import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * ServerTlsPolicy is a resource that specifies how a server should authenticate incoming requests. This resource itself does not affect configuration unless it is attached to a target HTTPS proxy or endpoint config selector resource. * * To get more information about ServerTlsPolicy, see: * * * [API documentation](https://cloud.google.com/traffic-director/docs/reference/network-security/rest/v1beta1/projects.locations.serverTlsPolicies) * * How-to Guides * * [Use ServerTlsPolicy](https://cloud.google.com/load-balancing/docs/mtls) * * ## Example Usage * * ### Network Security Server Tls Policy Basic * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.networksecurity.ServerTlsPolicy("default", { * name: "my-server-tls-policy", * labels: { * foo: "bar", * }, * description: "my description", * allowOpen: false, * serverCertificate: { * certificateProviderInstance: { * pluginInstance: "google_cloud_private_spiffe", * }, * }, * mtlsPolicy: { * clientValidationCas: [{ * grpcEndpoint: { * targetUri: "unix:mypath", * }, * }], * }, * }); * ``` * ### Network Security Server Tls Policy Advanced * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.networksecurity.ServerTlsPolicy("default", { * name: "my-server-tls-policy", * labels: { * foo: "bar", * }, * description: "my description", * location: "global", * allowOpen: false, * mtlsPolicy: { * clientValidationMode: "ALLOW_INVALID_OR_MISSING_CLIENT_CERT", * }, * }); * ``` * ### Network Security Server Tls Policy Server Cert * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.networksecurity.ServerTlsPolicy("default", { * name: "my-server-tls-policy", * labels: { * foo: "bar", * }, * description: "my description", * location: "global", * allowOpen: false, * serverCertificate: { * grpcEndpoint: { * targetUri: "unix:mypath", * }, * }, * }); * ``` * ### Network Security Server Tls Policy Mtls * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * import * as std from "@pulumi/std"; * * const project = gcp.organizations.getProject({}); * const defaultTrustConfig = new gcp.certificatemanager.TrustConfig("default", { * name: "my-trust-config", * description: "sample trust config description", * location: "global", * trustStores: [{ * trustAnchors: [{ * pemCertificate: std.file({ * input: "test-fixtures/ca_cert.pem", * }).then(invoke => invoke.result), * }], * intermediateCas: [{ * pemCertificate: std.file({ * input: "test-fixtures/ca_cert.pem", * }).then(invoke => invoke.result), * }], * }], * labels: { * foo: "bar", * }, * }); * const _default = new gcp.networksecurity.ServerTlsPolicy("default", { * name: "my-server-tls-policy", * description: "my description", * location: "global", * allowOpen: false, * mtlsPolicy: { * clientValidationMode: "REJECT_INVALID", * clientValidationTrustConfig: pulumi.all([project, defaultTrustConfig.name]).apply(([project, name]) => `projects/${project.number}/locations/global/trustConfigs/${name}`), * }, * labels: { * foo: "bar", * }, * }); * ``` * * ## Import * * ServerTlsPolicy can be imported using any of these accepted formats: * * * `projects/{{project}}/locations/{{location}}/serverTlsPolicies/{{name}}` * * * `{{project}}/{{location}}/{{name}}` * * * `{{location}}/{{name}}` * * When using the `pulumi import` command, ServerTlsPolicy can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:networksecurity/serverTlsPolicy:ServerTlsPolicy default projects/{{project}}/locations/{{location}}/serverTlsPolicies/{{name}} * ``` * * ```sh * $ pulumi import gcp:networksecurity/serverTlsPolicy:ServerTlsPolicy default {{project}}/{{location}}/{{name}} * ``` * * ```sh * $ pulumi import gcp:networksecurity/serverTlsPolicy:ServerTlsPolicy default {{location}}/{{name}} * ``` */ export declare class ServerTlsPolicy extends pulumi.CustomResource { /** * Get an existing ServerTlsPolicy resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: ServerTlsPolicyState, opts?: pulumi.CustomResourceOptions): ServerTlsPolicy; /** * Returns true if the given object is an instance of ServerTlsPolicy. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is ServerTlsPolicy; /** * This field applies only for Traffic Director policies. It is must be set to false for external HTTPS load balancer policies. * Determines if server allows plaintext connections. If set to true, server allows plain text connections. By default, it is set to false. This setting is not exclusive of other encryption modes. For example, if allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections. See documentation of other encryption modes to confirm compatibility. * Consider using it if you wish to upgrade in place your deployment to TLS while having mixed TLS and non-TLS traffic reaching port :80. */ readonly allowOpen: pulumi.Output; /** * Time the ServerTlsPolicy was created in UTC. */ readonly createTime: pulumi.Output; /** * A free-text description of the resource. Max length 1024 characters. */ readonly description: pulumi.Output; /** * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services. */ readonly effectiveLabels: pulumi.Output<{ [key: string]: string; }>; /** * Set of label tags associated with the ServerTlsPolicy resource. * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ readonly labels: pulumi.Output<{ [key: string]: string; } | undefined>; /** * The location of the server tls policy. * The default value is `global`. */ readonly location: pulumi.Output; /** * This field is required if the policy is used with external HTTPS load balancers. This field can be empty for Traffic Director. * Defines a mechanism to provision peer validation certificates for peer to peer authentication (Mutual TLS - mTLS). If not specified, client certificate will not be requested. The connection is treated as TLS and not mTLS. If allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections. * Structure is documented below. */ readonly mtlsPolicy: pulumi.Output; /** * Name of the ServerTlsPolicy resource. */ readonly name: pulumi.Output; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ readonly project: pulumi.Output; /** * The combination of labels configured directly on the resource * and default labels configured on the provider. */ readonly pulumiLabels: pulumi.Output<{ [key: string]: string; }>; /** * Defines a mechanism to provision client identity (public and private keys) for peer to peer authentication. The presence of this dictates mTLS. * Structure is documented below. */ readonly serverCertificate: pulumi.Output; /** * Time the ServerTlsPolicy was updated in UTC. */ readonly updateTime: pulumi.Output; /** * Create a ServerTlsPolicy resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args?: ServerTlsPolicyArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering ServerTlsPolicy resources. */ export interface ServerTlsPolicyState { /** * This field applies only for Traffic Director policies. It is must be set to false for external HTTPS load balancer policies. * Determines if server allows plaintext connections. If set to true, server allows plain text connections. By default, it is set to false. This setting is not exclusive of other encryption modes. For example, if allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections. See documentation of other encryption modes to confirm compatibility. * Consider using it if you wish to upgrade in place your deployment to TLS while having mixed TLS and non-TLS traffic reaching port :80. */ allowOpen?: pulumi.Input; /** * Time the ServerTlsPolicy was created in UTC. */ createTime?: pulumi.Input; /** * A free-text description of the resource. Max length 1024 characters. */ description?: pulumi.Input; /** * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services. */ effectiveLabels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Set of label tags associated with the ServerTlsPolicy resource. * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ labels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The location of the server tls policy. * The default value is `global`. */ location?: pulumi.Input; /** * This field is required if the policy is used with external HTTPS load balancers. This field can be empty for Traffic Director. * Defines a mechanism to provision peer validation certificates for peer to peer authentication (Mutual TLS - mTLS). If not specified, client certificate will not be requested. The connection is treated as TLS and not mTLS. If allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections. * Structure is documented below. */ mtlsPolicy?: pulumi.Input; /** * Name of the ServerTlsPolicy resource. */ name?: pulumi.Input; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input; /** * The combination of labels configured directly on the resource * and default labels configured on the provider. */ pulumiLabels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * Defines a mechanism to provision client identity (public and private keys) for peer to peer authentication. The presence of this dictates mTLS. * Structure is documented below. */ serverCertificate?: pulumi.Input; /** * Time the ServerTlsPolicy was updated in UTC. */ updateTime?: pulumi.Input; } /** * The set of arguments for constructing a ServerTlsPolicy resource. */ export interface ServerTlsPolicyArgs { /** * This field applies only for Traffic Director policies. It is must be set to false for external HTTPS load balancer policies. * Determines if server allows plaintext connections. If set to true, server allows plain text connections. By default, it is set to false. This setting is not exclusive of other encryption modes. For example, if allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections. See documentation of other encryption modes to confirm compatibility. * Consider using it if you wish to upgrade in place your deployment to TLS while having mixed TLS and non-TLS traffic reaching port :80. */ allowOpen?: pulumi.Input; /** * A free-text description of the resource. Max length 1024 characters. */ description?: pulumi.Input; /** * Set of label tags associated with the ServerTlsPolicy resource. * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ labels?: pulumi.Input<{ [key: string]: pulumi.Input; }>; /** * The location of the server tls policy. * The default value is `global`. */ location?: pulumi.Input; /** * This field is required if the policy is used with external HTTPS load balancers. This field can be empty for Traffic Director. * Defines a mechanism to provision peer validation certificates for peer to peer authentication (Mutual TLS - mTLS). If not specified, client certificate will not be requested. The connection is treated as TLS and not mTLS. If allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections. * Structure is documented below. */ mtlsPolicy?: pulumi.Input; /** * Name of the ServerTlsPolicy resource. */ name?: pulumi.Input; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input; /** * Defines a mechanism to provision client identity (public and private keys) for peer to peer authentication. The presence of this dictates mTLS. * Structure is documented below. */ serverCertificate?: pulumi.Input; }