v1beta2

type AdmissionWhitelistPatternsInitParameters struct {

	// An image name pattern to whitelist, in the form
	// registry/path/to/image. This supports a trailing * as a
	// wildcard, but this is allowed only in text after the registry/
	// part.
	NamePattern *string `json:"namePattern,omitempty" tf:"name_pattern,omitempty"`
}

type AdmissionWhitelistPatternsObservation struct {

	// An image name pattern to whitelist, in the form
	// registry/path/to/image. This supports a trailing * as a
	// wildcard, but this is allowed only in text after the registry/
	// part.
	NamePattern *string `json:"namePattern,omitempty" tf:"name_pattern,omitempty"`
}

type AdmissionWhitelistPatternsParameters struct {

	// An image name pattern to whitelist, in the form
	// registry/path/to/image. This supports a trailing * as a
	// wildcard, but this is allowed only in text after the registry/
	// part.
	// +kubebuilder:validation:Optional
	NamePattern *string `json:"namePattern" tf:"name_pattern,omitempty"`
}

type AttestationAuthorityNoteInitParameters struct {

	// The resource name of a ATTESTATION_AUTHORITY Note, created by the
	// user. If the Note is in a different project from the Attestor, it
	// should be specified in the format projects/*/notes/* (or the legacy
	// providers/*/notes/*). This field may not be updated.
	// An attestation by this attestor is stored as a Container Analysis
	// ATTESTATION_AUTHORITY Occurrence that names a container image
	// and that links to this Note.
	// +crossplane:generate:reference:type=github.com/upbound/provider-gcp/apis/containeranalysis/v1beta2.Note
	NoteReference *string `json:"noteReference,omitempty" tf:"note_reference,omitempty"`

	// Reference to a Note in containeranalysis to populate noteReference.
	// +kubebuilder:validation:Optional
	NoteReferenceRef *v1.Reference `json:"noteReferenceRef,omitempty" tf:"-"`

	// Selector for a Note in containeranalysis to populate noteReference.
	// +kubebuilder:validation:Optional
	NoteReferenceSelector *v1.Selector `json:"noteReferenceSelector,omitempty" tf:"-"`

	// Public keys that verify attestations signed by this attestor. This
	// field may be updated.
	// If this field is non-empty, one of the specified public keys must
	// verify that an attestation was signed by this attestor for the
	// image specified in the admission request.
	// If this field is empty, this attestor always returns that no valid
	// attestations exist.
	// Structure is documented below.
	PublicKeys []PublicKeysInitParameters `json:"publicKeys,omitempty" tf:"public_keys,omitempty"`
}

type AttestationAuthorityNoteObservation struct {

	// (Output)
	// This field will contain the service account email address that
	// this Attestor will use as the principal when querying Container
	// Analysis. Attestor administrators must grant this service account
	// the IAM role needed to read attestations from the noteReference in
	// Container Analysis (containeranalysis.notes.occurrences.viewer).
	// This email address is fixed for the lifetime of the Attestor, but
	// callers should not make any other assumptions about the service
	// account email; future versions may use an email based on a
	// different naming pattern.
	DelegationServiceAccountEmail *string `json:"delegationServiceAccountEmail,omitempty" tf:"delegation_service_account_email,omitempty"`

	// The resource name of a ATTESTATION_AUTHORITY Note, created by the
	// user. If the Note is in a different project from the Attestor, it
	// should be specified in the format projects/*/notes/* (or the legacy
	// providers/*/notes/*). This field may not be updated.
	// An attestation by this attestor is stored as a Container Analysis
	// ATTESTATION_AUTHORITY Occurrence that names a container image
	// and that links to this Note.
	NoteReference *string `json:"noteReference,omitempty" tf:"note_reference,omitempty"`

	// Public keys that verify attestations signed by this attestor. This
	// field may be updated.
	// If this field is non-empty, one of the specified public keys must
	// verify that an attestation was signed by this attestor for the
	// image specified in the admission request.
	// If this field is empty, this attestor always returns that no valid
	// attestations exist.
	// Structure is documented below.
	PublicKeys []PublicKeysObservation `json:"publicKeys,omitempty" tf:"public_keys,omitempty"`
}

type AttestationAuthorityNoteParameters struct {

	// The resource name of a ATTESTATION_AUTHORITY Note, created by the
	// user. If the Note is in a different project from the Attestor, it
	// should be specified in the format projects/*/notes/* (or the legacy
	// providers/*/notes/*). This field may not be updated.
	// An attestation by this attestor is stored as a Container Analysis
	// ATTESTATION_AUTHORITY Occurrence that names a container image
	// and that links to this Note.
	// +crossplane:generate:reference:type=github.com/upbound/provider-gcp/apis/containeranalysis/v1beta2.Note
	// +kubebuilder:validation:Optional
	NoteReference *string `json:"noteReference,omitempty" tf:"note_reference,omitempty"`

	// Reference to a Note in containeranalysis to populate noteReference.
	// +kubebuilder:validation:Optional
	NoteReferenceRef *v1.Reference `json:"noteReferenceRef,omitempty" tf:"-"`

	// Selector for a Note in containeranalysis to populate noteReference.
	// +kubebuilder:validation:Optional
	NoteReferenceSelector *v1.Selector `json:"noteReferenceSelector,omitempty" tf:"-"`

	// Public keys that verify attestations signed by this attestor. This
	// field may be updated.
	// If this field is non-empty, one of the specified public keys must
	// verify that an attestation was signed by this attestor for the
	// image specified in the admission request.
	// If this field is empty, this attestor always returns that no valid
	// attestations exist.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	PublicKeys []PublicKeysParameters `json:"publicKeys,omitempty" tf:"public_keys,omitempty"`
}

type Attestor struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.attestationAuthorityNote) || (has(self.initProvider) && has(self.initProvider.attestationAuthorityNote))",message="spec.forProvider.attestationAuthorityNote is a required parameter"
	Spec   AttestorSpec   `json:"spec"`
	Status AttestorStatus `json:"status,omitempty"`
}

type AttestorInitParameters struct {

	// A Container Analysis ATTESTATION_AUTHORITY Note, created by the user.
	// Structure is documented below.
	AttestationAuthorityNote *AttestationAuthorityNoteInitParameters `json:"attestationAuthorityNote,omitempty" tf:"attestation_authority_note,omitempty"`

	// A descriptive comment. This field may be updated. The field may be
	// displayed in chooser dialogs.
	Description *string `json:"description,omitempty" tf:"description,omitempty"`

	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project *string `json:"project,omitempty" tf:"project,omitempty"`
}

type AttestorList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []Attestor `json:"items"`
}

type AttestorObservation struct {

	// A Container Analysis ATTESTATION_AUTHORITY Note, created by the user.
	// Structure is documented below.
	AttestationAuthorityNote *AttestationAuthorityNoteObservation `json:"attestationAuthorityNote,omitempty" tf:"attestation_authority_note,omitempty"`

	// A descriptive comment. This field may be updated. The field may be
	// displayed in chooser dialogs.
	Description *string `json:"description,omitempty" tf:"description,omitempty"`

	// an identifier for the resource with format projects/{{project}}/attestors/{{name}}
	ID *string `json:"id,omitempty" tf:"id,omitempty"`

	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project *string `json:"project,omitempty" tf:"project,omitempty"`
}

type AttestorParameters struct {

	// A Container Analysis ATTESTATION_AUTHORITY Note, created by the user.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	AttestationAuthorityNote *AttestationAuthorityNoteParameters `json:"attestationAuthorityNote,omitempty" tf:"attestation_authority_note,omitempty"`

	// A descriptive comment. This field may be updated. The field may be
	// displayed in chooser dialogs.
	// +kubebuilder:validation:Optional
	Description *string `json:"description,omitempty" tf:"description,omitempty"`

	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	// +kubebuilder:validation:Optional
	Project *string `json:"project,omitempty" tf:"project,omitempty"`
}

type AttestorSpec struct {
	v1.ResourceSpec `json:",inline"`
	ForProvider     AttestorParameters `json:"forProvider"`
	// THIS IS A BETA FIELD. It will be honored
	// unless the Management Policies feature flag is disabled.
	// InitProvider holds the same fields as ForProvider, with the exception
	// of Identifier and other resource reference fields. The fields that are
	// in InitProvider are merged into ForProvider when the resource is created.
	// The same fields are also added to the terraform ignore_changes hook, to
	// avoid updating them after creation. This is useful for fields that are
	// required on creation, but we do not desire to update them after creation,
	// for example because of an external controller is managing them, like an
	// autoscaler.
	InitProvider AttestorInitParameters `json:"initProvider,omitempty"`
}

type AttestorStatus struct {
	v1.ResourceStatus `json:",inline"`
	AtProvider        AttestorObservation `json:"atProvider,omitempty"`
}

type ClusterAdmissionRulesInitParameters struct {

	// The identifier for this object. Format specified above.
	Cluster *string `json:"cluster,omitempty" tf:"cluster,omitempty"`

	// The action when a pod creation is denied by the admission rule.
	// Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
	EnforcementMode *string `json:"enforcementMode,omitempty" tf:"enforcement_mode,omitempty"`

	// How this admission rule will be evaluated.
	// Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
	EvaluationMode *string `json:"evaluationMode,omitempty" tf:"evaluation_mode,omitempty"`

	// The resource names of the attestors that must attest to a
	// container image. If the attestor is in a different project from the
	// policy, it should be specified in the format projects/*/attestors/*.
	// Each attestor must exist before a policy can reference it. To add an
	// attestor to a policy the principal issuing the policy change
	// request must be able to read the attestor resource.
	// Note: this field must be non-empty when the evaluation_mode field
	// specifies REQUIRE_ATTESTATION, otherwise it must be empty.
	// +listType=set
	RequireAttestationsBy []*string `json:"requireAttestationsBy,omitempty" tf:"require_attestations_by,omitempty"`
}

type ClusterAdmissionRulesObservation struct {

	// The identifier for this object. Format specified above.
	Cluster *string `json:"cluster,omitempty" tf:"cluster,omitempty"`

	// The action when a pod creation is denied by the admission rule.
	// Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
	EnforcementMode *string `json:"enforcementMode,omitempty" tf:"enforcement_mode,omitempty"`

	// How this admission rule will be evaluated.
	// Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
	EvaluationMode *string `json:"evaluationMode,omitempty" tf:"evaluation_mode,omitempty"`

	// The resource names of the attestors that must attest to a
	// container image. If the attestor is in a different project from the
	// policy, it should be specified in the format projects/*/attestors/*.
	// Each attestor must exist before a policy can reference it. To add an
	// attestor to a policy the principal issuing the policy change
	// request must be able to read the attestor resource.
	// Note: this field must be non-empty when the evaluation_mode field
	// specifies REQUIRE_ATTESTATION, otherwise it must be empty.
	// +listType=set
	RequireAttestationsBy []*string `json:"requireAttestationsBy,omitempty" tf:"require_attestations_by,omitempty"`
}

type ClusterAdmissionRulesParameters struct {

	// The identifier for this object. Format specified above.
	// +kubebuilder:validation:Optional
	Cluster *string `json:"cluster" tf:"cluster,omitempty"`

	// The action when a pod creation is denied by the admission rule.
	// Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
	// +kubebuilder:validation:Optional
	EnforcementMode *string `json:"enforcementMode" tf:"enforcement_mode,omitempty"`

	// How this admission rule will be evaluated.
	// Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
	// +kubebuilder:validation:Optional
	EvaluationMode *string `json:"evaluationMode" tf:"evaluation_mode,omitempty"`

	// The resource names of the attestors that must attest to a
	// container image. If the attestor is in a different project from the
	// policy, it should be specified in the format projects/*/attestors/*.
	// Each attestor must exist before a policy can reference it. To add an
	// attestor to a policy the principal issuing the policy change
	// request must be able to read the attestor resource.
	// Note: this field must be non-empty when the evaluation_mode field
	// specifies REQUIRE_ATTESTATION, otherwise it must be empty.
	// +kubebuilder:validation:Optional
	// +listType=set
	RequireAttestationsBy []*string `json:"requireAttestationsBy,omitempty" tf:"require_attestations_by,omitempty"`
}

type DefaultAdmissionRuleInitParameters struct {

	// The action when a pod creation is denied by the admission rule.
	// Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
	EnforcementMode *string `json:"enforcementMode,omitempty" tf:"enforcement_mode,omitempty"`

	// How this admission rule will be evaluated.
	// Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
	EvaluationMode *string `json:"evaluationMode,omitempty" tf:"evaluation_mode,omitempty"`

	// The resource names of the attestors that must attest to a
	// container image. If the attestor is in a different project from the
	// policy, it should be specified in the format projects/*/attestors/*.
	// Each attestor must exist before a policy can reference it. To add an
	// attestor to a policy the principal issuing the policy change
	// request must be able to read the attestor resource.
	// Note: this field must be non-empty when the evaluation_mode field
	// specifies REQUIRE_ATTESTATION, otherwise it must be empty.
	// +listType=set
	RequireAttestationsBy []*string `json:"requireAttestationsBy,omitempty" tf:"require_attestations_by,omitempty"`
}

type DefaultAdmissionRuleObservation struct {

	// The action when a pod creation is denied by the admission rule.
	// Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
	EnforcementMode *string `json:"enforcementMode,omitempty" tf:"enforcement_mode,omitempty"`

	// How this admission rule will be evaluated.
	// Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
	EvaluationMode *string `json:"evaluationMode,omitempty" tf:"evaluation_mode,omitempty"`

	// The resource names of the attestors that must attest to a
	// container image. If the attestor is in a different project from the
	// policy, it should be specified in the format projects/*/attestors/*.
	// Each attestor must exist before a policy can reference it. To add an
	// attestor to a policy the principal issuing the policy change
	// request must be able to read the attestor resource.
	// Note: this field must be non-empty when the evaluation_mode field
	// specifies REQUIRE_ATTESTATION, otherwise it must be empty.
	// +listType=set
	RequireAttestationsBy []*string `json:"requireAttestationsBy,omitempty" tf:"require_attestations_by,omitempty"`
}

type DefaultAdmissionRuleParameters struct {

	// The action when a pod creation is denied by the admission rule.
	// Possible values are: ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY.
	// +kubebuilder:validation:Optional
	EnforcementMode *string `json:"enforcementMode" tf:"enforcement_mode,omitempty"`

	// How this admission rule will be evaluated.
	// Possible values are: ALWAYS_ALLOW, REQUIRE_ATTESTATION, ALWAYS_DENY.
	// +kubebuilder:validation:Optional
	EvaluationMode *string `json:"evaluationMode" tf:"evaluation_mode,omitempty"`

	// The resource names of the attestors that must attest to a
	// container image. If the attestor is in a different project from the
	// policy, it should be specified in the format projects/*/attestors/*.
	// Each attestor must exist before a policy can reference it. To add an
	// attestor to a policy the principal issuing the policy change
	// request must be able to read the attestor resource.
	// Note: this field must be non-empty when the evaluation_mode field
	// specifies REQUIRE_ATTESTATION, otherwise it must be empty.
	// +kubebuilder:validation:Optional
	// +listType=set
	RequireAttestationsBy []*string `json:"requireAttestationsBy,omitempty" tf:"require_attestations_by,omitempty"`
}

type PkixPublicKeyInitParameters struct {

	// A PEM-encoded public key, as described in
	// https://tools.ietf.org/html/rfc7468#section-13
	PublicKeyPem *string `json:"publicKeyPem,omitempty" tf:"public_key_pem,omitempty"`

	// The signature algorithm used to verify a message against
	// a signature using this key. These signature algorithm must
	// match the structure and any object identifiers encoded in
	// publicKeyPem (i.e. this algorithm must match that of the
	// public key).
	SignatureAlgorithm *string `json:"signatureAlgorithm,omitempty" tf:"signature_algorithm,omitempty"`
}

type PkixPublicKeyObservation struct {

	// A PEM-encoded public key, as described in
	// https://tools.ietf.org/html/rfc7468#section-13
	PublicKeyPem *string `json:"publicKeyPem,omitempty" tf:"public_key_pem,omitempty"`

	// The signature algorithm used to verify a message against
	// a signature using this key. These signature algorithm must
	// match the structure and any object identifiers encoded in
	// publicKeyPem (i.e. this algorithm must match that of the
	// public key).
	SignatureAlgorithm *string `json:"signatureAlgorithm,omitempty" tf:"signature_algorithm,omitempty"`
}

type PkixPublicKeyParameters struct {

	// A PEM-encoded public key, as described in
	// https://tools.ietf.org/html/rfc7468#section-13
	// +kubebuilder:validation:Optional
	PublicKeyPem *string `json:"publicKeyPem,omitempty" tf:"public_key_pem,omitempty"`

	// The signature algorithm used to verify a message against
	// a signature using this key. These signature algorithm must
	// match the structure and any object identifiers encoded in
	// publicKeyPem (i.e. this algorithm must match that of the
	// public key).
	// +kubebuilder:validation:Optional
	SignatureAlgorithm *string `json:"signatureAlgorithm,omitempty" tf:"signature_algorithm,omitempty"`
}

type Policy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// +kubebuilder:validation:XValidation:rule="!('*' in self.managementPolicies || 'Create' in self.managementPolicies || 'Update' in self.managementPolicies) || has(self.forProvider.defaultAdmissionRule) || (has(self.initProvider) && has(self.initProvider.defaultAdmissionRule))",message="spec.forProvider.defaultAdmissionRule is a required parameter"
	Spec   PolicySpec   `json:"spec"`
	Status PolicyStatus `json:"status,omitempty"`
}

type PolicyInitParameters struct {

	// A whitelist of image patterns to exclude from admission rules. If an
	// image's name matches a whitelist pattern, the image's admission
	// requests will always be permitted regardless of your admission rules.
	// Structure is documented below.
	AdmissionWhitelistPatterns []AdmissionWhitelistPatternsInitParameters `json:"admissionWhitelistPatterns,omitempty" tf:"admission_whitelist_patterns,omitempty"`

	// Per-cluster admission rules. An admission rule specifies either that
	// all container images used in a pod creation request must be attested
	// to by one or more attestors, that all pod creations will be allowed,
	// or that all pod creations will be denied. There can be at most one
	// admission rule per cluster spec.
	ClusterAdmissionRules []ClusterAdmissionRulesInitParameters `json:"clusterAdmissionRules,omitempty" tf:"cluster_admission_rules,omitempty"`

	// Default admission rule for a cluster without a per-cluster admission
	// rule.
	// Structure is documented below.
	DefaultAdmissionRule *DefaultAdmissionRuleInitParameters `json:"defaultAdmissionRule,omitempty" tf:"default_admission_rule,omitempty"`

	// A descriptive comment.
	Description *string `json:"description,omitempty" tf:"description,omitempty"`

	// Controls the evaluation of a Google-maintained global admission policy
	// for common system-level images. Images not covered by the global
	// policy will be subject to the project admission policy.
	// Possible values are: ENABLE, DISABLE.
	GlobalPolicyEvaluationMode *string `json:"globalPolicyEvaluationMode,omitempty" tf:"global_policy_evaluation_mode,omitempty"`

	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project *string `json:"project,omitempty" tf:"project,omitempty"`
}

type PolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []Policy `json:"items"`
}

type PolicyObservation struct {

	// A whitelist of image patterns to exclude from admission rules. If an
	// image's name matches a whitelist pattern, the image's admission
	// requests will always be permitted regardless of your admission rules.
	// Structure is documented below.
	AdmissionWhitelistPatterns []AdmissionWhitelistPatternsObservation `json:"admissionWhitelistPatterns,omitempty" tf:"admission_whitelist_patterns,omitempty"`

	// Per-cluster admission rules. An admission rule specifies either that
	// all container images used in a pod creation request must be attested
	// to by one or more attestors, that all pod creations will be allowed,
	// or that all pod creations will be denied. There can be at most one
	// admission rule per cluster spec.
	ClusterAdmissionRules []ClusterAdmissionRulesObservation `json:"clusterAdmissionRules,omitempty" tf:"cluster_admission_rules,omitempty"`

	// Default admission rule for a cluster without a per-cluster admission
	// rule.
	// Structure is documented below.
	DefaultAdmissionRule *DefaultAdmissionRuleObservation `json:"defaultAdmissionRule,omitempty" tf:"default_admission_rule,omitempty"`

	// A descriptive comment.
	Description *string `json:"description,omitempty" tf:"description,omitempty"`

	// Controls the evaluation of a Google-maintained global admission policy
	// for common system-level images. Images not covered by the global
	// policy will be subject to the project admission policy.
	// Possible values are: ENABLE, DISABLE.
	GlobalPolicyEvaluationMode *string `json:"globalPolicyEvaluationMode,omitempty" tf:"global_policy_evaluation_mode,omitempty"`

	// an identifier for the resource with format projects/{{project}}
	ID *string `json:"id,omitempty" tf:"id,omitempty"`

	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	Project *string `json:"project,omitempty" tf:"project,omitempty"`
}

type PolicyParameters struct {

	// A whitelist of image patterns to exclude from admission rules. If an
	// image's name matches a whitelist pattern, the image's admission
	// requests will always be permitted regardless of your admission rules.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	AdmissionWhitelistPatterns []AdmissionWhitelistPatternsParameters `json:"admissionWhitelistPatterns,omitempty" tf:"admission_whitelist_patterns,omitempty"`

	// Per-cluster admission rules. An admission rule specifies either that
	// all container images used in a pod creation request must be attested
	// to by one or more attestors, that all pod creations will be allowed,
	// or that all pod creations will be denied. There can be at most one
	// admission rule per cluster spec.
	// +kubebuilder:validation:Optional
	ClusterAdmissionRules []ClusterAdmissionRulesParameters `json:"clusterAdmissionRules,omitempty" tf:"cluster_admission_rules,omitempty"`

	// Default admission rule for a cluster without a per-cluster admission
	// rule.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	DefaultAdmissionRule *DefaultAdmissionRuleParameters `json:"defaultAdmissionRule,omitempty" tf:"default_admission_rule,omitempty"`

	// A descriptive comment.
	// +kubebuilder:validation:Optional
	Description *string `json:"description,omitempty" tf:"description,omitempty"`

	// Controls the evaluation of a Google-maintained global admission policy
	// for common system-level images. Images not covered by the global
	// policy will be subject to the project admission policy.
	// Possible values are: ENABLE, DISABLE.
	// +kubebuilder:validation:Optional
	GlobalPolicyEvaluationMode *string `json:"globalPolicyEvaluationMode,omitempty" tf:"global_policy_evaluation_mode,omitempty"`

	// The ID of the project in which the resource belongs.
	// If it is not provided, the provider project is used.
	// +kubebuilder:validation:Optional
	Project *string `json:"project,omitempty" tf:"project,omitempty"`
}

type PolicySpec struct {
	v1.ResourceSpec `json:",inline"`
	ForProvider     PolicyParameters `json:"forProvider"`
	// THIS IS A BETA FIELD. It will be honored
	// unless the Management Policies feature flag is disabled.
	// InitProvider holds the same fields as ForProvider, with the exception
	// of Identifier and other resource reference fields. The fields that are
	// in InitProvider are merged into ForProvider when the resource is created.
	// The same fields are also added to the terraform ignore_changes hook, to
	// avoid updating them after creation. This is useful for fields that are
	// required on creation, but we do not desire to update them after creation,
	// for example because of an external controller is managing them, like an
	// autoscaler.
	InitProvider PolicyInitParameters `json:"initProvider,omitempty"`
}

type PolicyStatus struct {
	v1.ResourceStatus `json:",inline"`
	AtProvider        PolicyObservation `json:"atProvider,omitempty"`
}

type PublicKeysInitParameters struct {

	// ASCII-armored representation of a PGP public key, as the
	// entire output by the command
	// gpg --export --armor foo@example.com (either LF or CRLF
	// line endings). When using this field, id should be left
	// blank. The BinAuthz API handlers will calculate the ID
	// and fill it in automatically. BinAuthz computes this ID
	// as the OpenPGP RFC4880 V4 fingerprint, represented as
	// upper-case hex. If id is provided by the caller, it will
	// be overwritten by the API-calculated ID.
	ASCIIArmoredPgpPublicKey *string `json:"asciiArmoredPgpPublicKey,omitempty" tf:"ascii_armored_pgp_public_key,omitempty"`

	// A descriptive comment. This field may be updated.
	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`

	// The ID of this public key. Signatures verified by BinAuthz
	// must include the ID of the public key that can be used to
	// verify them, and that ID must match the contents of this
	// field exactly. Additional restrictions on this field can
	// be imposed based on which public key type is encapsulated.
	// See the documentation on publicKey cases below for details.
	ID *string `json:"id,omitempty" tf:"id,omitempty"`

	// A raw PKIX SubjectPublicKeyInfo format public key.
	// NOTE: id may be explicitly provided by the caller when using this
	// type of public key, but it MUST be a valid RFC3986 URI. If id is left
	// blank, a default one will be computed based on the digest of the DER
	// encoding of the public key.
	// Structure is documented below.
	PkixPublicKey *PkixPublicKeyInitParameters `json:"pkixPublicKey,omitempty" tf:"pkix_public_key,omitempty"`
}

type PublicKeysObservation struct {

	// ASCII-armored representation of a PGP public key, as the
	// entire output by the command
	// gpg --export --armor foo@example.com (either LF or CRLF
	// line endings). When using this field, id should be left
	// blank. The BinAuthz API handlers will calculate the ID
	// and fill it in automatically. BinAuthz computes this ID
	// as the OpenPGP RFC4880 V4 fingerprint, represented as
	// upper-case hex. If id is provided by the caller, it will
	// be overwritten by the API-calculated ID.
	ASCIIArmoredPgpPublicKey *string `json:"asciiArmoredPgpPublicKey,omitempty" tf:"ascii_armored_pgp_public_key,omitempty"`

	// A descriptive comment. This field may be updated.
	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`

	// The ID of this public key. Signatures verified by BinAuthz
	// must include the ID of the public key that can be used to
	// verify them, and that ID must match the contents of this
	// field exactly. Additional restrictions on this field can
	// be imposed based on which public key type is encapsulated.
	// See the documentation on publicKey cases below for details.
	ID *string `json:"id,omitempty" tf:"id,omitempty"`

	// A raw PKIX SubjectPublicKeyInfo format public key.
	// NOTE: id may be explicitly provided by the caller when using this
	// type of public key, but it MUST be a valid RFC3986 URI. If id is left
	// blank, a default one will be computed based on the digest of the DER
	// encoding of the public key.
	// Structure is documented below.
	PkixPublicKey *PkixPublicKeyObservation `json:"pkixPublicKey,omitempty" tf:"pkix_public_key,omitempty"`
}

type PublicKeysParameters struct {

	// ASCII-armored representation of a PGP public key, as the
	// entire output by the command
	// gpg --export --armor foo@example.com (either LF or CRLF
	// line endings). When using this field, id should be left
	// blank. The BinAuthz API handlers will calculate the ID
	// and fill it in automatically. BinAuthz computes this ID
	// as the OpenPGP RFC4880 V4 fingerprint, represented as
	// upper-case hex. If id is provided by the caller, it will
	// be overwritten by the API-calculated ID.
	// +kubebuilder:validation:Optional
	ASCIIArmoredPgpPublicKey *string `json:"asciiArmoredPgpPublicKey,omitempty" tf:"ascii_armored_pgp_public_key,omitempty"`

	// A descriptive comment. This field may be updated.
	// +kubebuilder:validation:Optional
	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`

	// The ID of this public key. Signatures verified by BinAuthz
	// must include the ID of the public key that can be used to
	// verify them, and that ID must match the contents of this
	// field exactly. Additional restrictions on this field can
	// be imposed based on which public key type is encapsulated.
	// See the documentation on publicKey cases below for details.
	// +kubebuilder:validation:Optional
	ID *string `json:"id,omitempty" tf:"id,omitempty"`

	// A raw PKIX SubjectPublicKeyInfo format public key.
	// NOTE: id may be explicitly provided by the caller when using this
	// type of public key, but it MUST be a valid RFC3986 URI. If id is left
	// blank, a default one will be computed based on the digest of the DER
	// encoding of the public key.
	// Structure is documented below.
	// +kubebuilder:validation:Optional
	PkixPublicKey *PkixPublicKeyParameters `json:"pkixPublicKey,omitempty" tf:"pkix_public_key,omitempty"`
}