# Google Cloud Binary Authorization Module
This module simplifies the creation of a Binary Authorization policy, attestors and attestor IAM bindings.
## Example
### Binary Authorization
```hcl
# Example policy: deny every image by default, require an attestation from the
# "test" attestor on one cluster, and create that attestor with an inline PGP
# public key plus an IAM binding.
module "binauthz" {
  source     = "./fabric/modules/binauthz"
  project_id = "my_project"

  # NOTE(review): "DISABLE" switches off evaluation of Google's global policy,
  # so the rules below decide every deployment on their own; confirm this is
  # the intended treatment of system images before copying the example.
  global_policy_evaluation_mode = "DISABLE"

  # Fail closed: anything not matched by a cluster-specific rule is denied,
  # and the denial is both enforced and written to the audit log.
  default_admission_rule = {
    evaluation_mode  = "ALWAYS_DENY"
    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    attestors        = null
  }

  # Per-cluster rules; the key appears to be "<location>.<cluster name>".
  cluster_admission_rules = {
    "europe-west1-c.cluster" = {
      # Only images carrying a valid attestation from "test" are admitted;
      # violations are blocked and audit-logged rather than merely logged.
      evaluation_mode  = "REQUIRE_ATTESTATION"
      enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
      # Attestor name; it matches the attestors_config key below.
      attestors        = [ "test" ]
    }
  }

  attestors_config = {
    "test": {
      # null here presumably lets the module create the note itself
      # (see the "notes" output) -- verify against the module source.
      note_reference = null
      # Public-key material only; the matching private signing key never
      # belongs in the configuration.
      pgp_public_keys = [
        <<EOT
mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl
bB7Iu2ezkECNzoEeU7WxUe8a61pMCh9cisS9H5mB2K2uM4Jnf8tgFeXn3akJDVo0
oR1IC+Dp9mXbRSK3MAvKkOwWlG99sx3uEdvmeBRHBOO+grchLx24EThXFOyP9Fk6
V39j6xMjw4aggLD15B4V0v9JqBDdJiIYFzszZDL6pJwZrzcP0z8JO4rTZd+f64bD
Mpj52j/pQfA8lZHOaAgb1OrthLdMrBAjoDjArV4Ek7vSbrcgYWcI6BhsQrFoxKdX
83TZKai55ZCfCLIskwUIzA1NLVwyzCS+fSN/ABEBAAG0KCJUZXN0IEF0dGVzdG9y
IiA8ZGFuYWhvZmZtYW5AZ29vZ2xlLmNvbT6JAU4EEwEIADgWIQRfWkqHt6hpTA1L
uY060eeM4dc66AUCW0/R2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA6
0eeM4dc66HdpCAC4ot3b0OyxPb0Ip+WT2U0PbpTBPJklesuwpIrM4Lh0N+1nVRLC
51WSmVbM8BiAFhLbN9LpdHhds1kUrHF7+wWAjdR8sqAj9otc6HGRM/3qfa2qgh+U
WTEk/3us/rYSi7T7TkMuutRMIa1IkR13uKiW56csEMnbOQpn9rDqwIr5R8nlZP5h
MAU9vdm1DIv567meMqTaVZgR3w7bck2P49AO8lO5ERFpVkErtu/98y+rUy9d789l
+OPuS1NGnxI1YKsNaWJF4uJVuvQuZ1twrhCbGNtVorO2U12+cEq+YtUxj7kmdOC1
qoIRW6y0+UlAc+MbqfL0ziHDOAmcqz1GnROg
=6Bvm
EOT
      ]
      # PKIX keys are the alternative to PGP; unused in this example.
      pkix_public_keys = null
      # IAM bindings on the attestor, role => members.
      # NOTE(review): roles/viewer is a broad basic role; a narrower
      # Binary Authorization-specific role is usually preferable -- confirm
      # against the project's IAM conventions.
      iam = {
        "roles/viewer" = ["user:user1@my_org.com"]
      }
    }
  }
}
# tftest modules=1 resources=4
```
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [project_id](variables.tf#L17) | Project ID. | <code>string</code> | ✓ | |
| [admission_whitelist_patterns](variables.tf#L28) | Image name patterns to allowlist. | <code>list(string)</code> | | <code>null</code> |
| [attestors_config](variables.tf#L58) | Attestors configuration. | <code title="map(object({ note_reference = string iam = map(list(string)) pgp_public_keys = list(string) pkix_public_keys = list(object({ id = string public_key_pem = string signature_algorithm = string })) }))">map(object({…}))</code> | | <code>null</code> |
| [cluster_admission_rules](variables.tf#L48) | Admission rules | <code title="map(object({ evaluation_mode = string enforcement_mode = string attestors = list(string) }))">map(object({…}))</code> | | <code>null</code> |
| [default_admission_rule](variables.tf#L34) | Default admission rule | <code title="object({ evaluation_mode = string enforcement_mode = string attestors = list(string) })">object({…})</code> | | <code title="{ evaluation_mode = "ALWAYS_ALLOW" enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG" attestors = null }">{…}</code> |
| [global_policy_evaluation_mode](variables.tf#L22) | Global policy evaluation mode. | <code>string</code> | | <code>null</code> |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| [attestors](outputs.tf#L22) | Attestors. | |
| [id](outputs.tf#L17) | Binary Authorization policy ID. | |
| [notes](outputs.tf#L30) | Notes. | |
<!-- END TFDOC -->