Align schemas (#3447)

* enforce schema uniqueness

* schemas

* fix tests
Ludovico Magnocavallo
2025-10-21 14:03:40 +02:00
committed by GitHub
parent c60ae3652a
commit a4cc7cd979
11 changed files with 2492 additions and 16 deletions


@@ -1 +0,0 @@
../../../../modules/project-factory/schemas/folder.schema.json


@@ -0,0 +1,555 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Folder",
"type": "object",
"additionalProperties": false,
"properties": {
"automation": {
"type": "object",
"additionalProperties": false,
"required": [
"project"
],
"properties": {
"prefix": {
"type": "string"
},
"project": {
"type": "string"
},
"bucket": {
"$ref": "#/$defs/bucket"
},
"service_accounts": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^[a-z0-9-]+$": {
"type": "object",
"additionalProperties": false,
"properties": {
"description": {
"type": "string"
},
"iam": {
"$ref": "#/$defs/iam"
},
"iam_bindings": {
"$ref": "#/$defs/iam_bindings"
},
"iam_bindings_additive": {
"$ref": "#/$defs/iam_bindings_additive"
},
"iam_billing_roles": {
"$ref": "#/$defs/iam_billing_roles"
},
"iam_folder_roles": {
"$ref": "#/$defs/iam_folder_roles"
},
"iam_organization_roles": {
"$ref": "#/$defs/iam_organization_roles"
},
"iam_project_roles": {
"$ref": "#/$defs/iam_project_roles"
},
"iam_sa_roles": {
"$ref": "#/$defs/iam_sa_roles"
},
"iam_storage_roles": {
"$ref": "#/$defs/iam_storage_roles"
}
}
}
}
}
}
},
"factories_config": {
"type": "object",
"additionalProperties": false,
"properties": {
"org_policies": {
"type": "string"
},
"pam_entitlements": {
"type": "string"
},
"scc_sha_custom_modules": {
"type": "string"
}
}
},
"iam": {
"$ref": "#/$defs/iam"
},
"iam_bindings": {
"$ref": "#/$defs/iam_bindings"
},
"iam_bindings_additive": {
"$ref": "#/$defs/iam_bindings_additive"
},
"iam_by_principals": {
"$ref": "#/$defs/iam_by_principals"
},
"name": {
"type": "string"
},
"org_policies": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^[a-z]+\\.": {
"type": "object",
"properties": {
"inherit_from_parent": {
"type": "boolean"
},
"reset": {
"type": "boolean"
},
"rules": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"allow": {
"type": "object",
"additionalProperties": false,
"properties": {
"all": {
"type": "boolean"
},
"values": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"deny": {
"type": "object",
"additionalProperties": false,
"properties": {
"all": {
"type": "boolean"
},
"values": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"enforce": {
"type": "boolean"
},
"condition": {
"type": "object",
"additionalProperties": false,
"properties": {
"description": {
"type": "string"
},
"expression": {
"type": "string"
},
"location": {
"type": "string"
},
"title": {
"type": "string"
}
}
}
}
}
}
}
}
}
},
"pam_entitlements": {
"$ref": "#/$defs/pam_entitlements"
},
"parent": {
"type": "string",
"pattern": "^(?:folders/[0-9]+|organizations/[0-9]+|\\$folder_ids:[a-z0-9_-]+)$"
},
"tag_bindings": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^[a-z0-9_-]+$": {
"type": "string"
}
}
}
},
"$defs": {
"bucket": {
"type": "object",
"additionalProperties": false,
"properties": {
"name": {
"type": "string"
},
"description": {
"type": "string"
},
"iam": {
"$ref": "#/$defs/iam"
},
"iam_bindings": {
"$ref": "#/$defs/iam_bindings"
},
"iam_bindings_additive": {
"$ref": "#/$defs/iam_bindings_additive"
},
"force_destroy": {
"type": "boolean"
},
"labels": {
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"location": {
"type": "string"
},
"managed_folders": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^[a-zA-Z0-9][a-zA-Z0-9_/-]+$": {
"type": "object",
"additionalProperties": false,
"properties": {
"force_destroy": {
"type": "boolean"
},
"iam": {
"$ref": "#/$defs/iam"
},
"iam_bindings": {
"$ref": "#/$defs/iam_bindings"
},
"iam_bindings_additive": {
"$ref": "#/$defs/iam_bindings_additive"
}
}
}
}
},
"prefix": {
"type": "string"
},
"storage_class": {
"type": "string"
},
"uniform_bucket_level_access": {
"type": "boolean"
},
"versioning": {
"type": "boolean"
}
}
},
"iam": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^(?:roles/|\\$custom_roles:)": {
"type": "array",
"items": {
"type": "string",
"pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\\$iam_principals:)"
}
}
}
},
"iam_bindings": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^[a-z0-9_-]+$": {
"type": "object",
"additionalProperties": false,
"properties": {
"members": {
"type": "array",
"items": {
"type": "string",
"pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\\$iam_principals:)"
}
},
"role": {
"type": "string",
"pattern": "^(?:roles/|\\$custom_roles:)"
},
"condition": {
"type": "object",
"additionalProperties": false,
"required": [
"expression",
"title"
],
"properties": {
"expression": {
"type": "string"
},
"title": {
"type": "string"
},
"description": {
"type": "string"
}
}
}
}
}
}
},
"iam_bindings_additive": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^[a-z0-9_-]+$": {
"type": "object",
"additionalProperties": false,
"properties": {
"member": {
"type": "string",
"pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\\$iam_principals:)"
},
"role": {
"type": "string",
"pattern": "^(?:roles/|\\$custom_roles:)"
},
"condition": {
"type": "object",
"additionalProperties": false,
"required": [
"expression",
"title"
],
"properties": {
"expression": {
"type": "string"
},
"title": {
"type": "string"
},
"description": {
"type": "string"
}
}
}
}
}
}
},
"iam_by_principals": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\\$iam_principals:)": {
"type": "array",
"items": {
"type": "string",
"pattern": "^(?:roles/|\\$custom_roles:)"
}
}
}
},
"iam_billing_roles": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^[a-z0-9-]+$": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"iam_folder_roles": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^[a-z0-9-]+$": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"iam_organization_roles": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^[a-z0-9-]+$": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"iam_project_roles": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^[a-z0-9-]+$": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"iam_sa_roles": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^[a-z0-9-]+$": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"iam_storage_roles": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^[a-z0-9-]+$": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"pam_entitlements": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^[a-z][a-z0-9-]{0,61}[a-z0-9]$": {
"type": "object",
"properties": {
"max_request_duration": {
"type": "string"
},
"eligible_users": {
"type": "array",
"items": {
"type": "string"
}
},
"privileged_access": {
"type": "array",
"items": {
"type": "object",
"properties": {
"role": {
"type": "string"
},
"condition": {
"type": "string"
}
},
"required": [
"role"
],
"additionalProperties": false
}
},
"requester_justification_config": {
"type": "object",
"properties": {
"not_mandatory": {
"type": "boolean"
},
"unstructured": {
"type": "boolean"
}
},
"additionalProperties": false
},
"manual_approvals": {
"type": "object",
"properties": {
"require_approver_justification": {
"type": "boolean"
},
"steps": {
"type": "array",
"items": {
"type": "object",
"properties": {
"approvers": {
"type": "array",
"items": {
"type": "string"
}
},
"approvals_needed": {
"type": "number"
},
"approver_email_recipients": {
"type": "array",
"items": {
"type": "string"
}
}
},
"required": [
"approvers"
],
"additionalProperties": false
}
}
},
"required": [
"require_approver_justification",
"steps"
],
"additionalProperties": false
},
"additional_notification_targets": {
"type": "object",
"properties": {
"admin_email_recipients": {
"type": "array",
"items": {
"type": "string"
}
},
"requester_email_recipients": {
"type": "array",
"items": {
"type": "string"
}
}
},
"additionalProperties": false
}
},
"required": [
"max_request_duration",
"eligible_users",
"privileged_access"
],
"additionalProperties": false
}
}
}
}
}
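Review bot: The principal patterns in this file (the `iam` items, `iam_bindings.members`, `iam_bindings_additive.member` and the `iam_by_principals` key) end in a bare `\\$iam_principals:`, while the project schema docs added by this same commit show `\\$iam_principals:[a-z0-9_-]+`, so the two schemas still disagree on what a principal reference must look like; ending each alternation with `|\\$iam_principals:[a-z0-9_-]+)` here would align them. While doing that, check project.schema.json (its diff is not shown): project.schema.md renders the `iam` items pattern with `principalSet:||\$iam_principals:`, and if that mirrors the schema, the empty alternative lets any member string pass. Separately, the per-policy object under `org_policies` (key pattern `^[a-z]+\\.`) is the one object in that subtree without `"additionalProperties": false`, so a misspelled `rules` or `inherit_from_parent` validates cleanly; adding that line after its `"type": "object",` would reject the typo at validation time.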


@@ -1 +0,0 @@
../../../../modules/project-factory/schemas/folder.schema.md


@@ -0,0 +1,188 @@
# Folder
<!-- markdownlint-disable MD036 -->
## Properties
*additional properties: false*
- **automation**: *object*
<br>*additional properties: false*
- **prefix**: *string*
- ⁺**project**: *string*
- **bucket**: *reference([bucket](#refs-bucket))*
- **service_accounts**: *object*
<br>*additional properties: false*
- **`^[a-z0-9-]+$`**: *object*
<br>*additional properties: false*
- **description**: *string*
- **iam**: *reference([iam](#refs-iam))*
- **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
- **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- **iam_billing_roles**: *reference([iam_billing_roles](#refs-iam_billing_roles))*
- **iam_folder_roles**: *reference([iam_folder_roles](#refs-iam_folder_roles))*
- **iam_organization_roles**: *reference([iam_organization_roles](#refs-iam_organization_roles))*
- **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))*
- **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))*
- **iam_storage_roles**: *reference([iam_storage_roles](#refs-iam_storage_roles))*
- **factories_config**: *object*
<br>*additional properties: false*
- **org_policies**: *string*
- **pam_entitlements**: *string*
- **scc_sha_custom_modules**: *string*
- **iam**: *reference([iam](#refs-iam))*
- **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
- **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- **iam_by_principals**: *reference([iam_by_principals](#refs-iam_by_principals))*
- **name**: *string*
- **org_policies**: *object*
<br>*additional properties: false*
- **`^[a-z]+\.`**: *object*
- **inherit_from_parent**: *boolean*
- **reset**: *boolean*
- **rules**: *array*
- items: *object*
<br>*additional properties: false*
- **allow**: *object*
<br>*additional properties: false*
- **all**: *boolean*
- **values**: *array*
- items: *string*
- **deny**: *object*
<br>*additional properties: false*
- **all**: *boolean*
- **values**: *array*
- items: *string*
- **enforce**: *boolean*
- **condition**: *object*
<br>*additional properties: false*
- **description**: *string*
- **expression**: *string*
- **location**: *string*
- **title**: *string*
- **pam_entitlements**: *reference([pam_entitlements](#refs-pam_entitlements))*
- **parent**: *string*
<br>*pattern: ^(?:folders/[0-9]+|organizations/[0-9]+|\$folder_ids:[a-z0-9_-]+)$*
- **tag_bindings**: *object*
<br>*additional properties: false*
- **`^[a-z0-9_-]+$`**: *string*
## Definitions
- **bucket**<a name="refs-bucket"></a>: *object*
<br>*additional properties: false*
- **name**: *string*
- **description**: *string*
- **iam**: *reference([iam](#refs-iam))*
- **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
- **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- **force_destroy**: *boolean*
- **labels**: *object*
*additional properties: String*
- **location**: *string*
- **managed_folders**: *object*
<br>*additional properties: false*
- **`^[a-zA-Z0-9][a-zA-Z0-9_/-]+$`**: *object*
<br>*additional properties: false*
- **force_destroy**: *boolean*
- **iam**: *reference([iam](#refs-iam))*
- **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
- **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- **prefix**: *string*
- **storage_class**: *string*
- **uniform_bucket_level_access**: *boolean*
- **versioning**: *boolean*
- **iam**<a name="refs-iam"></a>: *object*
<br>*additional properties: false*
- **`^(?:roles/|\$custom_roles:)`**: *array*
- items: *string*
<br>*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\$iam_principals:)*
- **iam_bindings**<a name="refs-iam_bindings"></a>: *object*
<br>*additional properties: false*
- **`^[a-z0-9_-]+$`**: *object*
<br>*additional properties: false*
- **members**: *array*
- items: *string*
<br>*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\$iam_principals:)*
- **role**: *string*
<br>*pattern: ^(?:roles/|\$custom_roles:)*
- **condition**: *object*
<br>*additional properties: false*
- ⁺**expression**: *string*
- ⁺**title**: *string*
- **description**: *string*
- **iam_bindings_additive**<a name="refs-iam_bindings_additive"></a>: *object*
<br>*additional properties: false*
- **`^[a-z0-9_-]+$`**: *object*
<br>*additional properties: false*
- **member**: *string*
<br>*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\$iam_principals:)*
- **role**: *string*
<br>*pattern: ^(?:roles/|\$custom_roles:)*
- **condition**: *object*
<br>*additional properties: false*
- ⁺**expression**: *string*
- ⁺**title**: *string*
- **description**: *string*
- **iam_by_principals**<a name="refs-iam_by_principals"></a>: *object*
<br>*additional properties: false*
- **`^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\$iam_principals:)`**: *array*
- items: *string*
<br>*pattern: ^(?:roles/|\$custom_roles:)*
- **iam_billing_roles**<a name="refs-iam_billing_roles"></a>: *object*
<br>*additional properties: false*
- **`^[a-z0-9-]+$`**: *array*
- items: *string*
- **iam_folder_roles**<a name="refs-iam_folder_roles"></a>: *object*
<br>*additional properties: false*
- **`^[a-z0-9-]+$`**: *array*
- items: *string*
- **iam_organization_roles**<a name="refs-iam_organization_roles"></a>: *object*
<br>*additional properties: false*
- **`^[a-z0-9-]+$`**: *array*
- items: *string*
- **iam_project_roles**<a name="refs-iam_project_roles"></a>: *object*
<br>*additional properties: false*
- **`^[a-z0-9-]+$`**: *array*
- items: *string*
- **iam_sa_roles**<a name="refs-iam_sa_roles"></a>: *object*
<br>*additional properties: false*
- **`^[a-z0-9-]+$`**: *array*
- items: *string*
- **iam_storage_roles**<a name="refs-iam_storage_roles"></a>: *object*
<br>*additional properties: false*
- **`^[a-z0-9-]+$`**: *array*
- items: *string*
- **pam_entitlements**<a name="refs-pam_entitlements"></a>: *object*
<br>*additional properties: false*
- **`^[a-z][a-z0-9-]{0,61}[a-z0-9]$`**: *object*
<br>*additional properties: false*
- ⁺**max_request_duration**: *string*
- ⁺**eligible_users**: *array*
- items: *string*
- ⁺**privileged_access**: *array*
- items: *object*
<br>*additional properties: false*
- ⁺**role**: *string*
- **condition**: *string*
- **requester_justification_config**: *object*
<br>*additional properties: false*
- **not_mandatory**: *boolean*
- **unstructured**: *boolean*
- **manual_approvals**: *object*
<br>*additional properties: false*
- ⁺**require_approver_justification**: *boolean*
- ⁺**steps**: *array*
- items: *object*
<br>*additional properties: false*
- ⁺**approvers**: *array*
- items: *string*
- **approvals_needed**: *number*
- **approver_email_recipients**: *array*
- items: *string*
- **additional_notification_targets**: *object*
<br>*additional properties: false*
- **admin_email_recipients**: *array*
- items: *string*
- **requester_email_recipients**: *array*
- items: *string*


@@ -1 +0,0 @@
../../../../modules/project-factory/schemas/project.schema.json

File diff suppressed because it is too large Load Diff


@@ -1 +0,0 @@
../../../../modules/project-factory/schemas/project.schema.md


@@ -0,0 +1,310 @@
# Project
<!-- markdownlint-disable MD036 -->
## Properties
*additional properties: false*
- **automation**: *object*
<br>*additional properties: false*
- **prefix**: *string*
- ⁺**project**: *string*
- **bucket**: *reference([bucket](#refs-bucket))*
- **service_accounts**: *object*
<br>*additional properties: false*
- **`^[a-z0-9-]+$`**: *object*
<br>*additional properties: false*
- **description**: *string*
- **iam**: *reference([iam](#refs-iam))*
- **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
- **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- **iam_billing_roles**: *reference([iam_billing_roles](#refs-iam_billing_roles))*
- **iam_folder_roles**: *reference([iam_folder_roles](#refs-iam_folder_roles))*
- **iam_organization_roles**: *reference([iam_organization_roles](#refs-iam_organization_roles))*
- **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))*
- **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))*
- **iam_storage_roles**: *reference([iam_storage_roles](#refs-iam_storage_roles))*
- **billing_account**: *string*
- **billing_budgets**: *array*
- items: *string*
- **buckets**: *reference([buckets](#refs-buckets))*
- **contacts**: *object*
<br>*additional properties: false*
- **`^[a-z0-9_-]+$`**: *array*
- items: *string*
- **deletion_policy**: *string*
<br>*enum: ['PREVENT', 'DELETE', 'ABANDON']*
- **factories_config**: *object*
<br>*additional properties: false*
- **custom_roles**: *string*
- **observability**: *string*
- **org_policies**: *string*
- **quotas**: *string*
- **scc_sha_custom_modules**: *string*
- **tags**: *string*
- **iam**: *reference([iam](#refs-iam))*
- **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
- **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- **iam_by_principals**: *reference([iam_by_principals](#refs-iam_by_principals))*
- **labels**: *object*
- **pam_entitlements**: *reference([pam_entitlements](#refs-pam_entitlements))*
- **log_buckets**: *object*
<br>*additional properties: false*
- **`^[a-z0-9-]+$`**: *reference([log_bucket](#refs-log_bucket))*
- **metric_scopes**: *array*
- items: *string*
- **name**: *string*
- **org_policies**: *object*
<br>*additional properties: false*
- **`^[a-z]+\.`**: *object*
- **inherit_from_parent**: *boolean*
- **reset**: *boolean*
- **rules**: *array*
- items: *object*
<br>*additional properties: false*
- **allow**: *object*
<br>*additional properties: false*
- **all**: *boolean*
- **values**: *array*
- items: *string*
- **deny**: *object*
<br>*additional properties: false*
- **all**: *boolean*
- **values**: *array*
- items: *string*
- **enforce**: *boolean*
- **condition**: *object*
<br>*additional properties: false*
- **description**: *string*
- **expression**: *string*
- **location**: *string*
- **title**: *string*
- **quotas**: *object*
<br>*additional properties: false*
- **`^[a-zA-Z0-9_-]+$`**: *object*
<br>*additional properties: false*
- ⁺**service**: *string*
- ⁺**quota_id**: *string*
- ⁺**preferred_value**: *number*
- **dimensions**: *object*
*additional properties: String*
- **justification**: *string*
- **contact_email**: *string*
- **annotations**: *object*
*additional properties: String*
- **ignore_safety_checks**: *string*
<br>*enum: ['QUOTA_DECREASE_BELOW_USAGE', 'QUOTA_DECREASE_PERCENTAGE_TOO_HIGH', 'QUOTA_SAFETY_CHECK_UNSPECIFIED']*
- **parent**: *string*
- **prefix**: *string*
- **project_reuse**: *object*
<br>*additional properties: false*
- **use_data_source**: *boolean*
- **attributes**: *object*
- ⁺**name**: *string*
- ⁺**number**: *number*
- **services_enabled**: *array*
- items: *string*
- **project_template**: *string*
- **service_accounts**: *object*
<br>*additional properties: false*
- **`^[a-z0-9-]+$`**: *object*
<br>*additional properties: false*
- **display_name**: *string*
- **iam**: *reference([iam](#refs-iam))*
- **iam_self_roles**: *array*
- items: *string*
- **iam_project_roles**: *reference([iam_project_roles](#refs-iam_project_roles))*
- **iam_sa_roles**: *reference([iam_sa_roles](#refs-iam_sa_roles))*
- **service_encryption_key_ids**: *object*
<br>*additional properties: false*
- **`^[a-z-]+\.googleapis\.com$`**: *array*
- items: *string*
- **services**: *array*
- items: *string*
<br>*pattern: ^[a-z-]+\.googleapis\.com$*
- **shared_vpc_host_config**: *object*
<br>*additional properties: false*
- ⁺**enabled**: *boolean*
- **service_projects**: *array*
- items: *string*
- **shared_vpc_service_config**: *object*
<br>*additional properties: false*
- ⁺**host_project**: *string*
- **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- **network_users**: *array*
- items: *string*
- **service_agent_iam**: *object*
- **`^[a-z0-9_-]+$`**: *array*
- items: *string*
- **service_agent_subnet_iam**: *object*
- **`^[a-z0-9_-]+$`**: *array*
- items: *string*
- **service_iam_grants**: *array*
- items: *string*
- **network_subnet_users**: *object*
- **`^[a-z0-9_-]+$`**: *array*
- items: *string*
- **tag_bindings**: *object*
<br>*additional properties: false*
- **`^[a-z0-9_-]+$`**: *string*
- **tags**: *object*
*additional properties: Object*
- **universe**: *object*
<br>*additional properties: false*
- **prefix**: *string*
- **forced_jit_service_identities**: *array*
- items: *string*
- **unavailable_services**: *array*
- items: *string*
- **unavailable_service_identities**: *array*
- items: *string*
- **vpc_sc**: *object*
- ⁺**perimeter_name**: *string*
- **is_dry_run**: *boolean*
- **datasets**: *object*
<br>*additional properties: false*
- **`^[a-z0-9_]+$`**: *object*
<br>*additional properties: false*
- **friendly_name**: *string*
- **location**: *string*
## Definitions
- **bucket**<a name="refs-bucket"></a>: *object*
<br>*additional properties: false*
- **name**: *string*
- **create**: *boolean*
- **description**: *string*
- **iam**: *reference([iam](#refs-iam))*
- **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
- **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- **force_destroy**: *boolean*
- **labels**: *object*
*additional properties: String*
- **location**: *string*
- **managed_folders**: *object*
<br>*additional properties: false*
- **`^[a-zA-Z0-9][a-zA-Z0-9_/-]+$`**: *object*
<br>*additional properties: false*
- **force_destroy**: *boolean*
- **iam**: *reference([iam](#refs-iam))*
- **iam_bindings**: *reference([iam_bindings](#refs-iam_bindings))*
- **iam_bindings_additive**: *reference([iam_bindings_additive](#refs-iam_bindings_additive))*
- **prefix**: *string*
- **storage_class**: *string*
- **uniform_bucket_level_access**: *boolean*
- **versioning**: *boolean*
- **retention_policy**: *object*
<br>*additional properties: false*
- **retention_period**: *number*
- **is_locked**: *boolean*
- **enable_object_retention**: *boolean*
- **buckets**<a name="refs-buckets"></a>: *object*
<br>*additional properties: false*
- **`^[a-z0-9-]+$`**: *reference([bucket](#refs-bucket))*
- **iam**<a name="refs-iam"></a>: *object*
<br>*additional properties: false*
- **`^(?:roles/|\$custom_roles:)`**: *array*
- items: *string*
<br>*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:||\$iam_principals:[a-z0-9_-]+)*
- **iam_bindings**<a name="refs-iam_bindings"></a>: *object*
<br>*additional properties: false*
- **`^[a-z0-9_-]+$`**: *object*
<br>*additional properties: false*
- **members**: *array*
- items: *string*
<br>*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\$iam_principals:[a-z0-9_-]+)*
- **role**: *string*
<br>*pattern: ^(?:roles/|\$custom_roles:)*
- **condition**: *object*
<br>*additional properties: false*
- ⁺**expression**: *string*
- ⁺**title**: *string*
- **description**: *string*
- **iam_bindings_additive**<a name="refs-iam_bindings_additive"></a>: *object*
<br>*additional properties: false*
- **`^[a-z0-9_-]+$`**: *object*
<br>*additional properties: false*
- **member**: *string*
<br>*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\$iam_principals:[a-z0-9_-]+)*
- **role**: *string*
<br>*pattern: ^(?:roles/|\$custom_roles:)*
- **condition**: *object*
<br>*additional properties: false*
- ⁺**expression**: *string*
- ⁺**title**: *string*
- **description**: *string*
- **iam_by_principals**<a name="refs-iam_by_principals"></a>: *object*
<br>*additional properties: false*
- **`^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\$iam_principals:[a-z0-9_-]+)`**: *array*
- items: *string*
<br>*pattern: ^(?:roles/|\$custom_roles:)*
- **iam_billing_roles**<a name="refs-iam_billing_roles"></a>: *object*
<br>*additional properties: false*
- **`^[a-z0-9-]+$`**: *array*
- items: *string*
- **iam_folder_roles**<a name="refs-iam_folder_roles"></a>: *object*
<br>*additional properties: false*
- **`^[a-z0-9-]+$`**: *array*
- items: *string*
- **iam_organization_roles**<a name="refs-iam_organization_roles"></a>: *object*
<br>*additional properties: false*
- **`^[a-z0-9-]+$`**: *array*
- items: *string*
- **iam_project_roles**<a name="refs-iam_project_roles"></a>: *object*
<br>*additional properties: false*
- **`^(?:[a-z0-9-]|\$project_ids:[a-z0-9_-])+$`**: *array*
- items: *string*
- **iam_sa_roles**<a name="refs-iam_sa_roles"></a>: *object*
<br>*additional properties: false*
- **`^(?:\$service_account_ids:|projects/)`**: *array*
- items: *string*
- **iam_storage_roles**<a name="refs-iam_storage_roles"></a>: *object*
<br>*additional properties: false*
- **`^[a-z0-9-]+$`**: *array*
- items: *string*
- **log_bucket**<a name="refs-log_bucket"></a>: *object*
<br>*additional properties: false*
- **description**: *string*
- **kms_key_name**: *string*
- **location**: *string*
- **log_analytics**: *object*
<br>*additional properties: false*
- **enable**: *boolean*
- **dataset_link_id**: *string*
- **description**: *string*
- **retention**: *number*
- **pam_entitlements**<a name="refs-pam_entitlements"></a>: *object*
<br>*additional properties: false*
- **`^[a-z][a-z0-9-]{0,61}[a-z0-9]$`**: *object*
<br>*additional properties: false*
- ⁺**max_request_duration**: *string*
- ⁺**eligible_users**: *array*
- items: *string*
- ⁺**privileged_access**: *array*
- items: *object*
<br>*additional properties: false*
- ⁺**role**: *string*
- **condition**: *string*
- **requester_justification_config**: *object*
<br>*additional properties: false*
- **not_mandatory**: *boolean*
- **unstructured**: *boolean*
- **manual_approvals**: *object*
<br>*additional properties: false*
- ⁺**require_approver_justification**: *boolean*
- ⁺**steps**: *array*
- items: *object*
<br>*additional properties: false*
- ⁺**approvers**: *array*
- items: *string*
- **approvals_needed**: *number*
- **approver_email_recipients**: *array*
- items: *string*
- **additional_notification_targets**: *object*
<br>*additional properties: false*
- **admin_email_recipients**: *array*
- items: *string*
- **requester_email_recipients**: *array*
- items: *string*


@@ -1 +0,0 @@
../../../../modules/vpc-sc/schemas/perimeters.schema.json


@@ -0,0 +1,120 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "perimeters",
"type": "object",
"additionalProperties": false,
"properties": {
"description": {
"type": "string"
},
"ignore_resource_changes": {
"type": "boolean",
"default": false
},
"spec": {
"type": "object",
"properties": {
"access_levels": {
"type": "array",
"items": {
"type": "string"
}
},
"egress_policies": {
"type": "array",
"items": {
"type": "string"
}
},
"ingress_policies": {
"type": "array",
"items": {
"type": "string"
}
},
"restricted_services": {
"type": "array",
"items": {
"type": "string"
}
},
"resources": {
"type": "array",
"items": {
"type": "string"
}
},
"vpc_accessible_services": {
"$ref": "#/$defs/VpcAccessibleServices"
}
},
"additionalProperties": false
},
"status": {
"type": "object",
"properties": {
"access_levels": {
"type": "array",
"items": {
"type": "string"
}
},
"egress_policies": {
"type": "array",
"items": {
"type": "string"
}
},
"ingress_policies": {
"type": "array",
"items": {
"type": "string"
}
},
"resources": {
"type": "array",
"items": {
"type": "string"
}
},
"restricted_services": {
"type": "array",
"items": {
"type": "string"
}
},
"vpc_accessible_services": {
"$ref": "#/$defs/VpcAccessibleServices"
}
},
"additionalProperties": false
},
"title": {
"type": "string"
},
"use_explicit_dry_run_spec": {
"type": "boolean",
"default": false
}
},
"$defs": {
"VpcAccessibleServices": {
"type": "object",
"additionalProperties": false,
"properties": {
"allowed_services": {
"type": "array",
"items": {
"type": "string"
}
},
"enable_restriction": {
"type": "boolean"
}
},
"required": [
"allowed_services"
]
}
}
}
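Review bot: `spec` and `status` carry the same property list and neither has a `description`, so nothing in the schema tells an author which block is actually enforced. In the VPC Service Controls API `status` is the enforced configuration and `spec` is the dry-run one, so, assuming the module passes these blocks through under the same names, a perimeter written only under `spec` reports violations without blocking them. I would add `"description": "Dry-run configuration; evaluated and logged but not enforced."` to `spec`, `"description": "Enforced configuration."` to `status`, and a one-line description on `use_explicit_dry_run_spec` saying how it relates to `spec`.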


@@ -88,6 +88,24 @@
} }
} }
}, },
"datasets": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^[a-z0-9_]+$": {
"type": "object",
"additionalProperties": false,
"properties": {
"friendly_name": {
"type": "string"
},
"location": {
"type": "string"
}
}
}
}
},
"deletion_policy": { "deletion_policy": {
"type": "string", "type": "string",
"enum": [ "enum": [
@@ -96,6 +114,33 @@
"ABANDON" "ABANDON"
] ]
}, },
"factories_config": {
"type": "object",
"additionalProperties": false,
"properties": {
"custom_roles": {
"type": "string"
},
"observability": {
"type": "string"
},
"org_policies": {
"type": "string"
},
"org_policies": {
"type": "string"
},
"quotas": {
"type": "string"
},
"scc_sha_custom_modules": {
"type": "string"
},
"tags": {
"type": "string"
}
}
},
"iam": { "iam": {
"$ref": "#/$defs/iam" "$ref": "#/$defs/iam"
}, },
@@ -108,9 +153,15 @@
"iam_by_principals": { "iam_by_principals": {
"$ref": "#/$defs/iam_by_principals" "$ref": "#/$defs/iam_by_principals"
}, },
"iam_by_principals_additive": {
"$ref": "#/$defs/iam_by_principals"
},
"labels": { "labels": {
"type": "object" "type": "object"
}, },
"pam_entitlements": {
"$ref": "#/$defs/pam_entitlements"
},
"log_buckets": { "log_buckets": {
"type": "object", "type": "object",
"additionalProperties": false, "additionalProperties": false,
@@ -295,6 +346,9 @@
} }
} }
}, },
"project_template": {
"type": "string"
},
"service_accounts": { "service_accounts": {
"type": "object", "type": "object",
"additionalProperties": false, "additionalProperties": false,
@@ -482,6 +536,33 @@
} }
} }
}, },
"universe": {
"type": "object",
"additionalProperties": false,
"properties": {
"prefix": {
"type": "string"
},
"forced_jit_service_identities": {
"type": "array",
"items": {
"type": "string"
}
},
"unavailable_services": {
"type": "array",
"items": {
"type": "string"
}
},
"unavailable_service_identities": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"vpc_sc": { "vpc_sc": {
"type": "object", "type": "object",
"additionalItems": false, "additionalItems": false,
@@ -506,6 +587,10 @@
"name": { "name": {
"type": "string" "type": "string"
}, },
"create": {
"type": "boolean",
"default": true
},
"description": { "description": {
"type": "string" "type": "string"
}, },
@@ -565,6 +650,21 @@
}, },
"versioning": { "versioning": {
"type": "boolean" "type": "boolean"
},
"retention_policy": {
"type": "object",
"additionalProperties": false,
"properties": {
"retention_period": {
"type": "number"
},
"is_locked": {
"type": "boolean"
}
}
},
"enable_object_retention": {
"type": "boolean"
} }
} }
}, },
@@ -789,6 +889,120 @@
"type": "number" "type": "number"
} }
} }
},
"pam_entitlements": {
"type": "object",
"additionalProperties": false,
"patternProperties": {
"^[a-z][a-z0-9-]{0,61}[a-z0-9]$": {
"type": "object",
"properties": {
"max_request_duration": {
"type": "string"
},
"eligible_users": {
"type": "array",
"items": {
"type": "string"
}
},
"privileged_access": {
"type": "array",
"items": {
"type": "object",
"properties": {
"role": {
"type": "string"
},
"condition": {
"type": "string"
}
},
"required": [
"role"
],
"additionalProperties": false
}
},
"requester_justification_config": {
"type": "object",
"properties": {
"not_mandatory": {
"type": "boolean"
},
"unstructured": {
"type": "boolean"
}
},
"additionalProperties": false
},
"manual_approvals": {
"type": "object",
"properties": {
"require_approver_justification": {
"type": "boolean"
},
"steps": {
"type": "array",
"items": {
"type": "object",
"properties": {
"approvers": {
"type": "array",
"items": {
"type": "string"
}
},
"approvals_needed": {
"type": "number"
},
"approver_email_recipients": {
"type": "array",
"items": {
"type": "string"
}
}
},
"required": [
"approvers"
],
"additionalProperties": false
}
}
},
"required": [
"require_approver_justification",
"steps"
],
"additionalProperties": false
},
"additional_notification_targets": {
"type": "object",
"properties": {
"admin_email_recipients": {
"type": "array",
"items": {
"type": "string"
}
},
"requester_email_recipients": {
"type": "array",
"items": {
"type": "string"
}
}
},
"additionalProperties": false
}
},
"required": [
"max_request_duration",
"eligible_users",
"privileged_access"
],
"additionalProperties": false
}
}
} }
} }
} }


@@ -65,7 +65,7 @@
"type": "array", "type": "array",
"items": { "items": {
"type": "string", "type": "string",
"pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])" "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\\$iam_principals:[a-z0-9_-]+)"
} }
} }
} }
@@ -82,7 +82,7 @@
"type": "array", "type": "array",
"items": { "items": {
"type": "string", "type": "string",
"pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])" "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\\$iam_principals:[a-z0-9_-]+)"
} }
}, },
"role": { "role": {
@@ -122,7 +122,7 @@
"properties": { "properties": {
"member": { "member": {
"type": "string", "type": "string",
"pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])" "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\\$iam_principals:[a-z0-9_-]+)"
}, },
"role": { "role": {
"type": "string", "type": "string",
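Review bot: The new `\\$iam_principals:[a-z0-9_-]+` alternative has no end anchor, so the character class only constrains the first character after the colon; a constructed value such as `$iam_principals:a b/c` still validates. These strings sit in `members`/`member` next to `role`, so they presumably become IAM principals after interpolation, and the schema should reject malformed context keys rather than pass them downstream. Closing the alternative with `$`, as in `\\$iam_principals:[a-z0-9_-]+$)`, would do that without affecting the prefix-only alternatives. The same pattern is repeated in the hunks at `@@ -82,7 +82,7 @@` and `@@ -122,7 +122,7 @@`. Removing the old `[a-z]` catch-all also rejects bare lowercase values that used to pass, so it is worth confirming that no existing data file relies on it.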


@@ -30,14 +30,14 @@
<br>*additional properties: false* <br>*additional properties: false*
- **`^roles/`**: *array* - **`^roles/`**: *array*
- items: *string* - items: *string*
<br>*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])* <br>*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\$iam_principals:[a-z0-9_-]+)*
- **iam_bindings**<a name="refs-iam_bindings"></a>: *object* - **iam_bindings**<a name="refs-iam_bindings"></a>: *object*
<br>*additional properties: false* <br>*additional properties: false*
- **`^[a-z0-9_-]+$`**: *object* - **`^[a-z0-9_-]+$`**: *object*
<br>*additional properties: false* <br>*additional properties: false*
- **members**: *array* - **members**: *array*
- items: *string* - items: *string*
<br>*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])* <br>*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\$iam_principals:[a-z0-9_-]+)*
- **role**: *string* - **role**: *string*
<br>*pattern: ^roles/* <br>*pattern: ^roles/*
- **condition**: *object* - **condition**: *object*
@@ -50,7 +50,7 @@
- **`^[a-z0-9_-]+$`**: *object* - **`^[a-z0-9_-]+$`**: *object*
<br>*additional properties: false* <br>*additional properties: false*
- **member**: *string* - **member**: *string*
<br>*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|[a-z])* <br>*pattern: ^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|\$iam_principals:[a-z0-9_-]+)*
- **role**: *string* - **role**: *string*
<br>*pattern: ^[a-zA-Z0-9_/]+$* <br>*pattern: ^[a-zA-Z0-9_/]+$*
- **condition**: *object* - **condition**: *object*


@@ -286,7 +286,7 @@ status:
- "storage.googleapis.com" - "storage.googleapis.com"
enable_restriction: yes enable_restriction: yes
# tftest-file id=p1 path=data/perimeters/perimeter-north.yaml schema=perimeters.schema.json # tftest-file id=p1 path=data/perimeters/perimeter-north.yaml schema=perimeter.schema.json
``` ```
```yaml ```yaml
@@ -309,7 +309,7 @@ status:
allowed_services: allowed_services:
- storage.googleapis.com - storage.googleapis.com
enable_restriction: true enable_restriction: true
# tftest-file id=p1 path=data/perimeters/perimeter-north.yaml schema=perimeters.schema.json # tftest-file id=p1 path=data/perimeters/perimeter-north.yaml schema=perimeter.schema.json
``` ```
```yaml ```yaml


@@ -21,7 +21,7 @@ import os
# List of folders and files that are expected to have same content # List of folders and files that are expected to have same content
duplicates = [ duplicates = [
# File comparison # file comparison
[ [
"fast/stages/0-org-setup/datasets/classic/defaults.yaml", "fast/stages/0-org-setup/datasets/classic/defaults.yaml",
"fast/stages/0-org-setup/datasets/hardened/defaults.yaml", "fast/stages/0-org-setup/datasets/hardened/defaults.yaml",
@@ -40,7 +40,7 @@ duplicates = [
"fast/stages/2-networking-b-nva/data/cidrs.yaml", "fast/stages/2-networking-b-nva/data/cidrs.yaml",
"fast/stages/2-networking-c-separate-envs/data/cidrs.yaml", "fast/stages/2-networking-c-separate-envs/data/cidrs.yaml",
], ],
# Deep recursive folder comparison # deep recursive folder comparison
[ [
"fast/stages/0-org-setup/datasets/classic/organization/custom-roles", "fast/stages/0-org-setup/datasets/classic/organization/custom-roles",
"fast/stages/0-org-setup/datasets/hardened/organization/custom-roles", "fast/stages/0-org-setup/datasets/hardened/organization/custom-roles",
@@ -49,6 +49,92 @@ duplicates = [
"fast/stages/0-org-setup/datasets/classic/organization/tags", "fast/stages/0-org-setup/datasets/classic/organization/tags",
"fast/stages/0-org-setup/datasets/hardened/organization/tags", "fast/stages/0-org-setup/datasets/hardened/organization/tags",
], ],
# schemas
[
"fast/stages/1-vpcsc/schemas/access-level.schema.json",
"modules/vpc-sc/schemas/access-level.schema.json",
],
[
"fast/stages/3-data-platform-dev/schemas/aspect-type.schema.json",
"modules/dataplex-aspect-types/schemas/aspect-type.schema.json",
],
[
"fast/stages/2-project-factory/schemas/budget.schema.json",
"fast/stages/0-org-setup/schemas/budget.schema.json",
"modules/billing-account/schemas/budget.schema.json",
"modules/project-factory/schemas/budget.schema.json",
],
[
"fast/stages/0-org-setup/schemas/custom-constraint.schema.json",
"modules/organization/schemas/org-policy-custom-constraint.schema.json",
],
[
"fast/stages/0-org-setup/schemas/custom-role.schema.json",
"modules/project/schemas/custom-role.schema.json",
"modules/organization/schemas/custom-role.schema.json",
],
[
"fast/stages/1-vpcsc/schemas/egress-policy.schema.json",
"modules/vpc-sc/schemas/egress-policy.schema.json",
],
[
"fast/stages/2-networking-a-simple/schemas/firewall-policy-rules.schema.json",
"fast/stages/2-networking-c-separate-envs/schemas/firewall-policy-rules.schema.json",
"fast/stages/2-networking-b-nva/schemas/firewall-policy-rules.schema.json",
"modules/net-firewall-policy/schemas/firewall-policy-rules.schema.json",
],
[
"fast/stages/2-networking-a-simple/schemas/firewall-rules.schema.json",
"fast/stages/2-networking-c-separate-envs/schemas/firewall-rules.schema.json",
"fast/stages/2-networking-b-nva/schemas/firewall-rules.schema.json",
"modules/net-vpc-firewall/schemas/firewall-rules.schema.json",
],
[
"fast/stages/2-project-factory/schemas/folder.schema.json",
"fast/stages/0-org-setup/schemas/folder.schema.json",
"modules/project-factory/schemas/folder.schema.json",
],
[
"fast/stages/1-vpcsc/schemas/ingress-policy.schema.json",
"modules/vpc-sc/schemas/ingress-policy.schema.json",
],
[
"fast/stages/0-org-setup/schemas/org-policies.schema.json",
"modules/folder/schemas/org-policies.schema.json",
"modules/project/schemas/org-policies.schema.json",
"modules/organization/schemas/org-policies.schema.json",
],
[
"modules/folder/schemas/pam-entitlements.schema.json",
"modules/project/schemas/pam-entitlements.schema.json",
"modules/organization/schemas/pam-entitlements.schema.json",
],
[
"fast/stages/1-vpcsc/schemas/perimeter.schema.json",
"modules/vpc-sc/schemas/perimeter.schema.json",
],
[
"fast/stages/2-project-factory/schemas/project.schema.json",
"fast/stages/0-org-setup/schemas/project.schema.json",
"fast/stages/2-security/schemas/project.schema.json",
"modules/project-factory/schemas/project.schema.json",
],
[
"modules/folder/schemas/scc-sha-custom-modules.schema.json",
"modules/project/schemas/scc-sha-custom-modules.schema.json",
"modules/organization/schemas/scc-sha-custom-modules.schema.json",
],
[
"fast/stages/2-networking-a-simple/schemas/subnet.schema.json",
"fast/stages/2-networking-c-separate-envs/schemas/subnet.schema.json",
"fast/stages/2-networking-b-nva/schemas/subnet.schema.json",
"modules/net-vpc/schemas/subnet.schema.json",
],
[
"fast/stages/0-org-setup/schemas/tags.schema.json",
"modules/project/schemas/tags.schema.json",
"modules/organization/schemas/tags.schema.json",
],
] ]
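Review bot: The groups added under `# schemas` are enumerated by hand, so a schema copy that is missing from the list is never compared and can drift from its module original without this test noticing. For schemas that validate IAM bindings, VPC-SC perimeters and firewall rules, drift could mean a stage accepts data that the module schema would reject, or the reverse. Consider a completeness check that fails when a `*.schema.json` file under `fast/stages/*/schemas` belongs to no group, or at minimum a comment such as `# schemas: every copy must be listed here, unlisted copies are not checked`. The `duplicates` list begins outside this hunk and the code that consumes it is not visible, so how each group is compared cannot be confirmed from here.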