-
Notifications
You must be signed in to change notification settings - Fork 19
/
outputs.py
298 lines (258 loc) · 21.3 KB
/
outputs.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
# coding=utf-8
# *** WARNING: this file was generated by the Pulumi SDK Generator. ***
# *** Do not edit by hand unless you're certain you know what you are doing! ***
import warnings
import pulumi
import pulumi.runtime
from typing import Any, Mapping, Optional, Sequence, Union, overload
from ... import _utilities
from . import outputs
__all__ = [
'AttestorPublicKeyResponse',
'BindingResponse',
'ExprResponse',
'PkixPublicKeyResponse',
'UserOwnedGrafeasNoteResponse',
]
@pulumi.output_type
class AttestorPublicKeyResponse(dict):
"""
An attestor public key that will be used to verify attestations signed by this attestor.
"""
@staticmethod
def __key_warning(key: str):
suggest = None
if key == "asciiArmoredPgpPublicKey":
suggest = "ascii_armored_pgp_public_key"
elif key == "pkixPublicKey":
suggest = "pkix_public_key"
if suggest:
pulumi.log.warn(f"Key '{key}' not found in AttestorPublicKeyResponse. Access the value via the '{suggest}' property getter instead.")
def __getitem__(self, key: str) -> Any:
AttestorPublicKeyResponse.__key_warning(key)
return super().__getitem__(key)
def get(self, key: str, default = None) -> Any:
AttestorPublicKeyResponse.__key_warning(key)
return super().get(key, default)
def __init__(__self__, *,
ascii_armored_pgp_public_key: str,
comment: str,
pkix_public_key: 'outputs.PkixPublicKeyResponse'):
"""
An attestor public key that will be used to verify attestations signed by this attestor.
:param str ascii_armored_pgp_public_key: ASCII-armored representation of a PGP public key, as the entire output by the command `gpg --export --armor foo@example.com` (either LF or CRLF line endings). When using this field, `id` should be left blank. The BinAuthz API handlers will calculate the ID and fill it in automatically. BinAuthz computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as upper-case hex. If `id` is provided by the caller, it will be overwritten by the API-calculated ID.
:param str comment: Optional. A descriptive comment. This field may be updated.
:param 'PkixPublicKeyResponse' pkix_public_key: A raw PKIX SubjectPublicKeyInfo format public key. NOTE: `id` may be explicitly provided by the caller when using this type of public key, but it MUST be a valid RFC3986 URI. If `id` is left blank, a default one will be computed based on the digest of the DER encoding of the public key.
"""
pulumi.set(__self__, "ascii_armored_pgp_public_key", ascii_armored_pgp_public_key)
pulumi.set(__self__, "comment", comment)
pulumi.set(__self__, "pkix_public_key", pkix_public_key)
@property
@pulumi.getter(name="asciiArmoredPgpPublicKey")
def ascii_armored_pgp_public_key(self) -> str:
"""
ASCII-armored representation of a PGP public key, as the entire output by the command `gpg --export --armor foo@example.com` (either LF or CRLF line endings). When using this field, `id` should be left blank. The BinAuthz API handlers will calculate the ID and fill it in automatically. BinAuthz computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as upper-case hex. If `id` is provided by the caller, it will be overwritten by the API-calculated ID.
"""
return pulumi.get(self, "ascii_armored_pgp_public_key")
@property
@pulumi.getter
def comment(self) -> str:
"""
Optional. A descriptive comment. This field may be updated.
"""
return pulumi.get(self, "comment")
@property
@pulumi.getter(name="pkixPublicKey")
def pkix_public_key(self) -> 'outputs.PkixPublicKeyResponse':
"""
A raw PKIX SubjectPublicKeyInfo format public key. NOTE: `id` may be explicitly provided by the caller when using this type of public key, but it MUST be a valid RFC3986 URI. If `id` is left blank, a default one will be computed based on the digest of the DER encoding of the public key.
"""
return pulumi.get(self, "pkix_public_key")
@pulumi.output_type
class BindingResponse(dict):
"""
Associates `members` with a `role`.
"""
def __init__(__self__, *,
condition: 'outputs.ExprResponse',
members: Sequence[str],
role: str):
"""
Associates `members` with a `role`.
:param 'ExprResponse' condition: The condition that is associated with this binding. If the condition evaluates to `true`, then this binding applies to the current request. If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the members in this binding. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
:param Sequence[str] members: Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`. * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding. * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
:param str role: Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
"""
pulumi.set(__self__, "condition", condition)
pulumi.set(__self__, "members", members)
pulumi.set(__self__, "role", role)
@property
@pulumi.getter
def condition(self) -> 'outputs.ExprResponse':
"""
The condition that is associated with this binding. If the condition evaluates to `true`, then this binding applies to the current request. If the condition evaluates to `false`, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the members in this binding. To learn which resources support conditions in their IAM policies, see the [IAM documentation](https://cloud.google.com/iam/help/conditions/resource-policies).
"""
return pulumi.get(self, "condition")
@property
@pulumi.getter
def members(self) -> Sequence[str]:
"""
Specifies the identities requesting access for a Cloud Platform resource. `members` can have the following values: * `allUsers`: A special identifier that represents anyone who is on the internet; with or without a Google account. * `allAuthenticatedUsers`: A special identifier that represents anyone who is authenticated with a Google account or a service account. * `user:{emailid}`: An email address that represents a specific Google account. For example, `alice@example.com` . * `serviceAccount:{emailid}`: An email address that represents a service account. For example, `my-other-app@appspot.gserviceaccount.com`. * `group:{emailid}`: An email address that represents a Google group. For example, `admins@example.com`. * `deleted:user:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a user that has been recently deleted. For example, `alice@example.com?uid=123456789012345678901`. If the user is recovered, this value reverts to `user:{emailid}` and the recovered user retains the role in the binding. * `deleted:serviceAccount:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, `my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901`. If the service account is undeleted, this value reverts to `serviceAccount:{emailid}` and the undeleted service account retains the role in the binding. * `deleted:group:{emailid}?uid={uniqueid}`: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, `admins@example.com?uid=123456789012345678901`. If the group is recovered, this value reverts to `group:{emailid}` and the recovered group retains the role in the binding. * `domain:{domain}`: The G Suite domain (primary) that represents all the users of that domain. For example, `google.com` or `example.com`.
"""
return pulumi.get(self, "members")
@property
@pulumi.getter
def role(self) -> str:
"""
Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
"""
return pulumi.get(self, "role")
@pulumi.output_type
class ExprResponse(dict):
"""
Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
"""
def __init__(__self__, *,
description: str,
expression: str,
location: str,
title: str):
"""
Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
:param str description: Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
:param str expression: Textual representation of an expression in Common Expression Language syntax.
:param str location: Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
:param str title: Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
"""
pulumi.set(__self__, "description", description)
pulumi.set(__self__, "expression", expression)
pulumi.set(__self__, "location", location)
pulumi.set(__self__, "title", title)
@property
@pulumi.getter
def description(self) -> str:
"""
Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
"""
return pulumi.get(self, "description")
@property
@pulumi.getter
def expression(self) -> str:
"""
Textual representation of an expression in Common Expression Language syntax.
"""
return pulumi.get(self, "expression")
@property
@pulumi.getter
def location(self) -> str:
"""
Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file.
"""
return pulumi.get(self, "location")
@property
@pulumi.getter
def title(self) -> str:
"""
Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression.
"""
return pulumi.get(self, "title")
@pulumi.output_type
class PkixPublicKeyResponse(dict):
"""
A public key in the PkixPublicKey format (see https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details). Public keys of this type are typically textually encoded using the PEM format.
"""
@staticmethod
def __key_warning(key: str):
suggest = None
if key == "publicKeyPem":
suggest = "public_key_pem"
elif key == "signatureAlgorithm":
suggest = "signature_algorithm"
if suggest:
pulumi.log.warn(f"Key '{key}' not found in PkixPublicKeyResponse. Access the value via the '{suggest}' property getter instead.")
def __getitem__(self, key: str) -> Any:
PkixPublicKeyResponse.__key_warning(key)
return super().__getitem__(key)
def get(self, key: str, default = None) -> Any:
PkixPublicKeyResponse.__key_warning(key)
return super().get(key, default)
def __init__(__self__, *,
public_key_pem: str,
signature_algorithm: str):
"""
A public key in the PkixPublicKey format (see https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details). Public keys of this type are typically textually encoded using the PEM format.
:param str public_key_pem: A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
:param str signature_algorithm: The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in `public_key_pem` (i.e. this algorithm must match that of the public key).
"""
pulumi.set(__self__, "public_key_pem", public_key_pem)
pulumi.set(__self__, "signature_algorithm", signature_algorithm)
@property
@pulumi.getter(name="publicKeyPem")
def public_key_pem(self) -> str:
"""
A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
"""
return pulumi.get(self, "public_key_pem")
@property
@pulumi.getter(name="signatureAlgorithm")
def signature_algorithm(self) -> str:
"""
The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in `public_key_pem` (i.e. this algorithm must match that of the public key).
"""
return pulumi.get(self, "signature_algorithm")
@pulumi.output_type
class UserOwnedGrafeasNoteResponse(dict):
"""
An user owned Grafeas note references a Grafeas Attestation.Authority Note created by the user.
"""
@staticmethod
def __key_warning(key: str):
suggest = None
if key == "delegationServiceAccountEmail":
suggest = "delegation_service_account_email"
elif key == "noteReference":
suggest = "note_reference"
elif key == "publicKeys":
suggest = "public_keys"
if suggest:
pulumi.log.warn(f"Key '{key}' not found in UserOwnedGrafeasNoteResponse. Access the value via the '{suggest}' property getter instead.")
def __getitem__(self, key: str) -> Any:
UserOwnedGrafeasNoteResponse.__key_warning(key)
return super().__getitem__(key)
def get(self, key: str, default = None) -> Any:
UserOwnedGrafeasNoteResponse.__key_warning(key)
return super().get(key, default)
def __init__(__self__, *,
delegation_service_account_email: str,
note_reference: str,
public_keys: Sequence['outputs.AttestorPublicKeyResponse']):
"""
An user owned Grafeas note references a Grafeas Attestation.Authority Note created by the user.
:param str delegation_service_account_email: This field will contain the service account email address that this Attestor will use as the principal when querying Container Analysis. Attestor administrators must grant this service account the IAM role needed to read attestations from the note_reference in Container Analysis (`containeranalysis.notes.occurrences.viewer`). This email address is fixed for the lifetime of the Attestor, but callers should not make any other assumptions about the service account email; future versions may use an email based on a different naming pattern.
:param str note_reference: Required. The Grafeas resource name of a Attestation.Authority Note, created by the user, in the format: `projects/*/notes/*`. This field may not be updated. An attestation by this attestor is stored as a Grafeas Attestation.Authority Occurrence that names a container image and that links to this Note. Grafeas is an external dependency.
:param Sequence['AttestorPublicKeyResponse'] public_keys: Optional. Public keys that verify attestations signed by this attestor. This field may be updated. If this field is non-empty, one of the specified public keys must verify that an attestation was signed by this attestor for the image specified in the admission request. If this field is empty, this attestor always returns that no valid attestations exist.
"""
pulumi.set(__self__, "delegation_service_account_email", delegation_service_account_email)
pulumi.set(__self__, "note_reference", note_reference)
pulumi.set(__self__, "public_keys", public_keys)
@property
@pulumi.getter(name="delegationServiceAccountEmail")
def delegation_service_account_email(self) -> str:
"""
This field will contain the service account email address that this Attestor will use as the principal when querying Container Analysis. Attestor administrators must grant this service account the IAM role needed to read attestations from the note_reference in Container Analysis (`containeranalysis.notes.occurrences.viewer`). This email address is fixed for the lifetime of the Attestor, but callers should not make any other assumptions about the service account email; future versions may use an email based on a different naming pattern.
"""
return pulumi.get(self, "delegation_service_account_email")
@property
@pulumi.getter(name="noteReference")
def note_reference(self) -> str:
"""
Required. The Grafeas resource name of a Attestation.Authority Note, created by the user, in the format: `projects/*/notes/*`. This field may not be updated. An attestation by this attestor is stored as a Grafeas Attestation.Authority Occurrence that names a container image and that links to this Note. Grafeas is an external dependency.
"""
return pulumi.get(self, "note_reference")
@property
@pulumi.getter(name="publicKeys")
def public_keys(self) -> Sequence['outputs.AttestorPublicKeyResponse']:
"""
Optional. Public keys that verify attestations signed by this attestor. This field may be updated. If this field is non-empty, one of the specified public keys must verify that an attestation was signed by this attestor for the image specified in the admission request. If this field is empty, this attestor always returns that no valid attestations exist.
"""
return pulumi.get(self, "public_keys")