Google Binary Authorization Attestor
This page shows how to write Terraform for Binary Authorization Attestor and write them securely.
google_binary_authorization_attestor (Terraform)
The Attestor in Binary Authorization can be configured in Terraform with the resource name google_binary_authorization_attestor
. The following sections describe 2 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "google_binary_authorization_attestor" "this" {
description = var.description
name = var.name
project = var.project
dynamic "attestation_authority_note" {
resource "google_binary_authorization_attestor" "attestor" {
name = format("%s-attestor", var.attestor_name)
project = var.project_id
attestation_authority_note {
note_reference = google_container_analysis_note.attestor-note.name
Parameters
-
description
optional - string
A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.
The resource name.
-
project
optional computed - string -
attestation_authority_note
list block-
delegation_service_account_email
optional computed - string
This field will contain the service account email address that this Attestor will use as the principal when querying Container Analysis. Attestor administrators must grant this service account the IAM role needed to read attestations from the noteReference in Container Analysis (containeranalysis.notes.occurrences.viewer). This email address is fixed for the lifetime of the Attestor, but callers should not make any other assumptions about the service account email; future versions may use an email based on a different naming pattern.
-
note_reference
required - string
The resource name of a ATTESTATIONAUTHORITY Note, created by the user. If the Note is in a different project from the Attestor, it should be specified in the format 'projects//notes/' (or the legacy 'providers//notes/_'). This field may not be updated. An attestation by this attestor is stored as a Container Analysis ATTESTATION_AUTHORITY Occurrence that names a container image and that links to this Note.
-
public_keys
list block-
ascii_armored_pgp_public_key
optional - string
ASCII-armored representation of a PGP public key, as the entire output by the command 'gpg --export --armor foo@example.com' (either LF or CRLF line endings). When using this field, id should be left blank. The BinAuthz API handlers will calculate the ID and fill it in automatically. BinAuthz computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as upper-case hex. If id is provided by the caller, it will be overwritten by the API-calculated ID.
-
comment
optional - string
A descriptive comment. This field may be updated.
-
id
optional computed - string
The ID of this public key. Signatures verified by BinAuthz must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. Additional restrictions on this field can be imposed based on which public key type is encapsulated. See the documentation on publicKey cases below for details.
-
pkix_public_key
list block-
public_key_pem
optional - string
A PEM-encoded public key, as described in 'https://tools.ietf.org/html/rfc7468#section-13'
-
signature_algorithm
optional - string
The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in publicKeyPem (i.e. this algorithm must match that of the public key).
-
-
-
-
timeouts
single block
Explanation in Terraform Registry
An attestor that attests to container image artifacts. To get more information about Attestor, see:
- API documentation
- How-to Guides
Frequently asked questions
What is Google Binary Authorization Attestor?
Google Binary Authorization Attestor is a resource for Binary Authorization of Google Cloud Platform. Settings can be wrote in Terraform.
Where can I find the example code for the Google Binary Authorization Attestor?
For Terraform, the niveklabs/google and rosmo/gke-commonground-haven source code examples are useful. See the Terraform Example section for further details.