Add warning notes for field loginHint and gcipSettings in IAP Settings. (#12678) (#20829)

modular-magician · web-flow · commit 559830c65a0f · 2025-01-06T14:23:08.000-08:00
[upstream:c6cb3e68e135752461033f1f85849095b445b5e3]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/12678.txt b/.changelog/12678.txt
@@ -0,0 +1,3 @@
+```release-note:none
+Add warning notes for field loginHint and gcipSettings in IAP Settings.
+```
diff --git a/google/services/iap/resource_iap_settings.go b/google/services/iap/resource_iap_settings.go
@@ -113,10 +113,11 @@ If undefined, IAP will not apply any special logic to OPTIONS requests.`,
 							},
 						},
 						"gcip_settings": {
-							Type:        schema.TypeList,
-							Optional:    true,
-							Description: `GCIP claims and endpoint configurations for 3p identity providers.`,
-							MaxItems:    1,
+							Type:     schema.TypeList,
+							Optional: true,
+							Description: `GCIP claims and endpoint configurations for 3p identity providers.
+* Enabling gcipSetting significantly changes the way IAP authenticates users. Identity Platform does not support IAM, so IAP will not enforce any IAM policies for requests to your application.`,
+							MaxItems: 1,
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
 									"login_page_uri": {
@@ -168,7 +169,8 @@ can be configured. The possible values are:
 Enables redirect to primary IDP by skipping Google's login screen.
 (https://developers.google.com/identity/protocols/OpenIDConnect#hd-param)
 Note: IAP does not verify that the id token's hd claim matches this value
-since access behavior is managed by IAM policies.`,
+since access behavior is managed by IAM policies.
+* loginHint setting is not a replacement for access control. Always enforce an appropriate access policy if you want to restrict access to users outside your domain.`,
 									},
 									"programmatic_clients": {
 										Type:        schema.TypeList,
diff --git a/website/docs/r/iap_settings.html.markdown b/website/docs/r/iap_settings.html.markdown
@@ -151,6 +151,7 @@ The following arguments are supported:
 * `gcip_settings` -
   (Optional)
   GCIP claims and endpoint configurations for 3p identity providers.
+  * Enabling gcipSetting significantly changes the way IAP authenticates users. Identity Platform does not support IAM, so IAP will not enforce any IAM policies for requests to your application.
   Structure is [documented below](#nested_access_settings_gcip_settings).
 
 * `cors_settings` -
@@ -220,6 +221,7 @@ The following arguments are supported:
   (https://developers.google.com/identity/protocols/OpenIDConnect#hd-param)
   Note: IAP does not verify that the id token's hd claim matches this value
   since access behavior is managed by IAM policies.
+  * loginHint setting is not a replacement for access control. Always enforce an appropriate access policy if you want to restrict access to users outside your domain.
 
 * `programmatic_clients` -
   (Optional)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:none
	`2`	`+Add warning notes for field loginHint and gcipSettings in IAP Settings.`
	`3`	+```