tls_inspection_policies
Creates, updates, deletes, gets or lists a tls_inspection_policies resource.
Overview
Property | Value |
---|---|
Name | tls_inspection_policies |
Type | Resource |
Id | google.networksecurity.tls_inspection_policies |
Fields
The following fields are returned by SELECT queries:
- projects_locations_tls_inspection_policies_get
- projects_locations_tls_inspection_policies_list
Successful response (the same fields are returned by projects_locations_tls_inspection_policies_get and projects_locations_tls_inspection_policies_list)
Name | Datatype | Description |
---|---|---|
name | string | Required. Name of the resource. Name is of the form projects/{project}/locations/{location}/tlsInspectionPolicies/{tls_inspection_policy}; tls_inspection_policy should match the pattern: (^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$). |
caPool | string | Required. A CA pool resource used to issue interception certificates. The CA pool string has a relative resource path following the form "projects/{project}/locations/{location}/caPools/{ca_pool}". |
createTime | string (google-datetime) | Output only. The timestamp when the resource was created. |
customTlsFeatures | array | Optional. List of custom TLS cipher suites selected. This field is valid only if the selected tls_feature_profile is CUSTOM. The compute.SslPoliciesService.ListAvailableFeatures method returns the set of features that can be specified in this list. Note that Secure Web Proxy does not yet honor this field. |
description | string | Optional. Free-text description of the resource. |
excludePublicCaSet | boolean | Optional. If FALSE (the default), use our default set of public CAs in addition to any CAs specified in trust_config. These public CAs are currently based on the Mozilla Root Program and are subject to change over time. If TRUE, do not accept our default set of public CAs. Only CAs specified in trust_config will be accepted. This defaults to FALSE (use public CAs in addition to trust_config) for backwards compatibility, but trusting public root CAs is not recommended unless the traffic in question is outbound to public web servers. When possible, prefer setting this to "false" and explicitly specifying trusted CAs and certificates in a TrustConfig. Note that Secure Web Proxy does not yet honor this field. |
minTlsVersion | string | Optional. Minimum TLS version that the firewall should use when negotiating connections with both clients and servers. If this is not set, then the default value is to allow the broadest set of clients and servers (TLS 1.0 or higher). Setting this to more restrictive values may improve security, but may also prevent the firewall from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field. |
tlsFeatureProfile | string | Optional. The selected Profile. If this is not set, then the default value is to allow the broadest set of clients and servers ("PROFILE_COMPATIBLE"). Setting this to more restrictive values may improve security, but may also prevent the TLS inspection proxy from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field. |
trustConfig | string | Optional. A TrustConfig resource used when making a connection to the TLS server. This is a relative resource path following the form "projects/{project}/locations/{location}/trustConfigs/{trust_config}". This is necessary to intercept TLS connections to servers with certificates signed by a private CA or self-signed certificates. Note that Secure Web Proxy does not yet honor this field. |
updateTime | string (google-datetime) | Output only. The timestamp when the resource was updated. |
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
projects_locations_tls_inspection_policies_get | select | projectsId , locationsId , tlsInspectionPoliciesId | | Gets details of a single TlsInspectionPolicy. |
projects_locations_tls_inspection_policies_list | select | projectsId , locationsId | pageSize , pageToken | Lists TlsInspectionPolicies in a given project and location. |
projects_locations_tls_inspection_policies_create | insert | projectsId , locationsId | tlsInspectionPolicyId | Creates a new TlsInspectionPolicy in a given project and location. |
projects_locations_tls_inspection_policies_patch | update | projectsId , locationsId , tlsInspectionPoliciesId | updateMask | Updates the parameters of a single TlsInspectionPolicy. |
projects_locations_tls_inspection_policies_delete | delete | projectsId , locationsId , tlsInspectionPoliciesId | force | Deletes a single TlsInspectionPolicy. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
locationsId | string | Required by every method: the location that holds the policy. |
projectsId | string | Required by every method: the project that holds the policy. |
tlsInspectionPoliciesId | string | Required by get, patch and delete: the ID of an existing policy. |
force | boolean | Optional for delete. |
pageSize | integer (int32) | Optional for list. |
pageToken | string | Optional for list: token returned by a previous page. |
tlsInspectionPolicyId | string | Optional for create: the ID to assign to the new policy. |
updateMask | string (google-fieldmask) | Optional for patch: the fields to update. |
SELECT examples
- projects_locations_tls_inspection_policies_get
- projects_locations_tls_inspection_policies_list
Gets details of a single TlsInspectionPolicy.
SELECT
name,
caPool,
createTime,
customTlsFeatures,
description,
excludePublicCaSet,
minTlsVersion,
tlsFeatureProfile,
trustConfig,
updateTime
FROM google.networksecurity.tls_inspection_policies
WHERE projectsId = '{{ projectsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND tlsInspectionPoliciesId = '{{ tlsInspectionPoliciesId }}'; -- required
Lists TlsInspectionPolicies in a given project and location.
SELECT
name,
caPool,
createTime,
customTlsFeatures,
description,
excludePublicCaSet,
minTlsVersion,
tlsFeatureProfile,
trustConfig,
updateTime
FROM google.networksecurity.tls_inspection_policies
WHERE projectsId = '{{ projectsId }}' -- required
AND locationsId = '{{ locationsId }}' -- required
AND pageSize = '{{ pageSize }}'
AND pageToken = '{{ pageToken }}';
INSERT examples
- projects_locations_tls_inspection_policies_create
- Manifest
Creates a new TlsInspectionPolicy in a given project and location.
INSERT INTO google.networksecurity.tls_inspection_policies (
data__name,
data__description,
data__caPool,
data__trustConfig,
data__excludePublicCaSet,
data__minTlsVersion,
data__tlsFeatureProfile,
data__customTlsFeatures,
projectsId,
locationsId,
tlsInspectionPolicyId
)
SELECT
'{{ name }}',
'{{ description }}',
'{{ caPool }}',
'{{ trustConfig }}',
{{ excludePublicCaSet }},
'{{ minTlsVersion }}',
'{{ tlsFeatureProfile }}',
'{{ customTlsFeatures }}',
'{{ projectsId }}',
'{{ locationsId }}',
'{{ tlsInspectionPolicyId }}'
RETURNING
name,
done,
error,
metadata,
response
;
# Description fields are for documentation purposes
- name: tls_inspection_policies
  props:
    - name: projectsId
      value: string
      description: Required parameter for the tls_inspection_policies resource.
    - name: locationsId
      value: string
      description: Required parameter for the tls_inspection_policies resource.
    - name: name
      value: string
      description: >
        Required. Name of the resource. Name is of the form projects/{project}/locations/{location}/tlsInspectionPolicies/{tls_inspection_policy}; tls_inspection_policy should match the pattern: (^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$).
    - name: description
      value: string
      description: >
        Optional. Free-text description of the resource.
    - name: caPool
      value: string
      description: >
        Required. A CA pool resource used to issue interception certificates. The CA pool string has a relative resource path following the form "projects/{project}/locations/{location}/caPools/{ca_pool}".
    - name: trustConfig
      value: string
      description: >
        Optional. A TrustConfig resource used when making a connection to the TLS server. This is a relative resource path following the form "projects/{project}/locations/{location}/trustConfigs/{trust_config}". This is necessary to intercept TLS connections to servers with certificates signed by a private CA or self-signed certificates. Note that Secure Web Proxy does not yet honor this field.
    - name: excludePublicCaSet
      value: boolean
      description: >
        Optional. If FALSE (the default), use our default set of public CAs in addition to any CAs specified in trust_config. These public CAs are currently based on the Mozilla Root Program and are subject to change over time. If TRUE, do not accept our default set of public CAs. Only CAs specified in trust_config will be accepted. This defaults to FALSE (use public CAs in addition to trust_config) for backwards compatibility, but trusting public root CAs is *not recommended* unless the traffic in question is outbound to public web servers. When possible, prefer setting this to "false" and explicitly specifying trusted CAs and certificates in a TrustConfig. Note that Secure Web Proxy does not yet honor this field.
    - name: minTlsVersion
      value: string
      description: >
        Optional. Minimum TLS version that the firewall should use when negotiating connections with both clients and servers. If this is not set, then the default value is to allow the broadest set of clients and servers (TLS 1.0 or higher). Setting this to more restrictive values may improve security, but may also prevent the firewall from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field.
      valid_values: ['TLS_VERSION_UNSPECIFIED', 'TLS_1_0', 'TLS_1_1', 'TLS_1_2', 'TLS_1_3']
    - name: tlsFeatureProfile
      value: string
      description: >
        Optional. The selected Profile. If this is not set, then the default value is to allow the broadest set of clients and servers ("PROFILE_COMPATIBLE"). Setting this to more restrictive values may improve security, but may also prevent the TLS inspection proxy from connecting to some clients or servers. Note that Secure Web Proxy does not yet honor this field.
      valid_values: ['PROFILE_UNSPECIFIED', 'PROFILE_COMPATIBLE', 'PROFILE_MODERN', 'PROFILE_RESTRICTED', 'PROFILE_CUSTOM']
    - name: customTlsFeatures
      value: array
      description: >
        Optional. List of custom TLS cipher suites selected. This field is valid only if the selected tls_feature_profile is CUSTOM. The compute.SslPoliciesService.ListAvailableFeatures method returns the set of features that can be specified in this list. Note that Secure Web Proxy does not yet honor this field.
    - name: tlsInspectionPolicyId
      value: string
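The field descriptions above spell out which defaults widen the trust surface: with no optional fields set, the interception proxy trusts the public CA set in addition to the TrustConfig, accepts TLS 1.0 and negotiates with PROFILE_COMPATIBLE. The following added example (not part of the provider's own docs) shows the INSERT template filled in twice: once with only the required fields, which yields that permissive default, and once for internal traffic with the private TrustConfig pinned, the public CA set excluded, TLS 1.2 required and PROFILE_MODERN selected. The project, location, CA pool, TrustConfig and policy IDs are placeholders; the page itself notes that Secure Web Proxy does not yet honor trustConfig, excludePublicCaSet, minTlsVersion or tlsFeatureProfile, so read the created resource back before relying on those settings.

```sql
-- Added example, not from the provider docs. All resource names below
-- (my-project, us-central1, inspection-ca-pool, internal-roots, the policy
-- IDs) are placeholders.

-- Permissive policy: only the required fields are set, so every optional
-- field takes its default (public CAs trusted, TLS 1.0 allowed,
-- PROFILE_COMPATIBLE).
INSERT INTO google.networksecurity.tls_inspection_policies (
  data__name,
  data__caPool,
  projectsId,
  locationsId,
  tlsInspectionPolicyId
)
SELECT
  'projects/my-project/locations/us-central1/tlsInspectionPolicies/egress-permissive',
  'projects/my-project/locations/us-central1/caPools/inspection-ca-pool',
  'my-project',
  'us-central1',
  'egress-permissive';

-- Hardened policy for traffic to internal services: trust only the CAs in
-- the TrustConfig, require TLS 1.2 or higher and use the PROFILE_MODERN
-- feature profile (both values appear in the manifest's valid_values).
INSERT INTO google.networksecurity.tls_inspection_policies (
  data__name,
  data__description,
  data__caPool,
  data__trustConfig,
  data__excludePublicCaSet,
  data__minTlsVersion,
  data__tlsFeatureProfile,
  projectsId,
  locationsId,
  tlsInspectionPolicyId
)
SELECT
  'projects/my-project/locations/us-central1/tlsInspectionPolicies/egress-internal',
  'Intercepts traffic to internal services whose certificates chain to the private root',
  'projects/my-project/locations/us-central1/caPools/inspection-ca-pool',
  'projects/my-project/locations/us-central1/trustConfigs/internal-roots',
  true,
  'TLS_1_2',
  'PROFILE_MODERN',
  'my-project',
  'us-central1',
  'egress-internal'
RETURNING
  name,
  done,
  error,
  metadata,
  response;
```

The create call returns a long-running operation (the RETURNING columns name, done, error, metadata and response are the operation's fields), so a done = false result means the policy is still being provisioned rather than rejected.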
UPDATE examples
- projects_locations_tls_inspection_policies_patch
Updates the parameters of a single TlsInspectionPolicy.
UPDATE google.networksecurity.tls_inspection_policies
SET
data__name = '{{ name }}',
data__description = '{{ description }}',
data__caPool = '{{ caPool }}',
data__trustConfig = '{{ trustConfig }}',
data__excludePublicCaSet = {{ excludePublicCaSet }},
data__minTlsVersion = '{{ minTlsVersion }}',
data__tlsFeatureProfile = '{{ tlsFeatureProfile }}',
data__customTlsFeatures = '{{ customTlsFeatures }}'
WHERE
projectsId = '{{ projectsId }}' --required
AND locationsId = '{{ locationsId }}' --required
AND tlsInspectionPoliciesId = '{{ tlsInspectionPoliciesId }}' --required
AND updateMask = '{{ updateMask }}'
RETURNING
name,
done,
error,
metadata,
response;
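Because the patch method takes an updateMask, an existing policy can be tightened without restating every field. The added example below (not from the provider docs) narrows the mask to the three security-relevant fields so that unrelated fields such as description and caPool are left untouched, then reads the policy back to confirm the change. The project, location, TrustConfig and policy IDs are placeholders, and the updateMask value assumes the usual Google field-mask form of comma-separated field names.

```sql
-- Added example, not from the provider docs. my-project, us-central1,
-- internal-roots and egress-permissive are placeholders.

-- Harden an existing policy: pin the private TrustConfig, drop the public
-- CA set and require TLS 1.2. The updateMask lists exactly the fields
-- being changed so nothing else on the resource is overwritten.
UPDATE google.networksecurity.tls_inspection_policies
SET
  data__trustConfig = 'projects/my-project/locations/us-central1/trustConfigs/internal-roots',
  data__excludePublicCaSet = true,
  data__minTlsVersion = 'TLS_1_2'
WHERE
  projectsId = 'my-project'
  AND locationsId = 'us-central1'
  AND tlsInspectionPoliciesId = 'egress-permissive'
  AND updateMask = 'trustConfig,excludePublicCaSet,minTlsVersion'
RETURNING
  name,
  done,
  error,
  metadata,
  response;

-- Read the policy back and check that the three fields now carry the
-- hardened values before trusting the change.
SELECT
  name,
  trustConfig,
  excludePublicCaSet,
  minTlsVersion,
  tlsFeatureProfile,
  updateTime
FROM google.networksecurity.tls_inspection_policies
WHERE projectsId = 'my-project'
  AND locationsId = 'us-central1'
  AND tlsInspectionPoliciesId = 'egress-permissive';
```

Comparing updateTime from the read-back with the value recorded before the patch is a cheap way to confirm the operation actually applied rather than merely being accepted.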
DELETE examples
- projects_locations_tls_inspection_policies_delete
Deletes a single TlsInspectionPolicy.
DELETE FROM google.networksecurity.tls_inspection_policies
WHERE projectsId = '{{ projectsId }}' --required
AND locationsId = '{{ locationsId }}' --required
AND tlsInspectionPoliciesId = '{{ tlsInspectionPoliciesId }}' --required
AND force = '{{ force }}';