File: //snap/google-cloud-cli/396/lib/googlecloudsdk/schemas/networksecurity/v1/TlsInspectionPolicy.yaml
$schema: "http://json-schema.org/draft-06/schema#"
title: networksecurity v1 TlsInspectionPolicy export schema
description: A gcloud export/import command YAML validation schema.
type: object
required:
- caPool
- name
additionalProperties: false
properties:
COMMENT:
type: object
description: User specified info ignored by gcloud import.
additionalProperties: false
properties:
template-id:
type: string
region:
type: string
description:
type: string
date:
type: string
version:
type: string
UNKNOWN:
type: array
description: Unknown API fields that cannot be imported.
items:
type: string
caPool:
description: |-
A CA pool resource used to issue interception certificates. The CA pool
string has a relative resource path following the form
"projects/{project}/locations/{location}/caPools/{ca_pool}".
type: string
customTlsFeatures:
description: |-
List of custom TLS cipher suites selected. This field is valid only if the
selected tls_feature_profile is CUSTOM. The
compute.SslPoliciesService.ListAvailableFeatures method returns the set of
features that can be specified in this list.
type: array
items:
type: string
description:
description: Free-text description of the resource.
type: string
excludePublicCaSet:
description: |-
If FALSE (the default), use our default set of public CAs in addition
to any CAs specified in trust_config. These public CAs are currently
based on the Mozilla Root Program and are subject to change over time.
If TRUE, do not accept our default set of public CAs. Only CAs
specified in trust_config will be accepted. This defaults to FALSE
(use public CAs in addition to trust_config) for backwards
compatibility, but trusting public root CAs is *not recommended*
unless the traffic in question is outbound to public web servers. When
possible, prefer setting this to "false" and explicitly specifying
trusted CAs and certificates in a TrustConfig. Note that Secure Web
Proxy does not yet honor this field.
type: boolean
minTlsVersion:
description: |-
Minimum TLS version that the firewall should use when negotiating
connections with both clients and servers. If this is not set, then
the default value is to allow the broadest set of clients and servers
(TLS 1.0 or higher). Setting this to more restrictive values may
improve security, but may also prevent the firewall from connecting to
some clients or servers. Note that Secure Web Proxy does not yet honor
this field.
type: string
enum:
- TLS_1_0
- TLS_1_1
- TLS_1_2
- TLS_1_3
- TLS_VERSION_UNSPECIFIED
name:
description: |-
Name of the resource. Name is of the form projects/{projec
t}/locations/{location}/tlsInspectionPolicies/{tls_inspection_policy}
tls_inspection_policy should match the
pattern:(^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$).
type: string
tlsFeatureProfile:
description: |-
The selected Profile. If this is not set, then the default value is to
allow the broadest set of clients and servers ("PROFILE_COMPATIBLE").
Setting this to more restrictive values may improve security, but may
also prevent the TLS inspection proxy from connecting to some clients
or servers. Note that Secure Web Proxy does not yet honor this field.
type: string
enum:
- PROFILE_COMPATIBLE
- PROFILE_CUSTOM
- PROFILE_MODERN
- PROFILE_RESTRICTED
- PROFILE_UNSPECIFIED
trustConfig:
description: |-
A TrustConfig resource used when making a connection to the TLS
server. This is a relative resource path following the form
"projects/{project}/locations/{location}/trustConfigs/{trust_config}".
This is necessary to intercept TLS connections to servers with
certificates signed by a private CA or self-signed certificates. Note
that Secure Web Proxy does not yet honor this field.
type: string