gcp_iam_workload_identity_pool

ancestors

Type: UNORDERED_LIST_STRING

description

Type: STRING
Provider name: description
Description: Optional. A description of the pool. Cannot exceed 256 characters.

disabled

Type: BOOLEAN
Provider name: disabled
Description: Optional. Whether the pool is disabled. You cannot use a disabled pool to exchange tokens, or use existing tokens to access resources. If the pool is re-enabled, existing tokens grant access again.

expire_time

Type: TIMESTAMP
Provider name: expireTime
Description: Output only. Time after which the workload identity pool will be permanently purged and cannot be recovered.

gcp_display_name

Type: STRING
Provider name: displayName
Description: Optional. A display name for the pool. Cannot exceed 32 characters.

inline_certificate_issuance_config

Type: STRUCT
Provider name: inlineCertificateIssuanceConfig
Description: Optional. Defines the Certificate Authority (CA) pool resources and configurations required for issuance and rotation of mTLS workload certificates.

  • key_algorithm
    Type: STRING
    Provider name: keyAlgorithm
    Description: Optional. Key algorithm to use when generating the key pair. This key pair will be used to create the certificate. If not specified, this will default to ECDSA_P256.
    Possible values:
    • KEY_ALGORITHM_UNSPECIFIED - Unspecified key algorithm. Defaults to ECDSA_P256.
    • RSA_2048 - Specifies RSA with a 2048-bit modulus.
    • RSA_3072 - Specifies RSA with a 3072-bit modulus.
    • RSA_4096 - Specifies RSA with a 4096-bit modulus.
    • ECDSA_P256 - Specifies ECDSA with curve P256.
    • ECDSA_P384 - Specifies ECDSA with curve P384.
  • lifetime
    Type: STRING
    Provider name: lifetime
    Description: Optional. Lifetime of the workload certificates issued by the CA pool. Must be between 24 hours and 30 days. If not specified, this defaults to 24 hours.
  • rotation_window_percentage
    Type: INT32
    Provider name: rotationWindowPercentage
    Description: Optional. Rotation window percentage: the percentage of remaining lifetime after which certificate rotation is initiated. Must be between 50 and 80. If no value is specified, the rotation window percentage defaults to 50.

inline_trust_config

Type: STRUCT
Provider name: inlineTrustConfig
Description: Optional. Represents the configuration for adding additional trusted trust domains.

labels

Type: UNORDERED_LIST_STRING

mode

Type: STRING
Provider name: mode
Description: Immutable. The mode the pool is operating in.
Possible values:

  • MODE_UNSPECIFIED - State unspecified. New pools should not use this mode. Pools with an unspecified mode will operate as if they are in federation-only mode.
  • FEDERATION_ONLY - Federation-only mode. Federation-only pools can only be used for federating external workload identities into Google Cloud. Unless otherwise noted, no structure or format constraints are applied to workload identities in a federation-only pool, and you cannot create any resources within the pool besides providers.
  • TRUST_DOMAIN - Trust-domain mode. Trust-domain pools can be used to assign identities to Google Cloud workloads. All identities within a trust-domain pool must consist of a single namespace and individual workload identifier. The subject identifier for all identities must conform to the following format: ns//sa/. WorkloadIdentityPoolProviders cannot be created within trust-domain pools.

name

Type: STRING
Provider name: name
Description: Output only. The resource name of the pool.

organization_id

Type: STRING

parent

Type: STRING

project_id

Type: STRING

project_number

Type: STRING

region_id

Type: STRING

resource_name

Type: STRING

state

Type: STRING
Provider name: state
Description: Output only. The state of the pool.
Possible values:

  • STATE_UNSPECIFIED - State unspecified.
  • ACTIVE - The pool is active, and may be used in Google Cloud policies.
  • DELETED - The pool is soft-deleted. Soft-deleted pools are permanently deleted after approximately 30 days. You can restore a soft-deleted pool using UndeleteWorkloadIdentityPool. You cannot reuse the ID of a soft-deleted pool until it is permanently deleted. While a pool is deleted, you cannot use it to exchange tokens, or use existing tokens to access resources. If the pool is undeleted, existing tokens grant access again.

tags

Type: UNORDERED_LIST_STRING

zone_id

Type: STRING