googleContainerAnalysisOccurrence
An occurrence is an instance of a Note, or type of analysis that can be done for a resource.
To get more information about Occurrence, see:
- API documentation
- How-to Guides
- Official Documentation
Example Usage - Container Analysis Occurrence Kms
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as google from "./.gen/providers/google";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: google.
For a more precise conversion please use the --provider flag in convert.*/
const googleContainerAnalysisNoteNote =
new google.containerAnalysisNote.ContainerAnalysisNote(this, "note", {
attestation_authority: [
{
hint: [
{
human_readable_name: "Attestor Note",
},
],
},
],
name: "attestation-note",
});
const dataGoogleKmsKeyRingKeyring =
new google.dataGoogleKmsKeyRing.DataGoogleKmsKeyRing(this, "keyring", {
location: "global",
name: "my-key-ring",
});
const dataGoogleKmsCryptoKeyCryptoKey =
new google.dataGoogleKmsCryptoKey.DataGoogleKmsCryptoKey(this, "crypto-key", {
key_ring: dataGoogleKmsKeyRingKeyring.id,
name: "my-key",
});
const dataGoogleKmsCryptoKeyVersionVersion =
new google.dataGoogleKmsCryptoKeyVersion.DataGoogleKmsCryptoKeyVersion(
this,
"version",
{
crypto_key: dataGoogleKmsCryptoKeyCryptoKey.id,
}
);
new google.binaryAuthorizationAttestor.BinaryAuthorizationAttestor(
this,
"attestor",
{
attestation_authority_note: [
{
note_reference: googleContainerAnalysisNoteNote.name,
public_keys: [
{
id: dataGoogleKmsCryptoKeyVersionVersion.id,
pkix_public_key: [
{
public_key_pem: `\${${dataGoogleKmsCryptoKeyVersionVersion.publicKey.fqn}[0].pem}`,
signature_algorithm: `\${${dataGoogleKmsCryptoKeyVersionVersion.publicKey.fqn}[0].algorithm}`,
},
],
},
],
},
],
name: "attestor",
}
);
new google.containerAnalysisOccurrence.ContainerAnalysisOccurrence(
this,
"occurrence",
{
attestation: [
{
serialized_payload: '${filebase64("path/to/my/payload.json")}',
signatures: [
{
public_key_id: dataGoogleKmsCryptoKeyVersionVersion.id,
serialized_payload: '${filebase64("path/to/my/payload.json.sig")}',
},
],
},
],
note_name: googleContainerAnalysisNoteNote.id,
resource_uri: "gcr.io/my-project/my-image",
}
);
Argument Reference
The following arguments are supported:
-
resourceUri- (Required) Required. Immutable. A URI that represents the resource for which the occurrence applies. For example, https://gcr.io/project/image@sha256:123abc for a Docker image. -
noteName- (Required) The analysis note associated with this occurrence, in the form of projects/[PROJECT]/notes/[NOTE_ID]. This field can be used as a filter in list requests. -
attestation- (Required) Occurrence that represents a single "attestation". The authenticity of an attestation can be verified using the attached signature. If the verifier trusts the public key of the signer, then verifying the signature is sufficient to establish trust. In this circumstance, the authority to which this attestation is attached is primarily useful for lookup (how to find this attestation if you already know the authority and artifact to be verified) and intent (for which authority this attestation was intended to sign. Structure is documented below.
The attestation block supports:
-
serializedPayload- (Required) The serialized payload that is verified by one or more signatures. A base64-encoded string. -
signatures- (Required) One or more signatures over serializedPayload. Verifier implementations should consider this attestation message verified if at least one signature verifies serializedPayload. See Signature in common.proto for more details on signature structure and verification. Structure is documented below.
The signatures block supports:
-
signature- (Optional) The content of the signature, an opaque bytestring. The payload that this signature verifies MUST be unambiguously provided with the Signature during verification. A wrapper message might provide the payload explicitly. Alternatively, a message might have a canonical serialization that can always be unambiguously computed to derive the payload. -
publicKeyId- (Required) The identifier for the public key that verifies this signature. MUST be an RFC3986 conformant URI. * When possible, the key id should be an immutable reference, such as a cryptographic digest. Examples of valid values:- OpenPGP V4 public key fingerprint. See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr for more details on this scheme.
openpgp4Fpr:74Faf3B861Bda0870C7B6Def607E48D2A663Aeea- RFC6920 digest-named SubjectPublicKeyInfo (digest of the DER serialization):
- "ni:///sha-256;cD9o9Cq6LG3jD0iKXqEi_vdjJGecm_iXkbqVoScViaU"
-
remediation- (Optional) A description of actions that can be taken to remedy the note. -
project- (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
-
id- an identifier for the resource with formatprojects/{{project}}/occurrences/{{name}} -
name- The name of the occurrence. -
kind- The note kind which explicitly denotes which of the occurrence details are specified. This field can be used as a filter in list requests. -
createTime- The time when the repository was created. -
updateTime- The time when the repository was last updated.
Timeouts
This resource provides the following Timeouts configuration options:
create- Default is 20 minutes.update- Default is 20 minutes.delete- Default is 20 minutes.
Import
Occurrence can be imported using any of these accepted formats:
$ terraform import google_container_analysis_occurrence.default projects/{{project}}/occurrences/{{name}}
$ terraform import google_container_analysis_occurrence.default {{project}}/{{name}}
$ terraform import google_container_analysis_occurrence.default {{name}}
User Project Overrides
This resource supports User Project Overrides.