Additional module schemas (#2494)

* resman modules

* billing account

* net-vpc subnets

* fast schemas and subnet validation

fast/stages/0-bootstrap/data/custom-roles/gcve_network_admin.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
 
 name: gcveNetworkAdmin
 includedPermissions:

fast/stages/0-bootstrap/data/custom-roles/network_firewall_policies_admin.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
 
 name: networkFirewallPoliciesAdmin
 includedPermissions:

fast/stages/0-bootstrap/data/custom-roles/ngfw_enterprise_admin.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
 
 name: ngfwEnterpriseAdmin
 includedPermissions:

fast/stages/0-bootstrap/data/custom-roles/organization_admin_viewer.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
 # this is used by the plan-only admin SA
 
 name: organizationAdminViewer

fast/stages/0-bootstrap/data/custom-roles/organization_iam_admin.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
 # this is needed for use in additive IAM bindings, to avoid conflicts
 
 name: organizationIamAdmin

fast/stages/0-bootstrap/data/custom-roles/service_project_network_admin.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
 
 name: serviceProjectNetworkAdmin
 includedPermissions:

fast/stages/0-bootstrap/data/custom-roles/storage_viewer.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
 # the following permissions are a descoped version of storage.admin
 
 name: storageViewer

fast/stages/0-bootstrap/data/custom-roles/tag_viewer.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
 # the following permissions are a descoped version of tagAdm
 
 name: tagViewer

fast/stages/0-bootstrap/data/custom-roles/tenant_network_admin.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
 
 name: tenantNetworkAdmin
 includedPermissions:

fast/stages/0-bootstrap/data/org-policies/compute.yaml

@@ -16,7 +16,7 @@
 # sample subset of useful organization policies, edit to suit requirements
 # start of document (---) avoids errors if the file only contains comments
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/org-policies.schema.json
+# yaml-language-server: $schema=../../schemas/org-policies.schema.json
 
 compute.disableGuestAttributesAccess:
   rules:

fast/stages/0-bootstrap/data/org-policies/gcp.yaml

@@ -16,7 +16,7 @@
 # sample subset of useful organization policies, edit to suit requirements
 # start of document (---) avoids errors if the file only contains comments
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/org-policies.schema.json
+# yaml-language-server: $schema=../../schemas/org-policies.schema.json
 
 # gcp.resourceLocations:
 #   rules:

fast/stages/0-bootstrap/data/org-policies/iam.yaml

@@ -16,7 +16,7 @@
 # sample subset of useful organization policies, edit to suit requirements
 # start of document (---) avoids errors if the file only contains comments
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/org-policies.schema.json
+# yaml-language-server: $schema=../../schemas/org-policies.schema.json
 
 iam.automaticIamGrantsForDefaultServiceAccounts:
   rules:

fast/stages/0-bootstrap/data/org-policies/serverless.yaml

@@ -16,7 +16,7 @@
 # sample subset of useful organization policies, edit to suit requirements
 # start of document (---) avoids errors if the file only contains comments
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/org-policies.schema.json
+# yaml-language-server: $schema=../../schemas/org-policies.schema.json
 
 run.allowedIngress:
   rules:

fast/stages/0-bootstrap/data/org-policies/sql.yaml

@@ -16,7 +16,7 @@
 # sample subset of useful organization policies, edit to suit requirements
 # start of document (---) avoids errors if the file only contains comments
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/org-policies.schema.json
+# yaml-language-server: $schema=../../schemas/org-policies.schema.json
 
 sql.restrictAuthorizedNetworks:
   rules:

fast/stages/0-bootstrap/data/org-policies/storage.yaml

@@ -16,7 +16,7 @@
 # sample subset of useful organization policies, edit to suit requirements
 # start of document (---) avoids errors if the file only contains comments
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/org-policies.schema.json
+# yaml-language-server: $schema=../../schemas/org-policies.schema.json
 
 storage.uniformBucketLevelAccess:
   rules:

fast/stages/0-bootstrap/schemas/custom-role.schema.json

@@ -0,0 +1 @@
+../../../../modules/organization/schemas/custom-role.schema.json

fast/stages/0-bootstrap/schemas/org-policies.schema.json

@@ -0,0 +1 @@
+../../../../modules/organization/schemas/org-policies.schema.json

fast/stages/1-resman/data/org-policies/sandbox/compute.yaml

@@ -6,6 +6,8 @@
 # Terraform will be unable to decode this file if it does not contain valid YAML
 # You can retain `---` (start of the document) to indicate an empty document.
 
+# yaml-language-server: $schema=../../../schemas/org-policies.schema.json
+
 compute.vmExternalIpAccess:
   rules:
     - allow:

fast/stages/1-resman/data/org-policies/sandbox/sql.yaml

@@ -6,6 +6,8 @@
 # Terraform will be unable to decode this file if it does not contain valid YAML
 # You can retain `---` (start of the document) to indicate an empty document.
 
+# yaml-language-server: $schema=../../../schemas/org-policies.schema.json
+
 sql.restrictPublicIp:
   rules:
     - enforce: true

fast/stages/1-resman/schemas/org-policies.schema.json

@@ -0,0 +1 @@
+../../../../modules/organization/schemas/org-policies.schema.json

fast/stages/1-vpcsc/data/access-levels/geo.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/vpc-sc/schemas/access-level.schema.json
+# yaml-language-server: $schema=../../schemas/access-level.schema.json
 
 # this is just an example that reflects the FAST core team members' locations
 # and needs to be edited, or not referenced in the perimeter variable

fast/stages/1-vpcsc/schemas/access-level.schema.json

@@ -0,0 +1 @@
+../../../../modules/vpc-sc/schemas/access-level.schema.json

fast/stages/1-vpcsc/schemas/egress-policy.schema.json

@@ -0,0 +1 @@
+../../../../modules/vpc-sc/schemas/egress-policy.schema.json

fast/stages/1-vpcsc/schemas/ingress-policy.schema.json

@@ -0,0 +1 @@
+../../../../modules/vpc-sc/schemas/ingress-policy.schema.json

fast/stages/2-networking-a-simple/data/subnets/dev/dev-dataplatform.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-dataplatform
 region: primary
 description: Default subnet for dev Data Platform

fast/stages/2-networking-a-simple/data/subnets/dev/dev-default.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-default
 region: primary
 ip_cidr_range: 10.68.0.0/24

fast/stages/2-networking-a-simple/data/subnets/dev/dev-gke-nodes.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-gke-nodes
 region: primary
 description: Default subnet for prod gke nodes

fast/stages/2-networking-a-simple/data/subnets/landing/landing-default.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: landing-default
 region: primary
 ip_cidr_range: 10.64.0.0/24

fast/stages/2-networking-a-simple/data/subnets/prod/prod-default.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: prod-default
 region: primary
 ip_cidr_range: 10.72.0.0/24

fast/stages/2-networking-a-simple/schemas/subnet.schema.json

@@ -0,0 +1 @@
+../../../../modules/net-vpc/schemas/subnet.schema.json

fast/stages/2-networking-b-nva/data/subnets/dev/dev-dataplatform.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-dataplatform
 region: primary
 description: Default subnet for dev Data Platform

fast/stages/2-networking-b-nva/data/subnets/dev/dev-default-pri.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-default
 region: primary
 ip_cidr_range: 10.68.0.0/24

fast/stages/2-networking-b-nva/data/subnets/dev/dev-default-sec.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-default
 region: secondary
 ip_cidr_range: 10.84.0.0/24

fast/stages/2-networking-b-nva/data/subnets/dev/dev-gke-nodes.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-gke-nodes
 region: primary
 description: Default subnet for prod gke nodes

fast/stages/2-networking-b-nva/data/subnets/dmz/dmz-default-pri.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dmz-default
 region: primary
 ip_cidr_range: 10.64.128.0/24

fast/stages/2-networking-b-nva/data/subnets/dmz/dmz-default-sec.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dmz-default
 region: secondary
 ip_cidr_range: 10.80.128.0/24

fast/stages/2-networking-b-nva/data/subnets/landing/landing-default-pri.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: landing-default
 region: primary
 ip_cidr_range: 10.64.0.0/24

fast/stages/2-networking-b-nva/data/subnets/landing/landing-default-sec.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: landing-default
 region: secondary
 ip_cidr_range: 10.80.0.0/24

fast/stages/2-networking-b-nva/data/subnets/prod/prod-default-ew1.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: prod-default
 region: primary
 ip_cidr_range: 10.72.0.0/24

fast/stages/2-networking-b-nva/data/subnets/prod/prod-default-ew4.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: prod-default
 region: secondary
 ip_cidr_range: 10.88.0.0/24

fast/stages/2-networking-b-nva/schemas/subnet.schema.json

@@ -0,0 +1 @@
+../../../../modules/net-vpc/schemas/subnet.schema.json

fast/stages/2-networking-c-separate-envs/data/subnets/dev/dev-dataplatform.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-dataplatform
 region: primary
 description: Default subnet for dev Data Platform

fast/stages/2-networking-c-separate-envs/data/subnets/dev/dev-default.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-default
 region: europe-west1
 ip_cidr_range: 10.68.0.0/24

fast/stages/2-networking-c-separate-envs/data/subnets/dev/dev-gke-nodes.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-gke-nodes
 region: primary
 description: Default subnet for prod gke nodes

fast/stages/2-networking-c-separate-envs/data/subnets/prod/prod-default.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: prod-default
 region: primary
 ip_cidr_range: 10.72.0.0/24

fast/stages/2-networking-c-separate-envs/schemas/subnet.schema.json

@@ -0,0 +1 @@
+../../../../modules/net-vpc/schemas/subnet.schema.json

modules/billing-account/README.md

@@ -238,7 +238,6 @@ module "billing-account" {
 ```
 
 ```yaml
-# tftest-file id=test-1 path=data/billing-budgets/folder-net-month-current-100.yaml
 display_name: 100 dollars in current spend
 amount:
   units: 100
@@ -255,6 +254,8 @@ update_rules:
     disable_default_iam_recipients: true
     monitoring_notification_channels:
     - billing-default
+
+# tftest-file id=test-1 path=data/billing-budgets/folder-net-month-current-100.yaml schema=budget.schema.json
 ```
 
 <!-- markdownlint-enable -->

modules/billing-account/schemas/budget.schema.json

@@ -0,0 +1,169 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Project",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "amount"
+  ],
+  "properties": {
+    "amount": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "currency_code": {
+          "type": "string"
+        },
+        "nanos": {
+          "type": "number"
+        },
+        "units": {
+          "type": "number"
+        },
+        "use_last_period": {
+          "type": "boolean"
+        }
+      }
+    },
+    "display_name": {
+      "type": "string"
+    },
+    "filter": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "credit_types_treatment": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "exclude_all": {
+              "type": "boolean"
+            },
+            "include_specified": {
+              "type": "array",
+              "items": {
+                "type": "string"
+              }
+            }
+          }
+        },
+        "label": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "key": {
+              "type": "string"
+            },
+            "value": {
+              "type": "string"
+            }
+          }
+        },
+        "period": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "calendar": {
+              "type": "string"
+            },
+            "custom": {
+              "type": "object",
+              "additionalProperties": false,
+              "properties": {
+                "start_date": {
+                  "$ref": "#/$defs/date"
+                },
+                "end_date": {
+                  "$ref": "#/$defs/date"
+                }
+              }
+            }
+          }
+        },
+        "projects": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "resource_ancestors": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "services": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "subaccounts": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
+    },
+    "threshold_rules": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": [
+          "percent"
+        ],
+        "properties": {
+          "percent": {
+            "type": "number"
+          },
+          "forecasted_spend": {
+            "type": "boolean"
+          }
+        }
+      }
+    },
+    "update_rules": {
+      "type": "object",
+      "additionalProperties": false,
+      "patternProperties": {
+        "^[a-z0-9_-]+$": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "disable_default_iam_recipients": {
+              "type": "boolean"
+            },
+            "monitoring_notification_channels": {
+              "type": "array",
+              "items": {
+                "type": "string"
+              }
+            },
+            "pubsub_topic": {
+              "type": "string"
+            }
+          }
+        }
+      }
+    }
+  },
+  "$defs": {
+    "date": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "day": {
+          "type": "number"
+        },
+        "month": {
+          "type": "number"
+        },
+        "year": {
+          "type": "number"
+        }
+      }
+    }
+  }
+}

modules/folder/README.md

@@ -165,7 +165,6 @@ module "folder" {
 ```
 
 ```yaml
-# tftest-file id=boolean path=configs/org-policies/boolean.yaml
 compute.disableGuestAttributesAccess:
   rules:
   - enforce: true
@@ -184,10 +183,11 @@ iam.disableServiceAccountKeyUpload:
       title: condition
     enforce: true
   - enforce: false
+
+# tftest-file id=boolean path=configs/org-policies/boolean.yaml schema=org-policies.schema.json
 ```
 
 ```yaml
-# tftest-file id=list path=configs/org-policies/list.yaml
 compute.trustedImageProjects:
   rules:
   - allow:
@@ -203,6 +203,8 @@ iam.allowedPolicyMemberDomains:
       values:
       - C0xxxxxxx
       - C0yyyyyyy
+
+# tftest-file id=list path=configs/org-policies/list.yaml schema=org-policies.schema.json
 ```
 
 ## Hierarchical Firewall Policy Attachments

modules/folder/schemas/org-policies.schema.json

@@ -0,0 +1 @@
+../../organization/schemas/org-policies.schema.json

modules/net-vpc/README.md

@@ -435,21 +435,22 @@ module "vpc" {
 ```
 
 ```yaml
-# tftest-file id=subnet-simple path=config/subnets/subnet-simple.yaml
 name: simple
 region: primary 
 ip_cidr_range: 10.0.1.0/24
+
+# tftest-file id=subnet-simple path=config/subnets/subnet-simple.yaml schema=subnet.schema.json
 ```
 
 ```yaml
-# tftest-file id=subnet-simple-2 path=config/subnets/subnet-simple-2.yaml
 name: simple
 region: europe-west8
 ip_cidr_range: 10.0.2.0/24
+
+# tftest-file id=subnet-simple-2 path=config/subnets/subnet-simple-2.yaml schema=subnet.schema.json
 ```
 
 ```yaml
-# tftest-file id=subnet-detailed path=config/subnets/subnet-detailed.yaml
 region: europe-west1
 description: Sample description
 ip_cidr_range: 10.0.0.0/24
@@ -466,28 +467,33 @@ flow_logs_config:             # enable, set to empty map to use defaults
   aggregation_interval: "INTERVAL_5_SEC"
   flow_sampling: 0.5
   metadata: "INCLUDE_ALL_METADATA"
+
+# tftest-file id=subnet-detailed path=config/subnets/subnet-detailed.yaml schema=subnet.schema.json
 ```
 
 ```yaml
-# tftest-file id=subnet-proxy path=config/subnets/subnet-proxy.yaml
 region: europe-west4
 ip_cidr_range: 10.1.0.0/24
 proxy_only: true
+
+# tftest-file id=subnet-proxy path=config/subnets/subnet-proxy.yaml schema=subnet.schema.json
 ```
 
 ```yaml
-# tftest-file id=subnet-proxy-global path=config/subnets/subnet-proxy-global.yaml
 region: australia-southeast2
 ip_cidr_range: 10.4.0.0/24
 proxy_only: true
 global: true
+
+# tftest-file id=subnet-proxy-global path=config/subnets/subnet-proxy-global.yaml schema=subnet.schema.json
 ```
 
 ```yaml
-# tftest-file id=subnet-psc path=config/subnets/subnet-psc.yaml
 region: europe-west4
 ip_cidr_range: 10.2.0.0/24
 psc: true
+
+# tftest-file id=subnet-psc path=config/subnets/subnet-psc.yaml schema=subnet.schema.json
 ```
 
 ### Custom Routes

modules/net-vpc/schemas/subnet.schema.json

@@ -0,0 +1,183 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Subnet",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "ip_cidr_range",
+    "region"
+  ],
+  "properties": {
+    "active": {
+      "type": "boolean"
+    },
+    "description": {
+      "type": "string"
+    },
+    "enable_private_access": {
+      "type": "boolean"
+    },
+    "flow_logs_config": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "aggregation_interval": {
+          "type": "string"
+        },
+        "filter_expression": {
+          "type": "string"
+        },
+        "flow_sampling": {
+          "type": "number"
+        },
+        "metadata": {
+          "type": "string"
+        },
+        "metadata_fields": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
+    },
+    "global": {
+      "type": "boolean"
+    },
+    "ip_cidr_range": {
+      "type": "string"
+    },
+    "ipv6": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "access_type": {
+          "type": "string"
+        }
+      }
+    },
+    "name": {
+      "type": "string"
+    },
+    "region": {
+      "type": "string"
+    },
+    "psc": {
+      "type": "boolean"
+    },
+    "proxy_only": {
+      "type": "boolean"
+    },
+    "secondary_ip_ranges": {
+      "type": "object",
+      "additionalProperties": {
+        "type": "string"
+      }
+    },
+    "iam": {
+      "$ref": "#/$defs/iam"
+    },
+    "iam_bindings": {
+      "$ref": "#/$defs/iam_bindings"
+    },
+    "iam_bindings_additive": {
+      "$ref": "#/$defs/iam_bindings_additive"
+    }
+  },
+  "$defs": {
+    "iam": {
+      "type": "object",
+      "additionalProperties": false,
+      "patternProperties": {
+        "^roles/": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|ro|rw)"
+          }
+        }
+      }
+    },
+    "iam_bindings": {
+      "type": "object",
+      "additionalProperties": false,
+      "patternProperties": {
+        "^[a-z0-9_-]+$": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "members": {
+              "type": "array",
+              "items": {
+                "type": "string",
+                "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|ro|rw)"
+              }
+            },
+            "role": {
+              "type": "string",
+              "pattern": "^roles/"
+            },
+            "condition": {
+              "type": "object",
+              "additionalProperties": false,
+              "required": [
+                "expression",
+                "title"
+              ],
+              "properties": {
+                "expression": {
+                  "type": "string"
+                },
+                "title": {
+                  "type": "string"
+                },
+                "description": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    "iam_bindings_additive": {
+      "type": "object",
+      "additionalProperties": false,
+      "patternProperties": {
+        "^[a-z0-9_-]+$": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "member": {
+              "type": "string",
+              "pattern": "^(?:domain:|group:|serviceAccount:|user:|principal:|principalSet:|ro|rw)"
+            },
+            "role": {
+              "type": "string",
+              "pattern": "^roles/"
+            },
+            "condition": {
+              "type": "object",
+              "additionalProperties": false,
+              "required": [
+                "expression",
+                "title"
+              ],
+              "properties": {
+                "expression": {
+                  "type": "string"
+                },
+                "title": {
+                  "type": "string"
+                },
+                "description": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}

modules/project-factory/schemas/budget.schema.json

@@ -1,169 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "title": "Project",
-  "type": "object",
-  "additionalProperties": false,
-  "required": [
-    "amount"
-  ],
-  "properties": {
-    "amount": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "currency_code": {
-          "type": "string"
-        },
-        "nanos": {
-          "type": "number"
-        },
-        "units": {
-          "type": "number"
-        },
-        "use_last_period": {
-          "type": "boolean"
-        }
-      }
-    },
-    "display_name": {
-      "type": "string"
-    },
-    "filter": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "credit_types_treatment": {
-          "type": "object",
-          "additionalProperties": false,
-          "properties": {
-            "exclude_all": {
-              "type": "boolean"
-            },
-            "include_specified": {
-              "type": "array",
-              "items": {
-                "type": "string"
-              }
-            }
-          }
-        },
-        "label": {
-          "type": "object",
-          "additionalProperties": false,
-          "properties": {
-            "key": {
-              "type": "string"
-            },
-            "value": {
-              "type": "string"
-            }
-          }
-        },
-        "period": {
-          "type": "object",
-          "additionalProperties": false,
-          "properties": {
-            "calendar": {
-              "type": "string"
-            },
-            "custom": {
-              "type": "object",
-              "additionalProperties": false,
-              "properties": {
-                "start_date": {
-                  "$ref": "#/$defs/date"
-                },
-                "end_date": {
-                  "$ref": "#/$defs/date"
-                }
-              }
-            }
-          }
-        },
-        "projects": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          }
-        },
-        "resource_ancestors": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          }
-        },
-        "services": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          }
-        },
-        "subaccounts": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          }
-        }
-      }
-    },
-    "threshold_rules": {
-      "type": "array",
-      "items": {
-        "type": "object",
-        "additionalProperties": false,
-        "required": [
-          "percent"
-        ],
-        "properties": {
-          "percent": {
-            "type": "number"
-          },
-          "forecasted_spend": {
-            "type": "boolean"
-          }
-        }
-      }
-    },
-    "update_rules": {
-      "type": "object",
-      "additionalProperties": false,
-      "patternProperties": {
-        "^[a-z0-9_-]+$": {
-          "type": "object",
-          "additionalProperties": false,
-          "properties": {
-            "disable_default_iam_recipients": {
-              "type": "boolean"
-            },
-            "monitoring_notification_channels": {
-              "type": "array",
-              "items": {
-                "type": "string"
-              }
-            },
-            "pubsub_topic": {
-              "type": "string"
-            }
-          }
-        }
-      }
-    }
-  },
-  "$defs": {
-    "date": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "day": {
-          "type": "number"
-        },
-        "month": {
-          "type": "number"
-        },
-        "year": {
-          "type": "number"
-        }
-      }
-    }
-  }
-}

modules/project-factory/schemas/budget.schema.json

@@ -0,0 +1 @@
+../../billing-account/schemas/budget.schema.json

modules/project/README.md

@@ -542,12 +542,6 @@ module "project" {
 ```
 
 ```yaml
-# tftest-file id=boolean path=configs/org-policies/boolean.yaml
-
----
-# Terraform will be unable to decode this file if it does not contain valid YAML
-# You can retain `---` (start of the document) to indicate an empty document.
-
 compute.disableGuestAttributesAccess:
   rules:
   - enforce: true
@@ -566,15 +560,11 @@ iam.disableServiceAccountKeyUpload:
       title: condition
     enforce: true
   - enforce: false
+
+# tftest-file id=boolean path=configs/org-policies/boolean.yaml schema=org-policies.schema.json
 ```
 
 ```yaml
-# tftest-file id=list path=configs/org-policies/list.yaml
-
----
-# Terraform will be unable to decode this file if it does not contain valid YAML
-# You can retain `---` (start of the document) to indicate an empty document.
-
 compute.trustedImageProjects:
   rules:
   - allow:
@@ -590,6 +580,8 @@ iam.allowedPolicyMemberDomains:
       values:
       - C0xxxxxxx
       - C0yyyyyyy
+
+# tftest-file id=list path=configs/org-policies/list.yaml schema=org-policies.schema.json
 ```
 
 ### Dry-Run Mode
@@ -962,20 +954,20 @@ module "project" {
 ```
 
 ```yaml
-# tftest-file id=custom-role-1 path=data/custom_roles/test_1.yaml
-
 includedPermissions:
  - compute.globalOperations.get
+
+# tftest-file id=custom-role-1 path=data/custom_roles/test_1.yaml schema=custom-role.schema.json
 ```
 
 ```yaml
-# tftest-file id=custom-role-2 path=data/custom_roles/test_2.yaml
-
 name: projectViewer
 includedPermissions:
   - resourcemanager.projects.get
   - resourcemanager.projects.getIamPolicy
   - resourcemanager.projects.list
+
+# tftest-file id=custom-role-2 path=data/custom_roles/test_2.yaml schema=custom-role.schema.json
 ```
 
 ## Quotas
@@ -1039,12 +1031,6 @@ module "project" {
 ```
 
 ```yaml
-# tftest-file id=quota-cpus-ew8 path=data/quotas/cpus-ew8.yaml
-
----
-# Terraform will be unable to decode this file if it does not contain valid YAML
-# You can retain `---` (start of the document) to indicate an empty document.
-
 cpus-ew8:
   service: compute.googleapis.com
   quota_id: CPUS-per-project-region
@@ -1052,6 +1038,8 @@ cpus-ew8:
   preferred_value: 751
   dimensions:
     region: europe-west8
+
+# tftest-file id=quota-cpus-ew8 path=data/quotas/cpus-ew8.yaml schema=quotas.schema.json
 ```
 
 ## VPC Service Controls

modules/project/schemas/custom-role.schema.json

@@ -0,0 +1 @@
+../../organization/schemas/custom-role.schema.json

modules/project/schemas/org-policies.schema.json

@@ -0,0 +1 @@
+../../organization/schemas/org-policies.schema.json

modules/project/schemas/quotas.schema.json

@@ -0,0 +1,53 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Organization Policies",
+  "type": "object",
+  "additionalProperties": false,
+  "patternProperties": {
+    "^[a-zA-Z0-9_-]+$": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "service",
+        "quota_id",
+        "preferred_value"
+      ],
+      "properties": {
+        "service": {
+          "type": "string"
+        },
+        "quota_id": {
+          "type": "string"
+        },
+        "preferred_value": {
+          "type": "number"
+        },
+        "dimensions": {
+          "type": "object",
+          "additionalProperties": {
+            "type": "string"
+          }
+        },
+        "justification": {
+          "type": "string"
+        },
+        "contact_email": {
+          "type": "string"
+        },
+        "annotations": {
+          "type": "object",
+          "additionalProperties": {
+            "type": "string"
+          }
+        },
+        "ignore_safety_checks": {
+          "enum": [
+            "QUOTA_DECREASE_BELOW_USAGE",
+            "QUOTA_DECREASE_PERCENTAGE_TOO_HIGH",
+            "QUOTA_SAFETY_CHECK_UNSPECIFIED"
+          ]
+        }
+      }
+    }
+  }
+}