From 76d6f626cf2da68f5b28a095472ec9d02f17e098 Mon Sep 17 00:00:00 2001
From: Pyronewbic
Date: Wed, 20 May 2026 23:06:36 +0530
Subject: [PATCH] sec: enforce Binary Auth REQUIRE_ATTESTATION policy
---
 terraform/binary-auth.tf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/terraform/binary-auth.tf b/terraform/binary-auth.tf
index 3d90bed..7d74f00 100644
--- a/terraform/binary-auth.tf
+++ b/terraform/binary-auth.tf
@@ -79,8 +79,12 @@ resource "google_binary_authorization_policy" "default" {
 global_policy_evaluation_mode = "ENABLE"
 default_admission_rule {
- evaluation_mode = "ALWAYS_ALLOW"
+ evaluation_mode = "REQUIRE_ATTESTATION"
 enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
+
+ require_attestations_by = [
+ google_binary_authorization_attestor.deploy.name,
+ ]
 }
 depends_on = [google_project_service.binaryauthorization]
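Review bot: `require_attestations_by` makes the default rule a single-signer trust decision, and nothing in the hunk documents what that signer is or who may produce attestations; any image carrying a valid attestation from the `deploy` attestor is admitted to every cluster that has no more specific `cluster_admission_rules` entry, so the gate is exactly as strong as the IAM on that attestor's note and signing key. I would add above the list: `# Every cluster without a cluster_admission_rules entry is gated solely by the 'deploy' attestor; control of its note/KMS key is equivalent to bypassing this policy.` Note also that the unchanged context `global_policy_evaluation_mode = "ENABLE"` exempts Google-maintained system images from this rule, which is presumably intended for GKE system workloads but should be stated in a comment so it is not later read as a gap. If separation of duties between build and release is a goal, listing a second attestor here requires attestations from all listed attestors rather than any one of them. The `google_binary_authorization_policy` resource block starts before and closes after this hunk.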