hashicorp · modular-magician · Jul 22, 2025 · Jul 22, 2025
@@ -0,0 +1,3 @@
+```release-note:enhancement
+workbench: added `enable_managed_euc` field to `google_workbench_instance` resource.
+```
@@ -66,6 +66,21 @@ var WorkbenchInstanceSettableUnmodifiableDefaultMetadata = []string{
 	"serial-port-logging-enable",
 }
 
+var WorkbenchInstanceEUCProvidedAdditionalMetadata = []string{
+	"enable-oslogin",
+	"disable-ssh",
+	"ssh-keys",
+	"block-project-ssh-keys",
+	"post-startup-script",
+	"post-startup-script-behavior",
+	"startup-script",
+	"startup-script-url",
+	"gce-container-declaration",
+	"gce-software-declaration",
+	"serial-port-enable",
+	"euc-enabled",
+}
+
 var WorkbenchInstanceProvidedMetadata = []string{
 	"agent-health-check-interval-seconds",
 	"agent-health-check-path",
@@ -84,6 +99,7 @@ var WorkbenchInstanceProvidedMetadata = []string{
 	"dataproc-region",
 	"dataproc-service-account",
 	"disable-check-xsrf",
+	"enable-euc",
 	"framework",
 	"generate-diagnostics-bucket",
 	"generate-diagnostics-file",
@@ -136,6 +152,14 @@ func WorkbenchInstanceMetadataDiffSuppress(k, old, new string, d *schema.Resourc
 		}
 	}
 
+	if d.Get("enable_managed_euc").(bool) {
+		for _, metadata := range WorkbenchInstanceEUCProvidedAdditionalMetadata {
+			if key == metadata {
+				return true
+			}
+		}
+	}
+
 	for _, metadata := range WorkbenchInstanceSettableUnmodifiableDefaultMetadata {
 		if strings.Contains(k, metadata) && new == "" {
 			return true
@@ -379,6 +403,11 @@ func ResourceWorkbenchInstance() *schema.Resource {
 				ForceNew:    true,
 				Description: `Optional. If true, the workbench instance will not register with the proxy.`,
 			},
+			"enable_managed_euc": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Description: `Flag to enable managed end user credentials for the instance.`,
+			},
 			"enable_third_party_identity": {
 				Type:     schema.TypeBool,
 				Optional: true,
@@ -975,6 +1004,12 @@ func resourceWorkbenchInstanceCreate(d *schema.ResourceData, meta interface{}) e
 	} else if v, ok := d.GetOkExists("enable_third_party_identity"); !tpgresource.IsEmptyValue(reflect.ValueOf(enableThirdPartyIdentityProp)) && (ok || !reflect.DeepEqual(v, enableThirdPartyIdentityProp)) {
 		obj["enableThirdPartyIdentity"] = enableThirdPartyIdentityProp
 	}
+	enableManagedEucProp, err := expandWorkbenchInstanceEnableManagedEuc(d.Get("enable_managed_euc"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("enable_managed_euc"); !tpgresource.IsEmptyValue(reflect.ValueOf(enableManagedEucProp)) && (ok || !reflect.DeepEqual(v, enableManagedEucProp)) {
+		obj["enableManagedEuc"] = enableManagedEucProp
+	}
 	labelsProp, err := expandWorkbenchInstanceEffectiveLabels(d.Get("effective_labels"), d, config)
 	if err != nil {
 		return err
@@ -1136,6 +1171,9 @@ func resourceWorkbenchInstanceRead(d *schema.ResourceData, meta interface{}) err
 	if err := d.Set("enable_third_party_identity", flattenWorkbenchInstanceEnableThirdPartyIdentity(res["enableThirdPartyIdentity"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Instance: %s", err)
 	}
+	if err := d.Set("enable_managed_euc", flattenWorkbenchInstanceEnableManagedEuc(res["enableManagedEuc"], d, config)); err != nil {
+		return fmt.Errorf("Error reading Instance: %s", err)
+	}
 	if err := d.Set("terraform_labels", flattenWorkbenchInstanceTerraformLabels(res["labels"], d, config)); err != nil {
 		return fmt.Errorf("Error reading Instance: %s", err)
 	}
@@ -1174,6 +1212,12 @@ func resourceWorkbenchInstanceUpdate(d *schema.ResourceData, meta interface{}) e
 	} else if v, ok := d.GetOkExists("enable_third_party_identity"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, enableThirdPartyIdentityProp)) {
 		obj["enableThirdPartyIdentity"] = enableThirdPartyIdentityProp
 	}
+	enableManagedEucProp, err := expandWorkbenchInstanceEnableManagedEuc(d.Get("enable_managed_euc"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("enable_managed_euc"); !tpgresource.IsEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, enableManagedEucProp)) {
+		obj["enableManagedEuc"] = enableManagedEucProp
+	}
 	labelsProp, err := expandWorkbenchInstanceEffectiveLabels(d.Get("effective_labels"), d, config)
 	if err != nil {
 		return err
@@ -1198,6 +1242,10 @@ func resourceWorkbenchInstanceUpdate(d *schema.ResourceData, meta interface{}) e
 		updateMask = append(updateMask, "enableThirdPartyIdentity")
 	}
 
+	if d.HasChange("enable_managed_euc") {
+		updateMask = append(updateMask, "enableManagedEuc")
+	}
+
 	if d.HasChange("effective_labels") {
 		updateMask = append(updateMask, "labels")
 	}
@@ -1904,6 +1952,10 @@ func flattenWorkbenchInstanceEnableThirdPartyIdentity(v interface{}, d *schema.R
 	return v
 }
 
+func flattenWorkbenchInstanceEnableManagedEuc(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenWorkbenchInstanceTerraformLabels(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	if v == nil {
 		return v
@@ -2546,6 +2598,10 @@ func expandWorkbenchInstanceEnableThirdPartyIdentity(v interface{}, d tpgresourc
 	return v, nil
 }
 
+func expandWorkbenchInstanceEnableManagedEuc(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandWorkbenchInstanceEffectiveLabels(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (map[string]string, error) {
 	if v == nil {
 		return map[string]string{}, nil

@@ -12,6 +12,7 @@ fields:
   - field: 'disable_proxy_access'
   - field: 'effective_labels'
     provider_only: true
+  - field: 'enable_managed_euc'
   - field: 'enable_third_party_identity'
   - field: 'gce_setup.accelerator_configs.core_count'
   - field: 'gce_setup.accelerator_configs.type'

@@ -453,6 +453,54 @@ resource "google_workbench_instance" "instance" {
 `, context)
 }
 
+func TestAccWorkbenchInstance_workbenchInstanceEucExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"project_id":     envvar.GetTestProjectFromEnv(),
+		"project_number": envvar.GetTestProjectNumberFromEnv(),
+		"random_suffix":  acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckWorkbenchInstanceDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccWorkbenchInstance_workbenchInstanceEucExample(context),
+			},
+			{
+				ResourceName:            "google_workbench_instance.instance",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"instance_id", "instance_owners", "labels", "location", "name", "terraform_labels"},
+			},
+		},
+	})
+}
+
+func testAccWorkbenchInstance_workbenchInstanceEucExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_workbench_instance" "instance" {
+  name = "tf-test-workbench-instance%{random_suffix}"
+  location = "us-central1-a"
+
+  gce_setup {
+    machine_type = "e2-standard-4"
+
+    metadata = {
+      terraform = "true"
+    }
+  }
+
+  instance_owners  = ["[email protected]"]
+
+  enable_managed_euc = "true"
+}
+`, context)
+}
+
 func testAccCheckWorkbenchInstanceDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		for name, rs := range s.RootModule().Resources {

@@ -318,6 +318,27 @@ resource "google_workbench_instance" "instance" {
   }
 }
 ```
+## Example Usage - Workbench Instance Euc
+
+
+```hcl
+resource "google_workbench_instance" "instance" {
+  name = "workbench-instance"
+  location = "us-central1-a"
+
+  gce_setup {
+    machine_type = "e2-standard-4"
+
+    metadata = {
+      terraform = "true"
+    }
+  }
+
+  instance_owners  = ["[email protected]"]
+
+  enable_managed_euc = "true"
+}
+```
 
 ## Argument Reference
 
@@ -363,6 +384,10 @@ The following arguments are supported:
   Flag that specifies that a notebook can be accessed with third party
   identity provider.
 
+* `enable_managed_euc` -
+  (Optional)
+  Flag to enable managed end user credentials for the instance.
+
 * `instance_id` -
   (Optional)
   Required. User-defined unique ID of this instance.