The TlsInspectionPolicy resource contains references to CA pools in Certificate Authority Service and associated metadata.
To get more information about TlsInspectionPolicy, see:
```hcl
resource "google_privateca_ca_pool" "default" {
  provider = google-beta
  name     = "my-basic-ca-pool"
  location = "us-central1"
  tier     = "DEVOPS"
  publishing_options {
    publish_ca_cert = false
    publish_crl     = false
  }
  issuance_policy {
    maximum_lifetime = "1209600s"
    baseline_values {
      ca_options {
        is_ca = false
      }
      key_usage {
        base_key_usage {}
        extended_key_usage {
          server_auth = true
        }
      }
    }
  }
}

resource "google_privateca_certificate_authority" "default" {
  provider                               = google-beta
  pool                                   = google_privateca_ca_pool.default.name
  certificate_authority_id               = "my-basic-certificate-authority"
  location                               = "us-central1"
  lifetime                               = "86400s"
  type                                   = "SELF_SIGNED"
  deletion_protection                    = false
  skip_grace_period                      = true
  ignore_active_certificates_on_deletion = true
  config {
    subject_config {
      subject {
        organization = "Test LLC"
        common_name  = "my-ca"
      }
    }
    x509_config {
      ca_options {
        is_ca = true
      }
      key_usage {
        base_key_usage {
          cert_sign = true
          crl_sign  = true
        }
        extended_key_usage {
          server_auth = false
        }
      }
    }
  }
  key_spec {
    algorithm = "RSA_PKCS1_4096_SHA256"
  }
}

resource "google_project_service_identity" "ns_sa" {
  provider = google-beta
  service  = "networksecurity.googleapis.com"
}

resource "google_privateca_ca_pool_iam_member" "tls_inspection_permission" {
  provider = google-beta
  ca_pool  = google_privateca_ca_pool.default.id
  role     = "roles/privateca.certificateManager"
  member   = "serviceAccount:${google_project_service_identity.ns_sa.email}"
}

resource "google_network_security_tls_inspection_policy" "default" {
  provider              = google-beta
  name                  = "my-tls-inspection-policy"
  location              = "us-central1"
  ca_pool               = google_privateca_ca_pool.default.id
  exclude_public_ca_set = false
  depends_on = [
    google_privateca_ca_pool.default,
    google_privateca_certificate_authority.default,
    google_privateca_ca_pool_iam_member.tls_inspection_permission,
  ]
}
```
The following arguments are supported:

* `ca_pool` - (Required) A CA pool resource used to issue interception certificates.
* `name` - (Required) Short name of the TlsInspectionPolicy resource to be created.
* `description` - (Optional) Free-text description of the resource.
* `exclude_public_ca_set` - (Optional) If FALSE (the default), use our default set of public CAs in addition to any CAs specified in trustConfig. These public CAs are currently based on the Mozilla Root Program and are subject to change over time. If TRUE, do not accept our default set of public CAs. Only CAs specified in trustConfig will be accepted.
* `location` - (Optional) The location of the TLS inspection policy.
* `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
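The example configuration above ties the policy to a CA pool, a certificate authority in that pool, and an IAM grant of `roles/privateca.certificateManager` to the networksecurity service identity. As an added check that is not part of the provider documentation, the following Python reads `terraform show -json` plan output and verifies those relationships, that the pool's issuance policy pins `is_ca = false` for the certificates it issues, and reports when `exclude_public_ca_set` is left at its default; the plan JSON is a constructed sample and the resource addresses in it are assumptions.

```python
import json

REQUIRED_ROLE = "roles/privateca.certificateManager"  # needed by the networksecurity identity

# Constructed stand-in for `terraform show -json tfplan` output, cut down to the
# fields the check reads; nested blocks appear as lists, as Terraform emits them.
SAMPLE_PLAN = json.loads("""{"planned_values": {"root_module": {"resources": [
 {"type": "google_privateca_ca_pool", "address": "google_privateca_ca_pool.default",
  "values": {"name": "my-basic-ca-pool", "issuance_policy": [{"maximum_lifetime": "1209600s",
   "baseline_values": [{"ca_options": [{"is_ca": false}]}]}]}},
 {"type": "google_privateca_ca_pool_iam_member", "address": "google_privateca_ca_pool_iam_member.perm",
  "values": {"ca_pool": "projects/p/locations/us-central1/caPools/my-basic-ca-pool",
   "role": "roles/privateca.certificateManager"}},
 {"type": "google_network_security_tls_inspection_policy",
  "address": "google_network_security_tls_inspection_policy.default",
  "values": {"name": "my-tls-inspection-policy", "exclude_public_ca_set": false,
   "ca_pool": "projects/p/locations/us-central1/caPools/my-basic-ca-pool"}}
]}}}""")

def _pool_name(ref):
    """Last path segment of a CA pool id (projects/.../caPools/<name>)."""
    return ref.rsplit("/", 1)[-1]

def _block(values, *path):
    """Descend nested single-instance blocks; a missing level yields {}."""
    cur = values
    for key in path:
        cur = (cur.get(key) or [{}])[0]
    return cur

def check_tls_inspection_plan(plan):
    """Return one finding per problem; an empty list means the plan passes."""
    res = plan["planned_values"]["root_module"]["resources"]
    pools = {r["values"]["name"]: r["values"] for r in res if r["type"] == "google_privateca_ca_pool"}
    grants = {(_pool_name(r["values"]["ca_pool"]), r["values"]["role"])
              for r in res if r["type"] == "google_privateca_ca_pool_iam_member"}
    findings = []
    for r in (r for r in res if r["type"] == "google_network_security_tls_inspection_policy"):
        addr, v = r["address"], r["values"]
        pool = _pool_name(v["ca_pool"])
        if pool not in pools:
            findings.append(f"{addr}: ca_pool {pool!r} is not managed in this plan")
            continue
        if (pool, REQUIRED_ROLE) not in grants:
            findings.append(f"{addr}: pool {pool!r} lacks {REQUIRED_ROLE} for the networksecurity identity")
        if _block(pools[pool], "issuance_policy", "baseline_values", "ca_options").get("is_ca") is not False:
            findings.append(f"{addr}: pool {pool!r} does not pin is_ca = false in its issuance policy")
        if not v.get("exclude_public_ca_set"):
            findings.append(f"{addr}: exclude_public_ca_set is false, so the default public CA set is trusted")
    return findings
```

Run it as `check_tls_inspection_plan(json.load(open("plan.json")))` after `terraform show -json tfplan > plan.json`; attributes that are still unknown at plan time are absent from the JSON and will surface as findings until the referenced resources exist.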
In addition to the arguments listed above, the following computed attributes are exported:

* `id` - an identifier for the resource with format `projects/{{project}}/locations/{{location}}/tlsInspectionPolicies/{{name}}`
* `create_time` - The timestamp when the resource was created.
* `update_time` - The timestamp when the resource was updated.
This resource provides the following Timeouts configuration options:

* `create` - Default is 30 minutes.
* `update` - Default is 30 minutes.
* `delete` - Default is 30 minutes.

TlsInspectionPolicy can be imported using any of these accepted formats:

* `projects/{{project}}/locations/{{location}}/tlsInspectionPolicies/{{name}}`
* `{{project}}/{{location}}/{{name}}`
* `{{location}}/{{name}}`

In Terraform v1.5.0 and later, use an import block to import TlsInspectionPolicy using one of the formats above. For example:

```hcl
import {
  id = "projects/{{project}}/locations/{{location}}/tlsInspectionPolicies/{{name}}"
  to = google_network_security_tls_inspection_policy.default
}
```

When using the `terraform import` command, TlsInspectionPolicy can be imported using one of the formats above. For example:

```
$ terraform import google_network_security_tls_inspection_policy.default projects/{{project}}/locations/{{location}}/tlsInspectionPolicies/{{name}}
$ terraform import google_network_security_tls_inspection_policy.default {{project}}/{{location}}/{{name}}
$ terraform import google_network_security_tls_inspection_policy.default {{location}}/{{name}}
```
This resource supports User Project Overrides.