---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
layout: "google"
page_title: "Google: google_binary_authorization_attestor"
sidebar_current: "docs-google-binary-authorization-attestor"
description: |-
  An attestor that attests to container image artifacts.
---

# google\_binary\_authorization\_attestor

An attestor that attests to container image artifacts.

~> **Warning:** This resource is in beta, and should be used with the terraform-provider-google-beta provider.
See [Provider Versions](https://terraform.io/docs/providers/google/provider_versions.html) for more details on beta resources.

To get more information about Attestor, see:

* [API documentation](https://cloud.google.com/binary-authorization/docs/reference/rest/)
* How-to Guides
    * [Official Documentation](https://cloud.google.com/binary-authorization/)

## Example Usage

```hcl
resource "google_binary_authorization_attestor" "attestor" {
  name = "test-attestor"
  attestation_authority_note {
    note_reference = "${google_container_analysis_note.note.name}"
    public_keys {
      ascii_armored_pgp_public_key = <<EOF
mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl
bB7Iu2ezkECNzoEeU7WxUe8a61pMCh9cisS9H5mB2K2uM4Jnf8tgFeXn3akJDVo0
oR1IC+Dp9mXbRSK3MAvKkOwWlG99sx3uEdvmeBRHBOO+grchLx24EThXFOyP9Fk6
V39j6xMjw4aggLD15B4V0v9JqBDdJiIYFzszZDL6pJwZrzcP0z8JO4rTZd+f64bD
Mpj52j/pQfA8lZHOaAgb1OrthLdMrBAjoDjArV4Ek7vSbrcgYWcI6BhsQrFoxKdX
83TZKai55ZCfCLIskwUIzA1NLVwyzCS+fSN/ABEBAAG0KCJUZXN0IEF0dGVzdG9y
IiA8ZGFuYWhvZmZtYW5AZ29vZ2xlLmNvbT6JAU4EEwEIADgWIQRfWkqHt6hpTA1L
uY060eeM4dc66AUCW0/R2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA6
0eeM4dc66HdpCAC4ot3b0OyxPb0Ip+WT2U0PbpTBPJklesuwpIrM4Lh0N+1nVRLC
51WSmVbM8BiAFhLbN9LpdHhds1kUrHF7+wWAjdR8sqAj9otc6HGRM/3qfa2qgh+U
WTEk/3us/rYSi7T7TkMuutRMIa1IkR13uKiW56csEMnbOQpn9rDqwIr5R8nlZP5h
MAU9vdm1DIv567meMqTaVZgR3w7bck2P49AO8lO5ERFpVkErtu/98y+rUy9d789l
+OPuS1NGnxI1YKsNaWJF4uJVuvQuZ1twrhCbGNtVorO2U12+cEq+YtUxj7kmdOC1
qoIRW6y0+UlAc+MbqfL0ziHDOAmcqz1GnROg
=6Bvm
EOF
    }
  }
}

resource "google_container_analysis_note" "note" {
  name = "test-attestor-note"
  attestation_authority {
    hint {
      human_readable_name = "Attestor Note"
    }
  }
}
```

## Argument Reference

The following arguments are supported:

* `name` -
  (Required)
  The resource name.

* `attestation_authority_note` -
  (Required)
  A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.

The `attestation_authority_note` block supports:

* `note_reference` -
  (Required)
  The resource name of an ATTESTATION_AUTHORITY Note, created by the
  user. If the Note is in a different project from the Attestor, it
  should be specified in the format `projects/*/notes/*` (or the legacy
  `providers/*/notes/*`). This field may not be updated.
  An attestation by this attestor is stored as a Container Analysis
  ATTESTATION_AUTHORITY Occurrence that names a container image
  and that links to this Note.

* `public_keys` -
  (Optional)
  Public keys that verify attestations signed by this attestor. This
  field may be updated.
  If this field is non-empty, one of the specified public keys must
  verify that an attestation was signed by this attestor for the
  image specified in the admission request.
  If this field is empty, this attestor always returns that no valid
  attestations exist. Structure is documented below.

* `delegation_service_account_email` -
  This field will contain the service account email address that
  this Attestor will use as the principal when querying Container
  Analysis. Attestor administrators must grant this service account
  the IAM role needed to read attestations from the noteReference in
  Container Analysis (containeranalysis.notes.occurrences.viewer).
  This email address is fixed for the lifetime of the Attestor, but
  callers should not make any other assumptions about the service
  account email; future versions may use an email based on a
  different naming pattern.

The `public_keys` block supports:

* `comment` -
  (Optional)
  A descriptive comment. This field may be updated.

* `id` -
  This field will be overwritten with key ID information, for
  example, an identifier extracted from a PGP public key. This
  field may not be updated.

* `ascii_armored_pgp_public_key` -
  (Required)
  ASCII-armored representation of a PGP public key, as the
  entire output of the command
  `gpg --export --armor foo@example.com` (either LF or CRLF
  line endings).
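
A pre-flight check for the `ascii_armored_pgp_public_key` value, as an added example that is not part of the provider or its documentation: it confirms the text is one complete public key block (not a private key block), verifies the armor CRC-24 when present, and returns the v4 fingerprint of the first key packet for comparison with `gpg --fingerprint`. The function names and the constructed dummy packet are assumptions of this example; only old-format packet headers, which GnuPG writes for key packets, are handled.

```python
import base64
import hashlib

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """CRC-24 over the decoded armor body (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(raw: bytes) -> str:
    """Armor raw packets like `gpg --armor`; used here to build the sample."""
    b64 = base64.b64encode(raw).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", *rows, "=" + crc, END, ""])

def check_public_key(text: str) -> str:
    """Return the v4 fingerprint of the first key packet, or raise ValueError."""
    lines = [ln.strip() for ln in text.strip().splitlines()]  # LF or CRLF
    if len(lines) < 2 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not one complete PGP PUBLIC KEY BLOCK")
    body = lines[1:-1]
    if "" in body:  # armor headers (Version:, Comment:) end at a blank line
        body = body[body.index("") + 1:]
    crc = body.pop() if body and body[-1].startswith("=") else None
    raw = base64.b64decode("".join(body), validate=True)  # ValueError if corrupt
    if crc and int.from_bytes(base64.b64decode(crc[1:]), "big") != crc24(raw):
        raise ValueError("CRC-24 mismatch: key text altered or truncated")
    # Old-format header byte is 10TTTTLL: tag in bits 5-2, length type in bits 1-0.
    if len(raw) < 4 or (raw[0] & 0xC0) != 0x80 or (raw[0] & 3) > 1:
        raise ValueError("expected old-format header with 1- or 2-byte length")
    size = 1 << (raw[0] & 3)  # length field is 1 or 2 bytes
    length = int.from_bytes(raw[1:1 + size], "big")
    packet = raw[1 + size:1 + size + length]
    if ((raw[0] >> 2) & 0x0F) != 6 or packet[:1] != b"\x04" or len(packet) != length:
        raise ValueError("first packet is not a complete v4 public key")
    return hashlib.sha1(b"\x99" + length.to_bytes(2, "big") + packet).hexdigest().upper()

# Constructed sample: a 12-byte dummy v4 key packet body, not a usable key.
SAMPLE_BODY = b"\x04[O\xd1\xda\x01" + bytes(6)
SAMPLE = armor(b"\x99" + len(SAMPLE_BODY).to_bytes(2, "big") + SAMPLE_BODY)
```

Calling `check_public_key()` on the exact text placed in the heredoc catches a truncated paste or a stray edit before `terraform apply` sends the key to the API.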

- - -

* `description` -
  (Optional)
  A descriptive comment. This field may be updated. The field may be
  displayed in chooser dialogs.
* `project` - (Optional) The ID of the project in which the resource belongs.
    If it is not provided, the provider project is used.

## Import

Attestor can be imported using any of these accepted formats:

```
$ terraform import google_binary_authorization_attestor.default projects/{{project}}/attestors/{{name}}
$ terraform import google_binary_authorization_attestor.default {{project}}/{{name}}
$ terraform import google_binary_authorization_attestor.default {{name}}
```