v5.18.0/website/docs/r/binary_authorization_attestor.html.markdown - terraform-provider-google-beta - Git at Google

 ---
 # ----------------------------------------------------------------------------
 #
 #     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
 #
 # ----------------------------------------------------------------------------
 #
 #     This file is automatically generated by Magic Modules and manual
 #     changes will be clobbered when the file is regenerated.
 #
 #     Please read more about how to change this file in
 #     .github/CONTRIBUTING.md.
 #
 # ----------------------------------------------------------------------------
 subcategory: "Binary Authorization"
 description: |-
   An attestor that attests to container image artifacts.
 ---

 # google\_binary\_authorization\_attestor

 An attestor that attests to container image artifacts.


 To get more information about Attestor, see:

 * [API documentation](https://cloud.google.com/binary-authorization/docs/reference/rest/)
 * How-to Guides
     * [Official Documentation](https://cloud.google.com/binary-authorization/)

 <div class = "oics-button" style="float: right; margin: 0 0 -15px">
   <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=binary_authorization_attestor_basic&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
     <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
   </a>
 </div>
 ## Example Usage - Binary Authorization Attestor Basic


 ```hcl
 resource "google_binary_authorization_attestor" "attestor" {
   name = "test-attestor"
   attestation_authority_note {
     note_reference = google_container_analysis_note.note.name
     public_keys {
       ascii_armored_pgp_public_key = <<EOF
 mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl
 bB7Iu2ezkECNzoEeU7WxUe8a61pMCh9cisS9H5mB2K2uM4Jnf8tgFeXn3akJDVo0
 oR1IC+Dp9mXbRSK3MAvKkOwWlG99sx3uEdvmeBRHBOO+grchLx24EThXFOyP9Fk6
 V39j6xMjw4aggLD15B4V0v9JqBDdJiIYFzszZDL6pJwZrzcP0z8JO4rTZd+f64bD
 Mpj52j/pQfA8lZHOaAgb1OrthLdMrBAjoDjArV4Ek7vSbrcgYWcI6BhsQrFoxKdX
 83TZKai55ZCfCLIskwUIzA1NLVwyzCS+fSN/ABEBAAG0KCJUZXN0IEF0dGVzdG9y
 IiA8ZGFuYWhvZmZtYW5AZ29vZ2xlLmNvbT6JAU4EEwEIADgWIQRfWkqHt6hpTA1L
 uY060eeM4dc66AUCW0/R2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA6
 0eeM4dc66HdpCAC4ot3b0OyxPb0Ip+WT2U0PbpTBPJklesuwpIrM4Lh0N+1nVRLC
 51WSmVbM8BiAFhLbN9LpdHhds1kUrHF7+wWAjdR8sqAj9otc6HGRM/3qfa2qgh+U
 WTEk/3us/rYSi7T7TkMuutRMIa1IkR13uKiW56csEMnbOQpn9rDqwIr5R8nlZP5h
 MAU9vdm1DIv567meMqTaVZgR3w7bck2P49AO8lO5ERFpVkErtu/98y+rUy9d789l
 +OPuS1NGnxI1YKsNaWJF4uJVuvQuZ1twrhCbGNtVorO2U12+cEq+YtUxj7kmdOC1
 qoIRW6y0+UlAc+MbqfL0ziHDOAmcqz1GnROg
 =6Bvm
 EOF

     }
   }
 }

 resource "google_container_analysis_note" "note" {
   name = "test-attestor-note"
   attestation_authority {
     hint {
       human_readable_name = "Attestor Note"
     }
   }
 }
 ```
 ## Example Usage - Binary Authorization Attestor Kms


 ```hcl
 resource "google_binary_authorization_attestor" "attestor" {
   name = "test-attestor"
   attestation_authority_note {
     note_reference = google_container_analysis_note.note.name
     public_keys {
       id = data.google_kms_crypto_key_version.version.id
       pkix_public_key {
         public_key_pem      = data.google_kms_crypto_key_version.version.public_key[0].pem
         signature_algorithm = data.google_kms_crypto_key_version.version.public_key[0].algorithm
       }
     }
   }
 }

 data "google_kms_crypto_key_version" "version" {
   crypto_key = google_kms_crypto_key.crypto-key.id
 }

 resource "google_container_analysis_note" "note" {
   name = "test-attestor-note"
   attestation_authority {
     hint {
       human_readable_name = "Attestor Note"
     }
   }
 }

 resource "google_kms_crypto_key" "crypto-key" {
   name     = "test-attestor-key"
   key_ring = google_kms_key_ring.keyring.id
   purpose  = "ASYMMETRIC_SIGN"

   version_template {
     algorithm = "RSA_SIGN_PKCS1_4096_SHA512"
   }

   lifecycle {
     prevent_destroy = true
   }
 }

 resource "google_kms_key_ring" "keyring" {
   name     = "test-attestor-key-ring"
   location = "global"
 }
 ```

 ## Argument Reference

 The following arguments are supported:


 * `name` -
   (Required)
   The resource name.

 * `attestation_authority_note` -
   (Required)
   A Container Analysis ATTESTATION_AUTHORITY Note, created by the user.
   Structure is [documented below](#nested_attestation_authority_note).


 <a name="nested_attestation_authority_note"></a>The `attestation_authority_note` block supports:

 * `note_reference` -
   (Required)
   The resource name of a ATTESTATION_AUTHORITY Note, created by the
   user. If the Note is in a different project from the Attestor, it
   should be specified in the format `projects/*/notes/*` (or the legacy
   `providers/*/notes/*`). This field may not be updated.
   An attestation by this attestor is stored as a Container Analysis
   ATTESTATION_AUTHORITY Occurrence that names a container image
   and that links to this Note.

 * `public_keys` -
   (Optional)
   Public keys that verify attestations signed by this attestor. This
   field may be updated.
   If this field is non-empty, one of the specified public keys must
   verify that an attestation was signed by this attestor for the
   image specified in the admission request.
   If this field is empty, this attestor always returns that no valid
   attestations exist.
   Structure is [documented below](#nested_public_keys).

 * `delegation_service_account_email` -
   (Output)
   This field will contain the service account email address that
   this Attestor will use as the principal when querying Container
   Analysis. Attestor administrators must grant this service account
   the IAM role needed to read attestations from the noteReference in
   Container Analysis (containeranalysis.notes.occurrences.viewer).
   This email address is fixed for the lifetime of the Attestor, but
   callers should not make any other assumptions about the service
   account email; future versions may use an email based on a
   different naming pattern.


 <a name="nested_public_keys"></a>The `public_keys` block supports:

 * `comment` -
   (Optional)
   A descriptive comment. This field may be updated.

 * `id` -
   (Optional)
   The ID of this public key. Signatures verified by BinAuthz
   must include the ID of the public key that can be used to
   verify them, and that ID must match the contents of this
   field exactly. Additional restrictions on this field can
   be imposed based on which public key type is encapsulated.
   See the documentation on publicKey cases below for details.

 * `ascii_armored_pgp_public_key` -
   (Optional)
   ASCII-armored representation of a PGP public key, as the
   entire output by the command
   `gpg --export --armor foo@example.com` (either LF or CRLF
   line endings). When using this field, id should be left
   blank. The BinAuthz API handlers will calculate the ID
   and fill it in automatically. BinAuthz computes this ID
   as the OpenPGP RFC4880 V4 fingerprint, represented as
   upper-case hex. If id is provided by the caller, it will
   be overwritten by the API-calculated ID.

 * `pkix_public_key` -
   (Optional)
   A raw PKIX SubjectPublicKeyInfo format public key.
   NOTE: id may be explicitly provided by the caller when using this
   type of public key, but it MUST be a valid RFC3986 URI. If id is left
   blank, a default one will be computed based on the digest of the DER
   encoding of the public key.
   Structure is [documented below](#nested_pkix_public_key).


 <a name="nested_pkix_public_key"></a>The `pkix_public_key` block supports:

 * `public_key_pem` -
   (Optional)
   A PEM-encoded public key, as described in
   `https://tools.ietf.org/html/rfc7468#section-13`

 * `signature_algorithm` -
   (Optional)
   The signature algorithm used to verify a message against
   a signature using this key. These signature algorithm must
   match the structure and any object identifiers encoded in
   publicKeyPem (i.e. this algorithm must match that of the
   public key).

 - - -


 * `description` -
   (Optional)
   A descriptive comment. This field may be updated. The field may be
   displayed in chooser dialogs.

 * `project` - (Optional) The ID of the project in which the resource belongs.
     If it is not provided, the provider project is used.


 ## Attributes Reference

 In addition to the arguments listed above, the following computed attributes are exported:

 * `id` - an identifier for the resource with format `projects/{{project}}/attestors/{{name}}`


 ## Timeouts

 This resource provides the following
 [Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:

 - `create` - Default is 20 minutes.
 - `update` - Default is 20 minutes.
 - `delete` - Default is 20 minutes.

 ## Import


 Attestor can be imported using any of these accepted formats:

 * `projects/{{project}}/attestors/{{name}}`
 * `{{project}}/{{name}}`
 * `{{name}}`


 In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import Attestor using one of the formats above. For example:

 ```tf
 import {
   id = "projects/{{project}}/attestors/{{name}}"
   to = google_binary_authorization_attestor.default
 }
 ```

 When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), Attestor can be imported using one of the formats above. For example:

 ```
 $ terraform import google_binary_authorization_attestor.default projects/{{project}}/attestors/{{name}}
 $ terraform import google_binary_authorization_attestor.default {{project}}/{{name}}
 $ terraform import google_binary_authorization_attestor.default {{name}}
 ```

 ## User Project Overrides

 This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).
	---
	# ----------------------------------------------------------------------------
	#
	# * AUTO GENERATED CODE * Type: MMv1 ***
	#
	# ----------------------------------------------------------------------------
	#
	# This file is automatically generated by Magic Modules and manual
	# changes will be clobbered when the file is regenerated.
	#
	# Please read more about how to change this file in
	# .github/CONTRIBUTING.md.
	#
	# ----------------------------------------------------------------------------
	subcategory: "Binary Authorization"
	description: \|-
	An attestor that attests to container image artifacts.
	---

	# google\_binary\_authorization\_attestor

	An attestor that attests to container image artifacts.


	To get more information about Attestor, see:

	* [API documentation](https://cloud.google.com/binary-authorization/docs/reference/rest/)
	* How-to Guides
	* [Official Documentation](https://cloud.google.com/binary-authorization/)

	<div class = "oics-button" style="float: right; margin: 0 0 -15px">
	<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=binary_authorization_attestor_basic&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
	<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
	</a>
	</div>
	## Example Usage - Binary Authorization Attestor Basic


	```hcl
	resource "google_binary_authorization_attestor" "attestor" {
	name = "test-attestor"
	attestation_authority_note {
	note_reference = google_container_analysis_note.note.name
	public_keys {
	ascii_armored_pgp_public_key = <<EOF
	mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl
	bB7Iu2ezkECNzoEeU7WxUe8a61pMCh9cisS9H5mB2K2uM4Jnf8tgFeXn3akJDVo0
	oR1IC+Dp9mXbRSK3MAvKkOwWlG99sx3uEdvmeBRHBOO+grchLx24EThXFOyP9Fk6
	V39j6xMjw4aggLD15B4V0v9JqBDdJiIYFzszZDL6pJwZrzcP0z8JO4rTZd+f64bD
	Mpj52j/pQfA8lZHOaAgb1OrthLdMrBAjoDjArV4Ek7vSbrcgYWcI6BhsQrFoxKdX
	83TZKai55ZCfCLIskwUIzA1NLVwyzCS+fSN/ABEBAAG0KCJUZXN0IEF0dGVzdG9y
	IiA8ZGFuYWhvZmZtYW5AZ29vZ2xlLmNvbT6JAU4EEwEIADgWIQRfWkqHt6hpTA1L
	uY060eeM4dc66AUCW0/R2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA6
	0eeM4dc66HdpCAC4ot3b0OyxPb0Ip+WT2U0PbpTBPJklesuwpIrM4Lh0N+1nVRLC
	51WSmVbM8BiAFhLbN9LpdHhds1kUrHF7+wWAjdR8sqAj9otc6HGRM/3qfa2qgh+U
	WTEk/3us/rYSi7T7TkMuutRMIa1IkR13uKiW56csEMnbOQpn9rDqwIr5R8nlZP5h
	MAU9vdm1DIv567meMqTaVZgR3w7bck2P49AO8lO5ERFpVkErtu/98y+rUy9d789l
	+OPuS1NGnxI1YKsNaWJF4uJVuvQuZ1twrhCbGNtVorO2U12+cEq+YtUxj7kmdOC1
	qoIRW6y0+UlAc+MbqfL0ziHDOAmcqz1GnROg
	=6Bvm
	EOF

	}
	}
	}

	resource "google_container_analysis_note" "note" {
	name = "test-attestor-note"
	attestation_authority {
	hint {
	human_readable_name = "Attestor Note"
	}
	}
	}
	```
	## Example Usage - Binary Authorization Attestor Kms


	```hcl
	resource "google_binary_authorization_attestor" "attestor" {
	name = "test-attestor"
	attestation_authority_note {
	note_reference = google_container_analysis_note.note.name
	public_keys {
	id = data.google_kms_crypto_key_version.version.id
	pkix_public_key {
	public_key_pem = data.google_kms_crypto_key_version.version.public_key[0].pem
	signature_algorithm = data.google_kms_crypto_key_version.version.public_key[0].algorithm
	}
	}
	}
	}

	data "google_kms_crypto_key_version" "version" {
	crypto_key = google_kms_crypto_key.crypto-key.id
	}

	resource "google_container_analysis_note" "note" {
	name = "test-attestor-note"
	attestation_authority {
	hint {
	human_readable_name = "Attestor Note"
	}
	}
	}

	resource "google_kms_crypto_key" "crypto-key" {
	name = "test-attestor-key"
	key_ring = google_kms_key_ring.keyring.id
	purpose = "ASYMMETRIC_SIGN"

	version_template {
	algorithm = "RSA_SIGN_PKCS1_4096_SHA512"
	}

	lifecycle {
	prevent_destroy = true
	}
	}

	resource "google_kms_key_ring" "keyring" {
	name = "test-attestor-key-ring"
	location = "global"
	}
	```

	## Argument Reference

	The following arguments are supported:


	* `name` -
	(Required)
	The resource name.

	* `attestation_authority_note` -
	(Required)
	A Container Analysis ATTESTATION_AUTHORITY Note, created by the user.
	Structure is [documented below](#nested_attestation_authority_note).


	<a name="nested_attestation_authority_note"></a>The `attestation_authority_note` block supports:

	* `note_reference` -
	(Required)
	The resource name of a ATTESTATION_AUTHORITY Note, created by the
	user. If the Note is in a different project from the Attestor, it
	should be specified in the format `projects//notes/` (or the legacy
	`providers//notes/`). This field may not be updated.
	An attestation by this attestor is stored as a Container Analysis
	ATTESTATION_AUTHORITY Occurrence that names a container image
	and that links to this Note.

	* `public_keys` -
	(Optional)
	Public keys that verify attestations signed by this attestor. This
	field may be updated.
	If this field is non-empty, one of the specified public keys must
	verify that an attestation was signed by this attestor for the
	image specified in the admission request.
	If this field is empty, this attestor always returns that no valid
	attestations exist.
	Structure is [documented below](#nested_public_keys).

	* `delegation_service_account_email` -
	(Output)
	This field will contain the service account email address that
	this Attestor will use as the principal when querying Container
	Analysis. Attestor administrators must grant this service account
	the IAM role needed to read attestations from the noteReference in
	Container Analysis (containeranalysis.notes.occurrences.viewer).
	This email address is fixed for the lifetime of the Attestor, but
	callers should not make any other assumptions about the service
	account email; future versions may use an email based on a
	different naming pattern.


	<a name="nested_public_keys"></a>The `public_keys` block supports:

	* `comment` -
	(Optional)
	A descriptive comment. This field may be updated.

	* `id` -
	(Optional)
	The ID of this public key. Signatures verified by BinAuthz
	must include the ID of the public key that can be used to
	verify them, and that ID must match the contents of this
	field exactly. Additional restrictions on this field can
	be imposed based on which public key type is encapsulated.
	See the documentation on publicKey cases below for details.

	* `ascii_armored_pgp_public_key` -
	(Optional)
	ASCII-armored representation of a PGP public key, as the
	entire output by the command
	`gpg --export --armor foo@example.com` (either LF or CRLF
	line endings). When using this field, id should be left
	blank. The BinAuthz API handlers will calculate the ID
	and fill it in automatically. BinAuthz computes this ID
	as the OpenPGP RFC4880 V4 fingerprint, represented as
	upper-case hex. If id is provided by the caller, it will
	be overwritten by the API-calculated ID.

	* `pkix_public_key` -
	(Optional)
	A raw PKIX SubjectPublicKeyInfo format public key.
	NOTE: id may be explicitly provided by the caller when using this
	type of public key, but it MUST be a valid RFC3986 URI. If id is left
	blank, a default one will be computed based on the digest of the DER
	encoding of the public key.
	Structure is [documented below](#nested_pkix_public_key).


	<a name="nested_pkix_public_key"></a>The `pkix_public_key` block supports:

	* `public_key_pem` -
	(Optional)
	A PEM-encoded public key, as described in
	`https://tools.ietf.org/html/rfc7468#section-13`

	* `signature_algorithm` -
	(Optional)
	The signature algorithm used to verify a message against
	a signature using this key. These signature algorithm must
	match the structure and any object identifiers encoded in
	publicKeyPem (i.e. this algorithm must match that of the
	public key).

	- - -


	* `description` -
	(Optional)
	A descriptive comment. This field may be updated. The field may be
	displayed in chooser dialogs.

	* `project` - (Optional) The ID of the project in which the resource belongs.
	If it is not provided, the provider project is used.


	## Attributes Reference

	In addition to the arguments listed above, the following computed attributes are exported:

	* `id` - an identifier for the resource with format `projects/{{project}}/attestors/{{name}}`


	## Timeouts

	This resource provides the following
	[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:

	- `create` - Default is 20 minutes.
	- `update` - Default is 20 minutes.
	- `delete` - Default is 20 minutes.

	## Import


	Attestor can be imported using any of these accepted formats:

	* `projects/{{project}}/attestors/{{name}}`
	* `{{project}}/{{name}}`
	* `{{name}}`


	In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import Attestor using one of the formats above. For example:

	```tf
	import {
	id = "projects/{{project}}/attestors/{{name}}"
	to = google_binary_authorization_attestor.default
	}
	```

	When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), Attestor can be imported using one of the formats above. For example:

	```
	$ terraform import google_binary_authorization_attestor.default projects/{{project}}/attestors/{{name}}
	$ terraform import google_binary_authorization_attestor.default {{project}}/{{name}}
	$ terraform import google_binary_authorization_attestor.default {{name}}
	```

	## User Project Overrides

	This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).