@intentius/chant-lexicon-gcp 0.0.15

package/src/composites/gcs-bucket.ts

@@ -0,0 +1,111 @@
+/**
+ * GcsBucket composite — StorageBucket with encryption, uniform access, and lifecycle.
+ */
+
+export interface GcsBucketProps {
+  /** Bucket name. */
+  name: string;
+  /** GCS location (default: "US"). */
+  location?: string;
+  /** Storage class (default: "STANDARD"). */
+  storageClass?: "STANDARD" | "NEARLINE" | "COLDLINE" | "ARCHIVE";
+  /** Enable uniform bucket-level access (default: true). */
+  uniformBucketLevelAccess?: boolean;
+  /** Enable versioning (default: false). */
+  versioning?: boolean;
+  /** KMS key name for encryption. */
+  kmsKeyName?: string;
+  /** Lifecycle rule: delete objects older than N days. */
+  lifecycleDeleteAfterDays?: number;
+  /** Lifecycle rule: transition to Nearline after N days. */
+  lifecycleNearlineAfterDays?: number;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface GcsBucketResult {
+  bucket: Record<string, unknown>;
+}
+
+/**
+ * Create a GcsBucket composite.
+ *
+ * @example
+ * ```ts
+ * import { GcsBucket } from "@intentius/chant-lexicon-gcp";
+ *
+ * const { bucket } = GcsBucket({
+ *   name: "my-data-bucket",
+ *   location: "US",
+ *   versioning: true,
+ *   lifecycleDeleteAfterDays: 365,
+ * });
+ * ```
+ */
+export function GcsBucket(props: GcsBucketProps): GcsBucketResult {
+  const {
+    name,
+    location = "US",
+    storageClass = "STANDARD",
+    uniformBucketLevelAccess = true,
+    versioning = false,
+    kmsKeyName,
+    lifecycleDeleteAfterDays,
+    lifecycleNearlineAfterDays,
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const spec: Record<string, unknown> = {
+    location,
+    storageClass,
+    uniformBucketLevelAccess,
+  };
+
+  if (versioning) {
+    spec.versioning = { enabled: true };
+  }
+
+  if (kmsKeyName) {
+    spec.encryption = { defaultKmsKeyName: kmsKeyName };
+  }
+
+  const lifecycleRules: Array<Record<string, unknown>> = [];
+
+  if (lifecycleDeleteAfterDays) {
+    lifecycleRules.push({
+      action: { type: "Delete" },
+      condition: { age: lifecycleDeleteAfterDays },
+    });
+  }
+
+  if (lifecycleNearlineAfterDays) {
+    lifecycleRules.push({
+      action: { type: "SetStorageClass", storageClass: "NEARLINE" },
+      condition: { age: lifecycleNearlineAfterDays },
+    });
+  }
+
+  if (lifecycleRules.length > 0) {
+    spec.lifecycleRule = lifecycleRules;
+  }
+
+  const bucket: Record<string, unknown> = {
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "storage" },
+    },
+    ...spec,
+  };
+
+  return { bucket };
+}

package/src/composites/gke-cluster.ts

@@ -0,0 +1,125 @@
+/**
+ * GkeCluster composite — ContainerCluster + ContainerNodePool.
+ *
+ * Creates a GKE cluster with a default node pool configured for
+ * workload identity and autoscaling.
+ */
+
+export interface GkeClusterProps {
+  /** Cluster name. */
+  name: string;
+  /** GCP region for regional cluster (default: uses GCP.Region). */
+  location?: string;
+  /** Initial node count per zone (default: 1). */
+  initialNodeCount?: number;
+  /** Machine type for nodes (default: "e2-medium"). */
+  machineType?: string;
+  /** Minimum nodes for autoscaling (default: 1). */
+  minNodeCount?: number;
+  /** Maximum nodes for autoscaling (default: 5). */
+  maxNodeCount?: number;
+  /** Enable workload identity (default: true). */
+  workloadIdentity?: boolean;
+  /** Disk size in GB for nodes (default: 100). */
+  diskSizeGb?: number;
+  /** GKE release channel (default: "REGULAR"). */
+  releaseChannel?: "RAPID" | "REGULAR" | "STABLE";
+  /** Additional labels. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface GkeClusterResult {
+  cluster: Record<string, unknown>;
+  nodePool: Record<string, unknown>;
+}
+
+/**
+ * Create a GkeCluster composite — returns prop objects for
+ * a ContainerCluster and ContainerNodePool.
+ *
+ * @example
+ * ```ts
+ * import { GkeCluster } from "@intentius/chant-lexicon-gcp";
+ *
+ * const { cluster, nodePool } = GkeCluster({
+ *   name: "my-cluster",
+ *   location: "us-central1",
+ *   maxNodeCount: 10,
+ * });
+ * ```
+ */
+export function GkeCluster(props: GkeClusterProps): GkeClusterResult {
+  const {
+    name,
+    location,
+    initialNodeCount = 1,
+    machineType = "e2-medium",
+    minNodeCount = 1,
+    maxNodeCount = 5,
+    workloadIdentity = true,
+    diskSizeGb = 100,
+    releaseChannel = "REGULAR",
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const clusterSpec: Record<string, unknown> = {
+    initialNodeCount: 1, // Minimal default pool, real nodes in separate pool
+    removeDefaultNodePool: true,
+    releaseChannel: { channel: releaseChannel },
+    ...(location && { location }),
+  };
+
+  if (workloadIdentity) {
+    clusterSpec.workloadIdentityConfig = {
+      workloadPool: `PROJECT_ID.svc.id.goog`,
+    };
+  }
+
+  const cluster: Record<string, unknown> = {
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "cluster" },
+    },
+    ...clusterSpec,
+  };
+
+  const nodePoolName = `${name}-nodes`;
+  const nodePool: Record<string, unknown> = {
+    metadata: {
+      name: nodePoolName,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "node-pool" },
+    },
+    clusterRef: { name },
+    initialNodeCount,
+    autoscaling: {
+      minNodeCount,
+      maxNodeCount,
+    },
+    nodeConfig: {
+      machineType,
+      diskSizeGb,
+      oauthScopes: ["https://www.googleapis.com/auth/cloud-platform"],
+      ...(workloadIdentity && {
+        workloadMetadataConfig: { mode: "GKE_METADATA" },
+      }),
+    },
+    management: {
+      autoRepair: true,
+      autoUpgrade: true,
+    },
+    ...(location && { location }),
+  };
+
+  return { cluster, nodePool };
+}

package/src/composites/index.ts

@@ -0,0 +1,20 @@
+export { GkeCluster } from "./gke-cluster";
+export type { GkeClusterProps, GkeClusterResult } from "./gke-cluster";
+export { CloudRunService } from "./cloud-run-service";
+export type { CloudRunServiceProps, CloudRunServiceResult } from "./cloud-run-service";
+export { CloudSqlInstance } from "./cloud-sql-instance";
+export type { CloudSqlInstanceProps, CloudSqlInstanceResult } from "./cloud-sql-instance";
+export { GcsBucket } from "./gcs-bucket";
+export type { GcsBucketProps, GcsBucketResult } from "./gcs-bucket";
+export { VpcNetwork } from "./vpc-network";
+export type { VpcNetworkProps, VpcNetworkResult, VpcSubnet } from "./vpc-network";
+export { PubSubPipeline } from "./pubsub-pipeline";
+export type { PubSubPipelineProps, PubSubPipelineResult } from "./pubsub-pipeline";
+export { CloudFunctionWithTrigger } from "./cloud-function";
+export type { CloudFunctionWithTriggerProps, CloudFunctionWithTriggerResult } from "./cloud-function";
+export { PrivateService } from "./private-service";
+export type { PrivateServiceProps, PrivateServiceResult } from "./private-service";
+export { ManagedCertificate } from "./managed-certificate";
+export type { ManagedCertificateProps, ManagedCertificateResult } from "./managed-certificate";
+export { SecureProject } from "./secure-project";
+export type { SecureProjectProps, SecureProjectResult } from "./secure-project";

package/src/composites/managed-certificate.ts

@@ -0,0 +1,79 @@
+/**
+ * ManagedCertificate composite — ManagedSslCertificate + optional TargetHttpsProxy + UrlMap.
+ */
+
+export interface ManagedCertificateProps {
+  /** Certificate name. */
+  name: string;
+  /** Domains for the managed SSL certificate. */
+  domains: string[];
+  /** Create a TargetHttpsProxy and UrlMap (default: false). */
+  createProxy?: boolean;
+  /** Backend service name (required if createProxy is true). */
+  backendServiceName?: string;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface ManagedCertificateResult {
+  certificate: Record<string, unknown>;
+  targetHttpsProxy?: Record<string, unknown>;
+  urlMap?: Record<string, unknown>;
+}
+
+export function ManagedCertificate(props: ManagedCertificateProps): ManagedCertificateResult {
+  const {
+    name,
+    domains,
+    createProxy = false,
+    backendServiceName,
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const certificate: Record<string, unknown> = {
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "certificate" },
+    },
+    managed: {
+      domains,
+    },
+  };
+
+  const result: ManagedCertificateResult = { certificate };
+
+  if (createProxy && backendServiceName) {
+    result.urlMap = {
+      metadata: {
+        name: `${name}-url-map`,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "url-map" },
+      },
+      defaultService: {
+        backendServiceRef: { name: backendServiceName },
+      },
+    };
+
+    result.targetHttpsProxy = {
+      metadata: {
+        name: `${name}-proxy`,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "proxy" },
+      },
+      urlMapRef: { name: `${name}-url-map` },
+      sslCertificates: [{ name }],
+    };
+  }
+
+  return result;
+}

package/src/composites/private-service.ts

@@ -0,0 +1,95 @@
+/**
+ * PrivateService composite — GlobalAddress + ServiceNetworkingConnection + optional DNS.
+ */
+
+export interface PrivateServiceProps {
+  /** Service name. */
+  name: string;
+  /** VPC network name to peer with. */
+  networkName: string;
+  /** IP address prefix length (default: 16). */
+  prefixLength?: number;
+  /** Address type (default: "INTERNAL"). */
+  addressType?: string;
+  /** Purpose (default: "VPC_PEERING"). */
+  purpose?: string;
+  /** Enable a DNS zone for the private service (default: false). */
+  enableDns?: boolean;
+  /** DNS zone name (default: "{name}-dns"). */
+  dnsZoneName?: string;
+  /** DNS name suffix (default: "internal."). */
+  dnsSuffix?: string;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface PrivateServiceResult {
+  globalAddress: Record<string, unknown>;
+  serviceConnection: Record<string, unknown>;
+  dnsZone?: Record<string, unknown>;
+}
+
+export function PrivateService(props: PrivateServiceProps): PrivateServiceResult {
+  const {
+    name,
+    networkName,
+    prefixLength = 16,
+    addressType = "INTERNAL",
+    purpose = "VPC_PEERING",
+    enableDns = false,
+    dnsZoneName,
+    dnsSuffix = "internal.",
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const globalAddress: Record<string, unknown> = {
+    metadata: {
+      name: `${name}-address`,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "address" },
+    },
+    addressType,
+    purpose,
+    prefixLength,
+    networkRef: { name: networkName },
+  };
+
+  const serviceConnection: Record<string, unknown> = {
+    metadata: {
+      name: `${name}-connection`,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "connection" },
+    },
+    networkRef: { name: networkName },
+    service: "servicenetworking.googleapis.com",
+    reservedPeeringRanges: [{ name: `${name}-address` }],
+  };
+
+  const result: PrivateServiceResult = { globalAddress, serviceConnection };
+
+  if (enableDns) {
+    result.dnsZone = {
+      metadata: {
+        name: dnsZoneName ?? `${name}-dns`,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "dns" },
+      },
+      dnsName: dnsSuffix,
+      visibility: "private",
+      privateVisibilityConfig: {
+        networks: [{ networkRef: { name: networkName } }],
+      },
+    };
+  }
+
+  return result;
+}

package/src/composites/pubsub-pipeline.ts

@@ -0,0 +1,102 @@
+/**
+ * PubSubPipeline composite — Topic + Subscription + optional DLQ topic + subscriber IAM binding.
+ */
+
+export interface PubSubPipelineProps {
+  /** Pipeline name. */
+  name: string;
+  /** Subscription ack deadline in seconds (default: 10). */
+  ackDeadlineSeconds?: number;
+  /** Message retention duration (default: "604800s" = 7 days). */
+  messageRetentionDuration?: string;
+  /** Enable dead-letter queue (default: false). */
+  enableDeadLetterQueue?: boolean;
+  /** Max delivery attempts before sending to DLQ (default: 5). */
+  maxDeliveryAttempts?: number;
+  /** Service account email for subscriber IAM binding. */
+  subscriberServiceAccount?: string;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface PubSubPipelineResult {
+  topic: Record<string, unknown>;
+  subscription: Record<string, unknown>;
+  deadLetterTopic?: Record<string, unknown>;
+  subscriberIam?: Record<string, unknown>;
+}
+
+export function PubSubPipeline(props: PubSubPipelineProps): PubSubPipelineResult {
+  const {
+    name,
+    ackDeadlineSeconds = 10,
+    messageRetentionDuration = "604800s",
+    enableDeadLetterQueue = false,
+    maxDeliveryAttempts = 5,
+    subscriberServiceAccount,
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const topic: Record<string, unknown> = {
+    metadata: {
+      name: `${name}-topic`,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "topic" },
+    },
+  };
+
+  const subscription: Record<string, unknown> = {
+    metadata: {
+      name: `${name}-subscription`,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "subscription" },
+    },
+    topicRef: { name: `${name}-topic` },
+    ackDeadlineSeconds,
+    messageRetentionDuration,
+  };
+
+  const result: PubSubPipelineResult = { topic, subscription };
+
+  if (enableDeadLetterQueue) {
+    result.deadLetterTopic = {
+      metadata: {
+        name: `${name}-dlq`,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "dead-letter" },
+      },
+    };
+    subscription.deadLetterPolicy = {
+      deadLetterTopicRef: { name: `${name}-dlq` },
+      maxDeliveryAttempts,
+    };
+  }
+
+  if (subscriberServiceAccount) {
+    result.subscriberIam = {
+      metadata: {
+        name: `${name}-subscriber`,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "iam" },
+      },
+      member: `serviceAccount:${subscriberServiceAccount}`,
+      role: "roles/pubsub.subscriber",
+      resourceRef: {
+        apiVersion: "pubsub.cnrm.cloud.google.com/v1beta1",
+        kind: "PubSubSubscription",
+        name: `${name}-subscription`,
+      },
+    };
+  }
+
+  return result;
+}

package/src/composites/secure-project.ts

@@ -0,0 +1,128 @@
+/**
+ * SecureProject composite — Project + IAMAuditConfig + Service enablement + owner IAM + LoggingSink.
+ */
+
+export interface SecureProjectProps {
+  /** Project name (also used as project ID). */
+  name: string;
+  /** Organization ID or folder ID for the parent. */
+  orgId?: string;
+  /** Folder ID for the parent (alternative to orgId). */
+  folderId?: string;
+  /** Billing account ID. */
+  billingAccountRef?: string;
+  /** Owner email (IAM member format, e.g., "user:admin@example.com"). */
+  owner?: string;
+  /** GCP APIs to enable (default: common APIs). */
+  enabledApis?: string[];
+  /** Logging sink destination (e.g., BigQuery dataset or Cloud Storage bucket). */
+  loggingSinkDestination?: string;
+  /** Logging sink filter (default: all audit logs). */
+  loggingSinkFilter?: string;
+  /** Additional labels. */
+  labels?: Record<string, string>;
+  /** Namespace for all resources. */
+  namespace?: string;
+}
+
+export interface SecureProjectResult {
+  project: Record<string, unknown>;
+  auditConfig: Record<string, unknown>;
+  services: Record<string, unknown>[];
+  ownerIam?: Record<string, unknown>;
+  loggingSink?: Record<string, unknown>;
+}
+
+export function SecureProject(props: SecureProjectProps): SecureProjectResult {
+  const {
+    name,
+    orgId,
+    folderId,
+    billingAccountRef,
+    owner,
+    enabledApis = [
+      "compute.googleapis.com",
+      "container.googleapis.com",
+      "iam.googleapis.com",
+      "logging.googleapis.com",
+      "monitoring.googleapis.com",
+    ],
+    loggingSinkDestination,
+    loggingSinkFilter = 'logName:"cloudaudit.googleapis.com"',
+    labels: extraLabels = {},
+    namespace,
+  } = props;
+
+  const commonLabels: Record<string, string> = {
+    "app.kubernetes.io/name": name,
+    "app.kubernetes.io/managed-by": "chant",
+    ...extraLabels,
+  };
+
+  const project: Record<string, unknown> = {
+    metadata: {
+      name,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "project" },
+    },
+    ...(orgId && { organizationRef: { external: orgId } }),
+    ...(folderId && { folderRef: { external: folderId } }),
+    ...(billingAccountRef && { billingAccountRef: { external: billingAccountRef } }),
+  };
+
+  const auditConfig: Record<string, unknown> = {
+    metadata: {
+      name: `${name}-audit`,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "audit" },
+    },
+    service: "allServices",
+    auditLogConfigs: [
+      { logType: "ADMIN_READ" },
+      { logType: "DATA_READ" },
+      { logType: "DATA_WRITE" },
+    ],
+  };
+
+  const services = enabledApis.map((api) => ({
+    metadata: {
+      name: `${name}-${api.split(".")[0]}`,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "service" },
+    },
+    resourceID: api,
+  }));
+
+  const result: SecureProjectResult = { project, auditConfig, services };
+
+  if (owner) {
+    result.ownerIam = {
+      metadata: {
+        name: `${name}-owner`,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "iam" },
+      },
+      member: owner,
+      role: "roles/owner",
+      resourceRef: {
+        apiVersion: "resourcemanager.cnrm.cloud.google.com/v1beta1",
+        kind: "Project",
+        name,
+      },
+    };
+  }
+
+  if (loggingSinkDestination) {
+    result.loggingSink = {
+      metadata: {
+        name: `${name}-audit-sink`,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "logging" },
+      },
+      destination: loggingSinkDestination,
+      filter: loggingSinkFilter,
+    };
+  }
+
+  return result;
+}