Represents a collection of external workforces. Provides namespaces for federated users that can be referenced in IAM policies.
To get more information about WorkforcePool, see:
```hcl
resource "google_iam_workforce_pool" "example" {
  workforce_pool_id = "example-pool"
  parent            = "organizations/123456789"
  location          = "global"
}
```

```hcl
resource "google_iam_workforce_pool" "example" {
  workforce_pool_id = "example-pool"
  parent            = "organizations/123456789"
  location          = "global"
  display_name      = "Display name"
  description       = "A sample workforce pool."
  disabled          = false
  session_duration  = "7200s"
  access_restrictions {
    allowed_services {
      domain = "backstory.chronicle.security"
    }
    disable_programmatic_signin = false
  }
}
```
The following arguments are supported:

* `location` - (Required) The location for the resource.

* `workforce_pool_id` - (Required) The name of the pool. The ID must be a globally unique string of 6 to 63 lowercase letters, digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen. The prefix `gcp-` is reserved for use by Google, and may not be specified.

* `parent` - (Required) Immutable. The resource name of the parent. Format: `organizations/{org-id}`.

* `display_name` - (Optional) A user-specified display name of the pool in Google Cloud Console. Cannot exceed 32 characters.

* `description` - (Optional) A user-specified description of the pool. Cannot exceed 256 characters.

* `disabled` - (Optional) Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.

* `session_duration` - (Optional) Duration that the Google Cloud access tokens, console sign-in sessions, and `gcloud` sign-in sessions from this pool are valid. Must be greater than 15 minutes (900s) and less than 12 hours (43200s). If `sessionDuration` is not configured, minted credentials have a default duration of one hour (3600s). A duration in seconds with up to nine fractional digits, ending with 's'. Example: `"3.5s"`.

* `access_restrictions` - (Optional) Configure access restrictions on the workforce pool users. This is an optional field. If specified, web sign-in can be restricted to a given set of services, or programmatic sign-in can be disabled for pool users. Structure is documented below.

The `access_restrictions` block supports:

* `allowed_services` - (Optional) Services allowed for web sign-in with the workforce pool. If not set, there are no restrictions by default. Structure is documented below.

* `disable_programmatic_signin` - (Optional) Disable programmatic sign-in by disabling token issue via the Security Token API endpoint. See Security Token Service API.

The `allowed_services` block supports:

* `domain` - (Optional) Domain name of the service. Example: `console.cloud.google`

In addition to the arguments listed above, the following computed attributes are exported:
* `id` - an identifier for the resource with format `locations/{{location}}/workforcePools/{{workforce_pool_id}}`

* `name` - Output only. The resource name of the pool. Format: `locations/{location}/workforcePools/{workforcePoolId}`

* `state` - Output only. The state of the pool.
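As an added example (not part of the provider documentation), the following Python pre-apply check applies the argument constraints listed above to a dict mirroring the resource's arguments: ID format and the reserved `gcp-` prefix, parent format, name and description length, and the `session_duration` format and bounds. The function names and the two sample configurations are constructed for this example; the "good" sample mirrors the full example configuration on this page.

```python
import re
# Field constraints as stated in the google_iam_workforce_pool argument reference above.
POOL_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,61}[a-z0-9]$")  # 6-63 chars, leading letter, no trailing hyphen
PARENT_RE = re.compile(r"^organizations/[^/]+$")            # organizations/{org-id}
DURATION_RE = re.compile(r"^(\d+)(?:\.(\d{1,9}))?s$")        # seconds, up to nine fractional digits, 's' suffix
MIN_SESSION_S, MAX_SESSION_S = 900, 43200                   # session_duration must lie strictly between these

def parse_duration_seconds(value):
    """Return the duration in seconds as a float, or None if the string is not a valid duration."""
    m = DURATION_RE.fullmatch(value)
    if not m:
        return None
    whole, frac = m.group(1), m.group(2) or "0"
    return int(whole) + int(frac) / 10 ** len(frac)

def validate_workforce_pool(cfg):
    """Return a list of constraint violations for a dict mirroring the resource's arguments."""
    errors = []
    pool_id = cfg.get("workforce_pool_id", "")
    if not POOL_ID_RE.fullmatch(pool_id):
        errors.append("workforce_pool_id: 6-63 lowercase letters, digits or hyphens; must start with a letter and not end with a hyphen")
    elif pool_id.startswith("gcp-"):
        errors.append("workforce_pool_id: the prefix gcp- is reserved for use by Google")
    if not PARENT_RE.fullmatch(cfg.get("parent", "")):
        errors.append("parent: must have the form organizations/{org-id}")
    if not cfg.get("location"):
        errors.append("location: required")
    if len(cfg.get("display_name", "")) > 32:
        errors.append("display_name: cannot exceed 32 characters")
    if len(cfg.get("description", "")) > 256:
        errors.append("description: cannot exceed 256 characters")
    duration = cfg.get("session_duration")  # optional; minted credentials default to 3600s when absent
    if duration is not None:
        seconds = parse_duration_seconds(duration)
        if seconds is None:
            errors.append('session_duration: seconds with up to nine fractional digits ending in "s", e.g. "3.5s"')
        elif not MIN_SESSION_S < seconds < MAX_SESSION_S:
            errors.append("session_duration: must be greater than 900s and less than 43200s")
    return errors

# Constructed sample mirroring the full example configuration above; expected to produce no errors.
GOOD_POOL = {
    "workforce_pool_id": "example-pool", "parent": "organizations/123456789", "location": "global",
    "display_name": "Display name", "description": "A sample workforce pool.", "session_duration": "7200s",
    "access_restrictions": {"allowed_services": [{"domain": "backstory.chronicle.security"}], "disable_programmatic_signin": False},
}
# Constructed sample that breaks four documented constraints: reserved prefix, parent format, name length, duration.
BAD_POOL = {"workforce_pool_id": "gcp-pool", "parent": "projects/123456789", "location": "global",
            "display_name": "x" * 40, "session_duration": "600s"}
```

`validate_workforce_pool(GOOD_POOL)` returns an empty list, while `BAD_POOL` yields four violations; a `session_duration` of `"43200s"` is rejected because the documented upper bound is exclusive.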
This resource provides the following Timeouts configuration options:

* `create` - Default is 20 minutes.
* `update` - Default is 20 minutes.
* `delete` - Default is 20 minutes.

WorkforcePool can be imported using any of these accepted formats:

* `locations/{{location}}/workforcePools/{{workforce_pool_id}}`
* `{{location}}/{{workforce_pool_id}}`
In Terraform v1.5.0 and later, use an `import` block to import WorkforcePool using one of the formats above. For example:

```hcl
import {
  id = "locations/{{location}}/workforcePools/{{workforce_pool_id}}"
  to = google_iam_workforce_pool.default
}
```

When using the `terraform import` command, WorkforcePool can be imported using one of the formats above. For example:

```
$ terraform import google_iam_workforce_pool.default locations/{{location}}/workforcePools/{{workforce_pool_id}}
$ terraform import google_iam_workforce_pool.default {{location}}/{{workforce_pool_id}}
```