From cc30fbbbbcf232c6535156f1e596995e1bd2dcaf Mon Sep 17 00:00:00 2001 From: Mike! Date: Tue, 26 May 2020 18:20:03 -0700 Subject: [PATCH] feat: Add submodule for creating a binary authentication attestor (#530) --- modules/binary-authorization/README.md | 73 +++++++++++++++++++++ modules/binary-authorization/main.tf | 78 +++++++++++++++++++++++ modules/binary-authorization/outputs.tf | 25 ++++++++ modules/binary-authorization/variables.tf | 36 +++++++++++ 4 files changed, 212 insertions(+) create mode 100644 modules/binary-authorization/README.md create mode 100644 modules/binary-authorization/main.tf create mode 100644 modules/binary-authorization/outputs.tf create mode 100644 modules/binary-authorization/variables.tf diff --git a/modules/binary-authorization/README.md b/modules/binary-authorization/README.md new file mode 100644 index 000000000..9c3f6b7fa --- /dev/null +++ b/modules/binary-authorization/README.md 
@@ -0,0 +1,73 @@ +# Binary Authorization Infrastructure + +This module creates the infrastructure and Attestors necessary to generate attestations on image digests. + +## Compatibility/Requirements + +* GCP Project ID where the project has an active billing account associated with it +* Terraform version 0.12+ +* Google Kubernetes Engine cluster with "Binary Authorization" enabled + +## Usage + +```tf +# Create a Key Ring +resource "google_kms_key_ring" "keyring" { + name = "my-example-attestor-key-ring" + location = var.keyring-region + lifecycle { + prevent_destroy = false + } +} + +# Create Quality Assurance attestor +module "quality-attestor" { + source = "terraform-google-modules/kubernetes-engine/google//modules/binary-authorization" + + attestor-name = "quality-assurance" + keyring-id = google_kms_key_ring.keyring.id +} + +``` + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| attestor-name | Name of the attestor | string | n/a | yes | +| project\_id | Project ID to apply services into | string | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| attestor | Name of the built attestor | +| key | Name of the Key created for the attestor | + + + +## Next Steps + +After building the Attestors, Attestations can be associated with image digests. + +This module does not include a Binary Authorization policy for a cluster. 
A sample policy implemented as Dry-Run/Log-Only using our "quality-assurance" Attestor could look like this: + +```tf +resource "google_binary_authorization_policy" "policy" { + + admission_whitelist_patterns { + name_pattern = "gcr.io/${var.project_id}/*" # Enable local project GCR + } + + global_policy_evaluation_mode = "ENABLE" + + # Production ready (all attestors required) + default_admission_rule { + evaluation_mode = "REQUIRE_ATTESTATION" + enforcement_mode = "DRYRUN_AUDIT_LOG_ONLY" + require_attestations_by = [ + module.quality-attestor.attestor # Our Attestor + ] + } +} +``` diff --git a/modules/binary-authorization/main.tf b/modules/binary-authorization/main.tf new file mode 100644 index 000000000..29ccb2178 --- /dev/null +++ b/modules/binary-authorization/main.tf 
@@ -0,0 +1,78 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ required_enabled_apis = [
+ "containeranalysis.googleapis.com",
+ "binaryauthorization.googleapis.com",
+ "container.googleapis.com",
+ "cloudkms.googleapis.com"
+ ]
+}
+
+module "project-services" {
+ source = "terraform-google-modules/project-factory/google//modules/project_services"
+ version = "~> 8.0"
+
+ project_id = var.project_id
+
+ activate_apis = local.required_enabled_apis
+}
+
+resource "google_binary_authorization_attestor" "attestor" {
+ project = var.project_id
+ name = "${var.attestor-name}-attestor"
+ attestation_authority_note {
+ note_reference = google_container_analysis_note.build-note.name
+ public_keys {
+ id = data.google_kms_crypto_key_version.version.id
+ pkix_public_key {
+ public_key_pem = data.google_kms_crypto_key_version.version.public_key[0].pem
+ signature_algorithm = data.google_kms_crypto_key_version.version.public_key[0].algorithm
+ }
+ }
+ }
+}
+
+resource "google_container_analysis_note" "build-note" {
+ project = var.project_id
+ name = "${var.attestor-name}-attestor-note"
+ attestation_authority {
+ hint {
+ human_readable_name = "${var.attestor-name} Attestor"
+ }
+ }
+}
+
+# KEYS
+
+data "google_kms_crypto_key_version" "version" {
+ crypto_key = google_kms_crypto_key.crypto-key.id
+}
+
+resource "google_kms_crypto_key" "crypto-key" {
+ name = "${var.attestor-name}-attestor-key"
+ key_ring = var.keyring-id
+ purpose = "ASYMMETRIC_SIGN"
+
+ version_template {
+ algorithm = var.crypto-algorithm
+ }
+
+ lifecycle {
+ prevent_destroy = false
+ }
+}
diff --git a/modules/binary-authorization/outputs.tf b/modules/binary-authorization/outputs.tf
new file mode 100644
index 000000000..95d3324f5
--- /dev/null
+++ b/modules/binary-authorization/outputs.tf
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "key" {
+ value = google_kms_crypto_key.crypto-key.name
+ description = "Name of the Key created for the attestor"
+}
+
+output "attestor" {
+ value = google_binary_authorization_attestor.attestor.name
+ description = "Name of the built attestor"
+}
diff --git a/modules/binary-authorization/variables.tf b/modules/binary-authorization/variables.tf
new file mode 100644
index 000000000..1b8578077
--- /dev/null
+++ b/modules/binary-authorization/variables.tf
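Review bot: The attestor's public key is pinned to a single KMS key version, because the `google_kms_crypto_key_version` data source under `# KEYS` is read without a `version` argument (which, as far as I know, defaults to version 1); rotating `crypto-key` to a new primary version will therefore not update the attestor, and attestations signed with the new version will fail verification under an enforcing policy. In the same spirit, `prevent_destroy = false` on `crypto-key` lets a routine `terraform destroy` or a refactor remove the key that anchors every attestation this attestor has ever accepted — I would default to `prevent_destroy = true` (or expose it as a variable) and document the rotation procedure in the module README. Separately, `google_binary_authorization_attestor.attestor` and `google_container_analysis_note.build-note` take `var.project_id` directly and declare no dependency on `module.project-services`, so on a fresh project they may be created before the Binary Authorization and Container Analysis APIs are enabled; referencing `project = module.project-services.project_id` (the project_services module exposes that output in the versions I have used) would serialize them behind API activation without needing module-level `depends_on`.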
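Review bot: The `key` output exposes only `google_kms_crypto_key.crypto-key.name`, the bare key name, whereas a signer needs the key-version resource ID whose public key the attestor in main.tf pins; consider adding `output "key_version_id" { value = data.google_kms_crypto_key_version.version.id }` next to `key` (and, for symmetry, the crypto key's `id`). Exposing the attestor's `id` in addition to its `name` would likewise let callers reference it by full resource name where that form is required. Neither output carries secret material (the key version's public key only), so no `sensitive` flag is needed.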
@@ -0,0 +1,36 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ type = string
+ description = "Project ID to apply services into"
+}
+
+variable "attestor-name" {
+ type = string
+ description = "Name of the attestor"
+}
+
+variable keyring-id {
+ type = string
+ description = "Keyring ID to attach attestor keys"
+}
+
+variable crypto-algorithm {
+ type = string
+ default = "RSA_SIGN_PKCS1_4096_SHA512"
+ description = "Algorithm used for the async signing keys"
+}
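Review bot: The description of `crypto-algorithm` says `async signing keys`, but the key it configures in main.tf has `purpose = "ASYMMETRIC_SIGN"`; suggest `description = "KMS asymmetric signing algorithm for the attestor key (must be an ASYMMETRIC_SIGN algorithm, e.g. RSA_SIGN_PKCS1_4096_SHA512)"`. On style, `project_id` uses an underscore while `attestor-name`, `keyring-id` and `crypto-algorithm` use hyphens (and the last two omit the quotes around the variable name that the first two carry); Terraform convention is snake_case, so for a brand-new module I would settle on one form before callers depend on these names. The README's Inputs table in this commit lists only `attestor-name` and `project_id`, so `keyring-id` (required, no default) and `crypto-algorithm` should be documented there as well.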