terraform-provider-google/website/docs/r/binaryauthorization_policy.html.markdown
The Magician 3ff7ccca7c Add Policy, Attestor, and Note resources for Binary Authorization (#1885)
<!-- This change is generated by MagicModules. -->
/cc @danawillow
2018-08-20 16:46:13 -07:00


---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
layout: "google"
page_title: "Google: google_binary_authorization_policy"
sidebar_current: "docs-google-binary-authorization-policy"
description: |-
  A policy for container image binary authorization.
---
# google\_binary\_authorization\_policy
A policy for container image binary authorization.
To get more information about Policy, see:
* [API documentation](https://cloud.google.com/binary-authorization/docs/reference/rest/)
* How-to Guides
    * [Official Documentation](https://cloud.google.com/binary-authorization/)
## Example Usage
```hcl
resource "google_container_analysis_note" "note" {
  name = "test-attestor-note"
  attestation_authority {
    hint {
      human_readable_name = "My attestor"
    }
  }
}

resource "google_binary_authorization_attestor" "attestor" {
  name = "test-attestor"
  attestation_authority_note {
    note_reference = "${google_container_analysis_note.note.name}"
  }
}

resource "google_binary_authorization_policy" "policy" {
  admission_whitelist_patterns {
    name_pattern = "gcr.io/google_containers/*"
  }

  default_admission_rule {
    evaluation_mode  = "ALWAYS_ALLOW"
    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
  }

  cluster_admission_rules {
    cluster                 = "us-central1-a.prod-cluster"
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
  }
}
```
## Argument Reference
The following arguments are supported:
* `default_admission_rule` -
(Required)
Default admission rule for a cluster without a per-cluster admission
rule. Structure is documented below.
The `default_admission_rule` block supports:
* `evaluation_mode` -
(Required)
How this admission rule will be evaluated.
* `require_attestations_by` -
(Optional)
The resource names of the attestors that must attest to a
container image. If the attestor is in a different project from the
policy, it should be specified in the format `projects/*/attestors/*`.
Each attestor must exist before a policy can reference it. To add an
attestor to a policy the principal issuing the policy change
request must be able to read the attestor resource.
Note: this field must be non-empty when the evaluation_mode field
specifies REQUIRE_ATTESTATION, otherwise it must be empty.
* `enforcement_mode` -
(Required)
The action when a pod creation is denied by the admission rule.
- - -
* `description` -
(Optional)
A descriptive comment.
* `admission_whitelist_patterns` -
(Optional)
Admission policy whitelisting. A matching admission request will
always be permitted. This feature is typically used to exclude Google
or third-party infrastructure images from Binary Authorization
policies. Structure is documented below.
* `cluster_admission_rules` -
(Optional)
Per-cluster admission rules. Each rule applies to the cluster named in its
`cluster` key (see the example above) and overrides `default_admission_rule`
for that cluster; clusters without a matching rule fall back to the default
rule. Structure is documented below.
* `project` - (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.
The `admission_whitelist_patterns` block supports:
* `name_pattern` -
(Optional)
An image name pattern to whitelist, in the form
`registry/path/to/image`. A trailing `*` is supported as a
wildcard, but only in the text after the `registry/` part; a
whitelisted image bypasses every admission rule, so keep patterns as
narrow as the exempted images allow.
The `cluster_admission_rules` block supports:
* `evaluation_mode` -
(Optional)
How this admission rule will be evaluated.
* `require_attestations_by` -
(Optional)
The resource names of the attestors that must attest to a
container image. If the attestor is in a different project from the
policy, it should be specified in the format `projects/*/attestors/*`.
Each attestor must exist before a policy can reference it. To add an
attestor to a policy the principal issuing the policy change
request must be able to read the attestor resource.
Note: this field must be non-empty when the evaluation_mode field
specifies REQUIRE_ATTESTATION, otherwise it must be empty.
* `enforcement_mode` -
(Optional)
The action when a pod creation is denied by the admission rule.
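The two constraints stated above, that `require_attestations_by` must be non-empty exactly when `evaluation_mode` is `REQUIRE_ATTESTATION`, and that a `name_pattern` wildcard may only be a trailing `*` after the `registry/` part, are easy to get wrong in a policy before `terraform apply` reports it. The following Go program is an added example, not provider code: it lints those two constraints and shows which image references a whitelist pattern actually exempts. The function names, the error strings and the sample image references are assumptions constructed for this example; the pattern `gcr.io/google_containers/*` and attestor name `test-attestor` come from the page's own HCL.

```go
package main

import (
	"fmt"
	"strings"
)

// ValidateRule enforces the documented coupling: require_attestations_by must be
// non-empty for REQUIRE_ATTESTATION and empty for every other evaluation_mode.
func ValidateRule(evaluationMode string, attestors []string) error {
	requires := evaluationMode == "REQUIRE_ATTESTATION"
	if requires != (len(attestors) > 0) {
		return fmt.Errorf("%s with %d attestors is inconsistent", evaluationMode, len(attestors))
	}
	return nil
}

// ValidatePattern accepts registry/path/to/image with an optional trailing "*",
// which the docs allow only in the text after the registry/ part.
func ValidatePattern(p string) error {
	slash := strings.Index(p, "/")
	if slash <= 0 || slash == len(p)-1 {
		return fmt.Errorf("%q: pattern must be registry/path", p)
	}
	if strings.Contains(p[:slash], "*") {
		return fmt.Errorf("%q: wildcard not allowed in the registry part", p)
	}
	if i := strings.Index(p[slash+1:], "*"); i != -1 && i != len(p)-slash-2 {
		return fmt.Errorf("%q: only a trailing * is allowed", p)
	}
	return nil
}

// Whitelisted reports whether image is exempted by any valid pattern: exact
// match, or prefix match for a trailing "*". Invalid patterns never match.
func Whitelisted(image string, patterns []string) bool {
	for _, p := range patterns {
		if ValidatePattern(p) != nil {
			continue
		}
		if image == p || (strings.HasSuffix(p, "*") && strings.HasPrefix(image, p[:len(p)-1])) {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(Whitelisted("gcr.io/google_containers/pause:3.1", []string{"gcr.io/google_containers/*"})) // constructed sample image; prints true
}
```

Run `ValidateRule` over every `default_admission_rule` and `cluster_admission_rules` block and `ValidatePattern` over every `admission_whitelist_patterns` entry as a pre-apply check; `Whitelisted` is useful for confirming that a pattern exempts only the infrastructure images you intended.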
## Import
Policy can be imported using any of these accepted formats:
```
$ terraform import google_binary_authorization_policy.default projects/{{project}}
$ terraform import google_binary_authorization_policy.default {{project}}
```