---
title: Getting Started with Datadog
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Infrastructure > Datadog Resource Catalog
---

# gcp_identitytoolkit_tenant{% #gcp_identitytoolkit_tenant %}

## `allow_password_signup`{% #allow_password_signup %}

**Type**: `BOOLEAN`**Provider name**: `allowPasswordSignup`**Description**: Whether to allow email/password user authentication.

## `ancestors`{% #ancestors %}

**Type**: `UNORDERED_LIST_STRING`

## `autodelete_anonymous_users`{% #autodelete_anonymous_users %}

**Type**: `BOOLEAN`**Provider name**: `autodeleteAnonymousUsers`**Description**: Whether anonymous users will be auto-deleted after a period of 30 days.

## `client`{% #client %}

**Type**: `STRUCT`**Provider name**: `client`**Description**: Options related to how clients making requests on behalf of a project should be configured.

- `permissions`**Type**: `STRUCT`**Provider name**: `permissions`**Description**: Configuration related to restricting a user's ability to affect their account.
  - `disabled_user_deletion`**Type**: `BOOLEAN`**Provider name**: `disabledUserDeletion`**Description**: When true, end users cannot delete their account on the associated project through any of our API methods
  - `disabled_user_signup`**Type**: `BOOLEAN`**Provider name**: `disabledUserSignup`**Description**: When true, end users cannot sign up for a new account on the associated project through any of our API methods

## `disable_auth`{% #disable_auth %}

**Type**: `BOOLEAN`**Provider name**: `disableAuth`**Description**: Whether authentication is disabled for the tenant. If true, the users under the disabled tenant are not allowed to sign-in. Admins of the disabled tenant are not able to manage its users.

## `email_privacy_config`{% #email_privacy_config %}

**Type**: `STRUCT`**Provider name**: `emailPrivacyConfig`**Description**: Configuration for settings related to email privacy and public visibility.

- `enable_improved_email_privacy`**Type**: `BOOLEAN`**Provider name**: `enableImprovedEmailPrivacy`**Description**: Migrates the project to a state of improved email privacy. For example certain error codes are more generic to avoid giving away information on whether the account exists. In addition, this disables certain features that as a side-effect allow user enumeration. Enabling this toggle disables the fetchSignInMethodsForEmail functionality and changing the user's email to an unverified email. It is recommended to remove dependence on this functionality and enable this toggle to improve user privacy.

## `enable_anonymous_user`{% #enable_anonymous_user %}

**Type**: `BOOLEAN`**Provider name**: `enableAnonymousUser`**Description**: Whether to enable anonymous user authentication.

## `enable_email_link_signin`{% #enable_email_link_signin %}

**Type**: `BOOLEAN`**Provider name**: `enableEmailLinkSignin`**Description**: Whether to enable email link user authentication.

## `gcp_display_name`{% #gcp_display_name %}

**Type**: `STRING`**Provider name**: `displayName`**Description**: Display name of the tenant.

## `hash_config`{% #hash_config %}

**Type**: `STRUCT`**Provider name**: `hashConfig`**Description**: Output only. Hash config information of a tenant for display on Pantheon. This can only be displayed on Pantheon to avoid the sensitive information to get accidentally leaked. Only returned in GetTenant response to restrict reading of this information. Requires firebaseauth.configs.getHashConfig permission on the agent project for returning this field.

- `algorithm`**Type**: `STRING`**Provider name**: `algorithm`**Description**: Output only. Different password hash algorithms used in Identity Toolkit.**Possible values**:
  - `HASH_ALGORITHM_UNSPECIFIED` - Default value. Do not use.
  - `HMAC_SHA256` - HMAC_SHA256
  - `HMAC_SHA1` - HMAC_SHA1
  - `HMAC_MD5` - HMAC_MD5
  - `SCRYPT` - SCRYPT
  - `PBKDF_SHA1` - PBKDF_SHA1
  - `MD5` - MD5
  - `HMAC_SHA512` - HMAC_SHA512
  - `SHA1` - SHA1
  - `BCRYPT` - BCRYPT
  - `PBKDF2_SHA256` - PBKDF2_SHA256
  - `SHA256` - SHA256
  - `SHA512` - SHA512
  - `STANDARD_SCRYPT` - STANDARD_SCRYPT
- `memory_cost`**Type**: `INT32`**Provider name**: `memoryCost`**Description**: Output only. Memory cost for hash calculation. Used by scrypt and other similar password derivation algorithms. See [https://tools.ietf.org/html/rfc7914](https://tools.ietf.org/html/rfc7914) for explanation of field.
- `rounds`**Type**: `INT32`**Provider name**: `rounds`**Description**: Output only. How many rounds for hash calculation. Used by scrypt and other similar password derivation algorithms.
- `salt_separator`**Type**: `STRING`**Provider name**: `saltSeparator`**Description**: Output only. Non-printable character to be inserted between the salt and plain text password in base64.
- `signer_key`**Type**: `STRING`**Provider name**: `signerKey`**Description**: Output only. Signer key in base64.

## `inheritance`{% #inheritance %}

**Type**: `STRUCT`**Provider name**: `inheritance`**Description**: Specify the settings that the tenant could inherit.

- `email_sending_config`**Type**: `BOOLEAN`**Provider name**: `emailSendingConfig`**Description**: Whether to allow the tenant to inherit custom domains, email templates, and custom SMTP settings. If true, email sent from tenant will follow the project level email sending configurations. If false (by default), emails will go with the default settings with no customizations.

## `labels`{% #labels %}

**Type**: `UNORDERED_LIST_STRING`

## `mfa_config`{% #mfa_config %}

**Type**: `STRUCT`**Provider name**: `mfaConfig`**Description**: The tenant-level configuration of MFA options.

- `enabled_providers`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `enabledProviders`**Description**: A list of usable second factors for this project.
- `provider_configs`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `providerConfigs`**Description**: A list of usable second factors for this project along with their configurations. This field does not support phone based MFA, for that use the 'enabled_providers' field.
  - `state`**Type**: `STRING`**Provider name**: `state`**Description**: Describes the state of the MultiFactor Authentication type.**Possible values**:
    - `MFA_STATE_UNSPECIFIED` - Illegal State, should not be used.
    - `DISABLED` - Multi-factor authentication cannot be used for this project.
    - `ENABLED` - Multi-factor authentication can be used for this project.
    - `MANDATORY` - Multi-factor authentication is required for this project. Users from this project must authenticate with the second factor.
  - `totp_provider_config`**Type**: `STRUCT`**Provider name**: `totpProviderConfig`**Description**: TOTP MFA provider config for this project.
    - `adjacent_intervals`**Type**: `INT32`**Provider name**: `adjacentIntervals`**Description**: The allowed number of adjacent intervals that will be used for verification to avoid clock skew.
- `state`**Type**: `STRING`**Provider name**: `state`**Description**: Whether MultiFactor Authentication has been enabled for this project.**Possible values**:
  - `STATE_UNSPECIFIED` - Illegal State, should not be used.
  - `DISABLED` - Multi-factor authentication cannot be used for this project
  - `ENABLED` - Multi-factor authentication can be used for this project
  - `MANDATORY` - Multi-factor authentication is required for this project. Users from this project must authenticate with the second factor.

## `mobile_links_config`{% #mobile_links_config %}

**Type**: `STRUCT`**Provider name**: `mobileLinksConfig`**Description**: Optional. Deprecated. Never launched. Configuration for settings related to univeral links (iOS) and app links (Android).

- `domain`**Type**: `STRING`**Provider name**: `domain`**Description**: Open code in app domain to use for app links and universal links.**Possible values**:
  - `DOMAIN_UNSPECIFIED` - Default value. The default domain is the Firebase Dynamic Link domain before the FDL deprecation and the hosting domain after the FDL deprecation.
  - `FIREBASE_DYNAMIC_LINK_DOMAIN` - Use Firebase Dynamic Link domain as app link domain. Default value.
  - `HOSTING_DOMAIN` - Use hosting domain as app link domain.

## `monitoring`{% #monitoring %}

**Type**: `STRUCT`**Provider name**: `monitoring`**Description**: Configuration related to monitoring project activity.

- `request_logging`**Type**: `STRUCT`**Provider name**: `requestLogging`**Description**: Configuration for logging requests made to this project to Stackdriver Logging
  - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Whether logging is enabled for this project or not.

## `name`{% #name %}

**Type**: `STRING`**Provider name**: `name`**Description**: Output only. Resource name of a tenant. For example: "projects/{project-id}/tenants/{tenant-id}"

## `organization_id`{% #organization_id %}

**Type**: `STRING`

## `parent`{% #parent %}

**Type**: `STRING`

## `password_policy_config`{% #password_policy_config %}

**Type**: `STRUCT`**Provider name**: `passwordPolicyConfig`**Description**: The tenant-level password policy config

- `force_upgrade_on_signin`**Type**: `BOOLEAN`**Provider name**: `forceUpgradeOnSignin`**Description**: Users must have a password compliant with the password policy to sign-in.
- `last_update_time`**Type**: `TIMESTAMP`**Provider name**: `lastUpdateTime`**Description**: Output only. The last time the password policy on the project was updated.
- `password_policy_enforcement_state`**Type**: `STRING`**Provider name**: `passwordPolicyEnforcementState`**Description**: Which enforcement mode to use for the password policy.**Possible values**:
  - `PASSWORD_POLICY_ENFORCEMENT_STATE_UNSPECIFIED` - Illegal State, should not be used.
  - `OFF` - Password Policy will not be used on the project.
  - `ENFORCE` - Passwords non-compliant with the password policy will be rejected with an error thrown.
- `password_policy_versions`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `passwordPolicyVersions`**Description**: Must be of length 1. Contains the strength attributes for the password policy.
  - `custom_strength_options`**Type**: `STRUCT`**Provider name**: `customStrengthOptions`**Description**: The custom strength options enforced by the password policy.
    - `contains_lowercase_character`**Type**: `BOOLEAN`**Provider name**: `containsLowercaseCharacter`**Description**: The password must contain a lower case character.
    - `contains_non_alphanumeric_character`**Type**: `BOOLEAN`**Provider name**: `containsNonAlphanumericCharacter`**Description**: The password must contain a non alpha numeric character.
    - `contains_numeric_character`**Type**: `BOOLEAN`**Provider name**: `containsNumericCharacter`**Description**: The password must contain a number.
    - `contains_uppercase_character`**Type**: `BOOLEAN`**Provider name**: `containsUppercaseCharacter`**Description**: The password must contain an upper case character.
    - `max_password_length`**Type**: `INT32`**Provider name**: `maxPasswordLength`**Description**: Maximum password length. No default max length
    - `min_password_length`**Type**: `INT32`**Provider name**: `minPasswordLength`**Description**: Minimum password length. Range from 6 to 30
  - `schema_version`**Type**: `INT32`**Provider name**: `schemaVersion`**Description**: Output only. schema version number for the password policy

## `project_id`{% #project_id %}

**Type**: `STRING`

## `project_number`{% #project_number %}

**Type**: `STRING`

## `recaptcha_config`{% #recaptcha_config %}

**Type**: `STRUCT`**Provider name**: `recaptchaConfig`**Description**: The tenant-level reCAPTCHA config.

- `email_password_enforcement_state`**Type**: `STRING`**Provider name**: `emailPasswordEnforcementState`**Description**: The reCAPTCHA config for email/password provider, containing the enforcement status. The email/password provider contains all email related user flows protected by reCAPTCHA.**Possible values**:
  - `RECAPTCHA_PROVIDER_ENFORCEMENT_STATE_UNSPECIFIED` - Enforcement state has not been set.
  - `OFF` - Unenforced.
  - `AUDIT` - reCAPTCHA assessment is created, result is not used to enforce.
  - `ENFORCE` - reCAPTCHA assessment is created, result is used to enforce.
- `managed_rules`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `managedRules`**Description**: The managed rules for authentication action based on reCAPTCHA scores. The rules are shared across providers for a given tenant project.
  - `action`**Type**: `STRING`**Provider name**: `action`**Description**: The action taken if the reCAPTCHA score of a request is within the interval [start_score, end_score].**Possible values**:
    - `RECAPTCHA_ACTION_UNSPECIFIED` - The reCAPTCHA action is not specified.
    - `BLOCK` - The reCAPTCHA-protected request will be blocked.
  - `end_score`**Type**: `FLOAT`**Provider name**: `endScore`**Description**: The end score (inclusive) of the score range for an action. Must be a value between 0.0 and 1.0, at 11 discrete values; e.g. 0, 0.1, 0.2, 0.3, … 0.9, 1.0. A score of 0.0 indicates the riskiest request (likely a bot), whereas 1.0 indicates the safest request (likely a human). See [https://cloud.google.com/recaptcha-enterprise/docs/interpret-assessment](https://cloud.google.com/recaptcha-enterprise/docs/interpret-assessment).
- `phone_enforcement_state`**Type**: `STRING`**Provider name**: `phoneEnforcementState`**Description**: The reCAPTCHA config for phone provider, containing the enforcement status. The phone provider contains all SMS related user flows protected by reCAPTCHA.**Possible values**:
  - `RECAPTCHA_PROVIDER_ENFORCEMENT_STATE_UNSPECIFIED` - Enforcement state has not been set.
  - `OFF` - Unenforced.
  - `AUDIT` - reCAPTCHA assessment is created, result is not used to enforce.
  - `ENFORCE` - reCAPTCHA assessment is created, result is used to enforce.
- `recaptcha_keys`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `recaptchaKeys`**Description**: The reCAPTCHA keys.
  - `key`**Type**: `STRING`**Provider name**: `key`**Description**: The reCAPTCHA Enterprise key resource name, e.g. "projects/{project}/keys/{key}"
  - `type`**Type**: `STRING`**Provider name**: `type`**Description**: The client's platform type.**Possible values**:
    - `CLIENT_TYPE_UNSPECIFIED` - Client type is not specified.
    - `WEB` - Client type is web.
    - `IOS` - Client type is iOS.
    - `ANDROID` - Client type is Android.
- `toll_fraud_managed_rules`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `tollFraudManagedRules`**Description**: The managed rules for the authentication action based on reCAPTCHA toll fraud risk scores. Toll fraud managed rules will only take effect when the phone_enforcement_state is AUDIT or ENFORCE and use_sms_toll_fraud_protection is true.
  - `action`**Type**: `STRING`**Provider name**: `action`**Description**: The action taken if the reCAPTCHA score of a request is within the interval [start_score, end_score].**Possible values**:
    - `RECAPTCHA_ACTION_UNSPECIFIED` - The reCAPTCHA action is not specified.
    - `BLOCK` - The reCAPTCHA-protected request will be blocked.
  - `start_score`**Type**: `FLOAT`**Provider name**: `startScore`**Description**: The start score (inclusive) for an action. Must be a value between 0.0 and 1.0, at 11 discrete values; e.g. 0, 0.1, 0.2, 0.3, … 0.9, 1.0. A score of 0.0 indicates the safest request (likely legitimate), whereas 1.0 indicates the riskiest request (likely toll fraud). See [https://cloud.google.com/recaptcha-enterprise/docs/sms-fraud-detection#create-assessment-sms](https://cloud.google.com/recaptcha-enterprise/docs/sms-fraud-detection#create-assessment-sms).
- `use_account_defender`**Type**: `BOOLEAN`**Provider name**: `useAccountDefender`**Description**: Whether to use the account defender for reCAPTCHA assessment. Defaults to `false`.
- `use_sms_bot_score`**Type**: `BOOLEAN`**Provider name**: `useSmsBotScore`**Description**: Whether to use the rCE bot score for reCAPTCHA phone provider. Can only be true when the phone_enforcement_state is AUDIT or ENFORCE.
- `use_sms_toll_fraud_protection`**Type**: `BOOLEAN`**Provider name**: `useSmsTollFraudProtection`**Description**: Whether to use the rCE sms toll fraud protection risk score for reCAPTCHA phone provider. Can only be true when the phone_enforcement_state is AUDIT or ENFORCE.

## `region_id`{% #region_id %}

**Type**: `STRING`

## `resource_name`{% #resource_name %}

**Type**: `STRING`

## `sms_region_config`{% #sms_region_config %}

**Type**: `STRUCT`**Provider name**: `smsRegionConfig`**Description**: Configures which regions are enabled for SMS verification code sending.

- `allow_by_default`**Type**: `STRUCT`**Provider name**: `allowByDefault`**Description**: A policy of allowing SMS to every region by default and adding disallowed regions to a disallow list.
  - `disallowed_regions`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `disallowedRegions`**Description**: Two letter unicode region codes to disallow as defined by [https://cldr.unicode.org/](https://cldr.unicode.org/) The full list of these region codes is here: [https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json](https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json)
- `allowlist_only`**Type**: `STRUCT`**Provider name**: `allowlistOnly`**Description**: A policy of only allowing regions by explicitly adding them to an allowlist.
  - `allowed_regions`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `allowedRegions`**Description**: Two letter unicode region codes to allow as defined by [https://cldr.unicode.org/](https://cldr.unicode.org/) The full list of these region codes is here: [https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json](https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json)

## `tags`{% #tags %}

**Type**: `UNORDERED_LIST_STRING`

## `zone_id`{% #zone_id %}

**Type**: `STRING`