mirror of https://github.com/letic/terraform-provider-google.git
synced 2024-10-14 23:17:15 +00:00

---
# ----------------------------------------------------------------------------
#
#     ***     AUTO GENERATED CODE    ***    AUTO GENERATED CODE    ***
#
# ----------------------------------------------------------------------------
#
#     This file is automatically generated by Magic Modules and manual
#     changes will be clobbered when the file is regenerated.
#
#     Please read more about how to change this file in
#     .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
layout: "google"
page_title: "Google: google_binary_authorization_policy"
sidebar_current: "docs-google-binary-authorization-policy"
description: |-
  A policy for container image binary authorization.
---

# google\_binary\_authorization\_policy

A policy for container image binary authorization.

To get more information about Policy, see:

* [API documentation](https://cloud.google.com/binary-authorization/docs/reference/rest/)
* How-to Guides
    * [Official Documentation](https://cloud.google.com/binary-authorization/)

## Example Usage

```hcl
resource "google_container_analysis_note" "note" {
  name = "test-attestor-note"
  attestation_authority {
    hint {
      human_readable_name = "My attestor"
    }
  }
}

resource "google_binary_authorization_attestor" "attestor" {
  name = "test-attestor"
  attestation_authority_note {
    note_reference = "${google_container_analysis_note.note.name}"
  }
}

resource "google_binary_authorization_policy" "policy" {
  admission_whitelist_patterns {
    name_pattern = "gcr.io/google_containers/*"
  }

  default_admission_rule {
    evaluation_mode  = "ALWAYS_ALLOW"
    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
  }

  cluster_admission_rules {
    cluster                 = "us-central1-a.prod-cluster"
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
  }
}
```

## Argument Reference

The following arguments are supported:


* `default_admission_rule` -
  (Required)
  Default admission rule for a cluster without a per-cluster admission
  rule. Structure is documented below.


The `default_admission_rule` block supports:

* `evaluation_mode` -
  (Required)
  How this admission rule will be evaluated.

* `require_attestations_by` -
  (Optional)
  The resource names of the attestors that must attest to a
  container image. If the attestor is in a different project from the
  policy, it should be specified in the format `projects/*/attestors/*`.
  Each attestor must exist before a policy can reference it. To add an
  attestor to a policy the principal issuing the policy change
  request must be able to read the attestor resource.
  Note: this field must be non-empty when the evaluation_mode field
  specifies REQUIRE_ATTESTATION, otherwise it must be empty.

* `enforcement_mode` -
  (Required)
  The action when a pod creation is denied by the admission rule.

- - -


* `description` -
  (Optional)
  A descriptive comment.

* `admission_whitelist_patterns` -
  (Optional)
  Admission policy whitelisting. A matching admission request will
  always be permitted. This feature is typically used to exclude Google
  or third-party infrastructure images from Binary Authorization
  policies. Structure is documented below.

* `cluster_admission_rules` -
  (Optional)
  Per-cluster admission rules. A rule in this block applies to the named
  cluster instead of `default_admission_rule`. Structure is documented below.

* `project` - (Optional) The ID of the project in which the resource belongs.
    If it is not provided, the provider project is used.


The `admission_whitelist_patterns` block supports:

* `name_pattern` -
  (Optional)
  An image name pattern to whitelist, in the form
  `registry/path/to/image`. This supports a trailing * as a
  wildcard, but this is allowed only in text after the registry/
  part.

The `cluster_admission_rules` block supports:

* `cluster` -
  (Required)
  The cluster this rule applies to, in the `location.cluster-name` form
  shown in the example above (for example `us-central1-a.prod-cluster`).

* `evaluation_mode` -
  (Optional)
  How this admission rule will be evaluated.

* `require_attestations_by` -
  (Optional)
  The resource names of the attestors that must attest to a
  container image. If the attestor is in a different project from the
  policy, it should be specified in the format `projects/*/attestors/*`.
  Each attestor must exist before a policy can reference it. To add an
  attestor to a policy the principal issuing the policy change
  request must be able to read the attestor resource.
  Note: this field must be non-empty when the evaluation_mode field
  specifies REQUIRE_ATTESTATION, otherwise it must be empty.

* `enforcement_mode` -
  (Optional)
  The action when a pod creation is denied by the admission rule.

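The two constraints this reference states, the `name_pattern` trailing-`*` rule and the coupling between `require_attestations_by` and `evaluation_mode`, as an added example that is not provider code: it validates a policy built like the one above and evaluates an admission decision against it. The function and class names, the `ALLOW`/`BLOCK`/`AUDIT` decision strings and the attestor name `projects/my-proj/attestors/test-attestor` are constructed here, and treating a trailing `*` as matching one path element only is an assumption, not something the page states.

```python
from dataclasses import dataclass, field

def validate_name_pattern(pattern: str) -> None:
    """Documented rule: a single trailing '*' is the only wildcard, and it is
    allowed only in the text after the 'registry/' part."""
    registry, sep, path = pattern.partition("/")
    if not sep or not registry or "*" in registry:
        raise ValueError(f"{pattern!r}: need registry/path/to/image, no wildcard in registry")
    if "*" in path[:-1]:
        raise ValueError(f"{pattern!r}: '*' is only allowed as a trailing wildcard")

def image_matches(image: str, pattern: str) -> bool:
    """Assumption (not stated on the page): a trailing '*' matches the rest of one
    path element only, so it does not reach into nested repositories."""
    validate_name_pattern(pattern)
    if not pattern.endswith("*"):
        return image == pattern
    prefix = pattern[:-1]
    return image.startswith(prefix) and "/" not in image[len(prefix):]

@dataclass
class AdmissionRule:
    evaluation_mode: str             # ALWAYS_ALLOW, ALWAYS_DENY or REQUIRE_ATTESTATION
    enforcement_mode: str            # e.g. ENFORCED_BLOCK_AND_AUDIT_LOG
    require_attestations_by: list = field(default_factory=list)

    def validate(self) -> None:
        # Documented constraint: attestors are listed exactly when REQUIRE_ATTESTATION.
        need = self.evaluation_mode == "REQUIRE_ATTESTATION"
        if need != bool(self.require_attestations_by):
            raise ValueError("require_attestations_by must be non-empty iff REQUIRE_ATTESTATION")

def admit(image, cluster, attestations, default_rule, cluster_rules, whitelist):
    """Return 'ALLOW', 'BLOCK', or 'AUDIT' (denied, but the rule is not enforced).
    `attestations` maps image -> set of attestor resource names that attested it."""
    if any(image_matches(image, p) for p in whitelist):
        return "ALLOW"                                # whitelist wins over every rule
    rule = cluster_rules.get(cluster, default_rule)   # per-cluster rule, else the default
    rule.validate()
    if rule.evaluation_mode == "ALWAYS_ALLOW":
        return "ALLOW"
    if rule.evaluation_mode == "REQUIRE_ATTESTATION":
        have = attestations.get(image, set())
        if all(a in have for a in rule.require_attestations_by):
            return "ALLOW"
    return "BLOCK" if rule.enforcement_mode == "ENFORCED_BLOCK_AND_AUDIT_LOG" else "AUDIT"

DEFAULT = AdmissionRule("ALWAYS_ALLOW", "ENFORCED_BLOCK_AND_AUDIT_LOG")  # constructed sample
PROD = {"us-central1-a.prod-cluster": AdmissionRule(
    "REQUIRE_ATTESTATION", "ENFORCED_BLOCK_AND_AUDIT_LOG", ["projects/my-proj/attestors/test-attestor"])}
WHITELIST = ["gcr.io/google_containers/*"]
```

Note that with the page's `ALWAYS_ALLOW` default, an unattested image is only blocked on the cluster that has a `REQUIRE_ATTESTATION` rule; every other cluster admits it.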

## Import

Policy can be imported using any of these accepted formats:

```
$ terraform import google_binary_authorization_policy.default projects/{{project}}
$ terraform import google_binary_authorization_policy.default {{project}}
```