---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** Type: MMv1 ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Binary Authorization"
description: |-
A policy for container image binary authorization.
---
# google\_binary\_authorization\_policy
A policy for container image binary authorization.
To get more information about Policy, see:
* [API documentation](https://cloud.google.com/binary-authorization/docs/reference/rest/)
* How-to Guides
* [Official Documentation](https://cloud.google.com/binary-authorization/)
## Example Usage - Binary Authorization Policy Basic
```hcl
resource "google_binary_authorization_policy" "policy" {
  admission_whitelist_patterns {
    name_pattern = "gcr.io/google_containers/*"
  }

  default_admission_rule {
    evaluation_mode  = "ALWAYS_ALLOW"
    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
  }

  cluster_admission_rules {
    cluster                 = "us-central1-a.prod-cluster"
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    require_attestations_by = [google_binary_authorization_attestor.attestor.name]
  }
}

resource "google_container_analysis_note" "note" {
  name = "test-attestor-note"
  attestation_authority {
    hint {
      human_readable_name = "My attestor"
    }
  }
}

resource "google_binary_authorization_attestor" "attestor" {
  name = "test-attestor"
  attestation_authority_note {
    note_reference = google_container_analysis_note.note.name
  }
}
```
## Example Usage - Binary Authorization Policy Global Evaluation
```hcl
resource "google_binary_authorization_policy" "policy" {
  default_admission_rule {
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    require_attestations_by = [google_binary_authorization_attestor.attestor.name]
  }

  global_policy_evaluation_mode = "ENABLE"
}

resource "google_container_analysis_note" "note" {
  name = "test-attestor-note"
  attestation_authority {
    hint {
      human_readable_name = "My attestor"
    }
  }
}

resource "google_binary_authorization_attestor" "attestor" {
  name = "test-attestor"
  attestation_authority_note {
    note_reference = google_container_analysis_note.note.name
  }
}
```
## Argument Reference
The following arguments are supported:
* `default_admission_rule` -
(Required)
Default admission rule for a cluster without a per-cluster admission
rule.
Structure is [documented below](#nested_default_admission_rule).
<a name="nested_default_admission_rule"></a>The `default_admission_rule` block supports:
* `evaluation_mode` -
(Required)
How this admission rule will be evaluated.
Possible values are: `ALWAYS_ALLOW`, `REQUIRE_ATTESTATION`, `ALWAYS_DENY`.
* `require_attestations_by` -
(Optional)
The resource names of the attestors that must attest to a
container image. If the attestor is in a different project from the
policy, it should be specified in the format `projects/*/attestors/*`.
Each attestor must exist before a policy can reference it. To add an
attestor to a policy the principal issuing the policy change
request must be able to read the attestor resource.
Note: this field must be non-empty when the evaluation_mode field
specifies REQUIRE_ATTESTATION, otherwise it must be empty.
* `enforcement_mode` -
(Required)
The action when a pod creation is denied by the admission rule.
Possible values are: `ENFORCED_BLOCK_AND_AUDIT_LOG`, `DRYRUN_AUDIT_LOG_ONLY`.
- - -
* `description` -
(Optional)
A descriptive comment.
* `global_policy_evaluation_mode` -
(Optional)
Controls the evaluation of a Google-maintained global admission policy
for common system-level images. Images not covered by the global
policy will be subject to the project admission policy.
Possible values are: `ENABLE`, `DISABLE`.
* `admission_whitelist_patterns` -
(Optional)
A whitelist of image patterns to exclude from admission rules. If an
image's name matches a whitelist pattern, the image's admission
requests will always be permitted regardless of your admission rules.
Structure is [documented below](#nested_admission_whitelist_patterns).
* `cluster_admission_rules` -
(Optional)
Per-cluster admission rules. An admission rule specifies either that
all container images used in a pod creation request must be attested
to by one or more attestors, that all pod creations will be allowed,
or that all pod creations will be denied. There can be at most one
admission rule per cluster spec.
Identifier format: `{{location}}.{{clusterId}}`.
A location is either a compute zone (e.g. `us-central1-a`) or a region
(e.g. `us-central1`).
Structure is [documented below](#nested_cluster_admission_rules).
* `project` - (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.
<a name="nested_admission_whitelist_patterns"></a>The `admission_whitelist_patterns` block supports:
* `name_pattern` -
(Required)
An image name pattern to whitelist, in the form
`registry/path/to/image`. This supports a trailing * as a
wildcard, but this is allowed only in text after the registry/
part.
<a name="nested_cluster_admission_rules"></a>The `cluster_admission_rules` block supports:
* `cluster` - (Required) The identifier for this object. Format specified above.
* `evaluation_mode` -
(Required)
How this admission rule will be evaluated.
Possible values are: `ALWAYS_ALLOW`, `REQUIRE_ATTESTATION`, `ALWAYS_DENY`.
* `require_attestations_by` -
(Optional)
The resource names of the attestors that must attest to a
container image. If the attestor is in a different project from the
policy, it should be specified in the format `projects/*/attestors/*`.
Each attestor must exist before a policy can reference it. To add an
attestor to a policy the principal issuing the policy change
request must be able to read the attestor resource.
Note: this field must be non-empty when the evaluation_mode field
specifies REQUIRE_ATTESTATION, otherwise it must be empty.
* `enforcement_mode` -
(Required)
The action when a pod creation is denied by the admission rule.
Possible values are: `ENFORCED_BLOCK_AND_AUDIT_LOG`, `DRYRUN_AUDIT_LOG_ONLY`.
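The arguments above combine into a default-deny policy in practice: the default rule rejects everything, a narrow whitelist exempts one registry path, the Google-maintained global policy covers system images, a production cluster enforces attestation, and a staging cluster runs the same rule in dry-run mode so failures are audited rather than blocked. The block below is an added example and is not one of the provider's own documentation examples; the project IDs (`example-project`, `security-project`), the cluster identifiers, the registry path and the attestor and note names are assumed placeholders.

```hcl
# Added example (not from the provider docs). Names, project IDs and cluster
# identifiers are placeholders; replace them with your own.

resource "google_container_analysis_note" "release_note" {
  name = "release-attestor-note"
  attestation_authority {
    hint {
      human_readable_name = "Release pipeline attestor"
    }
  }
}

resource "google_binary_authorization_attestor" "release" {
  name = "release-attestor"
  attestation_authority_note {
    note_reference = google_container_analysis_note.release_note.name
  }
}

resource "google_binary_authorization_policy" "policy" {
  description = "Default-deny; only attested images run in production"

  # Let the Google-maintained global policy admit common system-level images
  # so the project policy does not have to whitelist them by hand.
  global_policy_evaluation_mode = "ENABLE"

  # Exempt one registry path only. The trailing * wildcard is permitted
  # because it appears after the registry/ part of the pattern.
  admission_whitelist_patterns {
    name_pattern = "us-docker.pkg.dev/example-project/base-images/*"
  }

  # Clusters without a per-cluster rule get this: deny and audit log.
  # require_attestations_by must stay empty when the mode is not REQUIRE_ATTESTATION.
  default_admission_rule {
    evaluation_mode  = "ALWAYS_DENY"
    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
  }

  # Production, a regional cluster ({{location}}.{{clusterId}} with a region):
  # every image must carry an attestation from the release attestor, else block.
  cluster_admission_rules {
    cluster                 = "us-central1.prod-cluster"
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    require_attestations_by = [google_binary_authorization_attestor.release.name]
  }

  # Staging, a zonal cluster: the same attestation requirement, but audit-only,
  # so unattested deployments are logged instead of rejected while the
  # signing pipeline is rolled out. The second attestor lives in another
  # project, so it is referenced in the projects/*/attestors/* form; the
  # principal applying this policy must be able to read that attestor.
  cluster_admission_rules {
    cluster          = "us-central1-a.staging-cluster"
    evaluation_mode  = "REQUIRE_ATTESTATION"
    enforcement_mode = "DRYRUN_AUDIT_LOG_ONLY"
    require_attestations_by = [
      google_binary_authorization_attestor.release.name,
      "projects/security-project/attestors/security-scan-attestor",
    ]
  }
}
```

Promoting the staging cluster to `ENFORCED_BLOCK_AND_AUDIT_LOG` is then a one-line change once the audit log shows no unattested images, which is the usual way to move a cluster from dry-run to enforcement without an outage.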
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `id` - an identifier for the resource with format `projects/{{project}}`
## Timeouts
This resource provides the following
[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:
- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.
## Import
Policy can be imported using any of these accepted formats:
* `projects/{{project}}`
* `{{project}}`
In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import Policy using one of the formats above. For example:
```tf
import {
  id = "projects/{{project}}"
  to = google_binary_authorization_policy.default
}
```
When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), Policy can be imported using one of the formats above. For example:
```
$ terraform import google_binary_authorization_policy.default projects/{{project}}
$ terraform import google_binary_authorization_policy.default {{project}}
```
## User Project Overrides
This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).