Module binaryauthorization


class Attestor

extends CustomResource

An attestor that attests to container image artifacts.

Warning: This resource is in beta, and should be used with the terraform-provider-google-beta provider. See Provider Versions for more details on beta resources.

To get more information about Attestor, see:

Example Usage - Binary Authorization Attestor Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// The Container Analysis note is what the attestor's attestations are
// attached to; the hint is only a human-readable label shown to operators.
const attestorNoteArgs = {
    attestationAuthority: {
        hint: {
            humanReadableName: "Attestor Note",
        },
    },
};
const note = new gcp.containeranalysis.Note("note", attestorNoteArgs);

// The ASCII-armored PGP public key is the attestor's trust root: attestations
// are verified against it, and only the holder of the matching private key can
// produce one. Keep that private key out of source control and rotate it by
// replacing this entry. The key body is abbreviated in this listing.
const attestorKey = {
    asciiArmoredPgpPublicKey: `mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl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=6Bvm
`,
};
const attestor = new gcp.binaryauthorization.Attestor("attestor", {
    attestationAuthorityNote: {
        noteReference: note.name,
        publicKeys: [attestorKey],
    },
});

constructor

new Attestor(name: string, args: AttestorArgs, opts?: pulumi.CustomResourceOptions)

Create an Attestor resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AttestorState, opts?: pulumi.CustomResourceOptions): Attestor

Get an existing Attestor resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property attestationAuthorityNote

public attestationAuthorityNote: pulumi.Output<{
    delegationServiceAccountEmail: string;
    noteReference: string;
    publicKeys: {
        asciiArmoredPgpPublicKey: string;
        comment: undefined | string;
        id: string;
    }[];
}>;

property description

public description: pulumi.Output<string | undefined>;

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

property project

public project: pulumi.Output<string>;

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class Policy

extends CustomResource

A policy for container image binary authorization.

Warning: This resource is in beta, and should be used with the terraform-provider-google-beta provider. See Provider Versions for more details on beta resources.

To get more information about Policy, see:

Example Usage - Binary Authorization Policy Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const note = new gcp.containeranalysis.Note("note", {
    attestationAuthority: {
        hint: {
            humanReadableName: "My attestor",
        },
    },
});

// NOTE(review): this attestor declares no publicKeys, so it has nothing to
// verify signed attestations against; add asciiArmoredPgpPublicKey entries
// (see the Attestor example) before relying on REQUIRE_ATTESTATION below.
const attestor = new gcp.binaryauthorization.Attestor("attestor", {
    attestationAuthorityNote: {
        noteReference: note.name,
    },
});

// Images whose name matches a whitelist pattern are admitted without going
// through the admission rules, so keep these patterns as narrow as possible.
const exemptImagePatterns = [{
    namePattern: "gcr.io/google_containers/*",
}];

// Only this cluster requires a verified attestation from `attestor`; a
// deployment that fails the check is blocked and written to the audit log.
const prodClusterRule = {
    cluster: "us-central1-a.prod-cluster",
    enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG",
    evaluationMode: "REQUIRE_ATTESTATION",
    requireAttestationsBies: [attestor.name],
};

// Every cluster without a specific rule falls through to this default, which
// admits any image (ALWAYS_ALLOW) -- confirm that fail-open posture is intended
// for the clusters not listed above.
const defaultRule = {
    enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG",
    evaluationMode: "ALWAYS_ALLOW",
};

const policy = new gcp.binaryauthorization.Policy("policy", {
    admissionWhitelistPatterns: exemptImagePatterns,
    clusterAdmissionRules: [prodClusterRule],
    defaultAdmissionRule: defaultRule,
});

constructor

new Policy(name: string, args: PolicyArgs, opts?: pulumi.CustomResourceOptions)

Create a Policy resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: PolicyState, opts?: pulumi.CustomResourceOptions): Policy

Get an existing Policy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property admissionWhitelistPatterns

public admissionWhitelistPatterns: pulumi.Output<{
    namePattern: undefined | string;
}[] | undefined>;

property clusterAdmissionRules

public clusterAdmissionRules: pulumi.Output<{
    cluster: string;
    enforcementMode: undefined | string;
    evaluationMode: undefined | string;
    requireAttestationsBies: string[];
}[] | undefined>;

property defaultAdmissionRule

public defaultAdmissionRule: pulumi.Output<{
    enforcementMode: string;
    evaluationMode: string;
    requireAttestationsBies: string[];
}>;

property description

public description: pulumi.Output<string | undefined>;

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property project

public project: pulumi.Output<string>;

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

interface AttestorArgs

The set of arguments for constructing an Attestor resource.

property attestationAuthorityNote

attestationAuthorityNote: pulumi.Input<{
    delegationServiceAccountEmail: pulumi.Input<string>;
    noteReference: pulumi.Input<string>;
    publicKeys: pulumi.Input<pulumi.Input<{
        asciiArmoredPgpPublicKey: pulumi.Input<string>;
        comment: pulumi.Input<string>;
        id: pulumi.Input<string>;
    }>[]>;
}>;

property description

description?: pulumi.Input<string>;

property name

name?: pulumi.Input<string>;

property project

project?: pulumi.Input<string>;

interface AttestorState

Input properties used for looking up and filtering Attestor resources.

property attestationAuthorityNote

attestationAuthorityNote?: pulumi.Input<{
    delegationServiceAccountEmail: pulumi.Input<string>;
    noteReference: pulumi.Input<string>;
    publicKeys: pulumi.Input<pulumi.Input<{
        asciiArmoredPgpPublicKey: pulumi.Input<string>;
        comment: pulumi.Input<string>;
        id: pulumi.Input<string>;
    }>[]>;
}>;

property description

description?: pulumi.Input<string>;

property name

name?: pulumi.Input<string>;

property project

project?: pulumi.Input<string>;

interface PolicyArgs

The set of arguments for constructing a Policy resource.

property admissionWhitelistPatterns

admissionWhitelistPatterns?: pulumi.Input<pulumi.Input<{
    namePattern: pulumi.Input<string>;
}>[]>;

property clusterAdmissionRules

clusterAdmissionRules?: pulumi.Input<pulumi.Input<{
    cluster: pulumi.Input<string>;
    enforcementMode: pulumi.Input<string>;
    evaluationMode: pulumi.Input<string>;
    requireAttestationsBies: pulumi.Input<pulumi.Input<string>[]>;
}>[]>;

property defaultAdmissionRule

defaultAdmissionRule: pulumi.Input<{
    enforcementMode: pulumi.Input<string>;
    evaluationMode: pulumi.Input<string>;
    requireAttestationsBies: pulumi.Input<pulumi.Input<string>[]>;
}>;

property description

description?: pulumi.Input<string>;

property project

project?: pulumi.Input<string>;

interface PolicyState

Input properties used for looking up and filtering Policy resources.

property admissionWhitelistPatterns

admissionWhitelistPatterns?: pulumi.Input<pulumi.Input<{
    namePattern: pulumi.Input<string>;
}>[]>;

property clusterAdmissionRules

clusterAdmissionRules?: pulumi.Input<pulumi.Input<{
    cluster: pulumi.Input<string>;
    enforcementMode: pulumi.Input<string>;
    evaluationMode: pulumi.Input<string>;
    requireAttestationsBies: pulumi.Input<pulumi.Input<string>[]>;
}>[]>;

property defaultAdmissionRule

defaultAdmissionRule?: pulumi.Input<{
    enforcementMode: pulumi.Input<string>;
    evaluationMode: pulumi.Input<string>;
    requireAttestationsBies: pulumi.Input<pulumi.Input<string>[]>;
}>;

property description

description?: pulumi.Input<string>;

property project

project?: pulumi.Input<string>;