github.com/crossplane/upjet@v1.3.0/pkg/registry/testdata/gcp/pm.yaml (about) 1 # SPDX-FileCopyrightText: 2023 The Crossplane Authors <https://crossplane.io> 2 # 3 # SPDX-License-Identifier: Apache-2.0 4 5 name: test-provider 6 resources: 7 google_access_context_manager_access_level: 8 subCategory: Access Context Manager (VPC Service Controls) 9 description: An AccessLevel is a label that can be applied to requests to GCP services, along with a list of requirements necessary for the label to be applied. 10 name: google_access_context_manager_access_level 11 title: google_access_context_manager_access_level 12 examples: 13 - name: access-level 14 manifest: |- 15 { 16 "basic": [ 17 { 18 "conditions": [ 19 { 20 "device_policy": [ 21 { 22 "os_constraints": [ 23 { 24 "os_type": "DESKTOP_CHROME_OS" 25 } 26 ], 27 "require_screen_lock": true 28 } 29 ], 30 "regions": [ 31 "CH", 32 "IT", 33 "US" 34 ] 35 } 36 ] 37 } 38 ], 39 "name": "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/accessLevels/chromeos_no_lock", 40 "parent": "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}", 41 "title": "chromeos_no_lock" 42 } 43 dependencies: 44 google_access_context_manager_access_policy.access-policy: |- 45 { 46 "parent": "organizations/123456789", 47 "title": "my policy" 48 } 49 argumentDocs: 50 basic: |- 51 - 52 (Optional) 53 A set of predefined conditions for the access level and a combining function. 54 Structure is documented below. 55 basic.combining_function: |- 56 - 57 (Optional) 58 How the conditions list should be combined to determine if a request 59 is granted this AccessLevel. If AND is used, each Condition in 60 conditions must be satisfied for the AccessLevel to be applied. If 61 OR is used, at least one Condition in conditions must be satisfied 62 for the AccessLevel to be applied. 63 Default value is AND. 64 Possible values are AND and OR. 
65 basic.conditions: |- 66 - 67 (Required) 68 A set of requirements for the AccessLevel to be granted. 69 Structure is documented below. 70 conditions.device_policy: |- 71 - 72 (Optional) 73 Device specific restrictions, all restrictions must hold for 74 the Condition to be true. If not specified, all devices are 75 allowed. 76 Structure is documented below. 77 conditions.ip_subnetworks: |- 78 - 79 (Optional) 80 A list of CIDR block IP subnetwork specification. May be IPv4 81 or IPv6. 82 Note that for a CIDR IP address block, the specified IP address 83 portion must be properly truncated (i.e. all the host bits must 84 be zero) or the input is considered malformed. For example, 85 "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, 86 for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" 87 is not. The originating IP of a request must be in one of the 88 listed subnets in order for this Condition to be true. 89 If empty, all IP addresses are allowed. 90 conditions.members: |- 91 - 92 (Optional) 93 An allowed list of members (users, service accounts). 94 Using groups is not supported yet. 95 The signed-in user originating the request must be a part of one 96 of the provided members. If not specified, a request may come 97 from any user (logged in/not logged in, not present in any 98 groups, etc.). 99 Formats: user:{emailid}, serviceAccount:{emailid} 100 conditions.negate: |- 101 - 102 (Optional) 103 Whether to negate the Condition. If true, the Condition becomes 104 a NAND over its non-empty fields, each field must be false for 105 the Condition overall to be satisfied. Defaults to false. 106 conditions.regions: |- 107 - 108 (Optional) 109 The request must originate from one of the provided 110 countries/regions. 111 Format: A valid ISO 3166-1 alpha-2 code. 112 conditions.required_access_levels: |- 113 - 114 (Optional) 115 A list of other access levels defined in the same Policy, 116 referenced by resource name. 
Referencing an AccessLevel which 117 does not exist is an error. All access levels listed must be 118 granted for the Condition to be true. 119 Format: accessPolicies/{policy_id}/accessLevels/{short_name} 120 create: '- Default is 20 minutes.' 121 custom: |- 122 - 123 (Optional) 124 Custom access level conditions are set using the Cloud Common Expression Language to represent the necessary conditions for the level to apply to a request. 125 See CEL spec at: https://github.com/google/cel-spec. 126 Structure is documented below. 127 custom.expr: |- 128 - 129 (Required) 130 Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. 131 This page details the objects and attributes that are used to the build the CEL expressions for 132 custom access levels - https://cloud.google.com/access-context-manager/docs/custom-access-level-spec. 133 Structure is documented below. 134 custom.expr.description: |- 135 - 136 (Optional) 137 Description of the expression 138 custom.expr.expression: |- 139 - 140 (Required) 141 Textual representation of an expression in Common Expression Language syntax. 142 custom.expr.location: |- 143 - 144 (Optional) 145 String indicating the location of the expression for error reporting, e.g. a file name and a position in the file 146 custom.expr.title: |- 147 - 148 (Optional) 149 Title for the expression, i.e. a short string describing its purpose. 150 delete: '- Default is 20 minutes.' 151 description: |- 152 - 153 (Optional) 154 Description of the AccessLevel and its use. Does not affect behavior. 155 device_policy.allowed_device_management_levels: |- 156 - 157 (Optional) 158 A list of allowed device management levels. 159 An empty list allows all management levels. 160 Each value may be one of MANAGEMENT_UNSPECIFIED, NONE, BASIC, and COMPLETE. 161 device_policy.allowed_encryption_statuses: |- 162 - 163 (Optional) 164 A list of allowed encryptions statuses. 
165 An empty list allows all statuses. 166 Each value may be one of ENCRYPTION_UNSPECIFIED, ENCRYPTION_UNSUPPORTED, UNENCRYPTED, and ENCRYPTED. 167 device_policy.os_constraints: |- 168 - 169 (Optional) 170 A list of allowed OS versions. 171 An empty list allows all types and all versions. 172 Structure is documented below. 173 device_policy.require_admin_approval: |- 174 - 175 (Optional) 176 Whether the device needs to be approved by the customer admin. 177 device_policy.require_corp_owned: |- 178 - 179 (Optional) 180 Whether the device needs to be corp owned. 181 device_policy.require_screen_lock: |- 182 - 183 (Optional) 184 Whether or not screenlock is required for the DevicePolicy 185 to be true. Defaults to false. 186 id: '- an identifier for the resource with format {{name}}' 187 name: |- 188 - 189 (Required) 190 Resource name for the Access Level. The short_name component must begin 191 with a letter and only include alphanumeric and '_'. 192 Format: accessPolicies/{policy_id}/accessLevels/{short_name} 193 os_constraints.minimum_version: |- 194 - 195 (Optional) 196 The minimum allowed OS version. If not set, any version 197 of this OS satisfies the constraint. 198 Format: "major.minor.patch" such as "10.5.301", "9.2.1". 199 os_constraints.os_type: |- 200 - 201 (Required) 202 The operating system type of the device. 203 Possible values are OS_UNSPECIFIED, DESKTOP_MAC, DESKTOP_WINDOWS, DESKTOP_LINUX, DESKTOP_CHROME_OS, ANDROID, and IOS. 204 os_constraints.require_verified_chrome_os: |- 205 - 206 (Optional) 207 If you specify DESKTOP_CHROME_OS for osType, you can optionally include requireVerifiedChromeOs to require Chrome Verified Access. 208 parent: |- 209 - 210 (Required) 211 The AccessPolicy this AccessLevel lives in. 212 Format: accessPolicies/{policy_id} 213 title: |- 214 - 215 (Required) 216 Human readable title. Must be unique within the Policy. 217 update: '- Default is 20 minutes.' 
218 importStatements: [] 219 google_container_cluster: 220 subCategory: Kubernetes (Container) Engine 221 description: Creates a Google Kubernetes Engine (GKE) cluster. 222 name: google_container_cluster 223 title: google_container_cluster 224 examples: 225 - name: primary 226 manifest: |- 227 { 228 "initial_node_count": 1, 229 "location": "us-central1", 230 "name": "my-gke-cluster", 231 "remove_default_node_pool": true 232 } 233 dependencies: 234 google_container_node_pool.primary_preemptible_nodes: |- 235 { 236 "cluster": "${google_container_cluster.primary.name}", 237 "location": "us-central1", 238 "name": "my-node-pool", 239 "node_config": [ 240 { 241 "machine_type": "e2-medium", 242 "oauth_scopes": [ 243 "https://www.googleapis.com/auth/cloud-platform" 244 ], 245 "preemptible": true, 246 "service_account": "${google_service_account.default.email}" 247 } 248 ], 249 "node_count": 1 250 } 251 google_service_account.default: |- 252 { 253 "account_id": "service-account-id", 254 "display_name": "Service Account" 255 } 256 - name: primary 257 manifest: |- 258 { 259 "initial_node_count": 3, 260 "location": "us-central1-a", 261 "name": "marcellus-wallace", 262 "node_config": [ 263 { 264 "labels": { 265 "foo": "bar" 266 }, 267 "oauth_scopes": [ 268 "https://www.googleapis.com/auth/cloud-platform" 269 ], 270 "service_account": "${google_service_account.default.email}", 271 "tags": [ 272 "foo", 273 "bar" 274 ] 275 } 276 ], 277 "timeouts": [ 278 { 279 "create": "30m", 280 "update": "40m" 281 } 282 ] 283 } 284 references: 285 node_config.service_account: google_service_account.default.email 286 dependencies: 287 google_service_account.default: |- 288 { 289 "account_id": "service-account-id", 290 "display_name": "Service Account" 291 } 292 argumentDocs: 293 '"gvisor"': ': Pods run within a gVisor sandbox.' 294 addons_config: |- 295 - (Optional) The configuration for addons supported by GKE. 296 Structure is documented below. 297 addons_config.cloudrun_config: '- (Optional). 
Structure is documented below.' 298 addons_config.config_connector_config: |- 299 - (Optional, Beta). 300 The status of the ConfigConnector addon. It is disabled by default; Set enabled = true to enable. 301 addons_config.dns_cache_config: |- 302 - (Optional, Beta). 303 The status of the NodeLocal DNSCache addon. It is disabled by default. 304 Set enabled = true to enable. 305 addons_config.gce_persistent_disk_csi_driver_config: |- 306 - (Optional, Beta). 307 Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. Defaults to disabled; set enabled = true to enable. 308 addons_config.gcp_filestore_csi_driver_config: |- 309 - (Optional) The status of the Filestore CSI driver addon, 310 which allows the usage of filestore instance as volumes. 311 It is disabled by default; set enabled = true to enable. 312 addons_config.gke_backup_agent_config: |- 313 - (Optional, Beta). 314 The status of the Backup for GKE agent addon. It is disabled by default; Set enabled = true to enable. 315 addons_config.horizontal_pod_autoscaling: |- 316 - (Optional) The status of the Horizontal Pod Autoscaling 317 addon, which increases or decreases the number of replica pods a replication controller 318 has based on the resource usage of the existing pods. 319 It is enabled by default; 320 set disabled = true to disable. 321 addons_config.http_load_balancing: |- 322 - (Optional) The status of the HTTP (L7) load balancing 323 controller addon, which makes it easy to set up HTTP load balancers for services in a 324 cluster. It is enabled by default; set disabled = true to disable. 325 addons_config.identity_service_config: '- (Optional, Beta). Structure is documented below.' 326 addons_config.istio_config: |- 327 - (Optional, Beta). 328 Structure is documented below. 329 addons_config.kalm_config: |- 330 - (Optional, Beta). 331 Configuration for the KALM addon, which manages the lifecycle of k8s. 
It is disabled by default; Set enabled = true to enable. 332 addons_config.network_policy_config: |- 333 - (Optional) Whether we should enable the network policy addon 334 for the master. This must be enabled in order to enable network policy for the nodes. 335 To enable this, you must also define a network_policy block, 336 otherwise nothing will happen. 337 It can only be disabled if the nodes already do not have network policies enabled. 338 Defaults to disabled; set disabled = false to enable. 339 authenticator_groups_config: |- 340 - (Optional) Configuration for the 341 Google Groups for GKE feature. 342 Structure is documented below. 343 authenticator_groups_config.security_group: '- (Required) The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com.' 344 auto_provisioning_defaults.image_type: '- (Optional) The default image type used by NAP once a new node pool is being created. Please note that according to the official documentation the value must be one of the [COS_CONTAINERD, COS, UBUNTU_CONTAINERD, UBUNTU]. NOTE : COS AND UBUNTU are deprecated as of GKE 1.24' 345 auto_provisioning_defaults.min_cpu_platform: |- 346 - (Optional, Beta) 347 Minimum CPU platform to be used for NAP created node pools. The instance may be scheduled on the 348 specified or newer CPU platform. Applicable values are the friendly names of CPU platforms, such 349 as "Intel Haswell" or "Intel Sandy Bridge". 350 auto_provisioning_defaults.oauth_scopes: '- (Optional) Scopes that are used by NAP when creating node pools. Use the "https://www.googleapis.com/auth/cloud-platform" scope to grant access to all APIs. It is recommended that you set service_account to a non-default service account and grant IAM roles to that service account for only the resources that it needs.' 
351 auto_provisioning_defaults.service_account: '- (Optional) The Google Cloud Platform Service Account to be used by the node VMs.' 352 cloudrun_config.disabled: '- (Optional) The status of the CloudRun addon. It is disabled by default. Set disabled=false to enable.' 353 cloudrun_config.load_balancer_type: |- 354 - (Optional) The load balancer type of CloudRun ingress service. It is external load balancer by default. 355 Set load_balancer_type=LOAD_BALANCER_TYPE_INTERNAL to configure it as internal load balancer. 356 cluster_autoscaling: |- 357 - (Optional) 358 Per-cluster configuration of Node Auto-Provisioning with Cluster Autoscaler to 359 automatically adjust the size of the cluster and create/delete node pools based 360 on the current needs of the cluster's workload. See the 361 guide to using Node Auto-Provisioning 362 for more details. Structure is documented below. 363 cluster_autoscaling.auto_provisioning_defaults: |- 364 - (Optional) Contains defaults for a node pool created by NAP. 365 Structure is documented below. 366 cluster_autoscaling.autoscaling_profile: |- 367 - (Optional, Beta) Configuration 368 options for the Autoscaling profile 369 feature, which lets you choose whether the cluster autoscaler should optimize for resource utilization or resource availability 370 when deciding to remove nodes from a cluster. Can be BALANCED or OPTIMIZE_UTILIZATION. Defaults to BALANCED. 371 cluster_autoscaling.enabled: |- 372 - (Required) Whether node auto-provisioning is enabled. Resource 373 limits for cpu and memory must be defined to enable node auto-provisioning. 374 cluster_autoscaling.resource_limits: |- 375 - (Optional) Global constraints for machine resources in the 376 cluster. Configuring the cpu and memory types is required if node 377 auto-provisioning is enabled. These limits will apply to node pool autoscaling 378 in addition to node auto-provisioning. Structure is documented below. 
379 cluster_ipv4_cidr: |- 380 - (Optional) The IP address range of the Kubernetes pods 381 in this cluster in CIDR notation (e.g. 10.96.0.0/14). Leave blank to have one 382 automatically chosen or specify a /14 block in 10.0.0.0/8. This field will 383 only work for routes-based clusters, where ip_allocation_policy is not defined. 384 cluster_telemetry: |- 385 - (Optional, Beta) Configuration for 386 ClusterTelemetry feature, 387 Structure is documented below. 388 cluster_telemetry.type: |- 389 - Telemetry integration for the cluster. Supported values (ENABLED, DISABLED, SYSTEM_ONLY); 390 SYSTEM_ONLY (Only system components are monitored and logged) is only available in GKE versions 1.15 and later. 391 confidential_nodes: '- Configuration for Confidential Nodes feature. Structure is documented below documented below.' 392 confidential_nodes.enabled: (Required) - Enable Confidential Nodes for this cluster. 393 create: '- Default is 40 minutes.' 394 database_encryption: |- 395 - (Optional) 396 Structure is documented below. 397 database_encryption.key_name: '- (Required) the key to use to encrypt/decrypt secrets. See the DatabaseEncryption definition for more information.' 398 database_encryption.state: '- (Required) ENCRYPTED or DECRYPTED' 399 datapath_provider: |- 400 - (Optional) 401 The desired datapath provider for this cluster. By default, uses the IPTables-based kube-proxy implementation. 402 default_max_pods_per_node: |- 403 - (Optional) The default maximum number of pods 404 per node in this cluster. This doesn't work on "routes-based" clusters, clusters 405 that don't have IP Aliasing enabled. See the official documentation 406 for more information. 407 default_snat_status: |- 408 - (Optional) 409 GKE SNAT DefaultSnatStatus contains the desired state of whether default sNAT should be disabled on the cluster, API doc. Structure is documented below 410 default_snat_status.disabled: '- (Required) Whether the cluster disables default in-node sNAT rules. 
In-node sNAT rules will be disabled when defaultSnatStatus is disabled.When disabled is set to false, default IP masquerade rules will be applied to the nodes to prevent sNAT on cluster internal traffic' 411 delete: '- Default is 40 minutes.' 412 description: '- (Optional) Description of the cluster.' 413 dns_config: |- 414 - (Optional) 415 Configuration for Using Cloud DNS for GKE. Structure is documented below. 416 dns_config.cluster_dns: '- (Optional) Which in-cluster DNS provider should be used. PROVIDER_UNSPECIFIED (default) or PLATFORM_DEFAULT or CLOUD_DNS.' 417 dns_config.cluster_dns_domain: '- (Optional) The suffix used for all cluster service records.' 418 dns_config.cluster_dns_scope: '- (Optional) The scope of access to cluster DNS records. DNS_SCOPE_UNSPECIFIED (default) or CLUSTER_SCOPE or VPC_SCOPE.' 419 enable_autopilot: |- 420 - (Optional) Enable Autopilot for this cluster. Defaults to false. 421 Note that when this option is enabled, certain features of Standard GKE are not available. 422 See the official documentation 423 for available features. 424 enable_binary_authorization: |- 425 - (Optional) Enable Binary Authorization for this cluster. 426 If enabled, all container images will be validated by Google Binary Authorization. 427 enable_intranode_visibility: |- 428 - (Optional) 429 Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network. 430 enable_kubernetes_alpha: |- 431 - (Optional) Whether to enable Kubernetes Alpha features for 432 this cluster. Note that when this option is enabled, the cluster cannot be upgraded 433 and will be automatically deleted after 30 days. 434 enable_l4_ilb_subsetting: |- 435 - (Optional, Beta) 436 Whether L4ILB Subsetting is enabled for this cluster. 437 enable_legacy_abac: |- 438 - (Optional) Whether the ABAC authorizer is enabled for this cluster. 
439 When enabled, identities in the system, including service accounts, nodes, and controllers, 440 will have statically granted permissions beyond those provided by the RBAC configuration or IAM. 441 Defaults to false 442 enable_shielded_nodes: '- (Optional) Enable Shielded Nodes features on all nodes in this cluster. Defaults to true.' 443 enable_tpu: |- 444 - (Optional) Whether to enable Cloud TPU resources in this cluster. 445 See the official documentation. 446 endpoint: '- The IP address of this cluster''s Kubernetes master.' 447 ephemeral_storage_config.local_ssd_count: (Required) - Number of local SSDs to use to back ephemeral storage. Uses NVMe interfaces. Each local SSD is 375 GB in size. If zero, it means to disable using local SSDs as ephemeral storage. 448 gcfs_config.enabled: (Required) - Whether or not the Google Container Filesystem (GCFS) is enabled 449 guest_accelerator.count: (Required) - The number of the guest accelerator cards exposed to this instance. 450 guest_accelerator.gpu_partition_size: (Optional) - Size of partitions to create on the GPU. Valid values are described in the NVIDIA mig user guide. 451 guest_accelerator.type: (Required) - The accelerator type resource to expose to this instance. E.g. nvidia-tesla-k80. 452 gvnic.enabled: (Required) - Whether or not the Google Virtual NIC (gVNIC) is enabled 453 id: '- an identifier for the resource with format projects/{{project}}/locations/{{zone}}/clusters/{{name}}' 454 identity_service_config.enabled: '- (Optional) Whether to enable the Identity Service component. It is disabled by default. Set enabled=true to enable.' 455 initial_node_count: |- 456 - (Optional) The number of nodes to create in this 457 cluster's default node pool. In regional or multi-zonal clusters, this is the 458 number of nodes per zone. Must be set if node_pool is not set. 
If you're using 459 google_container_node_pool objects with no default node pool, you'll need to 460 set this to a value of at least 1, alongside setting 461 remove_default_node_pool to true. 462 ip_allocation_policy: |- 463 - (Optional) Configuration of cluster IP allocation for 464 VPC-native clusters. Adding this block enables IP aliasing, 465 making the cluster VPC-native instead of routes-based. Structure is documented 466 below. 467 ip_allocation_policy.cluster_ipv4_cidr_block: |- 468 - (Optional) The IP address range for the cluster pod IPs. 469 Set to blank to have a range chosen with the default size. Set to /netmask (e.g. /14) 470 to have a range chosen with a specific netmask. Set to a CIDR notation (e.g. 10.96.0.0/14) 471 from the RFC-1918 private networks (e.g. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to 472 pick a specific range to use. 473 ip_allocation_policy.cluster_secondary_range_name: |- 474 - (Optional) The name of the existing secondary 475 range in the cluster's subnetwork to use for pod IP addresses. Alternatively, 476 cluster_ipv4_cidr_block can be used to automatically create a GKE-managed one. 477 ip_allocation_policy.services_ipv4_cidr_block: |- 478 - (Optional) The IP address range of the services IPs in this cluster. 479 Set to blank to have a range chosen with the default size. Set to /netmask (e.g. /14) 480 to have a range chosen with a specific netmask. Set to a CIDR notation (e.g. 10.96.0.0/14) 481 from the RFC-1918 private networks (e.g. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to 482 pick a specific range to use. 483 ip_allocation_policy.services_secondary_range_name: |- 484 - (Optional) The name of the existing 485 secondary range in the cluster's subnetwork to use for service ClusterIPs. 486 Alternatively, services_ipv4_cidr_block can be used to automatically create a 487 GKE-managed one. 488 istio_config.auth: '- (Optional) The authentication type between services in Istio. Available options include AUTH_MUTUAL_TLS.' 
489 istio_config.disabled: |- 490 - (Optional) The status of the Istio addon, which makes it easy to set up Istio for services in a 491 cluster. It is disabled by default. Set disabled = false to enable. 492 kubelet_config.cpu_cfs_quota: |- 493 - (Optional) If true, enables CPU CFS quota enforcement for 494 containers that specify CPU limits. 495 kubelet_config.cpu_cfs_quota_period: |- 496 - (Optional) The CPU CFS quota period value. Specified 497 as a sequence of decimal numbers, each with optional fraction and a unit suffix, 498 such as "300ms". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", 499 "h". The value must be a positive duration. 500 kubelet_config.cpu_manager_policy: |- 501 - (Required) The CPU management policy on the node. See 502 K8S CPU Management Policies. 503 One of "none" or "static". Defaults to none when kubelet_config is unset. 504 label_fingerprint: '- The fingerprint of the set of labels for this cluster.' 505 linux_node_config.sysctls: |- 506 - (Required) The Linux kernel parameters to be applied to the nodes 507 and all pods running on the nodes. Specified as a map from the key, such as 508 net.core.wmem_max, to a string value. 509 location: |- 510 - (Optional) The location (region or zone) in which the cluster 511 master will be created, as well as the default node location. If you specify a 512 zone (such as us-central1-a), the cluster will be a zonal cluster with a 513 single cluster master. If you specify a region (such as us-west1), the 514 cluster will be a regional cluster with multiple masters spread across zones in 515 the region, and with default node locations in those zones as well 516 logging_config: |- 517 - (Optional) Logging configuration for the cluster. 518 Structure is documented below. 519 logging_config.enable_components: |- 520 - (Required) The GKE components exposing logs. Supported values include: 521 SYSTEM_COMPONENTS and WORKLOADS. 
522 logging_service: |- 523 - (Optional) The logging service that the cluster should 524 write logs to. Available options include logging.googleapis.com(Legacy Stackdriver), 525 logging.googleapis.com/kubernetes(Stackdriver Kubernetes Engine Logging), and none. Defaults to logging.googleapis.com/kubernetes 526 maintenance_policy: |- 527 - (Optional) The maintenance policy to use for the cluster. Structure is 528 documented below. 529 maintenance_policy.0.daily_maintenance_window.0.duration: |- 530 - Duration of the time window, automatically chosen to be 531 smallest possible in the given scenario. 532 Duration will be in RFC3339 format "PTnHnMnS". 533 maintenance_policy.daily_maintenance_window: '- (Optional) structure documented below.' 534 maintenance_policy.maintenance_exclusion: '- (Optional) structure documented below' 535 maintenance_policy.recurring_window: '- (Optional) structure documented below' 536 maintenance_policy.recurring_window.daily_maintenance_window: |- 537 - Time window specified for daily maintenance operations. 538 Specify start_time in RFC3339 format "HH:MM”, 539 where HH : [00-23] and MM : [00-59] GMT. For example: 540 maintenance_policy.recurring_window.maintenance_exclusion: '- Exceptions to maintenance window. Non-emergency maintenance should not occur in these windows. A cluster can have up to three maintenance exclusions at a time Maintenance Window and Exclusions' 541 maintenance_policy.recurring_window.maintenance_exclusion.exclusion_options: '- (Optional) MaintenanceExclusionOptions provides maintenance exclusion related options.' 542 maintenance_policy.recurring_window.maintenance_exclusion.exclusion_options.scope: '- (Required) The scope of automatic upgrades to restrict in the exclusion window. One of: NO_UPGRADES | NO_MINOR_UPGRADES | NO_MINOR_OR_NODE_UPGRADES' 543 maintenance_policy.recurring_window.recurring_window: '- Time window for recurring maintenance operations.' 
544 master_auth: |- 545 - (Optional) The authentication information for accessing the 546 Kubernetes master. Some values in this block are only returned by the API if 547 your service account has permission to get credentials for your GKE cluster. If 548 you see an unexpected diff unsetting your client cert, ensure you have the 549 container.clusters.getCredentials permission. 550 Structure is documented below. 551 master_auth.0.client_certificate: |- 552 - Base64 encoded public certificate 553 used by clients to authenticate to the cluster endpoint. 554 master_auth.0.client_key: |- 555 - Base64 encoded private key used by clients 556 to authenticate to the cluster endpoint. 557 master_auth.0.cluster_ca_certificate: |- 558 - Base64 encoded public certificate 559 that is the root certificate of the cluster. 560 master_auth.client_certificate_config: '- (Required) Whether client certificate authorization is enabled for this cluster. For example:' 561 master_authorized_networks_config: |- 562 - (Optional) The desired 563 configuration options for master authorized networks. Omit the 564 nested cidr_blocks attribute to disallow external access (except 565 the cluster node IPs, which GKE automatically whitelists). 566 Structure is documented below. 567 master_authorized_networks_config.cidr_blocks: |- 568 - (Optional) External networks that can access the 569 Kubernetes cluster master through HTTPS. 570 master_authorized_networks_config.cidr_blocks.cidr_block: |- 571 - (Optional) External network that can access Kubernetes master through HTTPS. 572 Must be specified in CIDR notation. 573 master_authorized_networks_config.cidr_blocks.display_name: '- (Optional) Field for users to identify CIDR blocks.' 574 master_version: |- 575 - The current version of the master in the cluster. This may 576 be different than the min_master_version set in the config if the master 577 has been updated by GKE. 578 min_master_version: |- 579 - (Optional) The minimum version of the master. 
GKE 580 will auto-update the master to new versions, so this does not guarantee the 581 current master version--use the read-only master_version field to obtain that. 582 If unset, the cluster's version will be set by GKE to the version of the most recent 583 official release (which is not necessarily the latest version). Most users will find 584 the google_container_engine_versions data source useful - it indicates which versions 585 are available, and can be use to approximate fuzzy versions in a 586 Terraform-compatible way. If you intend to specify versions manually, 587 the docs 588 describe the various acceptable formats for this field. 589 monitoring_config: |- 590 - (Optional) Monitoring configuration for the cluster. 591 Structure is documented below. 592 monitoring_config.enable_components: '- (Required) The GKE components exposing logs. SYSTEM_COMPONENTS and in beta provider, both SYSTEM_COMPONENTS and WORKLOADS are supported.' 593 monitoring_service: |- 594 - (Optional) The monitoring service that the cluster 595 should write metrics to. 596 Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. 597 VM metrics will be collected by Google Compute Engine regardless of this setting 598 Available options include 599 monitoring.googleapis.com(Legacy Stackdriver), monitoring.googleapis.com/kubernetes(Stackdriver Kubernetes Engine Monitoring), and none. 600 Defaults to monitoring.googleapis.com/kubernetes 601 name: |- 602 - (Required) The name of the cluster, unique within the project and 603 location. 604 network: |- 605 - (Optional) The name or self_link of the Google Compute Engine 606 network to which the cluster is connected. For Shared VPC, set this to the self link of the 607 shared network. 608 network_config: |- 609 - (Optional, Beta) Configuration for 610 Adding Pod IP address ranges) to the node pool. 
Structure is documented below 611 network_config.create_pod_range: '- (Optional, Beta) Whether to create a new range for pod IPs in this node pool. Defaults are provided for pod_range and pod_ipv4_cidr_block if they are not specified.' 612 network_config.pod_ipv4_cidr_block: '- (Optional, Beta) The IP address range for pod IPs in this node pool. Only applicable if createPodRange is true. Set to blank to have a range chosen with the default size. Set to /netmask (e.g. /14) to have a range chosen with a specific netmask. Set to a CIDR notation (e.g. 10.96.0.0/14) to pick a specific range to use.' 613 network_config.pod_range: '- (Optional, Beta) The ID of the secondary range for pod IPs. If create_pod_range is true, this ID is used for the new range. If create_pod_range is false, uses an existing secondary range with this ID.' 614 network_policy: |- 615 - (Optional) Configuration options for the 616 NetworkPolicy 617 feature. Structure is documented below. 618 network_policy.enabled: '- (Required) Whether network policy is enabled on the cluster.' 619 network_policy.provider: '- (Optional) The selected network policy provider. Defaults to PROVIDER_UNSPECIFIED.' 620 networking_mode: |- 621 - (Optional) Determines whether alias IPs or routes will be used for pod IPs in the cluster. 622 Options are VPC_NATIVE or ROUTES. VPC_NATIVE enables IP aliasing, 623 and requires the ip_allocation_policy block to be defined. By default, when this field is unspecified and no ip_allocation_policy blocks are set, GKE will create a ROUTES-based cluster. 624 node_config: |- 625 - (Optional) Parameters used in creating the default node pool. 626 Generally, this field should not be used at the same time as a 627 google_container_node_pool or a node_pool block; this configuration 628 manages the default node pool, which isn't recommended to be used with 629 Terraform. Structure is documented below. 
            node_config.boot_disk_kms_key: '- (Optional) The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption'
            node_config.disk_size_gb: |-
                - (Optional) Size of the disk attached to each node, specified
                in GB. The smallest allowed disk size is 10GB. Defaults to 100GB.
            node_config.disk_type: |-
                - (Optional) Type of the disk attached to each node
                (e.g. 'pd-standard', 'pd-balanced' or 'pd-ssd'). If unspecified, the default disk type is 'pd-standard'
            node_config.ephemeral_storage_config: '- (Optional, [Beta]) Parameters for the ephemeral storage filesystem. If unspecified, ephemeral storage is backed by the boot disk. Structure is documented below.'
            node_config.gcfs_config: |-
                - (Optional) Parameters for the Google Container Filesystem (GCFS).
                If unspecified, GCFS will not be enabled on the node pool. When enabling this feature you must specify image_type = "COS_CONTAINERD" and node_version from GKE versions 1.19 or later to use it.
                For GKE versions 1.19, 1.20, and 1.21, the recommended minimum node_version would be 1.19.15-gke.1300, 1.20.11-gke.1300, and 1.21.5-gke.1300 respectively.
                A machine_type that has more than 16 GiB of memory is also recommended.
                GCFS must be enabled in order to use image streaming.
                Structure is documented below.
            node_config.guest_accelerator: |-
                - (Optional) List of the type and count of accelerator cards attached to the instance.
                Structure documented below.
                To support removal of guest_accelerators in Terraform 0.12 this field is an
                Attribute as Block
            node_config.gvnic: |-
                - (Optional) Google Virtual NIC (gVNIC) is a virtual network interface.
                Installing the gVNIC driver allows for more efficient traffic transmission across the Google network infrastructure.
                gVNIC is an alternative to the virtIO-based ethernet driver. GKE nodes must use a Container-Optimized OS node image.
                GKE node version 1.15.11-gke.15 or later
                Structure is documented below.
            node_config.image_type: |-
                - (Optional) The image type to use for this node. Note that changing the image type
                will delete and recreate all nodes in the node pool.
            node_config.kubelet_config: |-
                - (Optional, Beta)
                Kubelet configuration, currently supported attributes can be found here.
                Structure is documented below.
            node_config.labels: |-
                - (Optional) The Kubernetes labels (key/value pairs) to be applied to each node. The kubernetes.io/ and k8s.io/ prefixes are
                reserved by Kubernetes Core components and cannot be specified.
            node_config.linux_node_config: |-
                - (Optional, Beta)
                Linux node configuration, currently supported attributes can be found here.
                Note that validations happen all server side. All attributes are optional.
                Structure is documented below.
            node_config.local_ssd_count: |-
                - (Optional) The amount of local SSD disks that will be
                attached to each cluster node. Defaults to 0.
            node_config.machine_type: |-
                - (Optional) The name of a Google Compute Engine machine type.
                Defaults to e2-medium. To create a custom machine type, value should be set as specified
                here.
            node_config.metadata: |-
                - (Optional) The metadata key/value pairs assigned to instances in
                the cluster. From GKE 1.12 onwards, disable-legacy-endpoints is set to
                true by the API; if metadata is set but that default value is not
                included, Terraform will attempt to unset the value. To avoid this, set the
                value in your config.
            node_config.min_cpu_platform: |-
                - (Optional) Minimum CPU platform to be used by this instance.
                The instance may be scheduled on the specified or newer CPU platform. Applicable
                values are the friendly names of CPU platforms, such as Intel Haswell. See the
                official documentation
                for more information.
            node_config.node_group: '- (Optional) Setting this field will assign instances of this pool to run on the specified node group. This is useful for running workloads on sole tenant nodes.'
            node_config.oauth_scopes: |-
                - (Optional) The set of Google API scopes to be made available
                on all of the node VMs under the "default" service account.
                Use the "https://www.googleapis.com/auth/cloud-platform" scope to grant access to all APIs. It is recommended that you set service_account to a non-default service account and grant IAM roles to that service account for only the resources that it needs.
            node_config.preemptible: |-
                - (Optional) A boolean that represents whether or not the underlying node VMs
                are preemptible. See the official documentation
                for more information. Defaults to false.
            node_config.sandbox_config: |-
                - (Optional, Beta) GKE Sandbox configuration. When enabling this feature you must specify image_type = "COS_CONTAINERD" and node_version = "1.12.7-gke.17" or later to use it.
                Structure is documented below.
            node_config.service_account: |-
                - (Optional) The service account to be used by the Node VMs.
                If not specified, the "default" service account is used.
            node_config.shielded_instance_config: '- (Optional) Shielded Instance options. Structure is documented below.'
            node_config.spot: |-
                - (Optional, Beta) A boolean
                that represents whether the underlying node VMs are spot. See the official documentation
                for more information. Defaults to false.
            node_config.tags: |-
                - (Optional) The list of instance tags applied to all nodes. Tags are used to identify
                valid sources or targets for network firewalls.
            node_config.taint: |-
                - (Optional) A list of Kubernetes taints
                to apply to nodes. GKE's API can only set this field on cluster creation.
                However, GKE will add taints to your nodes if you enable certain features such
                as GPUs. If this field is set, any diffs on this field will cause Terraform to
                recreate the underlying resource. Taint values can be updated safely in
                Kubernetes (eg. through kubectl), and it's recommended that you do not use
                this field to manage taints. If you do, lifecycle.ignore_changes is
                recommended. Structure is documented below.
            node_config.workload_metadata_config: |-
                - (Optional) Metadata configuration to expose to workloads on the node pool.
                Structure is documented below.
            node_locations: |-
                - (Optional) The list of zones in which the cluster's nodes
                are located. Nodes must be in the region of their regional cluster or in the
                same region as their cluster's zone for zonal clusters. If this is specified for
                a zonal cluster, omit the cluster's zone.
            node_pool: |-
                - (Optional) List of node pools associated with this cluster.
                See google_container_node_pool for schema.
                Warning: node pools defined inside a cluster can't be changed (or added/removed) after
                cluster creation without deleting and recreating the entire cluster. Unless you absolutely need the ability
                to say "these are the only node pools associated with this cluster", use the
                google_container_node_pool resource instead of this property.
            node_version: |-
                - (Optional) The Kubernetes version on the nodes. Must either be unset
                or set to the same value as min_master_version on create. Defaults to the default
                version set by GKE which is not necessarily the latest version. This only affects
                nodes in the default node pool.
                While a fuzzy version can be specified, it's
                recommended that you specify explicit versions as Terraform will see spurious diffs
                when fuzzy versions are used. See the google_container_engine_versions data source's
                version_prefix field to approximate fuzzy versions in a Terraform-compatible way.
                To update nodes in other node pools, use the version attribute on the node pool.
            notification_config: '- (Optional, Beta) Configuration for the cluster upgrade notifications feature. Structure is documented below.'
            notification_config.pubsub: (Required) - The pubsub config for the cluster's upgrade notifications.
            notification_config.pubsub.enabled: (Required) - Whether or not the notification config is enabled
            notification_config.pubsub.topic: '(Optional) - The pubsub topic to push upgrade notifications to. Must be in the same project as the cluster. Must be in the format: projects/{project}/topics/{topic}.'
            pod_security_policy_config: |-
                - (Optional, Beta) Configuration for the
                PodSecurityPolicy feature.
                Structure is documented below.
            pod_security_policy_config.enabled: |-
                (Required) - Enable the PodSecurityPolicy controller for this cluster.
                If enabled, pods must be valid under a PodSecurityPolicy to be created.
            private_cluster_config: |-
                - (Optional) Configuration for private clusters,
                clusters with private nodes. Structure is documented below.
            private_cluster_config.enable_private_endpoint: |-
                (Optional) - When true, the cluster's private
                endpoint is used as the cluster endpoint and access through the public endpoint
                is disabled. When false, either endpoint can be used. This field only applies
                to private clusters, when enable_private_nodes is true.
            private_cluster_config.enable_private_nodes: |-
                (Optional) - Enables the private cluster feature,
                creating a private endpoint on the cluster.
                In a private cluster, nodes only
                have RFC 1918 private addresses and communicate with the master's private
                endpoint via private networking.
            private_cluster_config.master_global_access_config: |-
                (Optional) - Controls cluster master global
                access settings. If unset, Terraform will no longer manage this field and will
                not modify the previously-set value. Structure is documented below.
            private_cluster_config.master_global_access_config.enabled: |-
                (Optional) - Whether the cluster master is accessible globally or
                not.
            private_cluster_config.master_ipv4_cidr_block: |-
                (Optional) - The IP range in CIDR notation to use for
                the hosted master network. This range will be used for assigning private IP
                addresses to the cluster master(s) and the ILB VIP. This range must not overlap
                with any other ranges in use within the cluster's network, and it must be a /28
                subnet. See Private Cluster Limitations
                for more details. This field only applies to private clusters, when
                enable_private_nodes is true.
            private_cluster_config.peering_name: '- The name of the peering between this cluster and the Google owned VPC.'
            private_cluster_config.private_endpoint: '- The internal IP address of this cluster''s master endpoint.'
            private_cluster_config.public_endpoint: '- The external IP address of this cluster''s master endpoint.'
            private_ipv6_google_access: |-
                - (Optional)
                The desired state of IPv6 connectivity to Google Services. By default, no private IPv6 access to or from Google Services (all access will be via IPv4).
            project: |-
                - (Optional) The ID of the project in which the resource belongs. If it
                is not provided, the provider project is used.
            read: '- Default is 40 minutes.'
            release_channel: |-
                - (Optional)
                Configuration options for the Release channel
                feature, which provide more control over automatic upgrades of your GKE clusters.
                When updating this field, GKE imposes specific version requirements. See
                Selecting a new release channel
                for more details; the google_container_engine_versions datasource can provide
                the default version for a channel. Note that removing the release_channel
                field from your config will cause Terraform to stop managing your cluster's
                release channel, but will not unenroll it. Instead, use the "UNSPECIFIED"
                channel. Structure is documented below.
            release_channel.channel: |-
                - (Required) The selected release channel.
                Accepted values are:
            remove_default_node_pool: |-
                - (Optional) If true, deletes the default node
                pool upon cluster creation. If you're using google_container_node_pool
                resources with no default node pool, this should be set to true, alongside
                setting initial_node_count to at least 1.
            resource_labels: '- (Optional) The GCE resource labels (a map of key/value pairs) to be applied to the cluster.'
            resource_limits.maximum: '- (Optional) Maximum amount of the resource in the cluster.'
            resource_limits.minimum: '- (Optional) Minimum amount of the resource in the cluster.'
            resource_limits.resource_type: |-
                - (Required) The type of the resource. For example, cpu and
                memory. See the guide to using Node Auto-Provisioning
                for a list of types.
            resource_usage_export_config: |-
                - (Optional) Configuration for the
                ResourceUsageExportConfig feature.
                Structure is documented below.
            resource_usage_export_config.bigquery_destination: (Required) - Parameters for using BigQuery as the destination of resource usage export.
            resource_usage_export_config.bigquery_destination.dataset_id: '(Required) - The ID of a BigQuery Dataset. For Example:'
            resource_usage_export_config.enable_network_egress_metering: |-
                (Optional) - Whether to enable network egress metering for this cluster.
                If enabled, a daemonset will be created
                in the cluster to meter network egress traffic.
            resource_usage_export_config.enable_resource_consumption_metering: |-
                (Optional) - Whether to enable resource
                consumption metering on this cluster. When enabled, a table will be created in
                the resource export BigQuery dataset to store resource consumption data. The
                resulting table can be joined with the resource usage table or with BigQuery
                billing export. Defaults to true.
            sandbox_config.sandbox_type: |-
                (Required) Which sandbox to use for pods in the node pool.
                Accepted values are:
            self_link: '- The server-defined URL for the resource.'
            services_ipv4_cidr: |-
                - The IP address range of the Kubernetes services in this
                cluster, in CIDR
                notation (e.g. 1.2.3.4/29). Service addresses are typically put in the last
                /16 from the container CIDR.
            shielded_instance_config.enable_integrity_monitoring: (Optional) - Defines if the instance has integrity monitoring enabled.
            shielded_instance_config.enable_secure_boot: (Optional) - Defines if the instance has Secure Boot enabled.
            subnetwork: |-
                - (Optional) The name or self_link of the Google Compute Engine
                subnetwork in which the cluster's instances are launched.
            taint.effect: (Required) Effect for taint. Accepted values are NO_SCHEDULE, PREFER_NO_SCHEDULE, and NO_EXECUTE.
            taint.key: (Required) Key for taint.
            taint.value: (Required) Value for taint.
            tpu_ipv4_cidr_block: |-
                - The IP address range of the Cloud TPUs in this cluster, in
                CIDR
                notation (e.g. 1.2.3.4/29).
            update: '- Default is 60 minutes.'
            vertical_pod_autoscaling: |-
                - (Optional, Beta)
                Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it.
                Structure is documented below.
            vertical_pod_autoscaling.enabled: (Required) - Enables vertical pod autoscaling
            workload_identity_config: |-
                - (Optional)
                Workload Identity allows Kubernetes service accounts to act as a user-managed
                Google IAM Service Account.
                Structure is documented below.
            workload_identity_config.workload_pool: (Optional) - The workload pool to attach all Kubernetes service accounts to.
            workload_metadata_config.mode: |-
                (Required) How to expose the node metadata to the workload running on the node.
                Accepted values are:
        importStatements: []
    google_storage_bucket:
        subCategory: Cloud Storage
        description: Creates a new bucket in Google Cloud Storage.
        name: google_storage_bucket
        title: google_storage_bucket
        examples:
            - name: static-site
              manifest: |-
                {
                  "cors": [
                    {
                      "max_age_seconds": 3600,
                      "method": [
                        "GET",
                        "HEAD",
                        "PUT",
                        "POST",
                        "DELETE"
                      ],
                      "origin": [
                        "http://image-store.com"
                      ],
                      "response_header": [
                        "*"
                      ]
                    }
                  ],
                  "force_destroy": true,
                  "location": "EU",
                  "name": "image-store.com",
                  "uniform_bucket_level_access": true,
                  "website": [
                    {
                      "main_page_suffix": "index.html",
                      "not_found_page": "404.html"
                    }
                  ]
                }
            - name: auto-expire
              manifest: |-
                {
                  "force_destroy": true,
                  "lifecycle_rule": [
                    {
                      "action": [
                        {
                          "type": "Delete"
                        }
                      ],
                      "condition": [
                        {
                          "age": 3
                        }
                      ]
                    }
                  ],
                  "location": "US",
                  "name": "auto-expiring-bucket"
                }
        argumentDocs:
            action.storage_class: '- (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule. Supported values include: STANDARD, MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE.'
            action.type: '- The type of the action of this Lifecycle Rule. Supported values include: Delete and SetStorageClass.'
            condition.age: '- (Optional) Minimum age of an object in days to satisfy this condition.'
            condition.created_before: '- (Optional) A date in the RFC 3339 format YYYY-MM-DD. This condition is satisfied when an object is created before midnight of the specified date in UTC.'
            condition.custom_time_before: '- (Optional) A date in the RFC 3339 format YYYY-MM-DD. This condition is satisfied when the customTime metadata for the object is set to an earlier date than the date used in this lifecycle condition.'
            condition.days_since_custom_time: "- (Optional)\tDays since the date set in the customTime metadata for the object. This condition is satisfied when the current date and time is at least the specified number of days after the customTime."
            condition.days_since_noncurrent_time: '- (Optional) Relevant only for versioned objects. Number of days elapsed since the noncurrent timestamp of an object.'
            condition.matches_storage_class: '- (Optional) Storage Class of objects to satisfy this condition. Supported values include: STANDARD, MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE, DURABLE_REDUCED_AVAILABILITY.'
            condition.noncurrent_time_before: '- (Optional) Relevant only for versioned objects. The date in RFC 3339 (e.g. 2017-06-13) when the object became nonconcurrent.'
            condition.num_newer_versions: '- (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.'
            condition.with_state: '- (Optional) Match to live and/or archived objects. Unversioned buckets have only live objects. Supported values include: "LIVE", "ARCHIVED", "ANY".'
            cors: '- (Optional) The bucket''s Cross-Origin Resource Sharing (CORS) configuration. Multiple blocks of this type are permitted. Structure is documented below.'
            cors.max_age_seconds: '- (Optional) The value, in seconds, to return in the Access-Control-Max-Age header used in preflight responses.'
            cors.method: '- (Optional) The list of HTTP methods on which to include CORS response headers, (GET, OPTIONS, POST, etc) Note: "*" is permitted in the list of methods, and means "any method".'
            cors.origin: '- (Optional) The list of Origins eligible to receive CORS response headers. Note: "*" is permitted in the list of origins, and means "any Origin".'
            cors.response_header: '- (Optional) The list of HTTP headers other than the simple response headers to give permission for the user-agent to share across domains.'
            create: '- Default is 4 minutes.'
            default_event_based_hold: '- (Optional) Whether or not to automatically apply an eventBasedHold to new objects added to the bucket.'
            encryption: '- (Optional) The bucket''s encryption configuration. Structure is documented below.'
            encryption.default_kms_key_name: |-
                : The id of a Cloud KMS key that will be used to encrypt objects inserted into this bucket, if no encryption method is specified.
                You must pay attention to whether the crypto key is available in the location that this bucket is created in.
                See the docs for more details.
            force_destroy: |-
                - (Optional, Default: false) When deleting a bucket, this
                boolean option will delete all contained objects. If you try to delete a
                bucket that contains objects, Terraform will fail that run.
            labels: '- (Optional) A map of key/value label pairs to assign to the bucket.'
            lifecycle_rule: '- (Optional) The bucket''s Lifecycle Rules configuration. Multiple blocks of this type are permitted. Structure is documented below.'
            lifecycle_rule.action: '- (Required) The Lifecycle Rule''s action configuration. A single block of this type is supported. Structure is documented below.'
            lifecycle_rule.condition: '- (Required) The Lifecycle Rule''s condition configuration. A single block of this type is supported. Structure is documented below.'
            location: '- (Required) The GCS location'
            logging: '- (Optional) The bucket''s Access & Storage Logs configuration. Structure is documented below.'
            logging.log_bucket: '- (Required) The bucket that will receive log objects.'
            logging.log_object_prefix: |-
                - (Optional, Computed) The object prefix for log objects. If it's not provided,
                by default GCS sets this to this bucket's name.
            name: '- (Required) The name of the bucket.'
            project: |-
                - (Optional) The ID of the project in which the resource belongs. If it
                is not provided, the provider project is used.
            read: '- Default is 4 minutes.'
            requester_pays: '- (Optional, Default: false) Enables Requester Pays on a storage bucket.'
            retention_policy: '- (Optional) Configuration of the bucket''s data retention policy for how long objects in the bucket should be retained. Structure is documented below.'
            retention_policy.is_locked: '- (Optional) If set to true, the bucket will be locked and permanently restrict edits to the bucket''s retention policy. Caution: Locking a bucket is an irreversible action.'
            retention_policy.retention_period: '- (Required) The period of time, in seconds, that objects in the bucket must be retained and cannot be deleted, overwritten, or archived. The value must be less than 2,147,483,647 seconds.'
            self_link: '- The URI of the created resource.'
            storage_class: '- (Optional, Default: ''STANDARD'') The Storage Class of the new bucket. Supported values include: STANDARD, MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, ARCHIVE.'
            uniform_bucket_level_access: '- (Optional, Default: false) Enables Uniform bucket-level access access to a bucket.'
            update: '- Default is 4 minutes.'
            url: '- The base URL of the bucket, in the format gs://<bucket-name>.'
            versioning: '- (Optional) The bucket''s Versioning configuration. Structure is documented below.'
            versioning.enabled: '- (Required) While set to true, versioning is fully enabled for this bucket.'
            website: '- (Optional) Configuration if the bucket acts as a website. Structure is documented below.'
            website.main_page_suffix: |-
                - (Optional) Behaves as the bucket's directory index where
                missing objects are treated as potential directories.
            website.not_found_page: |-
                - (Optional) The custom object to return when a requested
                resource is not found.
        importStatements: []