---
# ----------------------------------------------------------------------------
#
#     ***     AUTO GENERATED CODE    ***    AUTO GENERATED CODE     ***
#
# ----------------------------------------------------------------------------
#
#     This file is automatically generated by Magic Modules and manual
#     changes will be clobbered when the file is regenerated.
#
#     Please read more about how to change this file in
#     .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
layout: "google"
page_title: "Google: google_binary_authorization_policy"
sidebar_current: "docs-google-binary-authorization-policy"
description: |-
  A policy for container image binary authorization.
---

# google\_binary\_authorization\_policy

A policy for container image binary authorization. Each project has exactly one
policy; it is only enforced on GKE clusters that have Binary Authorization
enabled.

To get more information about Policy, see:

* [API documentation](https://cloud.google.com/binary-authorization/docs/reference/rest/)
* How-to Guides
    * [Official Documentation](https://cloud.google.com/binary-authorization/)

## Example Usage

```hcl
resource "google_container_analysis_note" "note" {
  name = "test-attestor-note"
  attestation_authority {
    hint {
      human_readable_name = "My attestor"
    }
  }
}

resource "google_binary_authorization_attestor" "attestor" {
  name = "test-attestor"
  attestation_authority_note {
    note_reference = "${google_container_analysis_note.note.name}"
  }
}

resource "google_binary_authorization_policy" "policy" {
  admission_whitelist_patterns {
    name_pattern = "gcr.io/google_containers/*"
  }

  default_admission_rule {
    evaluation_mode  = "ALWAYS_ALLOW"
    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
  }

  cluster_admission_rules {
    cluster                 = "us-central1-a.prod-cluster"
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
  }
}
```

Note that the default rule in this example is `ALWAYS_ALLOW`: only
`prod-cluster` requires an attestation, and every other cluster in the project,
including clusters created later, admits any image. A policy that is meant to
fail closed should use `ALWAYS_DENY` or `REQUIRE_ATTESTATION` as the default
and grant exceptions per cluster.

## Argument Reference

The following arguments are supported:


* `default_admission_rule` -
  (Required)
  Default admission rule for a cluster without a per-cluster admission
  rule.  Structure is documented below.


The `default_admission_rule` block supports:

* `evaluation_mode` -
  (Required)
  How this admission rule will be evaluated. One of `ALWAYS_ALLOW`,
  `REQUIRE_ATTESTATION` or `ALWAYS_DENY`.

* `require_attestations_by` -
  (Optional)
  The resource names of the attestors that must attest to
  a container image. If the attestor is in a different project from the
  policy, it should be specified in the format `projects/*/attestors/*`.
  Each attestor must exist before a policy can reference it. To add an
  attestor to a policy the principal issuing the policy change request
  must be able to read the attestor resource.

  Note: this field must be non-empty when the evaluation_mode field
  specifies REQUIRE_ATTESTATION, otherwise it must be empty.

* `enforcement_mode` -
  (Required)
  The action when a pod creation is denied by the admission rule.
  `ENFORCED_BLOCK_AND_AUDIT_LOG` rejects the pod and writes an audit log
  entry; `DRYRUN_AUDIT_LOG_ONLY` admits the pod and only writes the audit
  log entry, which is useful for validating a rule before enforcing it.

- - -


* `description` -
  (Optional)
  A descriptive comment.

* `admission_whitelist_patterns` -
  (Optional)
  Admission policy whitelisting. A matching admission request will
  always be permitted, regardless of the default and per-cluster rules.
  This feature is typically used to exclude Google or third-party
  infrastructure images from Binary Authorization policies. Because a
  matching image skips attestation entirely, keep patterns as narrow as
  possible.  Structure is documented below.

* `cluster_admission_rules` -
  (Optional)
  Per-cluster admission rules. An admission rule specifies either that
  all container images used in a pod creation request must be attested
  to by one or more attestors, that all pod creations will be allowed,
  or that all pod creations will be denied. There can be at most one
  admission rule per cluster spec. Identifier format:
  `{{location}}.{{clusterId}}`. A location is either a compute zone or
  region, e.g. `us-central1-a` or `us-central1`.  Structure is documented below.

* `project` - (Optional) The ID of the project in which the resource belongs.
    If it is not provided, the provider project is used.


The `admission_whitelist_patterns` block supports:

* `name_pattern` -
  (Optional)
  An image name pattern to whitelist, in the form
  `registry/path/to/image`. This supports a trailing * as a
  wildcard, but this is allowed only in text after the registry/
  part.

The `cluster_admission_rules` block supports:

* `cluster` -
  (Required)
  The identifier for this object, in the format `{{location}}.{{clusterId}}`
  described above.

* `evaluation_mode` -
  (Required)
  How this admission rule will be evaluated. One of `ALWAYS_ALLOW`,
  `REQUIRE_ATTESTATION` or `ALWAYS_DENY`.

* `require_attestations_by` -
  (Optional)
  The resource names of the attestors that must attest to
  a container image. If the attestor is in a different project from the
  policy, it should be specified in the format `projects/*/attestors/*`.
  Each attestor must exist before a policy can reference it. To add an
  attestor to a policy the principal issuing the policy change request
  must be able to read the attestor resource.

  Note: this field must be non-empty when the evaluation_mode field
  specifies REQUIRE_ATTESTATION, otherwise it must be empty.

* `enforcement_mode` -
  (Required)
  The action when a pod creation is denied by the admission rule. One of
  `ENFORCED_BLOCK_AND_AUDIT_LOG` or `DRYRUN_AUDIT_LOG_ONLY`.

## Import

Policy can be imported using any of these accepted formats (there is a single
policy per project, so the import ID is just the project):

```
$ terraform import google_binary_authorization_policy.default projects/{{project}}
$ terraform import google_binary_authorization_policy.default {{project}}
```
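As an added example that is not part of the generated provider documentation, the following policy is a fail-closed variant of the one in Example Usage above. The default rule denies every pod creation on clusters that have no per-cluster rule, the production cluster requires an attestation, and a staging cluster evaluates the same requirement in dry-run mode so the audit log shows what would be blocked before enforcement is switched on. The cluster names, the registry path and the attestor names are placeholders; only the resource types and arguments documented above are used.

```hcl
# Added example, not from the provider docs. Cluster identifiers, the
# registry path and the attestor names are placeholders.

resource "google_container_analysis_note" "note" {
  name = "build-attestor-note"
  attestation_authority {
    hint {
      human_readable_name = "CI build attestor"
    }
  }
}

resource "google_binary_authorization_attestor" "attestor" {
  name = "build-attestor"
  attestation_authority_note {
    note_reference = "${google_container_analysis_note.note.name}"
  }
}

resource "google_binary_authorization_policy" "policy" {
  description = "Fail closed: unattested images are rejected on every cluster"

  # Exempted images skip attestation on every cluster, so the pattern names
  # one image path rather than a whole registry or project (never "gcr.io/*").
  admission_whitelist_patterns {
    name_pattern = "gcr.io/my-project/infra-agent*"
  }

  # Any cluster without its own rule, including clusters created after this
  # policy, falls through to ALWAYS_DENY: nothing but exempted images runs.
  default_admission_rule {
    evaluation_mode  = "ALWAYS_DENY"
    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
  }

  # Production: every image must be attested by the attestor above;
  # anything else is blocked and written to the audit log.
  cluster_admission_rules {
    cluster                 = "us-central1-a.prod-cluster"
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
  }

  # Staging: same requirement, but DRYRUN_AUDIT_LOG_ONLY admits the pod and
  # only logs the denial, so the signing pipeline can be validated first.
  cluster_admission_rules {
    cluster                 = "us-central1-a.staging-cluster"
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = "DRYRUN_AUDIT_LOG_ONLY"
    require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
  }
}
```

Two things to check before applying a policy like this. First, the policy only takes effect on clusters that have Binary Authorization enabled, so a cluster created without it is not protected regardless of what the policy says. Second, a fail-closed default also blocks Google's own infrastructure images on any cluster the default rule covers unless they are covered by an exemption; the `gcr.io/google_containers/*` pattern in Example Usage above exists for exactly that reason, so run the default rule with `DRYRUN_AUDIT_LOG_ONLY` first and read the audit log before switching it to `ENFORCED_BLOCK_AND_AUDIT_LOG`.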