zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cloud-foundation-fabric/modules/binauthz/README.md

4.1 KiB
Raw Permalink Blame History

Google Cloud Artifact Registry Module

This module simplifies the creation of a Binary Authorization policy, attestors and attestor IAM bindings.

Example

Binary Authorization

module "binauthz" {
  source                        = "./fabric/modules/binauthz"
  project_id                    = "my_project"
  global_policy_evaluation_mode = "DISABLE"
  default_admission_rule = {
    evaluation_mode  = "ALWAYS_DENY"
    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    attestors        = null
  }
  cluster_admission_rules = {
    "europe-west1-c.cluster" = {
      evaluation_mode  = "REQUIRE_ATTESTATION"
      enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
      attestors        = ["test"]
    }
  }
  attestors_config = {
    "test" : {
      note_reference = null
      pgp_public_keys = [
        <<EOT
            mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl
            bB7Iu2ezkECNzoEeU7WxUe8a61pMCh9cisS9H5mB2K2uM4Jnf8tgFeXn3akJDVo0
            oR1IC+Dp9mXbRSK3MAvKkOwWlG99sx3uEdvmeBRHBOO+grchLx24EThXFOyP9Fk6
            V39j6xMjw4aggLD15B4V0v9JqBDdJiIYFzszZDL6pJwZrzcP0z8JO4rTZd+f64bD
            Mpj52j/pQfA8lZHOaAgb1OrthLdMrBAjoDjArV4Ek7vSbrcgYWcI6BhsQrFoxKdX
            83TZKai55ZCfCLIskwUIzA1NLVwyzCS+fSN/ABEBAAG0KCJUZXN0IEF0dGVzdG9y
            IiA8ZGFuYWhvZmZtYW5AZ29vZ2xlLmNvbT6JAU4EEwEIADgWIQRfWkqHt6hpTA1L
            uY060eeM4dc66AUCW0/R2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA6
            0eeM4dc66HdpCAC4ot3b0OyxPb0Ip+WT2U0PbpTBPJklesuwpIrM4Lh0N+1nVRLC
            51WSmVbM8BiAFhLbN9LpdHhds1kUrHF7+wWAjdR8sqAj9otc6HGRM/3qfa2qgh+U
            WTEk/3us/rYSi7T7TkMuutRMIa1IkR13uKiW56csEMnbOQpn9rDqwIr5R8nlZP5h
            MAU9vdm1DIv567meMqTaVZgR3w7bck2P49AO8lO5ERFpVkErtu/98y+rUy9d789l
            +OPuS1NGnxI1YKsNaWJF4uJVuvQuZ1twrhCbGNtVorO2U12+cEq+YtUxj7kmdOC1
            qoIRW6y0+UlAc+MbqfL0ziHDOAmcqz1GnROg
            =6Bvm
            EOT
      ]
      pkix_public_keys = null
      iam = {
        "roles/viewer" = ["user:user1@my_org.com"]
      }
    }
  }
}
# tftest modules=1 resources=4

Variables

name description type required default
project_id Project ID. string
admission_whitelist_patterns An image name pattern to allowlist. list(string) null
attestors_config Attestors configuration. map(object({…})) null
cluster_admission_rules Admission rules. map(object({…})) null
default_admission_rule Default admission rule. object({…}) {…}
global_policy_evaluation_mode Global policy evaluation mode. string null

Outputs

name description sensitive
attestors Attestors.
id Fully qualified Binary Authorization policy ID.
notes Notes.