Google Binary Authorization Policy
This page shows how to write Terraform for a Binary Authorization Policy and how to write it securely.
google_binary_authorization_policy (Terraform)
The Policy in Binary Authorization can be configured in Terraform with the resource name google_binary_authorization_policy. The following sections describe 3 examples of how to use the resource and its parameters.
Example Usage from GitHub
Example 1: allowlist built from variables with a dynamic block. The source page cuts the snippet off inside the content block; name_pattern is the only argument that block accepts, so it is filled in here and the rest of the resource is marked as truncated.

resource "google_binary_authorization_policy" "binauthz-policy" {
  project = var.project_id

  # One admission_whitelist_patterns block per allowlisted pattern; the compliance
  # test images are appended only when compliance testing is switched on.
  dynamic "admission_whitelist_patterns" {
    for_each = var.compliance_testing_use ? concat(var.admission_allowlist, local.compliance_containers) : var.admission_allowlist
    content {
      name_pattern = admission_whitelist_patterns.value
    }
  }
  # ... remainder (including default_admission_rule) truncated on the source page
}

Example 2: module-style policy driven entirely by input variables (truncated on the source page after the dynamic block header).

resource "google_binary_authorization_policy" "this" {
  description                   = var.description
  global_policy_evaluation_mode = var.global_policy_evaluation_mode
  project                       = var.project

  dynamic "admission_whitelist_patterns" {
    # ... for_each and content truncated on the source page
  }
}

Example 3: static allowlist for one Artifact Registry repository. HCL only interpolates ${...}, so $region, $projectId and $containerRegistryName are literal text here and must be substituted before terraform runs.

resource "google_binary_authorization_policy" "policy" {
  admission_whitelist_patterns {
    name_pattern = "$region-docker.pkg.dev/$projectId/$containerRegistryName/*"
  }
  default_admission_rule {
    # ... rule body truncated on the source page
  }
}
Parameters

- description
  optional - string
  A descriptive comment.

- global_policy_evaluation_mode
  optional computed - string
  Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]

- id
  optional computed - string

- project
  optional computed - string
  The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

- admission_whitelist_patterns
  list block
  Image patterns excluded from the admission rules: an image whose name matches a pattern is always admitted, regardless of the rules below. Every pattern is therefore a bypass of attestation; keep the list short and the patterns narrow.
  - name_pattern
    required - string
    An image name pattern to whitelist, in the form 'registry/path/to/image'. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

- cluster_admission_rules
  set block
  Per-cluster admission rules that override default_admission_rule for a single cluster. There can be at most one rule per cluster.
  - cluster
    required - string
    The cluster the rule applies to, in the format {{location}}.{{cluster name}}, where location is a compute zone or region (for example us-central1.prod-cluster).
  - enforcement_mode
    required - string
    The action when a pod creation is denied by the admission rule. Possible values: ["ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY"]. DRYRUN_AUDIT_LOG_ONLY writes an audit log entry and still admits the pod, so it is a rollout aid, not enforcement.
  - evaluation_mode
    required - string
    How this admission rule will be evaluated. Possible values: ["ALWAYS_ALLOW", "REQUIRE_ATTESTATION", "ALWAYS_DENY"]
  - require_attestations_by
    optional - set of string
    The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format 'projects/*/attestors/*'. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

- default_admission_rule
  list block (required)
  The admission rule applied to every cluster that has no matching cluster_admission_rules entry. This is the rule that decides the policy's real strength: ALWAYS_ALLOW disables the check, and DRYRUN_AUDIT_LOG_ONLY only logs.
  - enforcement_mode
    required - string
    The action when a pod creation is denied by the admission rule. Possible values: ["ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY"]
  - evaluation_mode
    required - string
    How this admission rule will be evaluated. Possible values: ["ALWAYS_ALLOW", "REQUIRE_ATTESTATION", "ALWAYS_DENY"]
  - require_attestations_by
    optional - set of string
    The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format 'projects/*/attestors/*'. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

- timeouts
  single block
  create, update and delete timeouts for the resource.
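The fragments in the example section and the parameter list above leave the two decisions that matter for security implicit: what the default rule is, and how wide the allowlist is. The following is an added, complete example written for this page; it is not code from the repositories listed on the page or from the Terraform provider docs. It assumes the project ID arrives as var.project_id, that the attestor's PKIX public key sits in attestor.pub next to the module, that bootstrap images live in an Artifact Registry repository named bootstrap, and that a development cluster named dev exists in us-central1. All of those names are illustrative.

```hcl
# Added example for this page, not code from the page's source repositories.
# Assumed, illustrative names: var.project_id, the key file attestor.pub, the
# Artifact Registry repository "bootstrap" and the GKE cluster us-central1.dev.

variable "project_id" {
  type        = string
  description = "Project that owns the policy, the attestor and the images"
}

# Attestations are stored against a Container Analysis note owned by the attestor.
resource "google_container_analysis_note" "build_note" {
  project = var.project_id
  name    = "ci-build-attestor-note"

  attestation_authority {
    hint {
      human_readable_name = "Images built and signed by the CI pipeline"
    }
  }
}

# The attestor must exist before the policy can reference it. The policy below
# references it by name, which also gives Terraform the create-order dependency.
resource "google_binary_authorization_attestor" "build" {
  project = var.project_id
  name    = "ci-build-attestor"

  attestation_authority_note {
    note_reference = google_container_analysis_note.build_note.name

    public_keys {
      comment = "CI signing key, public half only; the private key stays with the signer"
      pkix_public_key {
        public_key_pem      = file("${path.module}/attestor.pub")
        signature_algorithm = "ECDSA_P256_SHA256"
      }
    }
  }
}

resource "google_binary_authorization_policy" "policy" {
  project     = var.project_id
  description = "Deny any image the CI pipeline has not attested"

  # ENABLE exempts Google-maintained system images (GKE add-ons) through the
  # global policy. With DISABLE those images hit the rules below and the cluster
  # cannot start them unless each one is attested or allowlisted.
  global_policy_evaluation_mode = "ENABLE"

  # Every allowlist pattern bypasses attestation. Keep it to one narrow path;
  # "us-docker.pkg.dev/*" or "gcr.io/*" would exempt an entire registry.
  admission_whitelist_patterns {
    name_pattern = "us-docker.pkg.dev/${var.project_id}/bootstrap/*"
  }

  # Secure default: an attestation from the build attestor is required and a
  # missing one blocks the pod. ALWAYS_ALLOW would disable the check;
  # DRYRUN_AUDIT_LOG_ONLY would log the violation and admit the pod anyway.
  default_admission_rule {
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    require_attestations_by = [google_binary_authorization_attestor.build.name]
  }

  # Per-cluster override, keyed {{location}}.{{cluster name}}. Dry-run belongs
  # here, scoped to a cluster being onboarded, so production keeps blocking.
  cluster_admission_rules {
    cluster                 = "us-central1.dev"
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = "DRYRUN_AUDIT_LOG_ONLY"
    require_attestations_by = [google_binary_authorization_attestor.build.name]
  }
}
```

Two things to check in review of any policy written this way. First, require_attestations_by must be non-empty exactly when evaluation_mode is REQUIRE_ATTESTATION; an ALWAYS_DENY or ALWAYS_ALLOW rule with attestors listed fails to apply. Second, a dry-run rule is only safe as a per-cluster override: once DRYRUN_AUDIT_LOG_ONLY lands in default_admission_rule, every cluster without its own rule admits unattested images and the only trace is an audit log entry.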
Explanation in Terraform Registry
A policy for container image binary authorization. To get more information about Policy, see:
- API documentation
- How-to Guides
Frequently asked questions
What is Google Binary Authorization Policy?
Google Binary Authorization Policy is a resource for Binary Authorization of Google Cloud Platform. Its settings can be written in Terraform.
Where can I find the example code for the Google Binary Authorization Policy?
For Terraform, the rosmo/gke-commonground-haven, niveklabs/google and mathieu-benoit/mygkecluster source code examples are useful. See the Example Usage from GitHub section for further details.