binary_authorization_policy

binary_authorization_policy represents the google_binary_authorization_policy Terraform resource.

This package contains functions and utilities for setting up the resource using Jsonnet code.
fn new()
fn newAttrs()
fn withAdmissionWhitelistPatterns()
fn withAdmissionWhitelistPatternsMixin()
fn withClusterAdmissionRules()
fn withClusterAdmissionRulesMixin()
fn withDefaultAdmissionRule()
fn withDefaultAdmissionRuleMixin()
fn withDescription()
fn withGlobalPolicyEvaluationMode()
fn withProject()
fn withTimeouts()
fn withTimeoutsMixin()
obj admission_whitelist_patterns
obj cluster_admission_rules
obj default_admission_rule
obj timeouts
new()

google.binary_authorization_policy.new injects a new google_binary_authorization_policy Terraform resource block into the root module document.

Additionally, this inserts a private function into the _ref attribute that generates references to attributes of the resource. For example, if you added a new instance to the root using:

    # arguments omitted for brevity
    google.binary_authorization_policy.new('some_id')

You can get the reference to the id field of the created google.binary_authorization_policy using the reference:

    $._ref.google_binary_authorization_policy.some_id.get('id')

This is the same as directly entering "${ google_binary_authorization_policy.some_id.id }" as the value.

NOTE: if you are chaining multiple resources together in a merge operation, you may not be able to use super, self, or $ to refer to the root object. Instead, make an explicit outer object using local.
Args:
- resourceLabel (string): The name label of the block.
- description (string): A descriptive comment. When null, the description field will be omitted from the resulting object.
- global_policy_evaluation_mode (string): Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]. When null, the global_policy_evaluation_mode field will be omitted from the resulting object.
- project (string): Set the project field on the resulting resource block. When null, the project field will be omitted from the resulting object.
- admission_whitelist_patterns (list[obj]): A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules. When null, the admission_whitelist_patterns sub block will be omitted from the resulting object. When setting the sub block, it is recommended to construct the object using the google.binary_authorization_policy.admission_whitelist_patterns.new constructor.
- cluster_admission_rules (list[obj]): Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1'). When null, the cluster_admission_rules sub block will be omitted from the resulting object. When setting the sub block, it is recommended to construct the object using the google.binary_authorization_policy.cluster_admission_rules.new constructor.
- default_admission_rule (list[obj]): Default admission rule for a cluster without a per-cluster admission rule. When null, the default_admission_rule sub block will be omitted from the resulting object. When setting the sub block, it is recommended to construct the object using the google.binary_authorization_policy.default_admission_rule.new constructor.
- timeouts (obj): Set the timeouts field on the resulting resource block. When null, the timeouts sub block will be omitted from the resulting object. When setting the sub block, it is recommended to construct the object using the google.binary_authorization_policy.timeouts.new constructor.
Returns:
- A mixin object that injects the new resource into the root Terraform configuration.
newAttrs()

google.binary_authorization_policy.newAttrs constructs a new object with attributes and blocks configured for the binary_authorization_policy Terraform resource.

Unlike google.binary_authorization_policy.new, this function will not inject the resource block into the root Terraform document. Instead, this must be passed in as the attrs argument for the tf.withResource function to build a complete block.

This is most useful when you need to preprocess the attributes with functions, conditionals, or looping logic prior to injecting them into a complete block.
Args:
- description (string): A descriptive comment. When null, the description field will be omitted from the resulting object.
- global_policy_evaluation_mode (string): Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]. When null, the global_policy_evaluation_mode field will be omitted from the resulting object.
- project (string): Set the project field on the resulting object. When null, the project field will be omitted from the resulting object.
- admission_whitelist_patterns (list[obj]): A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules. When null, the admission_whitelist_patterns sub block will be omitted from the resulting object. When setting the sub block, it is recommended to construct the object using the google.binary_authorization_policy.admission_whitelist_patterns.new constructor.
- cluster_admission_rules (list[obj]): Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1'). When null, the cluster_admission_rules sub block will be omitted from the resulting object. When setting the sub block, it is recommended to construct the object using the google.binary_authorization_policy.cluster_admission_rules.new constructor.
- default_admission_rule (list[obj]): Default admission rule for a cluster without a per-cluster admission rule. When null, the default_admission_rule sub block will be omitted from the resulting object. When setting the sub block, it is recommended to construct the object using the google.binary_authorization_policy.default_admission_rule.new constructor.
- timeouts (obj): Set the timeouts field on the resulting object. When null, the timeouts sub block will be omitted from the resulting object. When setting the sub block, it is recommended to construct the object using the google.binary_authorization_policy.timeouts.new constructor.
Returns:
- An attribute object that can be used with tf.withResource to construct a new binary_authorization_policy resource into the root Terraform configuration.
withAdmissionWhitelistPatterns()

google.binary_authorization_policy.withAdmissionWhitelistPatterns constructs a mixin object that can be merged into the binary_authorization_policy Terraform resource block to set or update the admission_whitelist_patterns field.

This function will replace the array with the passed in value. If you wish to instead append the passed in value to the existing array, use the google.binary_authorization_policy.withAdmissionWhitelistPatternsMixin function.

Args:
- resourceLabel (string): The name label of the block to update.
- value (list[obj]): The value to set for the admission_whitelist_patterns field.
withAdmissionWhitelistPatternsMixin()

google.binary_authorization_policy.withAdmissionWhitelistPatternsMixin constructs a mixin object that can be merged into the binary_authorization_policy Terraform resource block to set or update the admission_whitelist_patterns field.

This function will append the passed in array or object to the existing array. If you wish to instead replace the array with the passed in value, use the google.binary_authorization_policy.withAdmissionWhitelistPatterns function.

Args:
- resourceLabel (string): The name label of the block to update.
- value (list[obj]): The value to set for the admission_whitelist_patterns field.
withClusterAdmissionRules()

google.binary_authorization_policy.withClusterAdmissionRules constructs a mixin object that can be merged into the binary_authorization_policy Terraform resource block to set or update the cluster_admission_rules field.

This function will replace the array with the passed in value. If you wish to instead append the passed in value to the existing array, use the google.binary_authorization_policy.withClusterAdmissionRulesMixin function.

Args:
- resourceLabel (string): The name label of the block to update.
- value (list[obj]): The value to set for the cluster_admission_rules field.
withClusterAdmissionRulesMixin()

google.binary_authorization_policy.withClusterAdmissionRulesMixin constructs a mixin object that can be merged into the binary_authorization_policy Terraform resource block to set or update the cluster_admission_rules field.

This function will append the passed in array or object to the existing array. If you wish to instead replace the array with the passed in value, use the google.binary_authorization_policy.withClusterAdmissionRules function.

Args:
- resourceLabel (string): The name label of the block to update.
- value (list[obj]): The value to set for the cluster_admission_rules field.
withDefaultAdmissionRule()

google.binary_authorization_policy.withDefaultAdmissionRule constructs a mixin object that can be merged into the binary_authorization_policy Terraform resource block to set or update the default_admission_rule field.

This function will replace the array with the passed in value. If you wish to instead append the passed in value to the existing array, use the google.binary_authorization_policy.withDefaultAdmissionRuleMixin function.

Args:
- resourceLabel (string): The name label of the block to update.
- value (list[obj]): The value to set for the default_admission_rule field.
withDefaultAdmissionRuleMixin()

google.binary_authorization_policy.withDefaultAdmissionRuleMixin constructs a mixin object that can be merged into the binary_authorization_policy Terraform resource block to set or update the default_admission_rule field.

This function will append the passed in array or object to the existing array. If you wish to instead replace the array with the passed in value, use the google.binary_authorization_policy.withDefaultAdmissionRule function.

Args:
- resourceLabel (string): The name label of the block to update.
- value (list[obj]): The value to set for the default_admission_rule field.
withDescription()

google.binary_authorization_policy.withDescription constructs a mixin object that can be merged into the binary_authorization_policy Terraform resource block to set or update the description field.

Args:
- resourceLabel (string): The name label of the block to update.
- value (string): The value to set for the description field.
withGlobalPolicyEvaluationMode()

google.binary_authorization_policy.withGlobalPolicyEvaluationMode constructs a mixin object that can be merged into the binary_authorization_policy Terraform resource block to set or update the global_policy_evaluation_mode field.

Args:
- resourceLabel (string): The name label of the block to update.
- value (string): The value to set for the global_policy_evaluation_mode field.
withProject()

google.binary_authorization_policy.withProject constructs a mixin object that can be merged into the binary_authorization_policy Terraform resource block to set or update the project field.

Args:
- resourceLabel (string): The name label of the block to update.
- value (string): The value to set for the project field.
withTimeouts()

google.binary_authorization_policy.withTimeouts constructs a mixin object that can be merged into the binary_authorization_policy Terraform resource block to set or update the timeouts field.

This function will replace the map with the passed in value. If you wish to instead merge the passed in value into the existing map, use the google.binary_authorization_policy.withTimeoutsMixin function.

Args:
- resourceLabel (string): The name label of the block to update.
- value (obj): The value to set for the timeouts field.
withTimeoutsMixin()

google.binary_authorization_policy.withTimeoutsMixin constructs a mixin object that can be merged into the binary_authorization_policy Terraform resource block to set or update the timeouts field.

This function will merge the passed in value into the existing map. If you wish to instead replace the entire map with the passed in value, use the google.binary_authorization_policy.withTimeouts function.

Args:
- resourceLabel (string): The name label of the block to update.
- value (obj): The value to set for the timeouts field.
obj admission_whitelist_patterns

new()

google.binary_authorization_policy.admission_whitelist_patterns.new constructs a new object with attributes and blocks configured for the admission_whitelist_patterns Terraform sub block.

Args:
- name_pattern (string): An image name pattern to whitelist, in the form 'registry/path/to/image'. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

Returns:
- An attribute object that represents the admission_whitelist_patterns sub block.
obj cluster_admission_rules

new()

google.binary_authorization_policy.cluster_admission_rules.new constructs a new object with attributes and blocks configured for the cluster_admission_rules Terraform sub block.

Args:
- cluster (string): Set the cluster field on the resulting object.
- enforcement_mode (string): The action when a pod creation is denied by the admission rule. Possible values: ["ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY"]
- evaluation_mode (string): How this admission rule will be evaluated. Possible values: ["ALWAYS_ALLOW", "REQUIRE_ATTESTATION", "ALWAYS_DENY"]
- require_attestations_by (list): The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format 'projects//attestors/'. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty. When null, the require_attestations_by field will be omitted from the resulting object.

Returns:
- An attribute object that represents the cluster_admission_rules sub block.
obj default_admission_rule

new()

google.binary_authorization_policy.default_admission_rule.new constructs a new object with attributes and blocks configured for the default_admission_rule Terraform sub block.

Args:
- enforcement_mode (string): The action when a pod creation is denied by the admission rule. Possible values: ["ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY"]
- evaluation_mode (string): How this admission rule will be evaluated. Possible values: ["ALWAYS_ALLOW", "REQUIRE_ATTESTATION", "ALWAYS_DENY"]
- require_attestations_by (list): The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format 'projects//attestors/'. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty. When null, the require_attestations_by field will be omitted from the resulting object.

Returns:
- An attribute object that represents the default_admission_rule sub block.
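Putting the new() constructor together with the admission_whitelist_patterns, cluster_admission_rules and default_admission_rule sub-block constructors documented above, here is an added example (not part of this library's own documentation) of a deny-by-default policy: every image must carry an attestation and is blocked otherwise, a single registry path is whitelisted, and one staging cluster runs the same rule in dry-run mode. The two import paths and tf.withOutput are assumptions about the tf-libsonnet layout; the project id, registry path, attestor name and cluster identifier are constructed placeholders.

```jsonnet
// Added example, not the library's own docs; import paths assumed, all ids/names constructed.
local tf = import 'github.com/tf-libsonnet/core/main.libsonnet';
local google = import 'github.com/tf-libsonnet/hashicorp-google/main.libsonnet';

local policy = google.binary_authorization_policy;
// Attestor resource name (constructed); it must exist before the policy references it.
local buildAttestor = 'projects/example-project/attestors/build-signer';

local root = policy.new(
  'prod_policy',
  description='Only images attested by the build pipeline may be admitted',
  project='example-project',
  // ENABLE keeps Google's global policy for common system-level images, so
  // the REQUIRE_ATTESTATION default below does not block them.
  global_policy_evaluation_mode='ENABLE',
  // Narrow whitelist: trailing * is allowed only after the registry/ part.
  admission_whitelist_patterns=[
    policy.admission_whitelist_patterns.new(
      name_pattern='us-docker.pkg.dev/example-project/base-images/*',
    ),
  ],
  // Default: images without a per-cluster rule need an attestation, else
  // blocked and audit-logged. require_attestations_by must be non-empty here.
  default_admission_rule=[
    policy.default_admission_rule.new(
      evaluation_mode='REQUIRE_ATTESTATION',
      enforcement_mode='ENFORCED_BLOCK_AND_AUDIT_LOG',
      require_attestations_by=[buildAttestor],
    ),
  ],
  // Staging cluster ('{{location}}.{{clusterId}}'): same requirement, but
  // audit-log only while the attestation pipeline is rolled out.
  cluster_admission_rules=[
    policy.cluster_admission_rules.new(
      cluster='us-central1.staging-cluster',
      evaluation_mode='REQUIRE_ATTESTATION',
      enforcement_mode='DRYRUN_AUDIT_LOG_ONLY',
      require_attestations_by=[buildAttestor],
    ),
  ],
);

// Per the NOTE on new(), use the explicit local rather than $ when chaining
// merges. tf.withOutput is assumed to exist in the tf-libsonnet core library.
root + tf.withOutput(
  'binauthz_policy_id',
  root._ref.google_binary_authorization_policy.prod_policy.get('id'),
)
```

The DRYRUN_AUDIT_LOG_ONLY rule on the staging cluster lets you confirm from the audit logs that every deployed image is attested before switching that cluster to ENFORCED_BLOCK_AND_AUDIT_LOG.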
obj timeouts

new()

google.binary_authorization_policy.timeouts.new constructs a new object with attributes and blocks configured for the timeouts Terraform sub block.

Args:
- create (string): Set the create field on the resulting object. When null, the create field will be omitted from the resulting object.
- delete (string): Set the delete field on the resulting object. When null, the delete field will be omitted from the resulting object.
- update (string): Set the update field on the resulting object. When null, the update field will be omitted from the resulting object.

Returns:
- An attribute object that represents the timeouts sub block.