2018-08-20 23:46:13 +00:00
---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
layout: "google"
page_title: "Google: google_binary_authorization_policy"
sidebar_current: "docs-google-binary-authorization-policy"
description: |-
  A policy for container image binary authorization.
---

# google\_binary\_authorization\_policy

A policy for container image binary authorization.

~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider.
See [Provider Versions](https://terraform.io/docs/providers/google/provider_versions.html) for more details on beta resources.

To get more information about Policy, see:

* [API documentation](https://cloud.google.com/binary-authorization/docs/reference/rest/)
* How-to Guides
    * [Official Documentation](https://cloud.google.com/binary-authorization/)

## Example Usage

```hcl
resource "google_binary_authorization_policy" "policy" {
  # Images whose name matches a whitelist pattern are admitted without any
  # attestation check, so keep these patterns as narrow as possible.
  admission_whitelist_patterns {
    name_pattern = "gcr.io/google_containers/*"
  }

  # Applies to every cluster that has no per-cluster rule below.
  default_admission_rule {
    evaluation_mode  = "ALWAYS_ALLOW"
    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
  }

  # Per-cluster rule; the cluster identifier is {{location}}.{{clusterId}}.
  cluster_admission_rules {
    cluster                 = "us-central1-a.prod-cluster"
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
  }
}

# The attestor must exist before the policy can reference it; it is backed
# by a Container Analysis note.
resource "google_container_analysis_note" "note" {
  name = "test-attestor-note"
  attestation_authority {
    hint {
      human_readable_name = "My attestor"
    }
  }
}

resource "google_binary_authorization_attestor" "attestor" {
  name = "test-attestor"
  attestation_authority_note {
    note_reference = "${google_container_analysis_note.note.name}"
  }
}
```
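The policy in the example above fails open: its `default_admission_rule` is `ALWAYS_ALLOW`, so any cluster that has no per-cluster rule (including a cluster created after the policy) admits any image, and the whitelist pattern exempts an entire registry namespace from attestation. The following fail-closed variant is an added example, not code from the provider documentation. It assumes the `google_binary_authorization_attestor.attestor` resource from the example above; the project id `shared-security-prod`, the attestor name `qa-attestor` and the cluster names are hypothetical placeholders. `DRYRUN_AUDIT_LOG_ONLY` is the other enforcement mode offered by the Binary Authorization API (not shown on this page); it is used on a staging cluster so denials are only logged until the attestation pipeline has been proven out.

```hcl
# Added example (not from the provider docs): a fail-closed policy.
# Assumes google_binary_authorization_attestor.attestor from the example above.
# "shared-security-prod", "qa-attestor" and the cluster names are placeholders.

resource "google_binary_authorization_policy" "policy" {
  # A matching image bypasses every admission rule below, so whitelist a
  # single image path rather than a whole namespace. The trailing "*" (the
  # only wildcard position the API allows) keeps any tag or digest of it.
  admission_whitelist_patterns {
    name_pattern = "gcr.io/google_containers/pause-amd64*"
  }

  # Fail closed: clusters without a per-cluster rule, including clusters
  # created after this policy, must present an attestation. With
  # REQUIRE_ATTESTATION, require_attestations_by must be non-empty.
  default_admission_rule {
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
  }

  # Regional production cluster: identifier is {{location}}.{{clusterId}},
  # so a regional cluster uses "us-central1" where a zonal one uses
  # "us-central1-a". Two attestors are required; the second is owned by
  # another project and therefore referenced as projects/*/attestors/*.
  cluster_admission_rules {
    cluster          = "us-central1.prod-cluster"
    evaluation_mode  = "REQUIRE_ATTESTATION"
    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"

    require_attestations_by = [
      "${google_binary_authorization_attestor.attestor.name}",
      "projects/shared-security-prod/attestors/qa-attestor",
    ]
  }

  # Staging cluster: same attestation requirement, but denials are only
  # written to the audit log, so the pipeline can be validated before
  # enforcement is switched on.
  cluster_admission_rules {
    cluster                 = "us-central1-a.staging-cluster"
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = "DRYRUN_AUDIT_LOG_ONLY"
    require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
  }
}
```

Apply it with the same beta provider as the example above. Note that the dry-run rule still needs a non-empty `require_attestations_by`: the evaluation mode, not the enforcement mode, decides whether attestations are looked up, and the enforcement mode only decides what happens when the lookup fails.
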
## Argument Reference

The following arguments are supported:


* `default_admission_rule` -
  (Required)
  Default admission rule for a cluster without a per-cluster admission
  rule. It also covers clusters created after the policy, so it decides
  whether the policy fails open or closed. Structure is documented below.


The `default_admission_rule` block supports:

* `evaluation_mode` -
  (Required)
  How this admission rule will be evaluated: require that every image in
  the pod is attested (`REQUIRE_ATTESTATION`), allow every pod
  (`ALWAYS_ALLOW`), or deny every pod (`ALWAYS_DENY`).

* `require_attestations_by` -
  (Optional)
  The resource names of the attestors that must attest to a
  container image. If the attestor is in a different project from the
  policy, it should be specified in the format `projects/*/attestors/*`.
  Each attestor must exist before a policy can reference it. To add an
  attestor to a policy the principal issuing the policy change
  request must be able to read the attestor resource.
  Note: this field must be non-empty when the evaluation_mode field
  specifies REQUIRE_ATTESTATION, otherwise it must be empty.

* `enforcement_mode` -
  (Required)
  The action when a pod creation is denied by the admission rule:
  `ENFORCED_BLOCK_AND_AUDIT_LOG` blocks the pod and writes an audit log
  entry; `DRYRUN_AUDIT_LOG_ONLY` only writes the audit log entry and lets
  the pod run.

- - -


* `description` -
  (Optional)
  A descriptive comment.

* `admission_whitelist_patterns` -
  (Optional)
  A whitelist of image patterns to exclude from admission rules. If an
  image's name matches a whitelist pattern, the image's admission
  requests will always be permitted regardless of your admission rules,
  including a `REQUIRE_ATTESTATION` rule, so every pattern is an
  unconditional exception to the policy. Structure is documented below.

* `cluster_admission_rules` -
  (Optional)
  Per-cluster admission rules. An admission rule specifies either that
  all container images used in a pod creation request must be attested
  to by one or more attestors, that all pod creations will be allowed,
  or that all pod creations will be denied. There can be at most one
  admission rule per cluster spec.

  Identifier format: `{{location}}.{{clusterId}}`.
  A location is either a compute zone (e.g. `us-central1-a`) or a region
  (e.g. `us-central1`). Structure is documented below.

* `project` - (Optional) The ID of the project in which the resource belongs.
  If it is not provided, the provider project is used.


The `admission_whitelist_patterns` block supports:

* `name_pattern` -
  (Optional)
  An image name pattern to whitelist, in the form
  `registry/path/to/image`. This supports a trailing * as a
  wildcard, but this is allowed only in text after the registry/
  part.

The `cluster_admission_rules` block supports:

* `cluster` - (Required) The identifier for this object. Format specified above.

* `evaluation_mode` -
  (Optional)
  How this admission rule will be evaluated: `REQUIRE_ATTESTATION`,
  `ALWAYS_ALLOW` or `ALWAYS_DENY`, as for `default_admission_rule`.

* `require_attestations_by` -
  (Optional)
  The resource names of the attestors that must attest to a
  container image. If the attestor is in a different project from the
  policy, it should be specified in the format `projects/*/attestors/*`.
  Each attestor must exist before a policy can reference it. To add an
  attestor to a policy the principal issuing the policy change
  request must be able to read the attestor resource.
  Note: this field must be non-empty when the evaluation_mode field
  specifies REQUIRE_ATTESTATION, otherwise it must be empty.

* `enforcement_mode` -
  (Optional)
  The action when a pod creation is denied by the admission rule:
  `ENFORCED_BLOCK_AND_AUDIT_LOG` or `DRYRUN_AUDIT_LOG_ONLY`, as for
  `default_admission_rule`.


## Import

Policy can be imported using any of these accepted formats:

```
$ terraform import google_binary_authorization_policy.default projects/{{project}}
$ terraform import google_binary_authorization_policy.default {{project}}
```