diff --git a/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto b/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
index 4b0e17c7..73592f8a 100644
--- a/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
+++ b/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
@@ -57,4 +57,11 @@ message SPIFFECertValidatorConfig {
 
   // This field specifies trust domains used for validating incoming X.509-SVID(s).
   repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}];
+
+  // This field specifies all trust bundles as a single DataSource. If both
+  // trust_bundles and trust_domains are specified, trust_bundles will
+  // take precedence. Currently assumes file will be a SPIFFE Trust Bundle Map.
+  // If DataSource is a file, dynamic file watching will be enabled,
+  // and updates to the specified file will trigger a refresh of the trust_bundles.
+  config.core.v3.DataSource trust_bundles = 2;
 }
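Review bot: The retained `min_items: 1` rule on `trust_domains` means a config that relies only on the new `trust_bundles` field still has to list at least one trust domain, and the comment says that entry then loses to `trust_bundles`, so an operator can read `trust_domains` as the enforced trust anchors while a separate file actually decides which SVIDs are accepted. The comment should say whether `trust_domains` is ignored entirely or merged when both are set, and what happens when a watched file is refreshed with content that does not parse; whether the last good bundle set is kept or validation fails is not visible from this hunk. Suggested addition: `// When set, trust_domains entries are ignored entirely (not merged).` and `// A failed reload keeps the previously loaded bundles.`, adjusted to whatever the validator actually does. Because the watched file becomes the root of trust and is re-read on change, the comment could also state that write access to it should be restricted like the CA material itself. The message body starts above this hunk.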