From 289f674bf43c4fe588c802201d0316107521c4a9 Mon Sep 17 00:00:00 2001
From: Mario Minardi
Date: Thu, 26 Oct 2023 10:20:58 -0600
Subject: [PATCH 1/3] Fix example TF for workload identity provider

---
 .../hcp_iam_workload_identity_provider/resource_azure.tf | 4 ++--
 .../hcp_iam_workload_identity_provider/resource_gcp.tf | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/examples/resources/hcp_iam_workload_identity_provider/resource_azure.tf b/examples/resources/hcp_iam_workload_identity_provider/resource_azure.tf
index 906419a85..d9fa1d9cd 100644
--- a/examples/resources/hcp_iam_workload_identity_provider/resource_azure.tf
+++ b/examples/resources/hcp_iam_workload_identity_provider/resource_azure.tf
@@ -14,11 +14,11 @@ resource "hcp_iam_workload_identity_provider" "example" {
 # The allowed audience should be set to the Object ID of the Azure Managed
 # Identity. In this example, this would be the Object ID of a User Managed
 # Identity that will be attached to "my-app" workloads on Azure.
- allowed_audience = ["api://10bacc1d-f3f5-499d-a14c-684c1471b27f"]
+ allowed_audiences = ["api://10bacc1d-f3f5-499d-a14c-684c1471b27f"]
 }

 # Only allow workload's that are assigned the expected managed identity.
 # The access_token given to Azure workload's will have the oid claim set to
 # that of the managed identity.
- conditional_access = "jwt_claims.oid is `066c643f-86c0-490a-854c-35e77ddc7851`"
+ conditional_access = "jwt_claims.oid == `066c643f-86c0-490a-854c-35e77ddc7851`"
 }
diff --git a/examples/resources/hcp_iam_workload_identity_provider/resource_gcp.tf b/examples/resources/hcp_iam_workload_identity_provider/resource_gcp.tf
index ded3357f6..331441734 100644
--- a/examples/resources/hcp_iam_workload_identity_provider/resource_gcp.tf
+++ b/examples/resources/hcp_iam_workload_identity_provider/resource_gcp.tf
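Review bot: The context comments directly above the new `conditional_access` line use a possessive where the plural is meant — `# Only allow workload's that are assigned the expected managed identity.` and `# The access_token given to Azure workload's will have the oid claim set to` — and should read `# Only allow workloads that are assigned the expected managed identity.` and `# The access_token given to Azure workloads will have the oid claim set to`. The same wording recurs in the resource_gcp.tf hunk (`# Only allow workload's that are assigned the expected service account ID`) and, because docs/resources/iam_workload_identity_provider.md is regenerated from these examples in the second patch of the series, in both generated doc hunks too; correcting the two .tf examples and regenerating covers all of them. The enclosing `resource` block starts outside the hunk.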
@@ -13,5 +13,5 @@ resource "hcp_iam_workload_identity_provider" "example" {
 # Only allow workload's that are assigned the expected service account ID
 # GCP will set the subject to that of the service account associated with the
 # workload.
- conditional_access = "jwt_token.sub is `107517467455664443766`"
+ conditional_access = "jwt_claims.sub == `107517467455664443766`"
 }

From c37d303a18575107a8270942ad7ebe87337f790b Mon Sep 17 00:00:00 2001
From: Mario Minardi
Date: Thu, 26 Oct 2023 10:22:11 -0600
Subject: [PATCH 2/3] Generate docs

---
 docs/resources/iam_workload_identity_provider.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/resources/iam_workload_identity_provider.md b/docs/resources/iam_workload_identity_provider.md
index 76ea5b932..3e304b02c 100644
--- a/docs/resources/iam_workload_identity_provider.md
+++ b/docs/resources/iam_workload_identity_provider.md
@@ -49,13 +49,13 @@ resource "hcp_iam_workload_identity_provider" "example" {
 # The allowed audience should be set to the Object ID of the Azure Managed
 # Identity. In this example, this would be the Object ID of a User Managed
 # Identity that will be attached to "my-app" workloads on Azure.
- allowed_audience = ["api://10bacc1d-f3f5-499d-a14c-684c1471b27f"]
+ allowed_audiences = ["api://10bacc1d-f3f5-499d-a14c-684c1471b27f"]
 }

 # Only allow workload's that are assigned the expected managed identity.
 # The access_token given to Azure workload's will have the oid claim set to
 # that of the managed identity.
- conditional_access = "jwt_claims.oid is `066c643f-86c0-490a-854c-35e77ddc7851`"
+ conditional_access = "jwt_claims.oid == `066c643f-86c0-490a-854c-35e77ddc7851`"
 }
 ```
@@ -77,7 +77,7 @@ resource "hcp_iam_workload_identity_provider" "example" {
 # Only allow workload's that are assigned the expected service account ID
 # GCP will set the subject to that of the service account associated with the
 # workload.
- conditional_access = "jwt_token.sub is `107517467455664443766`"
+ conditional_access = "jwt_claims.sub == `107517467455664443766`"
 }
 ```

From c26c76255602bd09d27abae6a3779b1af932b9df Mon Sep 17 00:00:00 2001
From: Mario Minardi
Date: Thu, 26 Oct 2023 10:54:25 -0600
Subject: [PATCH 3/3] Add changelog entry

---
 .changelog/657.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/657.txt

diff --git a/.changelog/657.txt b/.changelog/657.txt
new file mode 100644
index 000000000..73812f66b
--- /dev/null
+++ b/.changelog/657.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+Fix some documentation mistakes in examples for the `hcp_iam_workload_identity_provider` resource.
+```