google-storage.yml
# Copyright 2020 Pivotal Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
version: 1
name: csb-google-storage-bucket
id: b247fcde-8a63-11ea-b945-cb26f061f70f
description: Google Cloud Storage that grants service accounts IAM permissions directly on the bucket.
display_name: Google Cloud Storage
image_url: file://service-images/csb.png
documentation_url: https://docs.vmware.com/en/Cloud-Service-Broker-for-VMware-Tanzu/index.html
provider_display_name: VMware
support_url: https://cloud.google.com/support/
tags: [gcp, storage, google-storage]
plan_updateable: true
plans: []
provision:
  plan_inputs: []
  user_inputs:
  - field_name: name
    type: string
    details: |
      Name of bucket.
      To see the requirements the name must meet, see https://cloud.google.com/storage/docs/buckets#naming.
      Names containing dots require verification, see https://cloud.google.com/storage/docs/domain-name-verification.
    default: csb-${request.instance_id}
    prohibit_update: true
    constraints:
      examples:
      - my-bucket
      - 0f75d593-8e7b-4418-a5ba-cb2970f0b91e
      - test.example.com
      pattern: ^[a-z0-9][a-z0-9_.-]{1,220}[a-z0-9]$
  - field_name: storage_class
    type: string
    details: |
      The Storage Class of the new bucket.
    default: MULTI_REGIONAL
    enum:
      STANDARD: STANDARD
      MULTI_REGIONAL: MULTI_REGIONAL
      REGIONAL: REGIONAL
      NEARLINE: NEARLINE
      COLDLINE: COLDLINE
      ARCHIVE: ARCHIVE
  - field_name: region
    type: string
    details: |
      The region where the bucket is created.
      For more information about regions, see https://cloud.google.com/storage/docs/locations or https://cloud.google.com/about/locations
    default: us
    constraints:
      examples:
      - us
      - us-central1
      - asia-northeast1
      pattern: ^[a-z][a-z0-9-]+$
    prohibit_update: true
  - field_name: placement_dual_region_data_locations
    type: array
    details: |
      The list of individual regions that comprise a dual-region bucket.
      Set the `storage_class` property with a valid storage class for the dual-region configuration.
      The `MULTI_REGIONAL` and `REGIONAL` storage classes are not accepted to configure the bucket in dual-region.
      Check the list of valid storage classes for dual-region: https://cloud.google.com/storage/docs/storage-classes.
      For more information about valid regions, see https://cloud.google.com/storage/docs/locations.
    default: []
    constraints:
      examples:
      - ["us-east1", "us-east4"]
    prohibit_update: true
  - field_name: versioning
    type: boolean
    details: |
      Whether the versioning configuration is enabled.
      For more information about versioning, see https://cloud.google.com/storage/docs/object-versioning
    default: false
  - field_name: public_access_prevention
    type: string
    details: Prevents public access to a bucket. Acceptable values are "inherited" or "enforced". Default is "enforced".
    default: "enforced"
    enum:
      enforced: enforced
      inherited: inherited
  - field_name: uniform_bucket_level_access
    type: boolean
    details: |
      Enables Uniform bucket-level access to a bucket. When enabled, the option becomes permanent after 90 days.
      Disables ACLs.
      For more information about uniform bucket-level access, see https://cloud.google.com/storage/docs/uniform-bucket-level-access
    default: false
  - field_name: predefined_acl
    type: string
    details: |
      The predefined ACL to apply to the bucket, for example `private`, `publicRead`.
      For more information about predefined ACLs, see https://cloud.google.com/storage/docs/access-control/lists#predefined-acl
      Cannot be specified with `uniform_bucket_level_access`.
    default: ""
  - field_name: default_kms_key_name
    type: string
    details: |
      The `id` of a Cloud KMS key that will be used to encrypt objects inserted into this bucket.
      Its default value is `""` so a Google-managed encryption key will be used instead.
      For more information about encryption keys, see https://cloud.google.com/storage/docs/encryption/using-customer-managed-keys
      Note: The key ring must be in the same location as the data you intend to encrypt, in other words, the same location as the `region` property,
      but it can be in a different project.
      For available Cloud KMS locations, see Cloud KMS [locations](https://cloud.google.com/kms/docs/locations)
    default: ""
  - field_name: autoclass
    type: boolean
    details: |
      Automatically transitions each object to hotter or colder storage based on object-level activity, to optimise for cost and latency.
      Caution: Only the `STANDARD` storage class will be accepted when enabling the Autoclass feature.
      Any attempt to set it using a storage class other than `STANDARD` will result in an error.
      For more information about the Autoclass feature, see https://cloud.google.com/storage/docs/autoclass
    default: false
    prohibit_update: true
  - field_name: retention_policy_retention_period
    type: number
    details: |
      This configures the data retention policy for the bucket, which is the period of time in seconds
      that objects in the bucket must be retained and cannot be deleted, overwritten, or archived.
      The maximum value is `2147483647` (2,147,483,647 seconds).
      For more information about the retention policy feature, see https://cloud.google.com/storage/docs/bucket-lock
    default: 0
    constraints:
      minimum: 0
  - field_name: retention_policy_is_locked
    type: boolean
    details: |
      The `retention_policy_is_locked` property locks a retention policy to permanently set it on the bucket.
      Caution: Locking a retention policy is an irreversible action.
      After you set it to true, any attempt to set it to false causes an error.
      A locked retention policy means:
      * It is not possible to remove the retention policy.
      * It is not possible to delete a bucket unless every object in the bucket has met the retention period.
      * It is not possible to reduce the retention period; a locked retention period can only be increased.
      In order for this property to take effect, the property `retention_policy_retention_period` has to be set with a value greater than `0`.
      For more information about policy locks, see https://cloud.google.com/storage/docs/bucket-lock.
    default: false
  - field_name: credentials
    type: string
    details: GCP credentials
    default: ${config("gcp.credentials")}
  - field_name: project
    type: string
    details: GCP project
    default: ${config("gcp.project")}
  computed_inputs:
  - name: labels
    default: ${json.marshal(request.default_labels)}
    overwrite: true
    type: object
  template_refs:
    provider: terraform/storage/provision/provider.tf
    versions: terraform/storage/provision/versions.tf
    main: terraform/storage/provision/main.tf
    variables: terraform/storage/provision/variables.tf
    outputs: terraform/storage/provision/outputs.tf
  outputs:
  - required: true
    field_name: bucket_name
    type: string
    details: Name of the bucket that was provisioned.
  - required: true
    field_name: id
    type: string
    details: The GCP ID of this bucket.
bind:
  plan_inputs: []
  user_inputs:
  - required: true
    field_name: role
    type: string
    default: " "
    details: "The role for the account without the \"roles/\" prefix.\n\t\tSee: https://cloud.google.com/iam/docs/understanding-roles
      for more details.\n\t\tNote: The default enumeration may be overridden by your
      operator."
    enum:
      storage.objectAdmin: roles/storage.objectAdmin
      storage.objectCreator: roles/storage.objectCreator
      storage.objectViewer: roles/storage.objectViewer
  - field_name: credentials
    type: string
    details: GCP credentials
    default: ${config("gcp.credentials")}
  - field_name: project
    type: string
    details: GCP project
    default: ${config("gcp.project")}
  computed_inputs:
  - name: service_account_name
    default: ${str.truncate(20, "pcf-binding-${request.binding_id}")}
    overwrite: true
  - name: service_account_display_name
    default: ""
    overwrite: true
  - name: bucket
    default: ${instance.details["bucket_name"]}
    overwrite: true
  template_refs:
    main: terraform/storage/bind/main.tf
    variables: terraform/storage/bind/variables.tf
    provider: terraform/storage/bind/provider.tf
    versions: terraform/storage/bind/versions.tf
    outputs: terraform/storage/bind/outputs.tf
  outputs:
  - required: true
    field_name: email
    type: string
    details: Email address of the service account.
    constraints:
      examples:
      - pcf-binding-ex312029@my-project.iam.gserviceaccount.com
      pattern: ^pcf-binding-[a-z0-9-]+@.+\.gserviceaccount\.com$
  - required: true
    field_name: name
    type: string
    details: The name of the service account.
    constraints:
      examples:
      - pcf-binding-ex312029
  - required: true
    field_name: PrivateKeyData
    type: string
    details: Service account private key data. Base64 encoded JSON.
    constraints:
      minLength: 512
      pattern: ^[A-Za-z0-9+/]*=*$
  - required: true
    field_name: ProjectId
    type: string
    details: ID of the project that owns the service account.
    constraints:
      examples:
      - my-project
      maxLength: 30
      minLength: 6
      pattern: ^[a-z0-9-]+$
  - required: true
    field_name: private_key_data
    type: string
    details: Deprecated - Service account private key data. Base64 encoded JSON.
    constraints:
      minLength: 512
      pattern: ^[A-Za-z0-9+/]*=*$
  - required: true
    field_name: project_id
    type: string
    details: Deprecated - ID of the project that owns the service account.
    constraints:
      examples:
      - my-project
      maxLength: 30
      minLength: 6
      pattern: ^[a-z0-9-]+$
  - required: true
    field_name: unique_id
    type: string
    details: Unique and stable ID of the service account.
    constraints:
      examples:
      - "112447814736626230844"
  - required: true
    field_name: credentials
    type: string
    details: Credentials of the service account.
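The provision section above documents several rules that the field constraints alone cannot express: Autoclass only with `STANDARD`, dual-region placement never with `MULTI_REGIONAL` or `REGIONAL`, `predefined_acl` never together with `uniform_bucket_level_access`, and a locked retention policy only with a retention period greater than `0`. The following script is an added example, not part of the cloud-service-broker project: it lints a provision request against those rules and the documented patterns, enums and defaults, and separately lists the settings the definition permits but a reviewer should notice (public access prevention set to `inherited`, ACLs left enabled, a `public*` predefined ACL, no customer-managed key, an irreversible lock). The function names, the flat `params` dict shape and the "dual-region means exactly two regions" check are this example's own assumptions.

```python
"""Lint a csb-google-storage-bucket provision request against the rules in google-storage.yml.

Added example, not the broker's own code. Regexes, enum values, defaults and
cross-field rules are copied from the service definition; the function names
and the flat params dict are assumptions made for this example."""
import re
from typing import Any, Dict, List

BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_.-]{1,220}[a-z0-9]$")
REGION_RE = re.compile(r"^[a-z][a-z0-9-]+$")
STORAGE_CLASSES = {"STANDARD", "MULTI_REGIONAL", "REGIONAL",
                   "NEARLINE", "COLDLINE", "ARCHIVE"}
MAX_RETENTION_SECONDS = 2147483647

# Defaults as declared in the provision user_inputs. `name` has no static
# default (the broker derives it from request.instance_id), so callers supply it.
DEFAULTS: Dict[str, Any] = {
    "storage_class": "MULTI_REGIONAL",
    "region": "us",
    "placement_dual_region_data_locations": [],
    "versioning": False,
    "public_access_prevention": "enforced",
    "uniform_bucket_level_access": False,
    "predefined_acl": "",
    "default_kms_key_name": "",
    "autoclass": False,
    "retention_policy_retention_period": 0,
    "retention_policy_is_locked": False,
}


def validate_provision(params: Dict[str, Any]) -> List[str]:
    """Return hard errors; an empty list means the request is internally consistent."""
    p = {**DEFAULTS, **params}
    errors: List[str] = []

    name = p.get("name")
    if not isinstance(name, str) or not BUCKET_NAME_RE.match(name):
        errors.append("name: must match ^[a-z0-9][a-z0-9_.-]{1,220}[a-z0-9]$")
    if p["storage_class"] not in STORAGE_CLASSES:
        errors.append(f"storage_class: {p['storage_class']!r} is not in the enum")
    if not isinstance(p["region"], str) or not REGION_RE.match(p["region"]):
        errors.append("region: must match ^[a-z][a-z0-9-]+$")
    if p["public_access_prevention"] not in ("enforced", "inherited"):
        errors.append("public_access_prevention: must be 'enforced' or 'inherited'")

    dual = p["placement_dual_region_data_locations"]
    if dual:
        if p["storage_class"] in ("MULTI_REGIONAL", "REGIONAL"):
            errors.append("placement_dual_region_data_locations: "
                          "MULTI_REGIONAL and REGIONAL are not accepted for dual-region")
        # Assumption of this example: a dual-region bucket names exactly two regions.
        if len(dual) != 2 or not all(isinstance(r, str) and REGION_RE.match(r) for r in dual):
            errors.append("placement_dual_region_data_locations: expected two region names")
    if p["autoclass"] and p["storage_class"] != "STANDARD":
        errors.append("autoclass: only the STANDARD storage class is accepted")
    if p["predefined_acl"] and p["uniform_bucket_level_access"]:
        errors.append("predefined_acl: cannot be specified with uniform_bucket_level_access")

    period = p["retention_policy_retention_period"]
    if (isinstance(period, bool) or not isinstance(period, (int, float))
            or not 0 <= period <= MAX_RETENTION_SECONDS):
        errors.append("retention_policy_retention_period: must be between 0 and 2147483647")
    elif p["retention_policy_is_locked"] and period <= 0:
        errors.append("retention_policy_is_locked: requires retention_policy_retention_period > 0")
    return errors


def posture_warnings(params: Dict[str, Any]) -> List[str]:
    """Settings the definition allows but that deserve a second look before provisioning."""
    p = {**DEFAULTS, **params}
    warnings: List[str] = []
    if p["public_access_prevention"] != "enforced":
        warnings.append("public_access_prevention is inherited: the bucket can be made public")
    if not p["uniform_bucket_level_access"]:
        warnings.append("uniform_bucket_level_access is off: object ACLs remain in effect")
    if str(p["predefined_acl"]).startswith("public"):
        warnings.append(f"predefined_acl {p['predefined_acl']!r} grants anonymous access")
    if not p["default_kms_key_name"]:
        warnings.append("no default_kms_key_name: objects are encrypted with Google-managed keys")
    if p["retention_policy_is_locked"]:
        warnings.append("retention_policy_is_locked is irreversible once applied")
    return warnings


if __name__ == "__main__":
    # Constructed request: hardened settings that nevertheless trip the Autoclass rule.
    request = {"name": "csb-example-bucket", "autoclass": True,
               "uniform_bucket_level_access": True,
               "default_kms_key_name": "projects/p/locations/us/keyRings/r/cryptoKeys/k"}
    for line in validate_provision(request) + posture_warnings(request):
        print(line)
```

Run it with a request dict shaped like the broker's user inputs; a non-empty result from `validate_provision` is what the Terraform apply would reject later, and `posture_warnings` is a cheap gate to bolt onto whatever approves service instance creation.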
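Every binding mints a service account and returns its key as `PrivateKeyData`, base64-encoded JSON, alongside the flat `email`, `ProjectId` and `unique_id` outputs and the deprecated `private_key_data` and `project_id` duplicates. The following checker is an added example, not part of the cloud-service-broker project: it applies the documented output constraints, decodes the key file and cross-checks its `client_email`, `project_id` and `client_id` against the flat outputs so a stale or mismatched credential is caught before an application trusts it. The sample binding is constructed in the code and its `private_key` is a placeholder string, not key material; `check_binding` and `constructed_binding` are names chosen for this example.

```python
"""Sanity-check the outputs of a csb-google-storage-bucket binding before use.

Added example, not the broker's own code. Patterns and length limits come from
the bind outputs in google-storage.yml; the sample binding is constructed here
and its private_key is a placeholder, not real key material."""
import base64
import json
import re
from typing import Any, Dict, List

EMAIL_RE = re.compile(r"^pcf-binding-[a-z0-9-]+@.+\.gserviceaccount\.com$")
PROJECT_ID_RE = re.compile(r"^[a-z0-9-]+$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]*=*$")


def check_binding(outputs: Dict[str, Any]) -> List[str]:
    """Return problems found in a binding's outputs; empty means the credential is coherent."""
    problems: List[str] = []
    email = str(outputs.get("email", ""))
    project = str(outputs.get("ProjectId", ""))
    key_b64 = str(outputs.get("PrivateKeyData", ""))

    if not EMAIL_RE.match(email):
        problems.append("email: not a pcf-binding service account address")
    if not (6 <= len(project) <= 30 and PROJECT_ID_RE.match(project)):
        problems.append("ProjectId: must be 6-30 chars of [a-z0-9-]")
    if len(key_b64) < 512 or not BASE64_RE.match(key_b64):
        problems.append("PrivateKeyData: expected >= 512 chars of base64")
        return problems

    try:  # binascii.Error and JSONDecodeError are both ValueError subclasses
        key = json.loads(base64.b64decode(key_b64, validate=True))
    except ValueError:
        problems.append("PrivateKeyData: does not decode to JSON")
        return problems

    # Fields of a Google service-account key file, cross-checked against the
    # flat outputs. client_id in the key file is the account's numeric unique ID.
    if key.get("type") != "service_account":
        problems.append("PrivateKeyData: not a service_account key file")
    if key.get("client_email") != email:
        problems.append("PrivateKeyData: client_email differs from the email output")
    if key.get("project_id") != project:
        problems.append("PrivateKeyData: project_id differs from the ProjectId output")
    if key.get("client_id") != outputs.get("unique_id"):
        problems.append("PrivateKeyData: client_id differs from the unique_id output")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("PrivateKeyData: private_key is not a PEM private key")
    # The deprecated duplicates must agree with the fields that replaced them.
    for old, new in (("private_key_data", "PrivateKeyData"), ("project_id", "ProjectId")):
        if old in outputs and outputs[old] != outputs[new]:
            problems.append(f"{old}: differs from {new}")
    return problems


def constructed_binding() -> Dict[str, Any]:
    """Build a binding shaped like the outputs section, with a placeholder key (constructed data)."""
    project = "my-project"
    name = "pcf-binding-ex312029"
    email = f"{name}@{project}.iam.gserviceaccount.com"
    unique_id = "112447814736626230844"
    key_file = {
        "type": "service_account",
        "project_id": project,
        "private_key_id": "0" * 40,  # placeholder
        "private_key": "-----BEGIN PRIVATE KEY-----\n" + "A" * 400  # placeholder, not a key
                       + "\n-----END PRIVATE KEY-----\n",
        "client_email": email,
        "client_id": unique_id,
    }
    key_b64 = base64.b64encode(json.dumps(key_file).encode()).decode()
    return {"email": email, "name": name, "PrivateKeyData": key_b64,
            "ProjectId": project, "private_key_data": key_b64,
            "project_id": project, "unique_id": unique_id}


if __name__ == "__main__":
    print(check_binding(constructed_binding()))  # [] for the constructed sample
```

The key returned here is a long-lived service account key with whatever role the binding requested on the bucket; treat the decoded JSON as a secret, never log `PrivateKeyData`, and unbind (which destroys the service account) rather than leaving unused keys around.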