Creating resource references


A Google Cloud resource created with Config Connector can reference other resources. Config Connector defines these relationships through resource references. This topic explains how to create resources with references.

Types of references

In Config Connector, references can be dependencies or links.

Dependencies
A dependency reference refers to an existing Google Cloud resource necessary for the Config Connector resource. For example, a firewall rule cannot exist without a network.
Links
A link reference ties independent resources together. For example, a Project can be associated with a Billing Account.

Specifying resource references

You specify resource references in the resource's spec. The field's name is the resource's short name followed by Ref. For example:

  • The reference to a PubSubTopic named topic is topicRef.
  • The reference to a StorageBucket named bucket is bucketRef.

The reference is an object with a single field (name). The resource in resourceRef is replaced with the reference's name.

The following YAML file describes a Pub/Sub PubSubSubscription that references a PubSubTopic named myTopic.

  apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
  kind: PubSubSubscription
  metadata:
    name: pubsubsubscription-referencing-topic
  spec:
    topicRef:
      name: myTopic

Pub/Sub example

Create a PubSubTopic

In this example, you create a PubSubSubscription that depends on a PubSubTopic.

  1. Copy the following into a file named pubsub-topic.yaml:

      apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
      kind: PubSubTopic
      metadata:
        name: TOPIC_NAME

    Replace TOPIC_NAME with your desired PubSubTopic name.

    For example, to create a topic named myTopic you could use the following YAML file:

      apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
      kind: PubSubTopic
      metadata:
        name: myTopic

  2. Create the PubSubTopic with kubectl apply.

    kubectl --namespace CC_NAMESPACE apply -f pubsub-topic.yaml

    Replace CC_NAMESPACE with the namespace Config Connector manages resources from.

Create a PubSubSubscription

  1. Copy the following into a file named pubsub-subscription.yaml:

      apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
      kind: PubSubSubscription
      metadata:
        name: pubsubsubscription-referencing-topic
      spec:
        topicRef:
          name: TOPIC_NAME

    Replace TOPIC_NAME with the PubSubTopic name you used in step 1. For example, the YAML referencing the topic myTopic you created earlier is:

      apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
      kind: PubSubSubscription
      metadata:
        name: pubsubsubscription-referencing-topic
      spec:
        topicRef:
          name: myTopic

  2. Create the PubSubSubscription with kubectl apply.

    kubectl --namespace CC_NAMESPACE apply -f pubsub-subscription.yaml

    Replace CC_NAMESPACE with the namespace Config Connector manages resources from.

External references

Config Connector can reference resources that it does not manage. These are known as External References. For example, the ComputeURLMap below references a BackendService named test-backendservice.

  apiVersion: compute.cnrm.cloud.google.com/v1beta1
  kind: ComputeURLMap
  metadata:
    name: test-urlmap
  spec:
    location: global
    defaultService:
      backendServiceRef:
        external: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/test-backendservice

The format of values accepted by external depends on the resource. Consult the documentation for particular resources in the Resource reference. You can find out what values external accepts by reading the descriptions of the resource's external fields.

IAMPolicy, IAMPartialPolicy and IAMPolicyMember

IAMPolicy, IAMPartialPolicy and IAMPolicyMember also support External References. For example, the IAMPolicyMember below references a Project with the project ID test-project.

  apiVersion: iam.cnrm.cloud.google.com/v1beta1
  kind: IAMPolicyMember
  metadata:
    name: test-iampolicymember
  spec:
    member: serviceAccount:test-serviceaccount@test-project.iam.gserviceaccount.com
    role: roles/storage.admin
    resourceRef:
      kind: Project
      external: projects/test-project

You can find out what format the external field accepts by reading the reference documentation. The IAMPolicy, IAMPartialPolicy and IAMPolicyMember pages list the accepted format for all supported resources. The formats are listed in the "External Reference Formats" column of the Supported Resources table. You can also go to an individual resource's reference page (for example, PubSubTopic) and look at the value listed in the "IAM External Reference Format" row of the resource's summary table.

Cross-namespace references

Config Connector allows resources to reference resources in other namespaces. However, if Config Connector is installed in namespaced-mode, you need to grant Config Connector additional permissions to allow for cross-namespace references.

For example, if you want to create resources in NAMESPACE_A that reference resources in NAMESPACE_B, you need to create the following RoleBinding:

  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    namespace: NAMESPACE_B
    name: allow-references-from-NAMESPACE_A
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: cnrm-viewer
  subjects:
  - kind: ServiceAccount
    name: cnrm-controller-manager-NAMESPACE_A
    namespace: cnrm-system
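
To review which references in a set of resources leave Config Connector's management or cross a namespace boundary, the following Python sketch (an added example, not part of the original documentation) walks resource objects shaped like `kubectl get -o json` items, classifies every field ending in Ref as local, cross-namespace or external, and lists the (referenced namespace, referencing namespace) pairs that would need the RoleBinding shown above. The sample resources, the names team-a, team-b and sharedTopic, and the use of a namespace field inside a reference (not shown on this page) are constructed or assumed for illustration.

```python
import json

# Constructed sample input, shaped like items from `kubectl get ... -o json`.
SAMPLE = json.loads("""
[
 {"kind": "PubSubSubscription",
  "metadata": {"name": "pubsubsubscription-referencing-topic", "namespace": "team-a"},
  "spec": {"topicRef": {"name": "myTopic"}}},
 {"kind": "PubSubSubscription",
  "metadata": {"name": "sub-cross-ns", "namespace": "team-a"},
  "spec": {"topicRef": {"name": "sharedTopic", "namespace": "team-b"}}},
 {"kind": "ComputeURLMap",
  "metadata": {"name": "test-urlmap", "namespace": "team-a"},
  "spec": {"defaultService": {"backendServiceRef": {"external":
    "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/test-backendservice"}}}}
]
""")

def find_refs(node, path="spec"):
    """Yield (path, ref_object) for every dict-valued key ending in 'Ref'."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key.endswith("Ref") and isinstance(value, dict):
                yield here, value
            else:
                yield from find_refs(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_refs(item, f"{path}[{i}]")

def classify(resource):
    """Return [(path, 'local' | 'cross-namespace' | 'external', target)]."""
    own_ns = resource["metadata"].get("namespace", "default")
    out = []
    for path, ref in find_refs(resource.get("spec", {})):
        if "external" in ref:  # resource not managed by Config Connector
            out.append((path, "external", ref["external"]))
        elif ref.get("namespace", own_ns) != own_ns:
            out.append((path, "cross-namespace", f'{ref["namespace"]}/{ref.get("name")}'))
        else:
            out.append((path, "local", f'{own_ns}/{ref.get("name")}'))
    return out

def required_rolebindings(resources):
    """Sorted (referenced namespace, referencing namespace) pairs (NAMESPACE_B, NAMESPACE_A)."""
    return sorted({(target.split("/")[0], res["metadata"].get("namespace", "default"))
                   for res in resources
                   for _, kind, target in classify(res) if kind == "cross-namespace"})
```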
 

What's next

  • Review the Resource reference to learn about the resources Config Connector supports.

  • See how you can use a resource reference to a Secret in your Config Connector cluster.
