import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * A policy for container image binary authorization. * * To get more information about Policy, see: * * * [API documentation](https://cloud.google.com/binary-authorization/docs/reference/rest/) * * How-to Guides * * [Official Documentation](https://cloud.google.com/binary-authorization/) * * ## Example Usage * * ### Binary Authorization Policy Basic * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const note = new gcp.containeranalysis.Note("note", { * name: "test-attestor-note", * attestationAuthority: { * hint: { * humanReadableName: "My attestor", * }, * }, * }); * const attestor = new gcp.binaryauthorization.Attestor("attestor", { * name: "test-attestor", * attestationAuthorityNote: { * noteReference: note.name, * }, * }); * const policy = new gcp.binaryauthorization.Policy("policy", { * admissionWhitelistPatterns: [{ * namePattern: "gcr.io/google_containers/*", * }], * defaultAdmissionRule: { * evaluationMode: "ALWAYS_ALLOW", * enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG", * }, * clusterAdmissionRules: [{ * cluster: "us-central1-a.prod-cluster", * evaluationMode: "REQUIRE_ATTESTATION", * enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG", * requireAttestationsBies: [attestor.name], * }], * }); * ``` * ### Binary Authorization Policy Global Evaluation * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as gcp from "@pulumi/gcp"; * * const note = new gcp.containeranalysis.Note("note", { * name: "test-attestor-note", * attestationAuthority: { * hint: { * humanReadableName: "My attestor", * }, * }, * }); * const attestor = new gcp.binaryauthorization.Attestor("attestor", { * name: "test-attestor", * attestationAuthorityNote: { * noteReference: note.name, * }, * }); * const policy = new gcp.binaryauthorization.Policy("policy", { * defaultAdmissionRule: { * evaluationMode: "REQUIRE_ATTESTATION", * enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG", * requireAttestationsBies: [attestor.name], * }, * globalPolicyEvaluationMode: "ENABLE", * }); * ``` * * ## Import * * Policy can be imported using any of these accepted formats: * * * `projects/{{project}}` * * `{{project}}` * * When using the `pulumi import` command, Policy can be imported using one of the formats above. For example: * * ```sh * $ pulumi import gcp:binaryauthorization/policy:Policy default projects/{{project}} * $ pulumi import gcp:binaryauthorization/policy:Policy default {{project}} * ``` */ export declare class Policy extends pulumi.CustomResource { /** * Get an existing Policy resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: PolicyState, opts?: pulumi.CustomResourceOptions): Policy; /** * Returns true if the given object is an instance of Policy. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is Policy; /** * A whitelist of image patterns to exclude from admission rules. If an * image's name matches a whitelist pattern, the image's admission * requests will always be permitted regardless of your admission rules. * Structure is documented below. */ readonly admissionWhitelistPatterns: pulumi.Output; /** * Per-cluster admission rules. An admission rule specifies either that * all container images used in a pod creation request must be attested * to by one or more attestors, that all pod creations will be allowed, * or that all pod creations will be denied. There can be at most one * admission rule per cluster spec. * * Identifier format: `{{location}}.{{clusterId}}`. * A location is either a compute zone (e.g. `us-central1-a`) or a region * (e.g. `us-central1`). * Structure is documented below. */ readonly clusterAdmissionRules: pulumi.Output; /** * Default admission rule for a cluster without a per-cluster admission * rule. * Structure is documented below. */ readonly defaultAdmissionRule: pulumi.Output; /** * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. * When a 'terraform destroy' or 'pulumi up' would delete the resource, * the command will fail if this field is set to "PREVENT" in Terraform state. * When set to "ABANDON", the command will remove the resource from Terraform * management without updating or deleting the resource in the API. * When set to "DELETE", deleting the resource is allowed. */ readonly deletionPolicy: pulumi.Output; /** * A descriptive comment. */ readonly description: pulumi.Output; /** * Controls the evaluation of a Google-maintained global admission policy * for common system-level images. Images not covered by the global * policy will be subject to the project admission policy. * Possible values are: `ENABLE`, `DISABLE`. */ readonly globalPolicyEvaluationMode: pulumi.Output; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ readonly project: pulumi.Output; /** * Create a Policy resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: PolicyArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering Policy resources. */ export interface PolicyState { /** * A whitelist of image patterns to exclude from admission rules. If an * image's name matches a whitelist pattern, the image's admission * requests will always be permitted regardless of your admission rules. * Structure is documented below. */ admissionWhitelistPatterns?: pulumi.Input[] | undefined>; /** * Per-cluster admission rules. An admission rule specifies either that * all container images used in a pod creation request must be attested * to by one or more attestors, that all pod creations will be allowed, * or that all pod creations will be denied. There can be at most one * admission rule per cluster spec. * * Identifier format: `{{location}}.{{clusterId}}`. * A location is either a compute zone (e.g. `us-central1-a`) or a region * (e.g. `us-central1`). * Structure is documented below. */ clusterAdmissionRules?: pulumi.Input[] | undefined>; /** * Default admission rule for a cluster without a per-cluster admission * rule. * Structure is documented below. */ defaultAdmissionRule?: pulumi.Input; /** * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. * When a 'terraform destroy' or 'pulumi up' would delete the resource, * the command will fail if this field is set to "PREVENT" in Terraform state. * When set to "ABANDON", the command will remove the resource from Terraform * management without updating or deleting the resource in the API. * When set to "DELETE", deleting the resource is allowed. */ deletionPolicy?: pulumi.Input; /** * A descriptive comment. */ description?: pulumi.Input; /** * Controls the evaluation of a Google-maintained global admission policy * for common system-level images. Images not covered by the global * policy will be subject to the project admission policy. * Possible values are: `ENABLE`, `DISABLE`. */ globalPolicyEvaluationMode?: pulumi.Input; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input; } /** * The set of arguments for constructing a Policy resource. */ export interface PolicyArgs { /** * A whitelist of image patterns to exclude from admission rules. If an * image's name matches a whitelist pattern, the image's admission * requests will always be permitted regardless of your admission rules. * Structure is documented below. */ admissionWhitelistPatterns?: pulumi.Input[] | undefined>; /** * Per-cluster admission rules. An admission rule specifies either that * all container images used in a pod creation request must be attested * to by one or more attestors, that all pod creations will be allowed, * or that all pod creations will be denied. There can be at most one * admission rule per cluster spec. * * Identifier format: `{{location}}.{{clusterId}}`. * A location is either a compute zone (e.g. `us-central1-a`) or a region * (e.g. `us-central1`). * Structure is documented below. */ clusterAdmissionRules?: pulumi.Input[] | undefined>; /** * Default admission rule for a cluster without a per-cluster admission * rule. * Structure is documented below. */ defaultAdmissionRule: pulumi.Input; /** * Whether Terraform will be prevented from destroying the resource. Defaults to DELETE. * When a 'terraform destroy' or 'pulumi up' would delete the resource, * the command will fail if this field is set to "PREVENT" in Terraform state. * When set to "ABANDON", the command will remove the resource from Terraform * management without updating or deleting the resource in the API. * When set to "DELETE", deleting the resource is allowed. */ deletionPolicy?: pulumi.Input; /** * A descriptive comment. */ description?: pulumi.Input; /** * Controls the evaluation of a Google-maintained global admission policy * for common system-level images. Images not covered by the global * policy will be subject to the project admission policy. * Possible values are: `ENABLE`, `DISABLE`. */ globalPolicyEvaluationMode?: pulumi.Input; /** * The ID of the project in which the resource belongs. * If it is not provided, the provider project is used. */ project?: pulumi.Input; } //# sourceMappingURL=policy.d.ts.map