binaryauthorization

package
v8.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Oct 8, 2024 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Attestor

// Attestor is the Pulumi resource for a Binary Authorization attestor, which
// attests to container image artifacts. Its fields are the resource's outputs.
type Attestor struct {
	pulumi.CustomResourceState

	// A Container Analysis ATTESTATION_AUTHORITY Note, created by the user.
	// Structure is documented below (see AttestorAttestationAuthorityNote);
	// it carries the note reference and the public keys used for verification.
	AttestationAuthorityNote AttestorAttestationAuthorityNoteOutput `pulumi:"attestationAuthorityNote"`
	// A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.
	Description pulumi.StringPtrOutput `pulumi:"description"`
	// The resource name.
	Name    pulumi.StringOutput `pulumi:"name"`
	Project pulumi.StringOutput `pulumi:"project"` // NOTE(review): undocumented here; presumably the project that owns the attestor — confirm.
}

An attestor that attests to container image artifacts.

To get more information about Attestor, see:

* [API documentation](https://cloud.google.com/binary-authorization/docs/reference/rest/)
* How-to Guides

## Example Usage

### Binary Authorization Attestor Basic

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/containeranalysis"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main declares a Container Analysis note and a Binary Authorization attestor
// that references the note and carries one PGP public key.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		noteArgs := &containeranalysis.NoteArgs{
			Name: pulumi.String("test-attestor-note"),
			AttestationAuthority: &containeranalysis.NoteAttestationAuthorityArgs{
				Hint: &containeranalysis.NoteAttestationAuthorityHintArgs{
					HumanReadableName: pulumi.String("Attestor Note"),
				},
			},
		}
		note, err := containeranalysis.NewNote(ctx, "note", noteArgs)
		if err != nil {
			return err
		}

		// The keys listed on the attestor are what attestations are verified
		// against, so this literal is the attestor's trust anchor.
		// NOTE(review): the field documentation asks for the entire output of
		// `gpg --export --armor`; the text below looks line-folded (spaces
		// where line breaks would be), so check it against a real export
		// before reusing it.
		pgpKey := &binaryauthorization.AttestorAttestationAuthorityNotePublicKeyArgs{
			AsciiArmoredPgpPublicKey: pulumi.String(`mQENBFtP0doBCADF+joTiXWKVuP8kJt3fgpBSjT9h8ezMfKA4aXZctYLx5wslWQl

bB7Iu2ezkECNzoEeU7WxUe8a61pMCh9cisS9H5mB2K2uM4Jnf8tgFeXn3akJDVo0 oR1IC+Dp9mXbRSK3MAvKkOwWlG99sx3uEdvmeBRHBOO+grchLx24EThXFOyP9Fk6 V39j6xMjw4aggLD15B4V0v9JqBDdJiIYFzszZDL6pJwZrzcP0z8JO4rTZd+f64bD Mpj52j/pQfA8lZHOaAgb1OrthLdMrBAjoDjArV4Ek7vSbrcgYWcI6BhsQrFoxKdX 83TZKai55ZCfCLIskwUIzA1NLVwyzCS+fSN/ABEBAAG0KCJUZXN0IEF0dGVzdG9y IiA8ZGFuYWhvZmZtYW5AZ29vZ2xlLmNvbT6JAU4EEwEIADgWIQRfWkqHt6hpTA1L uY060eeM4dc66AUCW0/R2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA6 0eeM4dc66HdpCAC4ot3b0OyxPb0Ip+WT2U0PbpTBPJklesuwpIrM4Lh0N+1nVRLC 51WSmVbM8BiAFhLbN9LpdHhds1kUrHF7+wWAjdR8sqAj9otc6HGRM/3qfa2qgh+U WTEk/3us/rYSi7T7TkMuutRMIa1IkR13uKiW56csEMnbOQpn9rDqwIr5R8nlZP5h MAU9vdm1DIv567meMqTaVZgR3w7bck2P49AO8lO5ERFpVkErtu/98y+rUy9d789l +OPuS1NGnxI1YKsNaWJF4uJVuvQuZ1twrhCbGNtVorO2U12+cEq+YtUxj7kmdOC1 qoIRW6y0+UlAc+MbqfL0ziHDOAmcqz1GnROg =6Bvm `),
		}

		attestorArgs := &binaryauthorization.AttestorArgs{
			Name: pulumi.String("test-attestor"),
			AttestationAuthorityNote: &binaryauthorization.AttestorAttestationAuthorityNoteArgs{
				// Tie the attestor to the note created above.
				NoteReference: note.Name,
				PublicKeys: binaryauthorization.AttestorAttestationAuthorityNotePublicKeyArray{
					pgpKey,
				},
			},
		}
		_, err = binaryauthorization.NewAttestor(ctx, "attestor", attestorArgs)
		return err
	})
}

```

### Binary Authorization Attestor Kms

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/containeranalysis"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

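// main provisions a Binary Authorization attestor whose verification key is
// the public half of a Cloud KMS asymmetric signing key: it creates a key
// ring and key, reads the key's version, creates a Container Analysis note,
// and registers the attestor against that note.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		keyring, err := kms.NewKeyRing(ctx, "keyring", &kms.KeyRingArgs{
			Name:     pulumi.String("test-attestor-key-ring"),
			Location: pulumi.String("global"),
		})
		if err != nil {
			return err
		}
		// Bind the key resource to a variable: its ID feeds the key-version
		// lookup below. Discarding the result would leave that lookup with
		// no identifier to reference.
		cryptoKey, err := kms.NewCryptoKey(ctx, "crypto-key", &kms.CryptoKeyArgs{
			Name:    pulumi.String("test-attestor-key"),
			KeyRing: keyring.ID(),
			Purpose: pulumi.String("ASYMMETRIC_SIGN"),
			VersionTemplate: &kms.CryptoKeyVersionTemplateArgs{
				Algorithm: pulumi.String("RSA_SIGN_PKCS1_4096_SHA512"),
			},
		})
		if err != nil {
			return err
		}
		version := kms.GetKMSCryptoKeyVersionOutput(ctx, kms.GetKMSCryptoKeyVersionOutputArgs{
			CryptoKey: cryptoKey.ID(),
		}, nil)
		note, err := containeranalysis.NewNote(ctx, "note", &containeranalysis.NoteArgs{
			Name: pulumi.String("test-attestor-note"),
			AttestationAuthority: &containeranalysis.NoteAttestationAuthorityArgs{
				Hint: &containeranalysis.NoteAttestationAuthorityHintArgs{
					HumanReadableName: pulumi.String("Attestor Note"),
				},
			},
		})
		if err != nil {
			return err
		}
		_, err = binaryauthorization.NewAttestor(ctx, "attestor", &binaryauthorization.AttestorArgs{
			Name: pulumi.String("test-attestor"),
			AttestationAuthorityNote: &binaryauthorization.AttestorAttestationAuthorityNoteArgs{
				NoteReference: note.Name,
				PublicKeys: binaryauthorization.AttestorAttestationAuthorityNotePublicKeyArray{
					&binaryauthorization.AttestorAttestationAuthorityNotePublicKeyArgs{
						// The field documentation requires a PKIX key's id to be
						// a valid RFC3986 URI.
						// NOTE(review): confirm the key version's Id has that form.
						Id: version.ApplyT(func(version kms.GetKMSCryptoKeyVersionResult) (*string, error) {
							return &version.Id, nil
						}).(pulumi.StringPtrOutput),
						// Only public material read from the key version (PEM and
						// algorithm) is handed to the attestor.
						// NOTE(review): PublicKeys[0] assumes the lookup returned at
						// least one public key; an empty list would panic here.
						PkixPublicKey: &binaryauthorization.AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs{
							PublicKeyPem: version.ApplyT(func(version kms.GetKMSCryptoKeyVersionResult) (*string, error) {
								return &version.PublicKeys[0].Pem, nil
							}).(pulumi.StringPtrOutput),
							// Taken from the same key version so that the declared
							// algorithm matches the key, as the field documentation requires.
							SignatureAlgorithm: version.ApplyT(func(version kms.GetKMSCryptoKeyVersionResult) (*string, error) {
								return &version.PublicKeys[0].Algorithm, nil
							}).(pulumi.StringPtrOutput),
						},
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}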

```

## Import

Attestor can be imported using any of these accepted formats:

* `projects/{{project}}/attestors/{{name}}`

* `{{project}}/{{name}}`

* `{{name}}`

When using the `pulumi import` command, Attestor can be imported using one of the formats above. For example:

```sh
$ pulumi import gcp:binaryauthorization/attestor:Attestor default projects/{{project}}/attestors/{{name}}
```

```sh
$ pulumi import gcp:binaryauthorization/attestor:Attestor default {{project}}/{{name}}
```

```sh
$ pulumi import gcp:binaryauthorization/attestor:Attestor default {{name}}
```

func GetAttestor

func GetAttestor(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AttestorState, opts ...pulumi.ResourceOption) (*Attestor, error)

GetAttestor gets an existing Attestor resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAttestor

func NewAttestor(ctx *pulumi.Context,
	name string, args *AttestorArgs, opts ...pulumi.ResourceOption) (*Attestor, error)

NewAttestor registers a new resource with the given unique name, arguments, and options.

func (*Attestor) ElementType

func (*Attestor) ElementType() reflect.Type

func (*Attestor) ToAttestorOutput

func (i *Attestor) ToAttestorOutput() AttestorOutput

func (*Attestor) ToAttestorOutputWithContext

func (i *Attestor) ToAttestorOutputWithContext(ctx context.Context) AttestorOutput

type AttestorArgs

// AttestorArgs is the set of arguments for constructing an Attestor resource.
type AttestorArgs struct {
	// A Container Analysis ATTESTATION_AUTHORITY Note, created by the user.
	// Structure is documented below (see AttestorAttestationAuthorityNoteArgs);
	// it carries the note reference and the public keys used for verification.
	AttestationAuthorityNote AttestorAttestationAuthorityNoteInput
	// A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.
	Description pulumi.StringPtrInput
	// The resource name.
	Name    pulumi.StringPtrInput
	Project pulumi.StringPtrInput // NOTE(review): undocumented here; presumably the project that owns the attestor — confirm.
}

The set of arguments for constructing an Attestor resource.

func (AttestorArgs) ElementType

func (AttestorArgs) ElementType() reflect.Type

type AttestorArray

type AttestorArray []AttestorInput

func (AttestorArray) ElementType

func (AttestorArray) ElementType() reflect.Type

func (AttestorArray) ToAttestorArrayOutput

func (i AttestorArray) ToAttestorArrayOutput() AttestorArrayOutput

func (AttestorArray) ToAttestorArrayOutputWithContext

func (i AttestorArray) ToAttestorArrayOutputWithContext(ctx context.Context) AttestorArrayOutput

type AttestorArrayInput

type AttestorArrayInput interface {
	pulumi.Input

	ToAttestorArrayOutput() AttestorArrayOutput
	ToAttestorArrayOutputWithContext(context.Context) AttestorArrayOutput
}

AttestorArrayInput is an input type that accepts AttestorArray and AttestorArrayOutput values. You can construct a concrete instance of `AttestorArrayInput` via:

AttestorArray{ AttestorArgs{...} }

type AttestorArrayOutput

type AttestorArrayOutput struct{ *pulumi.OutputState }

func (AttestorArrayOutput) ElementType

func (AttestorArrayOutput) ElementType() reflect.Type

func (AttestorArrayOutput) Index

func (AttestorArrayOutput) ToAttestorArrayOutput

func (o AttestorArrayOutput) ToAttestorArrayOutput() AttestorArrayOutput

func (AttestorArrayOutput) ToAttestorArrayOutputWithContext

func (o AttestorArrayOutput) ToAttestorArrayOutputWithContext(ctx context.Context) AttestorArrayOutput

type AttestorAttestationAuthorityNote

// AttestorAttestationAuthorityNote links an attestor to its Container Analysis
// note and lists the public keys that verify the attestor's attestations.
type AttestorAttestationAuthorityNote struct {
	// (Output)
	// This field will contain the service account email address that
	// this Attestor will use as the principal when querying Container
	// Analysis. Attestor administrators must grant this service account
	// the IAM role needed to read attestations from the noteReference in
	// Container Analysis (containeranalysis.notes.occurrences.viewer).
	// This email address is fixed for the lifetime of the Attestor, but
	// callers should not make any other assumptions about the service
	// account email; future versions may use an email based on a
	// different naming pattern.
	DelegationServiceAccountEmail *string `pulumi:"delegationServiceAccountEmail"`
	// The resource name of an ATTESTATION_AUTHORITY Note, created by the
	// user. If the Note is in a different project from the Attestor, it
	// should be specified in the format `projects/*/notes/*` (or the legacy
	// `providers/*/notes/*`). This field may not be updated.
	// An attestation by this attestor is stored as a Container Analysis
	// ATTESTATION_AUTHORITY Occurrence that names a container image
	// and that links to this Note.
	NoteReference string `pulumi:"noteReference"`
	// Public keys that verify attestations signed by this attestor. This
	// field may be updated.
	// If this field is non-empty, one of the specified public keys must
	// verify that an attestation was signed by this attestor for the
	// image specified in the admission request. Any single listed key is
	// enough, so every key in this list is trusted equally.
	// If this field is empty, this attestor always returns that no valid
	// attestations exist.
	// Structure is documented below.
	PublicKeys []AttestorAttestationAuthorityNotePublicKey `pulumi:"publicKeys"`
}

type AttestorAttestationAuthorityNoteArgs

// AttestorAttestationAuthorityNoteArgs is the input form of
// AttestorAttestationAuthorityNote: the note an attestor is tied to and the
// public keys that verify its attestations.
type AttestorAttestationAuthorityNoteArgs struct {
	// (Output)
	// This field will contain the service account email address that
	// this Attestor will use as the principal when querying Container
	// Analysis. Attestor administrators must grant this service account
	// the IAM role needed to read attestations from the noteReference in
	// Container Analysis (containeranalysis.notes.occurrences.viewer).
	// This email address is fixed for the lifetime of the Attestor, but
	// callers should not make any other assumptions about the service
	// account email; future versions may use an email based on a
	// different naming pattern.
	// NOTE(review): marked (Output) although it appears on an input struct;
	// presumably populated by the service rather than supplied — confirm.
	DelegationServiceAccountEmail pulumi.StringPtrInput `pulumi:"delegationServiceAccountEmail"`
	// The resource name of an ATTESTATION_AUTHORITY Note, created by the
	// user. If the Note is in a different project from the Attestor, it
	// should be specified in the format `projects/*/notes/*` (or the legacy
	// `providers/*/notes/*`). This field may not be updated.
	// An attestation by this attestor is stored as a Container Analysis
	// ATTESTATION_AUTHORITY Occurrence that names a container image
	// and that links to this Note.
	NoteReference pulumi.StringInput `pulumi:"noteReference"`
	// Public keys that verify attestations signed by this attestor. This
	// field may be updated.
	// If this field is non-empty, one of the specified public keys must
	// verify that an attestation was signed by this attestor for the
	// image specified in the admission request. Any single listed key is
	// enough, so every key in this list is trusted equally.
	// If this field is empty, this attestor always returns that no valid
	// attestations exist.
	// Structure is documented below.
	PublicKeys AttestorAttestationAuthorityNotePublicKeyArrayInput `pulumi:"publicKeys"`
}

func (AttestorAttestationAuthorityNoteArgs) ElementType

func (AttestorAttestationAuthorityNoteArgs) ToAttestorAttestationAuthorityNoteOutput

func (i AttestorAttestationAuthorityNoteArgs) ToAttestorAttestationAuthorityNoteOutput() AttestorAttestationAuthorityNoteOutput

func (AttestorAttestationAuthorityNoteArgs) ToAttestorAttestationAuthorityNoteOutputWithContext

func (i AttestorAttestationAuthorityNoteArgs) ToAttestorAttestationAuthorityNoteOutputWithContext(ctx context.Context) AttestorAttestationAuthorityNoteOutput

func (AttestorAttestationAuthorityNoteArgs) ToAttestorAttestationAuthorityNotePtrOutput

func (i AttestorAttestationAuthorityNoteArgs) ToAttestorAttestationAuthorityNotePtrOutput() AttestorAttestationAuthorityNotePtrOutput

func (AttestorAttestationAuthorityNoteArgs) ToAttestorAttestationAuthorityNotePtrOutputWithContext

func (i AttestorAttestationAuthorityNoteArgs) ToAttestorAttestationAuthorityNotePtrOutputWithContext(ctx context.Context) AttestorAttestationAuthorityNotePtrOutput

type AttestorAttestationAuthorityNoteInput

type AttestorAttestationAuthorityNoteInput interface {
	pulumi.Input

	ToAttestorAttestationAuthorityNoteOutput() AttestorAttestationAuthorityNoteOutput
	ToAttestorAttestationAuthorityNoteOutputWithContext(context.Context) AttestorAttestationAuthorityNoteOutput
}

AttestorAttestationAuthorityNoteInput is an input type that accepts AttestorAttestationAuthorityNoteArgs and AttestorAttestationAuthorityNoteOutput values. You can construct a concrete instance of `AttestorAttestationAuthorityNoteInput` via:

AttestorAttestationAuthorityNoteArgs{...}

type AttestorAttestationAuthorityNoteOutput

type AttestorAttestationAuthorityNoteOutput struct{ *pulumi.OutputState }

func (AttestorAttestationAuthorityNoteOutput) DelegationServiceAccountEmail

func (o AttestorAttestationAuthorityNoteOutput) DelegationServiceAccountEmail() pulumi.StringPtrOutput

(Output) This field will contain the service account email address that this Attestor will use as the principal when querying Container Analysis. Attestor administrators must grant this service account the IAM role needed to read attestations from the noteReference in Container Analysis (containeranalysis.notes.occurrences.viewer). This email address is fixed for the lifetime of the Attestor, but callers should not make any other assumptions about the service account email; future versions may use an email based on a different naming pattern.

func (AttestorAttestationAuthorityNoteOutput) ElementType

func (AttestorAttestationAuthorityNoteOutput) NoteReference

The resource name of an ATTESTATION_AUTHORITY Note, created by the user. If the Note is in a different project from the Attestor, it should be specified in the format `projects/*/notes/*` (or the legacy `providers/*/notes/*`). This field may not be updated. An attestation by this attestor is stored as a Container Analysis ATTESTATION_AUTHORITY Occurrence that names a container image and that links to this Note.

func (AttestorAttestationAuthorityNoteOutput) PublicKeys

Public keys that verify attestations signed by this attestor. This field may be updated. If this field is non-empty, one of the specified public keys must verify that an attestation was signed by this attestor for the image specified in the admission request. If this field is empty, this attestor always returns that no valid attestations exist. Structure is documented below.

func (AttestorAttestationAuthorityNoteOutput) ToAttestorAttestationAuthorityNoteOutput

func (o AttestorAttestationAuthorityNoteOutput) ToAttestorAttestationAuthorityNoteOutput() AttestorAttestationAuthorityNoteOutput

func (AttestorAttestationAuthorityNoteOutput) ToAttestorAttestationAuthorityNoteOutputWithContext

func (o AttestorAttestationAuthorityNoteOutput) ToAttestorAttestationAuthorityNoteOutputWithContext(ctx context.Context) AttestorAttestationAuthorityNoteOutput

func (AttestorAttestationAuthorityNoteOutput) ToAttestorAttestationAuthorityNotePtrOutput

func (o AttestorAttestationAuthorityNoteOutput) ToAttestorAttestationAuthorityNotePtrOutput() AttestorAttestationAuthorityNotePtrOutput

func (AttestorAttestationAuthorityNoteOutput) ToAttestorAttestationAuthorityNotePtrOutputWithContext

func (o AttestorAttestationAuthorityNoteOutput) ToAttestorAttestationAuthorityNotePtrOutputWithContext(ctx context.Context) AttestorAttestationAuthorityNotePtrOutput

type AttestorAttestationAuthorityNotePtrInput

type AttestorAttestationAuthorityNotePtrInput interface {
	pulumi.Input

	ToAttestorAttestationAuthorityNotePtrOutput() AttestorAttestationAuthorityNotePtrOutput
	ToAttestorAttestationAuthorityNotePtrOutputWithContext(context.Context) AttestorAttestationAuthorityNotePtrOutput
}

AttestorAttestationAuthorityNotePtrInput is an input type that accepts AttestorAttestationAuthorityNoteArgs, AttestorAttestationAuthorityNotePtr and AttestorAttestationAuthorityNotePtrOutput values. You can construct a concrete instance of `AttestorAttestationAuthorityNotePtrInput` via:

        AttestorAttestationAuthorityNoteArgs{...}

or:

        nil

type AttestorAttestationAuthorityNotePtrOutput

type AttestorAttestationAuthorityNotePtrOutput struct{ *pulumi.OutputState }

func (AttestorAttestationAuthorityNotePtrOutput) DelegationServiceAccountEmail

func (o AttestorAttestationAuthorityNotePtrOutput) DelegationServiceAccountEmail() pulumi.StringPtrOutput

(Output) This field will contain the service account email address that this Attestor will use as the principal when querying Container Analysis. Attestor administrators must grant this service account the IAM role needed to read attestations from the noteReference in Container Analysis (containeranalysis.notes.occurrences.viewer). This email address is fixed for the lifetime of the Attestor, but callers should not make any other assumptions about the service account email; future versions may use an email based on a different naming pattern.

func (AttestorAttestationAuthorityNotePtrOutput) Elem

func (AttestorAttestationAuthorityNotePtrOutput) ElementType

func (AttestorAttestationAuthorityNotePtrOutput) NoteReference

The resource name of a ATTESTATION_AUTHORITY Note, created by the user. If the Note is in a different project from the Attestor, it should be specified in the format `projects/*/notes/*` (or the legacy `providers/*/notes/*`). This field may not be updated. An attestation by this attestor is stored as a Container Analysis ATTESTATION_AUTHORITY Occurrence that names a container image and that links to this Note.

func (AttestorAttestationAuthorityNotePtrOutput) PublicKeys

Public keys that verify attestations signed by this attestor. This field may be updated. If this field is non-empty, one of the specified public keys must verify that an attestation was signed by this attestor for the image specified in the admission request. If this field is empty, this attestor always returns that no valid attestations exist. Structure is documented below.

func (AttestorAttestationAuthorityNotePtrOutput) ToAttestorAttestationAuthorityNotePtrOutput

func (o AttestorAttestationAuthorityNotePtrOutput) ToAttestorAttestationAuthorityNotePtrOutput() AttestorAttestationAuthorityNotePtrOutput

func (AttestorAttestationAuthorityNotePtrOutput) ToAttestorAttestationAuthorityNotePtrOutputWithContext

func (o AttestorAttestationAuthorityNotePtrOutput) ToAttestorAttestationAuthorityNotePtrOutputWithContext(ctx context.Context) AttestorAttestationAuthorityNotePtrOutput

type AttestorAttestationAuthorityNotePublicKey

// AttestorAttestationAuthorityNotePublicKey describes one public key an
// attestor uses to verify attestations, given either as an ASCII-armored PGP
// key or as a PKIX public key.
type AttestorAttestationAuthorityNotePublicKey struct {
	// ASCII-armored representation of a PGP public key, i.e. the
	// entire output of the command
	// `gpg --export --armor foo@example.com` (either LF or CRLF
	// line endings). When using this field, id should be left
	// blank. The BinAuthz API handlers will calculate the ID
	// and fill it in automatically. BinAuthz computes this ID
	// as the OpenPGP RFC4880 V4 fingerprint, represented as
	// upper-case hex. If id is provided by the caller, it will
	// be overwritten by the API-calculated ID.
	AsciiArmoredPgpPublicKey *string `pulumi:"asciiArmoredPgpPublicKey"`
	// A descriptive comment. This field may be updated.
	Comment *string `pulumi:"comment"`
	// The ID of this public key. Signatures verified by BinAuthz
	// must include the ID of the public key that can be used to
	// verify them, and that ID must match the contents of this
	// field exactly. Additional restrictions on this field can
	// be imposed based on which public key type is encapsulated.
	// See the AsciiArmoredPgpPublicKey and PkixPublicKey comments
	// in this struct for the per-type rules.
	Id *string `pulumi:"id"`
	// A raw PKIX SubjectPublicKeyInfo format public key.
	// NOTE: id may be explicitly provided by the caller when using this
	// type of public key, but it MUST be a valid RFC3986 URI. If id is left
	// blank, a default one will be computed based on the digest of the DER
	// encoding of the public key.
	// Structure is documented below.
	PkixPublicKey *AttestorAttestationAuthorityNotePublicKeyPkixPublicKey `pulumi:"pkixPublicKey"`
}

type AttestorAttestationAuthorityNotePublicKeyArgs

// AttestorAttestationAuthorityNotePublicKeyArgs is the input form of
// AttestorAttestationAuthorityNotePublicKey: one verification key, given
// either as an ASCII-armored PGP key or as a PKIX public key.
type AttestorAttestationAuthorityNotePublicKeyArgs struct {
	// ASCII-armored representation of a PGP public key, i.e. the
	// entire output of the command
	// `gpg --export --armor foo@example.com` (either LF or CRLF
	// line endings). When using this field, id should be left
	// blank. The BinAuthz API handlers will calculate the ID
	// and fill it in automatically. BinAuthz computes this ID
	// as the OpenPGP RFC4880 V4 fingerprint, represented as
	// upper-case hex. If id is provided by the caller, it will
	// be overwritten by the API-calculated ID.
	AsciiArmoredPgpPublicKey pulumi.StringPtrInput `pulumi:"asciiArmoredPgpPublicKey"`
	// A descriptive comment. This field may be updated.
	Comment pulumi.StringPtrInput `pulumi:"comment"`
	// The ID of this public key. Signatures verified by BinAuthz
	// must include the ID of the public key that can be used to
	// verify them, and that ID must match the contents of this
	// field exactly. Additional restrictions on this field can
	// be imposed based on which public key type is encapsulated.
	// See the AsciiArmoredPgpPublicKey and PkixPublicKey comments
	// in this struct for the per-type rules.
	Id pulumi.StringPtrInput `pulumi:"id"`
	// A raw PKIX SubjectPublicKeyInfo format public key.
	// NOTE: id may be explicitly provided by the caller when using this
	// type of public key, but it MUST be a valid RFC3986 URI. If id is left
	// blank, a default one will be computed based on the digest of the DER
	// encoding of the public key.
	// Structure is documented below.
	PkixPublicKey AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrInput `pulumi:"pkixPublicKey"`
}

func (AttestorAttestationAuthorityNotePublicKeyArgs) ElementType

func (AttestorAttestationAuthorityNotePublicKeyArgs) ToAttestorAttestationAuthorityNotePublicKeyOutput

func (i AttestorAttestationAuthorityNotePublicKeyArgs) ToAttestorAttestationAuthorityNotePublicKeyOutput() AttestorAttestationAuthorityNotePublicKeyOutput

func (AttestorAttestationAuthorityNotePublicKeyArgs) ToAttestorAttestationAuthorityNotePublicKeyOutputWithContext

func (i AttestorAttestationAuthorityNotePublicKeyArgs) ToAttestorAttestationAuthorityNotePublicKeyOutputWithContext(ctx context.Context) AttestorAttestationAuthorityNotePublicKeyOutput

type AttestorAttestationAuthorityNotePublicKeyArray

type AttestorAttestationAuthorityNotePublicKeyArray []AttestorAttestationAuthorityNotePublicKeyInput

func (AttestorAttestationAuthorityNotePublicKeyArray) ElementType

func (AttestorAttestationAuthorityNotePublicKeyArray) ToAttestorAttestationAuthorityNotePublicKeyArrayOutput

func (i AttestorAttestationAuthorityNotePublicKeyArray) ToAttestorAttestationAuthorityNotePublicKeyArrayOutput() AttestorAttestationAuthorityNotePublicKeyArrayOutput

func (AttestorAttestationAuthorityNotePublicKeyArray) ToAttestorAttestationAuthorityNotePublicKeyArrayOutputWithContext

func (i AttestorAttestationAuthorityNotePublicKeyArray) ToAttestorAttestationAuthorityNotePublicKeyArrayOutputWithContext(ctx context.Context) AttestorAttestationAuthorityNotePublicKeyArrayOutput

type AttestorAttestationAuthorityNotePublicKeyArrayInput

type AttestorAttestationAuthorityNotePublicKeyArrayInput interface {
	pulumi.Input

	ToAttestorAttestationAuthorityNotePublicKeyArrayOutput() AttestorAttestationAuthorityNotePublicKeyArrayOutput
	ToAttestorAttestationAuthorityNotePublicKeyArrayOutputWithContext(context.Context) AttestorAttestationAuthorityNotePublicKeyArrayOutput
}

AttestorAttestationAuthorityNotePublicKeyArrayInput is an input type that accepts AttestorAttestationAuthorityNotePublicKeyArray and AttestorAttestationAuthorityNotePublicKeyArrayOutput values. You can construct a concrete instance of `AttestorAttestationAuthorityNotePublicKeyArrayInput` via:

AttestorAttestationAuthorityNotePublicKeyArray{ AttestorAttestationAuthorityNotePublicKeyArgs{...} }

type AttestorAttestationAuthorityNotePublicKeyArrayOutput

type AttestorAttestationAuthorityNotePublicKeyArrayOutput struct{ *pulumi.OutputState }

func (AttestorAttestationAuthorityNotePublicKeyArrayOutput) ElementType

func (AttestorAttestationAuthorityNotePublicKeyArrayOutput) Index

func (AttestorAttestationAuthorityNotePublicKeyArrayOutput) ToAttestorAttestationAuthorityNotePublicKeyArrayOutput

func (AttestorAttestationAuthorityNotePublicKeyArrayOutput) ToAttestorAttestationAuthorityNotePublicKeyArrayOutputWithContext

func (o AttestorAttestationAuthorityNotePublicKeyArrayOutput) ToAttestorAttestationAuthorityNotePublicKeyArrayOutputWithContext(ctx context.Context) AttestorAttestationAuthorityNotePublicKeyArrayOutput

type AttestorAttestationAuthorityNotePublicKeyInput

type AttestorAttestationAuthorityNotePublicKeyInput interface {
	pulumi.Input

	ToAttestorAttestationAuthorityNotePublicKeyOutput() AttestorAttestationAuthorityNotePublicKeyOutput
	ToAttestorAttestationAuthorityNotePublicKeyOutputWithContext(context.Context) AttestorAttestationAuthorityNotePublicKeyOutput
}

AttestorAttestationAuthorityNotePublicKeyInput is an input type that accepts AttestorAttestationAuthorityNotePublicKeyArgs and AttestorAttestationAuthorityNotePublicKeyOutput values. You can construct a concrete instance of `AttestorAttestationAuthorityNotePublicKeyInput` via:

AttestorAttestationAuthorityNotePublicKeyArgs{...}

type AttestorAttestationAuthorityNotePublicKeyOutput

type AttestorAttestationAuthorityNotePublicKeyOutput struct{ *pulumi.OutputState }

func (AttestorAttestationAuthorityNotePublicKeyOutput) AsciiArmoredPgpPublicKey

ASCII-armored representation of a PGP public key, i.e. the entire output of the command `gpg --export --armor foo@example.com` (either LF or CRLF line endings). When using this field, id should be left blank. The BinAuthz API handlers will calculate the ID and fill it in automatically. BinAuthz computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as upper-case hex. If id is provided by the caller, it will be overwritten by the API-calculated ID.

func (AttestorAttestationAuthorityNotePublicKeyOutput) Comment

A descriptive comment. This field may be updated.

func (AttestorAttestationAuthorityNotePublicKeyOutput) ElementType

func (AttestorAttestationAuthorityNotePublicKeyOutput) Id

The ID of this public key. Signatures verified by BinAuthz must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. Additional restrictions on this field can be imposed based on which public key type is encapsulated. See the documentation on publicKey cases below for details.

func (AttestorAttestationAuthorityNotePublicKeyOutput) PkixPublicKey

A raw PKIX SubjectPublicKeyInfo format public key. NOTE: id may be explicitly provided by the caller when using this type of public key, but it MUST be a valid RFC3986 URI. If id is left blank, a default one will be computed based on the digest of the DER encoding of the public key. Structure is documented below.

func (AttestorAttestationAuthorityNotePublicKeyOutput) ToAttestorAttestationAuthorityNotePublicKeyOutput

func (o AttestorAttestationAuthorityNotePublicKeyOutput) ToAttestorAttestationAuthorityNotePublicKeyOutput() AttestorAttestationAuthorityNotePublicKeyOutput

func (AttestorAttestationAuthorityNotePublicKeyOutput) ToAttestorAttestationAuthorityNotePublicKeyOutputWithContext

func (o AttestorAttestationAuthorityNotePublicKeyOutput) ToAttestorAttestationAuthorityNotePublicKeyOutputWithContext(ctx context.Context) AttestorAttestationAuthorityNotePublicKeyOutput

type AttestorAttestationAuthorityNotePublicKeyPkixPublicKey

// AttestorAttestationAuthorityNotePublicKeyPkixPublicKey holds a PEM-encoded
// public key together with the signature algorithm used to verify with it.
type AttestorAttestationAuthorityNotePublicKeyPkixPublicKey struct {
	// A PEM-encoded public key, as described in
	// `https://tools.ietf.org/html/rfc7468#section-13`
	PublicKeyPem *string `pulumi:"publicKeyPem"`
	// The signature algorithm used to verify a message against
	// a signature using this key. This signature algorithm must
	// match the structure and any object identifiers encoded in
	// publicKeyPem (i.e. this algorithm must match that of the
	// public key).
	SignatureAlgorithm *string `pulumi:"signatureAlgorithm"`
}

type AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs

// AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs is the input form
// of AttestorAttestationAuthorityNotePublicKeyPkixPublicKey: a PEM-encoded
// public key together with the signature algorithm used to verify with it.
type AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs struct {
	// A PEM-encoded public key, as described in
	// `https://tools.ietf.org/html/rfc7468#section-13`
	PublicKeyPem pulumi.StringPtrInput `pulumi:"publicKeyPem"`
	// The signature algorithm used to verify a message against
	// a signature using this key. This signature algorithm must
	// match the structure and any object identifiers encoded in
	// publicKeyPem (i.e. this algorithm must match that of the
	// public key).
	SignatureAlgorithm pulumi.StringPtrInput `pulumi:"signatureAlgorithm"`
}

func (AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs) ElementType

func (AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs) ToAttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput

func (AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs) ToAttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutputWithContext

func (i AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs) ToAttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutputWithContext(ctx context.Context) AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput

func (AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs) ToAttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput

func (AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs) ToAttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutputWithContext

func (i AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs) ToAttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutputWithContext(ctx context.Context) AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput

type AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyInput

// AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyInput is the input
// interface for the PKIX public key value. In addition to pulumi.Input, an
// implementation must convert itself to
// AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput, either directly
// or with a caller-supplied context.Context.
type AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyInput interface {
	pulumi.Input

	ToAttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput() AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput
	ToAttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutputWithContext(context.Context) AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput
}

AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyInput is an input type that accepts AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs and AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput values. You can construct a concrete instance of `AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyInput` via:

AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs{...}

type AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput

// AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput is an output
// type whose only member is an embedded *pulumi.OutputState. This page lists
// PublicKeyPem and SignatureAlgorithm accessors on it.
type AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput struct{ *pulumi.OutputState }

func (AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput) ElementType

func (AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput) PublicKeyPem

A PEM-encoded public key, as described in `https://tools.ietf.org/html/rfc7468#section-13`

func (AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput) SignatureAlgorithm

The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in publicKeyPem (i.e. this algorithm must match that of the public key).

***

func (AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput) ToAttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput

func (AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput) ToAttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutputWithContext

func (o AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput) ToAttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutputWithContext(ctx context.Context) AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput

func (AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput) ToAttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput

func (AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput) ToAttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutputWithContext

func (o AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyOutput) ToAttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutputWithContext(ctx context.Context) AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput

type AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrInput

// AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrInput is the
// pointer-flavoured input interface for the PKIX public key value. In addition
// to pulumi.Input, an implementation must convert itself to
// AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput, either
// directly or with a caller-supplied context.Context.
type AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrInput interface {
	pulumi.Input

	ToAttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput() AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput
	ToAttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutputWithContext(context.Context) AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput
}

AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrInput is an input type that accepts AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs, AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtr and AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput values. You can construct a concrete instance of `AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrInput` via:

        AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyArgs{...}

or:

        nil

type AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput

// AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput is an output
// type whose only member is an embedded *pulumi.OutputState. This page lists
// Elem, PublicKeyPem and SignatureAlgorithm accessors on it.
type AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput struct{ *pulumi.OutputState }

func (AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput) Elem

func (AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput) ElementType

func (AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput) PublicKeyPem

A PEM-encoded public key, as described in `https://tools.ietf.org/html/rfc7468#section-13`

func (AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput) SignatureAlgorithm

The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in publicKeyPem (i.e. this algorithm must match that of the public key).

***

func (AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput) ToAttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput

func (AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput) ToAttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutputWithContext

func (o AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput) ToAttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutputWithContext(ctx context.Context) AttestorAttestationAuthorityNotePublicKeyPkixPublicKeyPtrOutput

type AttestorIamBinding

// AttestorIamBinding is the resource state for an IAM binding on a Binary
// Authorization attestor: one role granted to a list of members. The binding
// is authoritative for that role; other roles within the attestor's IAM
// policy are preserved.
type AttestorIamBinding struct {
	pulumi.CustomResourceState

	// Used to find the parent resource to bind the IAM policy to
	Attestor  pulumi.StringOutput                  `pulumi:"attestor"`
	// Condition attached to the binding (description, expression, title; see
	// AttestorIamBindingCondition). Pointer-typed, so it may be unset.
	Condition AttestorIamBindingConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): allUsers and allAuthenticatedUsers are not limited to
	// your own organisation. For an attestor, prefer specific user,
	// serviceAccount or group members, and review any binding that names
	// either of those two identifiers.
	Members pulumi.StringArrayOutput `pulumi:"members"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `binaryauthorization.AttestorIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Binary Authorization Attestor. Each of these resources serves a different use case:

* `binaryauthorization.AttestorIamPolicy`: Authoritative. Sets the IAM policy for the attestor and replaces any existing policy already attached.
* `binaryauthorization.AttestorIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the attestor are preserved.
* `binaryauthorization.AttestorIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the attestor are preserved.

A data source can be used to retrieve policy data when you do not need to create the policy:

* `binaryauthorization.AttestorIamPolicy`: Retrieves the IAM policy for the attestor

> **Note:** `binaryauthorization.AttestorIamPolicy` **cannot** be used in conjunction with `binaryauthorization.AttestorIamBinding` and `binaryauthorization.AttestorIamMember` or they will fight over what your policy should be.

> **Note:** `binaryauthorization.AttestorIamBinding` resources **can be** used in conjunction with `binaryauthorization.AttestorIamMember` resources **only if** they do not grant privilege to the same role.

## binaryauthorization.AttestorIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main declares an authoritative IAM policy for a Binary Authorization
// attestor.
//
// The snippet does not define attestor; it is assumed to be an Attestor
// resource created elsewhere in the same program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The single binding that the generated policy document will contain.
		viewers := organizations.GetIAMPolicyBinding{
			Role:    "roles/viewer",
			Members: []string{"user:jane@example.com"},
		}
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{viewers},
		}, nil)
		if err != nil {
			return err
		}

		// AttestorIamPolicy is authoritative: PolicyData replaces whatever
		// policy is already attached to the attestor, so every grant that
		// must remain has to be listed in the bindings above.
		policyArgs := &binaryauthorization.AttestorIamPolicyArgs{
			Project:    pulumi.Any(attestor.Project),
			Attestor:   pulumi.Any(attestor.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		}
		_, err = binaryauthorization.NewAttestorIamPolicy(ctx, "policy", policyArgs)
		return err
	})
}

```

## binaryauthorization.AttestorIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/viewer on a Binary Authorization attestor to a fixed list
// of members.
//
// The snippet does not define attestor; it is assumed to be an Attestor
// resource created elsewhere in the same program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// AttestorIamBinding is authoritative for its role: Members is the
		// list this resource manages for roles/viewer, while other roles in
		// the attestor's policy are preserved.
		bindingArgs := &binaryauthorization.AttestorIamBindingArgs{
			Project:  pulumi.Any(attestor.Project),
			Attestor: pulumi.Any(attestor.Name),
			Role:     pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		_, err := binaryauthorization.NewAttestorIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

## binaryauthorization.AttestorIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/viewer on a Binary Authorization attestor to one member.
//
// The snippet does not define attestor; it is assumed to be an Attestor
// resource created elsewhere in the same program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// AttestorIamMember is non-authoritative: it adds this one member and
		// preserves the other members already holding the role.
		memberArgs := &binaryauthorization.AttestorIamMemberArgs{
			Project:  pulumi.Any(attestor.Project),
			Attestor: pulumi.Any(attestor.Name),
			Role:     pulumi.String("roles/viewer"),
			Member:   pulumi.String("user:jane@example.com"),
		}
		_, err := binaryauthorization.NewAttestorIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Binary Authorization Attestor

Three different resources help you manage your IAM policy for Binary Authorization Attestor. Each of these resources serves a different use case:

* `binaryauthorization.AttestorIamPolicy`: Authoritative. Sets the IAM policy for the attestor and replaces any existing policy already attached.
* `binaryauthorization.AttestorIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the attestor are preserved.
* `binaryauthorization.AttestorIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the attestor are preserved.

A data source can be used to retrieve policy data when you do not need to create the policy:

* `binaryauthorization.AttestorIamPolicy`: Retrieves the IAM policy for the attestor

> **Note:** `binaryauthorization.AttestorIamPolicy` **cannot** be used in conjunction with `binaryauthorization.AttestorIamBinding` and `binaryauthorization.AttestorIamMember` or they will fight over what your policy should be.

> **Note:** `binaryauthorization.AttestorIamBinding` resources **can be** used in conjunction with `binaryauthorization.AttestorIamMember` resources **only if** they do not grant privilege to the same role.

## binaryauthorization.AttestorIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main declares an authoritative IAM policy for a Binary Authorization
// attestor.
//
// The snippet does not define attestor; it is assumed to be an Attestor
// resource created elsewhere in the same program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The single binding that the generated policy document will contain.
		viewers := organizations.GetIAMPolicyBinding{
			Role:    "roles/viewer",
			Members: []string{"user:jane@example.com"},
		}
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{viewers},
		}, nil)
		if err != nil {
			return err
		}

		// AttestorIamPolicy is authoritative: PolicyData replaces whatever
		// policy is already attached to the attestor, so every grant that
		// must remain has to be listed in the bindings above.
		policyArgs := &binaryauthorization.AttestorIamPolicyArgs{
			Project:    pulumi.Any(attestor.Project),
			Attestor:   pulumi.Any(attestor.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		}
		_, err = binaryauthorization.NewAttestorIamPolicy(ctx, "policy", policyArgs)
		return err
	})
}

```

## binaryauthorization.AttestorIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/viewer on a Binary Authorization attestor to a fixed list
// of members.
//
// The snippet does not define attestor; it is assumed to be an Attestor
// resource created elsewhere in the same program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// AttestorIamBinding is authoritative for its role: Members is the
		// list this resource manages for roles/viewer, while other roles in
		// the attestor's policy are preserved.
		bindingArgs := &binaryauthorization.AttestorIamBindingArgs{
			Project:  pulumi.Any(attestor.Project),
			Attestor: pulumi.Any(attestor.Name),
			Role:     pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		_, err := binaryauthorization.NewAttestorIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

## binaryauthorization.AttestorIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/viewer on a Binary Authorization attestor to one member.
//
// The snippet does not define attestor; it is assumed to be an Attestor
// resource created elsewhere in the same program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// AttestorIamMember is non-authoritative: it adds this one member and
		// preserves the other members already holding the role.
		memberArgs := &binaryauthorization.AttestorIamMemberArgs{
			Project:  pulumi.Any(attestor.Project),
			Attestor: pulumi.Any(attestor.Name),
			Role:     pulumi.String("roles/viewer"),
			Member:   pulumi.String("user:jane@example.com"),
		}
		_, err := binaryauthorization.NewAttestorIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/attestors/{{name}}

* {{project}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Binary Authorization attestor IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh $ pulumi import gcp:binaryauthorization/attestorIamBinding:AttestorIamBinding editor "projects/{{project}}/attestors/{{attestor}} roles/viewer user:jane@example.com" ```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh $ pulumi import gcp:binaryauthorization/attestorIamBinding:AttestorIamBinding editor "projects/{{project}}/attestors/{{attestor}} roles/viewer" ```

IAM policy imports use the identifier of the resource in question, e.g.

```sh $ pulumi import gcp:binaryauthorization/attestorIamBinding:AttestorIamBinding editor projects/{{project}}/attestors/{{attestor}} ```

> **Custom Roles**: If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAttestorIamBinding

func GetAttestorIamBinding(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AttestorIamBindingState, opts ...pulumi.ResourceOption) (*AttestorIamBinding, error)

GetAttestorIamBinding gets an existing AttestorIamBinding resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAttestorIamBinding

func NewAttestorIamBinding(ctx *pulumi.Context,
	name string, args *AttestorIamBindingArgs, opts ...pulumi.ResourceOption) (*AttestorIamBinding, error)

NewAttestorIamBinding registers a new resource with the given unique name, arguments, and options.

func (*AttestorIamBinding) ElementType

func (*AttestorIamBinding) ElementType() reflect.Type

func (*AttestorIamBinding) ToAttestorIamBindingOutput

func (i *AttestorIamBinding) ToAttestorIamBindingOutput() AttestorIamBindingOutput

func (*AttestorIamBinding) ToAttestorIamBindingOutputWithContext

func (i *AttestorIamBinding) ToAttestorIamBindingOutputWithContext(ctx context.Context) AttestorIamBindingOutput

type AttestorIamBindingArgs

// AttestorIamBindingArgs is the set of arguments for constructing an
// AttestorIamBinding resource: the attestor, one role, and the members that
// receive that role. Project and Condition are pointer-typed inputs.
type AttestorIamBindingArgs struct {
	// Used to find the parent resource to bind the IAM policy to
	Attestor  pulumi.StringInput
	// Condition attached to the binding (description, expression, title; see
	// AttestorIamBindingConditionArgs). Pointer-typed, so it may be nil.
	Condition AttestorIamBindingConditionPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): allUsers and allAuthenticatedUsers are not limited to
	// your own organisation. For an attestor, prefer specific user,
	// serviceAccount or group members, and review any binding that names
	// either of those two identifiers.
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `binaryauthorization.AttestorIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing an AttestorIamBinding resource.

func (AttestorIamBindingArgs) ElementType

func (AttestorIamBindingArgs) ElementType() reflect.Type

type AttestorIamBindingArray

// AttestorIamBindingArray is a slice of AttestorIamBindingInput values. This
// page lists conversions from it to AttestorIamBindingArrayOutput.
type AttestorIamBindingArray []AttestorIamBindingInput

func (AttestorIamBindingArray) ElementType

func (AttestorIamBindingArray) ElementType() reflect.Type

func (AttestorIamBindingArray) ToAttestorIamBindingArrayOutput

func (i AttestorIamBindingArray) ToAttestorIamBindingArrayOutput() AttestorIamBindingArrayOutput

func (AttestorIamBindingArray) ToAttestorIamBindingArrayOutputWithContext

func (i AttestorIamBindingArray) ToAttestorIamBindingArrayOutputWithContext(ctx context.Context) AttestorIamBindingArrayOutput

type AttestorIamBindingArrayInput

// AttestorIamBindingArrayInput is the input interface for arrays of attestor
// IAM bindings. In addition to pulumi.Input, an implementation must convert
// itself to AttestorIamBindingArrayOutput, either directly or with a
// caller-supplied context.Context.
type AttestorIamBindingArrayInput interface {
	pulumi.Input

	ToAttestorIamBindingArrayOutput() AttestorIamBindingArrayOutput
	ToAttestorIamBindingArrayOutputWithContext(context.Context) AttestorIamBindingArrayOutput
}

AttestorIamBindingArrayInput is an input type that accepts AttestorIamBindingArray and AttestorIamBindingArrayOutput values. You can construct a concrete instance of `AttestorIamBindingArrayInput` via:

AttestorIamBindingArray{ AttestorIamBindingArgs{...} }

type AttestorIamBindingArrayOutput

// AttestorIamBindingArrayOutput is an output type whose only member is an
// embedded *pulumi.OutputState. This page lists an Index accessor on it.
type AttestorIamBindingArrayOutput struct{ *pulumi.OutputState }

func (AttestorIamBindingArrayOutput) ElementType

func (AttestorIamBindingArrayOutput) Index

func (AttestorIamBindingArrayOutput) ToAttestorIamBindingArrayOutput

func (o AttestorIamBindingArrayOutput) ToAttestorIamBindingArrayOutput() AttestorIamBindingArrayOutput

func (AttestorIamBindingArrayOutput) ToAttestorIamBindingArrayOutputWithContext

func (o AttestorIamBindingArrayOutput) ToAttestorIamBindingArrayOutputWithContext(ctx context.Context) AttestorIamBindingArrayOutput

type AttestorIamBindingCondition

// AttestorIamBindingCondition is the plain-value form of the condition on an
// attestor IAM binding. Expression and Title are plain strings; Description is
// a pointer and may be nil.
type AttestorIamBindingCondition struct {
	// Free-text description of the condition; nil when unset.
	Description *string `pulumi:"description"`
	// The condition expression.
	// NOTE(review): presumably a CEL expression as used by IAM Conditions;
	// confirm against the provider documentation.
	Expression  string  `pulumi:"expression"`
	// Title of the condition.
	Title       string  `pulumi:"title"`
}

type AttestorIamBindingConditionArgs

// AttestorIamBindingConditionArgs is the Pulumi-input form of the condition on
// an attestor IAM binding. Expression and Title are pulumi.StringInput;
// Description is a pulumi.StringPtrInput and may be nil.
type AttestorIamBindingConditionArgs struct {
	// Free-text description of the condition; may be left nil.
	Description pulumi.StringPtrInput `pulumi:"description"`
	// The condition expression.
	// NOTE(review): presumably a CEL expression as used by IAM Conditions;
	// confirm against the provider documentation.
	Expression  pulumi.StringInput    `pulumi:"expression"`
	// Title of the condition.
	Title       pulumi.StringInput    `pulumi:"title"`
}

func (AttestorIamBindingConditionArgs) ElementType

func (AttestorIamBindingConditionArgs) ToAttestorIamBindingConditionOutput

func (i AttestorIamBindingConditionArgs) ToAttestorIamBindingConditionOutput() AttestorIamBindingConditionOutput

func (AttestorIamBindingConditionArgs) ToAttestorIamBindingConditionOutputWithContext

func (i AttestorIamBindingConditionArgs) ToAttestorIamBindingConditionOutputWithContext(ctx context.Context) AttestorIamBindingConditionOutput

func (AttestorIamBindingConditionArgs) ToAttestorIamBindingConditionPtrOutput

func (i AttestorIamBindingConditionArgs) ToAttestorIamBindingConditionPtrOutput() AttestorIamBindingConditionPtrOutput

func (AttestorIamBindingConditionArgs) ToAttestorIamBindingConditionPtrOutputWithContext

func (i AttestorIamBindingConditionArgs) ToAttestorIamBindingConditionPtrOutputWithContext(ctx context.Context) AttestorIamBindingConditionPtrOutput

type AttestorIamBindingConditionInput

// AttestorIamBindingConditionInput is the input interface for a binding
// condition. In addition to pulumi.Input, an implementation must convert
// itself to AttestorIamBindingConditionOutput, either directly or with a
// caller-supplied context.Context.
type AttestorIamBindingConditionInput interface {
	pulumi.Input

	ToAttestorIamBindingConditionOutput() AttestorIamBindingConditionOutput
	ToAttestorIamBindingConditionOutputWithContext(context.Context) AttestorIamBindingConditionOutput
}

AttestorIamBindingConditionInput is an input type that accepts AttestorIamBindingConditionArgs and AttestorIamBindingConditionOutput values. You can construct a concrete instance of `AttestorIamBindingConditionInput` via:

AttestorIamBindingConditionArgs{...}

type AttestorIamBindingConditionOutput

// AttestorIamBindingConditionOutput is an output type whose only member is an
// embedded *pulumi.OutputState. This page lists Description, Expression and
// Title accessors on it.
type AttestorIamBindingConditionOutput struct{ *pulumi.OutputState }

func (AttestorIamBindingConditionOutput) Description

func (AttestorIamBindingConditionOutput) ElementType

func (AttestorIamBindingConditionOutput) Expression

func (AttestorIamBindingConditionOutput) Title

func (AttestorIamBindingConditionOutput) ToAttestorIamBindingConditionOutput

func (o AttestorIamBindingConditionOutput) ToAttestorIamBindingConditionOutput() AttestorIamBindingConditionOutput

func (AttestorIamBindingConditionOutput) ToAttestorIamBindingConditionOutputWithContext

func (o AttestorIamBindingConditionOutput) ToAttestorIamBindingConditionOutputWithContext(ctx context.Context) AttestorIamBindingConditionOutput

func (AttestorIamBindingConditionOutput) ToAttestorIamBindingConditionPtrOutput

func (o AttestorIamBindingConditionOutput) ToAttestorIamBindingConditionPtrOutput() AttestorIamBindingConditionPtrOutput

func (AttestorIamBindingConditionOutput) ToAttestorIamBindingConditionPtrOutputWithContext

func (o AttestorIamBindingConditionOutput) ToAttestorIamBindingConditionPtrOutputWithContext(ctx context.Context) AttestorIamBindingConditionPtrOutput

type AttestorIamBindingConditionPtrInput

// AttestorIamBindingConditionPtrInput is the pointer-flavoured input interface
// for a binding condition. In addition to pulumi.Input, an implementation must
// convert itself to AttestorIamBindingConditionPtrOutput, either directly or
// with a caller-supplied context.Context.
type AttestorIamBindingConditionPtrInput interface {
	pulumi.Input

	ToAttestorIamBindingConditionPtrOutput() AttestorIamBindingConditionPtrOutput
	ToAttestorIamBindingConditionPtrOutputWithContext(context.Context) AttestorIamBindingConditionPtrOutput
}

AttestorIamBindingConditionPtrInput is an input type that accepts AttestorIamBindingConditionArgs, AttestorIamBindingConditionPtr and AttestorIamBindingConditionPtrOutput values. You can construct a concrete instance of `AttestorIamBindingConditionPtrInput` via:

        AttestorIamBindingConditionArgs{...}

or:

        nil

type AttestorIamBindingConditionPtrOutput

// AttestorIamBindingConditionPtrOutput is an output type whose only member is
// an embedded *pulumi.OutputState. This page lists Description, Elem,
// Expression and Title accessors on it.
type AttestorIamBindingConditionPtrOutput struct{ *pulumi.OutputState }

func (AttestorIamBindingConditionPtrOutput) Description

func (AttestorIamBindingConditionPtrOutput) Elem

func (AttestorIamBindingConditionPtrOutput) ElementType

func (AttestorIamBindingConditionPtrOutput) Expression

func (AttestorIamBindingConditionPtrOutput) Title

func (AttestorIamBindingConditionPtrOutput) ToAttestorIamBindingConditionPtrOutput

func (o AttestorIamBindingConditionPtrOutput) ToAttestorIamBindingConditionPtrOutput() AttestorIamBindingConditionPtrOutput

func (AttestorIamBindingConditionPtrOutput) ToAttestorIamBindingConditionPtrOutputWithContext

func (o AttestorIamBindingConditionPtrOutput) ToAttestorIamBindingConditionPtrOutputWithContext(ctx context.Context) AttestorIamBindingConditionPtrOutput

type AttestorIamBindingInput

// AttestorIamBindingInput is the input interface for the AttestorIamBinding
// resource. In addition to pulumi.Input, an implementation must convert itself
// to AttestorIamBindingOutput, either directly or with a caller-supplied
// context.Context.
type AttestorIamBindingInput interface {
	pulumi.Input

	ToAttestorIamBindingOutput() AttestorIamBindingOutput
	ToAttestorIamBindingOutputWithContext(ctx context.Context) AttestorIamBindingOutput
}

type AttestorIamBindingMap

// AttestorIamBindingMap maps string keys to AttestorIamBindingInput values.
// This page lists conversions from it to AttestorIamBindingMapOutput.
type AttestorIamBindingMap map[string]AttestorIamBindingInput

func (AttestorIamBindingMap) ElementType

func (AttestorIamBindingMap) ElementType() reflect.Type

func (AttestorIamBindingMap) ToAttestorIamBindingMapOutput

func (i AttestorIamBindingMap) ToAttestorIamBindingMapOutput() AttestorIamBindingMapOutput

func (AttestorIamBindingMap) ToAttestorIamBindingMapOutputWithContext

func (i AttestorIamBindingMap) ToAttestorIamBindingMapOutputWithContext(ctx context.Context) AttestorIamBindingMapOutput

type AttestorIamBindingMapInput

// AttestorIamBindingMapInput is the input interface for maps of attestor IAM
// bindings. In addition to pulumi.Input, an implementation must convert itself
// to AttestorIamBindingMapOutput, either directly or with a caller-supplied
// context.Context.
type AttestorIamBindingMapInput interface {
	pulumi.Input

	ToAttestorIamBindingMapOutput() AttestorIamBindingMapOutput
	ToAttestorIamBindingMapOutputWithContext(context.Context) AttestorIamBindingMapOutput
}

AttestorIamBindingMapInput is an input type that accepts AttestorIamBindingMap and AttestorIamBindingMapOutput values. You can construct a concrete instance of `AttestorIamBindingMapInput` via:

AttestorIamBindingMap{ "key": AttestorIamBindingArgs{...} }

type AttestorIamBindingMapOutput

// AttestorIamBindingMapOutput is an output type whose only member is an
// embedded *pulumi.OutputState. This page lists a MapIndex accessor on it.
type AttestorIamBindingMapOutput struct{ *pulumi.OutputState }

func (AttestorIamBindingMapOutput) ElementType

func (AttestorIamBindingMapOutput) MapIndex

func (AttestorIamBindingMapOutput) ToAttestorIamBindingMapOutput

func (o AttestorIamBindingMapOutput) ToAttestorIamBindingMapOutput() AttestorIamBindingMapOutput

func (AttestorIamBindingMapOutput) ToAttestorIamBindingMapOutputWithContext

func (o AttestorIamBindingMapOutput) ToAttestorIamBindingMapOutputWithContext(ctx context.Context) AttestorIamBindingMapOutput

type AttestorIamBindingOutput

// AttestorIamBindingOutput is an output type whose only member is an embedded
// *pulumi.OutputState. This page lists Attestor, Condition, Etag, Members,
// Project and Role accessors on it.
type AttestorIamBindingOutput struct{ *pulumi.OutputState }

func (AttestorIamBindingOutput) Attestor

Used to find the parent resource to bind the IAM policy to

func (AttestorIamBindingOutput) Condition

func (AttestorIamBindingOutput) ElementType

func (AttestorIamBindingOutput) ElementType() reflect.Type

func (AttestorIamBindingOutput) Etag

(Computed) The etag of the IAM policy.

func (AttestorIamBindingOutput) Members

Identities that will be granted the privilege in `role`. Each entry can have one of the following values:

* **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
* **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
* **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
* **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
* **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
* **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
* **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
* **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
* **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

func (AttestorIamBindingOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (AttestorIamBindingOutput) Role

The role that should be applied. Only one `binaryauthorization.AttestorIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (AttestorIamBindingOutput) ToAttestorIamBindingOutput

func (o AttestorIamBindingOutput) ToAttestorIamBindingOutput() AttestorIamBindingOutput

func (AttestorIamBindingOutput) ToAttestorIamBindingOutputWithContext

func (o AttestorIamBindingOutput) ToAttestorIamBindingOutputWithContext(ctx context.Context) AttestorIamBindingOutput

type AttestorIamBindingState

// AttestorIamBindingState holds the optional state properties passed to
// GetAttestorIamBinding to qualify a lookup of an existing AttestorIamBinding.
// It has the same properties as the resource, including the computed Etag.
type AttestorIamBindingState struct {
	// Used to find the parent resource to bind the IAM policy to
	Attestor  pulumi.StringPtrInput
	// Condition attached to the binding (description, expression, title; see
	// AttestorIamBindingConditionArgs). Pointer-typed, so it may be nil.
	Condition AttestorIamBindingConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Identities that will be granted the privilege in `role`.
	// Each entry can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): allUsers and allAuthenticatedUsers are not limited to
	// your own organisation. For an attestor, prefer specific user,
	// serviceAccount or group members, and review any binding that names
	// either of those two identifiers.
	Members pulumi.StringArrayInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `binaryauthorization.AttestorIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (AttestorIamBindingState) ElementType

func (AttestorIamBindingState) ElementType() reflect.Type

type AttestorIamMember

// AttestorIamMember grants one role to one member on a Binary Authorization
// attestor. This package documents it as non-authoritative: other members that
// already hold the role on the attestor are preserved.
type AttestorIamMember struct {
	pulumi.CustomResourceState

	// Attestor is used to find the parent resource to bind the IAM policy to.
	// Condition (declared next) has no upstream description; its fields are
	// declared on AttestorIamMemberCondition (title, expression, optional description).
	Attestor  pulumi.StringOutput                 `pulumi:"attestor"`
	Condition AttestorIamMemberConditionPtrOutput `pulumi:"condition"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// Member is the identity that will be granted the privilege in `role`.
	// It can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): allUsers and allAuthenticatedUsers extend the grant to
	// identities outside your organization; confirm that is intended before
	// using either on an attestor.
	Member pulumi.StringOutput `pulumi:"member"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
	// The role that should be applied. Only one
	// `binaryauthorization.AttestorIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringOutput `pulumi:"role"`
}

Three different resources help you manage your IAM policy for Binary Authorization Attestor. Each of these resources serves a different use case:

* `binaryauthorization.AttestorIamPolicy`: Authoritative. Sets the IAM policy for the attestor and replaces any existing policy already attached.
* `binaryauthorization.AttestorIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the attestor are preserved.
* `binaryauthorization.AttestorIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the attestor are preserved.

A data source can be used to retrieve policy data when you only need to read the policy and do not need to create one:

* `binaryauthorization.AttestorIamPolicy`: Retrieves the IAM policy for the attestor

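> **Note:** `binaryauthorization.AttestorIamPolicy` **cannot** be used in conjunction with `binaryauthorization.AttestorIamBinding` and `binaryauthorization.AttestorIamMember` or they will fight over what your policy should be. Because `AttestorIamPolicy` is authoritative, each time it is applied it replaces the whole policy, including grants made through the other two resources.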

> **Note:** `binaryauthorization.AttestorIamBinding` resources **can be** used in conjunction with `binaryauthorization.AttestorIamMember` resources **only if** they do not grant privilege to the same role.

## binaryauthorization.AttestorIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main sets the complete IAM policy of an attestor from a generated policy
// document.
//
// AttestorIamPolicy is authoritative: the policy data below replaces any
// policy already attached to the attestor. `attestor` is not declared in this
// snippet; it stands for an Attestor resource defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// One binding: roles/viewer for a single named user.
		viewers := organizations.GetIAMPolicyBinding{
			Role:    "roles/viewer",
			Members: []string{"user:jane@example.com"},
		}
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{viewers},
		}, nil)
		if err != nil {
			return err
		}

		policyArgs := &binaryauthorization.AttestorIamPolicyArgs{
			Project:    pulumi.Any(attestor.Project),
			Attestor:   pulumi.Any(attestor.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		}
		// The resource handle is not needed; only the registration error matters.
		_, err = binaryauthorization.NewAttestorIamPolicy(ctx, "policy", policyArgs)
		return err
	})
}

```

## binaryauthorization.AttestorIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/viewer on an attestor to a list of members.
//
// AttestorIamBinding is authoritative for the named role: the Members list
// becomes the full membership of that role, while other roles in the policy
// are preserved. `attestor` is not declared in this snippet; it stands for an
// Attestor resource defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		bindingArgs := &binaryauthorization.AttestorIamBindingArgs{
			Project:  pulumi.Any(attestor.Project),
			Attestor: pulumi.Any(attestor.Name),
			Role:     pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		// The resource handle is not needed; only the registration error matters.
		_, err := binaryauthorization.NewAttestorIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

## binaryauthorization.AttestorIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main adds one member to roles/viewer on an attestor.
//
// AttestorIamMember is non-authoritative: other members already holding the
// role are preserved. `attestor` is not declared in this snippet; it stands
// for an Attestor resource defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		memberArgs := &binaryauthorization.AttestorIamMemberArgs{
			Project:  pulumi.Any(attestor.Project),
			Attestor: pulumi.Any(attestor.Name),
			Role:     pulumi.String("roles/viewer"),
			Member:   pulumi.String("user:jane@example.com"),
		}
		// The resource handle is not needed; only the registration error matters.
		_, err := binaryauthorization.NewAttestorIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Binary Authorization Attestor

Three different resources help you manage your IAM policy for Binary Authorization Attestor. Each of these resources serves a different use case:

* `binaryauthorization.AttestorIamPolicy`: Authoritative. Sets the IAM policy for the attestor and replaces any existing policy already attached.
* `binaryauthorization.AttestorIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the attestor are preserved.
* `binaryauthorization.AttestorIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the attestor are preserved.

A data source can be used to retrieve policy data when you only need to read the policy and do not need to create one:

* `binaryauthorization.AttestorIamPolicy`: Retrieves the IAM policy for the attestor

> **Note:** `binaryauthorization.AttestorIamPolicy` **cannot** be used in conjunction with `binaryauthorization.AttestorIamBinding` and `binaryauthorization.AttestorIamMember` or they will fight over what your policy should be.

> **Note:** `binaryauthorization.AttestorIamBinding` resources **can be** used in conjunction with `binaryauthorization.AttestorIamMember` resources **only if** they do not grant privilege to the same role.

## binaryauthorization.AttestorIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main sets the complete IAM policy of an attestor from a generated policy
// document.
//
// AttestorIamPolicy is authoritative: the policy data below replaces any
// policy already attached to the attestor. `attestor` is not declared in this
// snippet; it stands for an Attestor resource defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// One binding: roles/viewer for a single named user.
		viewers := organizations.GetIAMPolicyBinding{
			Role:    "roles/viewer",
			Members: []string{"user:jane@example.com"},
		}
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{viewers},
		}, nil)
		if err != nil {
			return err
		}

		policyArgs := &binaryauthorization.AttestorIamPolicyArgs{
			Project:    pulumi.Any(attestor.Project),
			Attestor:   pulumi.Any(attestor.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		}
		// The resource handle is not needed; only the registration error matters.
		_, err = binaryauthorization.NewAttestorIamPolicy(ctx, "policy", policyArgs)
		return err
	})
}

```

## binaryauthorization.AttestorIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/viewer on an attestor to a list of members.
//
// AttestorIamBinding is authoritative for the named role: the Members list
// becomes the full membership of that role, while other roles in the policy
// are preserved. `attestor` is not declared in this snippet; it stands for an
// Attestor resource defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		bindingArgs := &binaryauthorization.AttestorIamBindingArgs{
			Project:  pulumi.Any(attestor.Project),
			Attestor: pulumi.Any(attestor.Name),
			Role:     pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		// The resource handle is not needed; only the registration error matters.
		_, err := binaryauthorization.NewAttestorIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

## binaryauthorization.AttestorIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main adds one member to roles/viewer on an attestor.
//
// AttestorIamMember is non-authoritative: other members already holding the
// role are preserved. `attestor` is not declared in this snippet; it stands
// for an Attestor resource defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		memberArgs := &binaryauthorization.AttestorIamMemberArgs{
			Project:  pulumi.Any(attestor.Project),
			Attestor: pulumi.Any(attestor.Name),
			Role:     pulumi.String("roles/viewer"),
			Member:   pulumi.String("user:jane@example.com"),
		}
		// The resource handle is not needed; only the registration error matters.
		_, err := binaryauthorization.NewAttestorIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/attestors/{{name}}

* {{project}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Binary Authorization attestor IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh
$ pulumi import gcp:binaryauthorization/attestorIamMember:AttestorIamMember editor "projects/{{project}}/attestors/{{attestor}} roles/viewer user:jane@example.com"
```

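IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g. (the command is shown with this page's `AttestorIamMember` type token, which appears to be carried over from the resource this page documents; an import of a binding would normally name the binding resource's own type token)

```sh
$ pulumi import gcp:binaryauthorization/attestorIamMember:AttestorIamMember editor "projects/{{project}}/attestors/{{attestor}} roles/viewer"
```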

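IAM policy imports use the identifier of the resource in question, e.g. (the command is shown with this page's `AttestorIamMember` type token, which appears to be carried over from the resource this page documents; an import of a policy would normally name the policy resource's own type token)

```sh
$ pulumi import gcp:binaryauthorization/attestorIamMember:AttestorIamMember editor projects/{{project}}/attestors/{{attestor}}
```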

> **Custom Roles**: If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAttestorIamMember

func GetAttestorIamMember(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AttestorIamMemberState, opts ...pulumi.ResourceOption) (*AttestorIamMember, error)

GetAttestorIamMember gets an existing AttestorIamMember resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAttestorIamMember

func NewAttestorIamMember(ctx *pulumi.Context,
	name string, args *AttestorIamMemberArgs, opts ...pulumi.ResourceOption) (*AttestorIamMember, error)

NewAttestorIamMember registers a new resource with the given unique name, arguments, and options.

func (*AttestorIamMember) ElementType

func (*AttestorIamMember) ElementType() reflect.Type

func (*AttestorIamMember) ToAttestorIamMemberOutput

func (i *AttestorIamMember) ToAttestorIamMemberOutput() AttestorIamMemberOutput

func (*AttestorIamMember) ToAttestorIamMemberOutputWithContext

func (i *AttestorIamMember) ToAttestorIamMemberOutputWithContext(ctx context.Context) AttestorIamMemberOutput

type AttestorIamMemberArgs

// AttestorIamMemberArgs is the set of arguments for constructing an
// AttestorIamMember resource (passed to NewAttestorIamMember).
type AttestorIamMemberArgs struct {
	// Attestor is used to find the parent resource to bind the IAM policy to.
	// Condition (declared next) has no upstream description; its fields are
	// declared on AttestorIamMemberConditionArgs (title, expression, optional description).
	Attestor  pulumi.StringInput
	Condition AttestorIamMemberConditionPtrInput
	// Member is the identity that will be granted the privilege in `role`.
	// It can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): allUsers and allAuthenticatedUsers extend the grant to
	// identities outside your organization; confirm that is intended before
	// using either on an attestor.
	Member pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `binaryauthorization.AttestorIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringInput
}

The set of arguments for constructing an AttestorIamMember resource.

func (AttestorIamMemberArgs) ElementType

func (AttestorIamMemberArgs) ElementType() reflect.Type

type AttestorIamMemberArray

// AttestorIamMemberArray is a slice of AttestorIamMemberInput values; it is one
// of the concrete types accepted as an AttestorIamMemberArrayInput.
type AttestorIamMemberArray []AttestorIamMemberInput

func (AttestorIamMemberArray) ElementType

func (AttestorIamMemberArray) ElementType() reflect.Type

func (AttestorIamMemberArray) ToAttestorIamMemberArrayOutput

func (i AttestorIamMemberArray) ToAttestorIamMemberArrayOutput() AttestorIamMemberArrayOutput

func (AttestorIamMemberArray) ToAttestorIamMemberArrayOutputWithContext

func (i AttestorIamMemberArray) ToAttestorIamMemberArrayOutputWithContext(ctx context.Context) AttestorIamMemberArrayOutput

type AttestorIamMemberArrayInput

// AttestorIamMemberArrayInput is an input type that accepts
// AttestorIamMemberArray and AttestorIamMemberArrayOutput values.
type AttestorIamMemberArrayInput interface {
	pulumi.Input

	// Both methods yield the value as an AttestorIamMemberArrayOutput; the
	// second form takes a context.Context.
	ToAttestorIamMemberArrayOutput() AttestorIamMemberArrayOutput
	ToAttestorIamMemberArrayOutputWithContext(context.Context) AttestorIamMemberArrayOutput
}

AttestorIamMemberArrayInput is an input type that accepts AttestorIamMemberArray and AttestorIamMemberArrayOutput values. You can construct a concrete instance of `AttestorIamMemberArrayInput` via:

AttestorIamMemberArray{ AttestorIamMemberArgs{...} }

type AttestorIamMemberArrayOutput

// AttestorIamMemberArrayOutput is the output counterpart of
// AttestorIamMemberArray; it embeds *pulumi.OutputState.
type AttestorIamMemberArrayOutput struct{ *pulumi.OutputState }

func (AttestorIamMemberArrayOutput) ElementType

func (AttestorIamMemberArrayOutput) Index

func (AttestorIamMemberArrayOutput) ToAttestorIamMemberArrayOutput

func (o AttestorIamMemberArrayOutput) ToAttestorIamMemberArrayOutput() AttestorIamMemberArrayOutput

func (AttestorIamMemberArrayOutput) ToAttestorIamMemberArrayOutputWithContext

func (o AttestorIamMemberArrayOutput) ToAttestorIamMemberArrayOutputWithContext(ctx context.Context) AttestorIamMemberArrayOutput

type AttestorIamMemberCondition

// AttestorIamMemberCondition is the plain-value form of the condition attached
// to an AttestorIamMember. Description is optional (a pointer); Expression and
// Title are plain strings.
//
// NOTE(review): upstream gives no field descriptions here; presumably this is
// an IAM condition whose Expression restricts when the grant applies. Confirm
// against the provider documentation before relying on it.
type AttestorIamMemberCondition struct {
	Description *string `pulumi:"description"`
	Expression  string  `pulumi:"expression"`
	Title       string  `pulumi:"title"`
}

type AttestorIamMemberConditionArgs

// AttestorIamMemberConditionArgs is the input form of
// AttestorIamMemberCondition. Description is an optional input; Expression and
// Title are non-pointer inputs.
//
// NOTE(review): upstream gives no field descriptions here; presumably this is
// an IAM condition whose Expression restricts when the grant applies. Confirm
// against the provider documentation before relying on it.
type AttestorIamMemberConditionArgs struct {
	Description pulumi.StringPtrInput `pulumi:"description"`
	Expression  pulumi.StringInput    `pulumi:"expression"`
	Title       pulumi.StringInput    `pulumi:"title"`
}

func (AttestorIamMemberConditionArgs) ElementType

func (AttestorIamMemberConditionArgs) ToAttestorIamMemberConditionOutput

func (i AttestorIamMemberConditionArgs) ToAttestorIamMemberConditionOutput() AttestorIamMemberConditionOutput

func (AttestorIamMemberConditionArgs) ToAttestorIamMemberConditionOutputWithContext

func (i AttestorIamMemberConditionArgs) ToAttestorIamMemberConditionOutputWithContext(ctx context.Context) AttestorIamMemberConditionOutput

func (AttestorIamMemberConditionArgs) ToAttestorIamMemberConditionPtrOutput

func (i AttestorIamMemberConditionArgs) ToAttestorIamMemberConditionPtrOutput() AttestorIamMemberConditionPtrOutput

func (AttestorIamMemberConditionArgs) ToAttestorIamMemberConditionPtrOutputWithContext

func (i AttestorIamMemberConditionArgs) ToAttestorIamMemberConditionPtrOutputWithContext(ctx context.Context) AttestorIamMemberConditionPtrOutput

type AttestorIamMemberConditionInput

// AttestorIamMemberConditionInput is an input type that accepts
// AttestorIamMemberConditionArgs and AttestorIamMemberConditionOutput values.
type AttestorIamMemberConditionInput interface {
	pulumi.Input

	// Both methods yield the value as an AttestorIamMemberConditionOutput; the
	// second form takes a context.Context.
	ToAttestorIamMemberConditionOutput() AttestorIamMemberConditionOutput
	ToAttestorIamMemberConditionOutputWithContext(context.Context) AttestorIamMemberConditionOutput
}

AttestorIamMemberConditionInput is an input type that accepts AttestorIamMemberConditionArgs and AttestorIamMemberConditionOutput values. You can construct a concrete instance of `AttestorIamMemberConditionInput` via:

AttestorIamMemberConditionArgs{...}

type AttestorIamMemberConditionOutput

// AttestorIamMemberConditionOutput is the output form of
// AttestorIamMemberCondition; it embeds *pulumi.OutputState. This page lists
// Description, Expression and Title methods on it.
type AttestorIamMemberConditionOutput struct{ *pulumi.OutputState }

func (AttestorIamMemberConditionOutput) Description

func (AttestorIamMemberConditionOutput) ElementType

func (AttestorIamMemberConditionOutput) Expression

func (AttestorIamMemberConditionOutput) Title

func (AttestorIamMemberConditionOutput) ToAttestorIamMemberConditionOutput

func (o AttestorIamMemberConditionOutput) ToAttestorIamMemberConditionOutput() AttestorIamMemberConditionOutput

func (AttestorIamMemberConditionOutput) ToAttestorIamMemberConditionOutputWithContext

func (o AttestorIamMemberConditionOutput) ToAttestorIamMemberConditionOutputWithContext(ctx context.Context) AttestorIamMemberConditionOutput

func (AttestorIamMemberConditionOutput) ToAttestorIamMemberConditionPtrOutput

func (o AttestorIamMemberConditionOutput) ToAttestorIamMemberConditionPtrOutput() AttestorIamMemberConditionPtrOutput

func (AttestorIamMemberConditionOutput) ToAttestorIamMemberConditionPtrOutputWithContext

func (o AttestorIamMemberConditionOutput) ToAttestorIamMemberConditionPtrOutputWithContext(ctx context.Context) AttestorIamMemberConditionPtrOutput

type AttestorIamMemberConditionPtrInput

// AttestorIamMemberConditionPtrInput is an input type that accepts
// AttestorIamMemberConditionArgs, AttestorIamMemberConditionPtr and
// AttestorIamMemberConditionPtrOutput values. It is the type of the optional
// Condition field on AttestorIamMemberArgs and AttestorIamMemberState.
type AttestorIamMemberConditionPtrInput interface {
	pulumi.Input

	// Both methods yield the value as an AttestorIamMemberConditionPtrOutput;
	// the second form takes a context.Context.
	ToAttestorIamMemberConditionPtrOutput() AttestorIamMemberConditionPtrOutput
	ToAttestorIamMemberConditionPtrOutputWithContext(context.Context) AttestorIamMemberConditionPtrOutput
}

AttestorIamMemberConditionPtrInput is an input type that accepts AttestorIamMemberConditionArgs, AttestorIamMemberConditionPtr and AttestorIamMemberConditionPtrOutput values. You can construct a concrete instance of `AttestorIamMemberConditionPtrInput` via:

        AttestorIamMemberConditionArgs{...}

or:

        nil

type AttestorIamMemberConditionPtrOutput

// AttestorIamMemberConditionPtrOutput is the pointer-output form of
// AttestorIamMemberCondition; it embeds *pulumi.OutputState. This page lists
// Description, Elem, Expression and Title methods on it.
type AttestorIamMemberConditionPtrOutput struct{ *pulumi.OutputState }

func (AttestorIamMemberConditionPtrOutput) Description

func (AttestorIamMemberConditionPtrOutput) Elem

func (AttestorIamMemberConditionPtrOutput) ElementType

func (AttestorIamMemberConditionPtrOutput) Expression

func (AttestorIamMemberConditionPtrOutput) Title

func (AttestorIamMemberConditionPtrOutput) ToAttestorIamMemberConditionPtrOutput

func (o AttestorIamMemberConditionPtrOutput) ToAttestorIamMemberConditionPtrOutput() AttestorIamMemberConditionPtrOutput

func (AttestorIamMemberConditionPtrOutput) ToAttestorIamMemberConditionPtrOutputWithContext

func (o AttestorIamMemberConditionPtrOutput) ToAttestorIamMemberConditionPtrOutputWithContext(ctx context.Context) AttestorIamMemberConditionPtrOutput

type AttestorIamMemberInput

// AttestorIamMemberInput is an input type for values that can be converted to
// an AttestorIamMemberOutput. *AttestorIamMember declares both methods below.
type AttestorIamMemberInput interface {
	pulumi.Input

	// Both methods yield the value as an AttestorIamMemberOutput; the second
	// form takes a context.Context.
	ToAttestorIamMemberOutput() AttestorIamMemberOutput
	ToAttestorIamMemberOutputWithContext(ctx context.Context) AttestorIamMemberOutput
}

type AttestorIamMemberMap

// AttestorIamMemberMap maps string keys to AttestorIamMemberInput values; it is
// one of the concrete types accepted as an AttestorIamMemberMapInput.
type AttestorIamMemberMap map[string]AttestorIamMemberInput

func (AttestorIamMemberMap) ElementType

func (AttestorIamMemberMap) ElementType() reflect.Type

func (AttestorIamMemberMap) ToAttestorIamMemberMapOutput

func (i AttestorIamMemberMap) ToAttestorIamMemberMapOutput() AttestorIamMemberMapOutput

func (AttestorIamMemberMap) ToAttestorIamMemberMapOutputWithContext

func (i AttestorIamMemberMap) ToAttestorIamMemberMapOutputWithContext(ctx context.Context) AttestorIamMemberMapOutput

type AttestorIamMemberMapInput

// AttestorIamMemberMapInput is an input type that accepts AttestorIamMemberMap
// and AttestorIamMemberMapOutput values.
type AttestorIamMemberMapInput interface {
	pulumi.Input

	// Both methods yield the value as an AttestorIamMemberMapOutput; the second
	// form takes a context.Context.
	ToAttestorIamMemberMapOutput() AttestorIamMemberMapOutput
	ToAttestorIamMemberMapOutputWithContext(context.Context) AttestorIamMemberMapOutput
}

AttestorIamMemberMapInput is an input type that accepts AttestorIamMemberMap and AttestorIamMemberMapOutput values. You can construct a concrete instance of `AttestorIamMemberMapInput` via:

AttestorIamMemberMap{ "key": AttestorIamMemberArgs{...} }

type AttestorIamMemberMapOutput

// AttestorIamMemberMapOutput is the output counterpart of AttestorIamMemberMap;
// it embeds *pulumi.OutputState.
type AttestorIamMemberMapOutput struct{ *pulumi.OutputState }

func (AttestorIamMemberMapOutput) ElementType

func (AttestorIamMemberMapOutput) ElementType() reflect.Type

func (AttestorIamMemberMapOutput) MapIndex

func (AttestorIamMemberMapOutput) ToAttestorIamMemberMapOutput

func (o AttestorIamMemberMapOutput) ToAttestorIamMemberMapOutput() AttestorIamMemberMapOutput

func (AttestorIamMemberMapOutput) ToAttestorIamMemberMapOutputWithContext

func (o AttestorIamMemberMapOutput) ToAttestorIamMemberMapOutputWithContext(ctx context.Context) AttestorIamMemberMapOutput

type AttestorIamMemberOutput

// AttestorIamMemberOutput is the output form of an AttestorIamMember resource;
// it embeds *pulumi.OutputState. This page lists Attestor, Condition, Etag,
// Member, Project and Role methods on it.
type AttestorIamMemberOutput struct{ *pulumi.OutputState }

func (AttestorIamMemberOutput) Attestor

Used to find the parent resource to bind the IAM policy to

func (AttestorIamMemberOutput) Condition

func (AttestorIamMemberOutput) ElementType

func (AttestorIamMemberOutput) ElementType() reflect.Type

func (AttestorIamMemberOutput) Etag

(Computed) The etag of the IAM policy.

func (AttestorIamMemberOutput) Member

Identities that will be granted the privilege in `role`. Each entry can have one of the following values:

* **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
* **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
* **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
* **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
* **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
* **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
* **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
* **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
* **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"

Because `allUsers` and `allAuthenticatedUsers` cover identities outside your organization, use them on an attestor only when that breadth of access is intended.

func (AttestorIamMemberOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (AttestorIamMemberOutput) Role

The role that should be applied. Only one `binaryauthorization.AttestorIamBinding` can be used per role. Note that custom roles must be of the format `[projects|organizations]/{parent-name}/roles/{role-name}`.

func (AttestorIamMemberOutput) ToAttestorIamMemberOutput

func (o AttestorIamMemberOutput) ToAttestorIamMemberOutput() AttestorIamMemberOutput

func (AttestorIamMemberOutput) ToAttestorIamMemberOutputWithContext

func (o AttestorIamMemberOutput) ToAttestorIamMemberOutputWithContext(ctx context.Context) AttestorIamMemberOutput

type AttestorIamMemberState

// AttestorIamMemberState holds the optional state properties that
// GetAttestorIamMember accepts to uniquely qualify a lookup of an existing
// AttestorIamMember. Every field is an optional (pointer) input.
type AttestorIamMemberState struct {
	// Attestor is used to find the parent resource to bind the IAM policy to.
	// Condition (declared next) has no upstream description; its fields are
	// declared on AttestorIamMemberConditionArgs (title, expression, optional description).
	Attestor  pulumi.StringPtrInput
	Condition AttestorIamMemberConditionPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// Member is the identity that will be granted the privilege in `role`.
	// It can have one of the following values:
	// * **allUsers**: A special identifier that represents anyone who is on the internet; with or without a Google account.
	// * **allAuthenticatedUsers**: A special identifier that represents anyone who is authenticated with a Google account or a service account.
	// * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
	// * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
	// * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
	// * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
	// * **projectOwner:projectid**: Owners of the given project. For example, "projectOwner:my-example-project"
	// * **projectEditor:projectid**: Editors of the given project. For example, "projectEditor:my-example-project"
	// * **projectViewer:projectid**: Viewers of the given project. For example, "projectViewer:my-example-project"
	//
	// NOTE(review): allUsers and allAuthenticatedUsers extend the grant to
	// identities outside your organization; confirm that is intended before
	// using either on an attestor.
	Member pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
	// The role that should be applied. Only one
	// `binaryauthorization.AttestorIamBinding` can be used per role. Note that custom roles must be of the format
	// `[projects|organizations]/{parent-name}/roles/{role-name}`.
	Role pulumi.StringPtrInput
}

func (AttestorIamMemberState) ElementType

func (AttestorIamMemberState) ElementType() reflect.Type

type AttestorIamPolicy

// AttestorIamPolicy sets the IAM policy of a Binary Authorization attestor.
// This package documents it as authoritative: it replaces any existing policy
// already attached to the attestor, and it cannot be combined with
// AttestorIamBinding or AttestorIamMember on the same attestor.
type AttestorIamPolicy struct {
	pulumi.CustomResourceState

	// Used to find the parent resource to bind the IAM policy to
	Attestor pulumi.StringOutput `pulumi:"attestor"`
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringOutput `pulumi:"etag"`
	// The policy data generated by
	// a `organizations.getIAMPolicy` data source.
	// Because the resource is authoritative, this document becomes the
	// attestor's whole policy; grants not present in it do not survive an update.
	PolicyData pulumi.StringOutput `pulumi:"policyData"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringOutput `pulumi:"project"`
}

Three different resources help you manage your IAM policy for Binary Authorization Attestor. Each of these resources serves a different use case:

* `binaryauthorization.AttestorIamPolicy`: Authoritative. Sets the IAM policy for the attestor and replaces any existing policy already attached.
* `binaryauthorization.AttestorIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the attestor are preserved.
* `binaryauthorization.AttestorIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the attestor are preserved.

A data source can be used to retrieve policy data when you only need to read the policy and do not need to create one:

* `binaryauthorization.AttestorIamPolicy`: Retrieves the IAM policy for the attestor

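> **Note:** `binaryauthorization.AttestorIamPolicy` **cannot** be used in conjunction with `binaryauthorization.AttestorIamBinding` and `binaryauthorization.AttestorIamMember` or they will fight over what your policy should be. Because `AttestorIamPolicy` is authoritative, each time it is applied it replaces the whole policy, including grants made through the other two resources.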

> **Note:** `binaryauthorization.AttestorIamBinding` resources **can be** used in conjunction with `binaryauthorization.AttestorIamMember` resources **only if** they do not grant privilege to the same role.

## binaryauthorization.AttestorIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main sets the complete IAM policy of an attestor from a generated policy
// document.
//
// AttestorIamPolicy is authoritative: the policy data below replaces any
// policy already attached to the attestor. `attestor` is not declared in this
// snippet; it stands for an Attestor resource defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// One binding: roles/viewer for a single named user.
		viewers := organizations.GetIAMPolicyBinding{
			Role:    "roles/viewer",
			Members: []string{"user:jane@example.com"},
		}
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{viewers},
		}, nil)
		if err != nil {
			return err
		}

		policyArgs := &binaryauthorization.AttestorIamPolicyArgs{
			Project:    pulumi.Any(attestor.Project),
			Attestor:   pulumi.Any(attestor.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		}
		// The resource handle is not needed; only the registration error matters.
		_, err = binaryauthorization.NewAttestorIamPolicy(ctx, "policy", policyArgs)
		return err
	})
}

```

## binaryauthorization.AttestorIamBinding

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main grants roles/viewer on an attestor to a list of members.
//
// AttestorIamBinding is authoritative for the named role: the Members list
// becomes the full membership of that role, while other roles in the policy
// are preserved. `attestor` is not declared in this snippet; it stands for an
// Attestor resource defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		bindingArgs := &binaryauthorization.AttestorIamBindingArgs{
			Project:  pulumi.Any(attestor.Project),
			Attestor: pulumi.Any(attestor.Name),
			Role:     pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		// The resource handle is not needed; only the registration error matters.
		_, err := binaryauthorization.NewAttestorIamBinding(ctx, "binding", bindingArgs)
		return err
	})
}

```

## binaryauthorization.AttestorIamMember

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main adds one member to roles/viewer on an attestor.
//
// AttestorIamMember is non-authoritative: other members already holding the
// role are preserved. `attestor` is not declared in this snippet; it stands
// for an Attestor resource defined elsewhere in the program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		memberArgs := &binaryauthorization.AttestorIamMemberArgs{
			Project:  pulumi.Any(attestor.Project),
			Attestor: pulumi.Any(attestor.Name),
			Role:     pulumi.String("roles/viewer"),
			Member:   pulumi.String("user:jane@example.com"),
		}
		// The resource handle is not needed; only the registration error matters.
		_, err := binaryauthorization.NewAttestorIamMember(ctx, "member", memberArgs)
		return err
	})
}

```

## This resource supports User Project Overrides.

-

# IAM policy for Binary Authorization Attestor

Three different resources help you manage your IAM policy for Binary Authorization Attestor. Each of these resources serves a different use case:

* `binaryauthorization.AttestorIamPolicy`: Authoritative. Sets the IAM policy for the attestor and replaces any existing policy already attached.
* `binaryauthorization.AttestorIamBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the attestor are preserved.
* `binaryauthorization.AttestorIamMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the attestor are preserved.

A data source can be used to retrieve policy data when you only need to read the policy and do not need to create one:

* `binaryauthorization.AttestorIamPolicy`: Retrieves the IAM policy for the attestor

> **Note:** `binaryauthorization.AttestorIamPolicy` **cannot** be used in conjunction with `binaryauthorization.AttestorIamBinding` and `binaryauthorization.AttestorIamMember` or they will fight over what your policy should be.

> **Note:** `binaryauthorization.AttestorIamBinding` resources **can be** used in conjunction with `binaryauthorization.AttestorIamMember` resources **only if** they do not grant privilege to the same role.

## binaryauthorization.AttestorIamPolicy

```go package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main builds IAM policy data with one binding and applies it to an attestor
// as the attestor's complete IAM policy.
//
// AttestorIamPolicy is authoritative: it replaces any policy already attached
// to the attestor, so every binding that must survive has to be listed in the
// policy data. It must not be combined with AttestorIamBinding or
// AttestorIamMember on the same attestor.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The only binding the resulting policy will contain.
		viewerBinding := organizations.GetIAMPolicyBinding{
			Role: "roles/viewer",
			Members: []string{
				"user:jane@example.com",
			},
		}
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{viewerBinding},
		}, nil)
		if err != nil {
			return err
		}

		// NOTE(review): `attestor` is not declared in this snippet; it stands for
		// an Attestor resource created elsewhere in the program.
		policyArgs := &binaryauthorization.AttestorIamPolicyArgs{
			Project:    pulumi.Any(attestor.Project),
			Attestor:   pulumi.Any(attestor.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		}
		if _, err = binaryauthorization.NewAttestorIamPolicy(ctx, "policy", policyArgs); err != nil {
			return err
		}
		return nil
	})
}

```

## binaryauthorization.AttestorIamBinding

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main sets the full member list of one role on an existing attestor.
//
// AttestorIamBinding is authoritative for the given role: Members is the list
// the role is granted to, while other roles in the attestor's IAM policy are
// preserved. It may be used next to AttestorIamMember only when the two do not
// grant the same role.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE(review): `attestor` is not declared in this snippet; it stands for
		// an Attestor resource created elsewhere in the program.
		bindingArgs := &binaryauthorization.AttestorIamBindingArgs{
			Project:  pulumi.Any(attestor.Project),
			Attestor: pulumi.Any(attestor.Name),
			Role:     pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		}
		if _, err := binaryauthorization.NewAttestorIamBinding(ctx, "binding", bindingArgs); err != nil {
			return err
		}
		return nil
	})
}

```

## binaryauthorization.AttestorIamMember

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main adds a single member to one role on an existing attestor.
//
// AttestorIamMember is non-authoritative: other members already holding the
// role on the attestor are preserved. It must not be combined with
// AttestorIamPolicy, and may share an attestor with AttestorIamBinding only if
// the two do not grant the same role.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE(review): `attestor` is not declared in this snippet; it stands for
		// an Attestor resource created elsewhere in the program.
		memberArgs := &binaryauthorization.AttestorIamMemberArgs{
			Project:  pulumi.Any(attestor.Project),
			Attestor: pulumi.Any(attestor.Name),
			Role:     pulumi.String("roles/viewer"),
			Member:   pulumi.String("user:jane@example.com"),
		}
		if _, err := binaryauthorization.NewAttestorIamMember(ctx, "member", memberArgs); err != nil {
			return err
		}
		return nil
	})
}

```

## Import

For all import syntaxes, the "resource in question" can take any of the following forms:

* projects/{{project}}/attestors/{{name}}

* {{project}}/{{name}}

* {{name}}

Any variables not passed in the import command will be taken from the provider configuration.

Binary Authorization attestor IAM resources can be imported using the resource identifiers, role, and member.

IAM member imports use space-delimited identifiers: the resource in question, the role, and the member identity, e.g.

```sh
$ pulumi import gcp:binaryauthorization/attestorIamPolicy:AttestorIamPolicy editor "projects/{{project}}/attestors/{{attestor}} roles/viewer user:jane@example.com"
```

IAM binding imports use space-delimited identifiers: the resource in question and the role, e.g.

```sh
$ pulumi import gcp:binaryauthorization/attestorIamPolicy:AttestorIamPolicy editor "projects/{{project}}/attestors/{{attestor}} roles/viewer"
```

IAM policy imports use the identifier of the resource in question, e.g.

```sh
$ pulumi import gcp:binaryauthorization/attestorIamPolicy:AttestorIamPolicy editor projects/{{project}}/attestors/{{attestor}}
```

> **Custom Roles**: If you're importing an IAM resource with a custom role, make sure to use the full name of the custom role, e.g. `[projects/my-project|organizations/my-org]/roles/my-custom-role`.

func GetAttestorIamPolicy

func GetAttestorIamPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *AttestorIamPolicyState, opts ...pulumi.ResourceOption) (*AttestorIamPolicy, error)

GetAttestorIamPolicy gets an existing AttestorIamPolicy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewAttestorIamPolicy

func NewAttestorIamPolicy(ctx *pulumi.Context,
	name string, args *AttestorIamPolicyArgs, opts ...pulumi.ResourceOption) (*AttestorIamPolicy, error)

NewAttestorIamPolicy registers a new resource with the given unique name, arguments, and options.

func (*AttestorIamPolicy) ElementType

func (*AttestorIamPolicy) ElementType() reflect.Type

func (*AttestorIamPolicy) ToAttestorIamPolicyOutput

func (i *AttestorIamPolicy) ToAttestorIamPolicyOutput() AttestorIamPolicyOutput

func (*AttestorIamPolicy) ToAttestorIamPolicyOutputWithContext

func (i *AttestorIamPolicy) ToAttestorIamPolicyOutputWithContext(ctx context.Context) AttestorIamPolicyOutput

type AttestorIamPolicyArgs

// AttestorIamPolicyArgs is the set of arguments for constructing an
// AttestorIamPolicy resource.
//
// AttestorIamPolicy is authoritative: it sets the IAM policy for the attestor
// and replaces any existing policy already attached, so PolicyData must carry
// every binding that is meant to remain on the attestor.
type AttestorIamPolicyArgs struct {
	// Used to find the parent resource to bind the IAM policy to.
	Attestor pulumi.StringInput
	// The policy data generated by
	// an `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
}

The set of arguments for constructing an AttestorIamPolicy resource.

func (AttestorIamPolicyArgs) ElementType

func (AttestorIamPolicyArgs) ElementType() reflect.Type

type AttestorIamPolicyArray

type AttestorIamPolicyArray []AttestorIamPolicyInput

func (AttestorIamPolicyArray) ElementType

func (AttestorIamPolicyArray) ElementType() reflect.Type

func (AttestorIamPolicyArray) ToAttestorIamPolicyArrayOutput

func (i AttestorIamPolicyArray) ToAttestorIamPolicyArrayOutput() AttestorIamPolicyArrayOutput

func (AttestorIamPolicyArray) ToAttestorIamPolicyArrayOutputWithContext

func (i AttestorIamPolicyArray) ToAttestorIamPolicyArrayOutputWithContext(ctx context.Context) AttestorIamPolicyArrayOutput

type AttestorIamPolicyArrayInput

// AttestorIamPolicyArrayInput is an input type that accepts
// AttestorIamPolicyArray and AttestorIamPolicyArrayOutput values.
type AttestorIamPolicyArrayInput interface {
	pulumi.Input

	// Conversion to the output form, without and with an explicit context.
	ToAttestorIamPolicyArrayOutput() AttestorIamPolicyArrayOutput
	ToAttestorIamPolicyArrayOutputWithContext(context.Context) AttestorIamPolicyArrayOutput
}

AttestorIamPolicyArrayInput is an input type that accepts AttestorIamPolicyArray and AttestorIamPolicyArrayOutput values. You can construct a concrete instance of `AttestorIamPolicyArrayInput` via:

AttestorIamPolicyArray{ AttestorIamPolicyArgs{...} }

type AttestorIamPolicyArrayOutput

type AttestorIamPolicyArrayOutput struct{ *pulumi.OutputState }

func (AttestorIamPolicyArrayOutput) ElementType

func (AttestorIamPolicyArrayOutput) Index

func (AttestorIamPolicyArrayOutput) ToAttestorIamPolicyArrayOutput

func (o AttestorIamPolicyArrayOutput) ToAttestorIamPolicyArrayOutput() AttestorIamPolicyArrayOutput

func (AttestorIamPolicyArrayOutput) ToAttestorIamPolicyArrayOutputWithContext

func (o AttestorIamPolicyArrayOutput) ToAttestorIamPolicyArrayOutputWithContext(ctx context.Context) AttestorIamPolicyArrayOutput

type AttestorIamPolicyInput

// AttestorIamPolicyInput is a pulumi.Input that can be converted to an
// AttestorIamPolicyOutput. *AttestorIamPolicy and AttestorIamPolicyOutput both
// declare the two conversion methods listed here.
type AttestorIamPolicyInput interface {
	pulumi.Input

	// Conversion to the output form, without and with an explicit context.
	ToAttestorIamPolicyOutput() AttestorIamPolicyOutput
	ToAttestorIamPolicyOutputWithContext(ctx context.Context) AttestorIamPolicyOutput
}

type AttestorIamPolicyMap

type AttestorIamPolicyMap map[string]AttestorIamPolicyInput

func (AttestorIamPolicyMap) ElementType

func (AttestorIamPolicyMap) ElementType() reflect.Type

func (AttestorIamPolicyMap) ToAttestorIamPolicyMapOutput

func (i AttestorIamPolicyMap) ToAttestorIamPolicyMapOutput() AttestorIamPolicyMapOutput

func (AttestorIamPolicyMap) ToAttestorIamPolicyMapOutputWithContext

func (i AttestorIamPolicyMap) ToAttestorIamPolicyMapOutputWithContext(ctx context.Context) AttestorIamPolicyMapOutput

type AttestorIamPolicyMapInput

// AttestorIamPolicyMapInput is an input type that accepts AttestorIamPolicyMap
// and AttestorIamPolicyMapOutput values.
type AttestorIamPolicyMapInput interface {
	pulumi.Input

	// Conversion to the output form, without and with an explicit context.
	ToAttestorIamPolicyMapOutput() AttestorIamPolicyMapOutput
	ToAttestorIamPolicyMapOutputWithContext(context.Context) AttestorIamPolicyMapOutput
}

AttestorIamPolicyMapInput is an input type that accepts AttestorIamPolicyMap and AttestorIamPolicyMapOutput values. You can construct a concrete instance of `AttestorIamPolicyMapInput` via:

AttestorIamPolicyMap{ "key": AttestorIamPolicyArgs{...} }

type AttestorIamPolicyMapOutput

type AttestorIamPolicyMapOutput struct{ *pulumi.OutputState }

func (AttestorIamPolicyMapOutput) ElementType

func (AttestorIamPolicyMapOutput) ElementType() reflect.Type

func (AttestorIamPolicyMapOutput) MapIndex

func (AttestorIamPolicyMapOutput) ToAttestorIamPolicyMapOutput

func (o AttestorIamPolicyMapOutput) ToAttestorIamPolicyMapOutput() AttestorIamPolicyMapOutput

func (AttestorIamPolicyMapOutput) ToAttestorIamPolicyMapOutputWithContext

func (o AttestorIamPolicyMapOutput) ToAttestorIamPolicyMapOutputWithContext(ctx context.Context) AttestorIamPolicyMapOutput

type AttestorIamPolicyOutput

type AttestorIamPolicyOutput struct{ *pulumi.OutputState }

func (AttestorIamPolicyOutput) Attestor

Used to find the parent resource to bind the IAM policy to

func (AttestorIamPolicyOutput) ElementType

func (AttestorIamPolicyOutput) ElementType() reflect.Type

func (AttestorIamPolicyOutput) Etag

(Computed) The etag of the IAM policy.

func (AttestorIamPolicyOutput) PolicyData

The policy data generated by a `organizations.getIAMPolicy` data source.

func (AttestorIamPolicyOutput) Project

The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.

func (AttestorIamPolicyOutput) ToAttestorIamPolicyOutput

func (o AttestorIamPolicyOutput) ToAttestorIamPolicyOutput() AttestorIamPolicyOutput

func (AttestorIamPolicyOutput) ToAttestorIamPolicyOutputWithContext

func (o AttestorIamPolicyOutput) ToAttestorIamPolicyOutputWithContext(ctx context.Context) AttestorIamPolicyOutput

type AttestorIamPolicyState

// AttestorIamPolicyState holds the optional state properties passed to
// GetAttestorIamPolicy to qualify the lookup of an existing AttestorIamPolicy
// resource. Every field is a pointer input and may be left unset.
type AttestorIamPolicyState struct {
	// Used to find the parent resource to bind the IAM policy to.
	Attestor pulumi.StringPtrInput
	// (Computed) The etag of the IAM policy.
	Etag pulumi.StringPtrInput
	// The policy data generated by
	// an `organizations.getIAMPolicy` data source.
	PolicyData pulumi.StringPtrInput
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput
}

func (AttestorIamPolicyState) ElementType

func (AttestorIamPolicyState) ElementType() reflect.Type

type AttestorInput

// AttestorInput is a pulumi.Input that can be converted to an AttestorOutput.
// AttestorOutput itself declares both conversion methods listed here.
type AttestorInput interface {
	pulumi.Input

	// Conversion to the output form, without and with an explicit context.
	ToAttestorOutput() AttestorOutput
	ToAttestorOutputWithContext(ctx context.Context) AttestorOutput
}

type AttestorMap

type AttestorMap map[string]AttestorInput

func (AttestorMap) ElementType

func (AttestorMap) ElementType() reflect.Type

func (AttestorMap) ToAttestorMapOutput

func (i AttestorMap) ToAttestorMapOutput() AttestorMapOutput

func (AttestorMap) ToAttestorMapOutputWithContext

func (i AttestorMap) ToAttestorMapOutputWithContext(ctx context.Context) AttestorMapOutput

type AttestorMapInput

// AttestorMapInput is an input type that accepts AttestorMap and
// AttestorMapOutput values.
type AttestorMapInput interface {
	pulumi.Input

	// Conversion to the output form, without and with an explicit context.
	ToAttestorMapOutput() AttestorMapOutput
	ToAttestorMapOutputWithContext(context.Context) AttestorMapOutput
}

AttestorMapInput is an input type that accepts AttestorMap and AttestorMapOutput values. You can construct a concrete instance of `AttestorMapInput` via:

AttestorMap{ "key": AttestorArgs{...} }

type AttestorMapOutput

type AttestorMapOutput struct{ *pulumi.OutputState }

func (AttestorMapOutput) ElementType

func (AttestorMapOutput) ElementType() reflect.Type

func (AttestorMapOutput) MapIndex

func (AttestorMapOutput) ToAttestorMapOutput

func (o AttestorMapOutput) ToAttestorMapOutput() AttestorMapOutput

func (AttestorMapOutput) ToAttestorMapOutputWithContext

func (o AttestorMapOutput) ToAttestorMapOutputWithContext(ctx context.Context) AttestorMapOutput

type AttestorOutput

type AttestorOutput struct{ *pulumi.OutputState }

func (AttestorOutput) AttestationAuthorityNote

func (o AttestorOutput) AttestationAuthorityNote() AttestorAttestationAuthorityNoteOutput

A Container Analysis ATTESTATION_AUTHORITY Note, created by the user. Structure is documented below.

func (AttestorOutput) Description

func (o AttestorOutput) Description() pulumi.StringPtrOutput

A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.

func (AttestorOutput) ElementType

func (AttestorOutput) ElementType() reflect.Type

func (AttestorOutput) Name

The resource name.

func (AttestorOutput) Project

func (o AttestorOutput) Project() pulumi.StringOutput

func (AttestorOutput) ToAttestorOutput

func (o AttestorOutput) ToAttestorOutput() AttestorOutput

func (AttestorOutput) ToAttestorOutputWithContext

func (o AttestorOutput) ToAttestorOutputWithContext(ctx context.Context) AttestorOutput

type AttestorState

// AttestorState mirrors the properties of the Attestor resource as optional
// pointer inputs.
// NOTE(review): presumably the state argument of the Attestor lookup function,
// by analogy with GetAttestorIamPolicy and AttestorIamPolicyState — confirm.
type AttestorState struct {
	// A Container Analysis ATTESTATION_AUTHORITY Note, created by the user.
	// Structure is documented below.
	AttestationAuthorityNote AttestorAttestationAuthorityNotePtrInput
	// A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.
	Description pulumi.StringPtrInput
	// The resource name.
	Name    pulumi.StringPtrInput
	// Project carries no description here; presumably the ID of the project the
	// attestor belongs to — confirm against the provider documentation.
	Project pulumi.StringPtrInput
}

func (AttestorState) ElementType

func (AttestorState) ElementType() reflect.Type

type LookupAttestorIamPolicyArgs

// LookupAttestorIamPolicyArgs is the collection of arguments for invoking
// getAttestorIamPolicy with plain Go values.
type LookupAttestorIamPolicyArgs struct {
	// Used to find the parent resource to bind the IAM policy to.
	Attestor string `pulumi:"attestor"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project *string `pulumi:"project"`
}

A collection of arguments for invoking getAttestorIamPolicy.

type LookupAttestorIamPolicyOutputArgs

// LookupAttestorIamPolicyOutputArgs is the collection of arguments for invoking
// getAttestorIamPolicy, with the same fields as LookupAttestorIamPolicyArgs
// expressed as pulumi input types.
type LookupAttestorIamPolicyOutputArgs struct {
	// Used to find the parent resource to bind the IAM policy to.
	Attestor pulumi.StringInput `pulumi:"attestor"`
	// The ID of the project in which the resource belongs.
	// If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
	Project pulumi.StringPtrInput `pulumi:"project"`
}

A collection of arguments for invoking getAttestorIamPolicy.

func (LookupAttestorIamPolicyOutputArgs) ElementType

type LookupAttestorIamPolicyResult

// LookupAttestorIamPolicyResult is the collection of values returned by
// getAttestorIamPolicy.
type LookupAttestorIamPolicyResult struct {
	// Attestor carries no description here; presumably the attestor that was
	// looked up — confirm against the provider documentation.
	Attestor string `pulumi:"attestor"`
	// (Computed) The etag of the IAM policy.
	Etag string `pulumi:"etag"`
	// The provider-assigned unique ID for this managed resource.
	Id string `pulumi:"id"`
	// (Required only by `binaryauthorization.AttestorIamPolicy`) The policy data generated by
	// an `organizations.getIAMPolicy` data source.
	PolicyData string `pulumi:"policyData"`
	// Project carries no description here; presumably the project the attestor
	// belongs to — confirm against the provider documentation.
	Project    string `pulumi:"project"`
}

A collection of values returned by getAttestorIamPolicy.

func LookupAttestorIamPolicy

func LookupAttestorIamPolicy(ctx *pulumi.Context, args *LookupAttestorIamPolicyArgs, opts ...pulumi.InvokeOption) (*LookupAttestorIamPolicyResult, error)

Retrieves the current IAM policy data for the attestor.

## example

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main reads the IAM policy currently attached to an attestor without
// creating or changing anything.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// NOTE(review): `attestor` is not declared in this snippet; it stands for
		// values describing an existing attestor.
		lookupArgs := &binaryauthorization.LookupAttestorIamPolicyArgs{
			Project:  pulumi.StringRef(attestor.Project),
			Attestor: attestor.Name,
		}
		// The result is discarded here; a real program would read its PolicyData
		// and Etag fields.
		if _, err := binaryauthorization.LookupAttestorIamPolicy(ctx, lookupArgs, nil); err != nil {
			return err
		}
		return nil
	})
}

```

type LookupAttestorIamPolicyResultOutput

type LookupAttestorIamPolicyResultOutput struct{ *pulumi.OutputState }

A collection of values returned by getAttestorIamPolicy.

func (LookupAttestorIamPolicyResultOutput) Attestor

func (LookupAttestorIamPolicyResultOutput) ElementType

func (LookupAttestorIamPolicyResultOutput) Etag

(Computed) The etag of the IAM policy.

func (LookupAttestorIamPolicyResultOutput) Id

The provider-assigned unique ID for this managed resource.

func (LookupAttestorIamPolicyResultOutput) PolicyData

(Required only by `binaryauthorization.AttestorIamPolicy`) The policy data generated by a `organizations.getIAMPolicy` data source.

func (LookupAttestorIamPolicyResultOutput) Project

func (LookupAttestorIamPolicyResultOutput) ToLookupAttestorIamPolicyResultOutput

func (o LookupAttestorIamPolicyResultOutput) ToLookupAttestorIamPolicyResultOutput() LookupAttestorIamPolicyResultOutput

func (LookupAttestorIamPolicyResultOutput) ToLookupAttestorIamPolicyResultOutputWithContext

func (o LookupAttestorIamPolicyResultOutput) ToLookupAttestorIamPolicyResultOutputWithContext(ctx context.Context) LookupAttestorIamPolicyResultOutput

type Policy

// Policy is a policy for container image binary authorization.
//
// Evaluation order as far as the field descriptions state it: images matching
// AdmissionWhitelistPatterns are always permitted; a cluster listed in
// ClusterAdmissionRules uses its own rule; every other cluster falls back to
// DefaultAdmissionRule.
type Policy struct {
	pulumi.CustomResourceState

	// A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the
	// image's admission requests will always be permitted regardless of your admission rules.
	// Because a match bypasses every rule, including REQUIRE_ATTESTATION, keep these patterns as narrow as possible.
	AdmissionWhitelistPatterns PolicyAdmissionWhitelistPatternArrayOutput `pulumi:"admissionWhitelistPatterns"`
	// Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request
	// must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be
	// denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A
	// location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
	ClusterAdmissionRules PolicyClusterAdmissionRuleArrayOutput `pulumi:"clusterAdmissionRules"`
	// Default admission rule for a cluster without a per-cluster admission
	// rule.
	// Structure is documented below.
	DefaultAdmissionRule PolicyDefaultAdmissionRuleOutput `pulumi:"defaultAdmissionRule"`
	// A descriptive comment.
	Description pulumi.StringPtrOutput `pulumi:"description"`
	// Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not
	// covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
	GlobalPolicyEvaluationMode pulumi.StringOutput `pulumi:"globalPolicyEvaluationMode"`
	// Project carries no description here; presumably the ID of the project the
	// policy belongs to — confirm against the provider documentation.
	Project                    pulumi.StringOutput `pulumi:"project"`
}

A policy for container image binary authorization.

To get more information about Policy, see:

* [API documentation](https://cloud.google.com/binary-authorization/docs/reference/rest/) * How-to Guides

## Example Usage

### Binary Authorization Policy Basic

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/containeranalysis"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main declares a Container Analysis note, an attestor that references the
// note, and a Binary Authorization policy that requires that attestor for one
// named cluster.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		noteArgs := &containeranalysis.NoteArgs{
			Name: pulumi.String("test-attestor-note"),
			AttestationAuthority: &containeranalysis.NoteAttestationAuthorityArgs{
				Hint: &containeranalysis.NoteAttestationAuthorityHintArgs{
					HumanReadableName: pulumi.String("My attestor"),
				},
			},
		}
		note, err := containeranalysis.NewNote(ctx, "note", noteArgs)
		if err != nil {
			return err
		}

		attestorArgs := &binaryauthorization.AttestorArgs{
			Name: pulumi.String("test-attestor"),
			AttestationAuthorityNote: &binaryauthorization.AttestorAttestationAuthorityNoteArgs{
				NoteReference: note.Name,
			},
		}
		attestor, err := binaryauthorization.NewAttestor(ctx, "attestor", attestorArgs)
		if err != nil {
			return err
		}

		policyArgs := &binaryauthorization.PolicyArgs{
			// Images whose name matches a whitelist pattern are always permitted,
			// regardless of the admission rules below; keep patterns narrow.
			AdmissionWhitelistPatterns: binaryauthorization.PolicyAdmissionWhitelistPatternArray{
				&binaryauthorization.PolicyAdmissionWhitelistPatternArgs{
					NamePattern: pulumi.String("gcr.io/google_containers/*"),
				},
			},
			// The default rule covers every cluster without a per-cluster rule.
			// With ALWAYS_ALLOW, those clusters admit images without attestation;
			// only the cluster listed below is protected in this example.
			DefaultAdmissionRule: &binaryauthorization.PolicyDefaultAdmissionRuleArgs{
				EvaluationMode:  pulumi.String("ALWAYS_ALLOW"),
				EnforcementMode: pulumi.String("ENFORCED_BLOCK_AND_AUDIT_LOG"),
			},
			ClusterAdmissionRules: binaryauthorization.PolicyClusterAdmissionRuleArray{
				&binaryauthorization.PolicyClusterAdmissionRuleArgs{
					Cluster:         pulumi.String("us-central1-a.prod-cluster"),
					EvaluationMode:  pulumi.String("REQUIRE_ATTESTATION"),
					EnforcementMode: pulumi.String("ENFORCED_BLOCK_AND_AUDIT_LOG"),
					RequireAttestationsBies: pulumi.StringArray{
						attestor.Name,
					},
				},
			},
		}
		if _, err = binaryauthorization.NewPolicy(ctx, "policy", policyArgs); err != nil {
			return err
		}
		return nil
	})
}

```

### Binary Authorization Policy Global Evaluation

```go
package main

import (

"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi-gcp/sdk/v8/go/gcp/containeranalysis"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"

)

// main declares a Container Analysis note, an attestor that references the
// note, and a Binary Authorization policy whose default rule requires that
// attestor, with evaluation of the global policy enabled.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		noteArgs := &containeranalysis.NoteArgs{
			Name: pulumi.String("test-attestor-note"),
			AttestationAuthority: &containeranalysis.NoteAttestationAuthorityArgs{
				Hint: &containeranalysis.NoteAttestationAuthorityHintArgs{
					HumanReadableName: pulumi.String("My attestor"),
				},
			},
		}
		note, err := containeranalysis.NewNote(ctx, "note", noteArgs)
		if err != nil {
			return err
		}

		attestorArgs := &binaryauthorization.AttestorArgs{
			Name: pulumi.String("test-attestor"),
			AttestationAuthorityNote: &binaryauthorization.AttestorAttestationAuthorityNoteArgs{
				NoteReference: note.Name,
			},
		}
		attestor, err := binaryauthorization.NewAttestor(ctx, "attestor", attestorArgs)
		if err != nil {
			return err
		}

		policyArgs := &binaryauthorization.PolicyArgs{
			// REQUIRE_ATTESTATION as the default means clusters without their own
			// rule still need an attestation from the listed attestor.
			DefaultAdmissionRule: &binaryauthorization.PolicyDefaultAdmissionRuleArgs{
				EvaluationMode:  pulumi.String("REQUIRE_ATTESTATION"),
				EnforcementMode: pulumi.String("ENFORCED_BLOCK_AND_AUDIT_LOG"),
				RequireAttestationsBies: pulumi.StringArray{
					attestor.Name,
				},
			},
			// ENABLE evaluates the Google-maintained global admission policy for
			// common system-level images; images it does not cover remain subject
			// to the project admission policy.
			GlobalPolicyEvaluationMode: pulumi.String("ENABLE"),
		}
		if _, err = binaryauthorization.NewPolicy(ctx, "policy", policyArgs); err != nil {
			return err
		}
		return nil
	})
}

```

## Import

Policy can be imported using any of these accepted formats:

* `projects/{{project}}`

* `{{project}}`

When using the `pulumi import` command, Policy can be imported using one of the formats above. For example:

```sh
$ pulumi import gcp:binaryauthorization/policy:Policy default projects/{{project}}
```

```sh
$ pulumi import gcp:binaryauthorization/policy:Policy default {{project}}
```

func GetPolicy

func GetPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *PolicyState, opts ...pulumi.ResourceOption) (*Policy, error)

GetPolicy gets an existing Policy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewPolicy

func NewPolicy(ctx *pulumi.Context,
	name string, args *PolicyArgs, opts ...pulumi.ResourceOption) (*Policy, error)

NewPolicy registers a new resource with the given unique name, arguments, and options.

func (*Policy) ElementType

func (*Policy) ElementType() reflect.Type

func (*Policy) ToPolicyOutput

func (i *Policy) ToPolicyOutput() PolicyOutput

func (*Policy) ToPolicyOutputWithContext

func (i *Policy) ToPolicyOutputWithContext(ctx context.Context) PolicyOutput

type PolicyAdmissionWhitelistPattern

// PolicyAdmissionWhitelistPattern is one image-name pattern of a policy's
// admission whitelist, in plain Go form.
type PolicyAdmissionWhitelistPattern struct {
	// An image name pattern to whitelist, in the form
	// `registry/path/to/image`. This supports a trailing * as a
	// wildcard, but this is allowed only in text after the registry/
	// part.
	// A wildcard exempts every image under that path, so prefer the longest
	// path prefix that still covers the intended images.
	NamePattern string `pulumi:"namePattern"`
}

type PolicyAdmissionWhitelistPatternArgs

// PolicyAdmissionWhitelistPatternArgs is the pulumi input form of
// PolicyAdmissionWhitelistPattern; it is the concrete type accepted wherever a
// PolicyAdmissionWhitelistPatternInput is expected.
type PolicyAdmissionWhitelistPatternArgs struct {
	// An image name pattern to whitelist, in the form
	// `registry/path/to/image`. This supports a trailing * as a
	// wildcard, but this is allowed only in text after the registry/
	// part.
	// A wildcard exempts every image under that path, so prefer the longest
	// path prefix that still covers the intended images.
	NamePattern pulumi.StringInput `pulumi:"namePattern"`
}

func (PolicyAdmissionWhitelistPatternArgs) ElementType

func (PolicyAdmissionWhitelistPatternArgs) ToPolicyAdmissionWhitelistPatternOutput

func (i PolicyAdmissionWhitelistPatternArgs) ToPolicyAdmissionWhitelistPatternOutput() PolicyAdmissionWhitelistPatternOutput

func (PolicyAdmissionWhitelistPatternArgs) ToPolicyAdmissionWhitelistPatternOutputWithContext

func (i PolicyAdmissionWhitelistPatternArgs) ToPolicyAdmissionWhitelistPatternOutputWithContext(ctx context.Context) PolicyAdmissionWhitelistPatternOutput

type PolicyAdmissionWhitelistPatternArray

type PolicyAdmissionWhitelistPatternArray []PolicyAdmissionWhitelistPatternInput

func (PolicyAdmissionWhitelistPatternArray) ElementType

func (PolicyAdmissionWhitelistPatternArray) ToPolicyAdmissionWhitelistPatternArrayOutput

func (i PolicyAdmissionWhitelistPatternArray) ToPolicyAdmissionWhitelistPatternArrayOutput() PolicyAdmissionWhitelistPatternArrayOutput

func (PolicyAdmissionWhitelistPatternArray) ToPolicyAdmissionWhitelistPatternArrayOutputWithContext

func (i PolicyAdmissionWhitelistPatternArray) ToPolicyAdmissionWhitelistPatternArrayOutputWithContext(ctx context.Context) PolicyAdmissionWhitelistPatternArrayOutput

type PolicyAdmissionWhitelistPatternArrayInput

// PolicyAdmissionWhitelistPatternArrayInput is an input type that accepts
// PolicyAdmissionWhitelistPatternArray and
// PolicyAdmissionWhitelistPatternArrayOutput values.
type PolicyAdmissionWhitelistPatternArrayInput interface {
	pulumi.Input

	// Conversion to the output form, without and with an explicit context.
	ToPolicyAdmissionWhitelistPatternArrayOutput() PolicyAdmissionWhitelistPatternArrayOutput
	ToPolicyAdmissionWhitelistPatternArrayOutputWithContext(context.Context) PolicyAdmissionWhitelistPatternArrayOutput
}

PolicyAdmissionWhitelistPatternArrayInput is an input type that accepts PolicyAdmissionWhitelistPatternArray and PolicyAdmissionWhitelistPatternArrayOutput values. You can construct a concrete instance of `PolicyAdmissionWhitelistPatternArrayInput` via:

PolicyAdmissionWhitelistPatternArray{ PolicyAdmissionWhitelistPatternArgs{...} }

type PolicyAdmissionWhitelistPatternArrayOutput

type PolicyAdmissionWhitelistPatternArrayOutput struct{ *pulumi.OutputState }

func (PolicyAdmissionWhitelistPatternArrayOutput) ElementType

func (PolicyAdmissionWhitelistPatternArrayOutput) Index

func (PolicyAdmissionWhitelistPatternArrayOutput) ToPolicyAdmissionWhitelistPatternArrayOutput

func (o PolicyAdmissionWhitelistPatternArrayOutput) ToPolicyAdmissionWhitelistPatternArrayOutput() PolicyAdmissionWhitelistPatternArrayOutput

func (PolicyAdmissionWhitelistPatternArrayOutput) ToPolicyAdmissionWhitelistPatternArrayOutputWithContext

func (o PolicyAdmissionWhitelistPatternArrayOutput) ToPolicyAdmissionWhitelistPatternArrayOutputWithContext(ctx context.Context) PolicyAdmissionWhitelistPatternArrayOutput

type PolicyAdmissionWhitelistPatternInput

// PolicyAdmissionWhitelistPatternInput is an input type that accepts
// PolicyAdmissionWhitelistPatternArgs and PolicyAdmissionWhitelistPatternOutput
// values.
type PolicyAdmissionWhitelistPatternInput interface {
	pulumi.Input

	// Conversion to the output form, without and with an explicit context.
	ToPolicyAdmissionWhitelistPatternOutput() PolicyAdmissionWhitelistPatternOutput
	ToPolicyAdmissionWhitelistPatternOutputWithContext(context.Context) PolicyAdmissionWhitelistPatternOutput
}

PolicyAdmissionWhitelistPatternInput is an input type that accepts PolicyAdmissionWhitelistPatternArgs and PolicyAdmissionWhitelistPatternOutput values. You can construct a concrete instance of `PolicyAdmissionWhitelistPatternInput` via:

PolicyAdmissionWhitelistPatternArgs{...}

type PolicyAdmissionWhitelistPatternOutput

type PolicyAdmissionWhitelistPatternOutput struct{ *pulumi.OutputState }

func (PolicyAdmissionWhitelistPatternOutput) ElementType

func (PolicyAdmissionWhitelistPatternOutput) NamePattern

An image name pattern to whitelist, in the form `registry/path/to/image`. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

func (PolicyAdmissionWhitelistPatternOutput) ToPolicyAdmissionWhitelistPatternOutput

func (o PolicyAdmissionWhitelistPatternOutput) ToPolicyAdmissionWhitelistPatternOutput() PolicyAdmissionWhitelistPatternOutput

func (PolicyAdmissionWhitelistPatternOutput) ToPolicyAdmissionWhitelistPatternOutputWithContext

func (o PolicyAdmissionWhitelistPatternOutput) ToPolicyAdmissionWhitelistPatternOutputWithContext(ctx context.Context) PolicyAdmissionWhitelistPatternOutput

type PolicyArgs

// PolicyArgs is the set of arguments for constructing a Policy resource.
//
// Evaluation order as far as the field descriptions state it: images matching
// AdmissionWhitelistPatterns are always permitted; a cluster listed in
// ClusterAdmissionRules uses its own rule; every other cluster falls back to
// DefaultAdmissionRule.
type PolicyArgs struct {
	// A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the
	// image's admission requests will always be permitted regardless of your admission rules.
	// Because a match bypasses every rule, including REQUIRE_ATTESTATION, keep these patterns as narrow as possible.
	AdmissionWhitelistPatterns PolicyAdmissionWhitelistPatternArrayInput
	// Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request
	// must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be
	// denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A
	// location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
	ClusterAdmissionRules PolicyClusterAdmissionRuleArrayInput
	// Default admission rule for a cluster without a per-cluster admission
	// rule.
	// Structure is documented below.
	// An ALWAYS_ALLOW default leaves every cluster that has no rule of its own
	// without an attestation requirement.
	DefaultAdmissionRule PolicyDefaultAdmissionRuleInput
	// A descriptive comment.
	Description pulumi.StringPtrInput
	// Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not
	// covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
	GlobalPolicyEvaluationMode pulumi.StringPtrInput
	// Project carries no description here; presumably the ID of the project the
	// policy belongs to — confirm against the provider documentation.
	Project                    pulumi.StringPtrInput
}

The set of arguments for constructing a Policy resource.

func (PolicyArgs) ElementType

func (PolicyArgs) ElementType() reflect.Type

type PolicyArray

type PolicyArray []PolicyInput

func (PolicyArray) ElementType

func (PolicyArray) ElementType() reflect.Type

func (PolicyArray) ToPolicyArrayOutput

func (i PolicyArray) ToPolicyArrayOutput() PolicyArrayOutput

func (PolicyArray) ToPolicyArrayOutputWithContext

func (i PolicyArray) ToPolicyArrayOutputWithContext(ctx context.Context) PolicyArrayOutput

type PolicyArrayInput

// PolicyArrayInput is an input type that accepts PolicyArray and
// PolicyArrayOutput values.
type PolicyArrayInput interface {
	pulumi.Input

	// Conversion to the output form, without and with an explicit context.
	ToPolicyArrayOutput() PolicyArrayOutput
	ToPolicyArrayOutputWithContext(context.Context) PolicyArrayOutput
}

PolicyArrayInput is an input type that accepts PolicyArray and PolicyArrayOutput values. You can construct a concrete instance of `PolicyArrayInput` via:

PolicyArray{ PolicyArgs{...} }

type PolicyArrayOutput

type PolicyArrayOutput struct{ *pulumi.OutputState }

func (PolicyArrayOutput) ElementType

func (PolicyArrayOutput) ElementType() reflect.Type

func (PolicyArrayOutput) Index

func (PolicyArrayOutput) ToPolicyArrayOutput

func (o PolicyArrayOutput) ToPolicyArrayOutput() PolicyArrayOutput

func (PolicyArrayOutput) ToPolicyArrayOutputWithContext

func (o PolicyArrayOutput) ToPolicyArrayOutputWithContext(ctx context.Context) PolicyArrayOutput

type PolicyClusterAdmissionRule

// PolicyClusterAdmissionRule is the admission rule for one cluster, in plain
// Go form. A policy can hold at most one such rule per cluster.
type PolicyClusterAdmissionRule struct {
	// The identifier for this object, in the format
	// '{{location}}.{{clusterId}}', where the location is either a compute zone
	// (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
	Cluster string `pulumi:"cluster"`
	// The action when a pod creation is denied by the admission rule.
	// Possible values are: `ENFORCED_BLOCK_AND_AUDIT_LOG`, `DRYRUN_AUDIT_LOG_ONLY`.
	// NOTE(review): going by its name, DRYRUN_AUDIT_LOG_ONLY records the denial
	// without blocking the pod; confirm before relying on it for enforcement.
	EnforcementMode string `pulumi:"enforcementMode"`
	// How this admission rule will be evaluated.
	// Possible values are: `ALWAYS_ALLOW`, `REQUIRE_ATTESTATION`, `ALWAYS_DENY`.
	EvaluationMode string `pulumi:"evaluationMode"`
	// The resource names of the attestors that must attest to a
	// container image. If the attestor is in a different project from the
	// policy, it should be specified in the format `projects/*/attestors/*`.
	// Each attestor must exist before a policy can reference it. To add an
	// attestor to a policy the principal issuing the policy change
	// request must be able to read the attestor resource.
	// Note: this field must be non-empty when the evaluationMode field
	// specifies REQUIRE_ATTESTATION, otherwise it must be empty.
	RequireAttestationsBies []string `pulumi:"requireAttestationsBies"`
}

type PolicyClusterAdmissionRuleArgs

// PolicyClusterAdmissionRuleArgs carries the same four settings as
// PolicyClusterAdmissionRule, with each field typed as a pulumi input.
type PolicyClusterAdmissionRuleArgs struct {
	// The identifier of the cluster this rule applies to. The page gives the
	// identifier format as `{{location}}.{{clusterId}}`, where location is a
	// compute zone or a region.
	Cluster pulumi.StringInput `pulumi:"cluster"`
	// The action when a pod creation is denied by the admission rule.
	// Possible values are: `ENFORCED_BLOCK_AND_AUDIT_LOG`, `DRYRUN_AUDIT_LOG_ONLY`.
	// NOTE(review): `DRYRUN_AUDIT_LOG_ONLY` records the denial in the audit log
	// without blocking the pod; confirm that a rule meant to enforce is not
	// left in dry-run.
	EnforcementMode pulumi.StringInput `pulumi:"enforcementMode"`
	// How this admission rule will be evaluated.
	// Possible values are: `ALWAYS_ALLOW`, `REQUIRE_ATTESTATION`, `ALWAYS_DENY`.
	// `ALWAYS_ALLOW` permits every pod creation on the cluster without any
	// attestation, so it is the least restrictive of the three.
	EvaluationMode pulumi.StringInput `pulumi:"evaluationMode"`
	// The resource names of the attestors that must attest to a
	// container image. If the attestor is in a different project from the
	// policy, it should be specified in the format `projects/*/attestors/*`.
	// Each attestor must exist before a policy can reference it. To add an
	// attestor to a policy the principal issuing the policy change
	// request must be able to read the attestor resource.
	// Note: this field must be non-empty when the evaluationMode field
	// specifies REQUIRE_ATTESTATION, otherwise it must be empty.
	RequireAttestationsBies pulumi.StringArrayInput `pulumi:"requireAttestationsBies"`
}

func (PolicyClusterAdmissionRuleArgs) ElementType

func (PolicyClusterAdmissionRuleArgs) ToPolicyClusterAdmissionRuleOutput

func (i PolicyClusterAdmissionRuleArgs) ToPolicyClusterAdmissionRuleOutput() PolicyClusterAdmissionRuleOutput

func (PolicyClusterAdmissionRuleArgs) ToPolicyClusterAdmissionRuleOutputWithContext

func (i PolicyClusterAdmissionRuleArgs) ToPolicyClusterAdmissionRuleOutputWithContext(ctx context.Context) PolicyClusterAdmissionRuleOutput

type PolicyClusterAdmissionRuleArray

type PolicyClusterAdmissionRuleArray []PolicyClusterAdmissionRuleInput

func (PolicyClusterAdmissionRuleArray) ElementType

func (PolicyClusterAdmissionRuleArray) ToPolicyClusterAdmissionRuleArrayOutput

func (i PolicyClusterAdmissionRuleArray) ToPolicyClusterAdmissionRuleArrayOutput() PolicyClusterAdmissionRuleArrayOutput

func (PolicyClusterAdmissionRuleArray) ToPolicyClusterAdmissionRuleArrayOutputWithContext

func (i PolicyClusterAdmissionRuleArray) ToPolicyClusterAdmissionRuleArrayOutputWithContext(ctx context.Context) PolicyClusterAdmissionRuleArrayOutput

type PolicyClusterAdmissionRuleArrayInput

// PolicyClusterAdmissionRuleArrayInput is the input interface for arrays of
// per-cluster admission rules. It embeds pulumi.Input and adds the two
// conversion methods below.
type PolicyClusterAdmissionRuleArrayInput interface {
	pulumi.Input

	// ToPolicyClusterAdmissionRuleArrayOutput returns a
	// PolicyClusterAdmissionRuleArrayOutput.
	ToPolicyClusterAdmissionRuleArrayOutput() PolicyClusterAdmissionRuleArrayOutput
	// ToPolicyClusterAdmissionRuleArrayOutputWithContext returns a
	// PolicyClusterAdmissionRuleArrayOutput and takes a caller-supplied
	// context.Context.
	ToPolicyClusterAdmissionRuleArrayOutputWithContext(context.Context) PolicyClusterAdmissionRuleArrayOutput
}

PolicyClusterAdmissionRuleArrayInput is an input type that accepts PolicyClusterAdmissionRuleArray and PolicyClusterAdmissionRuleArrayOutput values. You can construct a concrete instance of `PolicyClusterAdmissionRuleArrayInput` via:

PolicyClusterAdmissionRuleArray{ PolicyClusterAdmissionRuleArgs{...} }

type PolicyClusterAdmissionRuleArrayOutput

type PolicyClusterAdmissionRuleArrayOutput struct{ *pulumi.OutputState }

func (PolicyClusterAdmissionRuleArrayOutput) ElementType

func (PolicyClusterAdmissionRuleArrayOutput) Index

func (PolicyClusterAdmissionRuleArrayOutput) ToPolicyClusterAdmissionRuleArrayOutput

func (o PolicyClusterAdmissionRuleArrayOutput) ToPolicyClusterAdmissionRuleArrayOutput() PolicyClusterAdmissionRuleArrayOutput

func (PolicyClusterAdmissionRuleArrayOutput) ToPolicyClusterAdmissionRuleArrayOutputWithContext

func (o PolicyClusterAdmissionRuleArrayOutput) ToPolicyClusterAdmissionRuleArrayOutputWithContext(ctx context.Context) PolicyClusterAdmissionRuleArrayOutput

type PolicyClusterAdmissionRuleInput

// PolicyClusterAdmissionRuleInput is the input interface for a single
// per-cluster admission rule. It embeds pulumi.Input and adds the two
// conversion methods below.
type PolicyClusterAdmissionRuleInput interface {
	pulumi.Input

	// ToPolicyClusterAdmissionRuleOutput returns a
	// PolicyClusterAdmissionRuleOutput.
	ToPolicyClusterAdmissionRuleOutput() PolicyClusterAdmissionRuleOutput
	// ToPolicyClusterAdmissionRuleOutputWithContext returns a
	// PolicyClusterAdmissionRuleOutput and takes a caller-supplied
	// context.Context.
	ToPolicyClusterAdmissionRuleOutputWithContext(context.Context) PolicyClusterAdmissionRuleOutput
}

PolicyClusterAdmissionRuleInput is an input type that accepts PolicyClusterAdmissionRuleArgs and PolicyClusterAdmissionRuleOutput values. You can construct a concrete instance of `PolicyClusterAdmissionRuleInput` via:

PolicyClusterAdmissionRuleArgs{...}

type PolicyClusterAdmissionRuleOutput

type PolicyClusterAdmissionRuleOutput struct{ *pulumi.OutputState }

func (PolicyClusterAdmissionRuleOutput) Cluster

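The identifier for this object, that is, the cluster the rule applies to. The format, `{{location}}.{{clusterId}}`, is given in the description of the policy's ClusterAdmissionRules.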

func (PolicyClusterAdmissionRuleOutput) ElementType

func (PolicyClusterAdmissionRuleOutput) EnforcementMode

The action when a pod creation is denied by the admission rule. Possible values are: `ENFORCED_BLOCK_AND_AUDIT_LOG`, `DRYRUN_AUDIT_LOG_ONLY`.

func (PolicyClusterAdmissionRuleOutput) EvaluationMode

How this admission rule will be evaluated. Possible values are: `ALWAYS_ALLOW`, `REQUIRE_ATTESTATION`, `ALWAYS_DENY`.

func (PolicyClusterAdmissionRuleOutput) RequireAttestationsBies

func (o PolicyClusterAdmissionRuleOutput) RequireAttestationsBies() pulumi.StringArrayOutput

The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluationMode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

func (PolicyClusterAdmissionRuleOutput) ToPolicyClusterAdmissionRuleOutput

func (o PolicyClusterAdmissionRuleOutput) ToPolicyClusterAdmissionRuleOutput() PolicyClusterAdmissionRuleOutput

func (PolicyClusterAdmissionRuleOutput) ToPolicyClusterAdmissionRuleOutputWithContext

func (o PolicyClusterAdmissionRuleOutput) ToPolicyClusterAdmissionRuleOutputWithContext(ctx context.Context) PolicyClusterAdmissionRuleOutput

type PolicyDefaultAdmissionRule

// PolicyDefaultAdmissionRule describes the default admission rule using plain
// Go field types. Per the page, the default rule is the one used for a cluster
// that has no per-cluster admission rule, so its settings decide the outcome
// for every cluster not listed explicitly.
type PolicyDefaultAdmissionRule struct {
	// The action when a pod creation is denied by the admission rule.
	// Possible values are: `ENFORCED_BLOCK_AND_AUDIT_LOG`, `DRYRUN_AUDIT_LOG_ONLY`.
	// NOTE(review): `DRYRUN_AUDIT_LOG_ONLY` records the denial in the audit log
	// without blocking the pod; confirm that the default rule is not left in
	// dry-run once it is meant to enforce.
	EnforcementMode string `pulumi:"enforcementMode"`
	// How this admission rule will be evaluated.
	// Possible values are: `ALWAYS_ALLOW`, `REQUIRE_ATTESTATION`, `ALWAYS_DENY`.
	// `ALWAYS_ALLOW` permits every pod creation without any attestation, so it
	// is the least restrictive of the three.
	EvaluationMode string `pulumi:"evaluationMode"`
	// The resource names of the attestors that must attest to a
	// container image. If the attestor is in a different project from the
	// policy, it should be specified in the format `projects/*/attestors/*`.
	// Each attestor must exist before a policy can reference it. To add an
	// attestor to a policy the principal issuing the policy change
	// request must be able to read the attestor resource.
	// Note: this field must be non-empty when the evaluationMode field
	// specifies REQUIRE_ATTESTATION, otherwise it must be empty.
	RequireAttestationsBies []string `pulumi:"requireAttestationsBies"`
}

type PolicyDefaultAdmissionRuleArgs

// PolicyDefaultAdmissionRuleArgs carries the same three settings as
// PolicyDefaultAdmissionRule, with each field typed as a pulumi input. Per the
// page, the default rule is the one used for a cluster that has no per-cluster
// admission rule.
type PolicyDefaultAdmissionRuleArgs struct {
	// The action when a pod creation is denied by the admission rule.
	// Possible values are: `ENFORCED_BLOCK_AND_AUDIT_LOG`, `DRYRUN_AUDIT_LOG_ONLY`.
	// NOTE(review): `DRYRUN_AUDIT_LOG_ONLY` records the denial in the audit log
	// without blocking the pod; confirm that the default rule is not left in
	// dry-run once it is meant to enforce.
	EnforcementMode pulumi.StringInput `pulumi:"enforcementMode"`
	// How this admission rule will be evaluated.
	// Possible values are: `ALWAYS_ALLOW`, `REQUIRE_ATTESTATION`, `ALWAYS_DENY`.
	// `ALWAYS_ALLOW` permits every pod creation without any attestation, so it
	// is the least restrictive of the three.
	EvaluationMode pulumi.StringInput `pulumi:"evaluationMode"`
	// The resource names of the attestors that must attest to a
	// container image. If the attestor is in a different project from the
	// policy, it should be specified in the format `projects/*/attestors/*`.
	// Each attestor must exist before a policy can reference it. To add an
	// attestor to a policy the principal issuing the policy change
	// request must be able to read the attestor resource.
	// Note: this field must be non-empty when the evaluationMode field
	// specifies REQUIRE_ATTESTATION, otherwise it must be empty.
	RequireAttestationsBies pulumi.StringArrayInput `pulumi:"requireAttestationsBies"`
}

func (PolicyDefaultAdmissionRuleArgs) ElementType

func (PolicyDefaultAdmissionRuleArgs) ToPolicyDefaultAdmissionRuleOutput

func (i PolicyDefaultAdmissionRuleArgs) ToPolicyDefaultAdmissionRuleOutput() PolicyDefaultAdmissionRuleOutput

func (PolicyDefaultAdmissionRuleArgs) ToPolicyDefaultAdmissionRuleOutputWithContext

func (i PolicyDefaultAdmissionRuleArgs) ToPolicyDefaultAdmissionRuleOutputWithContext(ctx context.Context) PolicyDefaultAdmissionRuleOutput

func (PolicyDefaultAdmissionRuleArgs) ToPolicyDefaultAdmissionRulePtrOutput

func (i PolicyDefaultAdmissionRuleArgs) ToPolicyDefaultAdmissionRulePtrOutput() PolicyDefaultAdmissionRulePtrOutput

func (PolicyDefaultAdmissionRuleArgs) ToPolicyDefaultAdmissionRulePtrOutputWithContext

func (i PolicyDefaultAdmissionRuleArgs) ToPolicyDefaultAdmissionRulePtrOutputWithContext(ctx context.Context) PolicyDefaultAdmissionRulePtrOutput

type PolicyDefaultAdmissionRuleInput

// PolicyDefaultAdmissionRuleInput is the input interface for the default
// admission rule. It embeds pulumi.Input and adds the two conversion methods
// below.
type PolicyDefaultAdmissionRuleInput interface {
	pulumi.Input

	// ToPolicyDefaultAdmissionRuleOutput returns a
	// PolicyDefaultAdmissionRuleOutput.
	ToPolicyDefaultAdmissionRuleOutput() PolicyDefaultAdmissionRuleOutput
	// ToPolicyDefaultAdmissionRuleOutputWithContext returns a
	// PolicyDefaultAdmissionRuleOutput and takes a caller-supplied
	// context.Context.
	ToPolicyDefaultAdmissionRuleOutputWithContext(context.Context) PolicyDefaultAdmissionRuleOutput
}

PolicyDefaultAdmissionRuleInput is an input type that accepts PolicyDefaultAdmissionRuleArgs and PolicyDefaultAdmissionRuleOutput values. You can construct a concrete instance of `PolicyDefaultAdmissionRuleInput` via:

PolicyDefaultAdmissionRuleArgs{...}

type PolicyDefaultAdmissionRuleOutput

type PolicyDefaultAdmissionRuleOutput struct{ *pulumi.OutputState }

func (PolicyDefaultAdmissionRuleOutput) ElementType

func (PolicyDefaultAdmissionRuleOutput) EnforcementMode

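The action when a pod creation is denied by the admission rule. Possible values are: `ENFORCED_BLOCK_AND_AUDIT_LOG`, `DRYRUN_AUDIT_LOG_ONLY`. With `DRYRUN_AUDIT_LOG_ONLY` the denial is only written to the audit log and the pod is not blocked, so the default rule does not enforce anything while it is in that mode.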

func (PolicyDefaultAdmissionRuleOutput) EvaluationMode

How this admission rule will be evaluated. Possible values are: `ALWAYS_ALLOW`, `REQUIRE_ATTESTATION`, `ALWAYS_DENY`.

func (PolicyDefaultAdmissionRuleOutput) RequireAttestationsBies

func (o PolicyDefaultAdmissionRuleOutput) RequireAttestationsBies() pulumi.StringArrayOutput

The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluationMode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

func (PolicyDefaultAdmissionRuleOutput) ToPolicyDefaultAdmissionRuleOutput

func (o PolicyDefaultAdmissionRuleOutput) ToPolicyDefaultAdmissionRuleOutput() PolicyDefaultAdmissionRuleOutput

func (PolicyDefaultAdmissionRuleOutput) ToPolicyDefaultAdmissionRuleOutputWithContext

func (o PolicyDefaultAdmissionRuleOutput) ToPolicyDefaultAdmissionRuleOutputWithContext(ctx context.Context) PolicyDefaultAdmissionRuleOutput

func (PolicyDefaultAdmissionRuleOutput) ToPolicyDefaultAdmissionRulePtrOutput

func (o PolicyDefaultAdmissionRuleOutput) ToPolicyDefaultAdmissionRulePtrOutput() PolicyDefaultAdmissionRulePtrOutput

func (PolicyDefaultAdmissionRuleOutput) ToPolicyDefaultAdmissionRulePtrOutputWithContext

func (o PolicyDefaultAdmissionRuleOutput) ToPolicyDefaultAdmissionRulePtrOutputWithContext(ctx context.Context) PolicyDefaultAdmissionRulePtrOutput

type PolicyDefaultAdmissionRulePtrInput

// PolicyDefaultAdmissionRulePtrInput is the optional (pointer) input interface
// for the default admission rule; the page lists nil as an accepted value. It
// embeds pulumi.Input and adds the two conversion methods below.
type PolicyDefaultAdmissionRulePtrInput interface {
	pulumi.Input

	// ToPolicyDefaultAdmissionRulePtrOutput returns a
	// PolicyDefaultAdmissionRulePtrOutput.
	ToPolicyDefaultAdmissionRulePtrOutput() PolicyDefaultAdmissionRulePtrOutput
	// ToPolicyDefaultAdmissionRulePtrOutputWithContext returns a
	// PolicyDefaultAdmissionRulePtrOutput and takes a caller-supplied
	// context.Context.
	ToPolicyDefaultAdmissionRulePtrOutputWithContext(context.Context) PolicyDefaultAdmissionRulePtrOutput
}

PolicyDefaultAdmissionRulePtrInput is an input type that accepts PolicyDefaultAdmissionRuleArgs, PolicyDefaultAdmissionRulePtr and PolicyDefaultAdmissionRulePtrOutput values. You can construct a concrete instance of `PolicyDefaultAdmissionRulePtrInput` via:

        PolicyDefaultAdmissionRuleArgs{...}

or:

        nil

type PolicyDefaultAdmissionRulePtrOutput

type PolicyDefaultAdmissionRulePtrOutput struct{ *pulumi.OutputState }

func (PolicyDefaultAdmissionRulePtrOutput) Elem

func (PolicyDefaultAdmissionRulePtrOutput) ElementType

func (PolicyDefaultAdmissionRulePtrOutput) EnforcementMode

The action when a pod creation is denied by the admission rule. Possible values are: `ENFORCED_BLOCK_AND_AUDIT_LOG`, `DRYRUN_AUDIT_LOG_ONLY`.

func (PolicyDefaultAdmissionRulePtrOutput) EvaluationMode

How this admission rule will be evaluated. Possible values are: `ALWAYS_ALLOW`, `REQUIRE_ATTESTATION`, `ALWAYS_DENY`.

func (PolicyDefaultAdmissionRulePtrOutput) RequireAttestationsBies

func (o PolicyDefaultAdmissionRulePtrOutput) RequireAttestationsBies() pulumi.StringArrayOutput

The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluationMode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

func (PolicyDefaultAdmissionRulePtrOutput) ToPolicyDefaultAdmissionRulePtrOutput

func (o PolicyDefaultAdmissionRulePtrOutput) ToPolicyDefaultAdmissionRulePtrOutput() PolicyDefaultAdmissionRulePtrOutput

func (PolicyDefaultAdmissionRulePtrOutput) ToPolicyDefaultAdmissionRulePtrOutputWithContext

func (o PolicyDefaultAdmissionRulePtrOutput) ToPolicyDefaultAdmissionRulePtrOutputWithContext(ctx context.Context) PolicyDefaultAdmissionRulePtrOutput

type PolicyInput

// PolicyInput is the input interface for a single Policy resource. It embeds
// pulumi.Input and adds the two conversion methods below.
type PolicyInput interface {
	pulumi.Input

	// ToPolicyOutput returns a PolicyOutput.
	ToPolicyOutput() PolicyOutput
	// ToPolicyOutputWithContext returns a PolicyOutput and takes a
	// caller-supplied context.Context.
	ToPolicyOutputWithContext(ctx context.Context) PolicyOutput
}

type PolicyMap

type PolicyMap map[string]PolicyInput

func (PolicyMap) ElementType

func (PolicyMap) ElementType() reflect.Type

func (PolicyMap) ToPolicyMapOutput

func (i PolicyMap) ToPolicyMapOutput() PolicyMapOutput

func (PolicyMap) ToPolicyMapOutputWithContext

func (i PolicyMap) ToPolicyMapOutputWithContext(ctx context.Context) PolicyMapOutput

type PolicyMapInput

// PolicyMapInput is the input interface for string-keyed maps of Policy
// values. It embeds pulumi.Input and adds the two conversion methods below.
type PolicyMapInput interface {
	pulumi.Input

	// ToPolicyMapOutput returns a PolicyMapOutput.
	ToPolicyMapOutput() PolicyMapOutput
	// ToPolicyMapOutputWithContext returns a PolicyMapOutput and takes a
	// caller-supplied context.Context.
	ToPolicyMapOutputWithContext(context.Context) PolicyMapOutput
}

PolicyMapInput is an input type that accepts PolicyMap and PolicyMapOutput values. You can construct a concrete instance of `PolicyMapInput` via:

PolicyMap{ "key": PolicyArgs{...} }

type PolicyMapOutput

type PolicyMapOutput struct{ *pulumi.OutputState }

func (PolicyMapOutput) ElementType

func (PolicyMapOutput) ElementType() reflect.Type

func (PolicyMapOutput) MapIndex

func (PolicyMapOutput) ToPolicyMapOutput

func (o PolicyMapOutput) ToPolicyMapOutput() PolicyMapOutput

func (PolicyMapOutput) ToPolicyMapOutputWithContext

func (o PolicyMapOutput) ToPolicyMapOutputWithContext(ctx context.Context) PolicyMapOutput

type PolicyOutput

type PolicyOutput struct{ *pulumi.OutputState }

func (PolicyOutput) AdmissionWhitelistPatterns

func (o PolicyOutput) AdmissionWhitelistPatterns() PolicyAdmissionWhitelistPatternArrayOutput

A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.

func (PolicyOutput) ClusterAdmissionRules

func (o PolicyOutput) ClusterAdmissionRules() PolicyClusterAdmissionRuleArrayOutput

Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').

func (PolicyOutput) DefaultAdmissionRule

func (o PolicyOutput) DefaultAdmissionRule() PolicyDefaultAdmissionRuleOutput

Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

func (PolicyOutput) Description

func (o PolicyOutput) Description() pulumi.StringPtrOutput

A descriptive comment.

func (PolicyOutput) ElementType

func (PolicyOutput) ElementType() reflect.Type

func (PolicyOutput) GlobalPolicyEvaluationMode

func (o PolicyOutput) GlobalPolicyEvaluationMode() pulumi.StringOutput

Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]

func (PolicyOutput) Project

func (o PolicyOutput) Project() pulumi.StringOutput

func (PolicyOutput) ToPolicyOutput

func (o PolicyOutput) ToPolicyOutput() PolicyOutput

func (PolicyOutput) ToPolicyOutputWithContext

func (o PolicyOutput) ToPolicyOutputWithContext(ctx context.Context) PolicyOutput

type PolicyState

// PolicyState holds the Policy resource's properties as optional pulumi
// inputs: the image allowlist, the per-cluster rules, the default rule, and
// the global-policy switch.
type PolicyState struct {
	// A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the
	// image's admission requests will always be permitted regardless of your admission rules.
	// NOTE(review): a match skips every admission rule, attestation included, so each pattern is an
	// exemption from the policy; keep patterns as narrow as the exempted images allow.
	AdmissionWhitelistPatterns PolicyAdmissionWhitelistPatternArrayInput
	// Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request
	// must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be
	// denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A
	// location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
	ClusterAdmissionRules PolicyClusterAdmissionRuleArrayInput
	// Default admission rule for a cluster without a per-cluster admission
	// rule. Because it covers every cluster that is not listed in
	// ClusterAdmissionRules, its evaluation and enforcement modes set the
	// baseline for the whole project.
	// Structure is documented below.
	DefaultAdmissionRule PolicyDefaultAdmissionRulePtrInput
	// A descriptive comment.
	Description pulumi.StringPtrInput
	// Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not
	// covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
	GlobalPolicyEvaluationMode pulumi.StringPtrInput
	Project                    pulumi.StringPtrInput // NOTE(review): not documented on this page; presumably the project that owns the policy — confirm.
}

func (PolicyState) ElementType

func (PolicyState) ElementType() reflect.Type
