Module binaryauthorization

This page documents the language specification for the gcp package. If you're looking for help working with the inputs, outputs, or functions of gcp resources in a Pulumi program, please see the resource documentation for examples and API reference.

Resources

Resource Attestor

class Attestor extends CustomResource

An attestor that attests to container image artifacts.

To get more information about Attestor, see:

Example Usage - Binary Authorization Attestor Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Property names are camelCase in the TypeScript SDK (attestationAuthority,
// attestationAuthorityNote, publicKeys), matching the properties documented below.
const note = new gcp.containeranalysis.Note("note", {attestationAuthority: {
    hint: {
        humanReadableName: "Attestor Note",
    },
}});
const attestor = new gcp.binaryauthorization.Attestor("attestor", {attestationAuthorityNote: {
    noteReference: note.name,
    // Only the public half of the signing key goes here; it is what Binary
    // Authorization uses to verify attestations made against this note.
    publicKeys: [{
        asciiArmoredPgpPublicKey: `mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl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=6Bvm
`,
    }],
}});

constructor

new Attestor(name: string, args: AttestorArgs, opts?: pulumi.CustomResourceOptions)

Create an Attestor resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AttestorState, opts?: pulumi.CustomResourceOptions): Attestor

Get an existing Attestor resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Attestor

Returns true if the given object is an instance of Attestor. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property attestationAuthorityNote

public attestationAuthorityNote: pulumi.Output<AttestorAttestationAuthorityNote>;

A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.

property description

public description: pulumi.Output<string | undefined>;

A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The resource name.

property project

public project: pulumi.Output<string>;

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource AttestorIamBinding

class AttestorIamBinding extends CustomResource

Three different resources help you manage your IAM policy for Binary Authorization Attestor. Each of these resources serves a different use case:

  • gcp.binaryauthorization.AttestorIamPolicy: Authoritative. Sets the IAM policy for the attestor and replaces any existing policy already attached.
  • gcp.binaryauthorization.AttestorIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the attestor are preserved.
  • gcp.binaryauthorization.AttestorIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the attestor are preserved.

Note: gcp.binaryauthorization.AttestorIamPolicy cannot be used in conjunction with gcp.binaryauthorization.AttestorIamBinding and gcp.binaryauthorization.AttestorIamMember or they will fight over what your policy should be.

Note: gcp.binaryauthorization.AttestorIamBinding resources can be used in conjunction with gcp.binaryauthorization.AttestorIamMember resources only if they do not grant privilege to the same role.

Example Usage - AttestorIamPolicy

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// The attestor is a gcp.binaryauthorization.Attestor created elsewhere in the program.
declare const attestor: gcp.binaryauthorization.Attestor;

const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        role: "roles/viewer",
        members: ["user:jane@example.com"],
    }],
});
// Authoritative: this replaces the attestor's entire IAM policy with the bindings above.
const policy = new gcp.binaryauthorization.AttestorIamPolicy("policy", {
    project: attestor.project,
    attestor: attestor.name,
    policyData: admin.then(admin => admin.policyData),
});

Example Usage - AttestorIamBinding

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// The attestor is a gcp.binaryauthorization.Attestor created elsewhere in the program.
declare const attestor: gcp.binaryauthorization.Attestor;

// Authoritative for roles/viewer only: the member list for that role is replaced,
// other roles in the attestor's policy are left alone.
const binding = new gcp.binaryauthorization.AttestorIamBinding("binding", {
    project: attestor.project,
    attestor: attestor.name,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});

Example Usage - AttestorIamMember

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// The attestor is a gcp.binaryauthorization.Attestor created elsewhere in the program.
declare const attestor: gcp.binaryauthorization.Attestor;

// Non-authoritative: adds one member to roles/viewer and keeps existing members.
const member = new gcp.binaryauthorization.AttestorIamMember("member", {
    project: attestor.project,
    attestor: attestor.name,
    role: "roles/viewer",
    member: "user:jane@example.com",
});

constructor

new AttestorIamBinding(name: string, args: AttestorIamBindingArgs, opts?: pulumi.CustomResourceOptions)

Create an AttestorIamBinding resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AttestorIamBindingState, opts?: pulumi.CustomResourceOptions): AttestorIamBinding

Get an existing AttestorIamBinding resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AttestorIamBinding

Returns true if the given object is an instance of AttestorIamBinding. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property attestor

public attestor: pulumi.Output<string>;

Used to find the parent resource to bind the IAM policy to

property condition

public condition: pulumi.Output<AttestorIamBindingCondition | undefined>;

An IAM Condition attached to this binding (a title, an optional description, and a CEL expression); the role is granted only while the expression evaluates to true.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property members

public members: pulumi.Output<string[]>;

The identities granted the role, each in IAM member format, for example user:jane@example.com, serviceAccount:{email}, or group:{email}.

property project

public project: pulumi.Output<string>;

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

property role

public role: pulumi.Output<string>;

The role that should be applied. Only one gcp.binaryauthorization.AttestorIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource AttestorIamMember

class AttestorIamMember extends CustomResource

Three different resources help you manage your IAM policy for Binary Authorization Attestor. Each of these resources serves a different use case:

  • gcp.binaryauthorization.AttestorIamPolicy: Authoritative. Sets the IAM policy for the attestor and replaces any existing policy already attached.
  • gcp.binaryauthorization.AttestorIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the attestor are preserved.
  • gcp.binaryauthorization.AttestorIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the attestor are preserved.

Note: gcp.binaryauthorization.AttestorIamPolicy cannot be used in conjunction with gcp.binaryauthorization.AttestorIamBinding and gcp.binaryauthorization.AttestorIamMember or they will fight over what your policy should be.

Note: gcp.binaryauthorization.AttestorIamBinding resources can be used in conjunction with gcp.binaryauthorization.AttestorIamMember resources only if they do not grant privilege to the same role.

Example Usage - AttestorIamPolicy

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// The attestor is a gcp.binaryauthorization.Attestor created elsewhere in the program.
declare const attestor: gcp.binaryauthorization.Attestor;

const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        role: "roles/viewer",
        members: ["user:jane@example.com"],
    }],
});
// Authoritative: this replaces the attestor's entire IAM policy with the bindings above.
const policy = new gcp.binaryauthorization.AttestorIamPolicy("policy", {
    project: attestor.project,
    attestor: attestor.name,
    policyData: admin.then(admin => admin.policyData),
});

Example Usage - AttestorIamBinding

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// The attestor is a gcp.binaryauthorization.Attestor created elsewhere in the program.
declare const attestor: gcp.binaryauthorization.Attestor;

// Authoritative for roles/viewer only: the member list for that role is replaced,
// other roles in the attestor's policy are left alone.
const binding = new gcp.binaryauthorization.AttestorIamBinding("binding", {
    project: attestor.project,
    attestor: attestor.name,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});

Example Usage - AttestorIamMember

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// The attestor is a gcp.binaryauthorization.Attestor created elsewhere in the program.
declare const attestor: gcp.binaryauthorization.Attestor;

// Non-authoritative: adds one member to roles/viewer and keeps existing members.
const member = new gcp.binaryauthorization.AttestorIamMember("member", {
    project: attestor.project,
    attestor: attestor.name,
    role: "roles/viewer",
    member: "user:jane@example.com",
});

constructor

new AttestorIamMember(name: string, args: AttestorIamMemberArgs, opts?: pulumi.CustomResourceOptions)

Create an AttestorIamMember resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AttestorIamMemberState, opts?: pulumi.CustomResourceOptions): AttestorIamMember

Get an existing AttestorIamMember resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AttestorIamMember

Returns true if the given object is an instance of AttestorIamMember. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property attestor

public attestor: pulumi.Output<string>;

Used to find the parent resource to bind the IAM policy to

property condition

public condition: pulumi.Output<AttestorIamMemberCondition | undefined>;

An IAM Condition attached to this grant (a title, an optional description, and a CEL expression); the role is granted only while the expression evaluates to true.

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property member

public member: pulumi.Output<string>;

The identity granted the role, in IAM member format, for example user:jane@example.com, serviceAccount:{email}, or group:{email}.

property project

public project: pulumi.Output<string>;

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

property role

public role: pulumi.Output<string>;

The role that should be applied. Only one gcp.binaryauthorization.AttestorIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource AttestorIamPolicy

class AttestorIamPolicy extends CustomResource

Three different resources help you manage your IAM policy for Binary Authorization Attestor. Each of these resources serves a different use case:

  • gcp.binaryauthorization.AttestorIamPolicy: Authoritative. Sets the IAM policy for the attestor and replaces any existing policy already attached.
  • gcp.binaryauthorization.AttestorIamBinding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the attestor are preserved.
  • gcp.binaryauthorization.AttestorIamMember: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the attestor are preserved.

Note: gcp.binaryauthorization.AttestorIamPolicy cannot be used in conjunction with gcp.binaryauthorization.AttestorIamBinding and gcp.binaryauthorization.AttestorIamMember or they will fight over what your policy should be.

Note: gcp.binaryauthorization.AttestorIamBinding resources can be used in conjunction with gcp.binaryauthorization.AttestorIamMember resources only if they do not grant privilege to the same role.

Example Usage - AttestorIamPolicy

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// The attestor is a gcp.binaryauthorization.Attestor created elsewhere in the program.
declare const attestor: gcp.binaryauthorization.Attestor;

const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        role: "roles/viewer",
        members: ["user:jane@example.com"],
    }],
});
// Authoritative: this replaces the attestor's entire IAM policy with the bindings above.
const policy = new gcp.binaryauthorization.AttestorIamPolicy("policy", {
    project: attestor.project,
    attestor: attestor.name,
    policyData: admin.then(admin => admin.policyData),
});

Example Usage - AttestorIamBinding

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// The attestor is a gcp.binaryauthorization.Attestor created elsewhere in the program.
declare const attestor: gcp.binaryauthorization.Attestor;

// Authoritative for roles/viewer only: the member list for that role is replaced,
// other roles in the attestor's policy are left alone.
const binding = new gcp.binaryauthorization.AttestorIamBinding("binding", {
    project: attestor.project,
    attestor: attestor.name,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});

Example Usage - AttestorIamMember

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// The attestor is a gcp.binaryauthorization.Attestor created elsewhere in the program.
declare const attestor: gcp.binaryauthorization.Attestor;

// Non-authoritative: adds one member to roles/viewer and keeps existing members.
const member = new gcp.binaryauthorization.AttestorIamMember("member", {
    project: attestor.project,
    attestor: attestor.name,
    role: "roles/viewer",
    member: "user:jane@example.com",
});
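The three IAM resources (AttestorIamPolicy, AttestorIamBinding, AttestorIamMember) differ only in how much of the attached policy they own, and the two notes above describe which combinations fight. The following is an added example, not code from the Pulumi GCP SDK: a plain TypeScript model of what each resource does to an attestor's IAM policy on the next update, plus a lint that flags the conflicting combinations in a list of declarations before they are deployed. The type and function names are illustrative and not part of the SDK.

```typescript
// Added example (not code from the Pulumi GCP SDK): a model of what each of the
// three attestor IAM resources does to an attestor's IAM policy, and a check for
// the combinations the notes above say will fight over the policy.
// Type and function names are illustrative.

export interface Binding { role: string; members: string[]; }
export interface IamPolicy { bindings: Binding[]; }

// What a Pulumi program declares for one attestor; mirrors the resources' arguments.
export type IamDeclaration =
  | { kind: "AttestorIamPolicy"; bindings: Binding[] }
  | { kind: "AttestorIamBinding"; role: string; members: string[] }
  | { kind: "AttestorIamMember"; role: string; member: string };

function copyBindings(bindings: Binding[]): Binding[] {
  return bindings.map(b => ({ role: b.role, members: b.members.slice() }));
}

// Apply one declaration to the policy currently attached to the attestor.
export function applyDeclaration(current: IamPolicy, decl: IamDeclaration): IamPolicy {
  switch (decl.kind) {
    case "AttestorIamPolicy":
      // Authoritative: the attached policy is replaced wholesale. Any role or
      // member not listed here is removed, including grants made out of band.
      return { bindings: copyBindings(decl.bindings) };
    case "AttestorIamBinding": {
      // Authoritative for one role: that role's member list is replaced;
      // bindings for other roles are preserved untouched.
      const others = current.bindings.filter(b => b.role !== decl.role);
      return { bindings: copyBindings(others).concat([{ role: decl.role, members: decl.members.slice() }]) };
    }
    case "AttestorIamMember": {
      // Non-authoritative: one member is added to the role; existing members stay.
      const bindings = copyBindings(current.bindings);
      const existing = bindings.filter(b => b.role === decl.role)[0];
      if (!existing) bindings.push({ role: decl.role, members: [decl.member] });
      else if (existing.members.indexOf(decl.member) < 0) existing.members.push(decl.member);
      return { bindings };
    }
    default:
      throw new Error("unknown declaration kind");
  }
}

export function membersOf(policy: IamPolicy, role: string): string[] {
  const b = policy.bindings.filter(x => x.role === role)[0];
  return b ? b.members.slice().sort() : [];
}

// Lint a program's declarations for one attestor against the two notes above:
// an AttestorIamPolicy must stand alone, and a Binding and a Member must not
// grant the same role (the Binding would keep deleting the Member's grant).
export function findConflicts(decls: IamDeclaration[]): string[] {
  const problems: string[] = [];
  const hasPolicy = decls.some(d => d.kind === "AttestorIamPolicy");
  if (hasPolicy && decls.length > 1) {
    problems.push("AttestorIamPolicy is combined with AttestorIamBinding/AttestorIamMember resources");
  }
  const bindingRoles: string[] = [];
  const memberRoles: string[] = [];
  for (const d of decls) {
    if (d.kind === "AttestorIamBinding") {
      if (bindingRoles.indexOf(d.role) >= 0) problems.push("more than one AttestorIamBinding for role " + d.role);
      bindingRoles.push(d.role);
    } else if (d.kind === "AttestorIamMember" && memberRoles.indexOf(d.role) < 0) {
      memberRoles.push(d.role);
    }
  }
  for (const role of memberRoles) {
    if (bindingRoles.indexOf(role) >= 0) {
      problems.push("AttestorIamBinding and AttestorIamMember both grant role " + role);
    }
  }
  return problems;
}
```

The point to take from running it: a Binding for roles/viewer with members ["user:jane@example.com"] removes anyone else who holds that role on the attestor, and a Policy removes every role it does not list, so a grant that was made by hand or by another program disappears on the next deployment. Run findConflicts over the declarations for each attestor in CI so the fighting combinations are caught before deploy.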

constructor

new AttestorIamPolicy(name: string, args: AttestorIamPolicyArgs, opts?: pulumi.CustomResourceOptions)

Create an AttestorIamPolicy resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AttestorIamPolicyState, opts?: pulumi.CustomResourceOptions): AttestorIamPolicy

Get an existing AttestorIamPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is AttestorIamPolicy

Returns true if the given object is an instance of AttestorIamPolicy. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property attestor

public attestor: pulumi.Output<string>;

Used to find the parent resource to bind the IAM policy to

property etag

public etag: pulumi.Output<string>;

(Computed) The etag of the IAM policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property policyData

public policyData: pulumi.Output<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

property project

public project: pulumi.Output<string>;

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource Policy

class Policy extends CustomResource

A policy for container image binary authorization.

To get more information about Policy, see:

Example Usage - Binary Authorization Policy Basic

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Property names are camelCase in the TypeScript SDK, matching the properties documented below.
const note = new gcp.containeranalysis.Note("note", {attestationAuthority: {
    hint: {
        humanReadableName: "My attestor",
    },
}});
// An attestor with no publicKeys cannot verify any attestation, so a
// REQUIRE_ATTESTATION rule naming it rejects every image until keys are added.
const attestor = new gcp.binaryauthorization.Attestor("attestor", {attestationAuthorityNote: {
    noteReference: note.name,
}});
const policy = new gcp.binaryauthorization.Policy("policy", {
    // Every pattern here bypasses the admission rules entirely; keep the list minimal.
    admissionWhitelistPatterns: [{
        namePattern: "gcr.io/google_containers/*",
    }],
    // Clusters without a per-cluster rule fall through to this one:
    // ALWAYS_ALLOW means nothing is enforced anywhere except prod-cluster.
    defaultAdmissionRule: {
        evaluationMode: "ALWAYS_ALLOW",
        enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG",
    },
    clusterAdmissionRules: [{
        cluster: "us-central1-a.prod-cluster", // "{location}.{cluster-name}"
        evaluationMode: "REQUIRE_ATTESTATION",
        enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG",
        requireAttestationsBies: [attestor.name],
    }],
});

Example Usage - Binary Authorization Policy Global Evaluation

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const note = new gcp.containeranalysis.Note("note", {attestationAuthority: {
    hint: {
        humanReadableName: "My attestor",
    },
}});
const attestor = new gcp.binaryauthorization.Attestor("attestor", {attestationAuthorityNote: {
    noteReference: note.name,
}});
const policy = new gcp.binaryauthorization.Policy("policy", {
    // Attestation is required on every cluster in the project; there is no whitelist.
    defaultAdmissionRule: {
        evaluationMode: "REQUIRE_ATTESTATION",
        enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG",
        requireAttestationsBies: [attestor.name],
    },
    // ENABLE lets the Google-maintained global policy admit common system-level
    // images before the rule above is applied to everything else.
    globalPolicyEvaluationMode: "ENABLE",
});
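The two examples above, together with the property descriptions further down, define how a pod creation request is decided: a whitelist pattern match admits the image unconditionally, otherwise the cluster's own admission rule applies if it has one and the default rule applies if not, and the enforcement mode decides whether a violation blocks or only audit-logs. The following is an added example, not code from the Pulumi GCP SDK or from Binary Authorization itself: a local evaluator for a policy shaped like the "Policy Basic" example, useful for checking what a policy change would do to a given cluster and image before deploying it. It assumes cluster ids are "{location}.{cluster-name}" as in the example; the wildcard matcher is an approximation of Binary Authorization's name patterns (a trailing "*" matches the rest of one path component, a trailing "**" matches any number of components, a pattern without a tag or digest matches any tag or digest); and image references are expected in digest form, since attestations are made over digests rather than tags. The global policy is not modelled.

```typescript
// Added example (not code from the Pulumi GCP SDK or from Binary Authorization):
// a local evaluator for a policy shaped like the "Policy Basic" example above,
// following the semantics given in the property descriptions. Assumptions:
// cluster ids are "{location}.{cluster-name}"; a name pattern's trailing "*"
// matches the rest of one path component and a trailing "**" matches any number
// of components; a pattern with no tag or digest matches any tag or digest.
// Images are expected in digest form, since attestations are made over digests.

export type EvaluationMode = "ALWAYS_ALLOW" | "ALWAYS_DENY" | "REQUIRE_ATTESTATION";
export type EnforcementMode = "ENFORCED_BLOCK_AND_AUDIT_LOG" | "DRYRUN_AUDIT_LOG_ONLY";

export interface AdmissionRule {
  evaluationMode: EvaluationMode;
  enforcementMode: EnforcementMode;
  requireAttestationsBies?: string[]; // attestor names, as in the examples above
}
export interface ClusterAdmissionRule extends AdmissionRule { cluster: string; }
export interface BinAuthzPolicy {
  admissionWhitelistPatterns?: { namePattern: string }[];
  defaultAdmissionRule: AdmissionRule;
  clusterAdmissionRules?: ClusterAdmissionRule[];
}
export interface Decision { admitted: boolean; reason: string; }

function hasPrefix(s: string, prefix: string): boolean { return s.slice(0, prefix.length) === prefix; }

export function matchesPattern(pattern: string, image: string): boolean {
  if (pattern.slice(-3) === "/**") {           // "gcr.io/a/**" matches gcr.io/a/x and gcr.io/a/x/y
    return hasPrefix(image, pattern.slice(0, -2));
  }
  if (pattern.slice(-1) === "*") {             // "gcr.io/a/*" matches gcr.io/a/x but not gcr.io/a/x/y
    const prefix = pattern.slice(0, -1);
    return hasPrefix(image, prefix) && image.slice(prefix.length).indexOf("/") < 0;
  }
  // Exact name; a tag or digest after the name is accepted when the pattern has none.
  return image === pattern || hasPrefix(image, pattern + ":") || hasPrefix(image, pattern + "@");
}

// Decide one image on one cluster. attestedBy lists the attestors that hold a
// valid attestation for this image digest.
export function evaluateImage(policy: BinAuthzPolicy, cluster: string, image: string, attestedBy: string[]): Decision {
  // 1. Whitelist patterns win over every admission rule: an unconditional bypass.
  const wl = (policy.admissionWhitelistPatterns || []).filter(p => matchesPattern(p.namePattern, image))[0];
  if (wl) return { admitted: true, reason: "whitelisted by pattern " + wl.namePattern + " (attestation not checked)" };

  // 2. The cluster's own rule if it has one, otherwise the default rule.
  const rule: AdmissionRule =
    (policy.clusterAdmissionRules || []).filter(r => r.cluster === cluster)[0] || policy.defaultAdmissionRule;

  let violation: string | undefined;
  switch (rule.evaluationMode) {
    case "ALWAYS_ALLOW": break;
    case "ALWAYS_DENY": violation = "rule is ALWAYS_DENY"; break;
    case "REQUIRE_ATTESTATION": {
      // Every attestor listed must have attested; one missing attestation is a violation.
      const missing = (rule.requireAttestationsBies || []).filter(a => attestedBy.indexOf(a) < 0);
      if (missing.length > 0) violation = "missing attestation from " + missing.join(", ");
      break;
    }
    default: throw new Error("unknown evaluation mode");
  }
  if (!violation) return { admitted: true, reason: "rule satisfied (" + rule.evaluationMode + ")" };

  // 3. Enforcement mode: dry run only audit-logs the violation and still admits the pod.
  return rule.enforcementMode === "DRYRUN_AUDIT_LOG_ONLY"
    ? { admitted: true, reason: "dry run, would block: " + violation }
    : { admitted: false, reason: "blocked: " + violation };
}

// A pod is admitted only if every container image in it is admitted.
export function evaluatePod(policy: BinAuthzPolicy, cluster: string, images: string[],
                            attestations: { [image: string]: string[] }): Decision {
  for (const image of images) {
    const d = evaluateImage(policy, cluster, image, attestations[image] || []);
    if (!d.admitted) return { admitted: false, reason: image + ": " + d.reason };
  }
  return { admitted: true, reason: "all " + images.length + " image(s) admitted" };
}

// The "Policy Basic" example above as data. Only us-central1-a.prod-cluster
// requires attestations; every other cluster falls through to ALWAYS_ALLOW.
export const basicPolicy: BinAuthzPolicy = {
  admissionWhitelistPatterns: [{ namePattern: "gcr.io/google_containers/*" }],
  defaultAdmissionRule: { evaluationMode: "ALWAYS_ALLOW", enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG" },
  clusterAdmissionRules: [{
    cluster: "us-central1-a.prod-cluster",
    evaluationMode: "REQUIRE_ATTESTATION",
    enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG",
    requireAttestationsBies: ["attestor"],
  }],
};
```

Two results are worth checking against your own policy: an unattested image under gcr.io/google_containers/ is admitted on prod-cluster because the whitelist is consulted before any rule, and the same unattested image is admitted on any cluster that is not prod-cluster because the default rule is ALWAYS_ALLOW. Switching a rule to DRYRUN_AUDIT_LOG_ONLY keeps admitting violating pods and only records them, which is what you want while rolling a policy out and not what you want afterwards.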

constructor

new Policy(name: string, args: PolicyArgs, opts?: pulumi.CustomResourceOptions)

Create a Policy resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: PolicyState, opts?: pulumi.CustomResourceOptions): Policy

Get an existing Policy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Policy

Returns true if the given object is an instance of Policy. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property admissionWhitelistPatterns

public admissionWhitelistPatterns: pulumi.Output<PolicyAdmissionWhitelistPattern[] | undefined>;

A whitelist of image name patterns excluded from admission rules. If an image’s name matches a whitelist pattern, the image’s admission requests are always permitted regardless of your admission rules, so every pattern is an unconditional bypass of attestation: keep the list short and specific, and avoid patterns that cover a whole registry or project. Structure is documented below.

property clusterAdmissionRules

public clusterAdmissionRules: pulumi.Output<PolicyClusterAdmissionRule[] | undefined>;

Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec.

property defaultAdmissionRule

public defaultAdmissionRule: pulumi.Output<PolicyDefaultAdmissionRule>;

Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

property description

public description: pulumi.Output<string | undefined>;

A descriptive comment.

property globalPolicyEvaluationMode

public globalPolicyEvaluationMode: pulumi.Output<string>;

Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property project

public project: pulumi.Output<string>;

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Others

interface AttestorArgs

The set of arguments for constructing an Attestor resource.

property attestationAuthorityNote

attestationAuthorityNote: pulumi.Input<AttestorAttestationAuthorityNote>;

A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.

property description

description?: pulumi.Input<string>;

A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.

property name

name?: pulumi.Input<string>;

The resource name.

property project

project?: pulumi.Input<string>;

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

interface AttestorIamBindingArgs

The set of arguments for constructing an AttestorIamBinding resource.

property attestor

attestor: pulumi.Input<string>;

Used to find the parent resource to bind the IAM policy to

property condition

condition?: pulumi.Input<AttestorIamBindingCondition>;

property members

members: pulumi.Input<pulumi.Input<string>[]>;

property project

project?: pulumi.Input<string>;

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

property role

role: pulumi.Input<string>;

The role that should be applied. Only one gcp.binaryauthorization.AttestorIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

interface AttestorIamBindingState

Input properties used for looking up and filtering AttestorIamBinding resources.

property attestor

attestor?: pulumi.Input<string>;

Used to find the parent resource to bind the IAM policy to

property condition

condition?: pulumi.Input<AttestorIamBindingCondition>;

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the IAM policy.

property members

members?: pulumi.Input<pulumi.Input<string>[]>;

property project

project?: pulumi.Input<string>;

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

property role

role?: pulumi.Input<string>;

The role that should be applied. Only one gcp.binaryauthorization.AttestorIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

interface AttestorIamMemberArgs

The set of arguments for constructing an AttestorIamMember resource.

property attestor

attestor: pulumi.Input<string>;

Used to find the parent resource to bind the IAM policy to

property condition

condition?: pulumi.Input<AttestorIamMemberCondition>;

property member

member: pulumi.Input<string>;

property project

project?: pulumi.Input<string>;

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

property role

role: pulumi.Input<string>;

The role that should be applied. Only one gcp.binaryauthorization.AttestorIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

interface AttestorIamMemberState

Input properties used for looking up and filtering AttestorIamMember resources.

property attestor

attestor?: pulumi.Input<string>;

Used to find the parent resource to bind the IAM policy to

property condition

condition?: pulumi.Input<AttestorIamMemberCondition>;

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the IAM policy.

property member

member?: pulumi.Input<string>;

property project

project?: pulumi.Input<string>;

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

property role

role?: pulumi.Input<string>;

The role that should be applied. Only one gcp.binaryauthorization.AttestorIamBinding can be used per role. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

interface AttestorIamPolicyArgs

The set of arguments for constructing an AttestorIamPolicy resource.

property attestor

attestor: pulumi.Input<string>;

Used to find the parent resource to bind the IAM policy to

property policyData

policyData: pulumi.Input<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

property project

project?: pulumi.Input<string>;

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

interface AttestorIamPolicyState

Input properties used for looking up and filtering AttestorIamPolicy resources.

property attestor

attestor?: pulumi.Input<string>;

Used to find the parent resource to bind the IAM policy to

property etag

etag?: pulumi.Input<string>;

(Computed) The etag of the IAM policy.

property policyData

policyData?: pulumi.Input<string>;

The policy data generated by a gcp.organizations.getIAMPolicy data source.

property project

project?: pulumi.Input<string>;

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

interface AttestorState

Input properties used for looking up and filtering Attestor resources.

property attestationAuthorityNote

attestationAuthorityNote?: pulumi.Input<AttestorAttestationAuthorityNote>;

A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.

property description

description?: pulumi.Input<string>;

A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.

property name

name?: pulumi.Input<string>;

The resource name.

property project

project?: pulumi.Input<string>;

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

interface PolicyArgs

The set of arguments for constructing a Policy resource.

property admissionWhitelistPatterns

admissionWhitelistPatterns?: pulumi.Input<pulumi.Input<PolicyAdmissionWhitelistPattern>[]>;

A whitelist of image name patterns excluded from admission rules. If an image’s name matches a whitelist pattern, the image’s admission requests are always permitted regardless of your admission rules, so every pattern is an unconditional bypass of attestation: keep the list short and specific, and avoid patterns that cover a whole registry or project. Structure is documented below.

property clusterAdmissionRules

clusterAdmissionRules?: pulumi.Input<pulumi.Input<PolicyClusterAdmissionRule>[]>;

Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec.

property defaultAdmissionRule

defaultAdmissionRule: pulumi.Input<PolicyDefaultAdmissionRule>;

Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

property description

description?: pulumi.Input<string>;

A descriptive comment.

property globalPolicyEvaluationMode

globalPolicyEvaluationMode?: pulumi.Input<string>;

Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy.

property project

project?: pulumi.Input<string>;

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

interface PolicyState

Input properties used for looking up and filtering Policy resources.

property admissionWhitelistPatterns

admissionWhitelistPatterns?: pulumi.Input<pulumi.Input<PolicyAdmissionWhitelistPattern>[]>;

A whitelist of image name patterns excluded from admission rules. If an image’s name matches a whitelist pattern, the image’s admission requests are always permitted regardless of your admission rules, so every pattern is an unconditional bypass of attestation: keep the list short and specific, and avoid patterns that cover a whole registry or project. Structure is documented below.

property clusterAdmissionRules

clusterAdmissionRules?: pulumi.Input<pulumi.Input<PolicyClusterAdmissionRule>[]>;

Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec.

property defaultAdmissionRule

defaultAdmissionRule?: pulumi.Input<PolicyDefaultAdmissionRule>;

Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

property description

description?: pulumi.Input<string>;

A descriptive comment.

property globalPolicyEvaluationMode

globalPolicyEvaluationMode?: pulumi.Input<string>;

Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy.

property project

project?: pulumi.Input<string>;

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.