forked from hashicorp/terraform-provider-google
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add Policy, Attestor, and Note resources for Binary Authorization (ha…
…shicorp#1885) <!-- This change is generated by MagicModules. --> /cc @danawillow
- Loading branch information
1 parent
797762e
commit 956091a
Showing
26 changed files
with
501 additions
and
26 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,158 @@ | ||
--- | ||
# ---------------------------------------------------------------------------- | ||
# | ||
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** | ||
# | ||
# ---------------------------------------------------------------------------- | ||
# | ||
# This file is automatically generated by Magic Modules and manual | ||
# changes will be clobbered when the file is regenerated. | ||
# | ||
# Please read more about how to change this file in | ||
# .github/CONTRIBUTING.md. | ||
# | ||
# ---------------------------------------------------------------------------- | ||
layout: "google" | ||
page_title: "Google: google_binary_authorization_attestor" | ||
sidebar_current: "docs-google-binary-authorization-attestor" | ||
description: |- | ||
An attestor that attests to container image artifacts. | ||
--- | ||
|
||
# google\_binary\_authorization\_attestor | ||
|
||
An attestor that attests to container image artifacts. | ||
|
||
To get more information about Attestor, see: | ||
|
||
* [API documentation](https://cloud.google.com/binary-authorization/docs/reference/rest/) | ||
* How-to Guides | ||
* [Official Documentation](https://cloud.google.com/binary-authorization/) | ||
|
||
## Example Usage | ||
|
||
```hcl | ||
resource "google_container_analysis_note" "note" { | ||
name = "test-attestor-note" | ||
attestation_authority { | ||
hint { | ||
human_readable_name = "Attestor Note" | ||
} | ||
} | ||
} | ||
resource "google_binary_authorization_attestor" "attestor" { | ||
name = "test-attestor" | ||
attestation_authority_note { | ||
note_reference = "${google_container_analysis_note.note.name}" | ||
public_keys { | ||
ascii_armored_pgp_public_key = <<EOF | ||
mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl | ||
bB7Iu2ezkECNzoEeU7WxUe8a61pMCh9cisS9H5mB2K2uM4Jnf8tgFeXn3akJDVo0 | ||
oR1IC+Dp9mXbRSK3MAvKkOwWlG99sx3uEdvmeBRHBOO+grchLx24EThXFOyP9Fk6 | ||
V39j6xMjw4aggLD15B4V0v9JqBDdJiIYFzszZDL6pJwZrzcP0z8JO4rTZd+f64bD | ||
Mpj52j/pQfA8lZHOaAgb1OrthLdMrBAjoDjArV4Ek7vSbrcgYWcI6BhsQrFoxKdX | ||
83TZKai55ZCfCLIskwUIzA1NLVwyzCS+fSN/ABEBAAG0KCJUZXN0IEF0dGVzdG9y | ||
IiA8ZGFuYWhvZmZtYW5AZ29vZ2xlLmNvbT6JAU4EEwEIADgWIQRfWkqHt6hpTA1L | ||
uY060eeM4dc66AUCW0/R2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA6 | ||
0eeM4dc66HdpCAC4ot3b0OyxPb0Ip+WT2U0PbpTBPJklesuwpIrM4Lh0N+1nVRLC | ||
51WSmVbM8BiAFhLbN9LpdHhds1kUrHF7+wWAjdR8sqAj9otc6HGRM/3qfa2qgh+U | ||
WTEk/3us/rYSi7T7TkMuutRMIa1IkR13uKiW56csEMnbOQpn9rDqwIr5R8nlZP5h | ||
MAU9vdm1DIv567meMqTaVZgR3w7bck2P49AO8lO5ERFpVkErtu/98y+rUy9d789l | ||
+OPuS1NGnxI1YKsNaWJF4uJVuvQuZ1twrhCbGNtVorO2U12+cEq+YtUxj7kmdOC1 | ||
qoIRW6y0+UlAc+MbqfL0ziHDOAmcqz1GnROg | ||
=6Bvm | ||
EOF | ||
} | ||
} | ||
} | ||
``` | ||
|
||
## Argument Reference | ||
|
||
The following arguments are supported: | ||
|
||
|
||
* `name` - | ||
(Required) | ||
The resource name. | ||
|
||
* `attestation_authority_note` - | ||
(Required) | ||
A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below. | ||
|
||
|
||
The `attestation_authority_note` block supports: | ||
|
||
* `note_reference` - | ||
(Required) | ||
The resource name of a ATTESTATION_AUTHORITY Note, created by the | ||
user. If the Note is in a different project from the Attestor, it | ||
should be specified in the format `projects/*/notes/*` (or the legacy | ||
`providers/*/notes/*`). This field may not be updated. | ||
An attestation by this attestor is stored as a Container Analysis | ||
ATTESTATION_AUTHORITY Occurrence that names a container image | ||
and that links to this Note. | ||
|
||
* `public_keys` - | ||
(Optional) | ||
Public keys that verify attestations signed by this attestor. This | ||
field may be updated. | ||
If this field is non-empty, one of the specified public keys must | ||
verify that an attestation was signed by this attestor for the | ||
image specified in the admission request. | ||
If this field is empty, this attestor always returns that no valid | ||
attestations exist. Structure is documented below. | ||
|
||
* `delegation_service_account_email` - | ||
This field will contain the service account email address that | ||
this Attestor will use as the principal when querying Container | ||
Analysis. Attestor administrators must grant this service account | ||
the IAM role needed to read attestations from the noteReference in | ||
Container Analysis (containeranalysis.notes.occurrences.viewer). | ||
This email address is fixed for the lifetime of the Attestor, but | ||
callers should not make any other assumptions about the service | ||
account email; future versions may use an email based on a | ||
different naming pattern. | ||
|
||
|
||
The `public_keys` block supports: | ||
|
||
* `comment` - | ||
(Optional) | ||
A descriptive comment. This field may be updated. | ||
|
||
* `id` - | ||
This field will be overwritten with key ID information, for | ||
example, an identifier extracted from a PGP public key. This | ||
field may not be updated. | ||
|
||
* `ascii_armored_pgp_public_key` - | ||
(Required) | ||
ASCII-armored representation of a PGP public key, as the | ||
entire output by the command | ||
`gpg --export --armor foo@example.com` (either LF or CRLF | ||
line endings). | ||
|
||
- - - | ||
|
||
|
||
* `description` - | ||
(Optional) | ||
A descriptive comment. This field may be updated. The field may be | ||
displayed in chooser dialogs. | ||
* `project` - (Optional) The ID of the project in which the resource belongs. | ||
If it is not provided, the provider project is used. | ||
|
||
|
||
|
||
|
||
## Import | ||
|
||
Attestor can be imported using any of these accepted formats: | ||
|
||
``` | ||
$ terraform import google_binary_authorization_attestor.default projects/{{project}}/attestors/{{name}} | ||
$ terraform import google_binary_authorization_attestor.default {{project}}/{{name}} | ||
$ terraform import google_binary_authorization_attestor.default {{name}} | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,165 @@ | ||
--- | ||
# ---------------------------------------------------------------------------- | ||
# | ||
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** | ||
# | ||
# ---------------------------------------------------------------------------- | ||
# | ||
# This file is automatically generated by Magic Modules and manual | ||
# changes will be clobbered when the file is regenerated. | ||
# | ||
# Please read more about how to change this file in | ||
# .github/CONTRIBUTING.md. | ||
# | ||
# ---------------------------------------------------------------------------- | ||
layout: "google" | ||
page_title: "Google: google_binary_authorization_policy" | ||
sidebar_current: "docs-google-binary-authorization-policy" | ||
description: |- | ||
A policy for container image binary authorization. | ||
--- | ||
|
||
# google\_binary\_authorization\_policy | ||
|
||
A policy for container image binary authorization. | ||
|
||
To get more information about Policy, see: | ||
|
||
* [API documentation](https://cloud.google.com/binary-authorization/docs/reference/rest/) | ||
* How-to Guides | ||
* [Official Documentation](https://cloud.google.com/binary-authorization/) | ||
|
||
## Example Usage | ||
|
||
```hcl | ||
resource "google_container_analysis_note" "note" { | ||
name = "test-attestor-note" | ||
attestation_authority { | ||
hint { | ||
human_readable_name = "My attestor" | ||
} | ||
} | ||
} | ||
resource "google_binary_authorization_attestor" "attestor" { | ||
name = "test-attestor" | ||
attestation_authority_note { | ||
note_reference = "${google_container_analysis_note.note.name}" | ||
} | ||
} | ||
resource "google_binary_authorization_policy" "policy" { | ||
admission_whitelist_patterns { | ||
name_pattern= "gcr.io/google_containers/*" | ||
} | ||
default_admission_rule { | ||
evaluation_mode = "ALWAYS_ALLOW" | ||
enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG" | ||
} | ||
cluster_admission_rules { | ||
cluster = "us-central1-a.prod-cluster" | ||
evaluation_mode = "REQUIRE_ATTESTATION" | ||
enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG" | ||
require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"] | ||
} | ||
} | ||
``` | ||
|
||
## Argument Reference | ||
|
||
The following arguments are supported: | ||
|
||
|
||
* `default_admission_rule` - | ||
(Required) | ||
Default admission rule for a cluster without a per-cluster admission | ||
rule. Structure is documented below. | ||
|
||
|
||
The `default_admission_rule` block supports: | ||
|
||
* `evaluation_mode` - | ||
(Required) | ||
How this admission rule will be evaluated. | ||
|
||
* `require_attestations_by` - | ||
(Optional) | ||
The resource names of the attestors that must attest to a | ||
container image. If the attestor is in a different project from the | ||
policy, it should be specified in the format `projects/*/attestors/*`. | ||
Each attestor must exist before a policy can reference it. To add an | ||
attestor to a policy the principal issuing the policy change | ||
request must be able to read the attestor resource. | ||
Note: this field must be non-empty when the evaluation_mode field | ||
specifies REQUIRE_ATTESTATION, otherwise it must be empty. | ||
|
||
* `enforcement_mode` - | ||
(Required) | ||
The action when a pod creation is denied by the admission rule. | ||
|
||
- - - | ||
|
||
|
||
* `description` - | ||
(Optional) | ||
A descriptive comment. | ||
|
||
* `admission_whitelist_patterns` - | ||
(Optional) | ||
Admission policy whitelisting. A matching admission request will | ||
always be permitted. This feature is typically used to exclude Google | ||
or third-party infrastructure images from Binary Authorization | ||
policies. Structure is documented below. | ||
|
||
* `cluster_admission_rules` - | ||
(Optional) | ||
Admission policy whitelisting. A matching admission request will | ||
always be permitted. This feature is typically used to exclude Google | ||
or third-party infrastructure images from Binary Authorization | ||
policies. | ||
* `project` - (Optional) The ID of the project in which the resource belongs. | ||
If it is not provided, the provider project is used. | ||
|
||
|
||
The `admission_whitelist_patterns` block supports: | ||
|
||
* `name_pattern` - | ||
(Optional) | ||
An image name pattern to whitelist, in the form | ||
`registry/path/to/image`. This supports a trailing * as a | ||
wildcard, but this is allowed only in text after the registry/ | ||
part. | ||
|
||
The `cluster_admission_rules` block supports: | ||
|
||
* `evaluation_mode` - | ||
(Optional) | ||
How this admission rule will be evaluated. | ||
|
||
* `require_attestations_by` - | ||
(Optional) | ||
The resource names of the attestors that must attest to a | ||
container image. If the attestor is in a different project from the | ||
policy, it should be specified in the format `projects/*/attestors/*`. | ||
Each attestor must exist before a policy can reference it. To add an | ||
attestor to a policy the principal issuing the policy change | ||
request must be able to read the attestor resource. | ||
Note: this field must be non-empty when the evaluation_mode field | ||
specifies REQUIRE_ATTESTATION, otherwise it must be empty. | ||
|
||
* `enforcement_mode` - | ||
(Optional) | ||
The action when a pod creation is denied by the admission rule. | ||
|
||
|
||
|
||
## Import | ||
|
||
Policy can be imported using any of these accepted formats: | ||
|
||
``` | ||
$ terraform import google_binary_authorization_policy.default projects/{{project}} | ||
$ terraform import google_binary_authorization_policy.default {{project}} | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.