import * as pulumi from "@pulumi/pulumi";
/**
* The TlsInspectionPolicy resource contains references to CA pools in Certificate Authority Service and associated metadata.
*
* To get more information about TlsInspectionPolicy, see:
*
* * [API documentation](https://cloud.google.com/secure-web-proxy/docs/reference/network-security/rest/v1/projects.locations.tlsInspectionPolicies)
* * How-to Guides
* * [Use TlsInspectionPolicy](https://cloud.google.com/secure-web-proxy/docs/tls-inspection-overview)
*
* ## Example Usage
*
* ### Network Security Tls Inspection Policy Basic
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
*
* const _default = new gcp.certificateauthority.CaPool("default", {
* name: "my-basic-ca-pool",
* location: "us-central1",
* tier: "DEVOPS",
* publishingOptions: {
* publishCaCert: false,
* publishCrl: false,
* },
* issuancePolicy: {
* maximumLifetime: "1209600s",
* baselineValues: {
* caOptions: {
* isCa: false,
* },
* keyUsage: {
* baseKeyUsage: {},
* extendedKeyUsage: {
* serverAuth: true,
* },
* },
* },
* },
* });
* const defaultAuthority = new gcp.certificateauthority.Authority("default", {
* pool: _default.name,
* certificateAuthorityId: "my-basic-certificate-authority",
* location: "us-central1",
* lifetime: "86400s",
* type: "SELF_SIGNED",
* deletionProtection: false,
* skipGracePeriod: true,
* ignoreActiveCertificatesOnDeletion: true,
* config: {
* subjectConfig: {
* subject: {
* organization: "Test LLC",
* commonName: "my-ca",
* },
* },
* x509Config: {
* caOptions: {
* isCa: true,
* },
* keyUsage: {
* baseKeyUsage: {
* certSign: true,
* crlSign: true,
* },
* extendedKeyUsage: {
* serverAuth: false,
* },
* },
* },
* },
* keySpec: {
* algorithm: "RSA_PKCS1_4096_SHA256",
* },
* });
* const project = gcp.organizations.getProject({});
* const tlsInspectionPermission = new gcp.certificateauthority.CaPoolIamMember("tls_inspection_permission", {
* caPool: _default.id,
* role: "roles/privateca.certificateManager",
* member: project.then(project => `serviceAccount:service-${project.number}@gcp-sa-networksecurity.iam.gserviceaccount.com`),
* });
* const defaultTlsInspectionPolicy = new gcp.networksecurity.TlsInspectionPolicy("default", {
* name: "my-tls-inspection-policy",
* location: "us-central1",
* caPool: _default.id,
* excludePublicCaSet: false,
* }, {
* dependsOn: [
* _default,
* defaultAuthority,
* tlsInspectionPermission,
* ],
* });
* ```
* ### Network Security Tls Inspection Policy Custom
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as gcp from "@pulumi/gcp";
* import * as std from "@pulumi/std";
*
* const _default = new gcp.certificateauthority.CaPool("default", {
* name: "my-basic-ca-pool",
* location: "us-central1",
* tier: "DEVOPS",
* publishingOptions: {
* publishCaCert: false,
* publishCrl: false,
* },
* issuancePolicy: {
* maximumLifetime: "1209600s",
* baselineValues: {
* caOptions: {
* isCa: false,
* },
* keyUsage: {
* baseKeyUsage: {},
* extendedKeyUsage: {
* serverAuth: true,
* },
* },
* },
* },
* });
* const defaultAuthority = new gcp.certificateauthority.Authority("default", {
* pool: _default.name,
* certificateAuthorityId: "my-basic-certificate-authority",
* location: "us-central1",
* lifetime: "86400s",
* type: "SELF_SIGNED",
* deletionProtection: false,
* skipGracePeriod: true,
* ignoreActiveCertificatesOnDeletion: true,
* config: {
* subjectConfig: {
* subject: {
* organization: "Test LLC",
* commonName: "my-ca",
* },
* },
* x509Config: {
* caOptions: {
* isCa: true,
* },
* keyUsage: {
* baseKeyUsage: {
* certSign: true,
* crlSign: true,
* },
* extendedKeyUsage: {
* serverAuth: false,
* },
* },
* },
* },
* keySpec: {
* algorithm: "RSA_PKCS1_4096_SHA256",
* },
* });
* const nsSa = new gcp.projects.ServiceIdentity("ns_sa", {service: "networksecurity.googleapis.com"});
* const defaultCaPoolIamMember = new gcp.certificateauthority.CaPoolIamMember("default", {
* caPool: _default.id,
* role: "roles/privateca.certificateManager",
* member: nsSa.member,
* });
* const defaultTrustConfig = new gcp.certificatemanager.TrustConfig("default", {
* name: "my-trust-config",
* description: "sample trust config description",
* location: "us-central1",
* trustStores: [{
* trustAnchors: [{
* pemCertificate: std.file({
* input: "test-fixtures/ca_cert.pem",
* }).then(invoke => invoke.result),
* }],
* intermediateCas: [{
* pemCertificate: std.file({
* input: "test-fixtures/ca_cert.pem",
* }).then(invoke => invoke.result),
* }],
* }],
* });
* const defaultTlsInspectionPolicy = new gcp.networksecurity.TlsInspectionPolicy("default", {
* name: "my-tls-inspection-policy",
* location: "us-central1",
* caPool: _default.id,
* excludePublicCaSet: false,
* minTlsVersion: "TLS_1_0",
* trustConfig: defaultTrustConfig.id,
* tlsFeatureProfile: "PROFILE_CUSTOM",
* customTlsFeatures: [
* "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
* "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
* "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
* "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
* "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
* "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
* "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
* "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
* "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
* "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
* "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
* "TLS_RSA_WITH_AES_128_CBC_SHA",
* "TLS_RSA_WITH_AES_128_GCM_SHA256",
* "TLS_RSA_WITH_AES_256_CBC_SHA",
* "TLS_RSA_WITH_AES_256_GCM_SHA384",
* ],
* }, {
* dependsOn: [
* defaultAuthority,
* defaultCaPoolIamMember,
* ],
* });
* ```
*
* ## Import
*
* TlsInspectionPolicy can be imported using any of these accepted formats:
*
* * `projects/{{project}}/locations/{{location}}/tlsInspectionPolicies/{{name}}`
*
* * `{{project}}/{{location}}/{{name}}`
*
* * `{{location}}/{{name}}`
*
* When using the `pulumi import` command, TlsInspectionPolicy can be imported using one of the formats above. For example:
*
* ```sh
* $ pulumi import gcp:networksecurity/tlsInspectionPolicy:TlsInspectionPolicy default projects/{{project}}/locations/{{location}}/tlsInspectionPolicies/{{name}}
* ```
*
* ```sh
* $ pulumi import gcp:networksecurity/tlsInspectionPolicy:TlsInspectionPolicy default {{project}}/{{location}}/{{name}}
* ```
*
* ```sh
* $ pulumi import gcp:networksecurity/tlsInspectionPolicy:TlsInspectionPolicy default {{location}}/{{name}}
* ```
*/
export declare class TlsInspectionPolicy extends pulumi.CustomResource {
    /**
     * Get an existing TlsInspectionPolicy resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup (see `TlsInspectionPolicyState`).
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: TlsInspectionPolicyState, opts?: pulumi.CustomResourceOptions): TlsInspectionPolicy;
    /**
     * Returns true if the given object is an instance of TlsInspectionPolicy. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * @param obj The value to test; accepted as `any` so that instances created by a different loaded
     * copy of the SDK can still be recognized.
     */
    static isInstance(obj: any): obj is TlsInspectionPolicy;
    /**
     * A CA pool resource used to issue interception certificates.
     *
     * Because interception certificates are minted from this pool, treat its IAM bindings as part of the
     * interception trust boundary. The examples above grant `roles/privateca.certificateManager` on the
     * pool to the Network Security service agent and sequence this resource after that binding with
     * `dependsOn`.
     */
    readonly caPool: pulumi.Output<string>;
    /**
     * The timestamp when the resource was created.
     * Output-only: it has no counterpart in `TlsInspectionPolicyArgs`.
     */
    readonly createTime: pulumi.Output<string>;
    /**
     * List of custom TLS cipher suites selected. This field is valid only if the selected tlsFeatureProfile is CUSTOM. The compute.SslPoliciesService.ListAvailableFeatures method returns the set of features that can be specified in this list. Note that Secure Web Proxy does not yet honor this field.
     *
     * Only consulted when `tlsFeatureProfile` is `PROFILE_CUSTOM`. Suites are accepted as listed; the
     * custom example above includes legacy CBC and 3DES suites, so review any list against current
     * cipher guidance before applying it.
     */
    readonly customTlsFeatures: pulumi.Output<string[] | undefined>;
    /**
     * Free-text description of the resource.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * If FALSE (the default), use our default set of public CAs in addition to any CAs specified in trustConfig. These public CAs are currently based on the Mozilla Root Program and are subject to change over time. If TRUE, do not accept our default set of public CAs. Only CAs specified in trustConfig will be accepted.
     *
     * Set to `true` to restrict server trust to the CAs in `trustConfig` alone.
     */
    readonly excludePublicCaSet: pulumi.Output<boolean | undefined>;
    /**
     * The location of the tls inspection policy.
     * Must be the same region as `trustConfig` when one is supplied.
     */
    readonly location: pulumi.Output<string | undefined>;
    /**
     * Minimum TLS version that the firewall should use when negotiating connections with both clients and servers. If this is not set, then the default value is to allow the broadest set of clients and servers (TLS 1.0 or higher). Setting this to more restrictive values may improve security, but may also prevent the firewall from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field.
     * Default value is `TLS_VERSION_UNSPECIFIED`.
     * Possible values are: `TLS_VERSION_UNSPECIFIED`, `TLS_1_0`, `TLS_1_1`, `TLS_1_2`, `TLS_1_3`.
     *
     * The default permits negotiation down to TLS 1.0, and the custom example above selects `TLS_1_0`
     * explicitly; prefer `TLS_1_2` or higher where clients and servers allow it. Until Secure Web Proxy
     * honors the field it cannot be relied on as an enforced control there.
     */
    readonly minTlsVersion: pulumi.Output<string | undefined>;
    /**
     * Short name of the TlsInspectionPolicy resource to be created.
     */
    readonly name: pulumi.Output<string>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    readonly project: pulumi.Output<string>;
    /**
     * The selected Profile. If this is not set, then the default value is to allow the broadest set of clients and servers (`PROFILE_COMPATIBLE`). Setting this to more restrictive values may improve security, but may also prevent the TLS inspection proxy from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field.
     * Default value is `PROFILE_UNSPECIFIED`.
     * Possible values are: `PROFILE_UNSPECIFIED`, `PROFILE_COMPATIBLE`, `PROFILE_MODERN`, `PROFILE_RESTRICTED`, `PROFILE_CUSTOM`.
     *
     * `PROFILE_CUSTOM` is the only value under which `customTlsFeatures` is consulted.
     */
    readonly tlsFeatureProfile: pulumi.Output<string | undefined>;
    /**
     * A TrustConfig resource used when making a connection to the TLS server. This is a relative resource path following the form `projects/{project}/locations/{location}/trustConfigs/{trust_config}`. This is necessary to intercept TLS connections to servers with certificates signed by a private CA or self-signed certificates. Trust config and the TLS inspection policy must be in the same region. Note that Secure Web Proxy does not yet honor this field.
     *
     * Combine with `excludePublicCaSet` to decide whether the public CA set is trusted in addition to
     * these anchors.
     */
    readonly trustConfig: pulumi.Output<string | undefined>;
    /**
     * The timestamp when the resource was updated.
     * Output-only: it has no counterpart in `TlsInspectionPolicyArgs`.
     */
    readonly updateTime: pulumi.Output<string>;
    /**
     * Create a TlsInspectionPolicy resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties; `caPool` is the only required one.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: TlsInspectionPolicyArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering TlsInspectionPolicy resources.
*/
export interface TlsInspectionPolicyState {
    /**
     * A CA pool resource used to issue interception certificates.
     * Its IAM bindings govern who can mint interception certificates, so treat them as part of the
     * interception trust boundary.
     */
    caPool?: pulumi.Input<string>;
    /**
     * The timestamp when the resource was created.
     * Output-only on the live resource; present here only to qualify lookups.
     */
    createTime?: pulumi.Input<string>;
    /**
     * List of custom TLS cipher suites selected. This field is valid only if the selected tlsFeatureProfile is CUSTOM. The compute.SslPoliciesService.ListAvailableFeatures method returns the set of features that can be specified in this list. Note that Secure Web Proxy does not yet honor this field.
     * Only consulted when `tlsFeatureProfile` is `PROFILE_CUSTOM`; review any list against current
     * cipher guidance, since legacy CBC and 3DES suites are accepted as listed.
     */
    customTlsFeatures?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Free-text description of the resource.
     */
    description?: pulumi.Input<string>;
    /**
     * If FALSE (the default), use our default set of public CAs in addition to any CAs specified in trustConfig. These public CAs are currently based on the Mozilla Root Program and are subject to change over time. If TRUE, do not accept our default set of public CAs. Only CAs specified in trustConfig will be accepted.
     */
    excludePublicCaSet?: pulumi.Input<boolean>;
    /**
     * The location of the tls inspection policy.
     * Must be the same region as `trustConfig` when one is supplied.
     */
    location?: pulumi.Input<string>;
    /**
     * Minimum TLS version that the firewall should use when negotiating connections with both clients and servers. If this is not set, then the default value is to allow the broadest set of clients and servers (TLS 1.0 or higher). Setting this to more restrictive values may improve security, but may also prevent the firewall from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field.
     * Default value is `TLS_VERSION_UNSPECIFIED`.
     * Possible values are: `TLS_VERSION_UNSPECIFIED`, `TLS_1_0`, `TLS_1_1`, `TLS_1_2`, `TLS_1_3`.
     * The default permits negotiation down to TLS 1.0; prefer `TLS_1_2` or higher where clients and
     * servers allow it.
     */
    minTlsVersion?: pulumi.Input<string>;
    /**
     * Short name of the TlsInspectionPolicy resource to be created.
     */
    name?: pulumi.Input<string>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string>;
    /**
     * The selected Profile. If this is not set, then the default value is to allow the broadest set of clients and servers (`PROFILE_COMPATIBLE`). Setting this to more restrictive values may improve security, but may also prevent the TLS inspection proxy from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field.
     * Default value is `PROFILE_UNSPECIFIED`.
     * Possible values are: `PROFILE_UNSPECIFIED`, `PROFILE_COMPATIBLE`, `PROFILE_MODERN`, `PROFILE_RESTRICTED`, `PROFILE_CUSTOM`.
     */
    tlsFeatureProfile?: pulumi.Input<string>;
    /**
     * A TrustConfig resource used when making a connection to the TLS server. This is a relative resource path following the form `projects/{project}/locations/{location}/trustConfigs/{trust_config}`. This is necessary to intercept TLS connections to servers with certificates signed by a private CA or self-signed certificates. Trust config and the TLS inspection policy must be in the same region. Note that Secure Web Proxy does not yet honor this field.
     */
    trustConfig?: pulumi.Input<string>;
    /**
     * The timestamp when the resource was updated.
     * Output-only on the live resource; present here only to qualify lookups.
     */
    updateTime?: pulumi.Input<string>;
}
/**
* The set of arguments for constructing a TlsInspectionPolicy resource.
*/
export interface TlsInspectionPolicyArgs {
    /**
     * A CA pool resource used to issue interception certificates.
     * The only required argument. The examples above grant `roles/privateca.certificateManager` on the
     * pool to the Network Security service agent and sequence the policy after that binding with
     * `dependsOn`; treat the pool's IAM as part of the interception trust boundary.
     */
    caPool: pulumi.Input<string>;
    /**
     * List of custom TLS cipher suites selected. This field is valid only if the selected tlsFeatureProfile is CUSTOM. The compute.SslPoliciesService.ListAvailableFeatures method returns the set of features that can be specified in this list. Note that Secure Web Proxy does not yet honor this field.
     * Only consulted when `tlsFeatureProfile` is `PROFILE_CUSTOM`. The custom example above includes
     * legacy CBC and 3DES suites, so review any list against current cipher guidance before applying it.
     */
    customTlsFeatures?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Free-text description of the resource.
     */
    description?: pulumi.Input<string>;
    /**
     * If FALSE (the default), use our default set of public CAs in addition to any CAs specified in trustConfig. These public CAs are currently based on the Mozilla Root Program and are subject to change over time. If TRUE, do not accept our default set of public CAs. Only CAs specified in trustConfig will be accepted.
     * Set to `true` to restrict server trust to the CAs in `trustConfig` alone.
     */
    excludePublicCaSet?: pulumi.Input<boolean>;
    /**
     * The location of the tls inspection policy.
     * Must be the same region as `trustConfig` when one is supplied.
     */
    location?: pulumi.Input<string>;
    /**
     * Minimum TLS version that the firewall should use when negotiating connections with both clients and servers. If this is not set, then the default value is to allow the broadest set of clients and servers (TLS 1.0 or higher). Setting this to more restrictive values may improve security, but may also prevent the firewall from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field.
     * Default value is `TLS_VERSION_UNSPECIFIED`.
     * Possible values are: `TLS_VERSION_UNSPECIFIED`, `TLS_1_0`, `TLS_1_1`, `TLS_1_2`, `TLS_1_3`.
     * The default permits negotiation down to TLS 1.0, and the custom example above selects `TLS_1_0`
     * explicitly; prefer `TLS_1_2` or higher where clients and servers allow it. Until Secure Web Proxy
     * honors the field it cannot be relied on as an enforced control there.
     */
    minTlsVersion?: pulumi.Input<string>;
    /**
     * Short name of the TlsInspectionPolicy resource to be created.
     */
    name?: pulumi.Input<string>;
    /**
     * The ID of the project in which the resource belongs.
     * If it is not provided, the provider project is used.
     */
    project?: pulumi.Input<string>;
    /**
     * The selected Profile. If this is not set, then the default value is to allow the broadest set of clients and servers (`PROFILE_COMPATIBLE`). Setting this to more restrictive values may improve security, but may also prevent the TLS inspection proxy from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field.
     * Default value is `PROFILE_UNSPECIFIED`.
     * Possible values are: `PROFILE_UNSPECIFIED`, `PROFILE_COMPATIBLE`, `PROFILE_MODERN`, `PROFILE_RESTRICTED`, `PROFILE_CUSTOM`.
     * `PROFILE_CUSTOM` is the only value under which `customTlsFeatures` is consulted.
     */
    tlsFeatureProfile?: pulumi.Input<string>;
    /**
     * A TrustConfig resource used when making a connection to the TLS server. This is a relative resource path following the form `projects/{project}/locations/{location}/trustConfigs/{trust_config}`. This is necessary to intercept TLS connections to servers with certificates signed by a private CA or self-signed certificates. Trust config and the TLS inspection policy must be in the same region. Note that Secure Web Proxy does not yet honor this field.
     * Combine with `excludePublicCaSet` to decide whether the public CA set is trusted in addition to
     * these anchors.
     */
    trustConfig?: pulumi.Input<string>;
}