An Occurrence is an instance of a Note: a concrete result of the kind of analysis the Note describes, recorded against one particular resource. For the attestation case shown on this page, the Note identifies the attestation authority and the Occurrence carries the signed payload that vouches for a single container image.
To get more information about Occurrence, see:
resource "google_binary_authorization_attestor" "attestor" {
  name = "attestor"
  attestation_authority_note {
    note_reference = google_container_analysis_note.note.name
    public_keys {
      id = data.google_kms_crypto_key_version.version.id
      pkix_public_key {
        public_key_pem      = data.google_kms_crypto_key_version.version.public_key[0].pem
        signature_algorithm = data.google_kms_crypto_key_version.version.public_key[0].algorithm
      }
    }
  }
}

resource "google_container_analysis_note" "note" {
  name = "attestation-note"
  attestation_authority {
    hint {
      human_readable_name = "Attestor Note"
    }
  }
}

data "google_kms_key_ring" "keyring" {
  name     = "my-key-ring"
  location = "global"
}

data "google_kms_crypto_key" "crypto-key" {
  name     = "my-key"
  key_ring = data.google_kms_key_ring.keyring.id
}

data "google_kms_crypto_key_version" "version" {
  crypto_key = data.google_kms_crypto_key.crypto-key.id
}

resource "google_container_analysis_occurrence" "occurrence" {
  // Pin the image by digest (see resource_uri below). A tag can be moved to a
  // different image after the attestation is created; a digest cannot.
  // <image-digest> is a placeholder for the image's sha256 manifest digest.
  resource_uri = "https://gcr.io/my-project/my-image@sha256:<image-digest>"
  note_name    = google_container_analysis_note.note.id

  // See "Creating Attestations" Guide for expected
  // payload and signature formats.
  attestation {
    serialized_payload = filebase64("path/to/my/payload.json")
    signatures {
      public_key_id = data.google_kms_crypto_key_version.version.id
      // The signatures block carries the signature itself (argument "signature"),
      // not a second copy of the payload.
      signature = filebase64("path/to/my/payload.json.sig")
    }
  }
}
The following arguments are supported:

resource_uri - (Required) Immutable. A URI that represents the resource for which the occurrence applies. For example, https://gcr.io/project/image@sha256:123abc for a Docker image. Use the digest form: the attestation is then bound to the exact image bytes it was made for, whereas a tag can later be pointed at a different image.

note_name - (Required) The analysis note associated with this occurrence, in the form of projects/[PROJECT]/notes/[NOTE_ID]. This field can be used as a filter in list requests.

attestation - (Required) Occurrence that represents a single "attestation". The authenticity of an attestation can be verified using the attached signature. If the verifier trusts the public key of the signer, then verifying the signature is sufficient to establish trust. In this circumstance, the authority to which this attestation is attached is primarily useful for lookup (how to find this attestation if you already know the authority and artifact to be verified) and intent (for which authority this attestation was intended to sign). Structure is documented below.

The attestation block supports:

serialized_payload - (Required) The serialized payload that is verified by one or more signatures. A base64-encoded string. The bytes that were signed must be exactly the bytes stored here; re-serializing the payload (for example, pretty-printing JSON) before storing it invalidates every signature over it.

signatures - (Required) One or more signatures over serializedPayload. Verifier implementations should consider this attestation message verified if at least one signature verifies serializedPayload. See Signature in common.proto for more details on signature structure and verification. Structure is documented below.

The signatures block supports:

signature - (Optional) The content of the signature, an opaque bytestring. The payload that this signature verifies MUST be unambiguously provided with the Signature during verification. A wrapper message might provide the payload explicitly. Alternatively, a message might have a canonical serialization that can always be unambiguously computed to derive the payload. Optional in the schema, but a signatures entry without a signature verifies nothing.

public_key_id - (Required) The identifier for the public key that verifies this signature. MUST be an RFC3986 conformant URI. When possible, the key id should be an immutable reference, such as a cryptographic digest. Examples of valid values:
openpgp4fpr:74FAF3B861BDA0870C7B6DEF607E48D2A663AEEA

remediation - (Optional) A description of actions that can be taken to remedy the note.

project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
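The occurrence above consumes two files, payload.json and payload.json.sig, and the signatures argument states how a verifier is expected to treat them: the attestation counts as verified when at least one signature, under a key the verifier trusts, verifies the exact serialized_payload bytes. The Go program below is an added example and is not code from this page or from the Terraform provider. It builds the payload in the shape the "Creating Attestations" guide documents, signs it with a locally generated ECDSA P-256 key that stands in for the KMS key version (a real pipeline signs with the KMS key and never holds the private key), and verifies it with that rule, including the two failure modes a practitioner should check: a payload swapped for a different digest under the original signature, and a valid signature from a key the verifier does not trust. The image digest, the key id strings and the rogue key are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// NewPayload builds the payload in the shape the "Creating Attestations" guide documents. The
// exact bytes returned become serialized_payload and are what is signed; re-serializing breaks it.
func NewPayload(imageRef, digest string) ([]byte, error) {
	return json.Marshal(map[string]interface{}{"critical": map[string]interface{}{
		"identity": map[string]string{"docker-reference": imageRef},
		"image":    map[string]string{"docker-manifest-digest": digest},
		"type":     "Google cloud binauthz container signature",
	}})
}

// Signature and Attestation mirror the resource's signatures and attestation blocks;
// the byte fields are base64 strings, exactly as filebase64 would store them.
type Signature struct {
	PublicKeyID string
	Signature   string
}
type Attestation struct {
	SerializedPayload string
	Signatures        []Signature
}

// Sign returns a DER-encoded ECDSA P-256/SHA-256 signature over the raw payload bytes,
// the form a KMS EC_SIGN_P256_SHA256 key version returns.
func Sign(priv *ecdsa.PrivateKey, keyID string, payload []byte) (Signature, error) {
	h := sha256.Sum256(payload)
	der, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return Signature{}, err
	}
	return Signature{PublicKeyID: keyID, Signature: base64.StdEncoding.EncodeToString(der)}, nil
}

// Verify applies the rule from the argument reference: verified if at least one signature
// verifies serialized_payload under a trusted key; unknown key ids and bad signatures are skipped.
func Verify(att Attestation, trusted map[string]*ecdsa.PublicKey) (bool, error) {
	payload, err := base64.StdEncoding.DecodeString(att.SerializedPayload)
	if err != nil {
		return false, fmt.Errorf("serialized_payload is not valid base64: %w", err)
	}
	h := sha256.Sum256(payload)
	for _, s := range att.Signatures {
		pub, ok := trusted[s.PublicKeyID]
		sig, decErr := base64.StdEncoding.DecodeString(s.Signature)
		if ok && decErr == nil && ecdsa.VerifyASN1(pub, h[:], sig) {
			return true, nil
		}
	}
	return false, nil
}

// Demo signs a constructed attestation with a fresh P-256 key standing in for the KMS key
// version, then verifies it as is, with its payload swapped, and with an untrusted signer.
func Demo() (genuine, tampered, untrusted bool, err error) {
	// Constructed key id in the shape the google_kms_crypto_key_version data source exports.
	const keyID = "//cloudkms.googleapis.com/v1/projects/my-project/locations/global/keyRings/my-key-ring/cryptoKeys/my-key/cryptoKeyVersions/1"
	image, digest := "gcr.io/my-project/my-image", "sha256:"+strings.Repeat("ab", 32) // constructed
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	trusted := map[string]*ecdsa.PublicKey{keyID: &priv.PublicKey}
	payload, _ := NewPayload(image, digest)
	sig, err := Sign(priv, keyID, payload)
	if err != nil {
		return
	}
	att := Attestation{SerializedPayload: base64.StdEncoding.EncodeToString(payload), Signatures: []Signature{sig}}
	if genuine, err = Verify(att, trusted); err != nil {
		return
	}
	// Tampering: payload re-pointed at another digest while the original signature is reused.
	other, _ := NewPayload(image, "sha256:"+strings.Repeat("cd", 32))
	forged := Attestation{SerializedPayload: base64.StdEncoding.EncodeToString(other), Signatures: att.Signatures}
	if tampered, err = Verify(forged, trusted); err != nil {
		return
	}
	// Untrusted signer: a well-formed signature over the genuine payload from a key the verifier does not know.
	rogue, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueSig, _ := Sign(rogue, "cryptoKeyVersions/rogue", payload)
	untrusted, err = Verify(Attestation{SerializedPayload: att.SerializedPayload, Signatures: []Signature{rogueSig}}, trusted)
	return
}

func main() {
	genuine, tampered, untrusted, err := Demo()
	fmt.Println("genuine:", genuine, "tampered:", tampered, "untrusted:", untrusted, "err:", err)
}
```

The trusted map plays the role of the attestor's public_keys block: only key ids listed there can make an attestation count, which is why a signature from the rogue key is ignored even though it is cryptographically valid over the same payload. The digest in the payload is what ties the attestation to one image, so the tampered case fails even though nothing about the signature bytes changed.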
In addition to the arguments listed above, the following computed attributes are exported:

id - an identifier for the resource with format projects/{{project}}/occurrences/{{name}}

name - The name of the occurrence.

kind - The note kind which explicitly denotes which of the occurrence details are specified. This field can be used as a filter in list requests.

create_time - The time when the occurrence was created.

update_time - The time when the occurrence was last updated.
This resource provides the following Timeouts configuration options:

create - Default is 20 minutes.
update - Default is 20 minutes.
delete - Default is 20 minutes.

Occurrence can be imported using any of these accepted formats:

projects/{{project}}/occurrences/{{name}}
{{project}}/{{name}}
{{name}}

In Terraform v1.5.0 and later, use an import block to import Occurrence using one of the formats above. For example:

import {
  id = "projects/{{project}}/occurrences/{{name}}"
  to = google_container_analysis_occurrence.default
}

When using the terraform import command, Occurrence can be imported using one of the formats above. For example:

$ terraform import google_container_analysis_occurrence.default projects/{{project}}/occurrences/{{name}}
$ terraform import google_container_analysis_occurrence.default {{project}}/{{name}}
$ terraform import google_container_analysis_occurrence.default {{name}}

This resource supports User Project Overrides.