@intentius/chant-lexicon-gcp 0.0.22 → 0.1.0

package/src/composites/secure-project.ts

@@ -2,6 +2,15 @@
  * SecureProject composite — Project + IAMAuditConfig + Service enablement + owner IAM + LoggingSink.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import {
+  ResourcemanagerProject,
+  IAMAuditConfig,
+  ServiceusageService,
+  IAMPolicyMember,
+  LogSink,
+} from "../generated";
+
 export interface SecureProjectProps {
   /** Project name (also used as project ID). */
   name: string;
@@ -23,17 +32,16 @@ export interface SecureProjectProps {
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
+  /** Per-member defaults for customizing individual resources. */
+  defaults?: {
+    project?: Partial<ConstructorParameters<typeof ResourcemanagerProject>[0]>;
+    auditConfig?: Partial<ConstructorParameters<typeof IAMAuditConfig>[0]>;
+    ownerIam?: Partial<ConstructorParameters<typeof IAMPolicyMember>[0]>;
+    loggingSink?: Partial<ConstructorParameters<typeof LogSink>[0]>;
+  };
 }
 
-export interface SecureProjectResult {
-  project: Record<string, unknown>;
-  auditConfig: Record<string, unknown>;
-  services: Record<string, unknown>[];
-  ownerIam?: Record<string, unknown>;
-  loggingSink?: Record<string, unknown>;
-}
-
-export function SecureProject(props: SecureProjectProps): SecureProjectResult {
+export const SecureProject = Composite<SecureProjectProps>((props) => {
   const {
     name,
     orgId,
@@ -51,6 +59,7 @@ export function SecureProject(props: SecureProjectProps): SecureProjectResult {
     loggingSinkFilter = 'logName:"cloudaudit.googleapis.com"',
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -59,7 +68,7 @@ export function SecureProject(props: SecureProjectProps): SecureProjectResult {
     ...extraLabels,
   };
 
-  const project: Record<string, unknown> = {
+  const project = new ResourcemanagerProject(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -68,9 +77,9 @@ export function SecureProject(props: SecureProjectProps): SecureProjectResult {
     ...(orgId && { organizationRef: { external: orgId } }),
     ...(folderId && { folderRef: { external: folderId } }),
     ...(billingAccountRef && { billingAccountRef: { external: billingAccountRef } }),
-  };
+  } as Record<string, unknown>, defs?.project));
 
-  const auditConfig: Record<string, unknown> = {
+  const auditConfig = new IAMAuditConfig(mergeDefaults({
     metadata: {
       name: `${name}-audit`,
       ...(namespace && { namespace }),
@@ -82,21 +91,27 @@ export function SecureProject(props: SecureProjectProps): SecureProjectResult {
       { logType: "DATA_READ" },
       { logType: "DATA_WRITE" },
     ],
-  };
+  } as Record<string, unknown>, defs?.auditConfig));
 
-  const services = enabledApis.map((api) => ({
-    metadata: {
-      name: `${name}-${api.split(".")[0]}`,
-      ...(namespace && { namespace }),
-      labels: { ...commonLabels, "app.kubernetes.io/component": "service" },
-    },
-    resourceID: api,
-  }));
+  // Spread services into named members (service_compute, service_container, etc.)
+  // so the Composite validator accepts them as individual Declarables.
+  const serviceEntries: Record<string, any> = {};
+  for (const api of enabledApis) {
+    const key = `service_${api.split(".")[0]}`;
+    serviceEntries[key] = new ServiceusageService({
+      metadata: {
+        name: `${name}-${api.split(".")[0]}`,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "service" },
+      },
+      resourceID: api,
+    } as Record<string, unknown>);
+  }
 
-  const result: SecureProjectResult = { project, auditConfig, services };
+  const result: Record<string, any> = { project, auditConfig, ...serviceEntries };
 
   if (owner) {
-    result.ownerIam = {
+    result.ownerIam = new IAMPolicyMember(mergeDefaults({
       metadata: {
         name: `${name}-owner`,
         ...(namespace && { namespace }),
@@ -109,11 +124,11 @@ export function SecureProject(props: SecureProjectProps): SecureProjectResult {
         kind: "Project",
         name,
       },
-    };
+    } as Record<string, unknown>, defs?.ownerIam));
   }
 
   if (loggingSinkDestination) {
-    result.loggingSink = {
+    result.loggingSink = new LogSink(mergeDefaults({
       metadata: {
         name: `${name}-audit-sink`,
         ...(namespace && { namespace }),
@@ -121,8 +136,8 @@ export function SecureProject(props: SecureProjectProps): SecureProjectResult {
       },
       destination: loggingSinkDestination,
       filter: loggingSinkFilter,
-    };
+    } as Record<string, unknown>, defs?.loggingSink));
   }
 
   return result;
-}
+}, "SecureProject");

package/src/composites/vpc-network.ts

@@ -2,6 +2,14 @@
  * VpcNetwork composite — ComputeNetwork + ComputeSubnetwork + ComputeFirewall + ComputeRouterNAT.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { VPCNetwork, Subnetwork, Firewall, Router, RouterNAT } from "../generated";
+
+export interface VpcSubnetSecondaryRange {
+  rangeName: string;
+  ipCidrRange: string;
+}
+
 export interface VpcSubnet {
   /** Subnet name suffix. */
   name: string;
@@ -11,6 +19,8 @@ export interface VpcSubnet {
   region: string;
   /** Enable private Google access (default: true). */
   privateIpGoogleAccess?: boolean;
+  /** Secondary IP ranges for VPC-native GKE pods/services. */
+  secondaryIpRanges?: VpcSubnetSecondaryRange[];
 }
 
 export interface VpcNetworkProps {
@@ -32,14 +42,12 @@ export interface VpcNetworkProps {
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
-}
-
-export interface VpcNetworkResult {
-  network: Record<string, unknown>;
-  subnets: Record<string, unknown>[];
-  firewalls: Record<string, unknown>[];
-  router?: Record<string, unknown>;
-  routerNat?: Record<string, unknown>;
+  /** Per-member defaults for customizing individual resources. */
+  defaults?: {
+    network?: Partial<ConstructorParameters<typeof VPCNetwork>[0]>;
+    router?: Partial<ConstructorParameters<typeof Router>[0]>;
+    routerNat?: Partial<ConstructorParameters<typeof RouterNAT>[0]>;
+  };
 }
 
 /**
@@ -60,7 +68,7 @@ export interface VpcNetworkResult {
  * });
  * ```
  */
-export function VpcNetwork(props: VpcNetworkProps): VpcNetworkResult {
+export const VpcNetwork = Composite<VpcNetworkProps>((props) => {
   const {
     name,
     autoCreateSubnetworks = false,
@@ -71,6 +79,7 @@ export function VpcNetwork(props: VpcNetworkProps): VpcNetworkResult {
     allowIapSsh = false,
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -79,7 +88,7 @@ export function VpcNetwork(props: VpcNetworkProps): VpcNetworkResult {
     ...extraLabels,
   };
 
-  const network: Record<string, unknown> = {
+  const network = new VPCNetwork(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -87,58 +96,66 @@ export function VpcNetwork(props: VpcNetworkProps): VpcNetworkResult {
     },
     autoCreateSubnetworks,
     routingMode: "REGIONAL",
-  };
+  } as Record<string, unknown>, defs?.network));
 
-  const subnets: Record<string, unknown>[] = subnetDefs.map((sub) => ({
-    metadata: {
-      name: `${name}-${sub.name}`,
-      ...(namespace && { namespace }),
-      labels: { ...commonLabels, "app.kubernetes.io/component": "subnet" },
-    },
-    networkRef: { name },
-    ipCidrRange: sub.ipCidrRange,
-    region: sub.region,
-    privateIpGoogleAccess: sub.privateIpGoogleAccess ?? true,
-  }));
+  // Spread subnets into named members (subnet_<name>) for Composite validation.
+  const subnetEntries: Record<string, any> = {};
+  for (const sub of subnetDefs) {
+    subnetEntries[`subnet_${sub.name}`] = new Subnetwork({
+      metadata: {
+        name: `${name}-${sub.name}`,
+        ...(namespace && { namespace }),
+        labels: { ...commonLabels, "app.kubernetes.io/component": "subnet" },
+      },
+      networkRef: { name },
+      ipCidrRange: sub.ipCidrRange,
+      region: sub.region,
+      privateIpGoogleAccess: sub.privateIpGoogleAccess ?? true,
+      ...(sub.secondaryIpRanges && sub.secondaryIpRanges.length > 0 && {
+        secondaryIpRange: sub.secondaryIpRanges,
+      }),
+    } as Record<string, unknown>);
+  }
 
-  const firewalls: Record<string, unknown>[] = [];
+  // Spread firewalls into named members for Composite validation.
+  const firewallEntries: Record<string, any> = {};
 
   if (allowInternalTraffic) {
-    firewalls.push({
+    firewallEntries.firewallAllowInternal = new Firewall({
       metadata: {
         name: `${name}-allow-internal`,
         ...(namespace && { namespace }),
         labels: { ...commonLabels, "app.kubernetes.io/component": "firewall" },
       },
       networkRef: { name },
-      allowed: [
+      allow: [
         { protocol: "tcp", ports: ["0-65535"] },
         { protocol: "udp", ports: ["0-65535"] },
         { protocol: "icmp" },
       ],
       sourceRanges: subnetDefs.map((s) => s.ipCidrRange),
-    });
+    } as Record<string, unknown>);
   }
 
   if (allowIapSsh) {
-    firewalls.push({
+    firewallEntries.firewallAllowIapSsh = new Firewall({
       metadata: {
         name: `${name}-allow-iap-ssh`,
         ...(namespace && { namespace }),
         labels: { ...commonLabels, "app.kubernetes.io/component": "firewall" },
       },
       networkRef: { name },
-      allowed: [{ protocol: "tcp", ports: ["22"] }],
+      allow: [{ protocol: "tcp", ports: ["22"] }],
       sourceRanges: ["35.235.240.0/20"], // IAP IP range
-    });
+    } as Record<string, unknown>);
   }
 
-  const result: VpcNetworkResult = { network, subnets, firewalls };
+  const result: Record<string, any> = { network, ...subnetEntries, ...firewallEntries };
 
   if (enableNat && natRegion) {
     const routerName = `${name}-router`;
 
-    result.router = {
+    result.router = new Router(mergeDefaults({
       metadata: {
         name: routerName,
         ...(namespace && { namespace }),
@@ -146,9 +163,9 @@ export function VpcNetwork(props: VpcNetworkProps): VpcNetworkResult {
       },
       networkRef: { name },
       region: natRegion,
-    };
+    } as Record<string, unknown>, defs?.router));
 
-    result.routerNat = {
+    result.routerNat = new RouterNAT(mergeDefaults({
       metadata: {
         name: `${name}-nat`,
         ...(namespace && { namespace }),
@@ -158,8 +175,8 @@ export function VpcNetwork(props: VpcNetworkProps): VpcNetworkResult {
       region: natRegion,
       natIpAllocateOption: "AUTO_ONLY",
       sourceSubnetworkIpRangesToNat: "ALL_SUBNETWORKS_ALL_IP_RANGES",
-    };
+    } as Record<string, unknown>, defs?.routerNat));
   }
 
   return result;
-}
+}, "VpcNetwork");

package/src/index.ts

@@ -20,20 +20,22 @@ export * from "./generated/index";
 
 // Composites
 export {
-  GkeCluster, CloudRunService, CloudSqlInstance, GcsBucket, VpcNetwork,
+  GkeCluster, CloudRunServiceComposite, CloudSqlInstance, GcsBucket, VpcNetwork,
   PubSubPipeline, CloudFunctionWithTrigger, PrivateService, ManagedCertificate, SecureProject,
+  MemorystoreRedis,
 } from "./composites/index";
 export type {
-  GkeClusterProps, GkeClusterResult,
-  CloudRunServiceProps, CloudRunServiceResult,
-  CloudSqlInstanceProps, CloudSqlInstanceResult,
-  GcsBucketProps, GcsBucketResult,
-  VpcNetworkProps, VpcNetworkResult, VpcSubnet,
-  PubSubPipelineProps, PubSubPipelineResult,
-  CloudFunctionWithTriggerProps, CloudFunctionWithTriggerResult,
-  PrivateServiceProps, PrivateServiceResult,
-  ManagedCertificateProps, ManagedCertificateResult,
-  SecureProjectProps, SecureProjectResult,
+  GkeClusterProps,
+  CloudRunServiceProps,
+  CloudSqlInstanceProps,
+  GcsBucketProps,
+  VpcNetworkProps, VpcSubnet,
+  PubSubPipelineProps,
+  CloudFunctionWithTriggerProps,
+  PrivateServiceProps,
+  ManagedCertificateProps,
+  SecureProjectProps,
+  MemorystoreRedisProps,
 } from "./composites/index";
 
 // IAM role constants

package/src/lint/post-synth/post-synth.test.ts

@@ -54,7 +54,8 @@ metadata:
 spec:
   location: US
   encryption:
-    defaultKmsKeyName: projects/p/locations/l/keyRings/kr/cryptoKeys/k
+    kmsKeyRef:
+      external: projects/p/locations/l/keyRings/kr/cryptoKeys/k
 `;
     const diags = wgc101.check(makeCtx(yaml));
     const bucketDiags = diags.filter(d => d.entity === "my-bucket");

package/src/lint/post-synth/wgc101.test.ts

@@ -30,7 +30,8 @@ metadata:
 spec:
   location: US
   encryption:
-    defaultKmsKeyName: projects/p/locations/l/keyRings/kr/cryptoKeys/k
+    kmsKeyRef:
+      external: projects/p/locations/l/keyRings/kr/cryptoKeys/k
 `;
     const diags = wgc101.check(makeCtx(yaml));
     const bucketDiags = diags.filter(d => d.entity === "my-bucket");

package/src/lint/post-synth/wgc101.ts

@@ -30,7 +30,7 @@ export const wgc101: PostSynthCheck = {
           diagnostics.push({
             checkId: "WGC101",
             severity: "warning",
-            message: `StorageBucket "${name}" has no encryption configuration — consider adding spec.encryption.defaultKmsKeyName`,
+            message: `StorageBucket "${name}" has no encryption configuration — consider adding spec.encryption.kmsKeyRef`,
             entity: name,
             lexicon: "gcp",
           });