1. Packages
  2. Google Cloud (GCP) Classic
  3. API Docs
  4. binaryauthorization
  5. Policy
Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

gcp.binaryauthorization.Policy

Explore with Pulumi AI

gcp logo
Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi

    A policy for container image binary authorization.

    To get more information about Policy, see:

    Example Usage

    Binary Authorization Policy Basic

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const note = new gcp.containeranalysis.Note("note", {
        name: "test-attestor-note",
        attestationAuthority: {
            hint: {
                humanReadableName: "My attestor",
            },
        },
    });
    const attestor = new gcp.binaryauthorization.Attestor("attestor", {
        name: "test-attestor",
        attestationAuthorityNote: {
            noteReference: note.name,
        },
    });
    const policy = new gcp.binaryauthorization.Policy("policy", {
        admissionWhitelistPatterns: [{
            namePattern: "gcr.io/google_containers/*",
        }],
        defaultAdmissionRule: {
            evaluationMode: "ALWAYS_ALLOW",
            enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG",
        },
        clusterAdmissionRules: [{
            cluster: "us-central1-a.prod-cluster",
            evaluationMode: "REQUIRE_ATTESTATION",
            enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG",
            requireAttestationsBies: [attestor.name],
        }],
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    note = gcp.containeranalysis.Note("note",
        name="test-attestor-note",
        attestation_authority={
            "hint": {
                "human_readable_name": "My attestor",
            },
        })
    attestor = gcp.binaryauthorization.Attestor("attestor",
        name="test-attestor",
        attestation_authority_note={
            "note_reference": note.name,
        })
    policy = gcp.binaryauthorization.Policy("policy",
        admission_whitelist_patterns=[{
            "name_pattern": "gcr.io/google_containers/*",
        }],
        default_admission_rule={
            "evaluation_mode": "ALWAYS_ALLOW",
            "enforcement_mode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        },
        cluster_admission_rules=[{
            "cluster": "us-central1-a.prod-cluster",
            "evaluation_mode": "REQUIRE_ATTESTATION",
            "enforcement_mode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
            "require_attestations_bies": [attestor.name],
        }])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/containeranalysis"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		note, err := containeranalysis.NewNote(ctx, "note", &containeranalysis.NoteArgs{
    			Name: pulumi.String("test-attestor-note"),
    			AttestationAuthority: &containeranalysis.NoteAttestationAuthorityArgs{
    				Hint: &containeranalysis.NoteAttestationAuthorityHintArgs{
    					HumanReadableName: pulumi.String("My attestor"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		attestor, err := binaryauthorization.NewAttestor(ctx, "attestor", &binaryauthorization.AttestorArgs{
    			Name: pulumi.String("test-attestor"),
    			AttestationAuthorityNote: &binaryauthorization.AttestorAttestationAuthorityNoteArgs{
    				NoteReference: note.Name,
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = binaryauthorization.NewPolicy(ctx, "policy", &binaryauthorization.PolicyArgs{
    			AdmissionWhitelistPatterns: binaryauthorization.PolicyAdmissionWhitelistPatternArray{
    				&binaryauthorization.PolicyAdmissionWhitelistPatternArgs{
    					NamePattern: pulumi.String("gcr.io/google_containers/*"),
    				},
    			},
    			DefaultAdmissionRule: &binaryauthorization.PolicyDefaultAdmissionRuleArgs{
    				EvaluationMode:  pulumi.String("ALWAYS_ALLOW"),
    				EnforcementMode: pulumi.String("ENFORCED_BLOCK_AND_AUDIT_LOG"),
    			},
    			ClusterAdmissionRules: binaryauthorization.PolicyClusterAdmissionRuleArray{
    				&binaryauthorization.PolicyClusterAdmissionRuleArgs{
    					Cluster:         pulumi.String("us-central1-a.prod-cluster"),
    					EvaluationMode:  pulumi.String("REQUIRE_ATTESTATION"),
    					EnforcementMode: pulumi.String("ENFORCED_BLOCK_AND_AUDIT_LOG"),
    					RequireAttestationsBies: pulumi.StringArray{
    						attestor.Name,
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var note = new Gcp.ContainerAnalysis.Note("note", new()
        {
            Name = "test-attestor-note",
            AttestationAuthority = new Gcp.ContainerAnalysis.Inputs.NoteAttestationAuthorityArgs
            {
                Hint = new Gcp.ContainerAnalysis.Inputs.NoteAttestationAuthorityHintArgs
                {
                    HumanReadableName = "My attestor",
                },
            },
        });
    
        var attestor = new Gcp.BinaryAuthorization.Attestor("attestor", new()
        {
            Name = "test-attestor",
            AttestationAuthorityNote = new Gcp.BinaryAuthorization.Inputs.AttestorAttestationAuthorityNoteArgs
            {
                NoteReference = note.Name,
            },
        });
    
        var policy = new Gcp.BinaryAuthorization.Policy("policy", new()
        {
            AdmissionWhitelistPatterns = new[]
            {
                new Gcp.BinaryAuthorization.Inputs.PolicyAdmissionWhitelistPatternArgs
                {
                    NamePattern = "gcr.io/google_containers/*",
                },
            },
            DefaultAdmissionRule = new Gcp.BinaryAuthorization.Inputs.PolicyDefaultAdmissionRuleArgs
            {
                EvaluationMode = "ALWAYS_ALLOW",
                EnforcementMode = "ENFORCED_BLOCK_AND_AUDIT_LOG",
            },
            ClusterAdmissionRules = new[]
            {
                new Gcp.BinaryAuthorization.Inputs.PolicyClusterAdmissionRuleArgs
                {
                    Cluster = "us-central1-a.prod-cluster",
                    EvaluationMode = "REQUIRE_ATTESTATION",
                    EnforcementMode = "ENFORCED_BLOCK_AND_AUDIT_LOG",
                    RequireAttestationsBies = new[]
                    {
                        attestor.Name,
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.containeranalysis.Note;
    import com.pulumi.gcp.containeranalysis.NoteArgs;
    import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityArgs;
    import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityHintArgs;
    import com.pulumi.gcp.binaryauthorization.Attestor;
    import com.pulumi.gcp.binaryauthorization.AttestorArgs;
    import com.pulumi.gcp.binaryauthorization.inputs.AttestorAttestationAuthorityNoteArgs;
    import com.pulumi.gcp.binaryauthorization.Policy;
    import com.pulumi.gcp.binaryauthorization.PolicyArgs;
    import com.pulumi.gcp.binaryauthorization.inputs.PolicyAdmissionWhitelistPatternArgs;
    import com.pulumi.gcp.binaryauthorization.inputs.PolicyDefaultAdmissionRuleArgs;
    import com.pulumi.gcp.binaryauthorization.inputs.PolicyClusterAdmissionRuleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var note = new Note("note", NoteArgs.builder()
                .name("test-attestor-note")
                .attestationAuthority(NoteAttestationAuthorityArgs.builder()
                    .hint(NoteAttestationAuthorityHintArgs.builder()
                        .humanReadableName("My attestor")
                        .build())
                    .build())
                .build());
    
            var attestor = new Attestor("attestor", AttestorArgs.builder()
                .name("test-attestor")
                .attestationAuthorityNote(AttestorAttestationAuthorityNoteArgs.builder()
                    .noteReference(note.name())
                    .build())
                .build());
    
            var policy = new Policy("policy", PolicyArgs.builder()
                .admissionWhitelistPatterns(PolicyAdmissionWhitelistPatternArgs.builder()
                    .namePattern("gcr.io/google_containers/*")
                    .build())
                .defaultAdmissionRule(PolicyDefaultAdmissionRuleArgs.builder()
                    .evaluationMode("ALWAYS_ALLOW")
                    .enforcementMode("ENFORCED_BLOCK_AND_AUDIT_LOG")
                    .build())
                .clusterAdmissionRules(PolicyClusterAdmissionRuleArgs.builder()
                    .cluster("us-central1-a.prod-cluster")
                    .evaluationMode("REQUIRE_ATTESTATION")
                    .enforcementMode("ENFORCED_BLOCK_AND_AUDIT_LOG")
                    .requireAttestationsBies(attestor.name())
                    .build())
                .build());
    
        }
    }
    
    resources:
      policy:
        type: gcp:binaryauthorization:Policy
        properties:
          admissionWhitelistPatterns:
            - namePattern: gcr.io/google_containers/*
          defaultAdmissionRule:
            evaluationMode: ALWAYS_ALLOW
            enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
          clusterAdmissionRules:
            - cluster: us-central1-a.prod-cluster
              evaluationMode: REQUIRE_ATTESTATION
              enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
              requireAttestationsBies:
                - ${attestor.name}
      note:
        type: gcp:containeranalysis:Note
        properties:
          name: test-attestor-note
          attestationAuthority:
            hint:
              humanReadableName: My attestor
      attestor:
        type: gcp:binaryauthorization:Attestor
        properties:
          name: test-attestor
          attestationAuthorityNote:
            noteReference: ${note.name}
    

    Binary Authorization Policy Global Evaluation

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
    const note = new gcp.containeranalysis.Note("note", {
        name: "test-attestor-note",
        attestationAuthority: {
            hint: {
                humanReadableName: "My attestor",
            },
        },
    });
    const attestor = new gcp.binaryauthorization.Attestor("attestor", {
        name: "test-attestor",
        attestationAuthorityNote: {
            noteReference: note.name,
        },
    });
    const policy = new gcp.binaryauthorization.Policy("policy", {
        defaultAdmissionRule: {
            evaluationMode: "REQUIRE_ATTESTATION",
            enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG",
            requireAttestationsBies: [attestor.name],
        },
        globalPolicyEvaluationMode: "ENABLE",
    });
    
    import pulumi
    import pulumi_gcp as gcp
    
    note = gcp.containeranalysis.Note("note",
        name="test-attestor-note",
        attestation_authority={
            "hint": {
                "human_readable_name": "My attestor",
            },
        })
    attestor = gcp.binaryauthorization.Attestor("attestor",
        name="test-attestor",
        attestation_authority_note={
            "note_reference": note.name,
        })
    policy = gcp.binaryauthorization.Policy("policy",
        default_admission_rule={
            "evaluation_mode": "REQUIRE_ATTESTATION",
            "enforcement_mode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
            "require_attestations_bies": [attestor.name],
        },
        global_policy_evaluation_mode="ENABLE")
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
    	"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/containeranalysis"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		note, err := containeranalysis.NewNote(ctx, "note", &containeranalysis.NoteArgs{
    			Name: pulumi.String("test-attestor-note"),
    			AttestationAuthority: &containeranalysis.NoteAttestationAuthorityArgs{
    				Hint: &containeranalysis.NoteAttestationAuthorityHintArgs{
    					HumanReadableName: pulumi.String("My attestor"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		attestor, err := binaryauthorization.NewAttestor(ctx, "attestor", &binaryauthorization.AttestorArgs{
    			Name: pulumi.String("test-attestor"),
    			AttestationAuthorityNote: &binaryauthorization.AttestorAttestationAuthorityNoteArgs{
    				NoteReference: note.Name,
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = binaryauthorization.NewPolicy(ctx, "policy", &binaryauthorization.PolicyArgs{
    			DefaultAdmissionRule: &binaryauthorization.PolicyDefaultAdmissionRuleArgs{
    				EvaluationMode:  pulumi.String("REQUIRE_ATTESTATION"),
    				EnforcementMode: pulumi.String("ENFORCED_BLOCK_AND_AUDIT_LOG"),
    				RequireAttestationsBies: pulumi.StringArray{
    					attestor.Name,
    				},
    			},
    			GlobalPolicyEvaluationMode: pulumi.String("ENABLE"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;
    
    return await Deployment.RunAsync(() => 
    {
        var note = new Gcp.ContainerAnalysis.Note("note", new()
        {
            Name = "test-attestor-note",
            AttestationAuthority = new Gcp.ContainerAnalysis.Inputs.NoteAttestationAuthorityArgs
            {
                Hint = new Gcp.ContainerAnalysis.Inputs.NoteAttestationAuthorityHintArgs
                {
                    HumanReadableName = "My attestor",
                },
            },
        });
    
        var attestor = new Gcp.BinaryAuthorization.Attestor("attestor", new()
        {
            Name = "test-attestor",
            AttestationAuthorityNote = new Gcp.BinaryAuthorization.Inputs.AttestorAttestationAuthorityNoteArgs
            {
                NoteReference = note.Name,
            },
        });
    
        var policy = new Gcp.BinaryAuthorization.Policy("policy", new()
        {
            DefaultAdmissionRule = new Gcp.BinaryAuthorization.Inputs.PolicyDefaultAdmissionRuleArgs
            {
                EvaluationMode = "REQUIRE_ATTESTATION",
                EnforcementMode = "ENFORCED_BLOCK_AND_AUDIT_LOG",
                RequireAttestationsBies = new[]
                {
                    attestor.Name,
                },
            },
            GlobalPolicyEvaluationMode = "ENABLE",
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.containeranalysis.Note;
    import com.pulumi.gcp.containeranalysis.NoteArgs;
    import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityArgs;
    import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityHintArgs;
    import com.pulumi.gcp.binaryauthorization.Attestor;
    import com.pulumi.gcp.binaryauthorization.AttestorArgs;
    import com.pulumi.gcp.binaryauthorization.inputs.AttestorAttestationAuthorityNoteArgs;
    import com.pulumi.gcp.binaryauthorization.Policy;
    import com.pulumi.gcp.binaryauthorization.PolicyArgs;
    import com.pulumi.gcp.binaryauthorization.inputs.PolicyDefaultAdmissionRuleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var note = new Note("note", NoteArgs.builder()
                .name("test-attestor-note")
                .attestationAuthority(NoteAttestationAuthorityArgs.builder()
                    .hint(NoteAttestationAuthorityHintArgs.builder()
                        .humanReadableName("My attestor")
                        .build())
                    .build())
                .build());
    
            var attestor = new Attestor("attestor", AttestorArgs.builder()
                .name("test-attestor")
                .attestationAuthorityNote(AttestorAttestationAuthorityNoteArgs.builder()
                    .noteReference(note.name())
                    .build())
                .build());
    
            var policy = new Policy("policy", PolicyArgs.builder()
                .defaultAdmissionRule(PolicyDefaultAdmissionRuleArgs.builder()
                    .evaluationMode("REQUIRE_ATTESTATION")
                    .enforcementMode("ENFORCED_BLOCK_AND_AUDIT_LOG")
                    .requireAttestationsBies(attestor.name())
                    .build())
                .globalPolicyEvaluationMode("ENABLE")
                .build());
    
        }
    }
    
    resources:
      policy:
        type: gcp:binaryauthorization:Policy
        properties:
          defaultAdmissionRule:
            evaluationMode: REQUIRE_ATTESTATION
            enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
            requireAttestationsBies:
              - ${attestor.name}
          globalPolicyEvaluationMode: ENABLE
      note:
        type: gcp:containeranalysis:Note
        properties:
          name: test-attestor-note
          attestationAuthority:
            hint:
              humanReadableName: My attestor
      attestor:
        type: gcp:binaryauthorization:Attestor
        properties:
          name: test-attestor
          attestationAuthorityNote:
            noteReference: ${note.name}
    

    Create Policy Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Policy(name: string, args: PolicyArgs, opts?: CustomResourceOptions);
    @overload
    def Policy(resource_name: str,
               args: PolicyArgs,
               opts: Optional[ResourceOptions] = None)
    
    @overload
    def Policy(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               default_admission_rule: Optional[PolicyDefaultAdmissionRuleArgs] = None,
               admission_whitelist_patterns: Optional[Sequence[PolicyAdmissionWhitelistPatternArgs]] = None,
               cluster_admission_rules: Optional[Sequence[PolicyClusterAdmissionRuleArgs]] = None,
               description: Optional[str] = None,
               global_policy_evaluation_mode: Optional[str] = None,
               project: Optional[str] = None)
    func NewPolicy(ctx *Context, name string, args PolicyArgs, opts ...ResourceOption) (*Policy, error)
    public Policy(string name, PolicyArgs args, CustomResourceOptions? opts = null)
    public Policy(String name, PolicyArgs args)
    public Policy(String name, PolicyArgs args, CustomResourceOptions options)
    
    type: gcp:binaryauthorization:Policy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var policyResource = new Gcp.BinaryAuthorization.Policy("policyResource", new()
    {
        DefaultAdmissionRule = new Gcp.BinaryAuthorization.Inputs.PolicyDefaultAdmissionRuleArgs
        {
            EnforcementMode = "string",
            EvaluationMode = "string",
            RequireAttestationsBies = new[]
            {
                "string",
            },
        },
        AdmissionWhitelistPatterns = new[]
        {
            new Gcp.BinaryAuthorization.Inputs.PolicyAdmissionWhitelistPatternArgs
            {
                NamePattern = "string",
            },
        },
        ClusterAdmissionRules = new[]
        {
            new Gcp.BinaryAuthorization.Inputs.PolicyClusterAdmissionRuleArgs
            {
                Cluster = "string",
                EnforcementMode = "string",
                EvaluationMode = "string",
                RequireAttestationsBies = new[]
                {
                    "string",
                },
            },
        },
        Description = "string",
        GlobalPolicyEvaluationMode = "string",
        Project = "string",
    });
    
    example, err := binaryauthorization.NewPolicy(ctx, "policyResource", &binaryauthorization.PolicyArgs{
    	DefaultAdmissionRule: &binaryauthorization.PolicyDefaultAdmissionRuleArgs{
    		EnforcementMode: pulumi.String("string"),
    		EvaluationMode:  pulumi.String("string"),
    		RequireAttestationsBies: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    	},
    	AdmissionWhitelistPatterns: binaryauthorization.PolicyAdmissionWhitelistPatternArray{
    		&binaryauthorization.PolicyAdmissionWhitelistPatternArgs{
    			NamePattern: pulumi.String("string"),
    		},
    	},
    	ClusterAdmissionRules: binaryauthorization.PolicyClusterAdmissionRuleArray{
    		&binaryauthorization.PolicyClusterAdmissionRuleArgs{
    			Cluster:         pulumi.String("string"),
    			EnforcementMode: pulumi.String("string"),
    			EvaluationMode:  pulumi.String("string"),
    			RequireAttestationsBies: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    	},
    	Description:                pulumi.String("string"),
    	GlobalPolicyEvaluationMode: pulumi.String("string"),
    	Project:                    pulumi.String("string"),
    })
    
    var policyResource = new Policy("policyResource", PolicyArgs.builder()
        .defaultAdmissionRule(PolicyDefaultAdmissionRuleArgs.builder()
            .enforcementMode("string")
            .evaluationMode("string")
            .requireAttestationsBies("string")
            .build())
        .admissionWhitelistPatterns(PolicyAdmissionWhitelistPatternArgs.builder()
            .namePattern("string")
            .build())
        .clusterAdmissionRules(PolicyClusterAdmissionRuleArgs.builder()
            .cluster("string")
            .enforcementMode("string")
            .evaluationMode("string")
            .requireAttestationsBies("string")
            .build())
        .description("string")
        .globalPolicyEvaluationMode("string")
        .project("string")
        .build());
    
    policy_resource = gcp.binaryauthorization.Policy("policyResource",
        default_admission_rule={
            "enforcement_mode": "string",
            "evaluation_mode": "string",
            "require_attestations_bies": ["string"],
        },
        admission_whitelist_patterns=[{
            "name_pattern": "string",
        }],
        cluster_admission_rules=[{
            "cluster": "string",
            "enforcement_mode": "string",
            "evaluation_mode": "string",
            "require_attestations_bies": ["string"],
        }],
        description="string",
        global_policy_evaluation_mode="string",
        project="string")
    
    const policyResource = new gcp.binaryauthorization.Policy("policyResource", {
        defaultAdmissionRule: {
            enforcementMode: "string",
            evaluationMode: "string",
            requireAttestationsBies: ["string"],
        },
        admissionWhitelistPatterns: [{
            namePattern: "string",
        }],
        clusterAdmissionRules: [{
            cluster: "string",
            enforcementMode: "string",
            evaluationMode: "string",
            requireAttestationsBies: ["string"],
        }],
        description: "string",
        globalPolicyEvaluationMode: "string",
        project: "string",
    });
    
    type: gcp:binaryauthorization:Policy
    properties:
        admissionWhitelistPatterns:
            - namePattern: string
        clusterAdmissionRules:
            - cluster: string
              enforcementMode: string
              evaluationMode: string
              requireAttestationsBies:
                - string
        defaultAdmissionRule:
            enforcementMode: string
            evaluationMode: string
            requireAttestationsBies:
                - string
        description: string
        globalPolicyEvaluationMode: string
        project: string
    

    Policy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The Policy resource accepts the following input properties:

    DefaultAdmissionRule PolicyDefaultAdmissionRule
    Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
    AdmissionWhitelistPatterns List<PolicyAdmissionWhitelistPattern>
    A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
    ClusterAdmissionRules List<PolicyClusterAdmissionRule>
    Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
    Description string
    A descriptive comment.
    GlobalPolicyEvaluationMode string
    Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
    Project string
    DefaultAdmissionRule PolicyDefaultAdmissionRuleArgs
    Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
    AdmissionWhitelistPatterns []PolicyAdmissionWhitelistPatternArgs
    A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
    ClusterAdmissionRules []PolicyClusterAdmissionRuleArgs
    Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
    Description string
    A descriptive comment.
    GlobalPolicyEvaluationMode string
    Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
    Project string
    defaultAdmissionRule PolicyDefaultAdmissionRule
    Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
    admissionWhitelistPatterns List<PolicyAdmissionWhitelistPattern>
    A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
    clusterAdmissionRules List<PolicyClusterAdmissionRule>
    Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
    description String
    A descriptive comment.
    globalPolicyEvaluationMode String
    Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
    project String
    defaultAdmissionRule PolicyDefaultAdmissionRule
    Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
    admissionWhitelistPatterns PolicyAdmissionWhitelistPattern[]
    A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
    clusterAdmissionRules PolicyClusterAdmissionRule[]
    Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
    description string
    A descriptive comment.
    globalPolicyEvaluationMode string
    Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
    project string
    default_admission_rule PolicyDefaultAdmissionRuleArgs
    Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
    admission_whitelist_patterns Sequence[PolicyAdmissionWhitelistPatternArgs]
    A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
    cluster_admission_rules Sequence[PolicyClusterAdmissionRuleArgs]
    Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
    description str
    A descriptive comment.
    global_policy_evaluation_mode str
    Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
    project str
    defaultAdmissionRule Property Map
    Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
    admissionWhitelistPatterns List<Property Map>
    A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
    clusterAdmissionRules List<Property Map>
    Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
    description String
    A descriptive comment.
    globalPolicyEvaluationMode String
    Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
    project String

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Policy resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing Policy Resource

    Get an existing Policy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: PolicyState, opts?: CustomResourceOptions): Policy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            admission_whitelist_patterns: Optional[Sequence[PolicyAdmissionWhitelistPatternArgs]] = None,
            cluster_admission_rules: Optional[Sequence[PolicyClusterAdmissionRuleArgs]] = None,
            default_admission_rule: Optional[PolicyDefaultAdmissionRuleArgs] = None,
            description: Optional[str] = None,
            global_policy_evaluation_mode: Optional[str] = None,
            project: Optional[str] = None) -> Policy
    func GetPolicy(ctx *Context, name string, id IDInput, state *PolicyState, opts ...ResourceOption) (*Policy, error)
    public static Policy Get(string name, Input<string> id, PolicyState? state, CustomResourceOptions? opts = null)
    public static Policy get(String name, Output<String> id, PolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AdmissionWhitelistPatterns List<PolicyAdmissionWhitelistPattern>
    A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
    ClusterAdmissionRules List<PolicyClusterAdmissionRule>
    Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
    DefaultAdmissionRule PolicyDefaultAdmissionRule
    Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
    Description string
    A descriptive comment.
    GlobalPolicyEvaluationMode string
    Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
    Project string
    AdmissionWhitelistPatterns []PolicyAdmissionWhitelistPatternArgs
    A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
    ClusterAdmissionRules []PolicyClusterAdmissionRuleArgs
    Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
    DefaultAdmissionRule PolicyDefaultAdmissionRuleArgs
    Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
    Description string
    A descriptive comment.
    GlobalPolicyEvaluationMode string
    Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
    Project string
    admissionWhitelistPatterns List<PolicyAdmissionWhitelistPattern>
    A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
    clusterAdmissionRules List<PolicyClusterAdmissionRule>
    Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
    defaultAdmissionRule PolicyDefaultAdmissionRule
    Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
    description String
    A descriptive comment.
    globalPolicyEvaluationMode String
    Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
    project String
    admissionWhitelistPatterns PolicyAdmissionWhitelistPattern[]
    A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
    clusterAdmissionRules PolicyClusterAdmissionRule[]
    Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
    defaultAdmissionRule PolicyDefaultAdmissionRule
    Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
    description string
    A descriptive comment.
    globalPolicyEvaluationMode string
    Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
    project string
    admission_whitelist_patterns Sequence[PolicyAdmissionWhitelistPatternArgs]
    A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
    cluster_admission_rules Sequence[PolicyClusterAdmissionRuleArgs]
    Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
    default_admission_rule PolicyDefaultAdmissionRuleArgs
    Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
    description str
    A descriptive comment.
    global_policy_evaluation_mode str
    Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
    project str
    admissionWhitelistPatterns List<Property Map>
    A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
    clusterAdmissionRules List<Property Map>
    Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
    defaultAdmissionRule Property Map
    Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
    description String
    A descriptive comment.
    globalPolicyEvaluationMode String
    Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
    project String

    Supporting Types

    PolicyAdmissionWhitelistPattern, PolicyAdmissionWhitelistPatternArgs

    NamePattern string
    An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.
    NamePattern string
    An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.
    namePattern String
    An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.
    namePattern string
    An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.
    name_pattern str
    An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.
    namePattern String
    An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

    PolicyClusterAdmissionRule, PolicyClusterAdmissionRuleArgs

    Cluster string
    The identifier for this object. Format specified above.
    EnforcementMode string
    The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
    EvaluationMode string
    How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
    RequireAttestationsBies List<string>
    The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
    Cluster string
    The identifier for this object. Format specified above.
    EnforcementMode string
    The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
    EvaluationMode string
    How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
    RequireAttestationsBies []string
    The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
    cluster String
    The identifier for this object. Format specified above.
    enforcementMode String
    The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
    evaluationMode String
    How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
    requireAttestationsBies List<String>
    The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
    cluster string
    The identifier for this object. Format specified above.
    enforcementMode string
    The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
    evaluationMode string
    How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
    requireAttestationsBies string[]
    The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
    cluster str
    The identifier for this object. Format specified above.
    enforcement_mode str
    The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
    evaluation_mode str
    How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
    require_attestations_bies Sequence[str]
    The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
    cluster String
    The identifier for this object. Format specified above.
    enforcementMode String
    The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
    evaluationMode String
    How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
    requireAttestationsBies List<String>
    The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

    PolicyDefaultAdmissionRule, PolicyDefaultAdmissionRuleArgs

    EnforcementMode string
    The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.


    EvaluationMode string
    How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
    RequireAttestationsBies List<string>
    The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
    EnforcementMode string
    The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.


    EvaluationMode string
    How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
    RequireAttestationsBies []string
    The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
    enforcementMode String
    The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.


    evaluationMode String
    How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
    requireAttestationsBies List<String>
    The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
    enforcementMode string
    The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.


    evaluationMode string
    How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
    requireAttestationsBies string[]
    The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
    enforcement_mode str
    The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.


    evaluation_mode str
    How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
    require_attestations_bies Sequence[str]
    The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
    enforcementMode String
    The action when a pod creation is denied by the admission rule. Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.


    evaluationMode String
    How this admission rule will be evaluated. Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
    requireAttestationsBies List<String>
    The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

    Import

    Policy can be imported using any of these accepted formats:

    • projects/{{project}}

    • {{project}}

    When using the pulumi import command, Policy can be imported using one of the formats above. For example:

    $ pulumi import gcp:binaryauthorization/policy:Policy default projects/{{project}}
    
    $ pulumi import gcp:binaryauthorization/policy:Policy default {{project}}
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Google Cloud (GCP) Classic pulumi/pulumi-gcp
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the google-beta Terraform Provider.
    gcp logo
    Google Cloud Classic v8.9.3 published on Monday, Nov 18, 2024 by Pulumi