import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * A policy for container image binary authorization. * * To get more information about Policy, see: * * * [API documentation](https://cloud.google.com/binary-authorization/docs/reference/rest/) * * How-to Guides * * [Official Documentation](https://cloud.google.com/binary-authorization/) * * ## Example Usage * * ### Binary Authorization Policy Basic * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const note = new gcp.containeranalysis.Note("note", { * name: "test-attestor-note", * attestationAuthority: { * hint: { * humanReadableName: "My attestor", * }, * }, * }); * const attestor = new gcp.binaryauthorization.Attestor("attestor", { * name: "test-attestor", * attestationAuthorityNote: { * noteReference: note.name, * }, * }); * const policy = new gcp.binaryauthorization.Policy("policy", { * admissionWhitelistPatterns: [{ * namePattern: "gcr.io/google_containers/*", * }], * defaultAdmissionRule: { * evaluationMode: "ALWAYS_ALLOW", * enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG", * }, * clusterAdmissionRules: [{ * cluster: "us-central1-a.prod-cluster", * evaluationMode: "REQUIRE_ATTESTATION", * enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG", * requireAttestationsBies: [attestor.name], * }], * }); * ``` * ### Binary Authorization Policy Global Evaluation * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const note = new gcp.containeranalysis.Note("note", { * name: "test-attestor-note", * attestationAuthority: { * hint: { * humanReadableName: "My attestor", * }, * }, * }); * const attestor = new gcp.binaryauthorization.Attestor("attestor", { * name: "test-attestor", * attestationAuthorityNote: { * noteReference: note.name, * }, * }); * const policy = new gcp.binaryauthorization.Policy("policy", { * defaultAdmissionRule: { * evaluationMode: "REQUIRE_ATTESTATION", * enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG", * requireAttestationsBies: [attestor.name], * }, * globalPolicyEvaluationMode: "ENABLE", * }); * ``` * * ## Import * * Policy can be imported using any of these accepted formats: * * * `projects/{{project}}` * * * `{{project}}` * * When using the `pulumi import` command, Policy can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:binaryauthorization/policy:Policy default projects/{{project}} * ``` * * ```sh * $ pulumi import gcp:binaryauthorization/policy:Policy default {{project}} * ``` */ export declare class Policy extends pulumi.CustomResource { /** * Get an existing Policy resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: PolicyState, opts?: pulumi.CustomResourceOptions): Policy; /** * Returns true if the given object is an instance of Policy. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is Policy; /** * A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the * image's admission requests will always be permitted regardless of your admission rules. */ readonly admissionWhitelistPatterns: pulumi.Output; /** * Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request * must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be * denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A * location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1'). */ readonly clusterAdmissionRules: pulumi.Output; /** * Default admission rule for a cluster without a per-cluster admission * rule. * Structure is documented below. */ readonly defaultAdmissionRule: pulumi.Output; /** * A descriptive comment. */ readonly description: pulumi.Output; /** * Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not * covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"] */ readonly globalPolicyEvaluationMode: pulumi.Output; readonly project: pulumi.Output; /** * Create a Policy resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: PolicyArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering Policy resources. */ export interface PolicyState { /** * A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the * image's admission requests will always be permitted regardless of your admission rules. */ admissionWhitelistPatterns?: pulumi.Input[]>; /** * Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request * must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be * denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A * location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1'). */ clusterAdmissionRules?: pulumi.Input[]>; /** * Default admission rule for a cluster without a per-cluster admission * rule. * Structure is documented below. */ defaultAdmissionRule?: pulumi.Input; /** * A descriptive comment. */ description?: pulumi.Input; /** * Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not * covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"] */ globalPolicyEvaluationMode?: pulumi.Input; project?: pulumi.Input; } /** * The set of arguments for constructing a Policy resource. */ export interface PolicyArgs { /** * A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the * image's admission requests will always be permitted regardless of your admission rules. */ admissionWhitelistPatterns?: pulumi.Input[]>; /** * Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request * must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be * denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A * location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1'). */ clusterAdmissionRules?: pulumi.Input[]>; /** * Default admission rule for a cluster without a per-cluster admission * rule. * Structure is documented below. */ defaultAdmissionRule: pulumi.Input; /** * A descriptive comment. */ description?: pulumi.Input; /** * Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not * covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"] */ globalPolicyEvaluationMode?: pulumi.Input; project?: pulumi.Input; }