public/terraform-provider-google
0
0
Fork 0
mirror of https://github.com/letic/terraform-provider-google.git synced 2024-07-23 10:05:59 +00:00
Code Issues Projects Releases Wiki Activity
aa0c53245e
terraform-provider-google/website/docs/r/binaryauthorization_policy.html.markdown
Nathan McKinley 902675c324 Reverting 1.20 and 1.19 cherrypick branches.
2018-12-20 17:22:22 -08:00

5.5 KiB
Raw Blame History

layout page_title sidebar_current description
google Google: google_binary_authorization_policy docs-google-binary-authorization-policy A policy for container image binary authorization.

google_binary_authorization_policy

A policy for container image binary authorization.

~> Warning: This resource is in beta, and should be used with the terraform-provider-google-beta provider. See Provider Versions for more details on beta resources.

To get more information about Policy, see:

Example Usage

resource "google_binary_authorization_policy" "policy" {
  admission_whitelist_patterns {
    name_pattern= "gcr.io/google_containers/*"
  }

  default_admission_rule {
    evaluation_mode = "ALWAYS_ALLOW"
    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
  }

  cluster_admission_rules {
    cluster = "us-central1-a.prod-cluster"
    evaluation_mode = "REQUIRE_ATTESTATION"
    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
  }
}

resource "google_container_analysis_note" "note" {
  name = "test-attestor-note"
  attestation_authority {
    hint {
      human_readable_name = "My attestor"
    }
  }
}

resource "google_binary_authorization_attestor" "attestor" {
  name = "test-attestor"
  attestation_authority_note {
    note_reference = "${google_container_analysis_note.note.name}"
  }
}

Argument Reference

The following arguments are supported:

  • default_admission_rule - (Required) Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

The default_admission_rule block supports:

  • evaluation_mode - (Required) How this admission rule will be evaluated.

  • require_attestations_by - (Optional) The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

  • enforcement_mode - (Required) The action when a pod creation is denied by the admission rule.

  • description - (Optional) A descriptive comment.

  • admission_whitelist_patterns - (Optional) A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules. Structure is documented below.

  • cluster_admission_rules - (Optional) Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec.

    Identifier format: {{location}}.{{clusterId}}. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). Structure is documented below.

  • project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The admission_whitelist_patterns block supports:

  • name_pattern - (Optional) An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

The cluster_admission_rules block supports:

  • cluster - (Required) The identifier for this object. Format specified above.

  • evaluation_mode - (Optional) How this admission rule will be evaluated.

  • require_attestations_by - (Optional) The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

  • enforcement_mode - (Optional) The action when a pod creation is denied by the admission rule.

Import

Policy can be imported using any of these accepted formats:

$ terraform import google_binary_authorization_policy.default projects/{{project}}
$ terraform import google_binary_authorization_policy.default {{project}}