118 lines
3.2 KiB
YAML
118 lines
3.2 KiB
YAML
# skip boilerplate check
|
|
|
|
# [opt] Billing account id - overrides default if set
|
|
billing_account_id: 012345-67890A-BCDEF0
|
|
|
|
# [opt] Billing alerts config - overrides default if set
|
|
billing_alert:
|
|
amount: 10
|
|
thresholds:
|
|
current:
|
|
- 0.5
|
|
- 0.8
|
|
forecasted: []
|
|
credit_treatment: INCLUDE_ALL_CREDITS
|
|
|
|
# [opt] DNS zones to be created as children of the environment_dns_zone defined in defaults
|
|
dns_zones:
|
|
- lorem
|
|
- ipsum
|
|
|
|
# [opt] Contacts for billing alerts and important notifications
|
|
essential_contacts:
|
|
- team-a-contacts@example.com
|
|
|
|
# Folder the project will be created as children of
|
|
folder_id: folders/012345678901
|
|
|
|
# [opt] Authoritative IAM bindings in group => [roles] format
|
|
group_iam:
|
|
test-team-foobar@fast-lab-0.gcp-pso-italy.net:
|
|
- roles/compute.admin
|
|
|
|
# [opt] Authoritative IAM bindings in role => [principals] format
|
|
# Generally used to grant roles to service accounts external to the project
|
|
iam:
|
|
roles/compute.admin:
|
|
- serviceAccount:service-account
|
|
|
|
# [opt] Service robots and keys they will be assigned as cryptoKeyEncrypterDecrypter
|
|
# in service => [keys] format
|
|
kms_service_agents:
|
|
compute: [key1, key2]
|
|
storage: [key1, key2]
|
|
|
|
# [opt] Labels for the project - merged with the ones defined in defaults
|
|
labels:
|
|
environment: dev2
|
|
costcenter: apps
|
|
|
|
# [opt] Org policy overrides defined at project level
|
|
org_policies:
|
|
compute.disableGuestAttributesAccess:
|
|
rules:
|
|
- enforce: true
|
|
compute.trustedImageProjects:
|
|
rules:
|
|
- allow:
|
|
values:
|
|
- projects/fast-dev-iac-core-0
|
|
compute.vmExternalIpAccess:
|
|
rules:
|
|
- deny:
|
|
all: true
|
|
|
|
# [opt] Prefix - overrides default if set
|
|
prefix: test1
|
|
|
|
# [opt] Service account to create for the project and their roles on the project
|
|
# in name => [roles] format
|
|
service_accounts:
|
|
another-service-account:
|
|
- roles/compute.admin
|
|
my-service-account:
|
|
- roles/compute.adminv1
|
|
|
|
# [opt] APIs to enable on the project.
|
|
services:
|
|
- storage.googleapis.com
|
|
- stackdriver.googleapis.com
|
|
- compute.googleapis.com
|
|
|
|
# [opt] Roles to assign to the service identities in service => [roles] format
|
|
service_identities_iam:
|
|
compute:
|
|
- roles/storage.objectViewer
|
|
|
|
# [opt] VPC setup.
|
|
# If set enables the `compute.googleapis.com` service and configures
|
|
# service project attachment
|
|
vpc:
|
|
# [opt] If set, enables the container API
|
|
gke_setup:
|
|
# Grants "roles/container.hostServiceAgentUser" to the container robot if set
|
|
enable_host_service_agent: false
|
|
|
|
# Grants "roles/compute.securityAdmin" to the container robot if set
|
|
enable_security_admin: true
|
|
|
|
# Host project the project will be service project of
|
|
host_project: fast-dev-net-spoke-0
|
|
|
|
# [opt] Services for which set up the IAM in the host project
|
|
service_iam_grants:
|
|
- dataproc.googleapis.com
|
|
|
|
# [opt] Roles to rant service project service identities in host project
|
|
service_identity_iam:
|
|
"roles/compute.networkUser":
|
|
- cloudservices
|
|
- container-engine
|
|
|
|
# [opt] Subnets in the host project where principals will be granted networkUser
|
|
# in region/subnet-name => [principals]
|
|
subnets_iam:
|
|
europe-west1/dev-default-ew1:
|
|
- user:foobar@example.com
|
|
- serviceAccount:my-service-account
|