Binary Authorization: globalPolicyEvaluationMode (#4124)

Signed-off-by: Modular Magician <[email protected]>
hashicorp · Aug 6, 2019 · cdcb66f · cdcb66f
1 parent d768791
commit cdcb66f
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 0 deletions.
diff --git a/google/resource_binary_authorization_policy.go b/google/resource_binary_authorization_policy.go
@@ -158,6 +158,12 @@ func resourceBinaryAuthorizationPolicy() *schema.Resource {
 				Type:     schema.TypeString,
 				Optional: true,
 			},
+			"global_policy_evaluation_mode": {
+				Type:         schema.TypeString,
+				Computed:     true,
+				Optional:     true,
+				ValidateFunc: validation.StringInSlice([]string{"ENABLE", "DISABLE", ""}, false),
+			},
 			"project": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -178,6 +184,12 @@ func resourceBinaryAuthorizationPolicyCreate(d *schema.ResourceData, meta interf
 	} else if v, ok := d.GetOkExists("description"); !isEmptyValue(reflect.ValueOf(descriptionProp)) && (ok || !reflect.DeepEqual(v, descriptionProp)) {
 		obj["description"] = descriptionProp
 	}
+	globalPolicyEvaluationModeProp, err := expandBinaryAuthorizationPolicyGlobalPolicyEvaluationMode(d.Get("global_policy_evaluation_mode"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("global_policy_evaluation_mode"); !isEmptyValue(reflect.ValueOf(globalPolicyEvaluationModeProp)) && (ok || !reflect.DeepEqual(v, globalPolicyEvaluationModeProp)) {
+		obj["globalPolicyEvaluationMode"] = globalPolicyEvaluationModeProp
+	}
 	admissionWhitelistPatternsProp, err := expandBinaryAuthorizationPolicyAdmissionWhitelistPatterns(d.Get("admission_whitelist_patterns"), d, config)
 	if err != nil {
 		return err
@@ -244,6 +256,9 @@ func resourceBinaryAuthorizationPolicyRead(d *schema.ResourceData, meta interfac
 	if err := d.Set("description", flattenBinaryAuthorizationPolicyDescription(res["description"], d)); err != nil {
 		return fmt.Errorf("Error reading Policy: %s", err)
 	}
+	if err := d.Set("global_policy_evaluation_mode", flattenBinaryAuthorizationPolicyGlobalPolicyEvaluationMode(res["globalPolicyEvaluationMode"], d)); err != nil {
+		return fmt.Errorf("Error reading Policy: %s", err)
+	}
 	if err := d.Set("admission_whitelist_patterns", flattenBinaryAuthorizationPolicyAdmissionWhitelistPatterns(res["admissionWhitelistPatterns"], d)); err != nil {
 		return fmt.Errorf("Error reading Policy: %s", err)
 	}
@@ -267,6 +282,12 @@ func resourceBinaryAuthorizationPolicyUpdate(d *schema.ResourceData, meta interf
 	} else if v, ok := d.GetOkExists("description"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, descriptionProp)) {
 		obj["description"] = descriptionProp
 	}
+	globalPolicyEvaluationModeProp, err := expandBinaryAuthorizationPolicyGlobalPolicyEvaluationMode(d.Get("global_policy_evaluation_mode"), d, config)
+	if err != nil {
+		return err
+	} else if v, ok := d.GetOkExists("global_policy_evaluation_mode"); !isEmptyValue(reflect.ValueOf(v)) && (ok || !reflect.DeepEqual(v, globalPolicyEvaluationModeProp)) {
+		obj["globalPolicyEvaluationMode"] = globalPolicyEvaluationModeProp
+	}
 	admissionWhitelistPatternsProp, err := expandBinaryAuthorizationPolicyAdmissionWhitelistPatterns(d.Get("admission_whitelist_patterns"), d, config)
 	if err != nil {
 		return err
@@ -344,6 +365,10 @@ func flattenBinaryAuthorizationPolicyDescription(v interface{}, d *schema.Resour
 	return v
 }
 
+func flattenBinaryAuthorizationPolicyGlobalPolicyEvaluationMode(v interface{}, d *schema.ResourceData) interface{} {
+	return v
+}
+
 func flattenBinaryAuthorizationPolicyAdmissionWhitelistPatterns(v interface{}, d *schema.ResourceData) interface{} {
 	if v == nil {
 		return v
@@ -434,6 +459,10 @@ func expandBinaryAuthorizationPolicyDescription(v interface{}, d TerraformResour
 	return v, nil
 }
 
+func expandBinaryAuthorizationPolicyGlobalPolicyEvaluationMode(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
+	return v, nil
+}
+
 func expandBinaryAuthorizationPolicyAdmissionWhitelistPatterns(v interface{}, d TerraformResourceData, config *Config) (interface{}, error) {
 	l := v.([]interface{})
 	req := make([]interface{}, 0, len(l))

diff --git a/website/docs/r/binary_authorization_policy.html.markdown b/website/docs/r/binary_authorization_policy.html.markdown
@@ -61,6 +61,38 @@ resource "google_container_analysis_note" "note" {
   }
 }
 
+resource "google_binary_authorization_attestor" "attestor" {
+  name = "test-attestor"
+  attestation_authority_note {
+    note_reference = "${google_container_analysis_note.note.name}"
+  }
+}
+```
+## Example Usage - Binary Authorization Policy Global Evaluation
+
+
+```hcl
+resource "google_binary_authorization_policy" "policy" {
+
+  default_admission_rule {
+    evaluation_mode = "REQUIRE_ATTESTATION"
+    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
+    require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
+  }
+
+  global_policy_evaluation_mode = "ENABLE"
+
+}
+
+resource "google_container_analysis_note" "note" {
+  name = "test-attestor-note"
+  attestation_authority {
+    hint {
+      human_readable_name = "My attestor"
+    }
+  }
+}
+
 resource "google_binary_authorization_attestor" "attestor" {
   name = "test-attestor"
   attestation_authority_note {
@@ -108,6 +140,12 @@ The `default_admission_rule` block supports:
   (Optional)
   A descriptive comment.
 
+* `global_policy_evaluation_mode` -
+  (Optional)
+  Controls the evaluation of a Google-maintained global admission policy
+  for common system-level images. Images not covered by the global
+  policy will be subject to the project admission policy.
+
 * `admission_whitelist_patterns` -
   (Optional)
   A whitelist of image patterns to exclude from admission rules. If an