Google Cloud Classic v7.19.0, Apr 18 24

Google Cloud Classic v7.19.0 published on Thursday, Apr 18, 2024 by Pulumi

gcp.binaryauthorization.Policy

Explore with Pulumi AI

Google Cloud Classic v7.19.0 published on Thursday, Apr 18, 2024 by Pulumi

pulumi/pulumi-gcp

Example Usage

Binary Authorization Policy Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const note = new gcp.containeranalysis.Note("note", {
    name: "test-attestor-note",
    attestationAuthority: {
        hint: {
            humanReadableName: "My attestor",
        },
    },
});
const attestor = new gcp.binaryauthorization.Attestor("attestor", {
    name: "test-attestor",
    attestationAuthorityNote: {
        noteReference: note.name,
    },
});
const policy = new gcp.binaryauthorization.Policy("policy", {
    admissionWhitelistPatterns: [{
        namePattern: "gcr.io/google_containers/*",
    }],
    defaultAdmissionRule: {
        evaluationMode: "ALWAYS_ALLOW",
        enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG",
    },
    clusterAdmissionRules: [{
        cluster: "us-central1-a.prod-cluster",
        evaluationMode: "REQUIRE_ATTESTATION",
        enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG",
        requireAttestationsBies: [attestor.name],
    }],
});

import pulumi
import pulumi_gcp as gcp

note = gcp.containeranalysis.Note("note",
    name="test-attestor-note",
    attestation_authority=gcp.containeranalysis.NoteAttestationAuthorityArgs(
        hint=gcp.containeranalysis.NoteAttestationAuthorityHintArgs(
            human_readable_name="My attestor",
        ),
    ))
attestor = gcp.binaryauthorization.Attestor("attestor",
    name="test-attestor",
    attestation_authority_note=gcp.binaryauthorization.AttestorAttestationAuthorityNoteArgs(
        note_reference=note.name,
    ))
policy = gcp.binaryauthorization.Policy("policy",
    admission_whitelist_patterns=[gcp.binaryauthorization.PolicyAdmissionWhitelistPatternArgs(
        name_pattern="gcr.io/google_containers/*",
    )],
    default_admission_rule=gcp.binaryauthorization.PolicyDefaultAdmissionRuleArgs(
        evaluation_mode="ALWAYS_ALLOW",
        enforcement_mode="ENFORCED_BLOCK_AND_AUDIT_LOG",
    ),
    cluster_admission_rules=[gcp.binaryauthorization.PolicyClusterAdmissionRuleArgs(
        cluster="us-central1-a.prod-cluster",
        evaluation_mode="REQUIRE_ATTESTATION",
        enforcement_mode="ENFORCED_BLOCK_AND_AUDIT_LOG",
        require_attestations_bies=[attestor.name],
    )])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/binaryauthorization"
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/containeranalysis"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		note, err := containeranalysis.NewNote(ctx, "note", &containeranalysis.NoteArgs{
			Name: pulumi.String("test-attestor-note"),
			AttestationAuthority: &containeranalysis.NoteAttestationAuthorityArgs{
				Hint: &containeranalysis.NoteAttestationAuthorityHintArgs{
					HumanReadableName: pulumi.String("My attestor"),
				},
			},
		})
		if err != nil {
			return err
		}
		attestor, err := binaryauthorization.NewAttestor(ctx, "attestor", &binaryauthorization.AttestorArgs{
			Name: pulumi.String("test-attestor"),
			AttestationAuthorityNote: &binaryauthorization.AttestorAttestationAuthorityNoteArgs{
				NoteReference: note.Name,
			},
		})
		if err != nil {
			return err
		}
		_, err = binaryauthorization.NewPolicy(ctx, "policy", &binaryauthorization.PolicyArgs{
			AdmissionWhitelistPatterns: binaryauthorization.PolicyAdmissionWhitelistPatternArray{
				&binaryauthorization.PolicyAdmissionWhitelistPatternArgs{
					NamePattern: pulumi.String("gcr.io/google_containers/*"),
				},
			},
			DefaultAdmissionRule: &binaryauthorization.PolicyDefaultAdmissionRuleArgs{
				EvaluationMode:  pulumi.String("ALWAYS_ALLOW"),
				EnforcementMode: pulumi.String("ENFORCED_BLOCK_AND_AUDIT_LOG"),
			},
			ClusterAdmissionRules: binaryauthorization.PolicyClusterAdmissionRuleArray{
				&binaryauthorization.PolicyClusterAdmissionRuleArgs{
					Cluster:         pulumi.String("us-central1-a.prod-cluster"),
					EvaluationMode:  pulumi.String("REQUIRE_ATTESTATION"),
					EnforcementMode: pulumi.String("ENFORCED_BLOCK_AND_AUDIT_LOG"),
					RequireAttestationsBies: pulumi.StringArray{
						attestor.Name,
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var note = new Gcp.ContainerAnalysis.Note("note", new()
    {
        Name = "test-attestor-note",
        AttestationAuthority = new Gcp.ContainerAnalysis.Inputs.NoteAttestationAuthorityArgs
        {
            Hint = new Gcp.ContainerAnalysis.Inputs.NoteAttestationAuthorityHintArgs
            {
                HumanReadableName = "My attestor",
            },
        },
    });

    var attestor = new Gcp.BinaryAuthorization.Attestor("attestor", new()
    {
        Name = "test-attestor",
        AttestationAuthorityNote = new Gcp.BinaryAuthorization.Inputs.AttestorAttestationAuthorityNoteArgs
        {
            NoteReference = note.Name,
        },
    });

    var policy = new Gcp.BinaryAuthorization.Policy("policy", new()
    {
        AdmissionWhitelistPatterns = new[]
        {
            new Gcp.BinaryAuthorization.Inputs.PolicyAdmissionWhitelistPatternArgs
            {
                NamePattern = "gcr.io/google_containers/*",
            },
        },
        DefaultAdmissionRule = new Gcp.BinaryAuthorization.Inputs.PolicyDefaultAdmissionRuleArgs
        {
            EvaluationMode = "ALWAYS_ALLOW",
            EnforcementMode = "ENFORCED_BLOCK_AND_AUDIT_LOG",
        },
        ClusterAdmissionRules = new[]
        {
            new Gcp.BinaryAuthorization.Inputs.PolicyClusterAdmissionRuleArgs
            {
                Cluster = "us-central1-a.prod-cluster",
                EvaluationMode = "REQUIRE_ATTESTATION",
                EnforcementMode = "ENFORCED_BLOCK_AND_AUDIT_LOG",
                RequireAttestationsBies = new[]
                {
                    attestor.Name,
                },
            },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.containeranalysis.Note;
import com.pulumi.gcp.containeranalysis.NoteArgs;
import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityArgs;
import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityHintArgs;
import com.pulumi.gcp.binaryauthorization.Attestor;
import com.pulumi.gcp.binaryauthorization.AttestorArgs;
import com.pulumi.gcp.binaryauthorization.inputs.AttestorAttestationAuthorityNoteArgs;
import com.pulumi.gcp.binaryauthorization.Policy;
import com.pulumi.gcp.binaryauthorization.PolicyArgs;
import com.pulumi.gcp.binaryauthorization.inputs.PolicyAdmissionWhitelistPatternArgs;
import com.pulumi.gcp.binaryauthorization.inputs.PolicyDefaultAdmissionRuleArgs;
import com.pulumi.gcp.binaryauthorization.inputs.PolicyClusterAdmissionRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var note = new Note("note", NoteArgs.builder()        
            .name("test-attestor-note")
            .attestationAuthority(NoteAttestationAuthorityArgs.builder()
                .hint(NoteAttestationAuthorityHintArgs.builder()
                    .humanReadableName("My attestor")
                    .build())
                .build())
            .build());

        var attestor = new Attestor("attestor", AttestorArgs.builder()        
            .name("test-attestor")
            .attestationAuthorityNote(AttestorAttestationAuthorityNoteArgs.builder()
                .noteReference(note.name())
                .build())
            .build());

        var policy = new Policy("policy", PolicyArgs.builder()        
            .admissionWhitelistPatterns(PolicyAdmissionWhitelistPatternArgs.builder()
                .namePattern("gcr.io/google_containers/*")
                .build())
            .defaultAdmissionRule(PolicyDefaultAdmissionRuleArgs.builder()
                .evaluationMode("ALWAYS_ALLOW")
                .enforcementMode("ENFORCED_BLOCK_AND_AUDIT_LOG")
                .build())
            .clusterAdmissionRules(PolicyClusterAdmissionRuleArgs.builder()
                .cluster("us-central1-a.prod-cluster")
                .evaluationMode("REQUIRE_ATTESTATION")
                .enforcementMode("ENFORCED_BLOCK_AND_AUDIT_LOG")
                .requireAttestationsBies(attestor.name())
                .build())
            .build());

    }
}

resources:
  policy:
    type: gcp:binaryauthorization:Policy
    properties:
      admissionWhitelistPatterns:
        - namePattern: gcr.io/google_containers/*
      defaultAdmissionRule:
        evaluationMode: ALWAYS_ALLOW
        enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
      clusterAdmissionRules:
        - cluster: us-central1-a.prod-cluster
          evaluationMode: REQUIRE_ATTESTATION
          enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
          requireAttestationsBies:
            - ${attestor.name}
  note:
    type: gcp:containeranalysis:Note
    properties:
      name: test-attestor-note
      attestationAuthority:
        hint:
          humanReadableName: My attestor
  attestor:
    type: gcp:binaryauthorization:Attestor
    properties:
      name: test-attestor
      attestationAuthorityNote:
        noteReference: ${note.name}

Binary Authorization Policy Global Evaluation

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const note = new gcp.containeranalysis.Note("note", {
    name: "test-attestor-note",
    attestationAuthority: {
        hint: {
            humanReadableName: "My attestor",
        },
    },
});
const attestor = new gcp.binaryauthorization.Attestor("attestor", {
    name: "test-attestor",
    attestationAuthorityNote: {
        noteReference: note.name,
    },
});
const policy = new gcp.binaryauthorization.Policy("policy", {
    defaultAdmissionRule: {
        evaluationMode: "REQUIRE_ATTESTATION",
        enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG",
        requireAttestationsBies: [attestor.name],
    },
    globalPolicyEvaluationMode: "ENABLE",
});

import pulumi
import pulumi_gcp as gcp

note = gcp.containeranalysis.Note("note",
    name="test-attestor-note",
    attestation_authority=gcp.containeranalysis.NoteAttestationAuthorityArgs(
        hint=gcp.containeranalysis.NoteAttestationAuthorityHintArgs(
            human_readable_name="My attestor",
        ),
    ))
attestor = gcp.binaryauthorization.Attestor("attestor",
    name="test-attestor",
    attestation_authority_note=gcp.binaryauthorization.AttestorAttestationAuthorityNoteArgs(
        note_reference=note.name,
    ))
policy = gcp.binaryauthorization.Policy("policy",
    default_admission_rule=gcp.binaryauthorization.PolicyDefaultAdmissionRuleArgs(
        evaluation_mode="REQUIRE_ATTESTATION",
        enforcement_mode="ENFORCED_BLOCK_AND_AUDIT_LOG",
        require_attestations_bies=[attestor.name],
    ),
    global_policy_evaluation_mode="ENABLE")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/binaryauthorization"
	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/containeranalysis"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		note, err := containeranalysis.NewNote(ctx, "note", &containeranalysis.NoteArgs{
			Name: pulumi.String("test-attestor-note"),
			AttestationAuthority: &containeranalysis.NoteAttestationAuthorityArgs{
				Hint: &containeranalysis.NoteAttestationAuthorityHintArgs{
					HumanReadableName: pulumi.String("My attestor"),
				},
			},
		})
		if err != nil {
			return err
		}
		attestor, err := binaryauthorization.NewAttestor(ctx, "attestor", &binaryauthorization.AttestorArgs{
			Name: pulumi.String("test-attestor"),
			AttestationAuthorityNote: &binaryauthorization.AttestorAttestationAuthorityNoteArgs{
				NoteReference: note.Name,
			},
		})
		if err != nil {
			return err
		}
		_, err = binaryauthorization.NewPolicy(ctx, "policy", &binaryauthorization.PolicyArgs{
			DefaultAdmissionRule: &binaryauthorization.PolicyDefaultAdmissionRuleArgs{
				EvaluationMode:  pulumi.String("REQUIRE_ATTESTATION"),
				EnforcementMode: pulumi.String("ENFORCED_BLOCK_AND_AUDIT_LOG"),
				RequireAttestationsBies: pulumi.StringArray{
					attestor.Name,
				},
			},
			GlobalPolicyEvaluationMode: pulumi.String("ENABLE"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var note = new Gcp.ContainerAnalysis.Note("note", new()
    {
        Name = "test-attestor-note",
        AttestationAuthority = new Gcp.ContainerAnalysis.Inputs.NoteAttestationAuthorityArgs
        {
            Hint = new Gcp.ContainerAnalysis.Inputs.NoteAttestationAuthorityHintArgs
            {
                HumanReadableName = "My attestor",
            },
        },
    });

    var attestor = new Gcp.BinaryAuthorization.Attestor("attestor", new()
    {
        Name = "test-attestor",
        AttestationAuthorityNote = new Gcp.BinaryAuthorization.Inputs.AttestorAttestationAuthorityNoteArgs
        {
            NoteReference = note.Name,
        },
    });

    var policy = new Gcp.BinaryAuthorization.Policy("policy", new()
    {
        DefaultAdmissionRule = new Gcp.BinaryAuthorization.Inputs.PolicyDefaultAdmissionRuleArgs
        {
            EvaluationMode = "REQUIRE_ATTESTATION",
            EnforcementMode = "ENFORCED_BLOCK_AND_AUDIT_LOG",
            RequireAttestationsBies = new[]
            {
                attestor.Name,
            },
        },
        GlobalPolicyEvaluationMode = "ENABLE",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.containeranalysis.Note;
import com.pulumi.gcp.containeranalysis.NoteArgs;
import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityArgs;
import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityHintArgs;
import com.pulumi.gcp.binaryauthorization.Attestor;
import com.pulumi.gcp.binaryauthorization.AttestorArgs;
import com.pulumi.gcp.binaryauthorization.inputs.AttestorAttestationAuthorityNoteArgs;
import com.pulumi.gcp.binaryauthorization.Policy;
import com.pulumi.gcp.binaryauthorization.PolicyArgs;
import com.pulumi.gcp.binaryauthorization.inputs.PolicyDefaultAdmissionRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var note = new Note("note", NoteArgs.builder()        
            .name("test-attestor-note")
            .attestationAuthority(NoteAttestationAuthorityArgs.builder()
                .hint(NoteAttestationAuthorityHintArgs.builder()
                    .humanReadableName("My attestor")
                    .build())
                .build())
            .build());

        var attestor = new Attestor("attestor", AttestorArgs.builder()        
            .name("test-attestor")
            .attestationAuthorityNote(AttestorAttestationAuthorityNoteArgs.builder()
                .noteReference(note.name())
                .build())
            .build());

        var policy = new Policy("policy", PolicyArgs.builder()        
            .defaultAdmissionRule(PolicyDefaultAdmissionRuleArgs.builder()
                .evaluationMode("REQUIRE_ATTESTATION")
                .enforcementMode("ENFORCED_BLOCK_AND_AUDIT_LOG")
                .requireAttestationsBies(attestor.name())
                .build())
            .globalPolicyEvaluationMode("ENABLE")
            .build());

    }
}

resources:
  policy:
    type: gcp:binaryauthorization:Policy
    properties:
      defaultAdmissionRule:
        evaluationMode: REQUIRE_ATTESTATION
        enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
        requireAttestationsBies:
          - ${attestor.name}
      globalPolicyEvaluationMode: ENABLE
  note:
    type: gcp:containeranalysis:Note
    properties:
      name: test-attestor-note
      attestationAuthority:
        hint:
          humanReadableName: My attestor
  attestor:
    type: gcp:binaryauthorization:Attestor
    properties:
      name: test-attestor
      attestationAuthorityNote:
        noteReference: ${note.name}

Create Policy Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Policy(name: string, args: PolicyArgs, opts?: CustomResourceOptions);

@overload
def Policy(resource_name: str,
           args: PolicyArgs,
           opts: Optional[ResourceOptions] = None)

@overload
def Policy(resource_name: str,
           opts: Optional[ResourceOptions] = None,
           default_admission_rule: Optional[PolicyDefaultAdmissionRuleArgs] = None,
           admission_whitelist_patterns: Optional[Sequence[PolicyAdmissionWhitelistPatternArgs]] = None,
           cluster_admission_rules: Optional[Sequence[PolicyClusterAdmissionRuleArgs]] = None,
           description: Optional[str] = None,
           global_policy_evaluation_mode: Optional[str] = None,
           project: Optional[str] = None)

func NewPolicy(ctx *Context, name string, args PolicyArgs, opts ...ResourceOption) (*Policy, error)

public Policy(string name, PolicyArgs args, CustomResourceOptions? opts = null)

public Policy(String name, PolicyArgs args)
public Policy(String name, PolicyArgs args, CustomResourceOptions options)

type: gcp:binaryauthorization:Policy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args PolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args PolicyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args PolicyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args PolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args PolicyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Example

The following reference example uses placeholder values for all input properties.

var policyResource = new Gcp.BinaryAuthorization.Policy("policyResource", new()
{
    DefaultAdmissionRule = new Gcp.BinaryAuthorization.Inputs.PolicyDefaultAdmissionRuleArgs
    {
        EnforcementMode = "string",
        EvaluationMode = "string",
        RequireAttestationsBies = new[]
        {
            "string",
        },
    },
    AdmissionWhitelistPatterns = new[]
    {
        new Gcp.BinaryAuthorization.Inputs.PolicyAdmissionWhitelistPatternArgs
        {
            NamePattern = "string",
        },
    },
    ClusterAdmissionRules = new[]
    {
        new Gcp.BinaryAuthorization.Inputs.PolicyClusterAdmissionRuleArgs
        {
            Cluster = "string",
            EnforcementMode = "string",
            EvaluationMode = "string",
            RequireAttestationsBies = new[]
            {
                "string",
            },
        },
    },
    Description = "string",
    GlobalPolicyEvaluationMode = "string",
    Project = "string",
});

example, err := binaryauthorization.NewPolicy(ctx, "policyResource", &binaryauthorization.PolicyArgs{
	DefaultAdmissionRule: &binaryauthorization.PolicyDefaultAdmissionRuleArgs{
		EnforcementMode: pulumi.String("string"),
		EvaluationMode:  pulumi.String("string"),
		RequireAttestationsBies: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	AdmissionWhitelistPatterns: binaryauthorization.PolicyAdmissionWhitelistPatternArray{
		&binaryauthorization.PolicyAdmissionWhitelistPatternArgs{
			NamePattern: pulumi.String("string"),
		},
	},
	ClusterAdmissionRules: binaryauthorization.PolicyClusterAdmissionRuleArray{
		&binaryauthorization.PolicyClusterAdmissionRuleArgs{
			Cluster:         pulumi.String("string"),
			EnforcementMode: pulumi.String("string"),
			EvaluationMode:  pulumi.String("string"),
			RequireAttestationsBies: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	Description:                pulumi.String("string"),
	GlobalPolicyEvaluationMode: pulumi.String("string"),
	Project:                    pulumi.String("string"),
})

var policyResource = new Policy("policyResource", PolicyArgs.builder()        
    .defaultAdmissionRule(PolicyDefaultAdmissionRuleArgs.builder()
        .enforcementMode("string")
        .evaluationMode("string")
        .requireAttestationsBies("string")
        .build())
    .admissionWhitelistPatterns(PolicyAdmissionWhitelistPatternArgs.builder()
        .namePattern("string")
        .build())
    .clusterAdmissionRules(PolicyClusterAdmissionRuleArgs.builder()
        .cluster("string")
        .enforcementMode("string")
        .evaluationMode("string")
        .requireAttestationsBies("string")
        .build())
    .description("string")
    .globalPolicyEvaluationMode("string")
    .project("string")
    .build());

policy_resource = gcp.binaryauthorization.Policy("policyResource",
    default_admission_rule=gcp.binaryauthorization.PolicyDefaultAdmissionRuleArgs(
        enforcement_mode="string",
        evaluation_mode="string",
        require_attestations_bies=["string"],
    ),
    admission_whitelist_patterns=[gcp.binaryauthorization.PolicyAdmissionWhitelistPatternArgs(
        name_pattern="string",
    )],
    cluster_admission_rules=[gcp.binaryauthorization.PolicyClusterAdmissionRuleArgs(
        cluster="string",
        enforcement_mode="string",
        evaluation_mode="string",
        require_attestations_bies=["string"],
    )],
    description="string",
    global_policy_evaluation_mode="string",
    project="string")

const policyResource = new gcp.binaryauthorization.Policy("policyResource", {
    defaultAdmissionRule: {
        enforcementMode: "string",
        evaluationMode: "string",
        requireAttestationsBies: ["string"],
    },
    admissionWhitelistPatterns: [{
        namePattern: "string",
    }],
    clusterAdmissionRules: [{
        cluster: "string",
        enforcementMode: "string",
        evaluationMode: "string",
        requireAttestationsBies: ["string"],
    }],
    description: "string",
    globalPolicyEvaluationMode: "string",
    project: "string",
});

type: gcp:binaryauthorization:Policy
properties:
    admissionWhitelistPatterns:
        - namePattern: string
    clusterAdmissionRules:
        - cluster: string
          enforcementMode: string
          evaluationMode: string
          requireAttestationsBies:
            - string
    defaultAdmissionRule:
        enforcementMode: string
        evaluationMode: string
        requireAttestationsBies:
            - string
    description: string
    globalPolicyEvaluationMode: string
    project: string

Policy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The Policy resource accepts the following input properties:

DefaultAdmissionRule PolicyDefaultAdmissionRule

Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

AdmissionWhitelistPatterns List<PolicyAdmissionWhitelistPattern>

A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules. Structure is documented below.

ClusterAdmissionRules List<PolicyClusterAdmissionRule>

Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec.

Identifier format: {{location}}.{{clusterId}}. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). Structure is documented below.

Description string

A descriptive comment.

GlobalPolicyEvaluationMode string

Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values are: ENABLE, DISABLE.

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

DefaultAdmissionRule PolicyDefaultAdmissionRuleArgs

Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

AdmissionWhitelistPatterns []PolicyAdmissionWhitelistPatternArgs

ClusterAdmissionRules []PolicyClusterAdmissionRuleArgs

Identifier format: {{location}}.{{clusterId}}. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). Structure is documented below.

Description string

A descriptive comment.

GlobalPolicyEvaluationMode string

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

defaultAdmissionRule PolicyDefaultAdmissionRule

Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

admissionWhitelistPatterns List<PolicyAdmissionWhitelistPattern>

clusterAdmissionRules List<PolicyClusterAdmissionRule>

Identifier format: {{location}}.{{clusterId}}. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). Structure is documented below.

description String

A descriptive comment.

globalPolicyEvaluationMode String

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

defaultAdmissionRule PolicyDefaultAdmissionRule

Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

admissionWhitelistPatterns PolicyAdmissionWhitelistPattern[]

clusterAdmissionRules PolicyClusterAdmissionRule[]

Identifier format: {{location}}.{{clusterId}}. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). Structure is documented below.

description string

A descriptive comment.

globalPolicyEvaluationMode string

project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

default_admission_rule PolicyDefaultAdmissionRuleArgs

Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

admission_whitelist_patterns Sequence[PolicyAdmissionWhitelistPatternArgs]

cluster_admission_rules Sequence[PolicyClusterAdmissionRuleArgs]

Identifier format: {{location}}.{{clusterId}}. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). Structure is documented below.

description str

A descriptive comment.

global_policy_evaluation_mode str

project str

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

defaultAdmissionRule Property Map

Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

admissionWhitelistPatterns List<Property Map>

clusterAdmissionRules List<Property Map>

Identifier format: {{location}}.{{clusterId}}. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). Structure is documented below.

description String

A descriptive comment.

globalPolicyEvaluationMode String

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

Outputs

All input properties are implicitly available as output properties. Additionally, the Policy resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing Policy Resource

Get an existing Policy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: PolicyState, opts?: CustomResourceOptions): Policy

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        admission_whitelist_patterns: Optional[Sequence[PolicyAdmissionWhitelistPatternArgs]] = None,
        cluster_admission_rules: Optional[Sequence[PolicyClusterAdmissionRuleArgs]] = None,
        default_admission_rule: Optional[PolicyDefaultAdmissionRuleArgs] = None,
        description: Optional[str] = None,
        global_policy_evaluation_mode: Optional[str] = None,
        project: Optional[str] = None) -> Policy

func GetPolicy(ctx *Context, name string, id IDInput, state *PolicyState, opts ...ResourceOption) (*Policy, error)

public static Policy Get(string name, Input<string> id, PolicyState? state, CustomResourceOptions? opts = null)

public static Policy get(String name, Output<String> id, PolicyState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AdmissionWhitelistPatterns List<PolicyAdmissionWhitelistPattern>

ClusterAdmissionRules List<PolicyClusterAdmissionRule>

Identifier format: {{location}}.{{clusterId}}. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). Structure is documented below.

DefaultAdmissionRule PolicyDefaultAdmissionRule

Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

Description string

A descriptive comment.

GlobalPolicyEvaluationMode string

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

AdmissionWhitelistPatterns []PolicyAdmissionWhitelistPatternArgs

ClusterAdmissionRules []PolicyClusterAdmissionRuleArgs

Identifier format: {{location}}.{{clusterId}}. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). Structure is documented below.

DefaultAdmissionRule PolicyDefaultAdmissionRuleArgs

Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

Description string

A descriptive comment.

GlobalPolicyEvaluationMode string

Project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

admissionWhitelistPatterns List<PolicyAdmissionWhitelistPattern>

clusterAdmissionRules List<PolicyClusterAdmissionRule>

Identifier format: {{location}}.{{clusterId}}. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). Structure is documented below.

defaultAdmissionRule PolicyDefaultAdmissionRule

Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

description String

A descriptive comment.

globalPolicyEvaluationMode String

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

admissionWhitelistPatterns PolicyAdmissionWhitelistPattern[]

clusterAdmissionRules PolicyClusterAdmissionRule[]

Identifier format: {{location}}.{{clusterId}}. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). Structure is documented below.

defaultAdmissionRule PolicyDefaultAdmissionRule

Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

description string

A descriptive comment.

globalPolicyEvaluationMode string

project string

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

admission_whitelist_patterns Sequence[PolicyAdmissionWhitelistPatternArgs]

cluster_admission_rules Sequence[PolicyClusterAdmissionRuleArgs]

Identifier format: {{location}}.{{clusterId}}. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). Structure is documented below.

default_admission_rule PolicyDefaultAdmissionRuleArgs

Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

description str

A descriptive comment.

global_policy_evaluation_mode str

project str

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

admissionWhitelistPatterns List<Property Map>

clusterAdmissionRules List<Property Map>

Identifier format: {{location}}.{{clusterId}}. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). Structure is documented below.

defaultAdmissionRule Property Map

Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

description String

A descriptive comment.

globalPolicyEvaluationMode String

project String

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

Supporting Types

PolicyAdmissionWhitelistPattern, PolicyAdmissionWhitelistPatternArgs

NamePattern string: An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

NamePattern string: An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

namePattern String: An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

namePattern string: An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

name_pattern str: An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

namePattern String: An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

PolicyClusterAdmissionRule, PolicyClusterAdmissionRuleArgs

Cluster string: The identifier for this object. Format specified above.
EnforcementMode string: The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
EvaluationMode string: How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
RequireAttestationsBies List<string>: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

Cluster string: The identifier for this object. Format specified above.
EnforcementMode string: The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
EvaluationMode string: How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
RequireAttestationsBies []string: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

cluster String: The identifier for this object. Format specified above.
enforcementMode String: The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
evaluationMode String: How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
requireAttestationsBies List<String>: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

cluster string: The identifier for this object. Format specified above.
enforcementMode string: The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
evaluationMode string: How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
requireAttestationsBies string[]: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

cluster str: The identifier for this object. Format specified above.
enforcement_mode str: The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
evaluation_mode str: How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
require_attestations_bies Sequence[str]: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

cluster String: The identifier for this object. Format specified above.
enforcementMode String: The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
evaluationMode String: How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
requireAttestationsBies List<String>: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

PolicyDefaultAdmissionRule, PolicyDefaultAdmissionRuleArgs

EnforcementMode string: The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
EvaluationMode string: How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
RequireAttestationsBies List<string>: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

EnforcementMode string: The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
EvaluationMode string: How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
RequireAttestationsBies []string: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

enforcementMode String: The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
evaluationMode String: How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
requireAttestationsBies List<String>: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

enforcementMode string: The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
evaluationMode string: How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
requireAttestationsBies string[]: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

enforcement_mode str: The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
evaluation_mode str: How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
require_attestations_bies Sequence[str]: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

enforcementMode String: The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
evaluationMode String: How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
requireAttestationsBies List<String>: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

Import

Policy can be imported using any of these accepted formats:

projects/{{project}}
{{project}}

When using the pulumi import command, Policy can be imported using one of the formats above. For example:

$ pulumi import gcp:binaryauthorization/policy:Policy default projects/{{project}}

$ pulumi import gcp:binaryauthorization/policy:Policy default {{project}}

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Google Cloud (GCP) Classic pulumi/pulumi-gcp
License: Apache-2.0
Notes: This Pulumi package is based on the google-beta Terraform Provider.

Google Cloud Classic v7.19.0 published on Thursday, Apr 18, 2024 by Pulumi

pulumi/pulumi-gcp

gcp.binaryauthorization.Policy

On this page

On this page

Example Usage

Binary Authorization Policy Basic

Binary Authorization Policy Global Evaluation

Create Policy Resource

Constructor syntax

Parameters

Example

Policy Resource Properties

Inputs

Outputs

Look up Existing Policy Resource

Supporting Types

PolicyAdmissionWhitelistPattern, PolicyAdmissionWhitelistPatternArgs

PolicyClusterAdmissionRule, PolicyClusterAdmissionRuleArgs

PolicyDefaultAdmissionRule, PolicyDefaultAdmissionRuleArgs

Import

Package Details

On this page

On this page