GoogleCloudPlatform · zli82016 · Mar 24, 2026 · Mar 24, 2026
diff --git a/mmv1/products/iambeta/WorkloadIdentityPool.yaml b/mmv1/products/iambeta/WorkloadIdentityPool.yaml
@@ -67,13 +67,16 @@ examples:
     vars:
       workload_identity_pool_id: 'example-pool'
     min_version: beta
-    external_providers:
-      - 'random'
   - name: 'iam_workload_identity_pool_full_trust_domain_mode'
     primary_resource_id: 'example'
     vars:
       workload_identity_pool_id: 'example-pool'
     min_version: beta
+  - name: 'iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca'
+    primary_resource_id: 'example'
+    vars:
+      workload_identity_pool_id: 'example-pool'
+    min_version: beta
 parameters:
 properties:
   - name: 'workloadIdentityPoolId'
@@ -166,6 +169,9 @@ properties:
     properties:
       - name: 'caPools'
         type: KeyValuePairs
+        exactly_one_of:
+          - 'inlineCertificateIssuanceConfig.0.ca_pools'
+          - 'inlineCertificateIssuanceConfig.0.use_default_shared_ca'
         description: |
           A required mapping of a cloud region to the CA pool resource located in that region used
           for certificate issuance, adhering to these constraints:
@@ -176,7 +182,20 @@ properties:
           `projects/{project}/locations/{location}/caPools/{ca_pool}`
           * **Region Matching:** Workloads are ONLY issued certificates from CA pools within the
           same region. Also the CA pool region (in value) must match the workload's region (key).
-        required: true
+      - name: 'useDefaultSharedCa'
+        type: Boolean
+        exactly_one_of:
+          - 'inlineCertificateIssuanceConfig.0.ca_pools'
+          - 'inlineCertificateIssuanceConfig.0.use_default_shared_ca'
+        description: |
+          If set to true, the trust domain will utilize the GCP-provisioned default CA. A default
+          CA in the same region as the workload will be selected to issue the certificate. Enabling
+          this will clear any existing `ca_pools` configuration to provision the certificates.
+
+
+          ~> **Note** This field is mutually exclusive with `ca_pools`. If this flag is enabled,
+          certificates will be automatically provisioned from the default shared CAs. This flag should
+          not be set if you want to use your own CA pools to provision the certificates.
       - name: 'lifetime'
         type: String
         description: |

diff --git a/...examples/iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca.tf.tmpl b/...examples/iam_workload_identity_pool_full_trust_domain_mode_with_default_shared_ca.tf.tmpl
@@ -0,0 +1,35 @@
+resource "google_iam_workload_identity_pool" "{{$.PrimaryResourceId}}" {
+  provider = google-beta
+
+  workload_identity_pool_id = "{{index $.Vars "workload_identity_pool_id"}}"
+  display_name              = "Name of the pool"
+  description               = "Identity pool operates in TRUST_DOMAIN mode"
+  disabled                  = true
+  mode                      = "TRUST_DOMAIN"
+  inline_certificate_issuance_config {
+    use_default_shared_ca      = true
+    lifetime                   = "86400s"
+    rotation_window_percentage = 50
+    key_algorithm              = "ECDSA_P256"
+  }
+  inline_trust_config {
+    additional_trust_bundles {
+      trust_domain = "example.com"
+      trust_anchors {
+        pem_certificate = file("test-fixtures/trust_anchor_1.pem")
+      }
+      trust_anchors {
+        pem_certificate = file("test-fixtures/trust_anchor_2.pem")
+      }
+    }
+    additional_trust_bundles {
+      trust_domain = "example.net"
+      trust_anchors {
+        pem_certificate = file("test-fixtures/trust_anchor_3.pem")
+      }
+      trust_anchors {
+        pem_certificate = file("test-fixtures/trust_anchor_4.pem")
+      }
+    }
+  }
+}
diff --git a/...ird_party/terraform/services/iambeta/resource_iam_workload_identity_pool_provider_test.go b/...ird_party/terraform/services/iambeta/resource_iam_workload_identity_pool_provider_test.go
@@ -1,9 +1,10 @@
 package iambeta_test
 
 import (
-	"github.com/hashicorp/terraform-provider-google/google/acctest"
 	"testing"
 
+	"github.com/hashicorp/terraform-provider-google/google/acctest"
+
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 )
 
@@ -90,12 +91,12 @@ func TestAccIAMBetaWorkloadIdentityPoolProvider_oidc(t *testing.T) {
 func testAccIAMBetaWorkloadIdentityPoolProvider_aws_full(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_iam_workload_identity_pool" "my_pool" {
-  workload_identity_pool_id = "my-pool-%{random_suffix}"
+  workload_identity_pool_id = "tf-test-my-pool-%{random_suffix}"
 }
 
 resource "google_iam_workload_identity_pool_provider" "my_provider" {
   workload_identity_pool_id          = google_iam_workload_identity_pool.my_pool.workload_identity_pool_id
-  workload_identity_pool_provider_id = "my-provider-%{random_suffix}"
+  workload_identity_pool_provider_id = "tf-test-my-provider-%{random_suffix}"
   display_name                       = "Name of provider"
   description                        = "AWS identity pool provider for automated test"
   disabled                           = true
@@ -115,12 +116,12 @@ resource "google_iam_workload_identity_pool_provider" "my_provider" {
 func testAccIAMBetaWorkloadIdentityPoolProvider_aws_enabled(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_iam_workload_identity_pool" "my_pool" {
-  workload_identity_pool_id = "my-pool-%{random_suffix}"
+  workload_identity_pool_id = "tf-test-my-pool-%{random_suffix}"
 }
 
 resource "google_iam_workload_identity_pool_provider" "my_provider" {
   workload_identity_pool_id          = google_iam_workload_identity_pool.my_pool.workload_identity_pool_id
-  workload_identity_pool_provider_id = "my-provider-%{random_suffix}"
+  workload_identity_pool_provider_id = "tf-test-my-provider-%{random_suffix}"
   display_name                       = "Name of provider"
   description                        = "AWS identity pool provider for automated test"
   disabled                           = false
@@ -140,12 +141,12 @@ resource "google_iam_workload_identity_pool_provider" "my_provider" {
 func testAccIAMBetaWorkloadIdentityPoolProvider_oidc_full(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_iam_workload_identity_pool" "my_pool" {
-  workload_identity_pool_id = "my-pool-%{random_suffix}"
+  workload_identity_pool_id = "tf-test-my-pool-%{random_suffix}"
 }
 
 resource "google_iam_workload_identity_pool_provider" "my_provider" {
   workload_identity_pool_id          = google_iam_workload_identity_pool.my_pool.workload_identity_pool_id
-  workload_identity_pool_provider_id = "my-provider-%{random_suffix}"
+  workload_identity_pool_provider_id = "tf-test-my-provider-%{random_suffix}"
   display_name                       = "Name of provider"
   description                        = "OIDC identity pool provider for automated test"
   disabled                           = true
@@ -172,12 +173,12 @@ EOT
 func testAccIAMBetaWorkloadIdentityPoolProvider_oidc_update(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_iam_workload_identity_pool" "my_pool" {
-  workload_identity_pool_id = "my-pool-%{random_suffix}"
+  workload_identity_pool_id = "tf-test-my-pool-%{random_suffix}"
 }
 
 resource "google_iam_workload_identity_pool_provider" "my_provider" {
   workload_identity_pool_id          = google_iam_workload_identity_pool.my_pool.workload_identity_pool_id
-  workload_identity_pool_provider_id = "my-provider-%{random_suffix}"
+  workload_identity_pool_provider_id = "tf-test-my-provider-%{random_suffix}"
   display_name                       = "Name of provider"
   description                        = "OIDC identity pool provider for automated test"
   disabled                           = true
@@ -205,12 +206,12 @@ EOT
 func testAccIAMBetaWorkloadIdentityPoolProvider_aws_basic(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_iam_workload_identity_pool" "my_pool" {
-  workload_identity_pool_id = "my-pool-%{random_suffix}"
+  workload_identity_pool_id = "tf-test-my-pool-%{random_suffix}"
 }
 
 resource "google_iam_workload_identity_pool_provider" "my_provider" {
   workload_identity_pool_id          = google_iam_workload_identity_pool.my_pool.workload_identity_pool_id
-  workload_identity_pool_provider_id = "my-provider-%{random_suffix}"
+  workload_identity_pool_provider_id = "tf-test-my-provider-%{random_suffix}"
   aws {
     account_id = "999999999999"
   }
@@ -221,12 +222,12 @@ resource "google_iam_workload_identity_pool_provider" "my_provider" {
 func testAccIAMBetaWorkloadIdentityPoolProvider_oidc_basic(context map[string]interface{}) string {
 	return acctest.Nprintf(`
 resource "google_iam_workload_identity_pool" "my_pool" {
-  workload_identity_pool_id = "my-pool-%{random_suffix}"
+  workload_identity_pool_id = "tf-test-my-pool-%{random_suffix}"
 }
 
 resource "google_iam_workload_identity_pool_provider" "my_provider" {
   workload_identity_pool_id          = google_iam_workload_identity_pool.my_pool.workload_identity_pool_id
-  workload_identity_pool_provider_id = "my-provider-%{random_suffix}"
+  workload_identity_pool_provider_id = "tf-test-my-provider-%{random_suffix}"
   attribute_mapping                  = {
 	"google.subject"                  = "assertion.sub"
   }

diff --git a/mmv1/third_party/terraform/services/iambeta/resource_iam_workload_identity_pool_test.go.tmpl b/mmv1/third_party/terraform/services/iambeta/resource_iam_workload_identity_pool_test.go.tmpl
@@ -103,6 +103,19 @@ func TestAccIAMBetaWorkloadIdentityPool_beta_update(t *testing.T) {
 				ImportState:             true,
 				ImportStateVerify:       true,
 			},
+			{
+				Config: testAccIAMBetaWorkloadIdentityPool_beta_update_use_default_ca(randomSuffix),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction("google_iam_workload_identity_pool.my_pool", plancheck.ResourceActionUpdate),
+					},
+				},
+			},
+			{
+				ResourceName:            "google_iam_workload_identity_pool.my_pool",
+				ImportState:             true,
+				ImportStateVerify:       true,
+			},
 			{
 				Config: testAccIAMBetaWorkloadIdentityPool_beta_minimum(randomSuffix),
 				ConfigPlanChecks: resource.ConfigPlanChecks{
@@ -124,7 +137,7 @@ func TestAccIAMBetaWorkloadIdentityPool_beta_update(t *testing.T) {
 func testAccIAMBetaWorkloadIdentityPool_full(suffix string) string {
 	return fmt.Sprintf(`
 resource "google_iam_workload_identity_pool" "my_pool" {
-  workload_identity_pool_id = "my-pool-%s"
+  workload_identity_pool_id = "tf-test-my-pool-%s"
   display_name              = "Name of pool"
   description               = "Identity pool for automated test"
   disabled                  = true
@@ -135,15 +148,15 @@ resource "google_iam_workload_identity_pool" "my_pool" {
 func testAccIAMBetaWorkloadIdentityPool_minimal(suffix string) string {
 	return fmt.Sprintf(`
 resource "google_iam_workload_identity_pool" "my_pool" {
-  workload_identity_pool_id = "my-pool-%s"
+  workload_identity_pool_id = "tf-test-my-pool-%s"
 }
 `, suffix)
 }
 
 func testAccIAMBetaWorkloadIdentityPool_update(suffix string) string {
 	return fmt.Sprintf(`
 resource "google_iam_workload_identity_pool" "my_pool" {
-  workload_identity_pool_id = "my-pool-%s"
+  workload_identity_pool_id = "tf-test-my-pool-%s"
   display_name              = "Updated name of pool"
   description               = "Updated description"
   disabled                  = false
@@ -157,7 +170,7 @@ func testAccIAMBetaWorkloadIdentityPool_beta_full(suffix string) string {
 resource "google_iam_workload_identity_pool" "my_pool" {
   provider = google-beta
 
-  workload_identity_pool_id = "my-pool-%s"
+  workload_identity_pool_id = "tf-test-my-pool-%s"
   display_name              = "Name of the pool"
   description               = "Identity pool operates in TRUST_DOMAIN mode"
   disabled                  = true
@@ -200,7 +213,7 @@ func testAccIAMBetaWorkloadIdentityPool_beta_update(suffix string) string {
 resource "google_iam_workload_identity_pool" "my_pool" {
   provider = google-beta
 
-  workload_identity_pool_id = "my-pool-%s"
+  workload_identity_pool_id = "tf-test-my-pool-%s"
   display_name              = "Updated name of the pool"
   description               = "Updated identity pool operates in TRUST_DOMAIN mode"
   disabled                  = false
@@ -226,12 +239,41 @@ resource "google_iam_workload_identity_pool" "my_pool" {
 `, suffix)
 }
 
+func testAccIAMBetaWorkloadIdentityPool_beta_update_use_default_ca(suffix string) string {
+	return fmt.Sprintf(`
+resource "google_iam_workload_identity_pool" "my_pool" {
+  provider = google-beta
+
+  workload_identity_pool_id = "tf-test-my-pool-%s"
+  display_name              = "Updated name of the pool"
+  description               = "Updated identity pool operates in TRUST_DOMAIN mode"
+  disabled                  = false
+  mode                      = "TRUST_DOMAIN"
+  inline_certificate_issuance_config {
+    use_default_shared_ca      = true
+    lifetime                   = "172800s"
+    rotation_window_percentage = 75
+    key_algorithm              = "RSA_4096"
+  }
+  inline_trust_config {
+    additional_trust_bundles {
+      trust_domain = "ca-pool-baz.global.project-baz.workload.id.goog"
+      trust_anchors {
+        pem_certificate = file("test-fixtures/trust_anchor_updated.pem")
+      }
+    }
+  }
+}
+`, suffix)
+}
+
+
 func testAccIAMBetaWorkloadIdentityPool_beta_minimum(suffix string) string {
 	return fmt.Sprintf(`
 resource "google_iam_workload_identity_pool" "my_pool" {
   provider = google-beta
 
-  workload_identity_pool_id = "my-pool-%s"
+  workload_identity_pool_id = "tf-test-my-pool-%s"
   mode                      = "TRUST_DOMAIN"
 }
 `, suffix)