ClientTlsPolicy is a resource that specifies how a client should authenticate connections to backends of a service. This resource itself does not affect configuration unless it is attached to a backend service resource.
To get more information about ServerTlsPolicy, see:
resource "google_network_security_server_tls_policy" "default" {
  provider    = google-beta
  name        = "my-server-tls-policy"
  labels = {
    foo = "bar"
  }
  description = "my description"
  allow_open  = "false"
  server_certificate {
    certificate_provider_instance {
      plugin_instance = "google_cloud_private_spiffe"
    }
  }
  mtls_policy {
    client_validation_ca {
      grpc_endpoint {
        target_uri = "unix:mypath"
      }
    }
    client_validation_ca {
      grpc_endpoint {
        target_uri = "unix:abc/mypath"
      }
    }
    client_validation_ca {
      certificate_provider_instance {
        plugin_instance = "google_cloud_private_spiffe"
      }
    }
  }
}
resource "google_network_security_server_tls_policy" "default" {
  provider    = google-beta
  name        = "my-server-tls-policy"
  labels = {
    foo = "bar"
  }
  description = "my description"
  location    = "global"
  allow_open  = "false"
  mtls_policy {
    client_validation_mode = "ALLOW_INVALID_OR_MISSING_CLIENT_CERT"
  }
}
resource "google_network_security_server_tls_policy" "default" {
  provider    = google-beta
  name        = "my-server-tls-policy"
  labels = {
    foo = "bar"
  }
  description = "my description"
  location    = "global"
  allow_open  = "false"
  server_certificate {
    grpc_endpoint {
      target_uri = "unix:mypath"
    }
  }
}
data "google_project" "project" {
  provider = google-beta
}

resource "google_network_security_server_tls_policy" "default" {
  provider    = google-beta
  name        = "my-server-tls-policy"
  description = "my description"
  location    = "global"
  allow_open  = "false"
  mtls_policy {
    client_validation_mode         = "REJECT_INVALID"
    client_validation_trust_config = "projects/${data.google_project.project.number}/locations/global/trustConfigs/${google_certificate_manager_trust_config.default.name}"
  }
  labels = {
    foo = "bar"
  }
}

resource "google_certificate_manager_trust_config" "default" {
  provider    = google-beta
  name        = "my-trust-config"
  description = "sample trust config description"
  location    = "global"
  trust_stores {
    trust_anchors {
      pem_certificate = file("test-fixtures/ca_cert.pem")
    }
    intermediate_cas {
      pem_certificate = file("test-fixtures/ca_cert.pem")
    }
  }
  labels = {
    foo = "bar"
  }
}
The following arguments are supported:
name - (Required) Name of the ServerTlsPolicy resource.
labels - (Optional) Set of label tags associated with the ServerTlsPolicy resource.
Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.
description - (Optional) A free-text description of the resource. Max length 1024 characters.
allow_open - (Optional) This field applies only for Traffic Director policies. It must be set to false for external HTTPS load balancer policies.
Determines if the server allows plaintext connections. If set to true, the server allows plaintext connections. By default, it is set to false. This setting is not exclusive of other encryption modes. For example, if allowOpen and mtlsPolicy are both set, the server allows both plaintext and mTLS connections. See the documentation of other encryption modes to confirm compatibility.
Consider using it if you wish to upgrade your deployment to TLS in place while mixed TLS and non-TLS traffic is still reaching port :80.
server_certificate - (Optional) Defines a mechanism to provision client identity (public and private keys) for peer-to-peer authentication. The presence of this dictates mTLS.
Structure is documented below.
mtls_policy - (Optional) This field is required if the policy is used with external HTTPS load balancers. This field can be empty for Traffic Director.
Defines a mechanism to provision peer validation certificates for peer-to-peer authentication (Mutual TLS - mTLS). If not specified, a client certificate will not be requested. The connection is treated as TLS and not mTLS. If allowOpen and mtlsPolicy are set, the server allows both plaintext and mTLS connections.
Structure is documented below.
location - (Optional) The location of the server TLS policy. The default value is global.
project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
The server_certificate block supports:
grpc_endpoint - (Optional) gRPC specific configuration to access the gRPC server to obtain the cert and private key.
Structure is documented below.
certificate_provider_instance - (Optional) Optional if the policy is to be used with Traffic Director. For external HTTPS load balancers it must be empty.
Defines a mechanism to provision server identity (public and private keys). Cannot be combined with allowOpen, as a permissive mode that allows both plaintext and TLS is not supported.
Structure is documented below.
The grpc_endpoint block supports:
target_uri - (Required) The target URI of the gRPC endpoint. Only a UDS path is supported, and it should start with "unix:".
The certificate_provider_instance block supports:
plugin_instance - (Required) Plugin instance name, used to locate and load the CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use the Certificate Authority Service certificate provider instance.
The mtls_policy block supports:
client_validation_mode - (Optional) When the client presents an invalid certificate or no certificate to the load balancer, the clientValidationMode specifies how the client connection is handled.
Required if the policy is to be used with external HTTPS load balancing. For Traffic Director it must be empty.
Possible values are: CLIENT_VALIDATION_MODE_UNSPECIFIED, ALLOW_INVALID_OR_MISSING_CLIENT_CERT, REJECT_INVALID.
client_validation_trust_config - (Optional) Reference to the TrustConfig from the certificatemanager.googleapis.com namespace.
If specified, chain validation will be performed against the certificates configured in the given TrustConfig.
Allowed only if the policy is to be used with external HTTPS load balancers.
client_validation_ca - (Optional) Required if the policy is to be used with Traffic Director. For external HTTPS load balancers it must be empty.
Defines the mechanism to obtain the Certificate Authority certificate used to validate the client certificate.
Structure is documented below.
The client_validation_ca block supports:
grpc_endpoint - (Optional) gRPC specific configuration to access the gRPC server to obtain the cert and private key.
Structure is documented below.
certificate_provider_instance - (Optional) Optional if the policy is to be used with Traffic Director. For external HTTPS load balancers it must be empty.
Defines a mechanism to provision server identity (public and private keys). Cannot be combined with allowOpen, as a permissive mode that allows both plaintext and TLS is not supported.
Structure is documented below.
The grpc_endpoint block supports:
target_uri - (Required) The target URI of the gRPC endpoint. Only a UDS path is supported, and it should start with "unix:".
The certificate_provider_instance block supports:
plugin_instance - (Required) Plugin instance name, used to locate and load the CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use the Certificate Authority Service certificate provider instance.
In addition to the arguments listed above, the following computed attributes are exported:
id - an identifier for the resource with format projects/{{project}}/locations/{{location}}/serverTlsPolicies/{{name}}
create_time - Time the ServerTlsPolicy was created in UTC.
update_time - Time the ServerTlsPolicy was updated in UTC.
terraform_labels - The combination of labels configured directly on the resource and default labels configured on the provider.
effective_labels - All of the labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.
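The argument reference above states several compatibility rules that Terraform itself does not enforce at plan time: allow_open must be false for external HTTPS load balancer policies, client_validation_mode and client_validation_trust_config are only allowed for external HTTPS load balancers while client_validation_ca is only allowed for Traffic Director, certificate_provider_instance cannot be combined with allow_open, and ALLOW_INVALID_OR_MISSING_CLIENT_CERT accepts connections whose client certificate is missing or invalid. The following script is an added example, not part of the provider documentation or the provider's code: it encodes those rules as a lint pass over the `resource_changes[].change.after` objects of a `terraform show -json` plan, so a weak policy is flagged before apply. It assumes the plan JSON layout Terraform emits (nested blocks serialised as lists of objects) and infers the intended target (external HTTPS load balancer or Traffic Director) from which of the mutually exclusive fields is set; the SAMPLE_PLAN at the bottom is constructed for illustration.

```python
"""Lint google_network_security_server_tls_policy resources in `terraform show -json` output.

Added example (not the provider's code). The rules below are the ones stated in
the resource's argument reference; the inference of the intended target from
the fields present is an assumption made for this check.
"""
import json
import sys

RESOURCE_TYPE = "google_network_security_server_tls_policy"


def _first_block(parent, name):
    """Nested blocks are serialised as lists of objects in plan JSON; return the first, or None."""
    blocks = parent.get(name) or []
    return blocks[0] if blocks else None


def lint_policy(after):
    """Return (severity, message) findings for one resource's planned attributes."""
    findings = []
    # The docs write allow_open = "false"; the plan may carry a bool or a string.
    allow_open = str(after.get("allow_open", "false")).lower() == "true"
    mtls = _first_block(after, "mtls_policy")
    server_cert = _first_block(after, "server_certificate")
    mode = (mtls or {}).get("client_validation_mode") or ""
    trust_config = (mtls or {}).get("client_validation_trust_config") or ""
    validation_cas = (mtls or {}).get("client_validation_ca") or []
    server_cpi = bool(server_cert and _first_block(server_cert, "certificate_provider_instance"))

    # Assumption: client_validation_mode / client_validation_trust_config are only allowed
    # for external HTTPS load balancer policies and client_validation_ca only for Traffic
    # Director policies, so their presence identifies the intended target.
    external_lb = bool(mode or trust_config)
    traffic_director = bool(validation_cas)

    if external_lb and traffic_director:
        findings.append(("error", "client_validation_mode/trust_config (external HTTPS LB) and "
                                  "client_validation_ca (Traffic Director) cannot be combined"))
    if external_lb and allow_open:
        findings.append(("error", "allow_open must be false for external HTTPS load balancer policies"))
    if external_lb and server_cpi:
        findings.append(("error", "server_certificate.certificate_provider_instance must be empty "
                                  "for external HTTPS load balancer policies"))
    if allow_open and server_cpi:
        findings.append(("error", "certificate_provider_instance cannot be combined with allow_open"))
    if mode == "ALLOW_INVALID_OR_MISSING_CLIENT_CERT":
        findings.append(("warning", "client certificates are requested but not enforced: "
                                    "invalid or missing client certificates are accepted"))
    if mode == "CLIENT_VALIDATION_MODE_UNSPECIFIED":
        findings.append(("warning", "client_validation_mode is left unspecified"))
    if allow_open and mtls is not None:
        findings.append(("warning", "allow_open with mtls_policy: the server accepts both plaintext and mTLS connections"))
    if mtls is None:
        findings.append(("info", "no mtls_policy: client certificates are not requested (TLS, not mTLS)"))
    return findings


def lint_plan(plan):
    """Map each planned ServerTlsPolicy address to its findings (destroyed resources are skipped)."""
    results = {}
    for change in plan.get("resource_changes", []):
        if change.get("type") != RESOURCE_TYPE:
            continue
        after = (change.get("change") or {}).get("after")
        if after is None:  # resource is being destroyed; nothing to check
            continue
        results[change["address"]] = lint_policy(after)
    return results


def _policy_change(name, after):
    """Build one constructed resource_changes entry for the sample plan."""
    return {"address": f"{RESOURCE_TYPE}.{name}", "type": RESOURCE_TYPE,
            "change": {"actions": ["create"], "after": dict(after, name=name)}}


# Constructed sample plan (not real Terraform output): a permissive, a strict and a contradictory policy.
SAMPLE_PLAN = {"resource_changes": [
    _policy_change("weak", {"allow_open": True, "server_certificate": [],
                            "mtls_policy": [{"client_validation_mode": "ALLOW_INVALID_OR_MISSING_CLIENT_CERT",
                                             "client_validation_trust_config": None, "client_validation_ca": []}]}),
    _policy_change("strict", {"allow_open": False, "server_certificate": [],
                              "mtls_policy": [{"client_validation_mode": "REJECT_INVALID",
                                               "client_validation_trust_config":
                                                   "projects/123456/locations/global/trustConfigs/my-trust-config",
                                               "client_validation_ca": []}]}),
    _policy_change("mixed", {"allow_open": False, "server_certificate": [],
                             "mtls_policy": [{"client_validation_mode": "REJECT_INVALID",
                                              "client_validation_trust_config": None,
                                              "client_validation_ca": [{"grpc_endpoint": [{"target_uri": "unix:mypath"}],
                                                                        "certificate_provider_instance": []}]}]}),
]}

if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json && python lint_server_tls_policy.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, findings in lint_plan(plan).items():
        print(address)
        for severity, message in findings or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run against the sample, the "strict" policy (REJECT_INVALID plus a trust config, allow_open false) produces no findings, the "weak" one is flagged for allow_open on an external HTTPS load balancer policy and for not enforcing client certificates, and the "mixed" one is rejected for combining the external load balancer and Traffic Director validation fields. Wiring the script into CI on the plan JSON keeps the documented constraints from being discovered only at apply time, or worse, only when an unauthenticated client is accepted.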
This resource provides the following Timeouts configuration options:
create - Default is 30 minutes.
update - Default is 30 minutes.
delete - Default is 30 minutes.
ServerTlsPolicy can be imported using any of these accepted formats:
projects/{{project}}/locations/{{location}}/serverTlsPolicies/{{name}}
{{project}}/{{location}}/{{name}}
{{location}}/{{name}}
In Terraform v1.5.0 and later, use an import block to import ServerTlsPolicy using one of the formats above. For example:
import {
  id = "projects/{{project}}/locations/{{location}}/serverTlsPolicies/{{name}}"
  to = google_network_security_server_tls_policy.default
}
When using the terraform import command, ServerTlsPolicy can be imported using one of the formats above. For example:
$ terraform import google_network_security_server_tls_policy.default projects/{{project}}/locations/{{location}}/serverTlsPolicies/{{name}}
$ terraform import google_network_security_server_tls_policy.default {{project}}/{{location}}/{{name}}
$ terraform import google_network_security_server_tls_policy.default {{location}}/{{name}}
This resource supports User Project Overrides.