Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Binary Authorization: globalPolicyEvaluationMode #2111

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions products/binaryauthorization/api.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -155,6 +155,15 @@ objects:
- !ruby/object:Api::Type::String
name: description
description: A descriptive comment.
- !ruby/object:Api::Type::Enum
name: globalPolicyEvaluationMode
description: |
Controls the evaluation of a Google-maintained global admission policy
for common system-level images. Images not covered by the global
policy will be subject to the project admission policy.
values:
- :ENABLE
- :DISABLE
- !ruby/object:Api::Type::Array
name: admissionWhitelistPatterns
description: |
Expand Down
9 changes: 9 additions & 0 deletions products/binaryauthorization/terraform.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,16 @@ overrides: !ruby/object:Overrides::ResourceOverrides
vars:
attestor_name: "test-attestor"
note_name: "test-attestor-note"
- !ruby/object:Provider::Terraform::Examples
name: "binary_authorization_policy_global_evaluation"
primary_resource_id: "policy"
skip_test: true
vars:
attestor_name: "test-attestor"
note_name: "test-attestor-note"
properties:
globalPolicyEvaluationMode: !ruby/object:Overrides::Terraform::PropertyOverride
default_from_api: true
clusterAdmissionRules: !ruby/object:Overrides::Terraform::PropertyOverride
is_set: true
set_hash_func: |-
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
resource "google_binary_authorization_policy" "<%= ctx[:primary_resource_id] %>" {

default_admission_rule {
evaluation_mode = "REQUIRE_ATTESTATION"
enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
}

global_policy_evaluation_mode = "ENABLE"

}

resource "google_container_analysis_note" "note" {
name = "<%= ctx[:vars]["note_name"] %>"
attestation_authority {
hint {
human_readable_name = "My attestor"
}
}
}

resource "google_binary_authorization_attestor" "attestor" {
name = "<%= ctx[:vars]["attestor_name"] %>"
attestation_authority_note {
note_reference = "${google_container_analysis_note.note.name}"
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ func TestAccBinaryAuthorizationPolicy_full(t *testing.T) {
Providers: testAccProviders,
Steps: []resource.TestStep{
{
Config: testAccBinaryAuthorizationPolicyFull(pid, pname, org, billingId, note, attestor),
Config: testAccBinaryAuthorizationPolicyFull(pid, pname, org, billingId, note, attestor, "ENABLE"),
},
{
ResourceName: "google_binary_authorization_policy.policy",
Expand Down Expand Up @@ -125,7 +125,15 @@ func TestAccBinaryAuthorizationPolicy_update(t *testing.T) {
ImportStateVerify: true,
},
{
Config: testAccBinaryAuthorizationPolicyFull(pid, pname, org, billingId, note, attestor),
Config: testAccBinaryAuthorizationPolicyFull(pid, pname, org, billingId, note, attestor, "ENABLE"),
},
{
ResourceName: "google_binary_authorization_policy.policy",
ImportState: true,
ImportStateVerify: true,
},
{
Config: testAccBinaryAuthorizationPolicyFull(pid, pname, org, billingId, note, attestor, "DISABLE"),
},
{
ResourceName: "google_binary_authorization_policy.policy",
Expand Down Expand Up @@ -211,7 +219,7 @@ resource "google_binary_authorization_policy" "policy" {
}

<% unless version == 'ga' -%>
func testAccBinaryAuthorizationPolicyFull(pid, pname, org, billing, note, attestor string) string {
func testAccBinaryAuthorizationPolicyFull(pid, pname, org, billing, note, attestor, gpmode string) string {
return fmt.Sprintf(`
// Use a separate project since each project can only have one policy
resource "google_project" "project" {
Expand Down Expand Up @@ -269,8 +277,10 @@ resource "google_binary_authorization_policy" "policy" {
enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
}

global_policy_evaluation_mode = "%s"
}
`, pid, pname, org, billing, note, attestor)
`, pid, pname, org, billing, note, attestor, gpmode)
}

func testAccBinaryAuthorizationPolicy_separateProject(pid, pname, org, billing, note, attestor string) string {
Expand Down