ClientTlsPolicy is a resource that specifies how a client should authenticate connections to backends of a service. This resource itself does not affect configuration unless it is attached to a backend service resource.
To get more information about ClientTlsPolicy, see:
```hcl
resource "google_network_security_client_tls_policy" "default" {
  provider    = google-beta
  name        = "my-client-tls-policy"
  labels = {
    foo = "bar"
  }
  description = "my description"
  sni         = "secure.example.com"
}
```
```hcl
resource "google_network_security_client_tls_policy" "default" {
  provider    = google-beta
  name        = "my-client-tls-policy"
  labels = {
    foo = "bar"
  }
  description = "my description"
  client_certificate {
    certificate_provider_instance {
      plugin_instance = "google_cloud_private_spiffe"
    }
  }
  server_validation_ca {
    grpc_endpoint {
      target_uri = "unix:mypath"
    }
  }
  server_validation_ca {
    grpc_endpoint {
      target_uri = "unix:mypath1"
    }
  }
}
```
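The two examples above create a policy but attach it to nothing, and the first one, which sets only `sni` and no `server_validation_ca`, accepts whatever certificate the server presents. The following is an added example, not code from the provider documentation, showing the shape a real deployment needs: a policy that both presents a client certificate and validates the server certificate against a CA, attached to a backend service through its `security_settings` block. The resource names, the backend service protocol, scheme and health check, and the `subject_alt_names` value are assumptions made for illustration; the `google_cloud_private_spiffe` plugin instance name is the one the argument reference documents.

```hcl
# Added example: a ClientTlsPolicy with mTLS and server validation, wired
# into a backend service. All names below are illustrative assumptions.

resource "google_network_security_client_tls_policy" "mtls" {
  provider    = google-beta
  name        = "backend-mtls-policy"   # assumed name
  location    = "global"
  description = "mTLS to internal backends with server validation"
  sni         = "backend.internal.example.com"   # assumed SNI

  # Client identity is loaded by the Certificate Authority Service
  # certificate provider instance. Presence of this block turns on mTLS.
  client_certificate {
    certificate_provider_instance {
      plugin_instance = "google_cloud_private_spiffe"
    }
  }

  # Without this block the client does not validate the server
  # certificate at all, so the peer would be unauthenticated.
  server_validation_ca {
    certificate_provider_instance {
      plugin_instance = "google_cloud_private_spiffe"
    }
  }
}

# The policy only takes effect once a backend service references it.
resource "google_compute_backend_service" "api" {
  provider              = google-beta
  name                  = "api-backend"   # assumed name
  protocol              = "HTTP2"
  load_balancing_scheme = "INTERNAL_SELF_MANAGED"
  health_checks         = [google_compute_health_check.api.id]

  security_settings {
    client_tls_policy = google_network_security_client_tls_policy.mtls.id
    # SANs the backend certificate must carry; this check is only
    # meaningful when the policy has a server_validation_ca configured.
    subject_alt_names = ["spiffe://example.com/ns/default/sa/api"]   # assumed
  }
}

resource "google_compute_health_check" "api" {
  provider = google-beta
  name     = "api-hc"   # assumed name
  http2_health_check {
    port = 8443   # assumed backend port
  }
}
```

The two blocks in the policy are independent: `client_certificate` proves the client's identity to the server, `server_validation_ca` is what lets the client reject an impostor server. Review any policy that has the first without the second; it still encrypts traffic but authenticates only one direction.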
The following arguments are supported:

* `name` - (Required) Name of the ClientTlsPolicy resource.

* `labels` - (Optional) Set of label tags associated with the ClientTlsPolicy resource.
  Note: This field is non-authoritative, and will only manage the labels present in your configuration.
  Please refer to the field `effective_labels` for all of the labels present on the resource.

* `description` - (Optional) A free-text description of the resource. Max length 1024 characters.

* `sni` - (Optional) Server Name Indication string to present to the server during the TLS handshake, e.g. "secure.example.com".

* `client_certificate` - (Optional) Defines a mechanism to provision client identity (public and private keys) for peer-to-peer authentication. The presence of this block dictates mTLS. Structure is documented below.

* `server_validation_ca` - (Optional) Defines the mechanism to obtain the Certificate Authority certificate used to validate the server certificate. If empty, the client does not validate the server certificate at all: the connection is encrypted, but the server is unauthenticated. Structure is documented below.

* `location` - (Optional) The location of the client TLS policy. The default value is `global`.

* `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
The `client_certificate` block supports:

* `grpc_endpoint` - (Optional) gRPC specific configuration to access the gRPC server to obtain the cert and private key. Structure is documented below.

* `certificate_provider_instance` - (Optional) The certificate provider instance specification that will be passed to the data plane, which will be used to load necessary credential information. Structure is documented below.

The `grpc_endpoint` block supports:

* `target_uri` - (Required) The target URI of the gRPC endpoint. Only a UDS path is supported, and it should start with "unix:".

The `certificate_provider_instance` block supports:

* `plugin_instance` - (Required) Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use the Certificate Authority Service certificate provider instance.

The `server_validation_ca` block supports:

* `grpc_endpoint` - (Optional) gRPC specific configuration to access the gRPC server to obtain the CA certificate used to validate the server certificate. Structure is documented below.

* `certificate_provider_instance` - (Optional) The certificate provider instance specification that will be passed to the data plane, which will be used to load the CA certificate. Structure is documented below.

The `grpc_endpoint` block supports:

* `target_uri` - (Required) The target URI of the gRPC endpoint. Only a UDS path is supported, and it should start with "unix:".

The `certificate_provider_instance` block supports:

* `plugin_instance` - (Required) Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use the Certificate Authority Service certificate provider instance.

In addition to the arguments listed above, the following computed attributes are exported:
* `id` - an identifier for the resource with format `projects/{{project}}/locations/{{location}}/clientTlsPolicies/{{name}}`

* `create_time` - Time the ClientTlsPolicy was created in UTC.

* `update_time` - Time the ClientTlsPolicy was updated in UTC.

* `terraform_labels` - The combination of labels configured directly on the resource and default labels configured on the provider.

* `effective_labels` - All of the labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.
This resource provides the following Timeouts configuration options:

* `create` - Default is 30 minutes.
* `update` - Default is 30 minutes.
* `delete` - Default is 30 minutes.

ClientTlsPolicy can be imported using any of these accepted formats:

* `projects/{{project}}/locations/{{location}}/clientTlsPolicies/{{name}}`
* `{{project}}/{{location}}/{{name}}`
* `{{location}}/{{name}}`

In Terraform v1.5.0 and later, use an `import` block to import ClientTlsPolicy using one of the formats above. For example:

```hcl
import {
  id = "projects/{{project}}/locations/{{location}}/clientTlsPolicies/{{name}}"
  to = google_network_security_client_tls_policy.default
}
```

When using the `terraform import` command, ClientTlsPolicy can be imported using one of the formats above. For example:

```
$ terraform import google_network_security_client_tls_policy.default projects/{{project}}/locations/{{location}}/clientTlsPolicies/{{name}}
$ terraform import google_network_security_client_tls_policy.default {{project}}/{{location}}/{{name}}
$ terraform import google_network_security_client_tls_policy.default {{location}}/{{name}}
```

This resource supports User Project Overrides.