-
Notifications
You must be signed in to change notification settings - Fork 542
/
metadata.yaml
399 lines (398 loc) · 17 KB
/
metadata.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: blueprints.cloud.google.com/v1alpha1
kind: BlueprintMetadata
metadata:
name: terraform-google-project-factory
annotations:
config.kubernetes.io/local-config: "true"
spec:
info:
title: Google Cloud Project Factory Terraform Module
source:
repo: https://github.com/terraform-google-modules/terraform-google-project-factory.git
sourceType: git
version: 17.0.0
actuationTool:
flavor: Terraform
version: ">=0.13.0"
description: {}
content:
subBlueprints:
- name: app_engine
location: modules/app_engine
- name: budget
location: modules/budget
- name: core_project_factory
location: modules/core_project_factory
- name: essential_contacts
location: modules/essential_contacts
- name: fabric-project
location: modules/fabric-project
- name: gsuite_enabled
location: modules/gsuite_enabled
- name: gsuite_group
location: modules/gsuite_group
- name: project_services
location: modules/project_services
- name: quota_manager
location: modules/quota_manager
- name: shared_vpc_access
location: modules/shared_vpc_access
- name: svpc_service_project
location: modules/svpc_service_project
examples:
- name: app_engine
location: examples/app_engine
- name: budget_project
location: examples/budget_project
- name: essential_contacts
location: examples/essential_contacts
- name: fabric_project
location: examples/fabric_project
- name: gke_shared_vpc
location: examples/gke_shared_vpc
- name: group_project
location: examples/group_project
- name: project-hierarchy
location: examples/project-hierarchy
- name: project_services
location: examples/project_services
- name: quota_project
location: examples/quota_project
- name: shared_vpc
location: examples/shared_vpc
- name: simple_project
location: examples/simple_project
- name: tags_project
location: examples/tags_project
interfaces:
variables:
- name: random_project_id
description: Adds a suffix of 4 random characters to the `project_id`.
varType: bool
defaultValue: false
- name: random_project_id_length
description: Sets the length of `random_project_id` to the provided length, and uses a `random_string` for a larger collusion domain. Recommended for use with CI.
varType: number
- name: org_id
description: The organization ID.
varType: string
- name: domain
description: The domain name (optional).
varType: string
defaultValue: ""
- name: name
description: The name for the project
varType: string
required: true
- name: project_id
description: The ID to give the project. If not provided, the `name` will be used.
varType: string
defaultValue: ""
- name: svpc_host_project_id
description: The ID of the host project which hosts the shared VPC
varType: string
defaultValue: ""
- name: enable_shared_vpc_host_project
description: If this project is a shared VPC host project. If true, you must *not* set svpc_host_project_id variable. Default is false.
varType: bool
defaultValue: false
- name: billing_account
description: The ID of the billing account to associate this project with
varType: string
required: true
- name: folder_id
description: The ID of a folder to host this project
varType: string
defaultValue: ""
- name: group_name
description: A group to control the project by being assigned group_role (defaults to project editor)
varType: string
defaultValue: ""
- name: group_role
description: The role to give the controlling group (group_name) over the project (defaults to project editor)
varType: string
defaultValue: roles/editor
- name: create_project_sa
description: Whether the default service account for the project shall be created
varType: bool
defaultValue: true
- name: project_sa_name
description: Default service account name for the project.
varType: string
defaultValue: project-service-account
- name: sa_role
description: A role to give the default Service Account for the project (defaults to none)
varType: string
defaultValue: ""
- name: activate_apis
description: The list of apis to activate within the project
varType: list(string)
defaultValue:
- compute.googleapis.com
- name: activate_api_identities
description: " The list of service identities (Google Managed service account for the API) to force-create for the project (e.g. in order to grant additional roles).\n APIs in this list will automatically be appended to `activate_apis`.\n Not including the API in this list will follow the default behaviour for identity creation (which is usually when the first resource using the API is created).\n Any roles (e.g. service agent role) must be explicitly listed. See https://cloud.google.com/iam/docs/understanding-roles#service-agent-roles-roles for a list of related roles.\n"
varType: |-
list(object({
api = string
roles = list(string)
}))
defaultValue: []
- name: usage_bucket_name
description: Name of a GCS bucket to store GCE usage reports in (optional)
varType: string
defaultValue: ""
- name: usage_bucket_prefix
description: Prefix in the GCS bucket to store GCE usage reports in (optional)
varType: string
defaultValue: ""
- name: shared_vpc_subnets
description: List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id)
varType: list(string)
defaultValue: []
- name: labels
description: Map of labels for project
varType: map(string)
defaultValue: {}
- name: bucket_project
description: A project to create a GCS bucket (bucket_name) in, useful for Terraform state (optional)
varType: string
defaultValue: ""
- name: bucket_name
description: A name for a GCS bucket to create (in the bucket_project project), useful for Terraform state (optional)
varType: string
defaultValue: ""
- name: bucket_location
description: The location for a GCS bucket to create (optional)
varType: string
defaultValue: US
- name: bucket_versioning
description: Enable versioning for a GCS bucket to create (optional)
varType: bool
defaultValue: false
- name: bucket_labels
description: " A map of key/value label pairs to assign to the bucket (optional)"
varType: map(string)
defaultValue: {}
- name: bucket_force_destroy
description: Force the deletion of all objects within the GCS bucket when deleting the bucket (optional)
varType: bool
defaultValue: false
- name: bucket_ula
description: Enable Uniform Bucket Level Access
varType: bool
defaultValue: true
- name: bucket_pap
description: Enable Public Access Prevention. Possible values are "enforced" or "inherited".
varType: string
defaultValue: inherited
- name: auto_create_network
description: Create the default network
varType: bool
defaultValue: false
- name: lien
description: Add a lien on the project to prevent accidental deletion
varType: bool
defaultValue: false
- name: disable_services_on_destroy
description: Whether project services will be disabled when the resources are destroyed
varType: bool
defaultValue: true
- name: default_service_account
description: "Project default service account setting: can be one of `delete`, `deprivilege`, `disable`, or `keep`."
varType: string
defaultValue: disable
- name: disable_dependent_services
description: Whether services that are enabled and which depend on this service should also be disabled when this service is destroyed.
varType: bool
defaultValue: true
- name: budget_amount
description: The amount to use for a budget alert
varType: number
- name: budget_display_name
description: "The display name of the budget. If not set defaults to `Budget For <projects[0]|All Projects>` "
varType: string
- name: budget_alert_pubsub_topic
description: The name of the Cloud Pub/Sub topic where budget related messages will be published, in the form of `projects/{project_id}/topics/{topic_id}`
varType: string
- name: budget_monitoring_notification_channels
description: A list of monitoring notification channels in the form `[projects/{project_id}/notificationChannels/{channel_id}]`. A maximum of 5 channels are allowed.
varType: list(string)
defaultValue: []
- name: budget_alert_spent_percents
description: A list of percentages of the budget to alert on when threshold is exceeded
varType: list(number)
defaultValue:
- 0.5
- 0.7
- 1
- name: budget_alert_spend_basis
description: The type of basis used to determine if spend has passed the threshold
varType: string
defaultValue: CURRENT_SPEND
- name: budget_labels
description: A single label and value pair specifying that usage from only this set of labeled resources should be included in the budget.
varType: map(string)
defaultValue: {}
- name: budget_calendar_period
description: Specifies the calendar period for the budget. Possible values are MONTH, QUARTER, YEAR, CALENDAR_PERIOD_UNSPECIFIED, CUSTOM. custom_period_start_date and custom_period_end_date must be set if CUSTOM
varType: string
- name: budget_custom_period_start_date
description: Specifies the start date (DD-MM-YYYY) for the calendar_period CUSTOM
varType: string
- name: budget_custom_period_end_date
description: Specifies the end date (DD-MM-YYYY) for the calendar_period CUSTOM
varType: string
- name: vpc_service_control_attach_enabled
description: Whether the project will be attached to a VPC Service Control Perimeter in ENFORCED MODE. vpc_service_control_attach_dry_run should be false for this to be true
varType: bool
defaultValue: false
- name: vpc_service_control_attach_dry_run
description: Whether the project will be attached to a VPC Service Control Perimeter in Dry Run Mode. vpc_service_control_attach_enabled should be false for this to be true
varType: bool
defaultValue: false
- name: vpc_service_control_perimeter_name
description: The name of a VPC Service Control Perimeter to add the created project to
varType: string
- name: vpc_service_control_sleep_duration
description: The duration to sleep in seconds before adding the project to a shared VPC after the project is added to the VPC Service Control Perimeter. VPC-SC is eventually consistent.
varType: string
defaultValue: 5s
- name: grant_services_security_admin_role
description: Whether or not to grant Kubernetes Engine Service Agent the Security Admin role on the host project so it can manage firewall rules
varType: bool
defaultValue: false
- name: grant_network_role
description: Whether or not to grant networkUser role on the host project/subnets
varType: bool
defaultValue: true
- name: consumer_quotas
description: The quotas configuration you want to override for the project.
varType: |-
list(object({
service = string,
metric = string,
dimensions = map(string),
limit = string,
value = string,
}))
defaultValue: []
- name: default_network_tier
description: Default Network Service Tier for resources created in this project. If unset, the value will not be modified. See https://cloud.google.com/network-tiers/docs/using-network-service-tiers and https://cloud.google.com/network-tiers.
varType: string
defaultValue: ""
- name: essential_contacts
description: A mapping of users or groups to be assigned as Essential Contacts to the project, specifying a notification category
varType: map(list(string))
defaultValue: {}
- name: language_tag
description: Language code to be used for essential contacts notifications
varType: string
defaultValue: en-US
- name: tag_binding_values
description: Tag values to bind the project to.
varType: list(string)
defaultValue: []
- name: cloud_armor_tier
description: "Managed protection tier to be set. Possible values are: CA_STANDARD, CA_ENTERPRISE_PAYGO"
varType: string
- name: deletion_policy
description: The deletion policy for the project.
varType: string
defaultValue: PREVENT
outputs:
- name: api_s_account
description: API service account email
- name: api_s_account_fmt
description: API service account email formatted for terraform use
- name: budget_name
description: The name of the budget if created
- name: domain
description: The organization's domain
- name: enabled_api_identities
description: Enabled API identities in the project
- name: enabled_apis
description: Enabled APIs in the project
- name: group_email
description: The email of the G Suite group with group_name
- name: project_bucket_self_link
description: Project's bucket selfLink
- name: project_bucket_url
description: Project's bucket url
- name: project_id
description: ID of the project
- name: project_name
description: Name of the project
- name: project_number
description: Numeric identifier for the project
- name: service_account_display_name
description: The display name of the default service account
- name: service_account_email
description: The email of the default service account
- name: service_account_id
description: The id of the default service account
- name: service_account_name
description: The fully-qualified name of the default service account
- name: service_account_unique_id
description: The unique id of the default service account
- name: tag_bindings
description: Tag bindings
- name: usage_report_export_bucket
description: GCE usage reports bucket
requirements:
roles:
- level: Project
roles:
- roles/owner
- roles/compute.admin
- roles/iam.serviceAccountAdmin
- roles/resourcemanager.projectIamAdmin
- roles/storage.admin
- roles/iam.serviceAccountUser
- roles/billing.projectManager
- level: Project
roles:
- roles/owner
- roles/resourcemanager.projectCreator
- roles/resourcemanager.folderAdmin
- roles/resourcemanager.folderIamAdmin
- roles/billing.projectManager
- roles/compute.xpnAdmin
- level: Project
roles:
- roles/accesscontextmanager.policyAdmin
- roles/resourcemanager.organizationViewer
- roles/resourcemanager.tagAdmin
- roles/resourcemanager.tagUser
services:
- admin.googleapis.com
- appengine.googleapis.com
- cloudbilling.googleapis.com
- cloudresourcemanager.googleapis.com
- compute.googleapis.com
- iam.googleapis.com
- iamcredentials.googleapis.com
- oslogin.googleapis.com
- serviceusage.googleapis.com
- billingbudgets.googleapis.com
- pubsub.googleapis.com
- accesscontextmanager.googleapis.com
- essentialcontacts.googleapis.com
- serviceconsumermanagement.googleapis.com
providerVersions:
- source: hashicorp/google
version: ">= 5.41, < 7"
- source: hashicorp/google-beta
version: ">= 5.41, < 7"