add global jwt_issuer_format option

go.mod

@@ -1,26 +1,26 @@
 module github.com/pomerium/enterprise-terraform-provider
 
-go 1.23.0
+go 1.23.7
 
 require (
 	github.com/go-jose/go-jose/v3 v3.0.4
-	github.com/google/go-cmp v0.6.0
+	github.com/google/go-cmp v0.7.0
 	github.com/hashicorp/terraform-plugin-framework v1.13.0
 	github.com/hashicorp/terraform-plugin-framework-timetypes v0.5.0
 	github.com/hashicorp/terraform-plugin-framework-validators v0.16.0
 	github.com/hashicorp/terraform-plugin-go v0.25.0
 	github.com/hashicorp/terraform-plugin-log v0.9.0
 	github.com/iancoleman/strcase v0.3.0
-	github.com/pomerium/enterprise-client-go v0.28.1-0.20250310151140-91b9684b1537
-	github.com/pomerium/pomerium v0.28.1-0.20250218200206-b9fd926618e2
+	github.com/pomerium/enterprise-client-go v0.28.1-0.20250313205349-eaa1c8257711
+	github.com/pomerium/pomerium v0.28.1-0.20250313134608-c4a5502f49f5
 	github.com/rs/zerolog v1.33.0
 	github.com/stretchr/testify v1.10.0
-	google.golang.org/grpc v1.70.0
-	google.golang.org/protobuf v1.36.4
+	google.golang.org/grpc v1.71.0
+	google.golang.org/protobuf v1.36.5
 )
 
 require (
-	github.com/OneOfOne/xxhash v1.2.8 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 	github.com/fatih/color v1.14.1 // indirect
@@ -35,7 +35,7 @@ require (
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/oklog/run v1.0.0 // indirect
-	github.com/open-policy-agent/opa v1.0.0 // indirect
+	github.com/open-policy-agent/opa v1.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
@@ -46,7 +46,7 @@ require (
 	golang.org/x/net v0.36.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/text v0.22.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250219182151-9fdb1cabc7b2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )

go.sum

@@ -1,7 +1,7 @@
-github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8=
-github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
 github.com/bufbuild/protocompile v0.4.0 h1:LbFKd2XowZvQ/kajzguUp2DC9UEIQhIq77fZZlaQsNA=
 github.com/bufbuild/protocompile v0.4.0/go.mod h1:3v93+mbWn/v3xzN+31nwkJfrEpAUwp+BagBSZWx+TP8=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -24,8 +24,8 @@ github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c=
@@ -72,16 +72,16 @@ github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJ
 github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8=
 github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw=
 github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
-github.com/open-policy-agent/opa v1.0.0 h1:fZsEwxg1knpPvUn0YDJuJZBcbVg4G3zKpWa3+CnYK+I=
-github.com/open-policy-agent/opa v1.0.0/go.mod h1:+JyoH12I0+zqyC1iX7a2tmoQlipwAEGvOhVJMhmy+rM=
+github.com/open-policy-agent/opa v1.2.0 h1:88NDVCM0of1eO6Z4AFeL3utTEtMuwloFmWWU7dRV1z0=
+github.com/open-policy-agent/opa v1.2.0/go.mod h1:30euUmOvuBoebRCcJ7DMF42bRBOPznvt0ACUMYDUGVY=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pomerium/enterprise-client-go v0.28.1-0.20250310151140-91b9684b1537 h1:5zM4pm7dPXWMx2Eq0G7XuoQJV5gZqMbjiWjRq6YH5Ws=
-github.com/pomerium/enterprise-client-go v0.28.1-0.20250310151140-91b9684b1537/go.mod h1:36+cCZpNgJQb5B1+y4rCcyQ8CM865NBNmEAQFS+73DQ=
-github.com/pomerium/pomerium v0.28.1-0.20250218200206-b9fd926618e2 h1:UtyGKmmFs/DVuvhOUeFowruCv+xObqAbqNmPqhMZ88o=
-github.com/pomerium/pomerium v0.28.1-0.20250218200206-b9fd926618e2/go.mod h1:8Uf1ya/wSjJyeUo5X4TqctlrYxbc5iPfFG18x1t0Deo=
+github.com/pomerium/enterprise-client-go v0.28.1-0.20250313205349-eaa1c8257711 h1:T6hLEgz5RAqKVJ2+gaRx9U1Rqlrbiii+jwBDqVh7QxM=
+github.com/pomerium/enterprise-client-go v0.28.1-0.20250313205349-eaa1c8257711/go.mod h1:36+cCZpNgJQb5B1+y4rCcyQ8CM865NBNmEAQFS+73DQ=
+github.com/pomerium/pomerium v0.28.1-0.20250313134608-c4a5502f49f5 h1:J7uXUwA8vk1O0sD9lkgi6H9v8lxXVaoH3rIJZ8+Arpw=
+github.com/pomerium/pomerium v0.28.1-0.20250313134608-c4a5502f49f5/go.mod h1:AR7TsCCxEbz1ZLKRPJSrmBHRqPewjPEac2LXsFTc/08=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
@@ -109,10 +109,10 @@ go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
 go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
 go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
 go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
-go.opentelemetry.io/otel/sdk v1.33.0 h1:iax7M131HuAm9QkZotNHEfstof92xM+N8sr3uHXc2IM=
-go.opentelemetry.io/otel/sdk v1.33.0/go.mod h1:A1Q5oi7/9XaMlIWzPSxLRWOI8nG3FnzHJNbiENQuihM=
-go.opentelemetry.io/otel/sdk/metric v1.32.0 h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiyYCU9snn1CU=
-go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ=
+go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
+go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
+go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
+go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
 go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
 go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -168,12 +168,12 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU=
-google.golang.org/grpc v1.70.0 h1:pWFv03aZoHzlRKHWicjsZytKAiYCtNS0dHbXnIdq7jQ=
-google.golang.org/grpc v1.70.0/go.mod h1:ofIJqVKDXx/JiXrwr2IG4/zwdH9txy3IlF40RmcJSQw=
-google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
-google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250219182151-9fdb1cabc7b2 h1:DMTIbak9GhdaSxEjvVzAeNZvyc03I61duqNbnm3SU0M=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250219182151-9fdb1cabc7b2/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
+google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
+google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

internal/provider/convert.go

@@ -332,6 +332,39 @@ func ToBearerTokenFormat(src types.String) *pb.BearerTokenFormat {
 	}
 }
 
+// FromIssuerFormat converts a protobuf JWT issuer format into a string.
+func FromIssuerFormat(src *pb.IssuerFormat) types.String {
+	if src == nil {
+		return types.StringNull()
+	}
+
+	switch *src {
+	case pb.IssuerFormat_IssuerHostOnly:
+		return types.StringValue("host_only")
+	case pb.IssuerFormat_IssuerURI:
+		return types.StringValue("uri")
+	default:
+		return types.StringNull()
+	}
+}
+
+// ToIssuerFormat converts a JWT issuer format string into a protobuf enum.
+func ToIssuerFormat(src types.String, diags *diag.Diagnostics) *pb.IssuerFormat {
+	if src.IsNull() || src.IsUnknown() {
+		return nil
+	}
+
+	switch src.ValueString() {
+	case "host_only":
+		return pb.IssuerFormat_IssuerHostOnly.Enum()
+	case "uri":
+		return pb.IssuerFormat_IssuerURI.Enum()
+	default:
+		diags.AddError("unknown issuer format", fmt.Sprintf("unknown issuer format %q", src.ValueString()))
+		return nil
+	}
+}
+
 // UInt32ToInt64OrNull converts a uint32 to types.Int64, returning null if the value is 0
 func UInt32ToInt64OrNull(value uint32) types.Int64 {
 	if value > 0 {

internal/provider/convert_test.go

@@ -13,6 +13,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/testing/protocmp"
 	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/structpb"
@@ -786,6 +787,50 @@ func TestToBearerTokenFormat(t *testing.T) {
 	}
 }
 
+func TestFromIssuerFormat(t *testing.T) {
+	t.Parallel()
+
+	for _, tc := range []struct {
+		name   string
+		in     *pb.IssuerFormat
+		expect types.String
+	}{
+		{"null", nil, types.StringNull()},
+		{"host_only", pb.IssuerFormat_IssuerHostOnly.Enum(), types.StringValue("host_only")},
+		{"uri", pb.IssuerFormat_IssuerURI.Enum(), types.StringValue("uri")},
+		{"unknown", (*pb.IssuerFormat)(proto.Int32(123)), types.StringNull()},
+	} {
+		assert.Equal(t, tc.expect, provider.FromIssuerFormat(tc.in),
+			"%s: should convert %v to %v", tc.name, tc.in, tc.expect)
+	}
+}
+
+func TestToIssuerFormat(t *testing.T) {
+	t.Parallel()
+
+	for _, tc := range []struct {
+		name                 string
+		in                   types.String
+		expect               *pb.IssuerFormat
+		expectedErrorDetails string
+	}{
+		{"null", types.StringNull(), nil, ""},
+		{"host_only", types.StringValue("host_only"), pb.IssuerFormat_IssuerHostOnly.Enum(), ""},
+		{"uri", types.StringValue("uri"), pb.IssuerFormat_IssuerURI.Enum(), ""},
+		{"unknown", types.StringValue("foobar"), nil, `unknown issuer format "foobar"`},
+	} {
+		diagnostics := diag.Diagnostics{}
+		assert.Equal(t, tc.expect, provider.ToIssuerFormat(tc.in, &diagnostics),
+			"%s: should convert %v to %v", tc.name, tc.in, tc.expect)
+		if tc.expectedErrorDetails == "" {
+			assert.False(t, diagnostics.HasError())
+		} else {
+			assert.Len(t, diagnostics, 1)
+			assert.Equal(t, tc.expectedErrorDetails, diagnostics[0].Detail())
+		}
+	}
+}
+
 func TestToRouteStringList(t *testing.T) {
 	t.Parallel()
 

internal/provider/route_model.go

@@ -590,7 +590,7 @@ func ConvertRouteToPB(
 		pbRoute.EnableGoogleCloudServerlessAuthentication = src.EnableGoogleCloudServerlessAuthentication.ValueBool()
 	}
 	pbRoute.KubernetesServiceAccountTokenFile = src.KubernetesServiceAccountTokenFile.ValueStringPointer()
-	EnumValueToPBWithDefault(&pbRoute.JwtIssuerFormat, src.JWTIssuerFormat, pb.IssuerFormat_IssuerHostOnly, &diagnostics)
+	pbRoute.JwtIssuerFormat = ToIssuerFormat(src.JWTIssuerFormat, &diagnostics)
 	pbRoute.RewriteResponseHeaders = rewriteHeadersToPB(src.RewriteResponseHeaders)
 	pbRoute.BearerTokenFormat = ToBearerTokenFormat(src.BearerTokenFormat)
 	ToRouteStringList(ctx, &pbRoute.IdpAccessTokenAllowedAudiences, src.IDPAccessTokenAllowedAudiences, &diagnostics)
@@ -652,7 +652,7 @@ func ConvertRouteFromPB(
 		dst.EnableGoogleCloudServerlessAuthentication = types.BoolValue(true)
 	}
 	dst.KubernetesServiceAccountTokenFile = types.StringPointerValue(src.KubernetesServiceAccountTokenFile)
-	dst.JWTIssuerFormat = EnumValueFromPB(src.JwtIssuerFormat)
+	dst.JWTIssuerFormat = FromIssuerFormat(src.JwtIssuerFormat)
 	dst.RewriteResponseHeaders = rewriteHeadersFromPB(src.RewriteResponseHeaders)
 	dst.BearerTokenFormat = FromBearerTokenFormat(src.BearerTokenFormat)
 	dst.IDPAccessTokenAllowedAudiences = FromStringList(src.IdpAccessTokenAllowedAudiences)

internal/provider/route_model_test.go

@@ -62,7 +62,7 @@ func TestConvertRoute(t *testing.T) {
 		LogoUrl:                          ptr("https://logo.example.com/logo.png"),
 		EnableGoogleCloudServerlessAuthentication: true,
 		KubernetesServiceAccountTokenFile:         ptr("/path/to/token"),
-		JwtIssuerFormat:                           pb.IssuerFormat_IssuerURI,
+		JwtIssuerFormat:                           pb.IssuerFormat_IssuerURI.Enum(),
 		BearerTokenFormat:                         pb.BearerTokenFormat_BEARER_TOKEN_FORMAT_IDP_ACCESS_TOKEN.Enum(),
 		IdpAccessTokenAllowedAudiences:            &pb.Route_StringList{Values: []string{"aud1", "aud2"}},
 		LoadBalancingPolicy:                       pb.LoadBalancingPolicy_LOAD_BALANCING_POLICY_ROUND_ROBIN.Enum(),
@@ -186,7 +186,7 @@ func TestConvertRoute(t *testing.T) {
 		LogoURL:                       types.StringValue("https://logo.example.com/logo.png"),
 		EnableGoogleCloudServerlessAuthentication: types.BoolValue(true),
 		KubernetesServiceAccountTokenFile:         types.StringValue("/path/to/token"),
-		JWTIssuerFormat:                           types.StringValue("IssuerURI"),
+		JWTIssuerFormat:                           types.StringValue("uri"),
 		BearerTokenFormat:                         types.StringValue("idp_access_token"),
 		IDPAccessTokenAllowedAudiences:            types.SetValueMust(types.StringType, []attr.Value{types.StringValue("aud1"), types.StringValue("aud2")}),
 		LoadBalancingPolicy:                       types.StringValue("round_robin"),

internal/provider/settings_model.go

@@ -70,6 +70,7 @@ type SettingsModel struct {
 	InstallationID                                    types.String         `tfsdk:"installation_id"`
 	JWTClaimsHeaders                                  types.Map            `tfsdk:"jwt_claims_headers"`
 	JWTGroupsFilter                                   types.Object         `tfsdk:"jwt_groups_filter"`
+	JWTIssuerFormat                                   types.String         `tfsdk:"jwt_issuer_format"`
 	LogLevel                                          types.String         `tfsdk:"log_level"`
 	LogoURL                                           types.String         `tfsdk:"logo_url"`
 	MetricsAddress                                    types.String         `tfsdk:"metrics_address"`
@@ -158,6 +159,7 @@ func ConvertSettingsToPB(
 	pbSettings.InsecureServer = src.InsecureServer.ValueBoolPointer()
 	pbSettings.InstallationId = src.InstallationID.ValueStringPointer()
 	ToStringMap(ctx, &pbSettings.JwtClaimsHeaders, src.JWTClaimsHeaders, &diagnostics)
+	pbSettings.JwtIssuerFormat = ToIssuerFormat(src.JWTIssuerFormat, &diagnostics)
 	pbSettings.LogLevel = src.LogLevel.ValueStringPointer()
 	pbSettings.LogoUrl = src.LogoURL.ValueStringPointer()
 	pbSettings.MetricsAddress = src.MetricsAddress.ValueStringPointer()

internal/provider/settings_model_test.go

@@ -72,6 +72,7 @@ func TestConvertSettingsToPB(t *testing.T) {
 		InstallationId:                  proto.String("INSTALLATION_ID"),
 		JwtClaimsHeaders:                map[string]string{"X": "Y"},
 		JwtGroupsFilter:                 &pb.JwtGroupsFilter{InferFromPpl: proto.Bool(true), Groups: []string{"z"}},
+		JwtIssuerFormat:                 pb.IssuerFormat_IssuerURI.Enum(),
 		LogLevel:                        proto.String("debug"),
 		LogoUrl:                         proto.String("https://logo.example.com"),
 		MetricsAddress:                  proto.String("127.0.0.1:9999"),
@@ -139,6 +140,7 @@ func TestConvertSettingsToPB(t *testing.T) {
 		InstallationID:                  types.StringValue("INSTALLATION_ID"),
 		JWTClaimsHeaders:                types.MapValueMust(types.StringType, map[string]attr.Value{"X": types.StringValue("Y")}),
 		JWTGroupsFilter:                 types.ObjectValueMust(map[string]attr.Type{"infer_from_ppl": types.BoolType, "groups": types.ListType{ElemType: types.StringType}}, map[string]attr.Value{"infer_from_ppl": types.BoolValue(true), "groups": types.ListValueMust(types.StringType, []attr.Value{types.StringValue("z")})}),
+		JWTIssuerFormat:                 types.StringValue("uri"),
 		LogLevel:                        types.StringValue("debug"),
 		LogoURL:                         types.StringValue("https://logo.example.com"),
 		MetricsAddress:                  types.StringValue("127.0.0.1:9999"),