Binary Authorization: globalPolicyEvaluationMode (#2111)
Merged PR #2111.
drebes authored and modular-magician committed Aug 6, 2019
1 parent 1487096 commit abb75df
Showing 4 changed files with 59 additions and 4 deletions.
9 changes: 9 additions & 0 deletions products/binaryauthorization/api.yaml
Expand Up @@ -155,6 +155,15 @@ objects:
- !ruby/object:Api::Type::String
name: description
description: A descriptive comment.
- !ruby/object:Api::Type::Enum
name: globalPolicyEvaluationMode
description: |
Controls the evaluation of a Google-maintained global admission policy
for common system-level images. Images not covered by the global
policy will be subject to the project admission policy.
values:
- :ENABLE
- :DISABLE
- !ruby/object:Api::Type::Array
name: admissionWhitelistPatterns
description: |
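Review bot: The description of the new globalPolicyEvaluationMode enum explains only the ENABLE side; a reader cannot tell from it what DISABLE does or which value the API applies when the field is left unset. Since terraform.yaml in this same commit marks the property default_from_api, the omitted case is accepted by the resource, so this description is the only place a user learns the semantics. Consider extending it with a sentence along the lines of `When set to DISABLE, every image, including system-level ones, is evaluated against the project admission policy only` — confirm the wording against the API reference before adding it.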
9 changes: 9 additions & 0 deletions products/binaryauthorization/terraform.yaml
Expand Up @@ -63,7 +63,16 @@ overrides: !ruby/object:Overrides::ResourceOverrides
vars:
attestor_name: "test-attestor"
note_name: "test-attestor-note"
- !ruby/object:Provider::Terraform::Examples
name: "binary_authorization_policy_global_evaluation"
primary_resource_id: "policy"
skip_test: true
vars:
attestor_name: "test-attestor"
note_name: "test-attestor-note"
properties:
globalPolicyEvaluationMode: !ruby/object:Overrides::Terraform::PropertyOverride
default_from_api: true
clusterAdmissionRules: !ruby/object:Overrides::Terraform::PropertyOverride
is_set: true
set_hash_func: |-
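Review bot: The new binary_authorization_policy_global_evaluation example is registered with `skip_test: true`, so the generated acceptance suite will not exercise it and the coverage rests entirely on the hand-written provider tests changed in this commit. That is presumably because of the one-policy-per-project constraint the existing test helper comments on, but a one-line comment above it (`# one policy per project; covered by the handwritten update test`) would save the next reader from guessing. The `default_from_api: true` override also means that, if it makes the field computed as elsewhere in this generator, an operator who removes the attribute from configuration keeps whatever mode the API reports rather than reverting to a known one; that is acceptable for a computed field, but the resource documentation should say so explicitly.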
@@ -0,0 +1,27 @@
resource "google_binary_authorization_policy" "<%= ctx[:primary_resource_id] %>" {

default_admission_rule {
evaluation_mode = "REQUIRE_ATTESTATION"
enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
}

global_policy_evaluation_mode = "ENABLE"

}

resource "google_container_analysis_note" "note" {
name = "<%= ctx[:vars]["note_name"] %>"
attestation_authority {
hint {
human_readable_name = "My attestor"
}
}
}

resource "google_binary_authorization_attestor" "attestor" {
name = "<%= ctx[:vars]["attestor_name"] %>"
attestation_authority_note {
note_reference = "${google_container_analysis_note.note.name}"
}
}
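Review bot: The example sets `global_policy_evaluation_mode = "ENABLE"` without saying what the setting does, and unlike the attestor and note blocks its meaning is not self-evident from the resource names. A short comment above the line, drawn from the api.yaml description added in this commit — `# Evaluate Google's global admission policy for common system images; images it does not cover fall through to the project policy below` — would make the example self-explanatory. The file's path is not shown on this page, so I cannot confirm it matches the `binary_authorization_policy_global_evaluation` name registered in terraform.yaml.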
Expand Up @@ -54,7 +54,7 @@ func TestAccBinaryAuthorizationPolicy_full(t *testing.T) {
Providers: testAccProviders,
Steps: []resource.TestStep{
{
Config: testAccBinaryAuthorizationPolicyFull(pid, pname, org, billingId, note, attestor),
Config: testAccBinaryAuthorizationPolicyFull(pid, pname, org, billingId, note, attestor, "ENABLE"),
},
{
ResourceName: "google_binary_authorization_policy.policy",
Expand Down Expand Up @@ -125,7 +125,15 @@ func TestAccBinaryAuthorizationPolicy_update(t *testing.T) {
ImportStateVerify: true,
},
{
Config: testAccBinaryAuthorizationPolicyFull(pid, pname, org, billingId, note, attestor),
Config: testAccBinaryAuthorizationPolicyFull(pid, pname, org, billingId, note, attestor, "ENABLE"),
},
{
ResourceName: "google_binary_authorization_policy.policy",
ImportState: true,
ImportStateVerify: true,
},
{
Config: testAccBinaryAuthorizationPolicyFull(pid, pname, org, billingId, note, attestor, "DISABLE"),
},
{
ResourceName: "google_binary_authorization_policy.policy",
Expand Down Expand Up @@ -211,7 +219,7 @@ resource "google_binary_authorization_policy" "policy" {
}

<% unless version == 'ga' -%>
func testAccBinaryAuthorizationPolicyFull(pid, pname, org, billing, note, attestor string) string {
func testAccBinaryAuthorizationPolicyFull(pid, pname, org, billing, note, attestor, gpmode string) string {
return fmt.Sprintf(`
// Use a separate project since each project can only have one policy
resource "google_project" "project" {
Expand Down Expand Up @@ -269,8 +277,10 @@ resource "google_binary_authorization_policy" "policy" {
enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
}

global_policy_evaluation_mode = "%s"
}
`, pid, pname, org, billing, note, attestor)
`, pid, pname, org, billing, note, attestor, gpmode)
}

func testAccBinaryAuthorizationPolicy_separateProject(pid, pname, org, billing, note, attestor string) string {
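Review bot: Every step in TestAccBinaryAuthorizationPolicy_full and TestAccBinaryAuthorizationPolicy_update passes an explicit `gpmode`, so nothing exercises the path the terraform.yaml override introduces, where the attribute is omitted and `default_from_api` fills it from the API; a step with the attribute absent followed by a plan expected to be empty is what would catch a perpetual-diff bug there. The update test does cover the ENABLE to DISABLE transition with an import verification in between, which is the right shape. A small naming point in testAccBinaryAuthorizationPolicyFull: `gpmode` is only decodable with the field name in mind, so either `globalPolicyMode` or a comment on the parameter (`// gpmode: ENABLE or DISABLE, see global_policy_evaluation_mode`) would help. The function bodies in all four hunks continue outside the hunks.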
