@pulumi/gcp

import * as pulumi from "@pulumi/pulumi"; /** * BackendAuthenticationConfig groups the TrustConfig together with other settings that control how the load balancer authenticates, and expresses its identity to the backend. * * To get more information about BackendAuthenticationConfig, see: * * How-to Guides * * [Backend mTLS](https://cloud.google.com/load-balancing/docs/backend-authenticated-tls-backend-mtls#backend-authentication-config) * * ## Example Usage * * ### Network Security Backend Authentication Config Basic * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const _default = new gcp.networksecurity.BackendAuthenticationConfig("default", { * name: "my-backend-authentication-config", * labels: { * foo: "bar", * }, * description: "my description", * wellKnownRoots: "PUBLIC_ROOTS", * }); * ``` * ### Network Security Backend Authentication Config Full * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * import * as std from "@pulumi/std"; * * const certificate = new gcp.certificatemanager.Certificate("certificate", { * name: "my-certificate", * labels: { * foo: "bar", * }, * location: "global", * selfManaged: { * pemCertificate: std.file({ * input: "test-fixtures/cert.pem", * }).then(invoke => invoke.result), * pemPrivateKey: std.file({ * input: "test-fixtures/key.pem", * }).then(invoke => invoke.result), * }, * scope: "CLIENT_AUTH", * }); * const trustConfig = new gcp.certificatemanager.TrustConfig("trust_config", { * name: "my-trust-config", * description: "sample description for the trust config", * location: "global", * trustStores: [{ * trustAnchors: [{ * pemCertificate: std.file({ * input: "test-fixtures/cert.pem", * }).then(invoke => invoke.result), * }], * intermediateCas: [{ * pemCertificate: std.file({ * input: "test-fixtures/cert.pem", * }).then(invoke => invoke.result), * }], * }], * labels: { * foo: "bar", * }, * }); * const _default = new gcp.networksecurity.BackendAuthenticationConfig("default", { * name: "my-backend-authentication-config", * labels: { * bar: "foo", * }, * location: "global", * description: "my description", * wellKnownRoots: "PUBLIC_ROOTS", * clientCertificate: certificate.id, * trustConfig: trustConfig.id, * }); * ``` * ### Backend Service Tls Settings * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const defaultHealthCheck = new gcp.compute.HealthCheck("default", { * name: "health-check", * httpHealthCheck: { * port: 80, * }, * }); * const defaultBackendAuthenticationConfig = new gcp.networksecurity.BackendAuthenticationConfig("default", { * name: "authentication", * wellKnownRoots: "PUBLIC_ROOTS", * }); * const _default = new gcp.compute.BackendService("default", { * name: "backend-service", * healthChecks: defaultHealthCheck.id, * loadBalancingScheme: "EXTERNAL_MANAGED", * protocol: "HTTPS", * tlsSettings: { * sni: "example.com", * subjectAltNames: [ * { * dnsName: "example.com", * }, * { * uniformResourceIdentifier: "https://example.com", * }, * ], * authenticationConfig: pulumi.interpolate`//networksecurity.googleapis.com/${defaultBackendAuthenticationConfig.id}`, * }, * }); * ``` * * ## Import * * BackendAuthenticationConfig can be imported using any of these accepted formats: * * * `projects/{{project}}/locations/{{location}}/backendAuthenticationConfigs/{{name}}` * * * `{{project}}/{{location}}/{{name}}` * * * `{{location}}/{{name}}` * * When using the `pulumi import` command, BackendAuthenticationConfig can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:networksecurity/backendAuthenticationConfig:BackendAuthenticationConfig default projects/{{project}}/locations/{{location}}/backendAuthenticationConfigs/{{name}} * ``` * * ```sh * $ pulumi import gcp:networksecurity/backendAuthenticationConfig:BackendAuthenticationConfig default {{project}}/{{location}}/{{name}} * ``` * * ```sh * $ pulumi import gcp:networksecurity/backendAuthenticationConfig:BackendAuthenticationConfig default {{location}}/{{name}} * ``` */ export declare class BackendAuthenticationConfig extends pulumi.CustomResource { /** * Get an existing BackendAuthenticationConfig resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input<pulumi.ID>, state?: BackendAuthenticationConfigState, opts?: pulumi.CustomResourceOptions): BackendAuthenticationConfig; /** * Returns true if the given object is an instance of BackendAuthenticationConfig. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is BackendAuthenticationConfig; /** * Reference to a Certificate resource from the certificatemanager.googleapis.com namespace. * Used by a BackendService to negotiate mTLS when the backend connection uses TLS and the backend requests a client certificate. Must have a CLIENT_AUTH scope. */ readonly clientCertificate: pulumi.Output<string | undefined>; /** * Time the BackendAuthenticationConfig was created in UTC. */ readonly createTime: pulumi.Output<string>; /** * A free-text description of the resource. Max length 1024 characters. */ readonly description: pulumi.Output<string | undefined>; /** * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services. */ readonly effectiveLabels: pulumi.Output<{ [key: string]: string; }>; /** * Set of label tags associated with the BackendAuthenticationConfig resource. * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ readonly labels: pulumi.Output<{ [key: string]: string; } | undefined>; /** * The location of the backend authentication config. * The default value is `global`. */ readonly location: pulumi.Output<string | undefined>; /** * Name of the BackendAuthenticationConfig resource. */ readonly name: pulumi.Output<string>; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ readonly project: pulumi.Output<string>; /** * The combination of labels configured directly on the resource * and default labels configured on the provider. */ readonly pulumiLabels: pulumi.Output<{ [key: string]: string; }>; /** * Reference to a TrustConfig resource from the certificatemanager.googleapis.com namespace. * A BackendService uses the chain of trust represented by this TrustConfig, if specified, to validate the server certificates presented by the backend. Required unless wellKnownRoots is set to PUBLIC_ROOTS. */ readonly trustConfig: pulumi.Output<string | undefined>; /** * Time the BackendAuthenticationConfig was updated in UTC. */ readonly updateTime: pulumi.Output<string>; /** * Well known roots to use for server certificate validation. If set to NONE, the BackendService will only validate server certificates against roots specified in TrustConfig. * If set to PUBLIC_ROOTS, the BackendService uses a set of well-known public roots, in addition to any roots specified in the trustConfig field, when validating the server certificates presented by the backend. * Validation with these roots is only considered when the TlsSettings.sni field in the BackendService is set. The well-known roots are a set of root CAs managed by Google. CAs in this set can be added or removed without notice. * Possible values are: `NONE`, `PUBLIC_ROOTS`. */ readonly wellKnownRoots: pulumi.Output<string | undefined>; /** * Create a BackendAuthenticationConfig resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args?: BackendAuthenticationConfigArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering BackendAuthenticationConfig resources. */ export interface BackendAuthenticationConfigState { /** * Reference to a Certificate resource from the certificatemanager.googleapis.com namespace. * Used by a BackendService to negotiate mTLS when the backend connection uses TLS and the backend requests a client certificate. Must have a CLIENT_AUTH scope. */ clientCertificate?: pulumi.Input<string>; /** * Time the BackendAuthenticationConfig was created in UTC. */ createTime?: pulumi.Input<string>; /** * A free-text description of the resource. Max length 1024 characters. */ description?: pulumi.Input<string>; /** * All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Pulumi, other clients and services. */ effectiveLabels?: pulumi.Input<{ [key: string]: pulumi.Input<string>; }>; /** * Set of label tags associated with the BackendAuthenticationConfig resource. * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ labels?: pulumi.Input<{ [key: string]: pulumi.Input<string>; }>; /** * The location of the backend authentication config. * The default value is `global`. */ location?: pulumi.Input<string>; /** * Name of the BackendAuthenticationConfig resource. */ name?: pulumi.Input<string>; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input<string>; /** * The combination of labels configured directly on the resource * and default labels configured on the provider. */ pulumiLabels?: pulumi.Input<{ [key: string]: pulumi.Input<string>; }>; /** * Reference to a TrustConfig resource from the certificatemanager.googleapis.com namespace. * A BackendService uses the chain of trust represented by this TrustConfig, if specified, to validate the server certificates presented by the backend. Required unless wellKnownRoots is set to PUBLIC_ROOTS. */ trustConfig?: pulumi.Input<string>; /** * Time the BackendAuthenticationConfig was updated in UTC. */ updateTime?: pulumi.Input<string>; /** * Well known roots to use for server certificate validation. If set to NONE, the BackendService will only validate server certificates against roots specified in TrustConfig. * If set to PUBLIC_ROOTS, the BackendService uses a set of well-known public roots, in addition to any roots specified in the trustConfig field, when validating the server certificates presented by the backend. * Validation with these roots is only considered when the TlsSettings.sni field in the BackendService is set. The well-known roots are a set of root CAs managed by Google. CAs in this set can be added or removed without notice. * Possible values are: `NONE`, `PUBLIC_ROOTS`. */ wellKnownRoots?: pulumi.Input<string>; } /** * The set of arguments for constructing a BackendAuthenticationConfig resource. */ export interface BackendAuthenticationConfigArgs { /** * Reference to a Certificate resource from the certificatemanager.googleapis.com namespace. * Used by a BackendService to negotiate mTLS when the backend connection uses TLS and the backend requests a client certificate. Must have a CLIENT_AUTH scope. */ clientCertificate?: pulumi.Input<string>; /** * A free-text description of the resource. Max length 1024 characters. */ description?: pulumi.Input<string>; /** * Set of label tags associated with the BackendAuthenticationConfig resource. * **Note**: This field is non-authoritative, and will only manage the labels present in your configuration. * Please refer to the field `effectiveLabels` for all of the labels present on the resource. */ labels?: pulumi.Input<{ [key: string]: pulumi.Input<string>; }>; /** * The location of the backend authentication config. * The default value is `global`. */ location?: pulumi.Input<string>; /** * Name of the BackendAuthenticationConfig resource. */ name?: pulumi.Input<string>; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input<string>; /** * Reference to a TrustConfig resource from the certificatemanager.googleapis.com namespace. * A BackendService uses the chain of trust represented by this TrustConfig, if specified, to validate the server certificates presented by the backend. Required unless wellKnownRoots is set to PUBLIC_ROOTS. */ trustConfig?: pulumi.Input<string>; /** * Well known roots to use for server certificate validation. If set to NONE, the BackendService will only validate server certificates against roots specified in TrustConfig. * If set to PUBLIC_ROOTS, the BackendService uses a set of well-known public roots, in addition to any roots specified in the trustConfig field, when validating the server certificates presented by the backend. * Validation with these roots is only considered when the TlsSettings.sni field in the BackendService is set. The well-known roots are a set of root CAs managed by Google. CAs in this set can be added or removed without notice. * Possible values are: `NONE`, `PUBLIC_ROOTS`. */ wellKnownRoots?: pulumi.Input<string>; }