Configuring plug-in based storage bucket resources

As a cloud administrator, you can leverage the Google Cloud Platform (GCP) plug-in to provision plug-in based storage buckets as you build out your infrastructure. You can also use allocation helpers to provide allocation logic for your storage buckets. Plug-in based storage bucket support includes the creation of multi-region or dual-region bucket resources, restricted public access, and encryption.

To learn more about plug-ins and allocation in VMware Aria Automation, see Plug-in based designs and deployments in Automation Assembler.

Storage bucket properties

The following properties are required for plug-in based storage bucket resources. See the Google Cloud REST documentation for a full list of instance properties. Resource properties in the GCP documentation are written in camelCase, where as resource properties in Automation Assembler are written in snake case.

Property	Description
`name`	The name for your storage bucket. The name associated with the bucket cannot be changed after creation, so the name must be unique and human-readable. See Bucket names in the Google Cloud documentation for bucket name requirements.
`account`	The GCP cloud account for account regions to which your team deploys cloud templates. See Create a Google Cloud Platform cloud account in VMware Aria Automation for more information.

The following section contains some example cloud templates for provisioning plug-in based storage buckets in Automation Assembler.

Provisioning single-region storage buckets

You can provision a single-region storage bucket by hardcoding the region in the cloud template as the following example shows.

formatVersion: 1
inputs: {}
resources:
  Idem_GCP_STORAGE_BUCKET_1:
    type: Idem.GCP.STORAGE.BUCKET
    metadata:
      layoutPosition:
        - 0
        - 0
    properties:
      name: bucket-test
      account: gcp-account
      location: us-central1

Optionally, you can use the enum property to build a list of regions for users to choose from. In this example, you also enable versioning for the bucket, use bucket labels, and allow users to choose a storage class.

formatVersion: 1
inputs:
  region:
    type: string
    title: Region
    description: Google region
    # This enumeration is used to simplify the choosing of a region. You can just hardcode the region in the "region" section.
    enum:
      - europe-central2
      - europe-north1
      - europe-southwest1
      - europe-west1
      - europe-west2
      - europe-west3
      - europe-west4
      - europe-west6
      - europe-west8
      - europe-west9
      - europe-west12
  loc:
    type: string
    title: Location label
  bucket:
    type: string
    title: Bucket name
  storage_class:
    type: string
    title: Storage class
    enum:
      - STANDARD
      - NEARLINE
      - COLDLINE
      - ARCHIVE
  versioning:
    type: string
    title: Enable versioning
    enum:
      - 'Yes'
      - 'No'
resources:
  Idem_GCP_STORAGE_BUCKET_1:
    type: Idem.GCP.STORAGE.BUCKET
    properties:
      name: ${input.bucket}
      account: gcp-account
      labels:
        location: ${input.loc}
      location: ${input.region}
      storage_class: ${input.storage_class}
      versioning:
        enabled: ${input.versioning=="Yes"?true:false}

Provisioning dual-region storage buckets

The following cloud template shows how you might create a dual-region storage bucket. To use this template, complete the following steps:

Create a GCP cloud account with at least two cloud zones that correspond to the regions where the bucket will be deployed. In this example, the zones are europe-central2 and europe-north1.
Create a new project and add the cloud zones.
Tag the zones using capability tags. In this example, the tags are location:eu1 for europe-central2 and location:eu2 for europe-north1.
Deploy the blueprint.

inputs: {}
resources:
  Idem_GCP_STORAGE_BUCKET_1:
    type: Idem.GCP.STORAGE.BUCKET
    metadata:
      layoutPosition:
        - 0
        - 1
    properties:
      name: bucket-dual-region-idem
      account: ${resource.Allocations_Compute_1.selectedCloudAccount.name}
      labels:
        a: b
        c: d
      custom_placement_config:
        data_locations: ${[resource.Allocations_Compute_1.selectedRegion.name, resource.Allocations_Compute_2.selectedRegion.name]}
      location: EU
  Allocations_Compute_1:
    type: Allocations.Compute
    metadata:
      layoutPosition:
        - 1
        - 0
    properties:
      groupId: 1
      constraints:
        - tag: location:eu1
  Allocations_Compute_2:
    type: Allocations.Compute
    metadata:
      layoutPosition:
        - 1
        - 2
    properties:
      groupId: 2
      constraints:
        - tag: location:eu2

Note: If you need to remove a bucket label, change the label's value to null and re-deploy the template. You can verify that the label was removed in the Google Cloud Console.

Provisioning multi-region storage buckets

The following cloud template shows how you might create a multi-region storage bucket. By default, buckets are multi-region, and include regions in the US location.

formatVersion: 1
inputs: {}
resources:
  Idem_GCP_STORAGE_BUCKET_1:
    type: Idem.GCP.STORAGE.BUCKET
    metadata:
      layoutPosition:
        - 0
        - 0
    properties:
      name: bucket-test-1
      account: gcp-account

The following cloud template shows how you might create a multi-region storage bucket with encryption.

formatVersion: 1
inputs: {}
resources:
  Idem_GCP_STORAGE_BUCKET_1:
    type: Idem.GCP.STORAGE.BUCKET
    metadata:
      layoutPosition:
        - 0
        - 0
    properties:
      name: bucket-test-0
      account: gcp-account
      labels:
        a: b
        c: d
      encryption:
        default_kms_key_name: projects/gcp-account/locations/us/keyRings/gcp-test-1/cryptoKeys/key-2

If you want to create storage buckets with restricted public access and that are encrypted by CMEK, there are some prerequisites described in the following link: https://cloud.google.com/storage/docs/encryption/using-customer-managed-keys.

Note: The customer-managed encryption key must be located in the same region as the storage bucket.