provisioning/schemas/platform/schemas/control-center.ncl
Jesús Pérez 44648e3206
chore: complete nickel migration and consolidate legacy configs
- Remove KCL ecosystem (~220 files deleted)
- Migrate all infrastructure to Nickel schema system
- Consolidate documentation: legacy docs → provisioning/docs/src/
- Add CI/CD workflows (.github/) and Rust build config (.cargo/)
- Update core system for Nickel schema parsing
- Update README.md and CHANGES.md for v5.0.0 release
- Fix pre-commit hooks: end-of-file, trailing-whitespace
- Breaking changes: KCL workspaces require migration
- Migration bridge available in docs/src/development/
2026-01-08 09:55:37 +00:00


# Control Center Service Schema
# Policy management, RBAC, and compliance configuration
let workspace_schema = import "./common/workspace.ncl" in
let server_schema = import "./common/server.ncl" in
let database_schema = import "./common/database.ncl" in
let security_schema = import "./common/security.ncl" in
let monitoring_schema = import "./common/monitoring.ncl" in
let logging_schema = import "./common/logging.ncl" in
{
  # Contract for the control-center service configuration: policy engine,
  # RBAC, user management, audit, compliance and external integrations.
  #
  # Reading notes:
  # - No record below ends in `..`, so each is a closed record contract:
  #   fields that are not declared here are rejected.
  # - Fields without `| optional` (workspace, server, database, security,
  #   policy, rbac, users) must be present in a config.
  # - Defaults inside an `| optional` sub-record only apply when that
  #   sub-record is supplied. What the service assumes when it is absent is
  #   not visible from this file.
  # - Every `Number` here is unbounded: zero, negative and fractional values
  #   all pass. Units are not stated in this schema.
  ControlCenterConfig = {
    # Workspace configuration
    workspace | workspace_schema.WorkspaceConfig,
    # HTTP server settings
    server | server_schema.ServerConfig,
    # Database configuration (policy storage)
    database | database_schema.DatabaseConfig,
    # Security configuration (JWT, RBAC, encryption, MFA)
    security | security_schema.SecurityConfig,
    # Policy Engine Configuration
    policy | {
      # Enable policy engine
      enabled | Bool | default = true,
      # NOTE(review): a comment here announced a "policy evaluation mode
      # (sync, async)" field, but no such field is declared. Confirm whether
      # it was dropped during the migration; as written, a config that sets
      # one is rejected by this closed record.
      # Policy cache
      cache | {
        enabled | Bool | default = true,
        # Cache entry lifetime. NOTE(review): unit not stated and no lower
        # bound; a long TTL delays the effect of a policy revocation.
        ttl | Number | optional,
        max_policies | Number | optional,
      } | optional,
      # Policy versioning
      versioning | {
        enabled | Bool | default = true,
        max_versions | Number | optional,
      } | optional,
      # NOTE(review): a "policy conflict resolution" field was announced here
      # but none is declared; how conflicting policies are resolved is not
      # configurable through this schema.
    },
    # RBAC Configuration
    rbac | {
      # Enable RBAC
      enabled | Bool | default = true,
      # Role hierarchy/inheritance
      hierarchy | Bool | default = true,
      # Dynamic role assignment
      dynamic_roles | Bool | default = false,
      # Default role for new users.
      # NOTE(review): free-form String, not checked against `roles` below,
      # so a privileged name such as "admin" passes validation. The consumer
      # should reject unknown or over-privileged defaults.
      default_role | String | optional,
      # Pre-defined roles: one on/off flag per built-in role, all on by
      # default when this record is supplied.
      roles | {
        admin | Bool | default = true,
        operator | Bool | default = true,
        viewer | Bool | default = true,
      } | optional,
      # Attribute-based access control (ABAC)
      attribute_based | Bool | default = false,
    },
    # User Management
    users | {
      # Enable user management
      enabled | Bool | default = true,
      # User registration.
      # NOTE(review): with the defaults below, registration is enabled and
      # approval is not required. Deployments that are not meant to accept
      # self-registration should set these explicitly.
      registration | {
        enabled | Bool | default = true,
        requires_approval | Bool | default = false,
        # Role given to newly registered users. Free-form String, not
        # checked against rbac.roles; the same caveat as rbac.default_role
        # applies.
        auto_assign_role | String | optional,
      } | optional,
      # User session management.
      # NOTE(review): all three limits are optional and unbounded, so this
      # schema does not guarantee that sessions ever expire. Units are not
      # stated; confirm against the service.
      sessions | {
        max_active | Number | optional,
        idle_timeout | Number | optional,
        absolute_timeout | Number | optional,
      } | optional,
      # User audit trail (off by default)
      audit_enabled | Bool | default = false,
    },
    # Audit Logging Configuration
    audit | {
      # Enable audit logging.
      # NOTE(review): off by default, and the whole `audit` record is
      # optional. A deployment that needs an audit trail of policy and role
      # changes must enable it explicitly.
      enabled | Bool | default = false,
      # Audit events to log (free-form names; not validated here)
      events | Array String | optional,
      # Audit storage
      storage | {
        retention_days | Number | optional,
        # Off by default; presumably requests tamper-resistant storage.
        # Confirm what the service does with it.
        immutable | Bool | default = false,
      } | optional,
      # Sensitive data redaction in logs (on by default)
      redact_sensitive | Bool | default = true,
    } | optional,
    # Compliance Configuration
    compliance | {
      # Enable compliance checks
      enabled | Bool | default = false,
      # NOTE(review): a "compliance frameworks" field was announced here but
      # none is declared.
      # Compliance validation
      validation | {
        enabled | Bool | default = false,
        interval_hours | Number | optional,
      } | optional,
      # Data retention policies.
      # NOTE(review): audit_log_days looks like it overlaps with
      # audit.storage.retention_days. Nothing in this schema relates the two;
      # confirm which one the service honours.
      data_retention | {
        policy_years | Number | optional,
        audit_log_days | Number | optional,
      } | optional,
      # Encryption requirements (off by default)
      encryption_required | Bool | default = false,
    } | optional,
    # Integration with External Services
    integrations | {
      # LDAP/Active Directory integration.
      # NOTE(review): server_url is a plain String, so the scheme is not
      # checked and an unencrypted ldap:// URL passes validation. Because
      # server_url and base_dn are optional, `enabled = true` without them
      # also passes.
      ldap | {
        enabled | Bool | default = false,
        server_url | String | optional,
        base_dn | String | optional,
      } | optional,
      # OAuth2/OIDC providers (free-form names; not validated here)
      oauth2 | {
        enabled | Bool | default = false,
        providers | Array String | optional,
      } | optional,
      # Webhook notifications.
      # NOTE(review): endpoints are unvalidated Strings, with no scheme or
      # host restriction at schema level. The consumer should enforce https
      # and an allow-list before sending event data to them.
      webhooks | {
        enabled | Bool | default = false,
        endpoints | Array String | optional,
      } | optional,
    } | optional,
    # Monitoring configuration
    monitoring | monitoring_schema.MonitoringConfig | optional,
    # Logging configuration
    logging | logging_schema.LoggingConfig | optional,
  },
}