Artifact Registry
ArtifactRegistry
ArtifactRegistry defines the high-level intent for a private Artifact Registry repository. It allows users to manage container images, language packages (Maven, Python, etc.), and other build artifacts.
From a technical perspective, the engine translates this declarative manifest into a google_artifact_registry_repository GCP resource and explicitly manages the repository's scoped IAM permissions and upstream visibility through IAM bindings.
Child manifests can be declared through lowops.manifests.v1.children, which establishes trust relationships between manifests and gives the engine a deterministic provisioning sequence.
| Property | Type | Description |
|---|---|---|
| apiVersion | string | The API version of the manifest, enforcing backward compatibility contracts. |
| kind | string | The resource type discriminator, explicitly defining this block as an ArtifactRegistry object. |
| metadata | map | Custom metadata for labeling and classifying the resource within the control plane. |
| spec | Spec | The concrete structural inputs mapping the desired user configuration. |
Spec
Spec defines the user's desired configuration for the Artifact Registry repository. It provides variables such as format type (Docker, Maven) and IAM access, which are passed directly to the GCP resource definitions during execution planning.
| Property | Type | Description |
|---|---|---|
| enabled | bool | Determines the operational status of the repository configuration. If true, this repository is evaluated and actively mapped by the engine. If false, it is omitted from the execution graph entirely, so any existing infrastructure it created is scheduled for destruction. |
| description | string | Provides a localized, natural-language explanation of this registry's role. This description is optional but greatly improves how well the AI assistant maps organizational elements to repositories. |
| public | bool | Explicit toggle that exposes the registry to unauthenticated global reads. When set to true, the engine injects an IAM binding that grants the repository reader role to all users, so artifacts can be retrieved without the standard authentication checks. |
| type | string | The upstream package format standard to enforce on the repository. Mapped immutably to the underlying platform's format attribute, ensuring type-safety and protocol compliance at the cloud provider edge. |
| region | string | The geographic region in which the repository and its data reside. Injected into the location property of the underlying storage resource, which fixes data residency and determines access latency. |
| permissions | ArtifactRegistryAccessPermissions | Maps defined principals (users, groups, service accounts) to read and write scopes. Resolved into fine-grained IAM bindings targeting specific upstream roles to securely bridge authentication models and enforce least privilege. |
ArtifactRegistryAccessPermissions
Defines access levels specifically for Artifact Registry repositories.
Maps readers and writers to roles/artifactregistry.reader and roles/artifactregistry.writer respectively on the targeted google_artifact_registry_repository.
| Property | Type | Description |
|---|---|---|
| readers | DetailedAccessPermissions | A list of users and groups who are granted read-only access to the repository. Corresponds to the 'roles/artifactregistry.reader' IAM role. |
| writers | DetailedAccessPermissions | A list of users and groups who are granted read and write access to the repository. Corresponds to the 'roles/artifactregistry.writer' IAM role. |
DetailedAccessPermissions
Aggregation of specific user and group access definitions.
Refers to lists of OrganizationUser and OrganizationUserGroup manifests that will be parsed to retrieve actual Google Workspace identity emails for IAM binding construction.
| Property | Type | Description |
|---|---|---|
| members | list of string | A list of 'OrganizationUser' manifest names to be included in this permission set. |
| groups | list of string | A list of 'OrganizationUserGroup' manifest names to be included in this permission set. |
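As an added illustration (not the lowops engine's own code), the following Python resolves a constructed ArtifactRegistry manifest into the repository attributes and the two IAM bindings described under Spec and DetailedAccessPermissions above, and reports any binding that reaches a public principal so a reviewer can confirm that public: true was intended. The apiVersion value, the metadata.name field, and the assumption that OrganizationUser and OrganizationUserGroup manifests carry an email under spec.email are assumptions, as are the sample identities.

```python
from copy import deepcopy
from typing import Dict, List

READER_ROLE = "roles/artifactregistry.reader"
WRITER_ROLE = "roles/artifactregistry.writer"
# Formats named on this page; google_artifact_registry_repository accepts others.
KNOWN_FORMATS = {"DOCKER", "MAVEN", "PYTHON"}
# Principals that extend access beyond identified organisation members.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed OrganizationUser / OrganizationUserGroup manifests keyed by name.
# The spec.email layout is an assumption about those manifest kinds.
ORG_USERS = {
    "alice": {"kind": "OrganizationUser", "spec": {"email": "alice@example.com"}},
    "bob": {"kind": "OrganizationUser", "spec": {"email": "bob@example.com"}},
}
ORG_GROUPS = {
    "platform-team": {"kind": "OrganizationUserGroup",
                      "spec": {"email": "platform-team@example.com"}},
}

# Constructed ArtifactRegistry manifest; apiVersion and metadata.name are assumed.
EXAMPLE_MANIFEST = {
    "apiVersion": "lowops.manifests.v1",
    "kind": "ArtifactRegistry",
    "metadata": {"name": "app-images"},
    "spec": {
        "enabled": True,
        "description": "Container images for the web application",
        "public": False,
        "type": "docker",
        "region": "europe-west1",
        "permissions": {
            "readers": {"members": ["bob"], "groups": ["platform-team"]},
            "writers": {"members": ["alice"], "groups": []},
        },
    },
}


def resolve_members(perms: dict) -> List[str]:
    """Turn one DetailedAccessPermissions block into IAM member strings.

    Unknown manifest names raise instead of being skipped, so a typo cannot
    silently change who ends up in a binding.
    """
    members: List[str] = []
    for name in perms.get("members", []):
        if name not in ORG_USERS:
            raise KeyError(f"unknown OrganizationUser manifest: {name}")
        members.append("user:" + ORG_USERS[name]["spec"]["email"])
    for name in perms.get("groups", []):
        if name not in ORG_GROUPS:
            raise KeyError(f"unknown OrganizationUserGroup manifest: {name}")
        members.append("group:" + ORG_GROUPS[name]["spec"]["email"])
    return members


def plan(manifest: dict) -> dict:
    """Translate a manifest into a repository definition plus IAM bindings.
    Returns {} when spec.enabled is false (omitted from the execution graph)."""
    if manifest.get("kind") != "ArtifactRegistry":
        raise ValueError("kind must be ArtifactRegistry")
    spec = manifest["spec"]
    if not spec.get("enabled", False):
        return {}
    fmt = str(spec["type"]).upper()  # maps to the provider's format attribute
    if fmt not in KNOWN_FORMATS:
        raise ValueError(f"unsupported repository type: {spec['type']}")
    perms = spec.get("permissions", {})
    readers = resolve_members(perms.get("readers", {}))
    writers = resolve_members(perms.get("writers", {}))
    if spec.get("public", False):
        readers.append("allUsers")  # unauthenticated pulls
    bindings: Dict[str, List[str]] = {}
    if readers:
        bindings[READER_ROLE] = readers
    if writers:
        bindings[WRITER_ROLE] = writers
    return {
        "repository": {
            "repository_id": manifest["metadata"]["name"],
            "format": fmt,
            "location": spec["region"],
            "description": spec.get("description", ""),
        },
        "iam_bindings": bindings,
    }


def exposure_findings(planned: dict) -> List[str]:
    """List every role bound to a public principal in a planned repository."""
    findings = []
    for role, members in planned.get("iam_bindings", {}).items():
        for member in members:
            if member in PUBLIC_PRINCIPALS:
                findings.append(f"{role} granted to {member}")
    return findings


if __name__ == "__main__":
    print(plan(EXAMPLE_MANIFEST)["iam_bindings"])
    public = deepcopy(EXAMPLE_MANIFEST)
    public["spec"]["public"] = True
    print(exposure_findings(plan(public)))  # reader role granted to allUsers
```

Writers are bound only to roles/artifactregistry.writer, as the page describes; that role already carries read permissions, so a principal does not need to appear in both lists. The exposure check is the piece worth wiring into review: a repository that is public because of one boolean is easy to miss in a diff, and surfacing the resulting allUsers binding next to the plan makes the decision explicit.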