Type object
File match cg-workshop.yml **/cg-workshop/*.yml
Schema URL https://catalog.lintel.tools/schemas/schemastore/cloud-gov-workshop-configuration/latest.json
Source https://workshop.cloud.gov/workshop/workshop-schemas/-/raw/main/cg-workshop.schema.json

Validate with Lintel

npx @lintel/lintel check

Schema for the Cloud.gov Workshop configuration files. The top-level keys subgroups and projects are valid in customer configs. The top-level keys namespaces and users are valid only in the Workshop-controlled configurations.

Properties

namespaces object

Workshop top level groups. This key is invalid in customer config files.

projects object

Workshop customer projects.

subgroups object

Workshop customer sub-groups.

teams object

Team groups to provision. These groups are used specifically for role management.

users object

Workshop users to provision. This key is invalid in customer config files.

Definitions

namespace object

Namespace (top level group) - The key can use any sequence of letters, numbers, underscores, hyphens, and dots

name string

Friendly name for the group

description string

Friendly description for the group

path string

Path (slug) for group - Defaults to the group key name

pattern=^([\w\-\.]+)$
config_project object

Optional overrides for the related customer configuration project

4 nested properties
approvals_required number

Number of approvals needed for a MR to the config project

min=0
merge_method string

Default merge method

Values: "merge" "rebase_merge" "ff"
require_owner_approval boolean

Require at least one approval from a namespace owner before merging

squash_option string

Squash commits on merge request merge

Values: "always" "default_off" "default_on" "never"
custom_attributes object

[Optional] Key/value pairs to set as custom attributes (Requires admin permission)

dr_group boolean

Group is required to bootstrap Workshop

visibility string

Namespace visibility - private (members only), public (including anonymous), or internal (visible to other Workshop users)

Values: "internal" "private" "public"
use_custom_template boolean

Use a custom project template

owners string[]

List of owners for the group

minItems=1 uniqueItems=true
wiki_access_level string

Whether the namespace group wiki is enabled, disabled, or private

Values: "disabled" "enabled" "private"
runner object

Runner pool configuration

18 nested properties
allow_ssh boolean

Allow SSH access to manager and egress spaces. Defaults to false

cg_emails string[]

List of Cloud.gov operators allowed to interact with the group runner spaces

minItems=1 uniqueItems=true
concurrency integer

Maximum concurrent jobs to run per-worker manager

exclusiveMin=0 exclusiveMax=100
docker_hub_user string

Docker Hub username for runner workers to pull images

docker_hub_token_env_var string

Name of the environment variable holding the token for the Docker Hub user

egress_https_mode string

Egress HTTPS proxy mode for runner workers and services

Values: "http" "https" "both"
grant_workers_developer_role boolean

Allow runner workers to SSH to runner services

instances integer

Number of worker managers to run

exclusiveMin=0 exclusiveMax=2
pool_size string

Size of the runner worker pool

Values: "small" "medium" "large" "extra_large"
register boolean

Register the runner pool to the group

service_egress_ports number[]

List of TCP ports the egress proxy will allow outbound connection to for job services

minItems=1 uniqueItems=true
service_egress_allowlist string[]

List of additional fully qualified domain names to allow outbound to the Internet by runner job services over HTTPS

minItems=1 uniqueItems=true
service_egress_denylist string[]

List of fully qualified domain names to block outbound to the Internet by runner job services over HTTPS

minItems=1 uniqueItems=true
technologies string[]

List of technologies used under the group requiring egress allowance over HTTPS by runner workers

minItems=1 uniqueItems=true
worker_allowlist string[]

List of additional fully qualified domain names to allow outbound to the Internet by runner workers over HTTPS

minItems=1 uniqueItems=true
worker_denylist string[]

List of fully qualified domain names to block outbound to the Internet by runner workers over HTTPS

minItems=1 uniqueItems=true
worker_egress_ports number[]

List of TCP ports the egress proxy will allow outbound connection to for runner workers

minItems=1 uniqueItems=true
unsafe_egress boolean

Allow unfettered (unfiltered) outbound Internet access for the runner pool [DANGER!]
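The runner block above is where a namespace's outbound network policy lives, so it deserves a review check before any change is merged. The following Python script is an added example, not part of the schema repository or the Workshop tooling. It enforces the numeric bounds and enumerations listed above (note that instances with exclusiveMin=0 and exclusiveMax=2 leaves 1 as the only valid value, and concurrency allows 1 through 99) and adds three policy checks a reviewer would want: unsafe_egress set to true, hosts that appear on both an allowlist and a denylist, and a secret pasted into docker_hub_token_env_var where an environment-variable name belongs. The FQDN, port-range and UPPER_SNAKE_CASE rules are assumptions layered on top of the schema, which only says string[] and number[], and both runner blocks are constructed samples.

```python
"""Egress-policy lint for the runner block of a cg-workshop namespace.

Added example; not part of the schema repository or the Workshop tooling.
Errors are schema violations taken from this page; warnings are the
example's own review policy.
"""
import re

# Assumption: allow/deny entries are checked as dotted DNS labels; the
# schema itself only says string[].
FQDN = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
# Assumption: variable names are UPPER_SNAKE_CASE, so a lower-case token
# such as a Docker Hub dckr_pat_... value pasted by mistake is flagged.
ENV_VAR_NAME = re.compile(r"^[A-Z_][A-Z0-9_]*$")
HTTPS_MODES = {"http", "https", "both"}
POOL_SIZES = {"small", "medium", "large", "extra_large"}


def _is_port(p):
    # Assumption: entries are TCP port numbers; the schema only says number[].
    return isinstance(p, int) and not isinstance(p, bool) and 1 <= p <= 65535


def _check_list(findings, name, values, valid, what):
    """minItems=1 uniqueItems=true, plus a per-item validity check."""
    if values is None:
        return
    if not values:
        findings.append(f"{name}: must contain at least one entry")
    if len(set(values)) != len(values):
        findings.append(f"{name}: entries must be unique")
    for v in values:
        if not valid(v):
            findings.append(f"{name}: {v!r} is not a valid {what}")


def lint_runner(runner):
    """Return (errors, warnings): errors violate the schema, warnings are policy."""
    errors, warnings = [], []

    c = runner.get("concurrency")          # exclusiveMin=0 exclusiveMax=100
    if c is not None and not (isinstance(c, int) and 0 < c < 100):
        errors.append(f"concurrency: {c!r} must be an integer from 1 to 99")
    n = runner.get("instances")            # exclusiveMin=0 exclusiveMax=2
    if n is not None and not (isinstance(n, int) and 0 < n < 2):
        errors.append(f"instances: {n!r} must be 1 (the only integer strictly between 0 and 2)")
    mode = runner.get("egress_https_mode")
    if mode is not None and mode not in HTTPS_MODES:
        errors.append(f"egress_https_mode: {mode!r} not in {sorted(HTTPS_MODES)}")
    size = runner.get("pool_size")
    if size is not None and size not in POOL_SIZES:
        errors.append(f"pool_size: {size!r} not in {sorted(POOL_SIZES)}")

    for key in ("service_egress_ports", "worker_egress_ports"):
        _check_list(errors, key, runner.get(key), _is_port, "TCP port")
    for key in ("service_egress_allowlist", "service_egress_denylist",
                "worker_allowlist", "worker_denylist"):
        _check_list(errors, key, runner.get(key), FQDN.match, "FQDN")
    _check_list(errors, "cg_emails", runner.get("cg_emails"), lambda e: "@" in e, "email")
    _check_list(errors, "technologies", runner.get("technologies"),
                lambda t: isinstance(t, str) and bool(t), "technology name")

    if runner.get("unsafe_egress"):
        warnings.append("unsafe_egress: true turns off egress filtering for the whole pool")
    if runner.get("allow_ssh"):
        warnings.append("allow_ssh: true opens SSH to the manager and egress spaces")
    token = runner.get("docker_hub_token_env_var")
    if token is not None and not ENV_VAR_NAME.match(token):
        warnings.append(f"docker_hub_token_env_var: {token!r} does not look like a variable "
                        "name; check that the token itself was not committed")
    for prefix in ("service_egress", "worker"):
        overlap = set(runner.get(f"{prefix}_allowlist", ())) & set(runner.get(f"{prefix}_denylist", ()))
        for host in sorted(overlap):
            warnings.append(f"{host}: on both {prefix}_allowlist and {prefix}_denylist")
    return errors, warnings


# Constructed samples (not real Cloud.gov configuration).
HARDENED = {
    "cg_emails": ["ops@cloud.gov"], "concurrency": 4, "instances": 1,
    "egress_https_mode": "https", "pool_size": "small", "register": True,
    "docker_hub_user": "workshop-pull", "docker_hub_token_env_var": "DOCKER_HUB_TOKEN",
    "service_egress_ports": [443], "worker_egress_ports": [443],
    "worker_allowlist": ["registry.npmjs.org"], "service_egress_allowlist": ["api.example.gov"],
    "technologies": ["python"],
}
LOOSE = {
    "cg_emails": ["ops@cloud.gov", "ops@cloud.gov"],   # duplicate entry
    "concurrency": 100, "instances": 2,                # both out of range
    "egress_https_mode": "all",                        # not an allowed value
    "docker_hub_token_env_var": "dckr_pat_abc123",     # token, not a variable name
    "worker_egress_ports": [443, 70000],               # 70000 is not a port
    "worker_allowlist": ["github.com", "pypi.org"], "worker_denylist": ["pypi.org"],
    "unsafe_egress": True, "allow_ssh": True,
}

if __name__ == "__main__":
    print("hardened", lint_runner(HARDENED))
    print("loose", lint_runner(LOOSE))
```

Run it against a real file by loading the YAML and passing each namespace's runner map to lint_runner; anything in the errors list would also be rejected by schema validation, while the warnings are the review questions the schema cannot ask.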

project object

Project - The key can use any sequence of letters, numbers, underscores, hyphens, and dots

name string

Friendly name for the project

description string

Friendly description for the project

visibility string

Project visibility - private (members only), public (including anonymous), or internal (visible to other Workshop users)

Values: "internal" "private" "public"
subgroup_key string

Subgroup project is under - Defaults to the namespace

pattern=^([\w\-\.\/]+)$
archived boolean

Archive - When true sets repository to read-only state

approvals_required number

Number of approvals needed for a MR

min=0
allow_mr_committers_to_approve_merge_requests boolean

Allow merge request committers to approve their own merge requests. Defaults to false. A merge request committer is a user who has added commits to the merge request's source branch.

auto_cancel_pending_pipelines boolean
auto_devops_enabled boolean
ci_pipeline_variables_minimum_override_role string
Values: "developer" "maintainer" "owner"
ci_separated_caches boolean
compliance_frameworks string[]

List of compliance framework names to apply to the project. Names must exist in the namespace already. See https://workshop.cloud.gov/help/user/compliance/compliance_center/compliance_frameworks_report/#create-a-new-compliance-framework for more details.

minItems=1 uniqueItems=true
container_expiration_policy object
3 nested properties
cadence string
enabled boolean
older_than string
container_registry_access_level string
Values: "disabled" "enabled"
default_branch string
pattern=^([\w\-\.\/]+)$
import_id number

Existing project ID to import as a new IaC managed resource

initialize_with_readme boolean
lfs_enabled boolean
model_registry_access_level string
Values: "disabled" "enabled"
namespace string

[DEPRECATING] Namespace path project is under - Defaults to the namespace / subgroup_key

pattern=^([\w\-\.\/]+)$
allow_merge_on_skipped_pipeline boolean

Whether to treat skipped pipelines as successful when merging. Defaults to false

only_allow_merge_if_all_discussions_are_resolved boolean

Whether merge requests can be merged only after all discussions are resolved. Defaults to true

only_allow_merge_if_pipeline_succeeds boolean

Whether merge requests can be merged only if the pipeline succeeds. Defaults to true

path string

Project path (slug name) - Overrides the default path derived from the key name

pattern=^([\w\-\.]+)$
packages_enabled boolean
protected_tags object[]

Project tags that are protected

public_jobs boolean
remove_source_branch_after_merge boolean
resolve_outdated_diff_discussions boolean
group_roles object

Additional groups outside of the inheritance structure to share the project with, giving the group's members access to the project - Supports default roles https://docs.gitlab.com/user/permissions/#default-roles with a key of the lower-cased plural role name (e.g. the key developers will share the project with the group and give its members the developer role)

shared_runners_enabled boolean
snippets_enabled boolean

Whether project code snippets are enabled. Deprecated in favor of snippets_access_level

snippets_access_level string

Whether project code snippets are enabled, disabled, or private.

Values: "disabled" "enabled" "private"
wiki_access_level string

Whether the project wiki is enabled, disabled, or private

Values: "disabled" "enabled" "private"
avatar string
avatar_hash string
forked_from_project_id number
import_url string

HTTPS URL to import the repository from. Use with mirror: true to set up a pull mirror that keeps the repository up to date.

import_url_password_env_var string

Name of the environment variable holding the import_url_password value. Used with import_url_username.

import_url_username string

Username that can access import_url. Required for private repositories. Optional for public repositories.

mirror boolean
push_rules object

Rules for pushing to the repository

12 nested properties
commit_committer_check boolean

Users can only push commits to this repository that were committed with one of their own verified emails.

member_check boolean

Restrict commits by author (email) to existing GitLab users.

deny_delete_tag boolean

Do not allow deleting tags with a push

max_file_size number
prevent_secrets boolean

Reject any files that are likely to contain secrets

reject_unsigned_commits boolean
reject_non_dco_commits boolean

Reject commits that do not have a valid DCO sign-off

author_email_regex string
branch_name_regex string
commit_message_negative_regex string
commit_message_regex string
file_name_regex string
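Most of the project properties above only matter in combination: a merge-request approval count is meaningless if committers may approve their own MRs, and a signed-commit rule is weakened if tags can be deleted by push. The script below is an added example, not the schema's or the Workshop's own code. It fills in the defaults this page documents (only_allow_merge_if_pipeline_succeeds and only_allow_merge_if_all_discussions_are_resolved default to true, allow_mr_committers_to_approve_merge_requests and allow_merge_on_skipped_pipeline default to false), reports schema violations as errors, and reports weaker-than-baseline choices as warnings. The baseline itself (at least one approval, signed commits, secret detection, author and committer checks, tag deletion denied, an UPPER_SNAKE_CASE name in import_url_password_env_var) is this example's policy rather than a schema rule, and both projects are constructed.

```python
"""Merge-request and push-rule hardening check for cg-workshop projects.

Added example; not the schema's or the Workshop's code. Errors are schema
violations quoted from this page; warnings are the example's own policy.
"""
import re
from urllib.parse import urlparse

ENV_VAR_NAME = re.compile(r"^[A-Z_][A-Z0-9_]*$")   # assumption: UPPER_SNAKE_CASE names
VISIBILITY = {"internal", "private", "public"}
ACCESS_LEVEL = {"disabled", "enabled", "private"}

# Defaults stated in the property descriptions on this page.
PAGE_DEFAULTS = {
    "allow_mr_committers_to_approve_merge_requests": False,
    "allow_merge_on_skipped_pipeline": False,
    "only_allow_merge_if_all_discussions_are_resolved": True,
    "only_allow_merge_if_pipeline_succeeds": True,
}
# Example policy baseline (assumption): push rules a reviewer expects to be on.
BASELINE_PUSH_RULES = ("reject_unsigned_commits", "prevent_secrets",
                       "commit_committer_check", "member_check", "deny_delete_tag")


def effective(project):
    """Project settings with the page's documented defaults filled in."""
    return {**PAGE_DEFAULTS, **project}


def lint_project(key, project):
    """Return (errors, warnings) for one entry of the projects map."""
    errors, warnings = [], []
    p = effective(project)

    if "visibility" in p and p["visibility"] not in VISIBILITY:
        errors.append(f"{key}: visibility {p['visibility']!r} not in {sorted(VISIBILITY)}")
    for field in ("snippets_access_level", "wiki_access_level"):
        if field in p and p[field] not in ACCESS_LEVEL:
            errors.append(f"{key}: {field} {p[field]!r} not in {sorted(ACCESS_LEVEL)}")
    approvals = p.get("approvals_required")
    if approvals is not None and approvals < 0:
        errors.append(f"{key}: approvals_required must be >= 0")
    elif not approvals:
        warnings.append(f"{key}: approvals_required is unset or 0")

    url = p.get("import_url")
    if url is not None and urlparse(url).scheme != "https":
        errors.append(f"{key}: import_url must be an https URL")
    if p.get("mirror") and url is None:
        warnings.append(f"{key}: mirror: true has no import_url to pull from")
    secret_ref = p.get("import_url_password_env_var")
    if secret_ref is not None and not ENV_VAR_NAME.match(secret_ref):
        warnings.append(f"{key}: import_url_password_env_var should name a variable, "
                        "not hold the password")

    if p["allow_mr_committers_to_approve_merge_requests"]:
        warnings.append(f"{key}: committers may approve their own merge requests")
    if p["allow_merge_on_skipped_pipeline"]:
        warnings.append(f"{key}: skipped pipelines are treated as passing")
    if not p["only_allow_merge_if_pipeline_succeeds"]:
        warnings.append(f"{key}: merge allowed without a passing pipeline")
    if not p["only_allow_merge_if_all_discussions_are_resolved"]:
        warnings.append(f"{key}: merge allowed with unresolved discussions")
    rules = p.get("push_rules", {})
    for rule in BASELINE_PUSH_RULES:
        if not rules.get(rule):
            warnings.append(f"{key}: push_rules.{rule} is off")
    if "snippets_enabled" in p:
        warnings.append(f"{key}: snippets_enabled is deprecated; use snippets_access_level")
    return errors, warnings


def lint_projects(projects):
    """Aggregate (errors, warnings) over the whole projects map."""
    errors, warnings = [], []
    for key, project in projects.items():
        e, w = lint_project(key, project)
        errors += e
        warnings += w
    return errors, warnings


# Constructed samples (not real Cloud.gov configuration).
PROJECTS = {
    "payments-api": {
        "name": "Payments API", "visibility": "private", "approvals_required": 2,
        "push_rules": {rule: True for rule in BASELINE_PUSH_RULES},
    },
    "scratch": {
        "name": "Scratch", "visibility": "publik", "approvals_required": 0,
        "allow_mr_committers_to_approve_merge_requests": True,
        "only_allow_merge_if_pipeline_succeeds": False,
        "import_url": "http://git.example.gov/scratch.git",
        "import_url_username": "svc-import",
        "import_url_password_env_var": "hunter2",   # a password, not a variable name
        "snippets_enabled": True,
        "push_rules": {"prevent_secrets": True},
    },
}

if __name__ == "__main__":
    for key, project in PROJECTS.items():
        print(key, lint_project(key, project))
```

The effective() step is the part worth keeping: because the page gives only_allow_merge_if_pipeline_succeeds a default of true, a project that never mentions the key is fine, while one that sets it to false explicitly is the one to question.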
subgroup object

Subgroup (any group other than a top level namespace) - The key can use any sequence of letters, numbers, underscores, hyphens, and dots

name string required

Friendly name for the group

visibility string required

Subgroup visibility - private (members only), public (including anonymous), or internal (visible to other Workshop users)

Values: "internal" "private" "public"
path string

Path (slug) for group - Defaults to the group key name

pattern=^([\w\-\.]+)$
parent_path string

Parent group full path for the subgroup. Defaults to the top level namespace

pattern=^([\w\-\.\/]+)$
description string

Friendly description of the group

import_id number

Existing subgroup ID to import as a new IaC managed resource

members object

Roles and their memberships under the subgroup - Supports both default roles https://docs.gitlab.com/user/permissions/#default-roles and custom roles https://docs.gitlab.com/user/custom_roles/ with a key of the lower-cased plural role name (e.g. the key developers will create a group Developers that gives its members the developer role)

group_roles object

Additional groups outside of the inheritance structure to grant a role on the subgroup. This gives the group's members access to the subgroup and all of its projects. Supports default roles https://docs.gitlab.com/user/permissions/#default-roles by matching the key to the lower-cased, pluralized role name (e.g. the key 'developers' will share the subgroup with the group and give its members the developer role)

wiki_access_level string

Whether the group wiki is enabled, disabled, or private

Values: "disabled" "enabled" "private"
team object

Team group - used to create groups for easy @mentions and group-based assignments — not necessarily for role-based access control. The key can use any sequence of letters, numbers, underscores, hyphens, and dots.

name string required

Friendly name for the team

members string[] required

List of users to assign as team members.

minItems=1 uniqueItems=true
description string

Friendly description of the team

namespace_role string

Role to assign the team on the full namespace. Defaults to none (no access)

managed_projects_role string

Role to assign the team for Workshop's configuration projects — i.e., the configuration project this schema applies to, the templates project, and other Workshop-generated config projects. Defaults to developer, set to none to remove access

user object

User object - The key must be the user's US government email address under a .gov domain

name string required

Full name of user

pattern=^([\w'\- ]+)$
custom_attributes object

[Optional] Key/value pairs to set as custom attributes (Requires admin permission)

import_id integer

[Optional] Existing GitLab user ID on the system to import

note string

[Optional] Additional notes about the user

projects_limit integer

[Optional] Personal project limit

state string

[Optional] Forced state of the user account

Values: "active" "blocked" "deactivated"
username string

[Optional] Custom username - Overrides the default username from the user email address

pattern=^([a-zA-Z0-9][\w\-\.]{1,254})$
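Two rules on this page are structural rather than per-field: a customer config must not carry the namespaces or users keys (Properties, above), and every user key must be a .gov email address while subgroup entries require name and visibility. The Python script below is an added example, not part of the schema repository or the Workshop tooling, that checks those rules together with the key patterns quoted on this page. It compiles the patterns with re.ASCII to match the ECMA-262 dialect JSON Schema uses, where \w is [A-Za-z0-9_] only; one consequence, shown by the second sample, is that the name pattern ^([\w'\- ]+)$ rejects accented characters and periods. The .gov email check (local part, then a host whose last label is gov) and the decision to accept teams in both kinds of file are assumptions, since the page does not spell either out, and the real file is YAML while the samples are the same documents written as Python dicts so the script runs without PyYAML.

```python
"""Structural lint for cg-workshop configuration files.

Added example; not part of the schema repository or the Workshop tooling.
Encodes the top-level key rules, key patterns and required fields stated
on this page. Samples are constructed dicts standing in for the YAML.
"""
import re

# Patterns quoted from the schema definitions. re.ASCII mirrors the
# ECMA-262 dialect JSON Schema uses, where \w is [A-Za-z0-9_] only.
GROUP_KEY = re.compile(r"^([\w\-\.]+)$", re.ASCII)      # namespace/subgroup/project keys
SLUG_PATH = re.compile(r"^([\w\-\.\/]+)$", re.ASCII)    # subgroup_key, parent_path
USERNAME = re.compile(r"^([a-zA-Z0-9][\w\-\.]{1,254})$", re.ASCII)
FULL_NAME = re.compile(r"^([\w'\- ]+)$", re.ASCII)
# Assumption: "US government email address under a .gov domain" is read as
# local@host where the host's last label is gov (agency.gov, sub.agency.gov).
GOV_EMAIL = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+\.)+gov$", re.IGNORECASE)

VISIBILITY = {"internal", "private", "public"}
# From the schema text: namespaces and users are invalid in customer files.
# Assumption: teams is accepted in both kinds, as the page does not restrict it.
CUSTOMER_KEYS = {"subgroups", "projects", "teams"}
WORKSHOP_KEYS = CUSTOMER_KEYS | {"namespaces", "users"}


def lint(config, kind="customer"):
    """Return a list of findings; an empty list means the file passes."""
    allowed = CUSTOMER_KEYS if kind == "customer" else WORKSHOP_KEYS
    findings = []
    for key in config:
        if key not in allowed:
            findings.append(f"top-level key '{key}' is not valid in a {kind} config")

    for section in ("namespaces", "subgroups", "projects"):
        for key, body in config.get(section, {}).items():
            if not GROUP_KEY.match(key):
                findings.append(f"{section}.{key}: key must match {GROUP_KEY.pattern}")
            if section == "subgroups":
                for required in ("name", "visibility"):
                    if required not in body:
                        findings.append(f"subgroups.{key}: required field '{required}' missing")
            vis = body.get("visibility")
            if vis is not None and vis not in VISIBILITY:
                findings.append(f"{section}.{key}: visibility '{vis}' not in {sorted(VISIBILITY)}")
            for field in ("subgroup_key", "parent_path"):
                value = body.get(field)
                if value is not None and not SLUG_PATH.match(value):
                    findings.append(f"{section}.{key}.{field}: '{value}' must match {SLUG_PATH.pattern}")

    for email, body in config.get("users", {}).items():
        if not GOV_EMAIL.match(email):
            findings.append(f"users.{email}: key must be a .gov email address")
        if "name" not in body:
            findings.append(f"users.{email}: required field 'name' missing")
        elif not FULL_NAME.match(body["name"]):
            findings.append(f"users.{email}: name '{body['name']}' must match {FULL_NAME.pattern}")
        username = body.get("username")
        if username is not None and not USERNAME.match(username):
            findings.append(f"users.{email}: username '{username}' must match {USERNAME.pattern}")
    return findings


# Constructed samples (not real Cloud.gov configuration).
CUSTOMER_OK = {
    "subgroups": {"platform": {"name": "Platform", "visibility": "private"}},
    "projects": {"api": {"name": "API", "subgroup_key": "platform"}},
}
CUSTOMER_BAD = {
    "users": {"someone@agency.gov": {"name": "Some One"}},   # invalid in a customer file
    "subgroups": {"plat form": {"name": "Platform"}},         # bad key, visibility missing
    "projects": {"api": {"subgroup_key": "plat form"}},       # bad subgroup_key
}
WORKSHOP_BAD = {
    "users": {
        "alice@example.com": {"name": "Alice Q. Public", "username": "-alice"},
        "bob@agency.gov": {"name": "Bob Pérez"},
    },
}

if __name__ == "__main__":
    for label, cfg, kind in (("customer-ok", CUSTOMER_OK, "customer"),
                             ("customer-bad", CUSTOMER_BAD, "customer"),
                             ("workshop-bad", WORKSHOP_BAD, "workshop")):
        print(label, lint(cfg, kind))
```

The kind argument is the point of the example: the same file body is clean or not depending on whether it is a customer config or a Workshop-controlled one, which is exactly the distinction the schema description makes but a generic JSON Schema validator cannot enforce on its own.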