# skip boilerplate check

# [opt] Billing account id - overrides default if set
billing_account_id: 012345-67890A-BCDEF0

# [opt] Billing alerts config - overrides default if set
billing_alert:
  amount: 10
  thresholds:
    current:
      - 0.5
      - 0.8
    forecasted: []
  credit_treatment: INCLUDE_ALL_CREDITS

# [opt] DNS zones to be created as children of the environment_dns_zone defined in defaults
dns_zones:
  - lorem
  - ipsum

# [opt] Contacts for billing alerts and important notifications
essential_contacts:
  - team-a-contacts@example.com

# Folder the project will be created as children of
folder_id: folders/012345678901

# [opt] Authoritative IAM bindings in group => [roles] format
group_iam:
  test-team-foobar@fast-lab-0.gcp-pso-italy.net:
    - roles/compute.admin

# [opt] Authoritative IAM bindings in role => [principals] format
# Generally used to grant roles to service accounts external to the project
iam:
  roles/compute.admin:
    - serviceAccount:service-account

# [opt] Service robots and keys they will be assigned as cryptoKeyEncrypterDecrypter
# in service => [keys] format
kms_service_agents:
  compute: [key1, key2]
  storage: [key1, key2]

# [opt] Labels for the project - merged with the ones defined in defaults
labels:
  environment: dev

# [opt] Org policy overrides defined at project level
org_policies:
  compute.disableGuestAttributesAccess:
    rules:
    - enforce: true
  compute.trustedImageProjects:
    rules:
    - allow:
        values:
        - projects/fast-dev-iac-core-0
  compute.vmExternalIpAccess:
    rules:
      - deny:
          all: true

# [opt] Service account to create for the project and their roles on the project
# in name => [roles] format
service_accounts:
  another-service-account:
    - roles/compute.admin
  my-service-account:
    - roles/compute.admin

# [opt] APIs to enable on the project.
services:
  - storage.googleapis.com
  - stackdriver.googleapis.com
  - compute.googleapis.com

# [opt] Roles to assign to the service identities in service => [roles] format
service_identities_iam:
  compute:
    - roles/storage.objectViewer

  # [opt] VPC setup.
  # If set enables the `compute.googleapis.com` service and configures
  # service project attachment
vpc:
  # [opt] If set, enables the container API
  gke_setup:
    # Grants "roles/container.hostServiceAgentUser" to the container robot if set
    enable_host_service_agent: false

    # Grants  "roles/compute.securityAdmin" to the container robot if set
    enable_security_admin: true

  # Host project the project will be service project of
  host_project: fast-dev-net-spoke-0

  # [opt] Subnets in the host project where principals will be granted networkUser
  # in region/subnet-name => [principals]
  subnets_iam:
    europe-west1/dev-default-ew1:
      - user:foobar@example.com
      - serviceAccount:service-account1