# skip boilerplate check
# [opt] Billing alerts config - overrides default if set
# Budget for this project: alerts fire when actual spend reaches 80% and
# 100% of `amount`; `forecasted` is empty, so no forecast-based alerts are
# raised. NOTE(review): the unit of `amount` is not stated here - it is the
# billing account's currency; confirm against the stage defaults.
billing_alert:
  amount: 5000
  thresholds:
    current:
      - 0.8
      - 1.0
    forecasted: []
  # Credits are counted in the spend compared against the thresholds, so
  # alerts trigger on net (post-credit) cost; EXCLUDE_ALL_CREDITS alerts on
  # gross spend instead.
  credit_treatment: INCLUDE_ALL_CREDITS
# [opt] DNS zones to be created as children of the environment_dns_zone defined in defaults
# Empty: no project-specific DNS zones are created under the environment zone.
dns_zones: []
# [opt] Contacts for billing alerts and important notifications
# This address receives the budget alerts above plus Google's "important
# notifications" for the project (abuse, suspension, security notices).
# NOTE(review): it appears to be a team alias - keep it a monitored shared
# mailbox or group rather than an individual so notices are not missed.
essential_contacts:
  - devops@zfnd.org
# Folder the project will be created as children of
# NOTE(review): IAM bindings and org policies set on this folder (and on its
# ancestors) are inherited by the project and are not visible in this file;
# review them together with the project-level grants below.
folder_id: folders/319341746722
# [opt] Authoritative IAM bindings in group => [roles] format
# NOTE(review): roles/editor is a basic role - near-full write access to every
# service enabled in the project. That may be acceptable for a dev sandbox,
# but prefer predefined roles scoped to what the group actually does; basic
# roles are the usual finding in a least-privilege review.
group_iam:
  engineers@zfnd.org:
    - roles/editor
# [opt] Authoritative IAM bindings in role => [principals] format
# Generally used to grant roles to service accounts external to the project
iam:
  # NOTE(review): the trailing `/*` matches EVERY identity in the
  # `zfnd-bootstrap` workload identity pool (project 771011584009), and the
  # binding is at project scope, so any such identity can impersonate ANY
  # service account in this project, including ones created later. Narrow it
  # to an attribute of the pool's provider (`.../attribute.<name>/<value>`)
  # or bind the role on the specific service accounts instead.
  roles/iam.workloadIdentityUser:
    - principalSet://iam.googleapis.com/projects/771011584009/locations/global/workloadIdentityPools/zfnd-bootstrap/*
  # Google APIs service agent. NOTE(review): 1059680692020 is presumably this
  # project's number - confirm. Because these bindings are authoritative,
  # leaving it out would likely strip the agent's default editor grant.
  roles/editor:
    - serviceAccount:1059680692020@cloudservices.gserviceaccount.com
# [opt] Service robots and keys they will be assigned as cryptoKeyEncrypterDecrypter
# in service => [keys] format
# Not configured: no CMEK keys are granted to service agents, so resources use
# Google-managed encryption keys. Uncomment and fill in if customer-managed
# keys are required.
# kms_service_agents:
#   compute: [key1, key2]
#   storage: [key1, key2]
# [opt] Labels for the project - merged with the ones defined in defaults
# Used for grouping in billing export and inventory; no access-control effect.
labels:
  environment: dev
  application: zebra
# [opt] Org policy overrides defined at project level
# NOTE(review): every override below RELAXES a constraint that is presumably
# enforced higher in the hierarchy (otherwise there would be nothing to
# override). Each one widens the project's attack surface; keep a short
# justification next to the entry and remove it once no longer needed.
org_policies:
  # Guest attributes become readable through the metadata server.
  compute.disableGuestAttributesAccess:
    rules:
      - enforce: false
  # VMs may boot from images in ANY project. The commented `values` list
  # below looks like the intended allow-list - restoring it (and dropping
  # `all: true`) limits image sources to known projects.
  compute.trustedImageProjects:
    rules:
      - allow:
          all: true
          # values:
          #   - projects/zfnd-prod-iac-core-0
          #   - projects/zebra-zealous
          #   - projects/cos-cloud
          #   - projects/dataflow-service-producer-prod
          #   - projects/serverless-vpc-access-images
          #   - projects/windows-cloud
  # Any VM in the project may be given an external IP. iap.googleapis.com is
  # enabled in `services` below, so IAP TCP forwarding can replace public
  # SSH for most instances; prefer allowing only the instances that need a
  # public address.
  compute.vmExternalIpAccess:
    rules:
      - allow:
          all: true
  # OS Login is not required, so metadata-based SSH keys are accepted.
  # NOTE(review): together with vmExternalIpAccess above this permits direct
  # key-based SSH from the internet; confirm that is intended for dev.
  compute.requireOsLogin:
    rules:
      - enforce: false
  # Service-account access-token lifetimes may be extended beyond the
  # default (up to 12h); a leaked token stays usable longer. Confirm a
  # workload actually needs this.
  iam.allowServiceAccountCredentialLifetimeExtension:
    rules:
      - allow:
          all: true
  # IAM bindings may reference principals from any domain, not only the
  # org's. Presumably needed for the cross-project workload identity pool
  # principalSet in `iam` above - TODO confirm; otherwise re-enable the
  # domain restriction, as it is the main guard against bindings to
  # consumer accounts.
  iam.allowedPolicyMemberDomains:
    rules:
      - allow:
          all: true
# [opt] Service account to create for the project and their roles on the project
# in name => [roles] format
# NOTE(review): every role listed here is granted at PROJECT scope.
service_accounts:
  # Deploys VMs and load balancers (roles suggest CI/CD use - confirm).
  # Two roles deserve attention:
  #  - roles/iam.serviceAccountUser project-wide lets this SA act as EVERY
  #    service account in the project (artifact-publisher and any default
  #    service accounts that exist); binding it on the specific SAs it
  #    attaches to VMs is tighter.
  #  - roles/iam.workloadIdentityUser is normally granted to external
  #    principals on an SA, not to an SA on the project; confirm it is needed.
  instance-deployer:
    - roles/compute.instanceAdmin
    - roles/compute.storageAdmin
    - roles/compute.loadBalancerAdmin
    - roles/errorreporting.user
    - roles/logging.logWriter
    - roles/monitoring.metricWriter
    - roles/artifactregistry.reader
    - roles/iam.serviceAccountUser
    - roles/iam.workloadIdentityUser
  # Pushes images/packages to Artifact Registry. Which external identities
  # may impersonate it is governed by the pool binding in `iam` above.
  artifact-publisher:
    - roles/artifactregistry.writer
    - roles/iam.workloadIdentityUser
# [opt] APIs to enable on the project.
# Enabling an API also creates its service agent; keep this list to what is
# actually used.
services:
  - artifactregistry.googleapis.com
  - compute.googleapis.com
  # - clouddebugger.googleapis.com # Deprecated API
  - clouderrorreporting.googleapis.com
  - cloudresourcemanager.googleapis.com
  - containeranalysis.googleapis.com
  - logging.googleapis.com
  - monitoring.googleapis.com
  - osconfig.googleapis.com
  - networkmanagement.googleapis.com
  # Legacy umbrella API; logging/monitoring above are the current surfaces.
  # Presumably kept for compatibility - confirm it is still required.
  - stackdriver.googleapis.com
  - storage.googleapis.com
  # IAP enables TCP forwarding as an alternative to external IPs for
  # SSH/RDP access to instances.
  - iap.googleapis.com
# [opt] Roles to assign to the service identities in service => [roles] format
# The Compute Engine service agent can read every object in every bucket of
# this project (objectViewer at project scope). Presumably needed for
# images/boot artifacts kept in GCS - TODO confirm; a bucket-level grant
# would be narrower.
service_identities_iam:
  compute:
    - roles/storage.objectViewer
# [opt] VPC setup.
# If set enables the `compute.googleapis.com` service and configures
# service project attachment
vpc:
  # [opt] If set, enables the container API
  # null: no GKE in this project.
  gke_setup: null
  # Host project the project will be service project of
  host_project: zfnd-dev-net-spoke-0
  # [opt] Subnets in the host project where principals will be granted networkUser
  # in region/subnet-name => [principals]
  subnets_iam:
    us-east1/dev-default-ue1:
      # NOTE(review): a direct user binding. Prefer a group so access is
      # revoked through group membership rather than by editing this file.
      - user:gustavo@zfnd.org
      # The SA created in `service_accounts` above; the email hard-codes the
      # project id `zfnd-dev-zebra` - keep it in sync if the id changes.
      - serviceAccount:instance-deployer@zfnd-dev-zebra.iam.gserviceaccount.com