Add Policy, Attestor, and Note resources for Binary Authorization (ha…

…shicorp#1885)  /cc @danawillow
chrisst · Aug 20, 2018 · 956091a · 956091a
1 parent 797762e
commit 956091a
Show file tree

Hide file tree

Showing 26 changed files with 501 additions and 26 deletions.
diff --git a/docs/r/binaryauthorization_attestor.html.markdown b/docs/r/binaryauthorization_attestor.html.markdown
@@ -0,0 +1,158 @@
+---
+# ----------------------------------------------------------------------------
+#
+#     ***     AUTO GENERATED CODE    ***    AUTO GENERATED CODE     ***
+#
+# ----------------------------------------------------------------------------
+#
+#     This file is automatically generated by Magic Modules and manual
+#     changes will be clobbered when the file is regenerated.
+#
+#     Please read more about how to change this file in
+#     .github/CONTRIBUTING.md.
+#
+# ----------------------------------------------------------------------------
+layout: "google"
+page_title: "Google: google_binary_authorization_attestor"
+sidebar_current: "docs-google-binary-authorization-attestor"
+description: |-
+  An attestor that attests to container image artifacts.
+---
+
+# google\_binary\_authorization\_attestor
+
+An attestor that attests to container image artifacts.
+
+To get more information about Attestor, see:
+
+* [API documentation](https://cloud.google.com/binary-authorization/docs/reference/rest/)
+* How-to Guides
+    * [Official Documentation](https://cloud.google.com/binary-authorization/)
+
+## Example Usage
+
+```hcl
+resource "google_container_analysis_note" "note" {
+  name = "test-attestor-note"
+  attestation_authority {
+    hint {
+      human_readable_name = "Attestor Note"
+    }
+  }
+}
+
+resource "google_binary_authorization_attestor" "attestor" {
+  name = "test-attestor"
+  attestation_authority_note {
+    note_reference = "${google_container_analysis_note.note.name}"
+    public_keys {
+      ascii_armored_pgp_public_key = <<EOF
+mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl
+bB7Iu2ezkECNzoEeU7WxUe8a61pMCh9cisS9H5mB2K2uM4Jnf8tgFeXn3akJDVo0
+oR1IC+Dp9mXbRSK3MAvKkOwWlG99sx3uEdvmeBRHBOO+grchLx24EThXFOyP9Fk6
+V39j6xMjw4aggLD15B4V0v9JqBDdJiIYFzszZDL6pJwZrzcP0z8JO4rTZd+f64bD
+Mpj52j/pQfA8lZHOaAgb1OrthLdMrBAjoDjArV4Ek7vSbrcgYWcI6BhsQrFoxKdX
+83TZKai55ZCfCLIskwUIzA1NLVwyzCS+fSN/ABEBAAG0KCJUZXN0IEF0dGVzdG9y
+IiA8ZGFuYWhvZmZtYW5AZ29vZ2xlLmNvbT6JAU4EEwEIADgWIQRfWkqHt6hpTA1L
+uY060eeM4dc66AUCW0/R2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA6
+0eeM4dc66HdpCAC4ot3b0OyxPb0Ip+WT2U0PbpTBPJklesuwpIrM4Lh0N+1nVRLC
+51WSmVbM8BiAFhLbN9LpdHhds1kUrHF7+wWAjdR8sqAj9otc6HGRM/3qfa2qgh+U
+WTEk/3us/rYSi7T7TkMuutRMIa1IkR13uKiW56csEMnbOQpn9rDqwIr5R8nlZP5h
+MAU9vdm1DIv567meMqTaVZgR3w7bck2P49AO8lO5ERFpVkErtu/98y+rUy9d789l
++OPuS1NGnxI1YKsNaWJF4uJVuvQuZ1twrhCbGNtVorO2U12+cEq+YtUxj7kmdOC1
+qoIRW6y0+UlAc+MbqfL0ziHDOAmcqz1GnROg
+=6Bvm
+EOF
+    }
+  }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+
+* `name` -
+  (Required)
+  The resource name.
+
+* `attestation_authority_note` -
+  (Required)
+  A Container Analysis ATTESTATION_AUTHORITY Note, created by the user.  Structure is documented below.
+
+
+The `attestation_authority_note` block supports:
+
+* `note_reference` -
+  (Required)
+  The resource name of a ATTESTATION_AUTHORITY Note, created by the
+  user. If the Note is in a different project from the Attestor, it
+  should be specified in the format `projects/*/notes/*` (or the legacy
+  `providers/*/notes/*`). This field may not be updated.
+  An attestation by this attestor is stored as a Container Analysis
+  ATTESTATION_AUTHORITY Occurrence that names a container image
+  and that links to this Note.
+
+* `public_keys` -
+  (Optional)
+  Public keys that verify attestations signed by this attestor. This
+  field may be updated.
+  If this field is non-empty, one of the specified public keys must
+  verify that an attestation was signed by this attestor for the
+  image specified in the admission request.
+  If this field is empty, this attestor always returns that no valid
+  attestations exist.  Structure is documented below.
+
+* `delegation_service_account_email` -
+  This field will contain the service account email address that
+  this Attestor will use as the principal when querying Container
+  Analysis. Attestor administrators must grant this service account
+  the IAM role needed to read attestations from the noteReference in
+  Container Analysis (containeranalysis.notes.occurrences.viewer).
+  This email address is fixed for the lifetime of the Attestor, but
+  callers should not make any other assumptions about the service
+  account email; future versions may use an email based on a
+  different naming pattern.
+
+
+The `public_keys` block supports:
+
+* `comment` -
+  (Optional)
+  A descriptive comment. This field may be updated.
+
+* `id` -
+  This field will be overwritten with key ID information, for
+  example, an identifier extracted from a PGP public key. This
+  field may not be updated.
+
+* `ascii_armored_pgp_public_key` -
+  (Required)
+  ASCII-armored representation of a PGP public key, as the
+  entire output by the command
+  `gpg --export --armor foo@example.com` (either LF or CRLF
+  line endings).
+
+- - -
+
+
+* `description` -
+  (Optional)
+  A descriptive comment. This field may be updated. The field may be
+  displayed in chooser dialogs.
+* `project` - (Optional) The ID of the project in which the resource belongs.
+    If it is not provided, the provider project is used.
+
+
+
+
+## Import
+
+Attestor can be imported using any of these accepted formats:
+
+```
+$ terraform import google_binary_authorization_attestor.default projects/{{project}}/attestors/{{name}}
+$ terraform import google_binary_authorization_attestor.default {{project}}/{{name}}
+$ terraform import google_binary_authorization_attestor.default {{name}}
+```
diff --git a/docs/r/binaryauthorization_policy.html.markdown b/docs/r/binaryauthorization_policy.html.markdown
@@ -0,0 +1,165 @@
+---
+# ----------------------------------------------------------------------------
+#
+#     ***     AUTO GENERATED CODE    ***    AUTO GENERATED CODE     ***
+#
+# ----------------------------------------------------------------------------
+#
+#     This file is automatically generated by Magic Modules and manual
+#     changes will be clobbered when the file is regenerated.
+#
+#     Please read more about how to change this file in
+#     .github/CONTRIBUTING.md.
+#
+# ----------------------------------------------------------------------------
+layout: "google"
+page_title: "Google: google_binary_authorization_policy"
+sidebar_current: "docs-google-binary-authorization-policy"
+description: |-
+  A policy for container image binary authorization.
+---
+
+# google\_binary\_authorization\_policy
+
+A policy for container image binary authorization.
+
+To get more information about Policy, see:
+
+* [API documentation](https://cloud.google.com/binary-authorization/docs/reference/rest/)
+* How-to Guides
+    * [Official Documentation](https://cloud.google.com/binary-authorization/)
+
+## Example Usage
+
+```hcl
+resource "google_container_analysis_note" "note" {
+  name = "test-attestor-note"
+  attestation_authority {
+    hint {
+      human_readable_name = "My attestor"
+    }
+  }
+}
+
+resource "google_binary_authorization_attestor" "attestor" {
+  name = "test-attestor"
+  attestation_authority_note {
+    note_reference = "${google_container_analysis_note.note.name}"
+  }
+}
+
+resource "google_binary_authorization_policy" "policy" {
+  admission_whitelist_patterns {
+    name_pattern= "gcr.io/google_containers/*"
+  }
+
+  default_admission_rule {
+    evaluation_mode = "ALWAYS_ALLOW"
+    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
+  }
+
+  cluster_admission_rules {
+    cluster = "us-central1-a.prod-cluster"
+    evaluation_mode = "REQUIRE_ATTESTATION"
+    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
+    require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
+  }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+
+* `default_admission_rule` -
+  (Required)
+  Default admission rule for a cluster without a per-cluster admission
+  rule.  Structure is documented below.
+
+
+The `default_admission_rule` block supports:
+
+* `evaluation_mode` -
+  (Required)
+  How this admission rule will be evaluated.
+
+* `require_attestations_by` -
+  (Optional)
+  The resource names of the attestors that must attest to a
+  container image. If the attestor is in a different project from the
+  policy, it should be specified in the format `projects/*/attestors/*`.
+  Each attestor must exist before a policy can reference it. To add an
+  attestor to a policy the principal issuing the policy change
+  request must be able to read the attestor resource.
+  Note: this field must be non-empty when the evaluation_mode field
+  specifies REQUIRE_ATTESTATION, otherwise it must be empty.
+
+* `enforcement_mode` -
+  (Required)
+  The action when a pod creation is denied by the admission rule.
+
+- - -
+
+
+* `description` -
+  (Optional)
+  A descriptive comment.
+
+* `admission_whitelist_patterns` -
+  (Optional)
+  Admission policy whitelisting. A matching admission request will
+  always be permitted. This feature is typically used to exclude Google
+  or third-party infrastructure images from Binary Authorization
+  policies.  Structure is documented below.
+
+* `cluster_admission_rules` -
+  (Optional)
+  Admission policy whitelisting. A matching admission request will
+  always be permitted. This feature is typically used to exclude Google
+  or third-party infrastructure images from Binary Authorization
+  policies.
+* `project` - (Optional) The ID of the project in which the resource belongs.
+    If it is not provided, the provider project is used.
+
+
+The `admission_whitelist_patterns` block supports:
+
+* `name_pattern` -
+  (Optional)
+  An image name pattern to whitelist, in the form
+  `registry/path/to/image`. This supports a trailing * as a
+  wildcard, but this is allowed only in text after the registry/
+  part.
+
+The `cluster_admission_rules` block supports:
+
+* `evaluation_mode` -
+  (Optional)
+  How this admission rule will be evaluated.
+
+* `require_attestations_by` -
+  (Optional)
+  The resource names of the attestors that must attest to a
+  container image. If the attestor is in a different project from the
+  policy, it should be specified in the format `projects/*/attestors/*`.
+  Each attestor must exist before a policy can reference it. To add an
+  attestor to a policy the principal issuing the policy change
+  request must be able to read the attestor resource.
+  Note: this field must be non-empty when the evaluation_mode field
+  specifies REQUIRE_ATTESTATION, otherwise it must be empty.
+
+* `enforcement_mode` -
+  (Optional)
+  The action when a pod creation is denied by the admission rule.
+
+
+
+## Import
+
+Policy can be imported using any of these accepted formats:
+
+```
+$ terraform import google_binary_authorization_policy.default projects/{{project}}
+$ terraform import google_binary_authorization_policy.default {{project}}
+```
diff --git a/docs/r/compute_address.html.markdown b/docs/r/compute_address.html.markdown
@@ -84,6 +84,7 @@ The following arguments are supported:
   following characters must be a dash, lowercase letter, or digit,
   except the last character, which cannot be a dash.
 
+
 - - -
 
 

diff --git a/docs/r/compute_autoscaler.html.markdown b/docs/r/compute_autoscaler.html.markdown
@@ -114,6 +114,8 @@ The following arguments are supported:
 * `target` -
   (Required)
   URL of the managed instance group that this autoscaler will scale.
+
+
 The `autoscaling_policy` block supports:
 
 * `min_replicas` -
@@ -157,7 +159,9 @@ The `autoscaling_policy` block supports:
 * `load_balancing_utilization` -
   (Optional)
   Configuration parameters of autoscaling based on a load balancer.  Structure is documented below.
-        The `cpu_utilization` block supports:
+
+
+The `cpu_utilization` block supports:
 
 * `target` -
   (Required)
@@ -172,8 +176,8 @@ The `autoscaling_policy` block supports:
   scales up until it reaches the maximum number of instances you
   specified or until the average utilization reaches the target
   utilization.
-  
-  The `metric` block supports:
+
+The `metric` block supports:
 
 * `name` -
   (Required)
@@ -197,15 +201,14 @@ The `autoscaling_policy` block supports:
   Defines how target utilization value is expressed for a
   Stackdriver Monitoring metric. Either GAUGE, DELTA_PER_SECOND,
   or DELTA_PER_MINUTE.
-      
-  The `load_balancing_utilization` block supports:
+
+The `load_balancing_utilization` block supports:
 
 * `target` -
   (Required)
   Fraction of backend capacity utilization (set in HTTP(s) load
   balancing configuration) that autoscaler should maintain. Must
   be a positive float value. If not defined, the default is 0.8.
-
 
 - - -
 

diff --git a/docs/r/compute_backend_bucket.html.markdown b/docs/r/compute_backend_bucket.html.markdown
@@ -71,6 +71,7 @@ The following arguments are supported:
   characters must be a dash, lowercase letter, or digit, except the
   last character, which cannot be a dash.
 
+
 - - -