---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** Type: MMv1 ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Identity Platform"
description: |-
Identity Platform configuration for a Cloud project.
---
# google\_identity\_platform\_config
Identity Platform configuration for a Cloud project. Identity Platform is an
end-to-end authentication system for third-party users to access apps
and services.
This entity is created only once during initialization and cannot be deleted;
individual Identity Providers may be disabled instead. This resource may only
be created in billing-enabled projects.
To get more information about Config, see:
* [API documentation](https://cloud.google.com/identity-platform/docs/reference/rest/v2/Config)
* How-to Guides
* [Official Documentation](https://cloud.google.com/identity-platform/docs)
~> **Warning:** All arguments including the following potentially sensitive
values will be stored in the raw state as plain text: `client.api_key`.
[Read more about sensitive data in state](https://www.terraform.io/language/state/sensitive-data).
## Example Usage - Identity Platform Config Basic
```hcl
resource "google_project" "default" {
project_id = "my-project"
name = "my-project"
org_id = "123456789"
billing_account = "000000-0000000-0000000-000000"
labels = {
firebase = "enabled"
}
}
resource "google_project_service" "identitytoolkit" {
project = google_project.default.project_id
service = "identitytoolkit.googleapis.com"
}
resource "google_identity_platform_config" "default" {
project = google_project.default.project_id
autodelete_anonymous_users = true
sign_in {
allow_duplicate_emails = true
anonymous {
enabled = true
}
email {
enabled = true
password_required = false
}
phone_number {
enabled = true
test_phone_numbers = {
"+11231231234" = "000000"
}
}
}
sms_region_config {
allowlist_only {
allowed_regions = [
"US",
"CA",
]
}
}
blocking_functions {
triggers {
event_type = "beforeSignIn"
function_uri = "https://us-east1-my-project.cloudfunctions.net/before-sign-in"
}
forward_inbound_credentials {
refresh_token = true
access_token = true
id_token = true
}
}
quota {
sign_up_quota_config {
quota = 1000
start_time = ""
quota_duration = "7200s"
}
}
authorized_domains = [
"localhost",
"my-project.firebaseapp.com",
"my-project.web.app",
]
}
```
## Argument Reference
The following arguments are supported:
- - -
* `autodelete_anonymous_users` -
(Optional)
Whether anonymous users will be auto-deleted after a period of 30 days.
* `sign_in` -
(Optional)
Configuration related to local sign in methods.
Structure is [documented below](#nested_sign_in).
* `blocking_functions` -
(Optional)
Configuration related to blocking functions.
Structure is [documented below](#nested_blocking_functions).
* `quota` -
(Optional)
Configuration related to quotas.
Structure is [documented below](#nested_quota).
* `authorized_domains` -
(Optional)
List of domains authorized for OAuth redirects.
* `sms_region_config` -
(Optional)
Configures the regions where users are allowed to send verification SMS for the project or tenant. This is based on the calling code of the destination phone number.
Structure is [documented below](#nested_sms_region_config).
* `client` -
(Optional)
Options related to how clients making requests on behalf of a project should be configured.
Structure is [documented below](#nested_client).
* `mfa` -
(Optional)
Options related to multi-factor authentication for the project: whether it is disabled, optional or mandatory, and which second factors are usable.
Structure is [documented below](#nested_mfa).
* `multi_tenant` -
(Optional)
Configuration related to multi-tenant functionality.
Structure is [documented below](#nested_multi_tenant).
* `monitoring` -
(Optional)
Configuration related to monitoring project activity.
Structure is [documented below](#nested_monitoring).
* `project` - (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.
<a name="nested_sign_in"></a>The `sign_in` block supports:
* `email` -
(Optional)
Configuration options related to authenticating a user by their email address.
Structure is [documented below](#nested_email).
* `phone_number` -
(Optional)
Configuration options related to authenticating a user by their phone number.
Structure is [documented below](#nested_phone_number).
* `anonymous` -
(Optional)
Configuration options related to authenticating an anonymous user.
Structure is [documented below](#nested_anonymous).
* `allow_duplicate_emails` -
(Optional)
Whether to allow more than one account to have the same email. When enabled, an email address no longer uniquely identifies an account.
* `hash_config` -
(Output)
Output only. Hash config information.
Structure is [documented below](#nested_hash_config).
<a name="nested_email"></a>The `email` block supports:
* `enabled` -
(Required)
Whether email auth is enabled for the project or not.
* `password_required` -
(Optional)
Whether a password is required for email auth or not. If true, both an email and
password must be provided to sign in. If false, a user may sign in via either
email/password or email link.
<a name="nested_phone_number"></a>The `phone_number` block supports:
* `enabled` -
(Required)
Whether phone number auth is enabled for the project or not.
* `test_phone_numbers` -
(Optional)
A map of `<test phone number, fake code>` that can be used for phone auth testing. The fake code is accepted in place of a real SMS verification code, so this should only be set in test projects, never in a production configuration.
<a name="nested_anonymous"></a>The `anonymous` block supports:
* `enabled` -
(Required)
Whether anonymous user auth is enabled for the project or not.
<a name="nested_hash_config"></a>The `hash_config` block contains:
* `algorithm` -
(Output)
Different password hash algorithms used in Identity Toolkit.
* `signer_key` -
(Output)
Signer key in base64.
* `salt_separator` -
(Output)
Non-printable character to be inserted between the salt and plain text password in base64.
* `rounds` -
(Output)
How many rounds for hash calculation. Used by scrypt and other similar password derivation algorithms.
* `memory_cost` -
(Output)
Memory cost for hash calculation. Used by scrypt and other similar password derivation algorithms. See https://tools.ietf.org/html/rfc7914 for explanation of field.
<a name="nested_blocking_functions"></a>The `blocking_functions` block supports:
* `triggers` -
(Required)
Map of event type to trigger. `event_type` must be one of the supported event types: "beforeCreate", "beforeSignIn".
Structure is [documented below](#nested_triggers).
* `forward_inbound_credentials` -
(Optional)
The user credentials to include in the JWT payload that is sent to the registered Blocking Functions. Forward only the credentials the function actually needs; a forwarded refresh token lets the function obtain new access tokens on the user's behalf.
Structure is [documented below](#nested_forward_inbound_credentials).
<a name="nested_triggers"></a>The `triggers` block supports:
* `event_type` - (Required) The identifier for this object. One of the supported event types listed above.
* `function_uri` -
(Required)
HTTP URI trigger for the Cloud Function.
* `update_time` -
(Output)
When the trigger was changed.
<a name="nested_forward_inbound_credentials"></a>The `forward_inbound_credentials` block supports:
* `id_token` -
(Optional)
Whether to pass the user's OIDC identity provider's ID token.
* `access_token` -
(Optional)
Whether to pass the user's OAuth identity provider's access token.
* `refresh_token` -
(Optional)
Whether to pass the user's OAuth identity provider's refresh token.
<a name="nested_quota"></a>The `quota` block supports:
* `sign_up_quota_config` -
(Optional)
Quota for the Signup endpoint, if overwritten. Signup quota is measured in sign ups per project per hour per IP.
Structure is [documented below](#nested_sign_up_quota_config).
<a name="nested_sign_up_quota_config"></a>The `sign_up_quota_config` block supports:
* `quota` -
(Optional)
A sign up APIs quota that customers can override temporarily.
* `start_time` -
(Optional)
When this quota will take effect.
* `quota_duration` -
(Optional)
How long this quota will be active for. It is measured in seconds, e.g. "9.615s".
<a name="nested_sms_region_config"></a>The `sms_region_config` block supports:
* `allow_by_default` -
(Optional)
A policy of allowing SMS to every region by default and adding disallowed regions to a disallow list.
Structure is [documented below](#nested_allow_by_default).
* `allowlist_only` -
(Optional)
A policy of only allowing regions by explicitly adding them to an allowlist.
Structure is [documented below](#nested_allowlist_only).
<a name="nested_allow_by_default"></a>The `allow_by_default` block supports:
* `disallowed_regions` -
(Optional)
Two letter unicode region codes to disallow as defined by https://cldr.unicode.org/ The full list of these region codes is here: https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json
<a name="nested_allowlist_only"></a>The `allowlist_only` block supports:
* `allowed_regions` -
(Optional)
Two letter unicode region codes to allow as defined by https://cldr.unicode.org/ The full list of these region codes is here: https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json
<a name="nested_client"></a>The `client` block supports:
* `permissions` -
(Optional)
Configuration related to restricting a user's ability to affect their account.
Structure is [documented below](#nested_permissions).
* `api_key` -
(Output)
API key that can be used when making requests for this project.
**Note**: This property is sensitive and will not be displayed in the plan.
* `firebase_subdomain` -
(Output)
Firebase subdomain.
<a name="nested_permissions"></a>The `permissions` block supports:
* `disabled_user_signup` -
(Optional)
When true, end users cannot sign up for a new account on the associated project through any of our API methods
* `disabled_user_deletion` -
(Optional)
When true, end users cannot delete their account on the associated project through any of our API methods
<a name="nested_mfa"></a>The `mfa` block supports:
* `state` -
(Optional)
Whether MultiFactor Authentication has been enabled for this project.
Possible values are: `DISABLED`, `ENABLED`, `MANDATORY`.
* `enabled_providers` -
(Optional)
A list of usable second factors for this project.
Each value may be one of: `PHONE_SMS`.
* `provider_configs` -
(Optional)
A list of usable second factors for this project along with their configurations.
This field does not support phone based MFA; for that use the `enabled_providers` field.
Structure is [documented below](#nested_provider_configs).
<a name="nested_provider_configs"></a>The `provider_configs` block supports:
* `state` -
(Optional)
Whether MultiFactor Authentication has been enabled for this project.
Possible values are: `DISABLED`, `ENABLED`, `MANDATORY`.
* `totp_provider_config` -
(Optional)
TOTP MFA provider config for this project.
Structure is [documented below](#nested_totp_provider_config).
<a name="nested_totp_provider_config"></a>The `totp_provider_config` block supports:
* `adjacent_intervals` -
(Optional)
The allowed number of adjacent intervals that will be used for verification to avoid clock skew.
<a name="nested_multi_tenant"></a>The `multi_tenant` block supports:
* `allow_tenants` -
(Optional)
Whether this project can have tenants or not.
* `default_tenant_location` -
(Optional)
The default cloud parent org or folder that the tenant project should be created under.
The parent resource name should be in the format `<type>/<number>`, such as "folders/123" or "organizations/456".
If the value is not set, the tenant will be created under the same organization or folder as the agent project.
<a name="nested_monitoring"></a>The `monitoring` block supports:
* `request_logging` -
(Optional)
Configuration for logging requests made to this project to Cloud Logging (formerly Stackdriver Logging).
Structure is [documented below](#nested_request_logging).
<a name="nested_request_logging"></a>The `request_logging` block supports:
* `enabled` -
(Optional)
Whether logging is enabled for this project or not.
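The basic example above enables anonymous sign-in, duplicate emails and test phone numbers, which suits a development project. The following configuration is an added example, not part of the generated documentation, that combines the arguments described above into a more restrictive setup: mandatory MFA with TOTP, self-service sign-up and deletion disabled, request logging on, an SMS region policy, and a blocking function that receives only the ID token. The project ID, function URI, domains and region codes are placeholders.

```hcl
resource "google_identity_platform_config" "hardened" {
  project                    = "my-project" # placeholder project ID
  autodelete_anonymous_users = true

  sign_in {
    # Keep email addresses unique across accounts.
    allow_duplicate_emails = false

    anonymous {
      enabled = false
    }

    email {
      enabled           = true
      password_required = true # no passwordless email-link sign-in
    }

    phone_number {
      enabled = true
      # No test_phone_numbers: fake verification codes belong in test projects only.
    }
  }

  # Allow SMS to every region except the listed calling-code regions (placeholders).
  sms_region_config {
    allow_by_default {
      disallowed_regions = ["AQ", "IO"]
    }
  }

  mfa {
    state             = "MANDATORY"
    enabled_providers = ["PHONE_SMS"] # phone-based MFA is configured here, not in provider_configs

    provider_configs {
      state = "ENABLED"
      totp_provider_config {
        adjacent_intervals = 2 # small clock-skew window; value chosen for this example
      }
    }
  }

  client {
    permissions {
      # Accounts are provisioned out of band; end users cannot self-register or self-delete.
      disabled_user_signup   = true
      disabled_user_deletion = true
    }
  }

  monitoring {
    request_logging {
      enabled = true
    }
  }

  blocking_functions {
    triggers {
      event_type   = "beforeSignIn"
      function_uri = "https://us-east1-my-project.cloudfunctions.net/before-sign-in" # placeholder
    }

    # Forward only what the function needs to make its decision.
    forward_inbound_credentials {
      id_token      = true
      access_token  = false
      refresh_token = false
    }
  }

  # Only the application's own hosting domains; no localhost in production.
  authorized_domains = [
    "my-project.firebaseapp.com",
    "my-project.web.app",
  ]
}
```

`allow_by_default` and `allowlist_only` are alternative shapes of the same policy; where the application serves a known set of countries, the default-deny `allowlist_only` form shown in the basic example is the tighter choice. Note that `client.api_key` is still written to state in plain text regardless of these settings.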
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `id` - an identifier for the resource with format `projects/{{project}}/config`
* `name` -
The name of the Config resource
## Timeouts
This resource provides the following
[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:
- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.
## Import
Config can be imported using any of these accepted formats:
* `projects/{{project}}/config`
* `projects/{{project}}`
* `{{project}}`
In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import Config using one of the formats above. For example:
```tf
import {
id = "projects/{{project}}/config"
to = google_identity_platform_config.default
}
```
When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), Config can be imported using one of the formats above. For example:
```
$ terraform import google_identity_platform_config.default projects/{{project}}/config
$ terraform import google_identity_platform_config.default projects/{{project}}
$ terraform import google_identity_platform_config.default {{project}}
```
## User Project Overrides
This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).