From abb75df5899d632ebcfb758ebf1046d111736869 Mon Sep 17 00:00:00 2001
From: Roberto Jung Drebes
Date: Wed, 7 Aug 2019 01:35:09 +0200
Subject: [PATCH] Binary Authorization: globalPolicyEvaluationMode (#2111)

Merged PR #2111.
---
 products/binaryauthorization/api.yaml | 9 +++++++
 products/binaryauthorization/terraform.yaml | 9 +++++++
 ...horization_policy_global_evaluation.tf.erb | 27 +++++++++++++++++++
 ...rce_binaryauthorization_policy_test.go.erb | 18 ++++++++++---
 4 files changed, 59 insertions(+), 4 deletions(-)
 create mode 100644 templates/terraform/examples/binary_authorization_policy_global_evaluation.tf.erb

diff --git a/products/binaryauthorization/api.yaml b/products/binaryauthorization/api.yaml
index 497a40a22935..8526e87db164 100644
--- a/products/binaryauthorization/api.yaml
+++ b/products/binaryauthorization/api.yaml
@@ -155,6 +155,15 @@ objects:
 - !ruby/object:Api::Type::String
 name: description
 description: A descriptive comment.
+ - !ruby/object:Api::Type::Enum
+ name: globalPolicyEvaluationMode
+ description: |
+ Controls the evaluation of a Google-maintained global admission policy
+ for common system-level images. Images not covered by the global
+ policy will be subject to the project admission policy.
+ values:
+ - :ENABLE
+ - :DISABLE
 - !ruby/object:Api::Type::Array
 name: admissionWhitelistPatterns
 description: |
diff --git a/products/binaryauthorization/terraform.yaml b/products/binaryauthorization/terraform.yaml
index 40ab65b230b2..5be611636460 100644
--- a/products/binaryauthorization/terraform.yaml
+++ b/products/binaryauthorization/terraform.yaml
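Review bot: The new `globalPolicyEvaluationMode` description says which images fall back to the project policy but not what happens to the images the global policy does cover, and that is the security-relevant half: the text reads as if, with `ENABLE`, Google-maintained system images are admitted by the global policy instead of by this project's admission rules (including any attestation requirement), yet a reader has to infer that. It also gives no default, even though terraform.yaml marks the field `default_from_api`, so someone who omits the argument cannot tell from the generated docs which mode their cluster is running in. If that reading of the semantics is right, I would extend the description with a sentence like `When set to ENABLE, images covered by the global policy are exempt from this project's admission rules; set DISABLE to apply the project policy to them as well.` and name the server-side default; please confirm both against the API documentation before wording them as fact.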
@@ -63,7 +63,16 @@ overrides: !ruby/object:Overrides::ResourceOverrides
 vars:
 attestor_name: "test-attestor"
 note_name: "test-attestor-note"
+ - !ruby/object:Provider::Terraform::Examples
+ name: "binary_authorization_policy_global_evaluation"
+ primary_resource_id: "policy"
+ skip_test: true
+ vars:
+ attestor_name: "test-attestor"
+ note_name: "test-attestor-note"
 properties:
+ globalPolicyEvaluationMode: !ruby/object:Overrides::Terraform::PropertyOverride
+ default_from_api: true
 clusterAdmissionRules: !ruby/object:Overrides::Terraform::PropertyOverride
 is_set: true
 set_hash_func: |-
diff --git a/templates/terraform/examples/binary_authorization_policy_global_evaluation.tf.erb b/templates/terraform/examples/binary_authorization_policy_global_evaluation.tf.erb
new file mode 100644
index 000000000000..0f83f97aba09
--- /dev/null
+++ b/templates/terraform/examples/binary_authorization_policy_global_evaluation.tf.erb
@@ -0,0 +1,27 @@
+resource "google_binary_authorization_policy" "<%= ctx[:primary_resource_id] %>" {
+
+ default_admission_rule {
+ evaluation_mode = "REQUIRE_ATTESTATION"
+ enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
+ require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
+ }
+
+ global_policy_evaluation_mode = "ENABLE"
+
+}
+
+resource "google_container_analysis_note" "note" {
+ name = "<%= ctx[:vars]["note_name"] %>"
+ attestation_authority {
+ hint {
+ human_readable_name = "My attestor"
+ }
+ }
+}
+
+resource "google_binary_authorization_attestor" "attestor" {
+ name = "<%= ctx[:vars]["attestor_name"] %>"
+ attestation_authority_note {
+ note_reference = "${google_container_analysis_note.note.name}"
+ }
+}
diff --git a/third_party/terraform/tests/resource_binaryauthorization_policy_test.go.erb b/third_party/terraform/tests/resource_binaryauthorization_policy_test.go.erb
index 61f477e8649f..b6eb90306eee 100644
--- a/third_party/terraform/tests/resource_binaryauthorization_policy_test.go.erb
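Review bot: `default_from_api: true` on `globalPolicyEvaluationMode` makes the attribute optional and computed, as I understand the override, so a configuration that omits `global_policy_evaluation_mode` simply adopts whatever the API reports and never plans a change to it; an out-of-band switch to `ENABLE` would therefore not surface in `terraform plan` unless the argument is pinned in config. That is a defensible choice for an API-defaulted enum, but it deserves a sentence in the generated docs recommending that users set the value explicitly, since the field decides whether the project's admission rules apply to Google-maintained system images. The new example is also registered with `skip_test: true`, so the generated test suite never applies it; presumably the hand-written steps in resource_binaryauthorization_policy_test.go.erb are meant to cover the field, and a one-line comment above `skip_test: true` saying so would stop the next reader from assuming the example is untested.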
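Review bot: The example sets `global_policy_evaluation_mode = "ENABLE"` right next to a `REQUIRE_ATTESTATION` default rule without saying what the combination means, and examples are where most users pick up the semantics: the api.yaml description, which I read as saying that images covered by the global policy are not subject to the project rule, implies the attestation requirement shown here does not apply to Google-maintained system images. A `#` comment above the argument, such as `# ENABLE lets Google-maintained system images be admitted by the global policy instead of default_admission_rule; use DISABLE to require attestation for them too.`, would make that trade-off visible to anyone copying the snippet (confirm the wording against the API docs). Style: the blank line directly after the opening `{` of the policy resource and the one before its closing `}` do not appear in the sibling config in the test template and can go.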
+++ b/third_party/terraform/tests/resource_binaryauthorization_policy_test.go.erb
@@ -54,7 +54,7 @@ func TestAccBinaryAuthorizationPolicy_full(t *testing.T) {
 Providers: testAccProviders,
 Steps: []resource.TestStep{
 {
- Config: testAccBinaryAuthorizationPolicyFull(pid, pname, org, billingId, note, attestor),
+ Config: testAccBinaryAuthorizationPolicyFull(pid, pname, org, billingId, note, attestor, "ENABLE"),
 },
 {
 ResourceName: "google_binary_authorization_policy.policy",
@@ -125,7 +125,15 @@ func TestAccBinaryAuthorizationPolicy_update(t *testing.T) {
 ImportStateVerify: true,
 },
 {
- Config: testAccBinaryAuthorizationPolicyFull(pid, pname, org, billingId, note, attestor),
+ Config: testAccBinaryAuthorizationPolicyFull(pid, pname, org, billingId, note, attestor, "ENABLE"),
+ },
+ {
+ ResourceName: "google_binary_authorization_policy.policy",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ {
+ Config: testAccBinaryAuthorizationPolicyFull(pid, pname, org, billingId, note, attestor, "DISABLE"),
 },
 {
 ResourceName: "google_binary_authorization_policy.policy",
@@ -211,7 +219,7 @@ resource "google_binary_authorization_policy" "policy" {
 }
 
 <% unless version == 'ga' -%>
-func testAccBinaryAuthorizationPolicyFull(pid, pname, org, billing, note, attestor string) string {
+func testAccBinaryAuthorizationPolicyFull(pid, pname, org, billing, note, attestor, gpmode string) string {
 return fmt.Sprintf(`
 // Use a separate project since each project can only have one policy
 resource "google_project" "project" {
@@ -269,8 +277,10 @@ resource "google_binary_authorization_policy" "policy" {
 enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
 require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
 }
+
+ global_policy_evaluation_mode = "%s"
 }
-`, pid, pname, org, billing, note, attestor)
+`, pid, pname, org, billing, note, attestor, gpmode)
 }
 
 func testAccBinaryAuthorizationPolicy_separateProject(pid, pname, org, billing, note, attestor string) string {
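Review bot: The new steps in TestAccBinaryAuthorizationPolicy_update (the `@@ -125,7 +125,15 @@` hunk) drive the field from `"ENABLE"` to `"DISABLE"` with an import-verify in between, but no step exercises the path the schema actually defaults to: because `testAccBinaryAuthorizationPolicyFull` now always emits `global_policy_evaluation_mode = "%s"` (the `@@ -269,8 +277,10 @@` hunk), no config in this test omits the argument, so the `default_from_api` override is never checked for an empty plan versus a perpetual diff after the field has been set server-side. A final step that applies a config without the argument — the helper preceding `testAccBinaryAuthorizationPolicyFull` in this file, if it still omits the field — after the `"DISABLE"` step would cover that. Minor: `gpmode` is terse next to parameters that are otherwise spelled out; `evalMode` or `globalPolicyEvaluationMode` would read better. The enclosing test functions and helpers begin outside these hunks.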