---
title: Getting Started with Datadog
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Infrastructure > Datadog Resource Catalog
---

# gcp_gkehub_membership_feature{% #gcp_gkehub_membership_feature %}

## `ancestors`{% #ancestors %}

**Type**: `UNORDERED_LIST_STRING`

## `configmanagement`{% #configmanagement %}

**Type**: `STRUCT`**Provider name**: `configmanagement`**Description**: Config Management-specific spec.

- `cluster`**Type**: `STRING`**Provider name**: `cluster`**Description**: Optional. The user-specified cluster name used by Config Sync cluster-name-selector annotation or ClusterSelector, for applying configs to only a subset of clusters. Omit this field if the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector. Set this field if a name different from the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector.
- `config_sync`**Type**: `STRUCT`**Provider name**: `configSync`**Description**: Optional. Config Sync configuration for the cluster.
  - `deployment_overrides`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `deploymentOverrides`**Description**: Optional. Configuration for deployment overrides.
    - `containers`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `containers`**Description**: Optional. The containers of the deployment resource to be overridden.
      - `container_name`**Type**: `STRING`**Provider name**: `containerName`**Description**: Required. The name of the container.
      - `cpu_limit`**Type**: `STRING`**Provider name**: `cpuLimit`**Description**: Optional. The cpu limit of the container.
      - `cpu_request`**Type**: `STRING`**Provider name**: `cpuRequest`**Description**: Optional. The cpu request of the container.
      - `memory_limit`**Type**: `STRING`**Provider name**: `memoryLimit`**Description**: Optional. The memory limit of the container.
      - `memory_request`**Type**: `STRING`**Provider name**: `memoryRequest`**Description**: Optional. The memory request of the container.
    - `deployment_name`**Type**: `STRING`**Provider name**: `deploymentName`**Description**: Required. The name of the deployment resource to be overridden.
    - `deployment_namespace`**Type**: `STRING`**Provider name**: `deploymentNamespace`**Description**: Required. The namespace of the deployment resource to be overridden.
  - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Optional. Enables the installation of ConfigSync. If set to true, ConfigSync resources will be created and the other ConfigSync fields will be applied if exist. If set to false, all other ConfigSync fields will be ignored, ConfigSync resources will be deleted. If omitted, ConfigSync resources will be managed depends on the presence of the git or oci field.
  - `git`**Type**: `STRUCT`**Provider name**: `git`**Description**: Optional. Git repo configuration for the cluster.
    - `gcp_service_account_email`**Type**: `STRING`**Provider name**: `gcpServiceAccountEmail`**Description**: Optional. The Google Cloud Service Account Email used for auth when secret_type is gcpServiceAccount.
    - `https_proxy`**Type**: `STRING`**Provider name**: `httpsProxy`**Description**: Optional. URL for the HTTPS proxy to be used when communicating with the Git repo.
    - `policy_dir`**Type**: `STRING`**Provider name**: `policyDir`**Description**: Optional. The path within the Git repository that represents the top level of the repo to sync. Default: the root directory of the repository.
    - `secret_type`**Type**: `STRING`**Provider name**: `secretType`**Description**: Required. Type of secret configured for access to the Git repo. Must be one of ssh, cookiefile, gcenode, token, gcpserviceaccount, githubapp or none. The validation of this is case-sensitive.
    - `sync_branch`**Type**: `STRING`**Provider name**: `syncBranch`**Description**: Optional. The branch of the repository to sync from. Default: master.
    - `sync_repo`**Type**: `STRING`**Provider name**: `syncRepo`**Description**: Required. The URL of the Git repository to use as the source of truth.
    - `sync_rev`**Type**: `STRING`**Provider name**: `syncRev`**Description**: Optional. Git revision (tag or hash) to check out. Default HEAD.
    - `sync_wait_secs`**Type**: `INT64`**Provider name**: `syncWaitSecs`**Description**: Optional. Period in seconds between consecutive syncs. Default: 15.
  - `metrics_gcp_service_account_email`**Type**: `STRING`**Provider name**: `metricsGcpServiceAccountEmail`**Description**: Optional. The Email of the Google Cloud Service Account (GSA) used for exporting Config Sync metrics to Cloud Monitoring and Cloud Monarch when Workload Identity is enabled. The GSA should have the Monitoring Metric Writer (roles/monitoring.metricWriter) IAM role. The Kubernetes ServiceAccount `default` in the namespace `config-management-monitoring` should be bound to the GSA. Deprecated: If Workload Identity Federation for GKE is enabled, Google Cloud Service Account is no longer needed for exporting Config Sync metrics: [https://cloud.google.com/kubernetes-engine/enterprise/config-sync/docs/how-to/monitor-config-sync-cloud-monitoring#custom-monitoring](https://cloud.google.com/kubernetes-engine/enterprise/config-sync/docs/how-to/monitor-config-sync-cloud-monitoring#custom-monitoring).
  - `oci`**Type**: `STRUCT`**Provider name**: `oci`**Description**: Optional. OCI repo configuration for the cluster
    - `gcp_service_account_email`**Type**: `STRING`**Provider name**: `gcpServiceAccountEmail`**Description**: Optional. The Google Cloud Service Account Email used for auth when secret_type is gcpServiceAccount.
    - `policy_dir`**Type**: `STRING`**Provider name**: `policyDir`**Description**: Optional. The absolute path of the directory that contains the local resources. Default: the root directory of the image.
    - `secret_type`**Type**: `STRING`**Provider name**: `secretType`**Description**: Required. Type of secret configured for access to the OCI repo. Must be one of gcenode, gcpserviceaccount, k8sserviceaccount or none. The validation of this is case-sensitive.
    - `sync_repo`**Type**: `STRING`**Provider name**: `syncRepo`**Description**: Required. The OCI image repository URL for the package to sync from. e.g. `LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY_NAME/PACKAGE_NAME`.
    - `sync_wait_secs`**Type**: `INT64`**Provider name**: `syncWaitSecs`**Description**: Optional. Period in seconds between consecutive syncs. Default: 15.
  - `prevent_drift`**Type**: `BOOLEAN`**Provider name**: `preventDrift`**Description**: Optional. Set to true to enable the Config Sync admission webhook to prevent drifts. If set to `false`, disables the Config Sync admission webhook and does not prevent drifts.
  - `source_format`**Type**: `STRING`**Provider name**: `sourceFormat`**Description**: Optional. Specifies whether the Config Sync Repo is in "hierarchical" or "unstructured" mode.
  - `stop_syncing`**Type**: `BOOLEAN`**Provider name**: `stopSyncing`**Description**: Optional. Set to true to stop syncing configs for a single cluster. Default to false.
- `hierarchy_controller`**Type**: `STRUCT`**Provider name**: `hierarchyController`**Description**: Optional. Hierarchy Controller configuration for the cluster. Deprecated: Configuring Hierarchy Controller through the configmanagement feature is no longer recommended. Use [https://github.com/kubernetes-sigs/hierarchical-namespaces](https://github.com/kubernetes-sigs/hierarchical-namespaces) instead.
  - `enable_hierarchical_resource_quota`**Type**: `BOOLEAN`**Provider name**: `enableHierarchicalResourceQuota`**Description**: Whether hierarchical resource quota is enabled in this cluster.
  - `enable_pod_tree_labels`**Type**: `BOOLEAN`**Provider name**: `enablePodTreeLabels`**Description**: Whether pod tree labels are enabled in this cluster.
  - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Whether Hierarchy Controller is enabled in this cluster.
- `management`**Type**: `STRING`**Provider name**: `management`**Description**: Optional. Enables automatic Feature management.**Possible values**:
  - `MANAGEMENT_UNSPECIFIED` - Unspecified
  - `MANAGEMENT_AUTOMATIC` - Google will manage the Feature for the cluster.
  - `MANAGEMENT_MANUAL` - User will manually manage the Feature for the cluster.
- `policy_controller`**Type**: `STRUCT`**Provider name**: `policyController`**Description**: Optional. Policy Controller configuration for the cluster. Deprecated: Configuring Policy Controller through the configmanagement feature is no longer recommended. Use the policycontroller feature instead.
  - `audit_interval_seconds`**Type**: `INT64`**Provider name**: `auditIntervalSeconds`**Description**: Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether.
  - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Enables the installation of Policy Controller. If false, the rest of PolicyController fields take no effect.
  - `exemptable_namespaces`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `exemptableNamespaces`**Description**: The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.
  - `log_denies_enabled`**Type**: `BOOLEAN`**Provider name**: `logDeniesEnabled`**Description**: Logs all denies and dry run failures.
  - `monitoring`**Type**: `STRUCT`**Provider name**: `monitoring`**Description**: Monitoring specifies the configuration of monitoring.
    - `backends`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `backends`**Description**: Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export.
  - `mutation_enabled`**Type**: `BOOLEAN`**Provider name**: `mutationEnabled`**Description**: Enable or disable mutation in policy controller. If true, mutation CRDs, webhook and controller deployment will be deployed to the cluster.
  - `referential_rules_enabled`**Type**: `BOOLEAN`**Provider name**: `referentialRulesEnabled`**Description**: Enables the ability to use Constraint Templates that reference to objects other than the object currently being evaluated.
  - `template_library_installed`**Type**: `BOOLEAN`**Provider name**: `templateLibraryInstalled`**Description**: Installs the default template library along with Policy Controller.
  - `update_time`**Type**: `TIMESTAMP`**Provider name**: `updateTime`**Description**: Output only. Last time this membership spec was updated.
- `version`**Type**: `STRING`**Provider name**: `version`**Description**: Optional. Version of ACM installed.

## `fleetobservability`{% #fleetobservability %}

**Type**: `STRUCT`**Provider name**: `fleetobservability`**Description**: Fleet observability membership spec

## `identityservice`{% #identityservice %}

**Type**: `STRUCT`**Provider name**: `identityservice`**Description**: Identity Service-specific spec.

- `auth_methods`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `authMethods`**Description**: A member may support multiple auth methods.
  - `azuread_config`**Type**: `STRUCT`**Provider name**: `azureadConfig`**Description**: AzureAD specific Configuration.
    - `client_id`**Type**: `STRING`**Provider name**: `clientId`**Description**: ID for the registered client application that makes authentication requests to the Azure AD identity provider.
    - `client_secret`**Type**: `STRING`**Provider name**: `clientSecret`**Description**: Input only. Unencrypted AzureAD client secret will be passed to the GKE Hub CLH.
    - `group_format`**Type**: `STRING`**Provider name**: `groupFormat`**Description**: Optional. Format of the AzureAD groups that the client wants for auth.
    - `kubectl_redirect_uri`**Type**: `STRING`**Provider name**: `kubectlRedirectUri`**Description**: The redirect URL that kubectl uses for authorization.
    - `tenant`**Type**: `STRING`**Provider name**: `tenant`**Description**: Kind of Azure AD account to be authenticated. Supported values are or for accounts belonging to a specific tenant.
    - `user_claim`**Type**: `STRING`**Provider name**: `userClaim`**Description**: Optional. Claim in the AzureAD ID Token that holds the user details.
  - `google_config`**Type**: `STRUCT`**Provider name**: `googleConfig`**Description**: GoogleConfig specific configuration.
    - `disable`**Type**: `BOOLEAN`**Provider name**: `disable`**Description**: Disable automatic configuration of Google Plugin on supported platforms.
  - `ldap_config`**Type**: `STRUCT`**Provider name**: `ldapConfig`**Description**: LDAP specific configuration.
    - `group`**Type**: `STRUCT`**Provider name**: `group`**Description**: Optional. Contains the properties for locating and authenticating groups in the directory.
      - `base_dn`**Type**: `STRING`**Provider name**: `baseDn`**Description**: Required. The location of the subtree in the LDAP directory to search for group entries.
      - `filter`**Type**: `STRING`**Provider name**: `filter`**Description**: Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)".
      - `id_attribute`**Type**: `STRING`**Provider name**: `idAttribute`**Description**: Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName".
    - `server`**Type**: `STRUCT`**Provider name**: `server`**Description**: Required. Server settings for the external LDAP server.
      - `connection_type`**Type**: `STRING`**Provider name**: `connectionType`**Description**: Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty.
      - `host`**Type**: `STRING`**Provider name**: `host`**Description**: Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389".
    - `service_account`**Type**: `STRUCT`**Provider name**: `serviceAccount`**Description**: Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate.
      - `simple_bind_credentials`**Type**: `STRUCT`**Provider name**: `simpleBindCredentials`**Description**: Credentials for basic auth.
        - `dn`**Type**: `STRING`**Provider name**: `dn`**Description**: Required. The distinguished name(DN) of the service account object/user.
        - `password`**Type**: `STRING`**Provider name**: `password`**Description**: Required. Input only. The password of the service account object/user.
    - `user`**Type**: `STRUCT`**Provider name**: `user`**Description**: Required. Defines where users exist in the LDAP directory.
      - `base_dn`**Type**: `STRING`**Provider name**: `baseDn`**Description**: Required. The location of the subtree in the LDAP directory to search for user entries.
      - `filter`**Type**: `STRING`**Provider name**: `filter`**Description**: Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)".
      - `id_attribute`**Type**: `STRING`**Provider name**: `idAttribute`**Description**: Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "[bsmith@example.com](mailto:bsmith@example.com)". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName".
      - `login_attribute`**Type**: `STRING`**Provider name**: `loginAttribute`**Description**: Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName".
  - `name`**Type**: `STRING`**Provider name**: `name`**Description**: Identifier for auth config.
  - `oidc_config`**Type**: `STRUCT`**Provider name**: `oidcConfig`**Description**: OIDC specific configuration.
    - `certificate_authority_data`**Type**: `STRING`**Provider name**: `certificateAuthorityData`**Description**: PEM-encoded CA for OIDC provider.
    - `client_id`**Type**: `STRING`**Provider name**: `clientId`**Description**: ID for OIDC client application.
    - `client_secret`**Type**: `STRING`**Provider name**: `clientSecret`**Description**: Input only. Unencrypted OIDC client secret will be passed to the GKE Hub CLH.
    - `deploy_cloud_console_proxy`**Type**: `BOOLEAN`**Provider name**: `deployCloudConsoleProxy`**Description**: Flag to denote if reverse proxy is used to connect to auth provider. This flag should be set to true when provider is not reachable by Google Cloud Console.
    - `enable_access_token`**Type**: `BOOLEAN`**Provider name**: `enableAccessToken`**Description**: Enable access token.
    - `extra_params`**Type**: `STRING`**Provider name**: `extraParams`**Description**: Comma-separated list of key-value pairs.
    - `group_prefix`**Type**: `STRING`**Provider name**: `groupPrefix`**Description**: Prefix to prepend to group name.
    - `groups_claim`**Type**: `STRING`**Provider name**: `groupsClaim`**Description**: Claim in OIDC ID token that holds group information.
    - `issuer_uri`**Type**: `STRING`**Provider name**: `issuerUri`**Description**: URI for the OIDC provider. This should point to the level below .well-known/openid-configuration.
    - `kubectl_redirect_uri`**Type**: `STRING`**Provider name**: `kubectlRedirectUri`**Description**: Registered redirect uri to redirect users going through OAuth flow using kubectl plugin.
    - `scopes`**Type**: `STRING`**Provider name**: `scopes`**Description**: Comma-separated list of identifiers.
    - `user_claim`**Type**: `STRING`**Provider name**: `userClaim`**Description**: Claim in OIDC ID token that holds username.
    - `user_prefix`**Type**: `STRING`**Provider name**: `userPrefix`**Description**: Prefix to prepend to user name.
  - `proxy`**Type**: `STRING`**Provider name**: `proxy`**Description**: Proxy server address to use for auth method.
  - `saml_config`**Type**: `STRUCT`**Provider name**: `samlConfig`**Description**: SAML specific configuration.
    - `group_prefix`**Type**: `STRING`**Provider name**: `groupPrefix`**Description**: Optional. Prefix to prepend to group name.
    - `groups_attribute`**Type**: `STRING`**Provider name**: `groupsAttribute`**Description**: Optional. The SAML attribute to read groups from. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the `group_prefix`).
    - `identity_provider_certificates`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `identityProviderCertificates`**Description**: Required. The list of IdP certificates to validate the SAML response against.
    - `identity_provider_id`**Type**: `STRING`**Provider name**: `identityProviderId`**Description**: Required. The entity ID of the SAML IdP.
    - `identity_provider_sso_uri`**Type**: `STRING`**Provider name**: `identityProviderSsoUri`**Description**: Required. The URI where the SAML IdP exposes the SSO service.
    - `user_attribute`**Type**: `STRING`**Provider name**: `userAttribute`**Description**: Optional. The SAML attribute to read username from. If unspecified, the username will be read from the NameID element of the assertion in SAML response. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the `user_prefix`).
    - `user_prefix`**Type**: `STRING`**Provider name**: `userPrefix`**Description**: Optional. Prefix to prepend to user name.
- `identity_service_options`**Type**: `STRUCT`**Provider name**: `identityServiceOptions`**Description**: Optional. non-protocol-related configuration options.
  - `diagnostic_interface`**Type**: `STRUCT`**Provider name**: `diagnosticInterface`**Description**: Configuration options for the AIS diagnostic interface.
    - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Determines whether to enable the diagnostic interface.
    - `expiration_time`**Type**: `TIMESTAMP`**Provider name**: `expirationTime`**Description**: Determines the expiration time of the diagnostic interface enablement. When reached, requests to the interface would be automatically rejected.
  - `session_duration`**Type**: `STRING`**Provider name**: `sessionDuration`**Description**: Determines the lifespan of STS tokens issued by Anthos Identity Service.

## `labels`{% #labels %}

**Type**: `UNORDERED_LIST_STRING`

## `mesh`{% #mesh %}

**Type**: `STRUCT`**Provider name**: `mesh`**Description**: Anthos Service Mesh-specific spec

- `config_api`**Type**: `STRING`**Provider name**: `configApi`**Description**: Optional. Specifies the API that will be used for configuring the mesh workloads.**Possible values**:
  - `CONFIG_API_UNSPECIFIED` - Unspecified
  - `CONFIG_API_ISTIO` - Use the Istio API for configuration.
  - `CONFIG_API_GATEWAY` - Use the K8s Gateway API for configuration.
- `control_plane`**Type**: `STRING`**Provider name**: `controlPlane`**Description**: Deprecated: use `management` instead Enables automatic control plane management.**Possible values**:
  - `CONTROL_PLANE_MANAGEMENT_UNSPECIFIED` - Unspecified
  - `AUTOMATIC` - Google should provision a control plane revision and make it available in the cluster. Google will enroll this revision in a release channel and keep it up to date. The control plane revision may be a managed service, or a managed install.
  - `MANUAL` - User will manually configure the control plane (e.g. via CLI, or via the ControlPlaneRevision KRM API)
- `management`**Type**: `STRING`**Provider name**: `management`**Description**: Optional. Enables automatic Service Mesh management.**Possible values**:
  - `MANAGEMENT_UNSPECIFIED` - Unspecified
  - `MANAGEMENT_AUTOMATIC` - Google should manage my Service Mesh for the cluster.
  - `MANAGEMENT_MANUAL` - User will manually configure their service mesh components.
  - `MANAGEMENT_NOT_INSTALLED` - Google should remove any managed Service Mesh components from this cluster and deprovision any resources.

## `organization_id`{% #organization_id %}

**Type**: `STRING`

## `origin`{% #origin %}

**Type**: `STRUCT`**Provider name**: `origin`**Description**: Whether this per-Membership spec was inherited from a fleet-level default. This field can be updated by users by either overriding a Membership config (updated to USER implicitly) or setting to FLEET explicitly.

- `type`**Type**: `STRING`**Provider name**: `type`**Description**: Type specifies which type of origin is set.**Possible values**:
  - `TYPE_UNSPECIFIED` - Type is unknown or not set.
  - `FLEET` - Per-Membership spec was inherited from the fleet-level default.
  - `FLEET_OUT_OF_SYNC` - Per-Membership spec was inherited from the fleet-level default but is now out of sync with the current default.
  - `USER` - Per-Membership spec was inherited from a user specification.

## `parent`{% #parent %}

**Type**: `STRING`

## `policycontroller`{% #policycontroller %}

**Type**: `STRUCT`**Provider name**: `policycontroller`**Description**: Policy Controller spec.

- `policy_controller_hub_config`**Type**: `STRUCT`**Provider name**: `policyControllerHubConfig`**Description**: Policy Controller configuration for the cluster.
  - `audit_interval_seconds`**Type**: `INT64`**Provider name**: `auditIntervalSeconds`**Description**: Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether.
  - `constraint_violation_limit`**Type**: `INT64`**Provider name**: `constraintViolationLimit`**Description**: The maximum number of audit violations to be stored in a constraint. If not set, the internal default (currently 20) will be used.
  - `exemptable_namespaces`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `exemptableNamespaces`**Description**: The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.
  - `install_spec`**Type**: `STRING`**Provider name**: `installSpec`**Description**: The install_spec represents the intended state specified by the latest request that mutated install_spec in the feature spec, not the lifecycle state of the feature observed by the Hub feature controller that is reported in the feature state.**Possible values**:
    - `INSTALL_SPEC_UNSPECIFIED` - Spec is unknown.
    - `INSTALL_SPEC_NOT_INSTALLED` - Request to uninstall Policy Controller.
    - `INSTALL_SPEC_ENABLED` - Request to install and enable Policy Controller.
    - `INSTALL_SPEC_SUSPENDED` - Request to suspend Policy Controller i.e. its webhooks. If Policy Controller is not installed, it will be installed but suspended.
    - `INSTALL_SPEC_DETACHED` - Request to stop all reconciliation actions by PoCo Hub controller. This is a breakglass mechanism to stop PoCo Hub from affecting cluster resources.
  - `log_denies_enabled`**Type**: `BOOLEAN`**Provider name**: `logDeniesEnabled`**Description**: Logs all denies and dry run failures.
  - `monitoring`**Type**: `STRUCT`**Provider name**: `monitoring`**Description**: Monitoring specifies the configuration of monitoring.
    - `backends`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `backends`**Description**: Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export.
  - `mutation_enabled`**Type**: `BOOLEAN`**Provider name**: `mutationEnabled`**Description**: Enables the ability to mutate resources using Policy Controller.
  - `policy_content`**Type**: `STRUCT`**Provider name**: `policyContent`**Description**: Specifies the desired policy content on the cluster
    - `template_library`**Type**: `STRUCT`**Provider name**: `templateLibrary`**Description**: Configures the installation of the Template Library.
      - `installation`**Type**: `STRING`**Provider name**: `installation`**Description**: Configures the manner in which the template library is installed on the cluster.**Possible values**:
        - `INSTALLATION_UNSPECIFIED` - No installation strategy has been specified.
        - `NOT_INSTALLED` - Do not install the template library.
        - `ALL` - Install the entire template library.
  - `referential_rules_enabled`**Type**: `BOOLEAN`**Provider name**: `referentialRulesEnabled`**Description**: Enables the ability to use Constraint Templates that reference to objects other than the object currently being evaluated.
- `version`**Type**: `STRING`**Provider name**: `version`**Description**: Version of Policy Controller installed.

## `project_id`{% #project_id %}

**Type**: `STRING`

## `project_number`{% #project_number %}

**Type**: `STRING`

## `region_id`{% #region_id %}

**Type**: `STRING`

## `resource_name`{% #resource_name %}

**Type**: `STRING`

## `tags`{% #tags %}

**Type**: `UNORDERED_LIST_STRING`

## `zone_id`{% #zone_id %}

**Type**: `STRING`