hashicorp · modular-magician · Jan 14, 2026 · Jan 14, 2026
@@ -0,0 +1,3 @@
+```release-note:enhancement
+dialogflowcx: added `serviceAccountAuthConfig ` field to `google_dialogflow_cx_webhook` resource
+```
@@ -257,6 +257,27 @@ Format: 'projects/{project}/secrets/{secret}/versions/{version}'`,
 								},
 							},
 						},
+						"service_account_auth_config": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							Description: `Configuration for authentication using a service account.`,
+							MaxItems:    1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"service_account": {
+										Type:     schema.TypeString,
+										Required: true,
+										Description: `The email address of the service account used to authenticate the webhook call.
+Dialogflow uses this service account to exchange an access token and the access
+token is then sent in the **Authorization** header of the webhook request.
+
+The service account must have the **roles/iam.serviceAccountTokenCreator** role
+granted to the
+[Dialogflow service agent](https://cloud.google.com/iam/docs/service-agents?_gl=1*1jsujvh*_ga*NjYxMzU3OTg2LjE3Njc3MzQ4NjM.*_ga_WH2QY8WWF5*czE3Njc3MzQ2MjgkbzIkZzEkdDE3Njc3MzQ3NzQkajYwJGwwJGgw#dialogflow-service-agent).`,
+									},
+								},
+							},
+						},
 						"service_agent_auth": {
 							Type:         schema.TypeString,
 							Optional:     true,
@@ -431,6 +452,27 @@ Format: 'projects/{project}/secrets/{secret}/versions/{version}'`,
 											},
 										},
 									},
+									"service_account_auth_config": {
+										Type:        schema.TypeList,
+										Optional:    true,
+										Description: `Configuration for authentication using a service account.`,
+										MaxItems:    1,
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"service_account": {
+													Type:     schema.TypeString,
+													Required: true,
+													Description: `The email address of the service account used to authenticate the webhook call.
+Dialogflow uses this service account to exchange an access token and the access
+token is then sent in the **Authorization** header of the webhook request.
+
+The service account must have the **roles/iam.serviceAccountTokenCreator** role
+granted to the
+[Dialogflow service agent](https://cloud.google.com/iam/docs/service-agents?_gl=1*1jsujvh*_ga*NjYxMzU3OTg2LjE3Njc3MzQ4NjM.*_ga_WH2QY8WWF5*czE3Njc3MzQ2MjgkbzIkZzEkdDE3Njc3MzQ3NzQkajYwJGwwJGgw#dialogflow-service-agent).`,
+												},
+											},
+										},
+									},
 									"service_agent_auth": {
 										Type:         schema.TypeString,
 										Optional:     true,
@@ -965,6 +1007,8 @@ func flattenDialogflowCXWebhookGenericWebService(v interface{}, d *schema.Resour
 		flattenDialogflowCXWebhookGenericWebServiceSecretVersionsForRequestHeaders(original["secretVersionsForRequestHeaders"], d, config)
 	transformed["service_agent_auth"] =
 		flattenDialogflowCXWebhookGenericWebServiceServiceAgentAuth(original["serviceAgentAuth"], d, config)
+	transformed["service_account_auth_config"] =
+		flattenDialogflowCXWebhookGenericWebServiceServiceAccountAuthConfig(original["serviceAccountAuthConfig"], d, config)
 	transformed["uri"] =
 		flattenDialogflowCXWebhookGenericWebServiceUri(original["uri"], d, config)
 	transformed["webhook_type"] =
@@ -1059,6 +1103,23 @@ func flattenDialogflowCXWebhookGenericWebServiceServiceAgentAuth(v interface{},
 	return v
 }
 
+func flattenDialogflowCXWebhookGenericWebServiceServiceAccountAuthConfig(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["service_account"] =
+		flattenDialogflowCXWebhookGenericWebServiceServiceAccountAuthConfigServiceAccount(original["serviceAccount"], d, config)
+	return []interface{}{transformed}
+}
+func flattenDialogflowCXWebhookGenericWebServiceServiceAccountAuthConfigServiceAccount(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenDialogflowCXWebhookGenericWebServiceUri(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -1113,6 +1174,8 @@ func flattenDialogflowCXWebhookServiceDirectoryGenericWebService(v interface{},
 		flattenDialogflowCXWebhookServiceDirectoryGenericWebServiceSecretVersionsForRequestHeaders(original["secretVersionsForRequestHeaders"], d, config)
 	transformed["service_agent_auth"] =
 		flattenDialogflowCXWebhookServiceDirectoryGenericWebServiceServiceAgentAuth(original["serviceAgentAuth"], d, config)
+	transformed["service_account_auth_config"] =
+		flattenDialogflowCXWebhookServiceDirectoryGenericWebServiceServiceAccountAuthConfig(original["serviceAccountAuthConfig"], d, config)
 	transformed["uri"] =
 		flattenDialogflowCXWebhookServiceDirectoryGenericWebServiceUri(original["uri"], d, config)
 	transformed["webhook_type"] =
@@ -1207,6 +1270,23 @@ func flattenDialogflowCXWebhookServiceDirectoryGenericWebServiceServiceAgentAuth
 	return v
 }
 
+func flattenDialogflowCXWebhookServiceDirectoryGenericWebServiceServiceAccountAuthConfig(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	if v == nil {
+		return nil
+	}
+	original := v.(map[string]interface{})
+	if len(original) == 0 {
+		return nil
+	}
+	transformed := make(map[string]interface{})
+	transformed["service_account"] =
+		flattenDialogflowCXWebhookServiceDirectoryGenericWebServiceServiceAccountAuthConfigServiceAccount(original["serviceAccount"], d, config)
+	return []interface{}{transformed}
+}
+func flattenDialogflowCXWebhookServiceDirectoryGenericWebServiceServiceAccountAuthConfigServiceAccount(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
+	return v
+}
+
 func flattenDialogflowCXWebhookServiceDirectoryGenericWebServiceUri(v interface{}, d *schema.ResourceData, config *transport_tpg.Config) interface{} {
 	return v
 }
@@ -1318,6 +1398,13 @@ func expandDialogflowCXWebhookGenericWebService(v interface{}, d tpgresource.Ter
 		transformed["serviceAgentAuth"] = transformedServiceAgentAuth
 	}
 
+	transformedServiceAccountAuthConfig, err := expandDialogflowCXWebhookGenericWebServiceServiceAccountAuthConfig(original["service_account_auth_config"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedServiceAccountAuthConfig); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["serviceAccountAuthConfig"] = transformedServiceAccountAuthConfig
+	}
+
 	transformedUri, err := expandDialogflowCXWebhookGenericWebServiceUri(original["uri"], d, config)
 	if err != nil {
 		return nil, err
@@ -1476,6 +1563,32 @@ func expandDialogflowCXWebhookGenericWebServiceServiceAgentAuth(v interface{}, d
 	return v, nil
 }
 
+func expandDialogflowCXWebhookGenericWebServiceServiceAccountAuthConfig(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	if v == nil {
+		return nil, nil
+	}
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedServiceAccount, err := expandDialogflowCXWebhookGenericWebServiceServiceAccountAuthConfigServiceAccount(original["service_account"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedServiceAccount); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["serviceAccount"] = transformedServiceAccount
+	}
+
+	return transformed, nil
+}
+
+func expandDialogflowCXWebhookGenericWebServiceServiceAccountAuthConfigServiceAccount(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandDialogflowCXWebhookGenericWebServiceUri(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }
@@ -1592,6 +1705,13 @@ func expandDialogflowCXWebhookServiceDirectoryGenericWebService(v interface{}, d
 		transformed["serviceAgentAuth"] = transformedServiceAgentAuth
 	}
 
+	transformedServiceAccountAuthConfig, err := expandDialogflowCXWebhookServiceDirectoryGenericWebServiceServiceAccountAuthConfig(original["service_account_auth_config"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedServiceAccountAuthConfig); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["serviceAccountAuthConfig"] = transformedServiceAccountAuthConfig
+	}
+
 	transformedUri, err := expandDialogflowCXWebhookServiceDirectoryGenericWebServiceUri(original["uri"], d, config)
 	if err != nil {
 		return nil, err
@@ -1750,6 +1870,32 @@ func expandDialogflowCXWebhookServiceDirectoryGenericWebServiceServiceAgentAuth(
 	return v, nil
 }
 
+func expandDialogflowCXWebhookServiceDirectoryGenericWebServiceServiceAccountAuthConfig(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	if v == nil {
+		return nil, nil
+	}
+	l := v.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil, nil
+	}
+	raw := l[0]
+	original := raw.(map[string]interface{})
+	transformed := make(map[string]interface{})
+
+	transformedServiceAccount, err := expandDialogflowCXWebhookServiceDirectoryGenericWebServiceServiceAccountAuthConfigServiceAccount(original["service_account"], d, config)
+	if err != nil {
+		return nil, err
+	} else if val := reflect.ValueOf(transformedServiceAccount); val.IsValid() && !tpgresource.IsEmptyValue(val) {
+		transformed["serviceAccount"] = transformedServiceAccount
+	}
+
+	return transformed, nil
+}
+
+func expandDialogflowCXWebhookServiceDirectoryGenericWebServiceServiceAccountAuthConfigServiceAccount(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandDialogflowCXWebhookServiceDirectoryGenericWebServiceUri(v interface{}, d tpgresource.TerraformResourceData, config *transport_tpg.Config) (interface{}, error) {
 	return v, nil
 }

@@ -24,6 +24,7 @@ fields:
       field: generic_web_service.secret_versions_for_request_headers.key
     - api_field: genericWebService.secretVersionsForRequestHeaders.value.secretVersion
       field: generic_web_service.secret_versions_for_request_headers.secret_version
+    - api_field: genericWebService.serviceAccountAuthConfig.serviceAccount
     - api_field: genericWebService.serviceAgentAuth
     - api_field: genericWebService.uri
     - api_field: genericWebService.webhookType
@@ -46,6 +47,7 @@ fields:
       field: service_directory.generic_web_service.secret_versions_for_request_headers.key
     - api_field: serviceDirectory.genericWebService.secretVersionsForRequestHeaders.value.secretVersion
       field: service_directory.generic_web_service.secret_versions_for_request_headers.secret_version
+    - api_field: serviceDirectory.genericWebService.serviceAccountAuthConfig.serviceAccount
     - api_field: serviceDirectory.genericWebService.serviceAgentAuth
     - api_field: serviceDirectory.genericWebService.uri
     - api_field: serviceDirectory.genericWebService.webhookType

@@ -328,6 +328,125 @@ resource "google_dialogflow_cx_webhook" "flexible_webhook" {
 `, context)
 }
 
+func TestAccDialogflowCXWebhook_dialogflowcxWebhookWithServiceAccountAuthExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"service_account": envvar.GetTestServiceAccountFromEnv(t),
+		"random_suffix":   acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckDialogflowCXWebhookDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDialogflowCXWebhook_dialogflowcxWebhookWithServiceAccountAuthExample(context),
+			},
+			{
+				ResourceName:            "google_dialogflow_cx_webhook.webhook_use_service_account",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"generic_web_service.0.oauth_config.0.client_secret", "parent", "service_directory.0.generic_web_service.0.oauth_config.0.client_secret"},
+			},
+		},
+	})
+}
+
+func testAccDialogflowCXWebhook_dialogflowcxWebhookWithServiceAccountAuthExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_dialogflow_cx_agent" "agent" {
+  display_name = "tf-test-dialogflowcx-agent%{random_suffix}"
+  location = "global"
+  default_language_code = "en"
+  supported_language_codes = ["it","de","es"]
+  time_zone = "America/New_York"
+  description = "Example description."
+  avatar_uri = "https://cloud.google.com/_static/images/cloud/icons/favicons/onecloud/super_cloud.png"
+  enable_stackdriver_logging = true
+  enable_spell_correction    = true
+  speech_to_text_settings {
+    enable_speech_adaptation = true
+  }
+}
+
+
+resource "google_dialogflow_cx_webhook" "webhook_use_service_account" {
+  parent       = google_dialogflow_cx_agent.agent.id
+  display_name = "MyWebhook"
+  generic_web_service {
+		uri = "https://example.googleapis.com"
+    webhook_type = "STANDARD"
+    service_account_auth_config {
+      service_account = "%{service_account}"
+    }
+	}
+}
+`, context)
+}
+
+func TestAccDialogflowCXWebhook_dialogflowcxWebhookServiceDirectoryWithServiceAccountAuthExample(t *testing.T) {
+	t.Parallel()
+
+	context := map[string]interface{}{
+		"service_account": envvar.GetTestServiceAccountFromEnv(t),
+		"random_suffix":   acctest.RandString(t, 10),
+	}
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckDialogflowCXWebhookDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDialogflowCXWebhook_dialogflowcxWebhookServiceDirectoryWithServiceAccountAuthExample(context),
+			},
+			{
+				ResourceName:            "google_dialogflow_cx_webhook.webhook_use_service_account",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"generic_web_service.0.oauth_config.0.client_secret", "parent", "service_directory.0.generic_web_service.0.oauth_config.0.client_secret"},
+			},
+		},
+	})
+}
+
+func testAccDialogflowCXWebhook_dialogflowcxWebhookServiceDirectoryWithServiceAccountAuthExample(context map[string]interface{}) string {
+	return acctest.Nprintf(`
+resource "google_dialogflow_cx_agent" "agent" {
+  display_name = "tf-test-dialogflowcx-agent%{random_suffix}"
+  location = "us-central1"
+  default_language_code = "en"
+  supported_language_codes = ["it","de","es"]
+  time_zone = "America/New_York"
+  description = "Example description."
+  avatar_uri = "https://cloud.google.com/_static/images/cloud/icons/favicons/onecloud/super_cloud.png"
+  enable_stackdriver_logging = true
+  enable_spell_correction    = true
+  speech_to_text_settings {
+    enable_speech_adaptation = true
+  }
+}
+
+
+resource "google_dialogflow_cx_webhook" "webhook_use_service_account" {
+  parent       = google_dialogflow_cx_agent.agent.id
+  display_name = "MyWebhook"
+  service_directory {
+    service = "projects/example-proj/locations/us-central1/namespaces/example-namespace/services/example-service"
+    generic_web_service {
+      uri = "https://example.googleapis.com"
+      webhook_type = "STANDARD"
+      service_account_auth_config {
+        service_account = "%{service_account}"
+      }
+    }
+  }
+}
+`, context)
+}
+
 func testAccCheckDialogflowCXWebhookDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		for name, rs := range s.RootModule().Resources {