---
title: Getting Started with Datadog
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Infrastructure > Datadog Resource Catalog
---

# gcp_networksecurity_server_tls_policy{% #gcp_networksecurity_server_tls_policy %}

## `allow_open`{% #allow_open %}

**Type**: `BOOLEAN`**Provider name**: `allowOpen`**Description**: This field applies only for Traffic Director policies. It is must be set to false for Application Load Balancer policies. Determines if server allows plaintext connections. If set to true, server allows plain text connections. By default, it is set to false. This setting is not exclusive of other encryption modes. For example, if `allow_open` and `mtls_policy` are set, server allows both plain text and mTLS connections. See documentation of other encryption modes to confirm compatibility. Consider using it if you wish to upgrade in place your deployment to TLS while having mixed TLS and non-TLS traffic reaching port :80.

## `ancestors`{% #ancestors %}

**Type**: `UNORDERED_LIST_STRING`

## `create_time`{% #create_time %}

**Type**: `TIMESTAMP`**Provider name**: `createTime`**Description**: Output only. The timestamp when the resource was created.

## `description`{% #description %}

**Type**: `STRING`**Provider name**: `description`**Description**: Free-text description of the resource.

## `labels`{% #labels %}

**Type**: `UNORDERED_LIST_STRING`

## `mtls_policy`{% #mtls_policy %}

**Type**: `STRUCT`**Provider name**: `mtlsPolicy`**Description**: This field is required if the policy is used with Application Load Balancers. This field can be empty for Traffic Director. Defines a mechanism to provision peer validation certificates for peer to peer authentication (Mutual TLS - mTLS). If not specified, client certificate will not be requested. The connection is treated as TLS and not mTLS. If `allow_open` and `mtls_policy` are set, server allows both plain text and mTLS connections.

- `client_validation_ca`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `clientValidationCa`**Description**: Required if the policy is to be used with Traffic Director. For Application Load Balancers it must be empty. Defines the mechanism to obtain the Certificate Authority certificate to validate the client certificate.
  - `certificate_provider_instance`**Type**: `STRUCT`**Provider name**: `certificateProviderInstance`**Description**: The certificate provider instance specification that will be passed to the data plane, which will be used to load necessary credential information.
    - `plugin_instance`**Type**: `STRING`**Provider name**: `pluginInstance`**Description**: Required. Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance.
  - `grpc_endpoint`**Type**: `STRUCT`**Provider name**: `grpcEndpoint`**Description**: gRPC specific configuration to access the gRPC server to obtain the CA certificate.
    - `target_uri`**Type**: `STRING`**Provider name**: `targetUri`**Description**: Required. The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:".
- `client_validation_mode`**Type**: `STRING`**Provider name**: `clientValidationMode`**Description**: When the client presents an invalid certificate or no certificate to the load balancer, the `client_validation_mode` specifies how the client connection is handled. Required if the policy is to be used with the Application Load Balancers. For Traffic Director it must be empty.**Possible values**:
  - `CLIENT_VALIDATION_MODE_UNSPECIFIED` - Not allowed.
  - `ALLOW_INVALID_OR_MISSING_CLIENT_CERT` - Allow connection even if certificate chain validation of the client certificate failed or no client certificate was presented. The proof of possession of the private key is always checked if client certificate was presented. This mode requires the backend to implement processing of data extracted from a client certificate to authenticate the peer, or to reject connections if the client certificate fingerprint is missing.
  - `REJECT_INVALID` - Require a client certificate and allow connection to the backend only if validation of the client certificate passed. If set, requires a reference to non-empty TrustConfig specified in `client_validation_trust_config`.
- `client_validation_trust_config`**Type**: `STRING`**Provider name**: `clientValidationTrustConfig`**Description**: Reference to the TrustConfig from certificatemanager.googleapis.com namespace. If specified, the chain validation will be performed against certificates configured in the given TrustConfig. Allowed only if the policy is to be used with Application Load Balancers.

## `name`{% #name %}

**Type**: `STRING`**Provider name**: `name`**Description**: Required. Name of the ServerTlsPolicy resource. It matches the pattern `projects/*/locations/{location}/serverTlsPolicies/{server_tls_policy}`

## `organization_id`{% #organization_id %}

**Type**: `STRING`

## `parent`{% #parent %}

**Type**: `STRING`

## `project_id`{% #project_id %}

**Type**: `STRING`

## `project_number`{% #project_number %}

**Type**: `STRING`

## `region_id`{% #region_id %}

**Type**: `STRING`

## `resource_name`{% #resource_name %}

**Type**: `STRING`

## `server_certificate`{% #server_certificate %}

**Type**: `STRUCT`**Provider name**: `serverCertificate`**Description**: Optional if policy is to be used with Traffic Director. For Application Load Balancers must be empty. Defines a mechanism to provision server identity (public and private keys). Cannot be combined with `allow_open` as a permissive mode that allows both plain text and TLS is not supported.

- `certificate_provider_instance`**Type**: `STRUCT`**Provider name**: `certificateProviderInstance`**Description**: The certificate provider instance specification that will be passed to the data plane, which will be used to load necessary credential information.
  - `plugin_instance`**Type**: `STRING`**Provider name**: `pluginInstance`**Description**: Required. Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance.
- `grpc_endpoint`**Type**: `STRUCT`**Provider name**: `grpcEndpoint`**Description**: gRPC specific configuration to access the gRPC server to obtain the cert and private key.
  - `target_uri`**Type**: `STRING`**Provider name**: `targetUri`**Description**: Required. The target URI of the gRPC endpoint. Only UDS path is supported, and should start with "unix:".

## `tags`{% #tags %}

**Type**: `UNORDERED_LIST_STRING`

## `update_time`{% #update_time %}

**Type**: `TIMESTAMP`**Provider name**: `updateTime`**Description**: Output only. The timestamp when the resource was updated.

## `zone_id`{% #zone_id %}

**Type**: `STRING`