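{#
  Deployment Manager template: creates the Vega Inform service account, a
  custom IAM role, and a binding that grants the role to the service account.

  Inputs:
    env["project"]              -- the project the deployment runs in.
    properties["OrganizationId"] -- optional. When non-empty, the custom role
                                    and the binding are created at the
                                    organization level; otherwise both are
                                    created in the deployment's project.

  default("", true) (second argument true) replaces null/empty values as well
  as missing keys; with the plain default("") an explicit `OrganizationId: null`
  would render as the string "None" and select the organization branch with
  an invalid parent. trim guards against stray whitespace in the property.
#}
{% set PROJECT = env["project"] %}
{% set GCP_ORGANIZATION_ID = properties["OrganizationId"] | default("", true) | string | trim %}
{% if GCP_ORGANIZATION_ID != "" %}
{% set BINDING_TYPE = "organizations" %}
{% set ROLE_BINDING = BINDING_TYPE + "/" + GCP_ORGANIZATION_ID %}
{# cloudresourcemanager organizations.* take the "organizations/<id>" form #}
{% set IAM_RESOURCE = "organizations/" + GCP_ORGANIZATION_ID %}
{% else %}
{% set BINDING_TYPE = "projects" %}
{% set ROLE_BINDING = BINDING_TYPE + "/" + PROJECT %}
{# cloudresourcemanager projects.* take the bare project id, no "projects/" prefix #}
{% set IAM_RESOURCE = PROJECT %}
{% endif %}

resources:
  # Service account that Vega authenticates as.
  - name: vega-service-account
    type: gcp-types/iam-v1:projects.serviceAccounts
    properties:
      accountId: vega-sa
      displayName: Vega Inform Service Account
      description: |
        Service Account for Vega to collect resource metadata and metrics
        for recommendations as well as collect Billing Data for display in
        the Vega Platform.

  # Custom role created under ROLE_BINDING (organization or project).
  - name: vega-inform-custom-role
    type: gcp-types/iam-v1:{{ BINDING_TYPE }}.roles
    properties:
      parent: "{{ ROLE_BINDING }}"
      roleId: vegaInformRole
      role:
        title: Vega Inform Role
        description: |
          A GCP Role that provides least privileged access to Vega for the
          Inform product
        stage: GA
        # Review note: most entries below are get/list (metadata only). The
        # exceptions are the BigQuery data-access permissions
        # (bigquery.jobs.create, bigquery.readsessions.*, bigquery.tables.export,
        # bigquery.tables.getData) -- they read table contents, presumably for
        # the billing export, but apply to every dataset under the parent -- and
        # recommender.computeInstanceMachineTypeRecommendations.update, which
        # lets the holder change recommendation state rather than only read it.
        # Confirm each is still required before keeping it in a role described
        # as least-privilege.
        includedPermissions:
          - appengine.applications.get
          - appengine.services.get
          - appengine.services.list
          - appengine.versions.get
          - appengine.versions.list
          - bigquery.datasets.get
          - bigquery.jobs.create
          - bigquery.jobs.list
          - bigquery.jobs.listAll
          - bigquery.readsessions.create
          - bigquery.readsessions.getData
          - bigquery.tables.export
          - bigquery.tables.get
          - bigquery.tables.getData
          - bigquery.tables.list
          - bigtable.backups.get
          - bigtable.backups.list
          - bigtable.clusters.list
          - bigtable.instances.get
          - bigtable.instances.list
          - bigtable.tables.get
          - bigtable.tables.list
          - cloudfunctions.functions.get
          - cloudfunctions.functions.list
          - cloudfunctions.locations.get
          - cloudfunctions.locations.list
          - cloudkms.cryptoKeys.get
          - cloudkms.cryptoKeys.list
          - cloudkms.cryptoKeyVersions.list
          - cloudkms.keyRings.get
          - cloudkms.keyRings.list
          - cloudkms.locations.list
          - cloudsql.instances.get
          - cloudsql.instances.list
          - compute.addresses.list
          - compute.commitments.get
          - compute.commitments.list
          - compute.disks.get
          - compute.disks.list
          - compute.images.get
          - compute.images.list
          - compute.instanceGroupManagers.list
          - compute.instanceGroups.get
          - compute.instanceGroups.list
          - compute.instances.get
          - compute.instances.list
          - compute.instanceTemplates.get
          - compute.instanceTemplates.list
          - compute.machineTypes.get
          - compute.projects.get
          - compute.regions.get
          - compute.regions.list
          - compute.routers.get
          - compute.routers.list
          - compute.snapshots.get
          - compute.snapshots.list
          - compute.vpnGateways.get
          - compute.vpnGateways.list
          - compute.zones.get
          - compute.zones.list
          - container.clusters.get
          - container.clusters.list
          - dataproc.clusters.list
          - dns.managedZones.get
          - dns.managedZones.list
          - dns.resourceRecordSets.list
          - logging.buckets.get
          - logging.buckets.list
          - monitoring.timeSeries.list
          - recommender.bigqueryCapacityCommitmentsInsights.get
          - recommender.bigqueryCapacityCommitmentsInsights.list
          - recommender.bigqueryCapacityCommitmentsRecommendations.get
          - recommender.bigqueryCapacityCommitmentsRecommendations.list
          - recommender.bigqueryPartitionClusterRecommendations.get
          - recommender.bigqueryPartitionClusterRecommendations.list
          - recommender.bigqueryTableStatsInsights.get
          - recommender.bigqueryTableStatsInsights.list
          - recommender.cloudAssetInsights.get
          - recommender.cloudAssetInsights.list
          - recommender.cloudCostGeneralInsights.get
          - recommender.cloudCostGeneralInsights.list
          - recommender.cloudCostGeneralRecommendations.get
          - recommender.cloudCostGeneralRecommendations.list
          - recommender.cloudDeprecationGeneralInsights.get
          - recommender.cloudDeprecationGeneralInsights.list
          - recommender.cloudDeprecationGeneralRecommendations.get
          - recommender.cloudDeprecationGeneralRecommendations.list
          - recommender.cloudFunctionsPerformanceInsights.get
          - recommender.cloudFunctionsPerformanceInsights.list
          - recommender.cloudFunctionsPerformanceRecommendations.get
          - recommender.cloudFunctionsPerformanceRecommendations.list
          - recommender.cloudManageabilityGeneralInsights.get
          - recommender.cloudManageabilityGeneralInsights.list
          - recommender.cloudManageabilityGeneralRecommendations.get
          - recommender.cloudManageabilityGeneralRecommendations.list
          - recommender.cloudPerformanceGeneralInsights.get
          - recommender.cloudPerformanceGeneralInsights.list
          - recommender.cloudPerformanceGeneralRecommendations.get
          - recommender.cloudPerformanceGeneralRecommendations.list
          - recommender.cloudReliabilityGeneralInsights.get
          - recommender.cloudReliabilityGeneralInsights.list
          - recommender.cloudReliabilityGeneralRecommendations.get
          - recommender.cloudReliabilityGeneralRecommendations.list
          - recommender.cloudSecurityGeneralInsights.get
          - recommender.cloudSecurityGeneralInsights.list
          - recommender.cloudSecurityGeneralRecommendations.get
          - recommender.cloudSecurityGeneralRecommendations.list
          - recommender.cloudsqlIdleInstanceRecommendations.get
          - recommender.cloudsqlIdleInstanceRecommendations.list
          - recommender.cloudsqlInstanceActivityInsights.get
          - recommender.cloudsqlInstanceActivityInsights.list
          - recommender.cloudsqlInstanceCpuUsageInsights.get
          - recommender.cloudsqlInstanceCpuUsageInsights.list
          - recommender.cloudsqlInstanceDiskUsageTrendInsights.get
          - recommender.cloudsqlInstanceDiskUsageTrendInsights.list
          - recommender.cloudsqlInstanceMemoryUsageInsights.get
          - recommender.cloudsqlInstanceMemoryUsageInsights.list
          - recommender.cloudsqlInstanceOomProbabilityInsights.get
          - recommender.cloudsqlInstanceOomProbabilityInsights.list
          - recommender.cloudsqlInstanceOutOfDiskRecommendations.get
          - recommender.cloudsqlInstanceOutOfDiskRecommendations.list
          - recommender.cloudsqlInstancePerformanceInsights.get
          - recommender.cloudsqlInstancePerformanceInsights.list
          - recommender.cloudsqlInstancePerformanceRecommendations.get
          - recommender.cloudsqlInstancePerformanceRecommendations.list
          - recommender.cloudsqlInstanceReliabilityInsights.get
          - recommender.cloudsqlInstanceReliabilityInsights.list
          - recommender.cloudsqlInstanceReliabilityRecommendations.get
          - recommender.cloudsqlInstanceReliabilityRecommendations.list
          - recommender.cloudsqlInstanceSecurityInsights.get
          - recommender.cloudsqlInstanceSecurityInsights.list
          - recommender.cloudsqlInstanceSecurityRecommendations.get
          - recommender.cloudsqlInstanceSecurityRecommendations.list
          - recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.get
          - recommender.cloudsqlInstanceUnderprovisionedCpuUsageInsights.list
          - recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.get
          - recommender.cloudsqlInstanceUnderprovisionedMemoryUsageInsights.list
          - recommender.cloudsqlOverprovisionedInstanceRecommendations.get
          - recommender.cloudsqlOverprovisionedInstanceRecommendations.list
          - recommender.cloudsqlUnderProvisionedInstanceRecommendations.get
          - recommender.cloudsqlUnderProvisionedInstanceRecommendations.list
          - recommender.commitmentUtilizationInsights.get
          - recommender.commitmentUtilizationInsights.list
          - recommender.computeAddressIdleResourceInsights.get
          - recommender.computeAddressIdleResourceInsights.list
          - recommender.computeAddressIdleResourceRecommendations.get
          - recommender.computeAddressIdleResourceRecommendations.list
          - recommender.computeDiskIdleResourceInsights.get
          - recommender.computeDiskIdleResourceInsights.list
          - recommender.computeDiskIdleResourceRecommendations.get
          - recommender.computeDiskIdleResourceRecommendations.list
          - recommender.computeFirewallInsights.get
          - recommender.computeFirewallInsights.list
          - recommender.computeFirewallInsightTypeConfigs.get
          - recommender.computeImageIdleResourceInsights.get
          - recommender.computeImageIdleResourceInsights.list
          - recommender.computeImageIdleResourceRecommendations.get
          - recommender.computeImageIdleResourceRecommendations.list
          - recommender.computeInstanceCpuUsageInsights.get
          - recommender.computeInstanceCpuUsageInsights.list
          - recommender.computeInstanceCpuUsagePredictionInsights.get
          - recommender.computeInstanceCpuUsagePredictionInsights.list
          - recommender.computeInstanceCpuUsageTrendInsights.get
          - recommender.computeInstanceCpuUsageTrendInsights.list
          - recommender.computeInstanceGroupManagerCpuUsageInsights.get
          - recommender.computeInstanceGroupManagerCpuUsageInsights.list
          - recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.get
          - recommender.computeInstanceGroupManagerCpuUsagePredictionInsights.list
          - recommender.computeInstanceGroupManagerCpuUsageTrendInsights.get
          - recommender.computeInstanceGroupManagerCpuUsageTrendInsights.list
          - recommender.computeInstanceGroupManagerMachineTypeRecommendations.get
          - recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
          - recommender.computeInstanceGroupManagerMemoryUsageInsights.get
          - recommender.computeInstanceGroupManagerMemoryUsageInsights.list
          - recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.get
          - recommender.computeInstanceGroupManagerMemoryUsagePredictionInsights.list
          - recommender.computeInstanceIdleResourceRecommendations.get
          - recommender.computeInstanceIdleResourceRecommendations.list
          - recommender.computeInstanceIdleResourceRecommenderConfig.get
          - recommender.computeInstanceMachineTypeRecommendations.get
          - recommender.computeInstanceMachineTypeRecommendations.list
          # Write permission: allows changing recommendation state, not just reading it.
          - recommender.computeInstanceMachineTypeRecommendations.update
          - recommender.computeInstanceMemoryUsageInsights.get
          - recommender.computeInstanceMemoryUsageInsights.list
          - recommender.computeInstanceMemoryUsagePredictionInsights.get
          - recommender.computeInstanceMemoryUsagePredictionInsights.list
          - recommender.computeInstanceNetworkThroughputInsights.get
          - recommender.computeInstanceNetworkThroughputInsights.list
          - recommender.containerDiagnosisInsights.get
          - recommender.containerDiagnosisInsights.list
          - recommender.containerDiagnosisRecommendations.get
          - recommender.containerDiagnosisRecommendations.list
          - recommender.costInsights.get
          - recommender.costInsights.list
          - recommender.dataflowDiagnosticsInsights.get
          - recommender.dataflowDiagnosticsInsights.list
          - recommender.errorReportingInsights.get
          - recommender.errorReportingInsights.list
          - recommender.errorReportingRecommendations.get
          - recommender.errorReportingRecommendations.list
          - recommender.gmpGuidedExperienceInsights.get
          - recommender.gmpGuidedExperienceInsights.list
          - recommender.gmpGuidedExperienceRecommendations.get
          - recommender.gmpGuidedExperienceRecommendations.list
          - recommender.gmpProjectManagementInsights.get
          - recommender.gmpProjectManagementInsights.list
          - recommender.gmpProjectManagementRecommendations.get
          - recommender.gmpProjectManagementRecommendations.list
          - recommender.gmpProjectProductSuggestionsInsights.get
          - recommender.gmpProjectProductSuggestionsInsights.list
          - recommender.gmpProjectProductSuggestionsRecommendations.get
          - recommender.gmpProjectProductSuggestionsRecommendations.list
          - recommender.gmpProjectQuotaInsights.get
          - recommender.gmpProjectQuotaInsights.list
          - recommender.gmpProjectQuotaRecommendations.get
          - recommender.gmpProjectQuotaRecommendations.list
          - recommender.iamPolicyChangeRiskInsights.get
          - recommender.iamPolicyChangeRiskInsights.list
          - recommender.iamPolicyChangeRiskRecommendations.get
          - recommender.iamPolicyChangeRiskRecommendations.list
          - recommender.iamPolicyInsights.get
          - recommender.iamPolicyInsights.list
          - recommender.iamPolicyLateralMovementInsights.get
          - recommender.iamPolicyLateralMovementInsights.list
          - recommender.iamPolicyRecommendations.get
          - recommender.iamPolicyRecommendations.list
          - recommender.iamPolicyRecommenderConfig.get
          - recommender.iamServiceAccountChangeRiskInsights.get
          - recommender.iamServiceAccountChangeRiskInsights.list
          - recommender.iamServiceAccountChangeRiskRecommendations.get
          - recommender.iamServiceAccountChangeRiskRecommendations.list
          - recommender.iamServiceAccountInsights.get
          - recommender.iamServiceAccountInsights.list
          - recommender.locations.get
          - recommender.locations.list
          - recommender.loggingProductSuggestionContainerInsights.get
          - recommender.loggingProductSuggestionContainerInsights.list
          - recommender.loggingProductSuggestionContainerRecommendations.get
          - recommender.loggingProductSuggestionContainerRecommendations.list
          - recommender.monitoringProductSuggestionComputeInsights.get
          - recommender.monitoringProductSuggestionComputeInsights.list
          - recommender.monitoringProductSuggestionComputeRecommendations.get
          - recommender.monitoringProductSuggestionComputeRecommendations.list
          - recommender.networkAnalyzerCloudSqlInsights.get
          - recommender.networkAnalyzerCloudSqlInsights.list
          - recommender.networkAnalyzerDynamicRouteInsights.get
          - recommender.networkAnalyzerDynamicRouteInsights.list
          - recommender.networkAnalyzerGkeConnectivityInsights.get
          - recommender.networkAnalyzerGkeConnectivityInsights.list
          - recommender.networkAnalyzerGkeIpAddressInsights.get
          - recommender.networkAnalyzerGkeIpAddressInsights.list
          - recommender.networkAnalyzerGkeServiceAccountInsights.get
          - recommender.networkAnalyzerGkeServiceAccountInsights.list
          - recommender.networkAnalyzerIpAddressInsights.get
          - recommender.networkAnalyzerIpAddressInsights.list
          - recommender.networkAnalyzerLoadBalancerInsights.get
          - recommender.networkAnalyzerLoadBalancerInsights.list
          - recommender.networkAnalyzerVpcConnectivityInsights.get
          - recommender.networkAnalyzerVpcConnectivityInsights.list
          - recommender.resourcemanagerProjectChangeRiskInsights.get
          - recommender.resourcemanagerProjectChangeRiskInsights.list
          - recommender.resourcemanagerProjectChangeRiskRecommendations.get
          - recommender.resourcemanagerProjectChangeRiskRecommendations.list
          - recommender.resourcemanagerProjectUtilizationInsights.get
          - recommender.resourcemanagerProjectUtilizationInsights.list
          - recommender.resourcemanagerProjectUtilizationInsightTypeConfigs.get
          - recommender.resourcemanagerProjectUtilizationRecommendations.get
          - recommender.resourcemanagerProjectUtilizationRecommendations.list
          - recommender.resourcemanagerProjectUtilizationRecommenderConfigs.get
          - recommender.resourcemanagerServiceLimitInsights.get
          - recommender.resourcemanagerServiceLimitInsights.list
          - recommender.resourcemanagerServiceLimitRecommendations.get
          - recommender.resourcemanagerServiceLimitRecommendations.list
          - recommender.runServiceCostInsights.get
          - recommender.runServiceCostInsights.list
          - recommender.runServiceCostRecommendations.get
          - recommender.runServiceCostRecommendations.list
          - recommender.runServiceIdentityInsights.get
          - recommender.runServiceIdentityInsights.list
          - recommender.runServiceIdentityRecommendations.get
          - recommender.runServiceIdentityRecommendations.list
          - recommender.runServiceSecurityInsights.get
          - recommender.runServiceSecurityInsights.list
          - recommender.runServiceSecurityRecommendations.get
          - recommender.runServiceSecurityRecommendations.list
          - recommender.spendBasedCommitmentInsights.get
          - recommender.spendBasedCommitmentInsights.list
          - recommender.spendBasedCommitmentRecommendations.get
          - recommender.spendBasedCommitmentRecommendations.list
          - recommender.spendBasedCommitmentRecommenderConfig.get
          - recommender.usageCommitmentRecommendations.get
          - recommender.usageCommitmentRecommendations.list
          - resourcemanager.projects.get
          - run.revisions.list
          - run.services.list
          - storage.buckets.get
          - storage.buckets.list

  # Grants the custom role to the service account on the same parent
  # (organization or project) the role was created under.
  - name: vega-inform-custom-role-binding
    type: gcp-types/cloudresourcemanager-v1:virtual.{{ BINDING_TYPE }}.iamMemberBinding
    properties:
      resource: "{{ IAM_RESOURCE }}"
      role: "$(ref.vega-inform-custom-role.name)"
      member: "serviceAccount:$(ref.vega-service-account.email)"

outputs:
  - name: VegaServiceAccount
    value: "$(ref.vega-service-account.email)"
  - name: VegaInformRole
    value: "$(ref.vega-inform-custom-role.name)"
  - name: BindingType
    value: "{{ BINDING_TYPE }}"
  - name: RoleBindingParent
    value: "{{ ROLE_BINDING }}"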