-
Notifications
You must be signed in to change notification settings - Fork 2
/
resource_schema.yaml
239 lines (228 loc) · 9.03 KB
/
resource_schema.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
openapi: 3.0.0
info:
title: Terra Resource Buffer Service Resource Config
description: |
Terra Resource Buffering Service definitions of resource config schema.
The templates follows Cloud original openApi, schemas can be found here: https://github.com/APIs-guru/openapi-directory/tree/master/APIs
version: 0.0.1
# This file defines component models to be reused, not a service path.
paths: {}
components:
schemas:
# We are not doing polymorphism at this moment because of lack of support in swagger-codegen or openApiGenerator
# Now ResourceConfig contains all possible resource configs, and we will assume there is only one being set
# when using this.
ResourceConfig:
description: |-
Reource Config template in Terra
required:
- configName
properties:
configName:
description: |-
Name of the config
type: string
gcpProjectConfig:
$ref: '#/components/schemas/GcpProjectConfig'
type: object
GcpProjectConfig:
description: |-
Represents a GCP Project resource with extra cloud resource setup when creating project.
required:
- projectIdSchema
properties:
projectIdSchema:
$ref: '#/components/schemas/ProjectIdSchema'
parentFolderId:
description: |-
The parent folder id of created project.
type: string
billingAccount:
description: |-
The billing account id the project associated to.
type: string
enabledApis:
description: |-
List of APIs to enable
type: array
items:
type: string
iamBindings:
description: |-
List of GCP IAM bindings
type: array
items:
$ref: '#/components/schemas/IamBinding'
network:
$ref: '#/components/schemas/Network'
computeEngine:
$ref: '#/components/schemas/ComputeEngine'
storage:
$ref: '#/components/schemas/Storage'
kubernetesEngine:
$ref: '#/components/schemas/KubernetesEngine'
serviceUsage:
$ref: '#/components/schemas/ServiceUsage'
securityGroup:
description: |-
The security group to be used for this project
type: string
autoDelete:
description: |-
Whether projects from this pool should be automatically deleted a
short time after being handed out.
type: boolean
default: false
type: object
ProjectIdSchema:
description: |-
How to generate project Id, including prefix and the naming schema. For example, projectIdPrefix is
aou_rw, projectIdScheme is random_char, the generated project Id might be aou_rw_a1bc23
properties:
prefix:
description: |-
The created project name prefix.
type: string
scheme:
type: string
enum: ['RANDOM_CHAR', 'TWO_WORDS_NUMBER']
description: >
Id Scheme:
* `RANDOM_CHAR` - all random letters/numbers, length is defined in generator code.
* `TWO_WORDS_NUMBER` - an adjective, noun pair with a short random numeric suffix.
type: object
IamBinding:
description: Associates `members` with a `role`.
properties:
members:
description: "GCP identities, see https://cloud.google.com/resource-manager/reference/rest/Shared.Types/Binding"
items:
type: string
type: array
example: ["group:[email protected]", "serviceAccount:[email protected]"]
role:
description: Role that is assigned to `members`. For example, `roles/viewer`, `roles/editor`, or `roles/owner`.
type: string
type: object
Network:
description: Network setup for the project.
properties:
enableNetworkMonitoring:
description: |-
Make network traffic is measured. If enabled, turn on flow logs, enable private google access.
See https://docs.google.com/document/d/1ccz2kzDL68CPofZ-b95ykQIudCgh7OCSFJ4Ym4Oz0r0/edit for more context.
Note: Having NetworkMonitoring requires usePrivateGoogleAccess to be true. So usePrivateGoogleAccess will be true
if this is set to true.
type: boolean
default: false
keepDefaultNetwork:
description: |-
Keep the default VPC network if this flag is true, otherwise delete it.
Note: This might not be working if organization policy orgconstraints/compute.skipDefaultNetworkCreation is on.
type: boolean
default: false
enablePrivateGoogleAccess:
description: |-
Whether to config Private Google Access for storage and bigquery API. See: https://cloud.google.com/vpc/docs/configure-private-google-access
Note: Having NetworkMonitoring requires usePrivateGoogleAccess to be true. So usePrivateGoogleAccess will be true
if this is set to true.
type: boolean
default: false
enableCloudRegistryPrivateGoogleAccess:
description: |-
Whether to config Private Google Access for gcr.io.
type: boolean
default: false
enableArtifactRegistryPrivateGoogleAccess:
description: |-
Whether to config Private Google Access for Google Artifact Registry.
type: boolean
default: false
blockBatchInternetAccess:
description: |-
Whether to allow GCE VMs have internet access for batch analysis. If ture, few firewall rules will be created to block egress
access. Interactive analysis(Leonardo GCE or Dataproc master node) VMs are not affected.
See: https://docs.google.com/document/d/1elBUrHVoFzT8k5bofDxPi1bLPzJAYed-mc10ZfNz8CY/edit?resourcekey=0-7pDBBKNL6n3K7imr2V0fpA
type: boolean
default: false
blockedRegions:
description: |-
Subnetworks will be created for the regions in CreateSubnetsStep.REGION_TO_IP_RANGE, excluding these
blockedRegions.
type: array
items:
type: string
internalAccessTargetTags:
description: |-
target tags where internal ingress rule is applied. if not set, the default is leonardo
type: array
items:
type: string
enableSshViaIap:
description: ingress rule that allows ssh to VM through IAP.
type: boolean
default: false
enableNatGateway:
description: Whether to use public NAT gateway for GCE VMs.
type: boolean
default: false
type: object
ComputeEngine:
description: Compute Engine setup for the project.
properties:
keepDefaultServiceAcct:
description: |-
Keep the default Compute Engine service account if this flag is true, otherwise delete it.
type: boolean
default: false
type: object
Storage:
description: Google Cloud Storage used by the project
properties:
createLogBucket:
description: |-
Create a bucket for logging (object-level access enabled).
type: boolean
default: true
type: object
KubernetesEngine:
description: Google Kubernetes Engine configurations
properties:
createGkeDefaultServiceAccount:
description: |-
Whether to create a service as the default GKE node runner.
See https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#permissions"
type: boolean
type: object
ServiceUsage:
description: |-
Service Usage Consumer Quota Overrides. Individual services correspond to properties on this
object.
properties:
bigQuery:
$ref: '#/components/schemas/BigQueryQuotas'
type: object
BigQueryQuotas:
description: Consumer Quota Overrides for BigQuery service usage
properties:
overrideBigQueryDailyUsageQuota:
description: |-
If true, apply the override value given by bigQueryDailyUsageQuotaOverrideValueBytes.
This two-property approach is necessary as we can't use a default with BigDecimal in Java,
and there's no way to generate Optional types.
type: boolean
default: false
bigQueryDailyUsageQuotaOverrideValueMebibytes:
description: |-
Daily maximum query usage per project in MiB. Ignored if overrideBigQueryDailyUsageQuota is
false.
type: number
format: long
bigQueryDailyUsageQuotaOverrideValueBytes:
description: |-
Deprecated. Use bigQueryDailyUsageQuotaOverrideValueMebibytes instead.
Keeping this only for legacy pool; can remove once vpc_sc_v8 pool is retired.
type: number
format: long
deprecated: true
type: object