fix idp_access_token_allowed_audiences type #41

Merged
merged 1 commit into from
Feb 24, 2025
2 changes: 2 additions & 0 deletions docs/data-sources/route.md
@@ -28,6 +28,7 @@ Route data source

- `allow_spdy` (Boolean) Allow SPDY.
- `allow_websockets` (Boolean) Allow websockets.
- `bearer_token_format` (String) Bearer token format.
- `description` (String) Description of the route.
- `enable_google_cloud_serverless_authentication` (Boolean) Enable Google Cloud serverless authentication.
- `from` (String) From URL.
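Review bot: the added `bearer_token_format` line says only "Bearer token format." and does not tell the reader which values are accepted, even though the schema validator in internal/provider/route.go restricts it to `default`, `idp_access_token` and `idp_identity_token`. Since these docs are generated from the schema, extend the Description string in the Go schema (for example "Bearer token format: one of default, idp_access_token or idp_identity_token.") so all four generated pages pick the values up.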
@@ -36,6 +37,7 @@ Route data source
- `host_rewrite` (String) Host rewrite.
- `host_rewrite_header` (String) Host rewrite header.
- `idle_timeout` (String) Idle timeout.
- `idp_access_token_allowed_audiences` (Set of String) IDP access token allowed audiences.
- `idp_client_id` (String) IDP client ID.
- `idp_client_secret` (String) IDP client secret.
- `kubernetes_service_account_token` (String) Kubernetes service account token.
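Review bot: the added `idp_access_token_allowed_audiences` description just restates the attribute name and does not say what the set is compared against or how it relates to `bearer_token_format` a few lines above; a reader cannot tell whether the check only applies when the format is `idp_access_token`, or what an empty set means (no audience check, or reject every token). For an allow-list that gates which tokens a route accepts, the Description should state both so the generated docs explain the control rather than name it.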
2 changes: 2 additions & 0 deletions docs/data-sources/routes.md
@@ -40,6 +40,7 @@ Read-Only:

- `allow_spdy` (Boolean) Allow SPDY.
- `allow_websockets` (Boolean) Allow websockets.
- `bearer_token_format` (String) Bearer token format.
- `description` (String) Description of the route.
- `enable_google_cloud_serverless_authentication` (Boolean) Enable Google Cloud serverless authentication.
- `from` (String) From URL.
@@ -49,6 +50,7 @@ Read-Only:
- `host_rewrite_header` (String) Host rewrite header.
- `id` (String) Unique identifier for the route.
- `idle_timeout` (String) Idle timeout.
- `idp_access_token_allowed_audiences` (Set of String) IDP access token allowed audiences.
- `idp_client_id` (String) IDP client ID.
- `idp_client_secret` (String) IDP client secret.
- `kubernetes_service_account_token` (String) Kubernetes service account token.
2 changes: 2 additions & 0 deletions docs/resources/route.md
@@ -26,13 +26,15 @@ Route for Pomerium.

- `allow_spdy` (Boolean) If applied, this setting enables Pomerium to proxy SPDY protocol upgrades.
- `allow_websockets` (Boolean) If applied, this setting enables Pomerium to proxy websocket connections.
- `bearer_token_format` (String) Bearer token format.
- `description` (String) Description of the route.
- `enable_google_cloud_serverless_authentication` (Boolean) Enable Google Cloud serverless authentication.
- `host_path_regex_rewrite_pattern` (String) Rewrites the Host header according to a regular expression matching the path.
- `host_path_regex_rewrite_substitution` (String) Rewrites the Host header according to a regular expression matching the substitution.
- `host_rewrite` (String) Rewrites the Host header to a new literal value.
- `host_rewrite_header` (String) Rewrites the Host header to match an incoming header value.
- `idle_timeout` (String) Sets the time to terminate the upstream connection if there are no active streams. Defaults to 5 minutes.
- `idp_access_token_allowed_audiences` (Set of String) IDP access token allowed audiences.
- `idp_client_id` (String) IDP client ID.
- `idp_client_secret` (String) IDP client secret.
- `jwt_groups_filter` (Attributes) JWT Groups Filter (see [below for nested schema](#nestedatt--jwt_groups_filter))
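Review bot: in the context around the two added lines, `idp_client_secret` is rendered as a plain `(String)` here while the same attribute in docs/resources/settings.md is `(String, Sensitive)`. If the route schema does not set `Sensitive: true`, the secret is printed in clear in `terraform plan` and `apply` output; making the route schema match the settings schema fixes both the output and this generated page. Separately, the two added descriptions ("Bearer token format.", "IDP access token allowed audiences.") are terse next to the full-sentence descriptions of the neighbouring `host_rewrite*` and `idle_timeout` attributes and should be brought up to the same standard.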
2 changes: 2 additions & 0 deletions docs/resources/settings.md
@@ -30,6 +30,7 @@ The settings are global object.
- `autocert_dir` (String) Autocert directory is the path which Autocert will store x509 certificate data.
- `autocert_must_staple` (Boolean) Controls whether the must-staple flag is enabled when requesting certificates.
- `autocert_use_staging` (Boolean) Autocert Use Staging setting allows you to use Let's Encrypt's staging environment, which has more lenient usage limits than the production environment.
- `bearer_token_format` (String) Bearer token format.
- `cache_service_url` (String) Cache service URL
- `certificate_authority` (String) Certificate authority
- `certificate_authority_file` (String) Certificate authority file
@@ -66,6 +67,7 @@ The settings are global object.
- `identity_provider_ping` (Attributes) Ping directory sync options (see [below for nested schema](#nestedatt--identity_provider_ping))
- `identity_provider_refresh_interval` (String) Identity provider refresh interval
- `identity_provider_refresh_timeout` (String) Identity provider refresh timeout
- `idp_access_token_allowed_audiences` (Set of String) IDP access token allowed audiences.
- `idp_client_id` (String) IDP client ID
- `idp_client_secret` (String, Sensitive) IDP client secret
- `idp_provider` (String) IDP provider
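Review bot: neither this global `idp_access_token_allowed_audiences` description nor the per-route one in docs/resources/route.md says how the two combine when both are set (whether a route-level set replaces the global set or the union is accepted). For an audience allow-list that precedence decides which tokens are let through, so state it explicitly in the Description that these pages are generated from.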
4 changes: 4 additions & 0 deletions example/main.tf
@@ -56,6 +56,8 @@ resource "pomerium_settings" "settings" {
jwt_groups_filter = {
groups = ["id1", "id2"]
}

idp_access_token_allowed_audiences = ["aud1", "aud2"]
}

resource "pomerium_service_account" "test_sa" {
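Review bot: the added `idp_access_token_allowed_audiences = ["aud1", "aud2"]` in the settings example is not paired with a `bearer_token_format` value, so the example never shows the mode in which the audience list is consulted; add `bearer_token_format = "idp_access_token"` next to it (one of the values the validator in internal/provider/settings_schema.go accepts). Also use a realistic audience, i.e. the value the identity provider actually issues, rather than `aud1`/`aud2`, so readers do not copy placeholder audiences into a real config.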
@@ -141,6 +143,8 @@ resource "pomerium_route" "prefix_route" {
allow_websockets = true
preserve_host_header = true
pass_identity_headers = true

idp_access_token_allowed_audiences = ["aud3", "aud4"]
}

# Example route with path matching
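Review bot: the route-level `["aud3", "aud4"]` deliberately differs from the global `["aud1", "aud2"]` set earlier in this file, but there is no comment saying whether the route set replaces or extends the global one, which is the one thing an example with two distinct sets should demonstrate; add a one-line comment above the added line stating the behaviour so the differing values read as intentional rather than arbitrary.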
2 changes: 1 addition & 1 deletion internal/provider/route.go
@@ -261,7 +261,7 @@ func (r *RouteResource) Schema(_ context.Context, _ resource.SchemaRequest, resp
stringvalidator.OneOf("default", "idp_access_token", "idp_identity_token"),
},
},
"idp_access_token_allowed_audiences": schema.ListAttribute{
"idp_access_token_allowed_audiences": schema.SetAttribute{
Description: "IDP access token allowed audiences.",
Optional: true,
ElementType: types.StringType,
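Review bot: changing this attribute from `schema.ListAttribute` to `schema.SetAttribute` changes its Terraform type, but the diff does not show the resource model field or the conversion to and from the Pomerium API changing; if the model field is still `types.List`, `Plan.Get`/`State.Get` will fail with a value conversion error, so confirm the model already uses `types.Set` (in which case this PR is the fix for that mismatch and the description should say so) or update it in the same change. Also consider a value validator on the set, e.g. `setvalidator.ValueStringsAre(stringvalidator.LengthAtLeast(1))`, so an empty-string audience cannot be configured; `stringvalidator` is already imported for the `bearer_token_format` validator three lines up.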
2 changes: 1 addition & 1 deletion internal/provider/route_data_source.go
@@ -224,7 +224,7 @@ func getRouteDataSourceAttributes(idRequired bool) map[string]schema.Attribute {
Description: "Bearer token format.",
Computed: true,
},
"idp_access_token_allowed_audiences": schema.ListAttribute{
"idp_access_token_allowed_audiences": schema.SetAttribute{
Description: "IDP access token allowed audiences.",
Computed: true,
ElementType: types.StringType,
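Review bot: no test in the diff exercises the changed type; since this attribute is `Computed`, a unit or acceptance test that reads a route configured with two audiences and asserts the set contents independent of order would catch a regression to List or a schema/model mismatch. The description string is also duplicated verbatim across the resource, data source and settings schemas; hoisting it into a single constant keeps the generated docs consistent when the wording is improved.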
2 changes: 1 addition & 1 deletion internal/provider/settings_schema.go
@@ -457,7 +457,7 @@ var SettingsResourceSchema = schema.Schema{
stringvalidator.OneOf("default", "idp_access_token", "idp_identity_token"),
},
},
"idp_access_token_allowed_audiences": schema.ListAttribute{
"idp_access_token_allowed_audiences": schema.SetAttribute{
Description: "IDP access token allowed audiences.",
Optional: true,
ElementType: types.StringType,
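Review bot: this is a type change on an attribute that may already be in users' state. A list and a set both serialise as a JSON array, so a plain decode should succeed, but please confirm that `terraform plan` against state written by the previous provider version comes back clean (no decode error and no spurious diff that forces an update of the global settings), and record the List to Set change in the changelog since it is visible to anyone reading the attribute in expressions.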