As a cloud administrator, you can leverage the Google Cloud Platform (GCP) plug-in to provision plug-in based storage buckets as you build out your infrastructure. You can also use allocation helpers to provide allocation logic for your storage buckets. Plug-in based storage bucket support includes the creation of multi-region or dual-region bucket resources, restricted public access, and encryption.

To learn more about plug-ins and allocation in VMware Aria Automation, see Plug-in based designs and deployments in Automation Assembler.

Storage bucket properties

The following properties are required for plug-in based storage bucket resources. See the Google Cloud REST documentation for a full list of instance properties. Resource properties in the GCP documentation are written in camelCase, whereas resource properties in Automation Assembler are written in snake_case.

| Property | Description |
| --- | --- |
| name | The name for your storage bucket. The name associated with the bucket cannot be changed after creation, so the name must be unique and human-readable. See Bucket names in the Google Cloud documentation for bucket name requirements. |
| account | The GCP cloud account for account regions to which your team deploys cloud templates. See Create a Google Cloud Platform cloud account in VMware Aria Automation for more information. |

The following section contains some example cloud templates for provisioning plug-in based storage buckets in Automation Assembler.

Provisioning single-region storage buckets

You can provision a single-region storage bucket by hardcoding the region in the cloud template as the following example shows.

formatVersion: 1
inputs: {}
resources:
  Idem_GCP_STORAGE_BUCKET_1:
    type: Idem.GCP.STORAGE.BUCKET
    metadata:
      layoutPosition:
        - 0
        - 0
    properties:
      name: bucket-test
      account: gcp-account
      location: us-central1

Optionally, you can use the enum property to build a list of regions for users to choose from. In this example, you also enable versioning for the bucket, use bucket labels, and allow users to choose a storage class.

formatVersion: 1
inputs:
  region:
    type: string
    title: Region
    description: Google region
    # This enumeration simplifies choosing a region. Alternatively, hardcode the region in the location property.
    enum:
      - europe-central2
      - europe-north1
      - europe-southwest1
      - europe-west1
      - europe-west2
      - europe-west3
      - europe-west4
      - europe-west6
      - europe-west8
      - europe-west9
      - europe-west12
  loc:
    type: string
    title: Location label
  bucket:
    type: string
    title: Bucket name
  storage_class:
    type: string
    title: Storage class
    enum:
      - STANDARD
      - NEARLINE
      - COLDLINE
      - ARCHIVE
  versioning:
    type: string
    title: Enable versioning
    enum:
      - 'Yes'
      - 'No'
resources:
  Idem_GCP_STORAGE_BUCKET_1:
    type: Idem.GCP.STORAGE.BUCKET
    metadata:
      layoutPosition:
        - 0
        - 0
    properties:
      name: ${input.bucket}
      account: gcp-account
      labels:
        location: ${input.loc}
      location: ${input.region}
      storage_class: ${input.storage_class}
      versioning:
        enabled: ${input.versioning=="Yes"?true:false}

Provisioning dual-region storage buckets

The following cloud template shows how you might create a dual-region storage bucket. To use this template, complete the following steps:
  1. Create a GCP cloud account with at least two cloud zones that correspond to the regions where the bucket will be deployed. In this example, the zones are europe-central2 and europe-north1.
  2. Create a new project and add the cloud zones.
  3. Tag the zones using capability tags. In this example, the tags are location:eu1 for europe-central2 and location:eu2 for europe-north1.
  4. Deploy the blueprint.

inputs: {}
resources:
  Idem_GCP_STORAGE_BUCKET_1:
    type: Idem.GCP.STORAGE.BUCKET
    metadata:
      layoutPosition:
        - 0
        - 1
    properties:
      name: bucket-dual-region-idem
      account: ${resource.Allocations_Compute_1.selectedCloudAccount.name}
      labels:
        a: b
        c: d
      custom_placement_config:
        data_locations: ${[resource.Allocations_Compute_1.selectedRegion.name, resource.Allocations_Compute_2.selectedRegion.name]}
      location: EU
  Allocations_Compute_1:
    type: Allocations.Compute
    metadata:
      layoutPosition:
        - 1
        - 0
    properties:
      groupId: 1
      constraints:
        - tag: location:eu1
  Allocations_Compute_2:
    type: Allocations.Compute
    metadata:
      layoutPosition:
        - 1
        - 2
    properties:
      groupId: 2
      constraints:
        - tag: location:eu2

Note: If you need to remove a bucket label, change the label's value to null and re-deploy the template. You can verify that the label was removed in the Google Cloud Console.

Provisioning multi-region storage buckets

The following cloud template shows how you might create a multi-region storage bucket. By default, buckets are multi-region, and include regions in the US location.

formatVersion: 1
inputs: {}
resources:
  Idem_GCP_STORAGE_BUCKET_1:
    type: Idem.GCP.STORAGE.BUCKET
    metadata:
      layoutPosition:
        - 0
        - 0
    properties:
      name: bucket-test-1
      account: gcp-account

The following cloud template shows how you might create a multi-region storage bucket with encryption.

formatVersion: 1
inputs: {}
resources:
  Idem_GCP_STORAGE_BUCKET_1:
    type: Idem.GCP.STORAGE.BUCKET
    metadata:
      layoutPosition:
        - 0
        - 0
    properties:
      name: bucket-test-0
      account: gcp-account
      labels:
        a: b
        c: d
      encryption:
        default_kms_key_name: projects/gcp-account/locations/us/keyRings/gcp-test-1/cryptoKeys/key-2

If you want to create storage buckets with restricted public access that are encrypted with a customer-managed encryption key (CMEK), complete the prerequisites described at the following link: https://cloud.google.com/storage/docs/encryption/using-customer-managed-keys.

Note: The customer-managed encryption key must be located in the same region as the storage bucket.
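
The location requirement in the note above can be checked before deployment. The following is an added example, not VMware or Google code: it assumes the cloud template has already been parsed into a Python dictionary, compares only the bucket's location property with the location segment of default_kms_key_name, and uses the hypothetical function name check_cmek_locations.

```python
import re

BUCKET_TYPE = "Idem.GCP.STORAGE.BUCKET"
DEFAULT_LOCATION = "US"  # per the page, a bucket with no location is US multi-region
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/(?P<location>[^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$"
)


def check_cmek_locations(template):
    """Return (resource_name, problem) pairs for buckets whose CMEK location
    cannot be confirmed to match the bucket's location property."""
    findings = []
    for name, res in (template.get("resources") or {}).items():
        if res.get("type") != BUCKET_TYPE:
            continue
        props = res.get("properties") or {}
        key = (props.get("encryption") or {}).get("default_kms_key_name")
        if key is None:
            continue  # no customer-managed key requested
        bucket_loc = str(props.get("location", DEFAULT_LOCATION))
        if "${" in key or "${" in bucket_loc:
            # Template expressions are only resolved at request time.
            findings.append((name, "expression value; verify after input binding"))
            continue
        match = KMS_KEY_RE.match(key)
        if match is None:
            findings.append((name, "malformed KMS key name"))
        elif match.group("location").lower() != bucket_loc.lower():
            findings.append(
                (name, f"key in {match.group('location')!r}, bucket in {bucket_loc!r}")
            )
    return findings


# Constructed sample: buckets modelled on the page's templates, already parsed.
KEY = "projects/gcp-account/locations/us/keyRings/gcp-test-1/cryptoKeys/key-2"
SAMPLE = {"resources": {
    "default_us": {"type": BUCKET_TYPE, "properties": {
        "name": "bucket-test-0", "encryption": {"default_kms_key_name": KEY}}},
    "single_region": {"type": BUCKET_TYPE, "properties": {
        "name": "bucket-test", "location": "us-central1",
        "encryption": {"default_kms_key_name": KEY}}},
    "from_input": {"type": BUCKET_TYPE, "properties": {
        "name": "${input.bucket}", "location": "${input.region}",
        "encryption": {"default_kms_key_name": KEY}}},
}}

if __name__ == "__main__":
    for resource, problem in check_cmek_locations(SAMPLE):
        print(f"{resource}: {problem}")
```

A bucket whose location comes from a user input is reported rather than passed, because the region is only known once the request is submitted.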