---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** Type: MMv1 ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Cloud IAM"
description: |-
  Represents a collection of external workforces.
---
# google\_iam\_workforce\_pool
Represents a collection of external workforces. Provides namespaces for
federated users that can be referenced in IAM policies.
To get more information about WorkforcePool, see:
* [API documentation](https://cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools)
* How-to Guides
* [Manage pools](https://cloud.google.com/iam/docs/manage-workforce-identity-pools-providers#manage_pools)
~> **Note:** Ask your Google Cloud account team to request access to workforce identity federation for
your billing/quota project. The account team notifies you when the project is granted access.
## Example Usage - Iam Workforce Pool Basic
```hcl
resource "google_iam_workforce_pool" "example" {
  workforce_pool_id = "example-pool"
  parent            = "organizations/123456789"
  location          = "global"
}
```
## Example Usage - Iam Workforce Pool Full
```hcl
resource "google_iam_workforce_pool" "example" {
  workforce_pool_id = "example-pool"
  parent            = "organizations/123456789"
  location          = "global"
  display_name      = "Display name"
  description       = "A sample workforce pool."
  disabled          = false
  session_duration  = "7200s"
  access_restrictions {
    allowed_services {
      domain = "backstory.chronicle.security"
    }
    disable_programmatic_signin = false
  }
}
```
## Argument Reference
The following arguments are supported:
* `location` -
  (Required)
  The location for the resource.
* `workforce_pool_id` -
  (Required)
  The name of the pool. The ID must be a globally unique string of 6 to 63 lowercase letters,
  digits, or hyphens. It must start with a letter, and cannot have a trailing hyphen.
  The prefix `gcp-` is reserved for use by Google, and may not be specified.
* `parent` -
  (Required)
  Immutable. The resource name of the parent. Format: `organizations/{org-id}`.
- - -
* `display_name` -
  (Optional)
  A user-specified display name of the pool in Google Cloud Console. Cannot exceed 32 characters.
* `description` -
  (Optional)
  A user-specified description of the pool. Cannot exceed 256 characters.
* `disabled` -
  (Optional)
  Whether the pool is disabled. You cannot use a disabled pool to exchange tokens,
  or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.
* `session_duration` -
  (Optional)
  Duration that the Google Cloud access tokens, console sign-in sessions,
  and `gcloud` sign-in sessions from this pool are valid.
  Must be greater than 15 minutes (900s) and less than 12 hours (43200s).
  If `sessionDuration` is not configured, minted credentials have a default duration of one hour (3600s).
  A duration in seconds with up to nine fractional digits, ending with '`s`'. Example: "`3.5s`".
* `access_restrictions` -
  (Optional)
  Configure access restrictions on the workforce pool users. This is an optional field. If specified, web
  sign-in can be restricted to a given set of services, or programmatic sign-in can be disabled for pool users.
  Structure is [documented below](#nested_access_restrictions).
<a name="nested_access_restrictions"></a>The `access_restrictions` block supports:
* `allowed_services` -
  (Optional)
  Services allowed for web sign-in with the workforce pool.
  If not set, there are no restrictions by default.
  Structure is [documented below](#nested_allowed_services).
* `disable_programmatic_signin` -
  (Optional)
  Disable programmatic sign-in by disabling token issuance via the Security Token Service API endpoint.
  See [Security Token Service API](https://cloud.google.com/iam/docs/reference/sts/rest).
<a name="nested_allowed_services"></a>The `allowed_services` block supports:
* `domain` -
  (Optional)
  Domain name of the service.
  Example: console.cloud.google
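As an added pre-apply check that is not part of the provider docs or the Google provider's own code, the following Python validator applies the constraints stated in the Argument Reference above (pool ID shape and the reserved `gcp-` prefix, `session_duration` format and bounds, `parent` format, and the `display_name`/`description` length limits) to one resource's arguments so that a misconfigured pool is caught in CI before `terraform apply`. It assumes organization IDs are numeric, as in the examples on this page.

```python
"""Added pre-apply check for google_iam_workforce_pool arguments (not provider code)."""
import re
from decimal import Decimal

# 6-63 chars of [a-z0-9-], first char a letter, last char not a hyphen.
POOL_ID_RE = re.compile(r"[a-z][a-z0-9-]{4,61}[a-z0-9]")
# Seconds with up to nine fractional digits and a trailing 's', e.g. "3.5s".
DURATION_RE = re.compile(r"(\d+(?:\.\d{1,9})?)s")
# Assumption: organization IDs are numeric, as in the examples above.
PARENT_RE = re.compile(r"organizations/\d+")
MIN_SESSION_S = Decimal(900)    # must be strictly greater than 15 minutes
MAX_SESSION_S = Decimal(43200)  # must be strictly less than 12 hours


def check_pool_id(pool_id: str) -> list:
    """Return the problems found with workforce_pool_id; an empty list means valid."""
    problems = []
    if not POOL_ID_RE.fullmatch(pool_id):
        problems.append("workforce_pool_id must be 6-63 lowercase letters, digits or "
                        "hyphens, start with a letter and not end with a hyphen")
    if pool_id.startswith("gcp-"):
        problems.append("workforce_pool_id prefix 'gcp-' is reserved for Google")
    return problems


def check_session_duration(duration: "str | None") -> list:
    """Validate session_duration; None means the API default of 3600s applies."""
    if duration is None:
        return []
    match = DURATION_RE.fullmatch(duration)
    if not match:
        return [f"session_duration {duration!r} must be seconds ending in 's'"]
    seconds = Decimal(match.group(1))
    if not MIN_SESSION_S < seconds < MAX_SESSION_S:
        return [f"session_duration {duration!r} must be >900s and <43200s"]
    return []


def check_pool(pool: dict) -> list:
    """Run every documented constraint against one resource's arguments."""
    problems = check_pool_id(pool.get("workforce_pool_id", ""))
    problems += check_session_duration(pool.get("session_duration"))
    if not PARENT_RE.fullmatch(pool.get("parent", "")):
        problems.append("parent must have the form organizations/{org-id}")
    if len(pool.get("display_name", "")) > 32:
        problems.append("display_name cannot exceed 32 characters")
    if len(pool.get("description", "")) > 256:
        problems.append("description cannot exceed 256 characters")
    return problems
```

Feed it the decoded arguments of each `google_iam_workforce_pool` resource (for example from `terraform show -json`) and fail the pipeline when `check_pool` returns a non-empty list.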
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `id` - an identifier for the resource with format `locations/{{location}}/workforcePools/{{workforce_pool_id}}`
* `name` -
Output only. The resource name of the pool.
Format: `locations/{location}/workforcePools/{workforcePoolId}`
* `state` -
  Output only. The state of the pool.
  * STATE_UNSPECIFIED: State unspecified.
  * ACTIVE: The pool is active, and may be used in Google Cloud policies.
  * DELETED: The pool is soft-deleted. Soft-deleted pools are permanently deleted
    after approximately 30 days. You can restore a soft-deleted pool using
    [workforcePools.undelete](https://cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools/undelete#google.iam.admin.v1.WorkforcePools.UndeleteWorkforcePool).
    You cannot reuse the ID of a soft-deleted pool until it is permanently deleted.
    While a pool is deleted, you cannot use it to exchange tokens, or use
    existing tokens to access resources. If the pool is undeleted, existing
    tokens grant access again.
## Timeouts
This resource provides the following
[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:
- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.
## Import
WorkforcePool can be imported using any of these accepted formats:
* `locations/{{location}}/workforcePools/{{workforce_pool_id}}`
* `{{location}}/{{workforce_pool_id}}`
In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import WorkforcePool using one of the formats above. For example:
```tf
import {
  id = "locations/{{location}}/workforcePools/{{workforce_pool_id}}"
  to = google_iam_workforce_pool.default
}
```
When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), WorkforcePool can be imported using one of the formats above. For example:
```
$ terraform import google_iam_workforce_pool.default locations/{{location}}/workforcePools/{{workforce_pool_id}}
$ terraform import google_iam_workforce_pool.default {{location}}/{{workforce_pool_id}}
```