This page documents the language specification for the gcp package. If you're looking for help working with the inputs, outputs, or functions of gcp resources in a Pulumi program, please see the resource documentation for examples and API reference.

binaryauthorization

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-gcp repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-google repo.

class pulumi_gcp.binaryauthorization.Attestor(resource_name, opts=None, attestation_authority_note=None, description=None, name=None, project=None, __props__=None, __name__=None, __opts__=None)

An attestor that attests to container image artifacts.

To get more information about Attestor, see:

import pulumi
import pulumi_gcp as gcp

note = gcp.containeranalysis.Note("note", attestation_authority={
    "hint": {
        "humanReadableName": "Attestor Note",
    },
})
attestor = gcp.binaryauthorization.Attestor("attestor", attestation_authority_note={
    "noteReference": note.name,
    "public_keys": [{
        # Paste the entire output of `gpg --export --armor <key>` here; the key body is elided below.
        "asciiArmoredPgpPublicKey": """mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl
...
=6Bvm
""",
    }],
})
Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • attestation_authority_note (pulumi.Input[dict]) – A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.

  • description (pulumi.Input[str]) – A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.

  • name (pulumi.Input[str]) – The resource name.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The attestation_authority_note object supports the following:

  • delegationServiceAccountEmail (pulumi.Input[str]) - This field will contain the service account email address that this Attestor will use as the principal when querying Container Analysis. Attestor administrators must grant this service account the IAM role needed to read attestations from the noteReference in Container Analysis (containeranalysis.notes.occurrences.viewer). This email address is fixed for the lifetime of the Attestor, but callers should not make any other assumptions about the service account email; future versions may use an email based on a different naming pattern.

  • noteReference (pulumi.Input[str]) - The resource name of an ATTESTATION_AUTHORITY Note, created by the user. If the Note is in a different project from the Attestor, it should be specified in the format projects/*/notes/* (or the legacy providers/*/notes/*). This field may not be updated. An attestation by this attestor is stored as a Container Analysis ATTESTATION_AUTHORITY Occurrence that names a container image and that links to this Note.

  • publicKeys (pulumi.Input[list]) - Public keys that verify attestations signed by this attestor. This field may be updated. If this field is non-empty, one of the specified public keys must verify that an attestation was signed by this attestor for the image specified in the admission request. If this field is empty, this attestor always returns that no valid attestations exist. Structure is documented below.

    • asciiArmoredPgpPublicKey (pulumi.Input[str]) - ASCII-armored representation of a PGP public key, as the entire output by the command gpg --export --armor foo@example.com (either LF or CRLF line endings). When using this field, id should be left blank. The BinAuthz API handlers will calculate the ID and fill it in automatically. BinAuthz computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as upper-case hex. If id is provided by the caller, it will be overwritten by the API-calculated ID.

    • comment (pulumi.Input[str]) - A descriptive comment. This field may be updated.

    • id (pulumi.Input[str]) - The ID of this public key. Signatures verified by BinAuthz must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. Additional restrictions on this field can be imposed based on which public key type is encapsulated. See the documentation on publicKey cases below for details.

    • pkixPublicKey (pulumi.Input[dict]) - A raw PKIX SubjectPublicKeyInfo format public key. NOTE: id may be explicitly provided by the caller when using this type of public key, but it MUST be a valid RFC3986 URI. If id is left blank, a default one will be computed based on the digest of the DER encoding of the public key. Structure is documented below.

      • publicKeyPem (pulumi.Input[str]) - A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13

      • signatureAlgorithm (pulumi.Input[str]) - The signature algorithm used to verify a message against a signature using this key. The signature algorithm must match the structure and any object identifiers encoded in publicKeyPem (i.e. this algorithm must match that of the public key).
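
The ID rule for asciiArmoredPgpPublicKey above (the OpenPGP RFC 4880 V4 fingerprint, upper-case hex) is what a signer has to reproduce when it labels an attestation with the key ID, so it is worth being able to compute it locally. The following is an added example, not code from this page or from the Pulumi/Terraform providers: it dearmors a `gpg --export --armor` block with LF or CRLF line endings, parses the first OpenPGP packet header, and hashes the Public-Key packet exactly as the fingerprint definition requires. The RSA key packet built at the bottom is synthetic test data (an arbitrary 1024-bit number, not a real key); `crc24`, `armor` and the packet-builder helpers exist only so the example runs offline.

```python
import base64
import hashlib
import struct


def dearmor(armored: str) -> bytes:
    """Undo the ASCII armor of `gpg --export --armor` and return the raw OpenPGP
    packet bytes. Accepts LF or CRLF endings, with or without the BEGIN/END lines
    and "Key: value" armor headers, and skips the "=XXXX" CRC24 trailer."""
    b64 = []
    for line in armored.replace("\r\n", "\n").split("\n"):
        s = line.strip()
        # Skip blanks, BEGIN/END, armor headers (base64 never contains ':') and the CRC line.
        if not s or s.startswith("-----") or ":" in s or s.startswith("="):
            continue
        b64.append(s)
    return base64.b64decode("".join(b64))


def first_packet(data: bytes):
    """Parse one OpenPGP packet header (RFC 4880 section 4.2); return (tag, body).
    gpg exports use either header style, so both are handled."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:  # new-format header: tag in the low 6 bits
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths do not occur in key packets")
    else:  # old-format header: tag in bits 2-5, length type in bits 0-1
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 0:
            length, off = data[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", data[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate-length header")
    return tag, data[off:off + length]


def v4_fingerprint(armored_key: str) -> str:
    """OpenPGP V4 fingerprint (RFC 4880 section 12.2): SHA-1 over
    0x99 || two-octet body length || Public-Key packet body, as upper-case hex.
    This is what BinAuthz fills into publicKeys[].id for a PGP key, and the key ID
    a signature must carry for BinAuthz to try this key."""
    tag, body = first_packet(dearmor(armored_key))
    if tag != 6:
        raise ValueError(f"expected a Public-Key packet (tag 6), got tag {tag}")
    if body[0] != 4:
        raise ValueError(f"V4 fingerprints apply to version-4 keys only, got {body[0]}")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


# ---- constructed test data (not a real key) so the example runs offline ----

def _mpi(value: int) -> bytes:
    """OpenPGP MPI: two-octet bit count followed by the big-endian magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def constructed_rsa_key_body() -> bytes:
    """Synthetic V4 RSA Public-Key packet body: version, creation time, algorithm 1
    (RSA), MPI n, MPI e. n is an arbitrary 1024-bit number, not a real modulus."""
    n = (1 << 1023) | 0x10001
    return b"\x04" + struct.pack(">I", 1532000000) + b"\x01" + _mpi(n) + _mpi(65537)


def old_format_packet(tag: int, body: bytes) -> bytes:
    """Old-format header with a two-octet length (length type 1)."""
    return bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body


def new_format_packet(tag: int, body: bytes) -> bytes:
    """New-format header with a one-octet length (bodies under 192 bytes)."""
    return bytes([0xC0 | tag, len(body)]) + body


def crc24(data: bytes) -> int:
    """Armor checksum (RFC 4880 section 6.1): CRC-24, init 0xB704CE, poly 0x1864CFB."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packet: bytes, crlf: bool = False) -> str:
    """Wrap packet bytes in the armor layout gpg emits, with LF or CRLF line endings."""
    nl = "\r\n" if crlf else "\n"
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = "=" + base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    head, tail = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"
    return nl.join([head, ""] + lines + [check, tail]) + nl


if __name__ == "__main__":
    print(v4_fingerprint(armor(old_format_packet(6, constructed_rsa_key_body()))))
```

To check a real attestor key, pass the armored export to `v4_fingerprint` and compare the result with the `id` the API filled in for that publicKeys entry; a mismatch means the signer will be labelling attestations with a key ID BinAuthz does not know, and they will never verify.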

attestation_authority_note: pulumi.Output[dict] = None

A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.

  • delegationServiceAccountEmail (str) - This field will contain the service account email address that this Attestor will use as the principal when querying Container Analysis. Attestor administrators must grant this service account the IAM role needed to read attestations from the noteReference in Container Analysis (containeranalysis.notes.occurrences.viewer). This email address is fixed for the lifetime of the Attestor, but callers should not make any other assumptions about the service account email; future versions may use an email based on a different naming pattern.

  • noteReference (str) - The resource name of an ATTESTATION_AUTHORITY Note, created by the user. If the Note is in a different project from the Attestor, it should be specified in the format projects/*/notes/* (or the legacy providers/*/notes/*). This field may not be updated. An attestation by this attestor is stored as a Container Analysis ATTESTATION_AUTHORITY Occurrence that names a container image and that links to this Note.

  • publicKeys (list) - Public keys that verify attestations signed by this attestor. This field may be updated. If this field is non-empty, one of the specified public keys must verify that an attestation was signed by this attestor for the image specified in the admission request. If this field is empty, this attestor always returns that no valid attestations exist. Structure is documented below.

    • asciiArmoredPgpPublicKey (str) - ASCII-armored representation of a PGP public key, as the entire output by the command gpg --export --armor foo@example.com (either LF or CRLF line endings). When using this field, id should be left blank. The BinAuthz API handlers will calculate the ID and fill it in automatically. BinAuthz computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as upper-case hex. If id is provided by the caller, it will be overwritten by the API-calculated ID.

    • comment (str) - A descriptive comment. This field may be updated.

    • id (str) - The ID of this public key. Signatures verified by BinAuthz must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. Additional restrictions on this field can be imposed based on which public key type is encapsulated. See the documentation on publicKey cases below for details.

    • pkixPublicKey (dict) - A raw PKIX SubjectPublicKeyInfo format public key. NOTE: id may be explicitly provided by the caller when using this type of public key, but it MUST be a valid RFC3986 URI. If id is left blank, a default one will be computed based on the digest of the DER encoding of the public key. Structure is documented below.

      • publicKeyPem (str) - A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13

      • signatureAlgorithm (str) - The signature algorithm used to verify a message against a signature using this key. The signature algorithm must match the structure and any object identifiers encoded in publicKeyPem (i.e. this algorithm must match that of the public key).

description: pulumi.Output[str] = None

A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.

name: pulumi.Output[str] = None

The resource name.

project: pulumi.Output[str] = None

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

static get(resource_name, id, opts=None, attestation_authority_note=None, description=None, name=None, project=None)

Get an existing Attestor resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • attestation_authority_note (pulumi.Input[dict]) – A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.

  • description (pulumi.Input[str]) – A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.

  • name (pulumi.Input[str]) – The resource name.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The attestation_authority_note object supports the following:

  • delegationServiceAccountEmail (pulumi.Input[str]) - This field will contain the service account email address that this Attestor will use as the principal when querying Container Analysis. Attestor administrators must grant this service account the IAM role needed to read attestations from the noteReference in Container Analysis (containeranalysis.notes.occurrences.viewer). This email address is fixed for the lifetime of the Attestor, but callers should not make any other assumptions about the service account email; future versions may use an email based on a different naming pattern.

  • noteReference (pulumi.Input[str]) - The resource name of an ATTESTATION_AUTHORITY Note, created by the user. If the Note is in a different project from the Attestor, it should be specified in the format projects/*/notes/* (or the legacy providers/*/notes/*). This field may not be updated. An attestation by this attestor is stored as a Container Analysis ATTESTATION_AUTHORITY Occurrence that names a container image and that links to this Note.

  • publicKeys (pulumi.Input[list]) - Public keys that verify attestations signed by this attestor. This field may be updated. If this field is non-empty, one of the specified public keys must verify that an attestation was signed by this attestor for the image specified in the admission request. If this field is empty, this attestor always returns that no valid attestations exist. Structure is documented below.

    • asciiArmoredPgpPublicKey (pulumi.Input[str]) - ASCII-armored representation of a PGP public key, as the entire output by the command gpg --export --armor foo@example.com (either LF or CRLF line endings). When using this field, id should be left blank. The BinAuthz API handlers will calculate the ID and fill it in automatically. BinAuthz computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as upper-case hex. If id is provided by the caller, it will be overwritten by the API-calculated ID.

    • comment (pulumi.Input[str]) - A descriptive comment. This field may be updated.

    • id (pulumi.Input[str]) - The ID of this public key. Signatures verified by BinAuthz must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. Additional restrictions on this field can be imposed based on which public key type is encapsulated. See the documentation on publicKey cases below for details.

    • pkixPublicKey (pulumi.Input[dict]) - A raw PKIX SubjectPublicKeyInfo format public key. NOTE: id may be explicitly provided by the caller when using this type of public key, but it MUST be a valid RFC3986 URI. If id is left blank, a default one will be computed based on the digest of the DER encoding of the public key. Structure is documented below.

      • publicKeyPem (pulumi.Input[str]) - A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13

      • signatureAlgorithm (pulumi.Input[str]) - The signature algorithm used to verify a message against a signature using this key. The signature algorithm must match the structure and any object identifiers encoded in publicKeyPem (i.e. this algorithm must match that of the public key).

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.binaryauthorization.AttestorIamBinding(resource_name, opts=None, attestor=None, condition=None, members=None, project=None, role=None, __props__=None, __name__=None, __opts__=None)

Three different resources help you manage your IAM policy for Binary Authorization Attestor. Each of these resources serves a different use case:

  • binaryauthorization.AttestorIamPolicy: Authoritative. Sets the IAM policy for the attestor and replaces any existing policy already attached.

  • binaryauthorization.AttestorIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the attestor are preserved.

  • binaryauthorization.AttestorIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the attestor are preserved.

Note: binaryauthorization.AttestorIamPolicy cannot be used in conjunction with binaryauthorization.AttestorIamBinding and binaryauthorization.AttestorIamMember or they will fight over what your policy should be.

Note: binaryauthorization.AttestorIamBinding resources can be used in conjunction with binaryauthorization.AttestorIamMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

# `attestor` is the gcp.binaryauthorization.Attestor resource created as in the Attestor example above.
admin = gcp.organizations.get_iam_policy(bindings=[{
    "role": "roles/viewer",
    "members": ["user:jane@example.com"],
}])
policy = gcp.binaryauthorization.AttestorIamPolicy("policy",
    project=attestor.project,
    attestor=attestor.name,
    policy_data=admin.policy_data)

import pulumi
import pulumi_gcp as gcp

binding = gcp.binaryauthorization.AttestorIamBinding("binding",
    project=attestor.project,
    attestor=attestor.name,
    role="roles/viewer",
    members=["user:jane@example.com"])

import pulumi
import pulumi_gcp as gcp

member = gcp.binaryauthorization.AttestorIamMember("member",
    project=attestor.project,
    attestor=attestor.name,
    role="roles/viewer",
    member="user:jane@example.com")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • attestor (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • role (pulumi.Input[str]) – The role that should be applied. Only one binaryauthorization.AttestorIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str])

  • expression (pulumi.Input[str])

  • title (pulumi.Input[str])

attestor: pulumi.Output[str] = None

Used to find the parent resource to bind the IAM policy to

etag: pulumi.Output[str] = None

(Computed) The etag of the IAM policy.

project: pulumi.Output[str] = None

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

role: pulumi.Output[str] = None

The role that should be applied. Only one binaryauthorization.AttestorIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

static get(resource_name, id, opts=None, attestor=None, condition=None, etag=None, members=None, project=None, role=None)

Get an existing AttestorIamBinding resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • attestor (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

  • etag (pulumi.Input[str]) – (Computed) The etag of the IAM policy.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • role (pulumi.Input[str]) – The role that should be applied. Only one binaryauthorization.AttestorIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str])

  • expression (pulumi.Input[str])

  • title (pulumi.Input[str])

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.binaryauthorization.AttestorIamMember(resource_name, opts=None, attestor=None, condition=None, member=None, project=None, role=None, __props__=None, __name__=None, __opts__=None)

Three different resources help you manage your IAM policy for Binary Authorization Attestor. Each of these resources serves a different use case:

  • binaryauthorization.AttestorIamPolicy: Authoritative. Sets the IAM policy for the attestor and replaces any existing policy already attached.

  • binaryauthorization.AttestorIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the attestor are preserved.

  • binaryauthorization.AttestorIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the attestor are preserved.

Note: binaryauthorization.AttestorIamPolicy cannot be used in conjunction with binaryauthorization.AttestorIamBinding and binaryauthorization.AttestorIamMember or they will fight over what your policy should be.

Note: binaryauthorization.AttestorIamBinding resources can be used in conjunction with binaryauthorization.AttestorIamMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

# `attestor` is the gcp.binaryauthorization.Attestor resource created as in the Attestor example above.
admin = gcp.organizations.get_iam_policy(bindings=[{
    "role": "roles/viewer",
    "members": ["user:jane@example.com"],
}])
policy = gcp.binaryauthorization.AttestorIamPolicy("policy",
    project=attestor.project,
    attestor=attestor.name,
    policy_data=admin.policy_data)

import pulumi
import pulumi_gcp as gcp

binding = gcp.binaryauthorization.AttestorIamBinding("binding",
    project=attestor.project,
    attestor=attestor.name,
    role="roles/viewer",
    members=["user:jane@example.com"])

import pulumi
import pulumi_gcp as gcp

member = gcp.binaryauthorization.AttestorIamMember("member",
    project=attestor.project,
    attestor=attestor.name,
    role="roles/viewer",
    member="user:jane@example.com")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • attestor (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • role (pulumi.Input[str]) – The role that should be applied. Only one binaryauthorization.AttestorIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str])

  • expression (pulumi.Input[str])

  • title (pulumi.Input[str])

attestor: pulumi.Output[str] = None

Used to find the parent resource to bind the IAM policy to

etag: pulumi.Output[str] = None

(Computed) The etag of the IAM policy.

project: pulumi.Output[str] = None

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

role: pulumi.Output[str] = None

The role that should be applied. Only one binaryauthorization.AttestorIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

static get(resource_name, id, opts=None, attestor=None, condition=None, etag=None, member=None, project=None, role=None)

Get an existing AttestorIamMember resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • attestor (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

  • etag (pulumi.Input[str]) – (Computed) The etag of the IAM policy.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

  • role (pulumi.Input[str]) – The role that should be applied. Only one binaryauthorization.AttestorIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

The condition object supports the following:

  • description (pulumi.Input[str])

  • expression (pulumi.Input[str])

  • title (pulumi.Input[str])

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.binaryauthorization.AttestorIamPolicy(resource_name, opts=None, attestor=None, policy_data=None, project=None, __props__=None, __name__=None, __opts__=None)

Three different resources help you manage your IAM policy for Binary Authorization Attestor. Each of these resources serves a different use case:

  • binaryauthorization.AttestorIamPolicy: Authoritative. Sets the IAM policy for the attestor and replaces any existing policy already attached.

  • binaryauthorization.AttestorIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the attestor are preserved.

  • binaryauthorization.AttestorIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the attestor are preserved.

Note: binaryauthorization.AttestorIamPolicy cannot be used in conjunction with binaryauthorization.AttestorIamBinding and binaryauthorization.AttestorIamMember or they will fight over what your policy should be.

Note: binaryauthorization.AttestorIamBinding resources can be used in conjunction with binaryauthorization.AttestorIamMember resources only if they do not grant privilege to the same role.

import pulumi
import pulumi_gcp as gcp

# `attestor` is the gcp.binaryauthorization.Attestor resource created as in the Attestor example above.
admin = gcp.organizations.get_iam_policy(bindings=[{
    "role": "roles/viewer",
    "members": ["user:jane@example.com"],
}])
policy = gcp.binaryauthorization.AttestorIamPolicy("policy",
    project=attestor.project,
    attestor=attestor.name,
    policy_data=admin.policy_data)

import pulumi
import pulumi_gcp as gcp

binding = gcp.binaryauthorization.AttestorIamBinding("binding",
    project=attestor.project,
    attestor=attestor.name,
    role="roles/viewer",
    members=["user:jane@example.com"])

import pulumi
import pulumi_gcp as gcp

member = gcp.binaryauthorization.AttestorIamMember("member",
    project=attestor.project,
    attestor=attestor.name,
    role="roles/viewer",
    member="user:jane@example.com")

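
The three merge behaviours (and the two notes about resources fighting) described for AttestorIamPolicy, AttestorIamBinding and AttestorIamMember are easy to get wrong in a live project, so here is an added example, not provider code, that models an attestor IAM policy as a role-to-members map, applies each resource's semantics to a constructed starting policy, and flags the combinations the notes forbid. The `kind`/`role` dict schema read by `find_conflicts` is this example's own, not Pulumi's; the starting policy and member names are constructed.

```python
from copy import deepcopy
from typing import Dict, Iterable, List, Set

# An attestor IAM policy reduced to what these resources manage: role -> members.
Policy = Dict[str, Set[str]]


def apply_iam_policy(current: Policy, bindings: Policy) -> Policy:
    """AttestorIamPolicy: authoritative for the whole policy. Everything attached
    before, including roles this program never mentioned, is replaced."""
    return {role: set(members) for role, members in bindings.items()}


def apply_iam_binding(current: Policy, role: str, members: Iterable[str]) -> Policy:
    """AttestorIamBinding: authoritative for one role. The member list of `role` is
    replaced outright, so members granted out of band are dropped; other roles stay."""
    result = deepcopy(current)
    result[role] = set(members)
    return result


def apply_iam_member(current: Policy, role: str, member: str) -> Policy:
    """AttestorIamMember: non-authoritative. One member is added to one role; the
    role's other members and every other role are preserved."""
    result = deepcopy(current)
    result.setdefault(role, set()).add(member)
    return result


def find_conflicts(resources: List[dict]) -> List[str]:
    """Pre-deploy check for the two notes above. Each entry is a dict with a "kind"
    (AttestorIamPolicy, AttestorIamBinding or AttestorIamMember) and, for the
    latter two, a "role". This dict schema is the example's own, not Pulumi's."""
    problems = []
    kinds = {r["kind"] for r in resources}
    if "AttestorIamPolicy" in kinds and kinds & {"AttestorIamBinding", "AttestorIamMember"}:
        problems.append("AttestorIamPolicy used together with AttestorIamBinding/AttestorIamMember")
    binding_roles = [r["role"] for r in resources if r["kind"] == "AttestorIamBinding"]
    member_roles = {r["role"] for r in resources if r["kind"] == "AttestorIamMember"}
    for role in sorted(set(binding_roles) & member_roles):
        problems.append(f"AttestorIamBinding and AttestorIamMember both grant {role}")
    for role in sorted({r for r in binding_roles if binding_roles.count(r) > 1}):
        problems.append(f"more than one AttestorIamBinding for {role}")
    return problems


# Constructed starting policy: what is already attached to the attestor before
# the program runs (the editor grant was made out of band, e.g. in the console).
EXISTING: Policy = {
    "roles/viewer": {"user:alice@example.com", "user:bob@example.com"},
    "roles/editor": {"user:carol@example.com"},
}


def demo() -> Dict[str, Policy]:
    """Apply each resource, with the role/member from the page's examples, to EXISTING."""
    jane = "user:jane@example.com"
    return {
        "member": apply_iam_member(EXISTING, "roles/viewer", jane),
        "binding": apply_iam_binding(EXISTING, "roles/viewer", [jane]),
        "policy": apply_iam_policy(EXISTING, {"roles/viewer": {jane}}),
    }


if __name__ == "__main__":
    for name, policy in demo().items():
        print(name, {role: sorted(m) for role, m in policy.items()})
```

The result worth noticing is the binding case: granting roles/viewer to jane with AttestorIamBinding silently removes alice and bob, and a later AttestorIamMember for the same role would then put its member back on every run, which is exactly the fight the notes warn about.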
Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • attestor (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

  • policy_data (pulumi.Input[str]) – The policy data generated by an organizations.getIAMPolicy data source.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

attestor: pulumi.Output[str] = None

Used to find the parent resource to bind the IAM policy to

etag: pulumi.Output[str] = None

(Computed) The etag of the IAM policy.

policy_data: pulumi.Output[str] = None

The policy data generated by an organizations.getIAMPolicy data source.

project: pulumi.Output[str] = None

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

static get(resource_name, id, opts=None, attestor=None, etag=None, policy_data=None, project=None)

Get an existing AttestorIamPolicy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • attestor (pulumi.Input[str]) – Used to find the parent resource to bind the IAM policy to

  • etag (pulumi.Input[str]) – (Computed) The etag of the IAM policy.

  • policy_data (pulumi.Input[str]) – The policy data generated by an organizations.getIAMPolicy data source.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_gcp.binaryauthorization.Policy(resource_name, opts=None, admission_whitelist_patterns=None, cluster_admission_rules=None, default_admission_rule=None, description=None, global_policy_evaluation_mode=None, project=None, __props__=None, __name__=None, __opts__=None)

A policy for container image binary authorization.

To get more information about Policy, see:

import pulumi
import pulumi_gcp as gcp

note = gcp.containeranalysis.Note("note", attestation_authority={
    "hint": {
        "humanReadableName": "My attestor",
    },
})
attestor = gcp.binaryauthorization.Attestor("attestor", attestation_authority_note={
    "noteReference": note.name,
})
policy = gcp.binaryauthorization.Policy("policy",
    admission_whitelist_patterns=[{
        "namePattern": "gcr.io/google_containers/*",
    }],
    default_admission_rule={
        "evaluationMode": "ALWAYS_ALLOW",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
    },
    cluster_admission_rules=[{
        "cluster": "us-central1-a.prod-cluster",
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "requireAttestationsBies": [attestor.name],
    }])

import pulumi
import pulumi_gcp as gcp

note = gcp.containeranalysis.Note("note", attestation_authority={
    "hint": {
        "humanReadableName": "My attestor",
    },
})
attestor = gcp.binaryauthorization.Attestor("attestor", attestation_authority_note={
    "noteReference": note.name,
})
policy = gcp.binaryauthorization.Policy("policy",
    default_admission_rule={
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "requireAttestationsBies": [attestor.name],
    },
    global_policy_evaluation_mode="ENABLE")

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • admission_whitelist_patterns (pulumi.Input[list]) – A whitelist of image patterns to exclude from admission rules. If an image’s name matches a whitelist pattern, the image’s admission requests will always be permitted regardless of your admission rules. Structure is documented below.

  • cluster_admission_rules (pulumi.Input[list]) – Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec.

  • default_admission_rule (pulumi.Input[dict]) – Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

  • description (pulumi.Input[str]) – A descriptive comment.

  • global_policy_evaluation_mode (pulumi.Input[str]) – Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The admission_whitelist_patterns object supports the following:

  • namePattern (pulumi.Input[str]) - An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

The cluster_admission_rules object supports the following:

  • cluster (pulumi.Input[str]) - The identifier for this object. Format specified above.

  • enforcementMode (pulumi.Input[str]) - The action when a pod creation is denied by the admission rule.

  • evaluationMode (pulumi.Input[str]) - How this admission rule will be evaluated.

  • requireAttestationsBies (pulumi.Input[list]) - The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

The default_admission_rule object supports the following:

  • enforcementMode (pulumi.Input[str]) - The action when a pod creation is denied by the admission rule.

  • evaluationMode (pulumi.Input[str]) - How this admission rule will be evaluated.

  • requireAttestationsBies (pulumi.Input[list]) - The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

admission_whitelist_patterns: pulumi.Output[list] = None

A whitelist of image patterns to exclude from admission rules. If an image’s name matches a whitelist pattern, the image’s admission requests will always be permitted regardless of your admission rules. Structure is documented below.

  • namePattern (str) - An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

cluster_admission_rules: pulumi.Output[list] = None

Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec.

  • cluster (str) - The identifier for this object. Format specified above.

  • enforcementMode (str) - The action when a pod creation is denied by the admission rule.

  • evaluationMode (str) - How this admission rule will be evaluated.

  • requireAttestationsBies (list) - The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

default_admission_rule: pulumi.Output[dict] = None

Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

  • enforcementMode (str) - The action when a pod creation is denied by the admission rule.

  • evaluationMode (str) - How this admission rule will be evaluated.

  • requireAttestationsBies (list) - The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
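As an added example (not pulumi_gcp or provider code), the following offline validator checks a Policy argument structure against the constraints stated in the constructor parameters and output attributes above before it is handed to gcp.binaryauthorization.Policy: the whitelist wildcard rule, the requireAttestationsBies/REQUIRE_ATTESTATION pairing, the projects/*/attestors/* cross-project form and the one-rule-per-cluster limit. The sample policy and the project id my-project are constructed assumptions.

```python
import re

# Cross-project attestor reference form given in the docs: projects/*/attestors/*
ATTESTOR_REF = re.compile(r"^projects/[^/]+/attestors/[^/]+$")

def whitelist_pattern_errors(pattern: str) -> list:
    """registry/path/to/image with at most one '*', trailing, after the registry/ part."""
    if pattern.find("/") <= 0:
        return [f"{pattern!r}: missing registry/ prefix"]
    stars = [i for i, c in enumerate(pattern) if c == "*"]
    if len(stars) > 1:
        return [f"{pattern!r}: more than one wildcard"]
    if stars and stars[0] != len(pattern) - 1:  # also rejects a '*' inside the registry part
        return [f"{pattern!r}: '*' is only allowed as a trailing wildcard"]
    return []

def admission_rule_errors(rule: dict, where: str) -> list:
    """Documented rule: requireAttestationsBies is non-empty iff REQUIRE_ATTESTATION."""
    errs, mode, attestors = [], rule.get("evaluationMode"), rule.get("requireAttestationsBies", [])
    if mode == "REQUIRE_ATTESTATION" and not attestors:
        errs.append(f"{where}: REQUIRE_ATTESTATION needs at least one attestor")
    if mode != "REQUIRE_ATTESTATION" and attestors:
        errs.append(f"{where}: requireAttestationsBies must be empty unless REQUIRE_ATTESTATION")
    for ref in attestors:  # a bare name means same-project; anything with '/' must be the full form
        if "/" in ref and not ATTESTOR_REF.match(ref):
            errs.append(f"{where}: malformed attestor reference {ref!r}")
    return errs

def validate_policy(policy: dict) -> list:
    """Return every violation of the documented Policy constraints (empty list means OK)."""
    errs, seen = [], set()
    for entry in policy.get("admission_whitelist_patterns", []):
        errs += whitelist_pattern_errors(entry.get("namePattern", ""))
    errs += admission_rule_errors(policy.get("default_admission_rule", {}), "default_admission_rule")
    for rule in policy.get("cluster_admission_rules", []):
        cluster = rule.get("cluster", "")
        if cluster in seen:  # at most one admission rule per cluster spec
            errs.append(f"duplicate cluster_admission_rules entry for {cluster!r}")
        seen.add(cluster)
        errs += admission_rule_errors(rule, f"cluster_admission_rules[{cluster}]")
    return errs

GOOD_POLICY = {  # constructed sample mirroring the page's first example; project id assumed
    "admission_whitelist_patterns": [{"namePattern": "gcr.io/google_containers/*"}],
    "default_admission_rule": {"evaluationMode": "ALWAYS_ALLOW", "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"},
    "cluster_admission_rules": [{"cluster": "us-central1-a.prod-cluster", "evaluationMode": "REQUIRE_ATTESTATION",
                                 "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
                                 "requireAttestationsBies": ["projects/my-project/attestors/attestor"]}],
}
```

Run validate_policy over the dict you are about to unpack into the Policy constructor; a non-empty result is a policy the API would reject or that silently leaves clusters unattested.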

description: pulumi.Output[str] = None

A descriptive comment.

global_policy_evaluation_mode: pulumi.Output[str] = None

Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy.

project: pulumi.Output[str] = None

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

static get(resource_name, id, opts=None, admission_whitelist_patterns=None, cluster_admission_rules=None, default_admission_rule=None, description=None, global_policy_evaluation_mode=None, project=None)

Get an existing Policy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • admission_whitelist_patterns (pulumi.Input[list]) – A whitelist of image patterns to exclude from admission rules. If an image’s name matches a whitelist pattern, the image’s admission requests will always be permitted regardless of your admission rules. Structure is documented below.

  • cluster_admission_rules (pulumi.Input[list]) – Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec.

  • default_admission_rule (pulumi.Input[dict]) – Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

  • description (pulumi.Input[str]) – A descriptive comment.

  • global_policy_evaluation_mode (pulumi.Input[str]) – Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy.

  • project (pulumi.Input[str]) – The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The admission_whitelist_patterns object supports the following:

  • namePattern (pulumi.Input[str]) - An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

The cluster_admission_rules object supports the following:

  • cluster (pulumi.Input[str]) - The identifier for this object. Format specified above.

  • enforcementMode (pulumi.Input[str]) - The action when a pod creation is denied by the admission rule.

  • evaluationMode (pulumi.Input[str]) - How this admission rule will be evaluated.

  • requireAttestationsBies (pulumi.Input[list]) - The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

The default_admission_rule object supports the following:

  • enforcementMode (pulumi.Input[str]) - The action when a pod creation is denied by the admission rule.

  • evaluationMode (pulumi.Input[str]) - How this admission rule will be evaluated.

  • requireAttestationsBies (pulumi.Input[list]) - The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str