@intentius/chant-lexicon-gcp 0.0.22 → 0.0.24

package/src/composites/gke-cluster.ts

@@ -5,9 +5,14 @@
  * workload identity and autoscaling.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { GKECluster, NodePool } from "../generated";
+
 export interface GkeClusterProps {
   /** Cluster name. */
   name: string;
+  /** GCP project ID for workload identity pool. Falls back to GCP_PROJECT_ID env var. */
+  projectId?: string;
   /** GCP region for regional cluster (default: uses GCP.Region). */
   location?: string;
   /** Initial node count per zone (default: 1). */
@@ -22,21 +27,46 @@ export interface GkeClusterProps {
   workloadIdentity?: boolean;
   /** Disk size in GB for nodes (default: 100). */
   diskSizeGb?: number;
+  /** Boot disk type for nodes (default: "pd-standard"). */
+  diskType?: string;
+  /** VPC network name (if omitted, uses default network). */
+  network?: string;
+  /** Subnetwork name for the cluster nodes. */
+  subnetwork?: string;
+  /**
+   * Enable private nodes — nodes have only internal IPs, no external IPs.
+   * Requires Cloud NAT for egress. Keeps master endpoint public so kubectl works from outside.
+   * Requires masterCidr when enabled.
+   */
+  privateNodes?: boolean;
+  /**
+   * CIDR block for the master's private endpoint (e.g. "172.16.0.0/28").
+   * Must be /28, unique per cluster, and not overlap with node/pod CIDRs.
+   * Required when privateNodes is true.
+   */
+  masterCidr?: string;
+  /**
+   * Restrict node pools to specific zones within the region.
+   * Useful when a region has capacity issues in some zones.
+   * E.g. ["us-east4-b"] to use only zone b of us-east4.
+   */
+  nodeLocations?: string[];
   /** GKE release channel (default: "REGULAR"). */
   releaseChannel?: "RAPID" | "REGULAR" | "STABLE";
   /** Additional labels. */
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
-}
-
-export interface GkeClusterResult {
-  cluster: Record<string, unknown>;
-  nodePool: Record<string, unknown>;
+  /** Per-member defaults for customizing individual resources. */
+  defaults?: {
+    cluster?: Partial<ConstructorParameters<typeof GKECluster>[0]>;
+    nodePool?: Partial<ConstructorParameters<typeof NodePool>[0]>;
+    defaultPool?: Partial<ConstructorParameters<typeof NodePool>[0]>;
+  };
 }
 
 /**
- * Create a GkeCluster composite — returns prop objects for
+ * Create a GkeCluster composite — returns declarable instances for
  * a ContainerCluster and ContainerNodePool.
  *
  * @example
@@ -50,9 +80,10 @@ export interface GkeClusterResult {
  * });
  * ```
  */
-export function GkeCluster(props: GkeClusterProps): GkeClusterResult {
+export const GkeCluster = Composite<GkeClusterProps>((props) => {
   const {
     name,
+    projectId: rawProjectId,
     location,
     initialNodeCount = 1,
     machineType = "e2-medium",
@@ -60,11 +91,20 @@ export function GkeCluster(props: GkeClusterProps): GkeClusterResult {
     maxNodeCount = 5,
     workloadIdentity = true,
     diskSizeGb = 100,
+    diskType = "pd-standard",
+    network: networkName,
+    subnetwork: subnetworkName,
+    privateNodes = false,
+    masterCidr,
+    nodeLocations,
     releaseChannel = "REGULAR",
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
 
+  const projectId = rawProjectId ?? process.env.GCP_PROJECT_ID ?? "PROJECT_ID";
+
   const commonLabels: Record<string, string> = {
     "app.kubernetes.io/name": name,
     "app.kubernetes.io/managed-by": "chant",
@@ -72,29 +112,47 @@ export function GkeCluster(props: GkeClusterProps): GkeClusterResult {
   };
 
   const clusterSpec: Record<string, unknown> = {
-    initialNodeCount: 1, // Minimal default pool, real nodes in separate pool
-    removeDefaultNodePool: true,
+    // GKE API requires initialNodeCount > 0 even when using a separate
+    // ContainerNodePool. Force pd-standard so the default pool doesn't
+    // consume SSD_TOTAL_GB quota (pd-balanced counts as SSD).
+    initialNodeCount: 1,
+    nodeConfig: {
+      machineType,
+      diskType: "pd-standard",
+      diskSizeGb: 50,
+    },
     releaseChannel: { channel: releaseChannel },
     ...(location && { location }),
+    ...(networkName && { networkRef: { name: networkName } }),
+    ...(subnetworkName && { subnetworkRef: { name: subnetworkName } }),
+    ...(nodeLocations && { nodeLocations }),
+    ...(privateNodes && {
+      privateClusterConfig: {
+        enablePrivateNodes: true,
+        // Keep master endpoint public so kubectl works from outside the VPC.
+        enablePrivateEndpoint: false,
+        ...(masterCidr && { masterIpv4CidrBlock: masterCidr }),
+      },
+    }),
   };
 
   if (workloadIdentity) {
     clusterSpec.workloadIdentityConfig = {
-      workloadPool: `PROJECT_ID.svc.id.goog`,
+      workloadPool: `${projectId}.svc.id.goog`,
     };
   }
 
-  const cluster: Record<string, unknown> = {
+  const cluster = new GKECluster(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
       labels: { ...commonLabels, "app.kubernetes.io/component": "cluster" },
     },
     ...clusterSpec,
-  };
+  } as Record<string, unknown>, defs?.cluster));
 
   const nodePoolName = `${name}-nodes`;
-  const nodePool: Record<string, unknown> = {
+  const nodePool = new NodePool(mergeDefaults({
     metadata: {
       name: nodePoolName,
       ...(namespace && { namespace }),
@@ -109,6 +167,7 @@ export function GkeCluster(props: GkeClusterProps): GkeClusterResult {
     nodeConfig: {
       machineType,
       diskSizeGb,
+      diskType,
       oauthScopes: ["https://www.googleapis.com/auth/cloud-platform"],
       ...(workloadIdentity && {
         workloadMetadataConfig: { mode: "GKE_METADATA" },
@@ -119,7 +178,23 @@ export function GkeCluster(props: GkeClusterProps): GkeClusterResult {
       autoUpgrade: true,
     },
     ...(location && { location }),
-  };
+  } as Record<string, unknown>, defs?.nodePool));
 
-  return { cluster, nodePool };
-}
+  // Adopt and scale the GKE-required default pool to 0.
+  // resourceID maps this K8s resource to the GCP pool named "default-pool".
+  // Config Connector retries until the workload pool has nodes, at which
+  // point GKE accepts the resize-to-zero.
+  const defaultPool = new NodePool(mergeDefaults({
+    metadata: {
+      name: `${name}-default-pool`,
+      ...(namespace && { namespace }),
+      labels: { ...commonLabels, "app.kubernetes.io/component": "default-pool" },
+    },
+    resourceID: "default-pool",
+    clusterRef: { name },
+    nodeCount: 0,
+    ...(location && { location }),
+  } as Record<string, unknown>, defs?.defaultPool));
+
+  return { cluster, nodePool, defaultPool };
+}, "GkeCluster");

package/src/composites/index.ts

@@ -1,20 +1,20 @@
 export { GkeCluster } from "./gke-cluster";
-export type { GkeClusterProps, GkeClusterResult } from "./gke-cluster";
-export { CloudRunService } from "./cloud-run-service";
-export type { CloudRunServiceProps, CloudRunServiceResult } from "./cloud-run-service";
+export type { GkeClusterProps } from "./gke-cluster";
+export { CloudRunServiceComposite } from "./cloud-run-service";
+export type { CloudRunServiceProps } from "./cloud-run-service";
 export { CloudSqlInstance } from "./cloud-sql-instance";
-export type { CloudSqlInstanceProps, CloudSqlInstanceResult } from "./cloud-sql-instance";
+export type { CloudSqlInstanceProps } from "./cloud-sql-instance";
 export { GcsBucket } from "./gcs-bucket";
-export type { GcsBucketProps, GcsBucketResult } from "./gcs-bucket";
+export type { GcsBucketProps } from "./gcs-bucket";
 export { VpcNetwork } from "./vpc-network";
-export type { VpcNetworkProps, VpcNetworkResult, VpcSubnet } from "./vpc-network";
+export type { VpcNetworkProps, VpcSubnet } from "./vpc-network";
 export { PubSubPipeline } from "./pubsub-pipeline";
-export type { PubSubPipelineProps, PubSubPipelineResult } from "./pubsub-pipeline";
+export type { PubSubPipelineProps } from "./pubsub-pipeline";
 export { CloudFunctionWithTrigger } from "./cloud-function";
-export type { CloudFunctionWithTriggerProps, CloudFunctionWithTriggerResult } from "./cloud-function";
+export type { CloudFunctionWithTriggerProps } from "./cloud-function";
 export { PrivateService } from "./private-service";
-export type { PrivateServiceProps, PrivateServiceResult } from "./private-service";
+export type { PrivateServiceProps } from "./private-service";
 export { ManagedCertificate } from "./managed-certificate";
-export type { ManagedCertificateProps, ManagedCertificateResult } from "./managed-certificate";
+export type { ManagedCertificateProps } from "./managed-certificate";
 export { SecureProject } from "./secure-project";
-export type { SecureProjectProps, SecureProjectResult } from "./secure-project";
+export type { SecureProjectProps } from "./secure-project";

package/src/composites/managed-certificate.ts

@@ -2,6 +2,9 @@
  * ManagedCertificate composite — ManagedSslCertificate + optional TargetHttpsProxy + UrlMap.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { ManagedSSLCertificate, TargetHTTPSProxy, URLMap } from "../generated";
+
 export interface ManagedCertificateProps {
   /** Certificate name. */
   name: string;
@@ -15,15 +18,15 @@ export interface ManagedCertificateProps {
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
+  /** Per-member defaults for customizing individual resources. */
+  defaults?: {
+    certificate?: Partial<ConstructorParameters<typeof ManagedSSLCertificate>[0]>;
+    targetHttpsProxy?: Partial<ConstructorParameters<typeof TargetHTTPSProxy>[0]>;
+    urlMap?: Partial<ConstructorParameters<typeof URLMap>[0]>;
+  };
 }
 
-export interface ManagedCertificateResult {
-  certificate: Record<string, unknown>;
-  targetHttpsProxy?: Record<string, unknown>;
-  urlMap?: Record<string, unknown>;
-}
-
-export function ManagedCertificate(props: ManagedCertificateProps): ManagedCertificateResult {
+export const ManagedCertificate = Composite<ManagedCertificateProps>((props) => {
   const {
     name,
     domains,
@@ -31,6 +34,7 @@ export function ManagedCertificate(props: ManagedCertificateProps): ManagedCerti
     backendServiceName,
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -39,7 +43,7 @@ export function ManagedCertificate(props: ManagedCertificateProps): ManagedCerti
     ...extraLabels,
   };
 
-  const certificate: Record<string, unknown> = {
+  const certificate = new ManagedSSLCertificate(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -48,12 +52,12 @@ export function ManagedCertificate(props: ManagedCertificateProps): ManagedCerti
     managed: {
       domains,
     },
-  };
+  } as Record<string, unknown>, defs?.certificate));
 
-  const result: ManagedCertificateResult = { certificate };
+  const result: Record<string, any> = { certificate };
 
   if (createProxy && backendServiceName) {
-    result.urlMap = {
+    result.urlMap = new URLMap(mergeDefaults({
       metadata: {
         name: `${name}-url-map`,
         ...(namespace && { namespace }),
@@ -62,9 +66,9 @@ export function ManagedCertificate(props: ManagedCertificateProps): ManagedCerti
       defaultService: {
         backendServiceRef: { name: backendServiceName },
       },
-    };
+    } as Record<string, unknown>, defs?.urlMap));
 
-    result.targetHttpsProxy = {
+    result.targetHttpsProxy = new TargetHTTPSProxy(mergeDefaults({
       metadata: {
         name: `${name}-proxy`,
         ...(namespace && { namespace }),
@@ -72,8 +76,8 @@ export function ManagedCertificate(props: ManagedCertificateProps): ManagedCerti
       },
       urlMapRef: { name: `${name}-url-map` },
       sslCertificates: [{ name }],
-    };
+    } as Record<string, unknown>, defs?.targetHttpsProxy));
   }
 
   return result;
-}
+}, "ManagedCertificate");

package/src/composites/private-service.ts

@@ -2,6 +2,13 @@
  * PrivateService composite — GlobalAddress + ServiceNetworkingConnection + optional DNS.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import {
+  ComputeAddress,
+  ServicenetworkingConnection,
+  DNSManagedZone,
+} from "../generated";
+
 export interface PrivateServiceProps {
   /** Service name. */
   name: string;
@@ -23,15 +30,15 @@ export interface PrivateServiceProps {
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
+  /** Per-member defaults for customizing individual resources. */
+  defaults?: {
+    globalAddress?: Partial<ConstructorParameters<typeof ComputeAddress>[0]>;
+    serviceConnection?: Partial<ConstructorParameters<typeof ServicenetworkingConnection>[0]>;
+    dnsZone?: Partial<ConstructorParameters<typeof DNSManagedZone>[0]>;
+  };
 }
 
-export interface PrivateServiceResult {
-  globalAddress: Record<string, unknown>;
-  serviceConnection: Record<string, unknown>;
-  dnsZone?: Record<string, unknown>;
-}
-
-export function PrivateService(props: PrivateServiceProps): PrivateServiceResult {
+export const PrivateService = Composite<PrivateServiceProps>((props) => {
   const {
     name,
     networkName,
@@ -43,6 +50,7 @@ export function PrivateService(props: PrivateServiceProps): PrivateServiceResult
     dnsSuffix = "internal.",
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -51,7 +59,7 @@ export function PrivateService(props: PrivateServiceProps): PrivateServiceResult
     ...extraLabels,
   };
 
-  const globalAddress: Record<string, unknown> = {
+  const globalAddress = new ComputeAddress(mergeDefaults({
     metadata: {
       name: `${name}-address`,
       ...(namespace && { namespace }),
@@ -61,9 +69,9 @@ export function PrivateService(props: PrivateServiceProps): PrivateServiceResult
     purpose,
     prefixLength,
     networkRef: { name: networkName },
-  };
+  } as Record<string, unknown>, defs?.globalAddress));
 
-  const serviceConnection: Record<string, unknown> = {
+  const serviceConnection = new ServicenetworkingConnection(mergeDefaults({
     metadata: {
       name: `${name}-connection`,
       ...(namespace && { namespace }),
@@ -72,12 +80,12 @@ export function PrivateService(props: PrivateServiceProps): PrivateServiceResult
     networkRef: { name: networkName },
     service: "servicenetworking.googleapis.com",
     reservedPeeringRanges: [{ name: `${name}-address` }],
-  };
+  } as Record<string, unknown>, defs?.serviceConnection));
 
-  const result: PrivateServiceResult = { globalAddress, serviceConnection };
+  const result: Record<string, any> = { globalAddress, serviceConnection };
 
   if (enableDns) {
-    result.dnsZone = {
+    result.dnsZone = new DNSManagedZone(mergeDefaults({
       metadata: {
         name: dnsZoneName ?? `${name}-dns`,
         ...(namespace && { namespace }),
@@ -88,8 +96,8 @@ export function PrivateService(props: PrivateServiceProps): PrivateServiceResult
       privateVisibilityConfig: {
         networks: [{ networkRef: { name: networkName } }],
       },
-    };
+    } as Record<string, unknown>, defs?.dnsZone));
   }
 
   return result;
-}
+}, "PrivateService");

package/src/composites/pubsub-pipeline.ts

@@ -2,6 +2,9 @@
  * PubSubPipeline composite — Topic + Subscription + optional DLQ topic + subscriber IAM binding.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { PubSubTopic, PubSubSubscription, IAMPolicyMember } from "../generated";
+
 export interface PubSubPipelineProps {
   /** Pipeline name. */
   name: string;
@@ -19,16 +22,16 @@ export interface PubSubPipelineProps {
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
+  /** Per-member defaults for customizing individual resources. */
+  defaults?: {
+    topic?: Partial<ConstructorParameters<typeof PubSubTopic>[0]>;
+    subscription?: Partial<ConstructorParameters<typeof PubSubSubscription>[0]>;
+    deadLetterTopic?: Partial<ConstructorParameters<typeof PubSubTopic>[0]>;
+    subscriberIam?: Partial<ConstructorParameters<typeof IAMPolicyMember>[0]>;
+  };
 }
 
-export interface PubSubPipelineResult {
-  topic: Record<string, unknown>;
-  subscription: Record<string, unknown>;
-  deadLetterTopic?: Record<string, unknown>;
-  subscriberIam?: Record<string, unknown>;
-}
-
-export function PubSubPipeline(props: PubSubPipelineProps): PubSubPipelineResult {
+export const PubSubPipeline = Composite<PubSubPipelineProps>((props) => {
   const {
     name,
     ackDeadlineSeconds = 10,
@@ -38,6 +41,7 @@ export function PubSubPipeline(props: PubSubPipelineProps): PubSubPipelineResult
     subscriberServiceAccount,
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -46,15 +50,15 @@ export function PubSubPipeline(props: PubSubPipelineProps): PubSubPipelineResult
     ...extraLabels,
   };
 
-  const topic: Record<string, unknown> = {
+  const topic = new PubSubTopic(mergeDefaults({
     metadata: {
       name: `${name}-topic`,
       ...(namespace && { namespace }),
       labels: { ...commonLabels, "app.kubernetes.io/component": "topic" },
     },
-  };
+  } as Record<string, unknown>, defs?.topic));
 
-  const subscription: Record<string, unknown> = {
+  const subscriptionProps: Record<string, unknown> = {
     metadata: {
       name: `${name}-subscription`,
       ...(namespace && { namespace }),
@@ -65,24 +69,32 @@ export function PubSubPipeline(props: PubSubPipelineProps): PubSubPipelineResult
     messageRetentionDuration,
   };
 
-  const result: PubSubPipelineResult = { topic, subscription };
+  const result: Record<string, any> = { topic };
 
   if (enableDeadLetterQueue) {
-    result.deadLetterTopic = {
+    result.deadLetterTopic = new PubSubTopic(mergeDefaults({
       metadata: {
         name: `${name}-dlq`,
         ...(namespace && { namespace }),
         labels: { ...commonLabels, "app.kubernetes.io/component": "dead-letter" },
       },
-    };
-    subscription.deadLetterPolicy = {
+    } as Record<string, unknown>, defs?.deadLetterTopic));
+
+    subscriptionProps.deadLetterPolicy = {
       deadLetterTopicRef: { name: `${name}-dlq` },
       maxDeliveryAttempts,
     };
   }
 
+  const subscription = new PubSubSubscription(mergeDefaults(
+    subscriptionProps,
+    defs?.subscription,
+  ));
+
+  result.subscription = subscription;
+
   if (subscriberServiceAccount) {
-    result.subscriberIam = {
+    result.subscriberIam = new IAMPolicyMember(mergeDefaults({
       metadata: {
         name: `${name}-subscriber`,
         ...(namespace && { namespace }),
@@ -95,8 +107,8 @@ export function PubSubPipeline(props: PubSubPipelineProps): PubSubPipelineResult
         kind: "PubSubSubscription",
         name: `${name}-subscription`,
       },
-    };
+    } as Record<string, unknown>, defs?.subscriberIam));
   }
 
   return result;
-}
+}, "PubSubPipeline");

package/src/composites/secure-project.ts

@@ -2,6 +2,15 @@
  * SecureProject composite — Project + IAMAuditConfig + Service enablement + owner IAM + LoggingSink.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import {
+  ResourcemanagerProject,
+  IAMAuditConfig,
+  ServiceusageService,
+  IAMPolicyMember,
+  LogSink,
+} from "../generated";
+
 export interface SecureProjectProps {
   /** Project name (also used as project ID). */
   name: string;
@@ -23,17 +32,16 @@ export interface SecureProjectProps {
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
+  /** Per-member defaults for customizing individual resources. */
+  defaults?: {
+    project?: Partial<ConstructorParameters<typeof ResourcemanagerProject>[0]>;
+    auditConfig?: Partial<ConstructorParameters<typeof IAMAuditConfig>[0]>;
+    ownerIam?: Partial<ConstructorParameters<typeof IAMPolicyMember>[0]>;
+    loggingSink?: Partial<ConstructorParameters<typeof LogSink>[0]>;
+  };
 }
 
-export interface SecureProjectResult {
-  project: Record<string, unknown>;
-  auditConfig: Record<string, unknown>;
-  services: Record<string, unknown>[];
-  ownerIam?: Record<string, unknown>;
-  loggingSink?: Record<string, unknown>;
-}
-
-export function SecureProject(props: SecureProjectProps): SecureProjectResult {
+export const SecureProject = Composite<SecureProjectProps>((props) => {
   const {
     name,
     orgId,
@@ -51,6 +59,7 @@ export function SecureProject(props: SecureProjectProps): SecureProjectResult {
     loggingSinkFilter = 'logName:"cloudaudit.googleapis.com"',
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -59,7 +68,7 @@ export function SecureProject(props: SecureProjectProps): SecureProjectResult {
     ...extraLabels,
   };
 
-  const project: Record<string, unknown> = {
+  const project = new ResourcemanagerProject(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -68,9 +77,9 @@ export function SecureProject(props: SecureProjectProps): SecureProjectResult {
     ...(orgId && { organizationRef: { external: orgId } }),
     ...(folderId && { folderRef: { external: folderId } }),
     ...(billingAccountRef && { billingAccountRef: { external: billingAccountRef } }),
-  };
+  } as Record<string, unknown>, defs?.project));
 
-  const auditConfig: Record<string, unknown> = {
+  const auditConfig = new IAMAuditConfig(mergeDefaults({
     metadata: {
       name: `${name}-audit`,
       ...(namespace && { namespace }),
@@ -82,21 +91,27 @@ export function SecureProject(props: SecureProjectProps): SecureProjectResult {
       { logType: "DATA_READ" },
       { logType: "DATA_WRITE" },
     ],
-  };
+  } as Record<string, unknown>, defs?.auditConfig));
 
-  const services = enabledApis.map((api) => ({
-    metadata: {
-      name: `${name}-${api.split(".")[0]}`,
-      ...(namespace && { namespace }),
-      labels: { ...commonLabels, "app.kubernetes.io/component": "service" },
-    },
-    resourceID: api,
-  }));
+  // Spread services into named members (service_compute, service_container, etc.)
+  // so the Composite validator accepts them as individual Declarables.
+  const serviceEntries: Record<string, any> = {};
+  for (const api of enabledApis) {
+    const key = `service_${api.split(".")[0]}`;
+    serviceEntries[key] = new ServiceusageService({
+      metadata: {
+        name: `${name}-${api.split(".")[0]}`,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "service" },
+      },
+      resourceID: api,
+    } as Record<string, unknown>);
+  }
 
-  const result: SecureProjectResult = { project, auditConfig, services };
+  const result: Record<string, any> = { project, auditConfig, ...serviceEntries };
 
   if (owner) {
-    result.ownerIam = {
+    result.ownerIam = new IAMPolicyMember(mergeDefaults({
       metadata: {
         name: `${name}-owner`,
         ...(namespace && { namespace }),
@@ -109,11 +124,11 @@ export function SecureProject(props: SecureProjectProps): SecureProjectResult {
         kind: "Project",
         name,
       },
-    };
+    } as Record<string, unknown>, defs?.ownerIam));
   }
 
   if (loggingSinkDestination) {
-    result.loggingSink = {
+    result.loggingSink = new LogSink(mergeDefaults({
       metadata: {
         name: `${name}-audit-sink`,
         ...(namespace && { namespace }),
@@ -121,8 +136,8 @@ export function SecureProject(props: SecureProjectProps): SecureProjectResult {
       },
       destination: loggingSinkDestination,
       filter: loggingSinkFilter,
-    };
+    } as Record<string, unknown>, defs?.loggingSink));
   }
 
   return result;
-}
+}, "SecureProject");