While enabling Identity-Aware Proxy (IAP) for an Internal Load Balancer using the net-lb-app-int module (Cloud Foundation Fabric v47), I attempted to configure Google-Managed IAP (the new recommended mode which does not require OAuth client ID / secret).
    dynamic "iap" {
      for_each = each.value.iap_config == null ? [] : [each.value.iap_config]
      content {
        enabled                     = true
        oauth2_client_id            = iap.value.oauth2_client_id
        oauth2_client_secret        = iap.value.oauth2_client_secret
        oauth2_client_secret_sha256 = iap.value.oauth2_client_secret_sha256
      }
    }
Question
Is it possible to enable Google-Managed IAP using the current module?
Based on my testing:
• Passing {}
• Passing empty strings ""
• Passing " "
• Passing only partial fields
• Passing null values
• Passing no OAuth fields
does NOT activate IAP, and the Google Cloud Console continues to show IAP disabled for the backend service.
Terraform also shows no diff and the backend service is created without any IAP block.
It appears the current module supports only OAuth-based IAP, not Google-managed IAP.
    optional(object({
      oauth2_client_id            = optional(string)
      oauth2_client_secret        = optional(string)
      oauth2_client_secret_sha256 = optional(string)
    }))
Terraform will reject {} as non-conforming to this schema.
Terraform then converts {} → null, causing:
    for_each = []
Is this correct?
Google-Managed IAP requires only this:
    iap {
      enabled = true
    }
but the module forces
    iap {
      enabled = true
      oauth2_client_id =
      oauth2_client_secret =
    }
A practical patch for the cff modules
    dynamic "iap" {
      for_each = each.value.iap_config == null ? [] : [each.value.iap_config]
      content {
        enabled = true
      }
    }
This patch allows:
• Google-Managed IAP via {}
• OAuth-IAP via values
• Backward compatibility
• Clean plan/apply behavior
Summary
The current CFF module cannot enable Google-Managed IAP.
Only OAuth-based IAP is supported.
Empty strings do not override this behavior.
No input combination currently produces iap { enabled = true } on its own.
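
An added example, not part of the original post or of the Cloud Foundation Fabric modules: the post reports a clean plan and a backend service created with no IAP block, so a CI check over `terraform show -json` output can flag that case before apply. The sample plan and resource names below are constructed.

```python
# Added example: flag backend services a Terraform plan would leave without IAP.
# Input shape is that of `terraform show -json <planfile>`.
BACKEND_TYPES = {"google_compute_backend_service",
                 "google_compute_region_backend_service"}


def iap_state(after):
    """Classify the planned iap block; nested blocks are lists in plan JSON."""
    blocks = (after or {}).get("iap") or []
    if not blocks:
        return "missing"          # no iap block rendered at all
    block = blocks[0]
    if not block.get("enabled"):
        return "disabled"
    # Per the post, Google-managed IAP is the mode with no OAuth client ID.
    return "oauth" if block.get("oauth2_client_id") else "google-managed"


def unprotected_backends(plan):
    """Return {address: state} for backends planned without IAP enabled."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in BACKEND_TYPES:
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue              # resource is being removed
        state = iap_state(change.get("after"))
        if state in ("missing", "disabled"):
            findings[rc["address"]] = state
    return findings


def _rc(name, iap):
    """Build one constructed resource_changes entry (sample data only)."""
    return {"address": f"google_compute_region_backend_service.{name}",
            "type": "google_compute_region_backend_service",
            "change": {"actions": ["create"], "after": {"name": name, "iap": iap}}}


# Constructed sample plan, trimmed to the fields the check reads.
SAMPLE_PLAN = {"resource_changes": [
    _rc("no_block", []),
    _rc("managed", [{"enabled": True, "oauth2_client_id": None}]),
    _rc("oauth", [{"enabled": True, "oauth2_client_id": "example-client-id"}]),
    _rc("off", [{"enabled": False, "oauth2_client_id": None}]),
]}

if __name__ == "__main__":
    for address, state in unprotected_backends(SAMPLE_PLAN).items():
        print(f"{address}: iap {state}")
```

A client ID that is only known after apply is absent from the plan's `after` values, so such a backend is reported here as `google-managed`.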