Merge branch 'master' into dns-data-dependency

.github/workflows/tests.yml

@@ -151,7 +151,7 @@ jobs:
       - name: Run tests on documentation examples
         env:
           TERRAFORM: ${{ matrix.flavour }}
-        run: pytest -vv ${{ matrix.flavour == 'terraform' && '-n4' || '-n4' }} --tb=line --junit-xml=test-results-raw.xml -k modules/ tests/examples
+        run: pytest -vv ${{ matrix.flavour == 'terraform' && '-n4' || '-n4' }} --tb=line --junit-xml=test-results-raw.xml -k "terraform and modules/" tests/examples
 
       - name: Create report
         uses: ./.github/actions/post-fabric-tests
@@ -238,3 +238,25 @@ jobs:
         if: always()
         with:
           MODULE: FAST
+
+  schemas:
+    runs-on: ubuntu-latest
+    needs: setup-tf-providers
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Call composite action fabric-tests
+        uses: ./.github/actions/fabric-tests
+        with:
+          PYTHON_VERSION: ${{ env.PYTHON_VERSION }}
+          TERRAFORM_VERSION: ${{ env.DEFAULT_TERRAFORM_VERSION }}
+          TERRAFORM_FLAVOUR: ${{ env.DEFAULT_TERRAFORM_FLAVOUR }}
+
+      - name: Run schema tests
+        run: pytest -vv --tb=line --junit-xml=test-results-raw.xml -k "(tests and schemas) or (fast and schema) or (examples and yaml)"
+
+      - name: Create report
+        uses: ./.github/actions/post-fabric-tests
+        if: always()
+        with:
+          MODULE: Schemas

CHANGELOG.md

@@ -13,6 +13,7 @@ All notable changes to this project will be documented in this file.
 
 ### FAST
 
+- [[#2491](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2491)] Organization module factory schemas ([ludoo](https://github.com/ludoo)) <!-- 2024-08-09 10:22:57+00:00 -->
 - [[#2483](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2483)] Add boostrap output with log destination ids ([juliocc](https://github.com/juliocc)) <!-- 2024-08-08 14:23:38+00:00 -->
 - [[#2482](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2482)] [FAST] Rename netsec stage to nsec ([LucaPrete](https://github.com/LucaPrete)) <!-- 2024-08-08 12:30:09+00:00 -->
 - [[#2477](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2477)] VPC-SC factory JSON Schemas ([ludoo](https://github.com/ludoo)) <!-- 2024-08-07 12:09:38+00:00 -->
@@ -24,6 +25,9 @@ All notable changes to this project will be documented in this file.
 
 ### MODULES
 
+- [[#2491](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2491)] Organization module factory schemas ([ludoo](https://github.com/ludoo)) <!-- 2024-08-09 10:22:57+00:00 -->
+- [[#2490](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2490)] Bind schemas to factory files, add support for groups in VPC-SC schema ([wiktorn](https://github.com/wiktorn)) <!-- 2024-08-09 10:08:22+00:00 -->
+- [[#2489](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2489)] Extend test collector to include yaml files under tests/schemas/ and fast data files ([juliocc](https://github.com/juliocc)) <!-- 2024-08-09 08:59:00+00:00 -->
 - [[#2486](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2486)] Fix failing tests for CloudSQL ([wiktorn](https://github.com/wiktorn)) <!-- 2024-08-08 18:16:53+00:00 -->
 - [[#2485](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2485)] Project factory module JSON schemas ([ludoo](https://github.com/ludoo)) <!-- 2024-08-08 16:43:11+00:00 -->
 - [[#2481](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2481)] Adds a new certification authority service (CAS) module ([LucaPrete](https://github.com/LucaPrete)) <!-- 2024-08-08 07:55:49+00:00 -->
@@ -38,6 +42,7 @@ All notable changes to this project will be documented in this file.
 
 ### TOOLS
 
+- [[#2488](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2488)] Introduce YAML schema validation for YAML examples ([juliocc](https://github.com/juliocc)) <!-- 2024-08-08 21:09:22+00:00 -->
 - [[#2487](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/2487)] Example testing improvements ([juliocc](https://github.com/juliocc)) <!-- 2024-08-08 19:22:27+00:00 -->
 
 ## [33.0.0] - 2024-08-01

fast/stages/0-bootstrap/data/custom-roles/gcve_network_admin.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
 
 name: gcveNetworkAdmin
 includedPermissions:

fast/stages/0-bootstrap/data/custom-roles/network_firewall_policies_admin.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
 
 name: networkFirewallPoliciesAdmin
 includedPermissions:

fast/stages/0-bootstrap/data/custom-roles/ngfw_enterprise_admin.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
 
 name: ngfwEnterpriseAdmin
 includedPermissions:

fast/stages/0-bootstrap/data/custom-roles/organization_admin_viewer.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
 # this is used by the plan-only admin SA
 
 name: organizationAdminViewer

fast/stages/0-bootstrap/data/custom-roles/organization_iam_admin.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
 # this is needed for use in additive IAM bindings, to avoid conflicts
 
 name: organizationIamAdmin

fast/stages/0-bootstrap/data/custom-roles/service_project_network_admin.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
 
 name: serviceProjectNetworkAdmin
 includedPermissions:

fast/stages/0-bootstrap/data/custom-roles/storage_viewer.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
 # the following permissions are a descoped version of storage.admin
 
 name: storageViewer

fast/stages/0-bootstrap/data/custom-roles/tag_viewer.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
 # the following permissions are a descoped version of tagAdm
 
 name: tagViewer

fast/stages/0-bootstrap/data/custom-roles/tenant_network_admin.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/custom-role.schema.json
+# yaml-language-server: $schema=../../schemas/custom-role.schema.json
 
 name: tenantNetworkAdmin
 includedPermissions:

fast/stages/0-bootstrap/data/org-policies/compute.yaml

@@ -16,7 +16,7 @@
 # sample subset of useful organization policies, edit to suit requirements
 # start of document (---) avoids errors if the file only contains comments
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/org-policies.schema.json
+# yaml-language-server: $schema=../../schemas/org-policies.schema.json
 
 compute.disableGuestAttributesAccess:
   rules:

fast/stages/0-bootstrap/data/org-policies/gcp.yaml

@@ -16,7 +16,7 @@
 # sample subset of useful organization policies, edit to suit requirements
 # start of document (---) avoids errors if the file only contains comments
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/org-policies.schema.json
+# yaml-language-server: $schema=../../schemas/org-policies.schema.json
 
 # gcp.resourceLocations:
 #   rules:

fast/stages/0-bootstrap/data/org-policies/iam.yaml

@@ -16,7 +16,7 @@
 # sample subset of useful organization policies, edit to suit requirements
 # start of document (---) avoids errors if the file only contains comments
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/org-policies.schema.json
+# yaml-language-server: $schema=../../schemas/org-policies.schema.json
 
 iam.automaticIamGrantsForDefaultServiceAccounts:
   rules:

fast/stages/0-bootstrap/data/org-policies/serverless.yaml

@@ -16,7 +16,7 @@
 # sample subset of useful organization policies, edit to suit requirements
 # start of document (---) avoids errors if the file only contains comments
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/org-policies.schema.json
+# yaml-language-server: $schema=../../schemas/org-policies.schema.json
 
 run.allowedIngress:
   rules:

fast/stages/0-bootstrap/data/org-policies/sql.yaml

@@ -16,7 +16,7 @@
 # sample subset of useful organization policies, edit to suit requirements
 # start of document (---) avoids errors if the file only contains comments
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/org-policies.schema.json
+# yaml-language-server: $schema=../../schemas/org-policies.schema.json
 
 sql.restrictAuthorizedNetworks:
   rules:

fast/stages/0-bootstrap/data/org-policies/storage.yaml

@@ -16,7 +16,7 @@
 # sample subset of useful organization policies, edit to suit requirements
 # start of document (---) avoids errors if the file only contains comments
 
-# yaml-language-server: $schema=../../../../../modules/organization/schemas/org-policies.schema.json
+# yaml-language-server: $schema=../../schemas/org-policies.schema.json
 
 storage.uniformBucketLevelAccess:
   rules:

fast/stages/0-bootstrap/schemas/custom-role.schema.json

@@ -0,0 +1 @@
+../../../../modules/organization/schemas/custom-role.schema.json

fast/stages/0-bootstrap/schemas/org-policies.schema.json

@@ -0,0 +1 @@
+../../../../modules/organization/schemas/org-policies.schema.json

fast/stages/1-resman/data/org-policies/sandbox/compute.yaml

@@ -6,6 +6,8 @@
 # Terraform will be unable to decode this file if it does not contain valid YAML
 # You can retain `---` (start of the document) to indicate an empty document.
 
+# yaml-language-server: $schema=../../../schemas/org-policies.schema.json
+
 compute.vmExternalIpAccess:
   rules:
     - allow:

fast/stages/1-resman/data/org-policies/sandbox/sql.yaml

@@ -6,6 +6,8 @@
 # Terraform will be unable to decode this file if it does not contain valid YAML
 # You can retain `---` (start of the document) to indicate an empty document.
 
+# yaml-language-server: $schema=../../../schemas/org-policies.schema.json
+
 sql.restrictPublicIp:
   rules:
     - enforce: true

fast/stages/1-resman/schemas/org-policies.schema.json

@@ -0,0 +1 @@
+../../../../modules/organization/schemas/org-policies.schema.json

fast/stages/1-vpcsc/data/access-levels/geo.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yaml-language-server: $schema=../../../../../modules/vpc-sc/schemas/access-level.schema.json
+# yaml-language-server: $schema=../../schemas/access-level.schema.json
 
 # this is just an example that reflects the FAST core team members' locations
 # and needs to be edited, or not referenced in the perimeter variable

fast/stages/1-vpcsc/schemas/access-level.schema.json

@@ -0,0 +1 @@
+../../../../modules/vpc-sc/schemas/access-level.schema.json

fast/stages/1-vpcsc/schemas/egress-policy.schema.json

@@ -0,0 +1 @@
+../../../../modules/vpc-sc/schemas/egress-policy.schema.json

fast/stages/1-vpcsc/schemas/ingress-policy.schema.json

@@ -0,0 +1 @@
+../../../../modules/vpc-sc/schemas/ingress-policy.schema.json

fast/stages/2-networking-a-simple/data/subnets/dev/dev-dataplatform.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-dataplatform
 region: primary
 description: Default subnet for dev Data Platform

fast/stages/2-networking-a-simple/data/subnets/dev/dev-default.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-default
 region: primary
 ip_cidr_range: 10.68.0.0/24

fast/stages/2-networking-a-simple/data/subnets/dev/dev-gke-nodes.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-gke-nodes
 region: primary
 description: Default subnet for prod gke nodes

fast/stages/2-networking-a-simple/data/subnets/landing/landing-default.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: landing-default
 region: primary
 ip_cidr_range: 10.64.0.0/24

fast/stages/2-networking-a-simple/data/subnets/prod/prod-default.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: prod-default
 region: primary
 ip_cidr_range: 10.72.0.0/24

fast/stages/2-networking-a-simple/schemas/subnet.schema.json

@@ -0,0 +1 @@
+../../../../modules/net-vpc/schemas/subnet.schema.json

fast/stages/2-networking-b-nva/data/subnets/dev/dev-dataplatform.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-dataplatform
 region: primary
 description: Default subnet for dev Data Platform

fast/stages/2-networking-b-nva/data/subnets/dev/dev-default-pri.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-default
 region: primary
 ip_cidr_range: 10.68.0.0/24

fast/stages/2-networking-b-nva/data/subnets/dev/dev-default-sec.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-default
 region: secondary
 ip_cidr_range: 10.84.0.0/24

fast/stages/2-networking-b-nva/data/subnets/dev/dev-gke-nodes.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-gke-nodes
 region: primary
 description: Default subnet for prod gke nodes

fast/stages/2-networking-b-nva/data/subnets/dmz/dmz-default-pri.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dmz-default
 region: primary
 ip_cidr_range: 10.64.128.0/24

fast/stages/2-networking-b-nva/data/subnets/dmz/dmz-default-sec.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dmz-default
 region: secondary
 ip_cidr_range: 10.80.128.0/24

fast/stages/2-networking-b-nva/data/subnets/landing/landing-default-pri.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: landing-default
 region: primary
 ip_cidr_range: 10.64.0.0/24

fast/stages/2-networking-b-nva/data/subnets/landing/landing-default-sec.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: landing-default
 region: secondary
 ip_cidr_range: 10.80.0.0/24

fast/stages/2-networking-b-nva/data/subnets/prod/prod-default-ew1.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: prod-default
 region: primary
 ip_cidr_range: 10.72.0.0/24

fast/stages/2-networking-b-nva/data/subnets/prod/prod-default-ew4.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: prod-default
 region: secondary
 ip_cidr_range: 10.88.0.0/24

fast/stages/2-networking-b-nva/schemas/subnet.schema.json

@@ -0,0 +1 @@
+../../../../modules/net-vpc/schemas/subnet.schema.json

fast/stages/2-networking-c-separate-envs/data/subnets/dev/dev-dataplatform.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-dataplatform
 region: primary
 description: Default subnet for dev Data Platform

fast/stages/2-networking-c-separate-envs/data/subnets/dev/dev-default.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-default
 region: europe-west1
 ip_cidr_range: 10.68.0.0/24

fast/stages/2-networking-c-separate-envs/data/subnets/dev/dev-gke-nodes.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: dev-gke-nodes
 region: primary
 description: Default subnet for prod gke nodes

fast/stages/2-networking-c-separate-envs/data/subnets/prod/prod-default.yaml

@@ -1,5 +1,7 @@
 # skip boilerplate check
 
+# yaml-language-server: $schema=../../../schemas/subnet.schema.json
+
 name: prod-default
 region: primary
 ip_cidr_range: 10.72.0.0/24