diff --git a/fast/stages/0-org-setup/schemas/organization.schema.json b/fast/stages/0-org-setup/schemas/organization.schema.json
index e1d502d78..f7fc110d1 100644
--- a/fast/stages/0-org-setup/schemas/organization.schema.json
+++ b/fast/stages/0-org-setup/schemas/organization.schema.json
@@ -360,6 +360,39 @@
"pool_name": {
"type": "string"
},
+ "display_name": {
+ "type": "string"
+ },
+ "description": {
+ "type": "string"
+ },
+ "disabled": {
+ "type": "boolean"
+ },
+ "session_duration": {
+ "type": "string"
+ },
+ "access_restrictions": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "allowed_services": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "domain": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "disable_programmatic_signin": {
+ "type": "boolean"
+ }
+ }
+ },
"providers": {
"type": "object",
"additionalProperties": false,
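Review bot: `session_duration` is added as an unconstrained `"type": "string"`, so the schema accepts values the pool resource cannot consume, while the fixture updated in this same commit shows the expected shape (`3600s`); a `"pattern": "^[0-9]+(\\.[0-9]+)?s$"` next to the type would reject malformed durations at validation time instead of at apply time. `domain` under `allowed_services` is likewise unconstrained and accepts an empty string, where `"minLength": 1` is cheap and an empty domain cannot express a restriction. The same two constraints have no counterpart in variables-identity-providers.tf, whose `variable "workforce_identity_config"` gains the attributes without a `validation` block.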
diff --git a/fast/stages/0-org-setup/schemas/organization.schema.md b/fast/stages/0-org-setup/schemas/organization.schema.md
index b0c6ed0bf..086b1875d 100644
--- a/fast/stages/0-org-setup/schemas/organization.schema.md
+++ b/fast/stages/0-org-setup/schemas/organization.schema.md
@@ -101,6 +101,17 @@
- **workforce_identity_config**: *object*
*additional properties: false*
- **pool_name**: *string*
+ - **display_name**: *string*
+ - **description**: *string*
+ - **disabled**: *boolean*
+ - **session_duration**: *string*
+ - **access_restrictions**: *object*
+
*additional properties: false*
+ - **allowed_services**: *array*
+ - items: *object*
+
*additional properties: false*
+ - **domain**: *string*
+ - **disable_programmatic_signin**: *boolean*
- **providers**: *object*
*additional properties: false*
- **`^[a-z][a-z0-9-]+[a-z0-9]$`**: *object*
diff --git a/modules/organization/README.md b/modules/organization/README.md
index f25a33c0f..7322d000d 100644
--- a/modules/organization/README.md
+++ b/modules/organization/README.md
@@ -841,7 +841,9 @@ module "org" {
organization_id = var.organization_id
workforce_identity_config = {
# optional, defaults to 'default'
- pool_name = "test-pool"
+ pool_name = "test-pool"
+ display_name = "Test Pool"
+ description = "Workforce pool for testing."
providers = {
saml-basic = {
attribute_mapping_template = "azuread"
@@ -959,7 +961,7 @@ module "org" {
| [tag_bindings](variables-tags.tf#L89) | Tag bindings for this organization, in key => tag value id format. | map(string) | | {} |
| [tags](variables-tags.tf#L96) | Tags by key name. If `id` is provided, key or value creation is skipped. The `iam` attribute behaves like the similarly named one at module level. | map(object({…})) | | {} |
| [tags_config](variables-tags.tf#L161) | Fine-grained control on tag resource and IAM creation. | object({…}) | | {} |
-| [workforce_identity_config](variables-identity-providers.tf#L17) | Workforce Identity Federation pool and providers. | object({…}) | | null |
+| [workforce_identity_config](variables-identity-providers.tf#L17) | Workforce Identity Federation pool and providers. | object({…}) | | null |
## Outputs
diff --git a/modules/organization/identity-providers.tf b/modules/organization/identity-providers.tf
index 91dd5818e..66d04ae27 100644
--- a/modules/organization/identity-providers.tf
+++ b/modules/organization/identity-providers.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2025 Google LLC
+ * Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -42,6 +42,22 @@ resource "google_iam_workforce_pool" "default" {
parent = var.organization_id
location = "global"
workforce_pool_id = var.workforce_identity_config.pool_name
+ description = var.workforce_identity_config.description
+ disabled = var.workforce_identity_config.disabled
+ display_name = var.workforce_identity_config.display_name
+ session_duration = var.workforce_identity_config.session_duration
+ dynamic "access_restrictions" {
+ for_each = var.workforce_identity_config.access_restrictions != null ? [""] : []
+ content {
+ disable_programmatic_signin = var.workforce_identity_config.access_restrictions.disable_programmatic_signin
+ dynamic "allowed_services" {
+ for_each = coalesce(var.workforce_identity_config.access_restrictions.allowed_services, [])
+ content {
+ domain = allowed_services.value.domain
+ }
+ }
+ }
+ }
}
resource "google_iam_workforce_pool_provider" "default" {
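Review bot: `domain = allowed_services.value.domain` in the inner `dynamic "allowed_services"` block forwards a null whenever a caller lists an `allowed_services` entry without `domain`, because the same commit declares it as `optional(string)` in variables-identity-providers.tf; an entry with no domain restricts nothing, so it should fail at plan time rather than be sent to the API. Making the attribute mandatory in the variable type, `domain = string`, fixes this in one line, and that change belongs in the variables-identity-providers.tf hunk rather than here. `disable_programmatic_signin` is also passed through as null when unset, so the pool gets whatever the provider applies by default; a one-line comment above it, `# null leaves programmatic sign-in at the provider default`, would make that explicit for readers of the resource. The enclosing `resource "google_iam_workforce_pool" "default"` block starts before this hunk.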
diff --git a/modules/organization/variables-identity-providers.tf b/modules/organization/variables-identity-providers.tf
index 9947f841d..f698665c9 100644
--- a/modules/organization/variables-identity-providers.tf
+++ b/modules/organization/variables-identity-providers.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2025 Google LLC
+ * Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -17,7 +17,17 @@
variable "workforce_identity_config" {
description = "Workforce Identity Federation pool and providers."
type = object({
- pool_name = optional(string, "default")
+ pool_name = optional(string, "default")
+ description = optional(string)
+ disabled = optional(bool)
+ display_name = optional(string)
+ session_duration = optional(string)
+ access_restrictions = optional(object({
+ disable_programmatic_signin = optional(bool)
+ allowed_services = optional(list(object({
+ domain = optional(string)
+ })))
+ }))
providers = optional(map(object({
description = optional(string)
display_name = optional(string)
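Review bot: The variable `description` at the top of the hunk still reads "Workforce Identity Federation pool and providers." and says nothing about the new `access_restrictions` object, which is the security-relevant knob added here: when it is omitted, identity-providers.tf emits no `access_restrictions` block, so the pool carries no service restriction and programmatic sign-in stays at whatever the provider applies by default. Suggest `description = "Workforce Identity Federation pool and providers. Leaving access_restrictions unset applies no service restriction to the pool."` so the consequence of the default is visible in the generated variables table. The `variable` block closes outside the hunk, so a `validation` block for `session_duration` (which is an unconstrained `optional(string)`) would go after the `type` argument, outside the visible lines.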
diff --git a/tests/modules/organization/examples/wfif.yaml b/tests/modules/organization/examples/wfif.yaml
index d29c0ba88..cb46b67b1 100644
--- a/tests/modules/organization/examples/wfif.yaml
+++ b/tests/modules/organization/examples/wfif.yaml
@@ -15,9 +15,9 @@
values:
module.org.google_iam_workforce_pool.default[0]:
access_restrictions: []
- description: null
+ description: Workforce pool for testing.
disabled: null
- display_name: null
+ display_name: Test Pool
location: global
parent: organizations/1122334455
session_duration: 3600s
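Review bot: The updated expectation still has `access_restrictions: []`, so the new `dynamic "access_restrictions"` block in identity-providers.tf, including the `allowed_services` loop and `disable_programmatic_signin`, is not exercised by any test in this commit; only `description` and `display_name` gain non-null expectations. Extending the README example, and presumably this fixture derived from it, with one `access_restrictions` entry holding a single `allowed_services` domain would cover the only code path in the change that builds nested blocks. Without it, a regression in the `for_each` conditions would leave the pool unrestricted while tests keep passing.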