hosted instance is used. | <code>string</code> |  | <code>&#34;https:&#47;&#47;app.terraform.io&#47;&#34;</code> |
+| [tfc_organization_id](variables.tf#L48) | TFC organization id. | <code>string</code> | ✓ |  |
+| [tfc_workspace_id](variables.tf#L53) | TFC workspace id. | <code>string</code> | ✓ |  |
+| [issuer_uri](variables.tf#L21) | Terraform Cloud/Enterprise uri. Replace the uri if a self hosted instance is used. | <code>string</code> |  | <code>&#34;https:&#47;&#47;app.terraform.io&#47;&#34;</code> |
 | [parent](variables.tf#L27) | Parent folder or organization in 'folders/folder_id' or 'organizations/org_id' format. | <code>string</code> |  | <code>null</code> |
 | [project_create](variables.tf#L37) | Create project instead of using an existing one. | <code>bool</code> |  | <code>true</code> |
-| [workload_identity_pool_id](variables.tf#L58) | Workload identity pool id. | <code>string</code> |  | <code>&#34;tfe-pool&#34;</code> |
-| [workload_identity_pool_provider_id](variables.tf#L64) | Workload identity pool provider id. | <code>string</code> |  | <code>&#34;tfe-provider&#34;</code> |
+| [workload_identity_pool_id](variables.tf#L58) | Workload identity pool id. | <code>string</code> |  | <code>&#34;tfc-pool&#34;</code> |
+| [workload_identity_pool_provider_id](variables.tf#L64) | Workload identity pool provider id. | <code>string</code> |  | <code>&#34;tfc-provider&#34;</code> |
 
 ## Outputs
 
 | name | description | sensitive |
 |---|---|:---:|
-| [impersonate_service_account_email](outputs.tf#L16) | Service account to be impersonated by workload identity. |  |
-| [project_id](outputs.tf#L21) | GCP Project ID. |  |
-| [workload_identity_audience](outputs.tf#L26) | TFC Workload Identity Audience. |  |
-| [workload_identity_pool_provider_id](outputs.tf#L31) | GCP workload identity pool provider ID. |  |
+| [project_id](outputs.tf#L15) | GCP Project ID. |  |
+| [tfc_workspace_wariables](outputs.tf#L20) | Variables to be set on the TFC workspace. |  |
 
 <!-- END TFDOC -->

blueprints/cloud-operations/terraform-cloud-dynamic-credentials/gcp-workload-identity-provider/main.tf

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -36,25 +36,27 @@ module "project" {
 #                     Workload Identity Pool and Provider                     #
 ###############################################################################
 
-resource "google_iam_workload_identity_pool" "tfe-pool" {
+resource "google_iam_workload_identity_pool" "tfc-pool" {
   project                   = module.project.project_id
   workload_identity_pool_id = var.workload_identity_pool_id
-  display_name              = "TFE Pool"
-  description               = "Identity pool for Terraform Enterprise OIDC integration"
+  display_name              = "TFC Pool"
+  description               = "Identity pool for Terraform Cloud Dynamic Credentials integration"
 }
 
-resource "google_iam_workload_identity_pool_provider" "tfe-pool-provider" {
+resource "google_iam_workload_identity_pool_provider" "tfc-pool-provider" {
   project                            = module.project.project_id
-  workload_identity_pool_id          = google_iam_workload_identity_pool.tfe-pool.workload_identity_pool_id
+  workload_identity_pool_id          = google_iam_workload_identity_pool.tfc-pool.workload_identity_pool_id
   workload_identity_pool_provider_id = var.workload_identity_pool_provider_id
-  display_name                       = "TFE Pool Provider"
-  description                        = "OIDC identity pool provider for TFE Integration"
-  # Use condition to make sure only token generated for a specific TFE Org can be used across org workspaces
-  attribute_condition = "attribute.terraform_organization_id == \"${var.tfe_organization_id}\""
+  display_name                       = "TFC Pool Provider"
+  description                        = "OIDC identity pool provider for Terraform Cloud Dynamic Credentials integration"
+  # Use condition to make sure only token generated for a specific TFC Org can be used across org workspaces
+  attribute_condition = "attribute.terraform_organization_id == \"${var.tfc_organization_id}\""
   attribute_mapping = {
     "google.subject"                        = "assertion.sub"
     "attribute.aud"                         = "assertion.aud"
     "attribute.terraform_run_phase"         = "assertion.terraform_run_phase"
+    "attribute.terraform_project_id"        = "assertion.terraform_project_id",
+    "attribute.terraform_project_name"      = "assertion.terraform_project_name",
     "attribute.terraform_workspace_id"      = "assertion.terraform_workspace_id"
     "attribute.terraform_workspace_name"    = "assertion.terraform_workspace_name"
     "attribute.terraform_organization_id"   = "assertion.terraform_organization_id"
@@ -72,15 +74,15 @@ resource "google_iam_workload_identity_pool_provider" "tfe-pool-provider" {
 #                       Service Account and IAM bindings                      #
 ###############################################################################
 
-module "sa-tfe" {
+module "sa-tfc" {
   source     = "../../../../modules/iam-service-account"
   project_id = module.project.project_id
-  name       = "sa-tfe"
+  name       = "sa-tfc"
 
   iam = {
-    # We allow only tokens generated by a specific TFE workspace impersonation of the service account,
-    # that way one identity pool can be used for a TFE Organization, but every workspace will be able to impersonate only a specifc SA
-    "roles/iam.workloadIdentityUser" = ["principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.tfe-pool.name}/attribute.terraform_workspace_id/${var.tfe_workspace_id}"]
+    # We allow only tokens generated by a specific TFC workspace impersonation of the service account,
+    # that way one identity pool can be used for a TFC Organization, but every workspace will be able to impersonate only a specifc SA
+    "roles/iam.workloadIdentityUser" = ["principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.tfc-pool.name}/attribute.terraform_workspace_id/${var.tfc_workspace_id}"]
   }
 
   iam_project_roles = {

blueprints/cloud-operations/terraform-cloud-dynamic-credentials/gcp-workload-identity-provider/outputs.tf

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,23 +12,18 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-
-output "impersonate_service_account_email" {
-  description = "Service account to be impersonated by workload identity."
-  value       = module.sa-tfe.email
-}
-
 output "project_id" {
   description = "GCP Project ID."
   value       = module.project.project_id
 }
 
-output "workload_identity_audience" {
-  description = "TFC Workload Identity Audience."
-  value       = "//iam.googleapis.com/${google_iam_workload_identity_pool_provider.tfe-pool-provider.name}"
-}
-
-output "workload_identity_pool_provider_id" {
-  description = "GCP workload identity pool provider ID."
-  value       = google_iam_workload_identity_pool_provider.tfe-pool-provider.name
+output "tfc_workspace_wariables" {
+  description = "Variables to be set on the TFC workspace."
+  value = {
+    TFC_GCP_PROVIDER_AUTH             = "true",
+    TFC_GCP_PROJECT_NUMBER            = module.project.number,
+    TFC_GCP_WORKLOAD_POOL_ID          = google_iam_workload_identity_pool.tfc-pool.workload_identity_pool_id,
+    TFC_GCP_WORKLOAD_PROVIDER_ID      = google_iam_workload_identity_pool_provider.tfc-pool-provider.workload_identity_pool_provider_id,
+    TFC_GCP_RUN_SERVICE_ACCOUNT_EMAIL = module.sa-tfc.email
+  }
 }

blueprints/cloud-operations/terraform-cloud-dynamic-credentials/gcp-workload-identity-provider/variables.tf

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -19,7 +19,7 @@ variable "billing_account" {
 }
 
 variable "issuer_uri" {
-  description = "Terraform Enterprise uri. Replace the uri if a self hosted instance is used."
+  description = "Terraform Cloud/Enterprise uri. Replace the uri if a self hosted instance is used."
   type        = string
   default     = "https://app.terraform.io/"
 }
@@ -45,24 +45,24 @@ variable "project_id" {
   type        = string
 }
 
-variable "tfe_organization_id" {
-  description = "TFE organization id."
+variable "tfc_organization_id" {
+  description = "TFC organization id."
   type        = string
 }
 
-variable "tfe_workspace_id" {
-  description = "TFE workspace id."
+variable "tfc_workspace_id" {
+  description = "TFC workspace id."
   type        = string
 }
 
 variable "workload_identity_pool_id" {
   description = "Workload identity pool id."
   type        = string
-  default     = "tfe-pool"
+  default     = "tfc-pool"
 }
 
 variable "workload_identity_pool_provider_id" {
   description = "Workload identity pool provider id."
   type        = string
-  default     = "tfe-provider"
+  default     = "tfc-provider"
 }

blueprints/cloud-operations/terraform-cloud-dynamic-credentials/tfc-workflow-using-wif/README.md

@@ -0,0 +1,16 @@
+# Test GCP Workload Identity Provider for Terraform Dynamic Credentials
+
+This terraform code is a part of [GCP Workload Identity Federation for Terraform Cloud](../) blueprint. For instructions please refer to the blueprint [readme](../README.md).
+
+The codebase provisions the following list of resources:
+
+- GCS Bucket
+<!-- BEGIN TFDOC -->
+
+## Variables
+
+| name | description | type | required | default |
+|---|---|:---:|:---:|:---:|
+| [project_id](variables.tf#L15) | GCP project ID. | <code>string</code> | ✓ |  |
+
+<!-- END TFDOC -->

blueprints/cloud-operations/terraform-cloud-dynamic-credentials/tfc-workflow-using-wif/backend.tf.template

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,10 +18,10 @@
 
 terraform {
   backend "remote" {
-    organization = "<TFE-ORG-NAME>"
+    organization = "<TFC-ORG-NAME>"
 
     workspaces {
-      name = "<TFE-WORKSPACE-NAME>"
+      name = "<TFC-WORKSPACE-NAME>"
     }
   }
 

blueprints/cloud-operations/terraform-cloud-dynamic-credentials/tfc-workflow-using-wif/main.tf

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -19,7 +19,7 @@
 
 resource "google_storage_bucket" "test-bucket" {
   project       = var.project_id
-  name          = "${var.project_id}-tfe-oidc-test-bucket"
+  name          = "${var.project_id}-test"
   location      = "US"
   force_destroy = true
 }

blueprints/cloud-operations/terraform-cloud-dynamic-credentials/tfc-workflow-using-wif/provider.tf

@@ -1,5 +1,4 @@
-#!/bin/bash
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,11 +12,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Exit if any of the intermediate steps fail
-set -e
-
-FILENAME=$@
-
-echo $TFC_WORKLOAD_IDENTITY_TOKEN > $FILENAME
-
-echo -n "{\"file\":\"${FILENAME}\"}"
+provider "google" {}

blueprints/cloud-operations/terraform-cloud-dynamic-credentials/tfc-workflow-using-wif/terraform.auto.tfvars.template

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,5 +12,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-project_id                         = "tfe-oidc-workflow"
-impersonate_service_account_email  = "sa-tfe@tfe-oidc-workflow2.iam.gserviceaccount.com"
+project_id = "tfc-dynamic-creds-gcp"

blueprints/cloud-operations/terraform-cloud-dynamic-credentials/tfc-workflow-using-wif/variables.tf

@@ -1,4 +1,3 @@
-#!/bin/bash
 # Copyright 2022 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,11 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Exit if any of the intermediate steps fail
-set -e
-
-cat <<EOF
-{
-  "audience": "$TFC_WORKLOAD_IDENTITY_AUDIENCE"
+variable "project_id" {
+  description = "GCP project ID."
+  type        = string
 }
-EOF

blueprints/cloud-operations/terraform-enterprise-wif/gcp-workload-identity-provider/terraform.auto.tfvars.template

@@ -1,20 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-parent              = "folders/437102807785"
-project_id          = "my-project-id"
-tfe_organization_id = "org-W3bz9neazHrZz99U"
-tfe_workspace_id    = "ws-DFxEE3NmeMdaAvoK"
-billing_account     = "015617-1B8CBC-AF10D9"

blueprints/cloud-operations/terraform-enterprise-wif/tfc-workflow-using-wif/README.md

@@ -1,17 +0,0 @@
-# GCP Workload Identity Provider for Terraform Enterprise
-
-This terraform code is a part of [GCP Workload Identity Federation for Terraform Enterprise](../) blueprint. For instructions please refer to the blueprint [readme](../README.md).
-
-The codebase provisions the following list of resources:
-
-- GCS Bucket
-<!-- BEGIN TFDOC -->
-
-## Variables
-
-| name | description | type | required | default |
-|---|---|:---:|:---:|:---:|
-| [impersonate_service_account_email](variables.tf#L16) | Service account to be impersonated by workload identity. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L21) | GCP project ID. | <code>string</code> | ✓ |  |
-
-<!-- END TFDOC -->

blueprints/cloud-operations/terraform-enterprise-wif/tfc-workflow-using-wif/provider.tf

@@ -1,24 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-module "tfe_oidc" {
-  source = "./tfc-oidc"
-
-  impersonate_service_account_email = var.impersonate_service_account_email
-}
-
-provider "google" {
-  credentials = module.tfe_oidc.credentials
-}

blueprints/cloud-operations/terraform-enterprise-wif/tfc-workflow-using-wif/tfc-oidc/README.md

@@ -1,38 +0,0 @@
-# Terraform Enterprise OIDC Credential for GCP Workload Identity Federation
-
-This is a helper module to prepare GCP Credentials from Terraform Enterprise workload identity token. For more information see [Terraform Enterprise Workload Identity Federation](../) blueprint.
-
-## Example
-```hcl
-module "tfe_oidc" {
-  source = "./tfc-oidc"
-
-  impersonate_service_account_email = "tfe-test@tfe-test-wif.iam.gserviceaccount.com"
-}
-
-provider "google" {
-  credentials = module.tfe_oidc.credentials
-}
-
-provider "google-beta" {
-  credentials = module.tfe_oidc.credentials
-}
-
-# tftest skip
-```
-<!-- BEGIN TFDOC -->
-
-## Variables
-
-| name | description | type | required | default |
-|---|---|:---:|:---:|:---:|
-| [impersonate_service_account_email](variables.tf#L17) | Service account to be impersonated by workload identity federation. | <code>string</code> | ✓ |  |
-| [tmp_oidc_token_path](variables.tf#L22) | Name of the temporary file where TFC OIDC token will be stored to authentificate terraform provider google. | <code>string</code> |  | <code>&#34;.oidc_token&#34;</code> |
-
-## Outputs
-
-| name | description | sensitive |
-|---|---|:---:|
-| [credentials](outputs.tf#L17) | Credentials in format to pass the to gcp provider. |  |
-
-<!-- END TFDOC -->

blueprints/cloud-operations/terraform-enterprise-wif/tfc-workflow-using-wif/tfc-oidc/main.tf

@@ -1,23 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-data "external" "oidc_token_file" {
-  program = ["bash", "${path.module}/write_token.sh", "${var.tmp_oidc_token_path}"]
-}
-
-data "external" "workload_identity_pool" {
-  program = ["bash", "${path.module}/get_audience.sh"]
-}

blueprints/cloud-operations/terraform-enterprise-wif/tfc-workflow-using-wif/tfc-oidc/outputs.tf

@@ -1,27 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-output "credentials" {
-  description = "Credentials in format to pass the to gcp provider."
-  value = jsonencode({
-    "type" : "external_account",
-    "audience" : data.external.workload_identity_pool.result.audience,
-    "subject_token_type" : "urn:ietf:params:oauth:token-type:jwt",
-    "token_url" : "https://sts.googleapis.com/v1/token",
-    "credential_source" : data.external.oidc_token_file.result
-    "service_account_impersonation_url" : "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${var.impersonate_service_account_email}:generateAccessToken"
-  })
-}

blueprints/cloud-operations/terraform-enterprise-wif/tfc-workflow-using-wif/tfc-oidc/variables.tf

@@ -1,26 +0,0 @@
-/**
- * Copyright 2022 Google LLC
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-variable "impersonate_service_account_email" {
-  description = "Service account to be impersonated by workload identity federation."
-  type        = string
-}
-
-variable "tmp_oidc_token_path" {
-  description = "Name of the temporary file where TFC OIDC token will be stored to authentificate terraform provider google."
-  type        = string
-  default     = ".oidc_token"
-}

blueprints/cloud-operations/terraform-enterprise-wif/tfc-workflow-using-wif/tfc-oidc/versions.tf

@@ -1,29 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-terraform {
-  required_version = ">= 1.3.1"
-  required_providers {
-    google = {
-      source  = "hashicorp/google"
-      version = ">= 4.50.0" # tftest
-    }
-    google-beta = {
-      source  = "hashicorp/google-beta"
-      version = ">= 4.50.0" # tftest
-    }
-  }
-}
-
-

blueprints/cloud-operations/terraform-enterprise-wif/tfc-workflow-using-wif/variables.tf

@@ -1,24 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-variable "impersonate_service_account_email" {
-  description = "Service account to be impersonated by workload identity."
-  type        = string
-}
-
-variable "project_id" {
-  description = "GCP project ID."
-  type        = string
-}

tests/blueprints/cloud_operations/terraform-cloud-dynamic-credentials/gcp_workload_identity_provider/fixture/main.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,13 +15,13 @@
  */
 
 module "test" {
-  source                             = "../../../../../../blueprints/cloud-operations/terraform-enterprise-wif/gcp-workload-identity-provider"
+  source                             = "../../../../../../blueprints/cloud-operations/terraform-cloud-dynamic-credentials/gcp-workload-identity-provider"
   billing_account                    = var.billing_account
   project_create                     = var.project_create
   project_id                         = var.project_id
   parent                             = var.parent
-  tfe_organization_id                = var.tfe_organization_id
-  tfe_workspace_id                   = var.tfe_workspace_id
+  tfc_organization_id                = var.tfe_organization_id
+  tfc_workspace_id                   = var.tfe_workspace_id
   workload_identity_pool_id          = var.workload_identity_pool_id
   workload_identity_pool_provider_id = var.workload_identity_pool_provider_id
   issuer_uri                         = var.issuer_uri

tests/blueprints/cloud_operations/terraform-cloud-dynamic-credentials/gcp_workload_identity_provider/fixture/variables.tf

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -37,14 +37,14 @@ variable "parent" {
   }
 }
 
-variable "tfe_organization_id" {
-  description = "TFE organization id."
+variable "tfc_organization_id" {
+  description = "TFC organization id."
   type        = string
   default     = "org-123"
 }
 
-variable "tfe_workspace_id" {
-  description = "TFE workspace id."
+variable "tfc_workspace_id" {
+  description = "TFC workspace id."
   type        = string
   default     = "ws-123"
 }
@@ -52,17 +52,17 @@ variable "tfe_workspace_id" {
 variable "workload_identity_pool_id" {
   description = "Workload identity pool id."
   type        = string
-  default     = "tfe-pool"
+  default     = "tfc-pool"
 }
 
 variable "workload_identity_pool_provider_id" {
   description = "Workload identity pool provider id."
   type        = string
-  default     = "tfe-provider"
+  default     = "tfc-provider"
 }
 
 variable "issuer_uri" {
-  description = "Terraform Enterprise uri. Replace the uri if a self hosted instance is used."
+  description = "Terraform Cloud uri. Replace the uri if a self hosted instance is used."
   type        = string
   default     = "https://app.terraform.io/"
 }