Common
AccessPermissions
Core definition for assigning administrative and viewer privileges across the platform.
Used by the engine to compute the final IAM policies (google_folder_iam_binding, etc.), aggregating individual user and group definitions to role assignments.
| Property | Type | Description |
|---|---|---|
| administrators | DetailedAccessPermissions | A list of users and groups with administrative privileges on the asset. The exact permissions are resource-dependent but typically grant full control. |
| contributors | DetailedAccessPermissions | A list of users and groups with contributor privileges on the asset. The exact permissions are resource-dependent but typically grant read and write access. |
| viewers | DetailedAccessPermissions | A list of users and groups with viewer privileges on the asset. The exact permissions are resource-dependent but typically grant read-only access. |
AgentConfig
Configuration for the Ops Agent deployed on the VM.
Drives the installation and configuration of the Google Cloud Ops Agent on the instance, dictating which logs and metrics are exported to Cloud Monitoring.
| Property | Type | Description |
|---|---|---|
| logFiles | list of string | Glob patterns for the log files that the Ops Agent on the VirtualMachine collects. |
| metrics | list of MetricConfig | |
ApplicationAccessControlBucketConfig
Configures Google Cloud Storage interaction permissions for a workload.
Translates to roles/storage.objectViewer or roles/storage.objectUser IAM bindings assigned to the application's service account, and can map specific paths.
| Property | Type | Description |
|---|---|---|
| name | string | The name of the 'Bucket' manifest that this application requires access to. This bucket must be present in all environments defined in the parent 'ReleaseTrack'. |
| source | string | If specified, refers to a 'GithubRepository' manifest that contains the source data to be synchronized into the bucket. This is used by the CI/CD system to set up a 'gcloud storage rsync' job. |
| permission | string | The permission level granted to the application for this bucket ('READ_ONLY' or 'WRITE'). Grants either 'roles/storage.objectViewer' (for READ_ONLY) or 'roles/storage.objectUser' (for WRITE) to the application's service account for the specified bucket. |
| mountPath | string | The absolute path where the bucket should be mounted as a file within the application's container. If omitted, permissions will be granted on the bucket but it will not be mounted as a file. |
| subPath | string | A sub-path within the bucket that the application will have access to. If omitted, access is granted to the entire bucket. This path is often used for mounting specific bucket folders into a container. |
| promote | bool | If true, the bucket content will be promoted through the ReleaseTrack alongside the application. This is typically used for storing generic application configuration data. |
ApplicationAccessControlConfig
Aggregates all external access rules an application requires.
Computes the comprehensive list of IAM bindings, SQL grants, and secret consumptions that must be provisioned alongside the application's actual deployment.
| Property | Type | Description |
|---|---|---|
| additionalRoles | list of string | A list of additional roles to grant to the application's service account. |
| pubsub | ApplicationAccessControlPubsubConfig | Defines the application's permissions to publish or subscribe to specific Pub/Sub topics. |
| buckets | list of ApplicationAccessControlBucketConfig | A list defining the application's permissions to read from or write to specific Google Cloud Storage buckets. The key of the map is a logical name for the bucket access rule. |
| database | ApplicationAccessControlDatabaseConfig | Defines the application's permissions to a specific PostgreSQL database instance and schema. |
| secrets | list of SecretsEntry | A map defining the secrets that the application needs access to. The key of the map is the name of the 'Secret' manifest, and the value specifies how it should be exposed to the application (e.g., as an environment variable or a mounted file). |
SecretsEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | SecretSourceConfig | |
ApplicationAccessControlDatabaseConfig
Configures PostgreSQL interaction permissions for a workload.
Executes dynamic DDL (CREATE USER, GRANT) against the target SQL instance using an administrative proxy, setting up specific schema rights.
| Property | Type | Description |
|---|---|---|
| name | string | The name of the 'Database' manifest that this application requires access to. |
| schema | string | The specific database (schema) within the database instance that the application will connect to. |
| privileges | list of string | A list of SQL privileges to grant to the application's user role on the specified schema (e.g., 'USAGE', 'CREATE'). Translates into 'GRANT' statements executed against the PostgreSQL instance. |
| readOnly | bool | If true, grants the application read-only access to the database. This is typically used for connecting to a read replica. |
| skipSchemaCreation | bool | If true, this application deployment will not attempt to create the specified schema. This is useful for applications that require a specific schema to exist before they can be deployed, such as applications that use a specific database migration tool or when another application has already created the schema. |
| extensions | list of string | A list of PostgreSQL extensions to enable in the target database for the application's use. Executes 'CREATE EXTENSION IF NOT EXISTS' for each extension in the list. |
| secretSource | SecretSourceConfig | Defines how the application should retrieve the database credentials (e.g., from which 'Secret' manifest). |
ApplicationAccessControlPubsubConfig
Configures Pub/Sub interaction permissions for a workload.
Translates to roles/pubsub.publisher and roles/pubsub.subscriber IAM bindings assigned to the application's underlying service account.
| Property | Type | Description |
|---|---|---|
| publishTo | list of string | A list of 'PubSub' manifest names that this application is allowed to publish messages to. Grants the 'roles/pubsub.publisher' role to the application's service account for each specified topic. |
| subscribeTo | list of string | A list of 'PubSub' manifest names that this application is allowed to create subscriptions for and pull messages from. Grants the 'roles/pubsub.subscriber' role to the application's service account for each specified topic. |
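As an added illustration (not code from the platform itself), the following Python sketch computes the IAM bindings that the bucket and Pub/Sub access-control blocks above describe: READ_ONLY/WRITE map to roles/storage.objectViewer/objectUser on the named bucket, publishTo/subscribeTo map to roles/pubsub.publisher/subscriber on each topic, and additionalRoles land on the project. The dataclass names mirror the manifest types; the IamBinding shape, the member prefix and the treatment of additionalRoles as project-level are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


# Trimmed mirrors of the manifest types documented above; only the fields the
# binding computation needs are modelled.
@dataclass
class ApplicationAccessControlBucketConfig:
    name: str
    permission: str            # 'READ_ONLY' or 'WRITE'


@dataclass
class ApplicationAccessControlPubsubConfig:
    publishTo: List[str] = field(default_factory=list)
    subscribeTo: List[str] = field(default_factory=list)


@dataclass
class ApplicationAccessControlConfig:
    additionalRoles: List[str] = field(default_factory=list)
    pubsub: Optional[ApplicationAccessControlPubsubConfig] = None
    buckets: List[ApplicationAccessControlBucketConfig] = field(default_factory=list)


# Mapping stated in the ApplicationAccessControlBucketConfig table.
BUCKET_PERMISSION_ROLES = {
    "READ_ONLY": "roles/storage.objectViewer",
    "WRITE": "roles/storage.objectUser",
}


@dataclass(frozen=True, order=True)
class IamBinding:
    """One (resource, role, member) tuple. The shape is an assumption for this example."""
    resource_kind: str   # 'bucket', 'topic' or 'project'
    resource: str        # manifest name, or the project id for additionalRoles
    role: str
    member: str


def compute_bindings(service_account: str, project: str,
                     cfg: ApplicationAccessControlConfig) -> List[IamBinding]:
    """Return the sorted, de-duplicated bindings implied by an accessControl block.

    An unknown bucket permission raises ValueError rather than silently granting
    nothing, so a typo in a manifest fails at plan time instead of at runtime.
    """
    member = f"serviceAccount:{service_account}"   # GCP member syntax for SAs
    bindings = set()                               # set: duplicate rules collapse

    for bucket in cfg.buckets:
        role = BUCKET_PERMISSION_ROLES.get(bucket.permission)
        if role is None:
            raise ValueError(
                f"bucket {bucket.name!r}: permission must be one of "
                f"{sorted(BUCKET_PERMISSION_ROLES)}, got {bucket.permission!r}")
        bindings.add(IamBinding("bucket", bucket.name, role, member))

    if cfg.pubsub is not None:
        for topic in cfg.pubsub.publishTo:
            bindings.add(IamBinding("topic", topic, "roles/pubsub.publisher", member))
        for topic in cfg.pubsub.subscribeTo:
            bindings.add(IamBinding("topic", topic, "roles/pubsub.subscriber", member))

    # additionalRoles have no resource of their own; assumed to be project-scoped.
    for role in cfg.additionalRoles:
        bindings.add(IamBinding("project", project, role, member))

    return sorted(bindings)


if __name__ == "__main__":
    # Constructed sample manifest: one read-only and one writable bucket, a topic
    # the app both publishes to and subscribes from, and one extra project role.
    sample = ApplicationAccessControlConfig(
        additionalRoles=["roles/logging.logWriter"],
        pubsub=ApplicationAccessControlPubsubConfig(publishTo=["orders"],
                                                    subscribeTo=["orders", "audit"]),
        buckets=[ApplicationAccessControlBucketConfig("assets", "READ_ONLY"),
                 ApplicationAccessControlBucketConfig("uploads", "WRITE")],
    )
    for b in compute_bindings("app@example-project.iam.gserviceaccount.com",
                              "example-project", sample):
        print(f"{b.resource_kind:8} {b.resource:18} {b.role:30} {b.member}")
```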
ApplicationDefinition
| Property | Type | Description |
|---|---|---|
| description | string | The description of the role of the current Application/ExternalApplication |
| target | string | Defines the target compute platform where this application will be deployed (e.g., KUBERNETES, CLOUD_RUN, COMPUTE). This field determines which underlying infrastructure module is used (e.g., 'google_cloud_run_v2_service' for CLOUD_RUN) to provision and manage the application's runtime environment. |
| meshStrategy | string | Determines how the application integrates with the service mesh. - 'SIDECAR': Deploys a full proxy sidecar alongside the application for traffic management. - 'PROXYLESS': Uses gRPC libraries within the application for mesh connectivity, removing the need for a sidecar. - 'DISABLED': The application will not be part of the service mesh. This value dictates the creation of mesh-related resources. 'SIDECAR' results in a 'google_network_services_http_route' or 'grpc_route' pointing to a backend service with a 'SIDECAR_PROXY' load balancing scheme. 'PROXYLESS' configures the application to use gRPC-based service discovery. |
| source | string | The name of the 'BuildDefinition' or 'ExternalApplication' manifest that defines the source of the container image for this application. Creates a dependency to the source manifest, allowing the platform to look up the correct container image URL for deployments. |
| container | string | The specific container definition to use from the source 'BuildDefinition' or 'ExternalApplication' manifest. This is required when the source defines multiple containers. This value is used to look up the specific container image URL and tag from the source manifest, which is then used in the 'containers.image' attribute of the 'google_cloud_run_v2_service' or other compute resource. |
| project | string | The name of the 'Project' manifest where this application will be deployed. This project must be included in all environments defined in the application's parent 'ReleaseTrack'. Determines the GCP project where all underlying resources for this application (e.g., Cloud Run service, IAM bindings) will be provisioned. |
| accessControl | ApplicationAccessControlConfig | Defines the permissions this application has to other resources within the platform, such as Buckets, Databases, Pub/Sub topics, and Secrets. This block generates the necessary 'google_*_iam_binding' resources to grant the application's service account the specified permissions. |
| runMigrationJob | bool | If true, the platform will create and run a one-off job before deploying the main service. This is typically used for database schema migrations. If true, a 'google_cloud_run_v2_job' resource is created using a dedicated container image. The main 'google_cloud_run_v2_service' is configured to depend on the successful completion of this job. |
ApprovalPolicy
| Property | Type | Description |
|---|---|---|
| stakeholder | Stakeholder | A single stakeholder (User or Group) |
| anyOf | ApprovalSet | Requires any of the defined policies to be satisfied (OR logic) |
| allOf | ApprovalSet | Requires all of the defined policies to be satisfied (AND logic) |
| quorum | ApprovalSet | Requires a minimum number of the defined policies to be satisfied (Quorum logic) |
ApprovalSet
| Property | Type | Description |
|---|---|---|
| policies | list of ApprovalPolicy | |
| minApprovals | int32 | For Quorum logic: Minimum number of policies that must be satisfied. |
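The anyOf/allOf/quorum semantics of ApprovalPolicy and ApprovalSet are recursive, so a small evaluator makes the logic concrete. This is an added example, not the platform's own code; the Stakeholder id field, the rule that exactly one branch of a policy is set, and the assumption that group membership has already been expanded into the approvals set are all assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass
class Stakeholder:
    """A single User or Group; 'id' is an assumed identifier field."""
    id: str


@dataclass
class ApprovalSet:
    policies: List["ApprovalPolicy"] = field(default_factory=list)
    minApprovals: int = 0      # only meaningful under 'quorum', per the table above


@dataclass
class ApprovalPolicy:
    # Assumption: exactly one of these four branches is set on a valid policy.
    stakeholder: Optional[Stakeholder] = None
    anyOf: Optional[ApprovalSet] = None
    allOf: Optional[ApprovalSet] = None
    quorum: Optional[ApprovalSet] = None


def _branch(policy: ApprovalPolicy):
    """Return (kind, value) for the single populated branch, or raise."""
    populated = [(name, getattr(policy, name))
                 for name in ("stakeholder", "anyOf", "allOf", "quorum")
                 if getattr(policy, name) is not None]
    if len(populated) != 1:
        raise ValueError("ApprovalPolicy must set exactly one of "
                         f"stakeholder/anyOf/allOf/quorum, got {[n for n, _ in populated]}")
    return populated[0]


def is_satisfied(policy: ApprovalPolicy, approvals: FrozenSet[str]) -> bool:
    """Recursively evaluate a policy against the ids of stakeholders that approved.

    'approvals' is assumed to already contain the ids of every group the
    approving users belong to, i.e. group expansion happens before evaluation.
    """
    kind, value = _branch(policy)
    if kind == "stakeholder":
        return value.id in approvals

    # A composite with no children is rejected: all([]) is True, so an empty
    # allOf would otherwise approve anything, and an empty quorum is meaningless.
    if not value.policies:
        raise ValueError(f"{kind} requires at least one policy")
    results = [is_satisfied(child, approvals) for child in value.policies]

    if kind == "anyOf":          # OR logic
        return any(results)
    if kind == "allOf":          # AND logic
        return all(results)
    # quorum: minApprovals must be reachable and at least one
    if not 1 <= value.minApprovals <= len(value.policies):
        raise ValueError(
            f"quorum minApprovals must be between 1 and {len(value.policies)}, "
            f"got {value.minApprovals}")
    return sum(results) >= value.minApprovals


if __name__ == "__main__":
    # Constructed policy: the security group AND any two of three team leads.
    security = ApprovalPolicy(stakeholder=Stakeholder("group:security"))
    leads = ApprovalSet(
        policies=[ApprovalPolicy(stakeholder=Stakeholder(f"user:lead{i}")) for i in range(3)],
        minApprovals=2)
    release_policy = ApprovalPolicy(allOf=ApprovalSet(policies=[security,
                                                               ApprovalPolicy(quorum=leads)]))
    print(is_satisfied(release_policy, frozenset({"group:security", "user:lead0", "user:lead1"})))
    print(is_satisfied(release_policy, frozenset({"group:security", "user:lead0"})))
```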
ArtifactRegistryAccessPermissions
Defines access levels specifically for Artifact Registry repositories.
Maps readers and writers to roles/artifactregistry.reader and roles/artifactregistry.writer respectively on the targeted google_artifact_registry_repository.
| Property | Type | Description |
|---|---|---|
| readers | DetailedAccessPermissions | A list of users and groups who are granted read-only access to the repository. Corresponds to the 'roles/artifactregistry.reader' IAM role. |
| writers | DetailedAccessPermissions | A list of users and groups who are granted read and write access to the repository. Corresponds to the 'roles/artifactregistry.writer' IAM role. |
BucketImageConverterConfig
Configures automatic image conversion operations on objects.
Instructs the associated image processing pipeline (if enabled) on how to re-encode uploaded images.
| Property | Type | Description |
|---|---|---|
| format | string | |
| maxWidth | int64 | |
| maxHeight | int64 | |
BucketNotificationConfig
Links storage buckets to Pub/Sub notification pipelines.
Generates the google_storage_notification resource to push event records upon object changes.
| Property | Type | Description |
|---|---|---|
| topic | string | The name of the PubSub manifest to which notifications should be sent. Creates a google_storage_notification resource linking this bucket to the specified Pub/Sub topic. |
| events | list of string | A list of event types that will trigger a notification. For example, OBJECT_FINALIZE triggers on new object creation. This list is passed to the event_types attribute of the google_storage_notification resource. |
BucketRouteConfig
Configures authorization rules specifically for bucket backends.
Affects the associated URL map routing and attached authz extensions when a Load Balancer path serves static assets directly from GCS.
| Property | Type | Description |
|---|---|---|
| name | string | |
| authentication | list of RouteRuleAuthenticationConfig | Rule Authentication Configuration. Defines the authentication configuration for this rule. If not specified, the rule will be unauthenticated. |
| authorization | list of ComputedAuthorizationAccessRuleCheck | Rule Authorization Configuration. Defines the authorization configuration for this rule. If not specified, the rule will be open to all users. |
CodeOwnerConfig
Configuration for GitHub code ownership and repository rules.
Used during repository templating to enforce CODEOWNERS files and branch protection rules, ensuring that specific teams review changes to critical paths.
| Property | Type | Description |
|---|---|---|
| githubOwner | string | The name of the Github Organization, also referred to as Owner |
| repository | string | |
| rules | list of string | |
ComputedAccessPermissions
Represents the computed access configurations for a resource.
Houses the flattened permission structure derived from an AccessPermissions block, ready for IAM provisioning.
| Property | Type | Description |
|---|---|---|
| administrators | ComputedDetailedAccessPermissions | The final, resolved list of users and groups with administrative privileges on the asset. |
| contributors | ComputedDetailedAccessPermissions | The final, resolved list of users and groups with contributor privileges on the asset. |
| viewers | ComputedDetailedAccessPermissions | The final, resolved list of users and groups with viewer privileges on the asset. |
ComputedAccessibleRegistry
Represents a computed Artifact Registry resource accessible by deployments.
Tracks the registry location and name needed to perform container image path resolution.
| Property | Type | Description |
|---|---|---|
| name | string | The name of the artifact registry. |
| location | string | The GCP region or multi-region where the registry is located. |
ComputedApplication
Represents a fully computed application deployment configuration.
Collates mesh strategy, pre-flight migration requirements, and the container image layout required by the execution engine to provision the underlying Cloud Run service or K8s Deployment.
| Property | Type | Description |
|---|---|---|
| name | string | The name of the application. |
| meshStrategy | string | The service mesh strategy used by the application (e.g., SIDECAR, PROXYLESS). |
| container | ComputedContainerDefinition | The computed definition for the application's container, including image URL, environment variables, and resource requests. |
| runMigrationJob | bool | Indicates whether a database migration job should be run before deploying the application. |
ComputedArtifactRegistry
Represents a computed Artifact Registry resource.
JIT-resolved state of an ArtifactRegistry manifest containing the definitive configuration utilized during the implementation phase.
| Property | Type | Description |
|---|---|---|
| name | string | This value is a direct reflection of 'metadata.name' from this 'ArtifactRegistry' manifest. |
| type | string | This value is a direct reflection of 'spec.type' from this 'ArtifactRegistry' manifest. |
| publishUrl | string | This URL is composed based on the 'spec.type' from this 'ArtifactRegistry' manifest. |
| region | string | This value is taken from 'spec.region' from this 'ArtifactRegistry' manifest. |
| permissions | ArtifactRegistryAccessPermissions | This block is a direct reflection of the 'spec.permissions' block from this 'ArtifactRegistry' manifest, with user and group names resolved to their full Google Cloud Identity identifiers. |
ComputedAuthorizationAccess
The full map of hostnames to authorization paths.
Acts as the primary in-memory index for the authz extensions running alongside the load balancers.
| Property | Type | Description |
|---|---|---|
| rules | list of RulesEntry | This is a map where the key is a hostname and the value is the set of authorization rules for that host, aggregated from all relevant child 'HttpRoute' and 'GrpcRoute' manifests. |
RulesEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | ComputedAuthorizationAccessRules | |
ComputedAuthorizationAccessRule
Single computed authorization rule.
Part of the compiled configuration supplied to authz extension services to resolve user scopes dynamically.
| Property | Type | Description |
|---|---|---|
| identitySource | string | This value is a direct reflection of 'spec.authorization.identitySource' from a child 'HttpRoute' or 'GrpcRoute' manifest. |
| matches | list of HttpRouteRuleMatch | This list is a direct reflection of the 'spec.matches' block from a child 'HttpRoute' or 'GrpcRoute' manifest. |
| checks | list of ComputedAuthorizationAccessRuleCheck | This list is a direct reflection of the 'spec.authorization.checks' block from a child 'HttpRoute' or 'GrpcRoute' manifest. |
ComputedAuthorizationAccessRuleCheck
Represents a computed access check for a route rule.
Maps an expected identity tuple (namespace, relation, object) that the AuthZ extension must validate during the request flow.
| Property | Type | Description |
|---|---|---|
| namespace | string | This value is a direct reflection of 'spec.authorization.namespace' from a child 'HttpRoute' or 'GrpcRoute' manifest. |
| relation | string | This value is a direct reflection of 'spec.authorization.relation' from a child 'HttpRoute' or 'GrpcRoute' manifest. |
| object | string | This value is a direct reflection of 'spec.authorization.object' from a child 'HttpRoute' or 'GrpcRoute' manifest. |
ComputedAuthorizationAccessRules
Aggregation of authz rules for a specific host.
Pre-calculated list used to look up every authorization predicate that applies to incoming requests for that host.
| Property | Type | Description |
|---|---|---|
| rules | list of ComputedAuthorizationAccessRule | This is a list of authorization rules, aggregated from all child 'HttpRoute' and 'GrpcRoute' manifests for a given host. |
ComputedContainerDefinition
Represents the fully resolved container image deployment source.
Fuses the registry's geographical footprint with a specific container build to provide the absolute URL for the deployment API (e.g., Cloud Run or GKE).
| Property | Type | Description |
|---|---|---|
| sourceRegistry | ComputedAccessibleRegistry | The registry where the container image is stored. |
| image | string | The full URL of the container image, including the registry and repository path. |
ComputedDeploymentPlan
Represents the comprehensive deployment sequence for a release track.
Calculates the complete path (pre-release to production stages) a container image takes through environments based on release track policies.
| Property | Type | Description |
|---|---|---|
| preReleaseStages | list of ComputedDeploymentStage | |
| releaseStages | list of ComputedDeploymentStage | |
| hotfixStages | list of ComputedDeploymentStage | |
ComputedDeploymentStage
Represents a grouping of parallel deployment steps.
Aggregates environments into a single deployment phase (for example 'staging' as one stage and 'production' as the next) so that rollouts across stages can be enforced sequentially.
| Property | Type | Description |
|---|---|---|
| id | string | |
| steps | list of ComputedDeploymentStep | |
ComputedDeploymentStep
Represents a single step in a release progression.
Captures the deployment target environment, project, and application configuration necessary to reconcile a deployment within CI/CD.
| Property | Type | Description |
|---|---|---|
| id | string | |
| environment | string | |
| project | string | |
| container | ComputedContainerDefinition | |
| stakeholders | DetailedAccessPermissions | |
ComputedDetailedAccessPermissions
Represents the computed aggregation of specific members and groups for a permission level.
Contains the resolved IDs of identities that will be bound to a target resource.
| Property | Type | Description |
|---|---|---|
| members | list of int64 | The final, resolved list of 'OrganizationUser' members for this permission set. |
| groups | list of int64 | The final, resolved list of 'OrganizationUserGroup' members for this permission set. |
ComputedDomainConfig
Represents computed fully-qualified domain names.
Used dynamically to construct the internal and external networking routes based on the current Environment's configured root domains.
| Property | Type | Description |
|---|---|---|
| internal | string | The fully-qualified internal domain name, composed from parent configurations. |
| external | string | The fully-qualified external domain name, composed from parent configurations. |
ComputedExternalRegistry
Represents a computed external container registry dependency.
Resolves the linkage between external registry configurations and the GCP / GitHub secrets containing their authentication credentials.
| Property | Type | Description |
|---|---|---|
| name | string | This value is a direct reflection of 'metadata.name' from the 'ExternalRegistry' manifest. |
| type | string | This value is a direct reflection of 'spec.type' from the 'ExternalRegistry' manifest. |
| publishUrl | string | This value is a direct reflection of 'spec.url' from the 'ExternalRegistry' manifest. |
| authentication | string | This value is a direct reflection of 'spec.authentication' from the 'ExternalRegistry' manifest. |
| usernameGcpSecretId | string | This value is populated by looking up a 'Secret' manifest with a conventional name, typically '<registryName>-username', and retrieving its fully qualified GCP resource StateID. |
| usernameSourceControlSecretId | string | This value is populated by looking up a 'GithubSecret' manifest with a conventional name, typically '<registryName>-username', and retrieving its name. |
| passwordGcpSecretId | string | This value is populated by looking up a 'Secret' manifest with a conventional name, typically '<registryName>-password', and retrieving its fully qualified GCP resource StateID. |
| passwordSourceControlSecretId | string | This value is populated by looking up a 'GithubSecret' manifest with a conventional name, typically '<registryName>-password', and retrieving its name. |
| region | string | |
ComputedGithubBranchConfig
Represents computed branch protection rules for a GitHub repository.
Dictates the configuration applied to the github_branch_protection resource, enforcing review counts, status checks, and bypass roles.
| Property | Type | Description |
|---|---|---|
| id | string | The unique identifier for this set of rules (e.g., 'primary-branches', 'feature-branches'). |
| targetPatterns | list of string | A list of glob patterns for branches that these rules apply to (e.g., ['main', 'develop'] or ['feat/', 'bugfix/']). |
| requiredReviewers | int64 | The number of required approving reviews for a pull request before it can be merged. |
| canCreate | bool | Indicates whether branches matching these patterns can be created by users. |
| bypassRoles | list of string | A list of GitHub roles (e.g., 'Maintainer', 'Admin') who are allowed to bypass these rules. |
| statusChecks | list of string | A list of required status check contexts that must pass before merging. |
| releaseType | string | The type of release associated with this branch (e.g., 'major', 'minor', 'patch'), which can influence versioning automation. |
| allowedSourceBranchPatterns | list of string | A list of glob patterns for branches that are allowed to be merged into this branch (used by CI to enforce flow). |
| requiredBranchPattern | string | Optional regex pattern that branches matching 'targetPatterns' must adhere to. |
ComputedGithubSecretRepositories
Represents the computed relationships between a GitHub secret and its target repositories.
This is an internal state object used by the engine to track which repositories a specific GithubSecret manifest has been distributed to during gitops reconciliation.
| Property | Type | Description |
|---|---|---|
| secretKey | string | The name of the secret. |
| repositories | list of string | A list of repositories where this secret is configured. |
ComputedGithubTeamConfig
Represents a computed GitHub Team and its membership state.
Direct reflection of configuration required to synchronize github_team and github_team_membership resources.
| Property | Type | Description |
|---|---|---|
| name | string | The name of the GitHub team. |
| parent | string | The name of the parent team, if this is a nested team. |
| members | list of MembersEntry | A map of team members and their roles (e.g., 'member', 'maintainer'). |
MembersEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | string | |
ComputedHibernationConfig
Represents the computed hibernation schedule.
Used to translate abstract windows/exclusions into concrete cron triggers that the engine uses to start/stop underlying workloads.
| Property | Type | Description |
|---|---|---|
| enabled | bool | |
| scheduledTriggers | list of ScheduledTriggersEntry | |
ScheduledTriggersEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | string | |
ComputedIamServiceAccount
Represents a computed Google Cloud Service Account and its binding state.
Holds the resolved state for google_service_account resources, driving the creation of IAM bindings and establishing Kubernetes Workload Identity bindings (k8s_name).
| Property | Type | Description |
|---|---|---|
| name | string | The name of the Google Cloud Service Account. This is typically composed from the name of the corresponding 'Application' manifest. |
| create | bool | A boolean indicating whether the platform should create this service account. This is usually true unless the application is configured to use a pre-existing service account. |
| roles | ComputedIamServiceAccountPermissions | This block contains the final, resolved list of IAM roles granted to the service account, derived from the 'accessControl' block of the corresponding 'Application' manifest. |
| k8sName | string | The name of the corresponding Kubernetes Service Account that is bound to the Google Cloud Service Account. This is relevant for applications deployed to GKE. |
| k8sNamespace | string | The Kubernetes namespace where the Kubernetes Service Account is created. |
ComputedIamServiceAccountPermissions
Represents computed IAM role aggregations for a service account.
Derived from the accessControl blocks to determine the precise list of IAM roles the application's service account requires across scopes (org, project, AR).
| Property | Type | Description |
|---|---|---|
| organization | list of string | A list of computed IAM roles granted to the service account at the GCP Organization level. |
| project | list of string | A list of computed IAM roles granted to the service account at the GCP Project level. |
| artifactRegistry | list of string | A list of computed IAM roles granted to the service account for accessing specific Artifact Registry repositories. |
ComputedLoadBalancerHost
Represents a fully compiled set of paths mapped to a Load Balancer Host.
Translates down to the hostRules within a google_compute_url_map.
| Property | Type | Description |
|---|---|---|
| iapPaths | list of ComputedLoadBalancerPath | |
| gcipPaths | list of ComputedLoadBalancerPath | |
| unauthPaths | list of ComputedLoadBalancerPath | |
| bucketPaths | list of ComputedLoadBalancerPath | |
ComputedLoadBalancerPath
Represents a fully compiled routing path inside a Load Balancer.
Translates down to individual URL Map path matchers within a google_compute_url_map.
| Property | Type | Description |
|---|---|---|
| matchers | list of HttpRouteRuleMatch | |
| tenant | string | Only used for IDENTITY_PROVIDER |
| hostRewrite | string | |
| pathRewrite | string | |
| bucket | string | Used for static buckets |
| complexity | int64 | |
ComputedLoadBalancerRouteAuthorization
Links a backend service to its authorization context.
Extends the IAP or Cloud Service Mesh configuration to include the external authz plugin with the specified policy payload.
| Property | Type | Description |
|---|---|---|
| backendService | string | The self-link of the backend service for the authorization extension Cloud Run service. This service is conventionally named based on this 'PublicIngress' manifest's 'metadata.name' (e.g., '<name>-authz-ext'). |
| accessRules | ComputedAuthorizationAccess | This block is an aggregation of all 'spec.authorization.rules' from all child 'HttpRoute' and 'GrpcRoute' manifests associated with this ingress. |
ComputedPrivateCaPool
Represents a computed Private Certificate Authority Pool resource.
Resolves the state IDs and locations for google_privateca_ca_pool resources established within the core control plane project.
| Property | Type | Description |
|---|---|---|
| authorityId | string | The computed unique StateID for the Certificate Authority resource within the pool. |
| poolId | string | The computed unique StateID for the Certificate Authority pool. |
| location | string | The GCP region where the CA pool is located, inherited from the Organization's 'default_region'. |
| projectId | string | The GCP project StateID where the CA pool is created, specifically the 'infrastream_core_project_id'. |
| organization | string | The name of the parent Organization manifest. |
ComputedRelatedArtifactRegistry
Groups an Artifact Registry with a list of dependent repository names.
Used to correlate an environment's registry with the specific application repositories built into it, simplifying the generation of IAM and image paths.
| Property | Type | Description |
|---|---|---|
| repositories | list of string | |
| registry | ComputedArtifactRegistry | |
ComputedRelatedExternalRegistry
Groups an External Registry with a list of dependent repository names.
Associates specific application repositories to a configured external registry.
| Property | Type | Description |
|---|---|---|
| repositories | list of string | |
| registry | ComputedExternalRegistry | |
ComputedVirtualMachineBucketConfig
Represents a computed bucket mount for a VM.
Resolves the linkage between the VM configuration and the exact bucket resource to be mounted via Cloud Storage FUSE.
| Property | Type | Description |
|---|---|---|
| source | string | This is the name of the bucket resource, derived from the 'name' field in the 'volumes' map of the 'VirtualMachineConfiguration' manifest. |
| mountOptions | string | A string of mount options for the bucket, computed based on the 'operatingSystem' of the 'VirtualMachineConfiguration' manifest to ensure compatibility. |
ComputedVirtualMachineDiskConfig
Represents the computed specification of a VM's attached disk.
Consolidates disk sizing, snapshots, and filesystem details into a unified block for persistent disk provisioning.
| Property | Type | Description |
|---|---|---|
| name | string | This is the name of the disk resource, derived from the 'name' field in the 'volumes' map of the 'VirtualMachineConfiguration' manifest. |
| fileSystem | string | The file system for the disk, derived from the 'fileSystem' field in the 'volumes' map of the 'VirtualMachineConfiguration' manifest. |
| mountOptions | string | A string of mount options for the disk, computed based on the 'fileSystem' and 'operatingSystem' of the 'VirtualMachineConfiguration' manifest. |
| sourceSnapshot | string | The name of the source snapshot, derived from the 'sourceSnapshot' field in the 'volumeMounts' map of the 'VirtualMachine' manifest. |
| encrypted | bool | This boolean is derived from the 'encrypted' field in the 'volumes' map of the 'VirtualMachineConfiguration' manifest. |
| diskSizeGb | int64 | The size of the disk in gigabytes, derived from the 'diskSizeGb' field in the 'volumeMounts' map of the 'VirtualMachine' manifest. |
| diskType | string | The type of disk, derived from the 'diskType' field in the 'volumeMounts' map of the 'VirtualMachine' manifest. |
ContainerResource
Single resource boundary definition.
Translates to either requests or limits for CPU or memory within a container specification.
| Property | Type | Description |
|---|---|---|
| cpu | string | |
| memory | string |
ContainerResources
Defines compute requirements and constraints for a container.
Maps to the resource requests and limits in Kubernetes Pods or Cloud Run service configurations to ensure adequate scaling and scheduling semantics.
| Property | Type | Description |
|---|---|---|
| requests | ContainerResource | |
| limits | ContainerResource |
ContainerSpec
Core configuration block for defining a runtime container.
Overrides default container behavior from the base image, defining entrypoints, variables, and compute constraints. Translates directly to elements like resources and env within google_cloud_run_v2_service or Kubernetes specifications.
| Property | Type | Description |
|---|---|---|
| enabled | bool | |
| command | list of string | |
| args | list of string | |
| env | list of EnvVariableDefinition | |
| uid | string | |
| gid | string | |
| resources | ContainerResources |
ContainerVolumeMount
Maps generated files to a container volume.
Specifies the layout of files to be mounted, typically corresponding to config maps or secrets in K8s, or files written in Cloud Run.
| Property | Type | Description |
|---|---|---|
| files | list of FilesEntry |
FilesEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | VolumeMountFile |
ControlPlaneDefinition
High-level definition for the platform's control plane.
Defines the foundational GCP resources (VPCs, identity, routing) and deployment regions for the platform's central management plane. This drives the generation of core foundational modules.
| Property | Type | Description |
|---|---|---|
| description | string | A description of the GCP asset. |
| permissions | AccessPermissions | Defines the users and groups who have administrative, contributor, or viewer access to the control plane's underlying cloud project. These permissions are translated into 'google_project_iam_binding' resources on the control plane's dedicated GCP project. |
| network | ControlPlaneNetwork | Defines network-specific settings for the control plane's VPC network. |
| hibernation | HibernationConfig | Defines the schedule for automatically hibernating (scaling down to zero) the resources within this control plane to save costs. The computed schedule is used to control the active hours for underlying resources within the control plane project. |
| region | string | The primary GCP region where the control plane and its resources are deployed. This is a foundational setting that determines the location for most resources created within the control plane, including VPCs, Cloud Run services, and databases. |
| passiveRegions | list of string | A list of additional GCP regions where resources can be deployed in a passive or failover capacity. This is used for multi-region architectures. This list is used to configure regional resources like DNS peering and VPC subnets for high availability. |
| maintenance | Maintenance | Defines maintenance windows and exclusions for the resources within the control plane. This is used to configure the 'maintenance_policy' on applicable resources within the control plane project, such as 'google_container_cluster' and 'google_sql_database_instance'. |
| defaultUrlRedirect | string | A default URL to redirect to if an incoming request to an ingress does not match any other routing rules. This is used to configure the 'default_url_redirect' on 'google_compute_url_map' resources created for ingresses within the control plane. |
| allowedEgress | list of string | A list of external hostnames or IP addresses that applications within the control plane are allowed to connect to. Egress traffic to other destinations is denied. This configures a 'google_compute_router_nat' resource and associated firewall rules to enforce the specified egress policy for all network traffic originating from within the control plane. |
| identityProviderConfig | ProjectIdpConfig | Defines the project-wide identity provider configuration. This applies to all tenants within the project. |
ControlPlaneNetwork
Defines network telemetry settings at the Control Plane level.
Applies VPC flow log settings to the underlying control plane foundational network, overriding global defaults.
| Property | Type | Description |
|---|---|---|
| logs | NetworkLogs | Configures the export of VPC flow logs for the control plane's network. These settings are applied to the 'log_config' block of the 'google_compute_subnetwork' resource for the control plane's VPC. |
CorsPolicy
Defines Cross-Origin Resource Sharing logic for an endpoint.
Emitted as corsPolicy on backend services or ingress routes to inform the LB terminating proxy how to respond to OPTIONS preflight requests.
| Property | Type | Description |
|---|---|---|
| allowOrigins | list of string | |
| allowOriginRegexes | list of string | |
| allowMethods | list of string | |
| allowHeaders | list of string | |
| exposeHeaders | list of string | |
| maxAge | string | |
| allowCredentials | bool | |
| disabled | bool |
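As an added example (not code from the page or the platform it documents), the following Python sketch shows how the fields of a CorsPolicy are consulted when a terminating proxy answers an OPTIONS preflight, and includes a small static check for the two misconfigurations a reviewer looks for first: a wildcard origin combined with allowCredentials, and an origin regex whose dots are unescaped. The data class reuses the table's field names; the matching semantics (origins must match an allowOriginRegex in full, a disallowed request gets no Access-Control-* headers so the browser blocks it) are assumptions chosen for illustration, as are all sample origins.

```python
import re
from dataclasses import dataclass, field


# Constructed model with the CorsPolicy field names from the table above.
@dataclass
class CorsPolicy:
    allowOrigins: list = field(default_factory=list)
    allowOriginRegexes: list = field(default_factory=list)
    allowMethods: list = field(default_factory=list)
    allowHeaders: list = field(default_factory=list)
    exposeHeaders: list = field(default_factory=list)
    maxAge: str = ""
    allowCredentials: bool = False
    disabled: bool = False


def origin_allowed(policy: CorsPolicy, origin: str) -> bool:
    """True if the Origin value is listed in allowOrigins or fully matches an allowOriginRegex."""
    if "*" in policy.allowOrigins or origin in policy.allowOrigins:
        return True
    # Anchored match (assumption): a substring search would also accept an origin such as
    # "https://api.example.com.other.example" for a pattern written for *.example.com.
    return any(re.fullmatch(rx, origin) for rx in policy.allowOriginRegexes)


def preflight_response(policy: CorsPolicy, origin: str, method: str, request_headers: list) -> tuple:
    """Answer an OPTIONS preflight. Returns (status, headers). When the request is not
    permitted no Access-Control-* headers are emitted, so the browser refuses the call.
    exposeHeaders is omitted here because it belongs on the actual response, not the preflight."""
    if policy.disabled or not origin_allowed(policy, origin):
        return 204, {}
    if method.upper() not in {m.upper() for m in policy.allowMethods}:
        return 204, {}
    allowed = {h.lower() for h in policy.allowHeaders}
    if "*" not in allowed and any(h.lower() not in allowed for h in request_headers):
        return 204, {}
    headers = {
        # Echo the specific origin rather than "*": browsers reject a wildcard together with
        # credentials, and Vary: Origin keeps a shared cache from replaying it to another site.
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
        "Access-Control-Allow-Methods": ", ".join(policy.allowMethods),
        "Access-Control-Allow-Headers": ", ".join(policy.allowHeaders),
    }
    if policy.maxAge:
        headers["Access-Control-Max-Age"] = policy.maxAge
    if policy.allowCredentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return 204, headers


def policy_findings(policy: CorsPolicy) -> list:
    """Heuristic static review of a policy; returns one string per finding."""
    findings = []
    if policy.allowCredentials and "*" in policy.allowOrigins:
        findings.append("allowCredentials with wildcard allowOrigins: credentialed access from any site")
    for rx in policy.allowOriginRegexes:
        if re.search(r"(?<!\\)\.", rx):  # an unescaped '.' matches any character, not a literal dot
            findings.append(f"unescaped '.' in allowOriginRegex {rx!r}")
    return findings
```

The check in `policy_findings` is deliberately narrow; it is the review step to run on a CorsPolicy before it reaches a load balancer, since a permissive origin rule combined with `allowCredentials` hands cross-site pages the user's session.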
DetailedAccessPermissions
Aggregation of specific user and group access definitions.
Refers to lists of OrganizationUser and OrganizationUserGroup manifests that will be parsed to retrieve actual Google Workspace identity emails for IAM binding construction.
| Property | Type | Description |
|---|---|---|
| members | list of string | A list of 'OrganizationUser' manifest names to be included in this permission set. |
| groups | list of string | A list of 'OrganizationUserGroup' manifest names to be included in this permission set. |
DirectResponse
Details for sending an immediate, synthetic response to matching traffic.
Emitted as faultInjectionPolicy.abort or direct routeAction configured with an HTTP status and payload to bounce traffic at the proxy layer.
| Property | Type | Description |
|---|---|---|
| status | int64 | Required. Status to return as part of HTTP Response. Must be a positive integer. |
| stringBody | string | Optional. Response body as a string. Maximum body length is 1024 characters. |
| bytesBody | string | Optional. Response body as bytes. Maximum body size is 4096B. A base64-encoded string. |
DiskSnapshotConfiguration
Defines the source snapshot for a given environment.
Determines the specific google_compute_snapshot link used to provision a new compute disk for a VM within a target environment.
| Property | Type | Description |
|---|---|---|
| source | string | If the volume definition is of type BUCKET, the name of the bucket to use. If used with a DISK volume, this is an optional Google Snapshot self link. |
| mountOptions | list of string | |
| diskConfig | DiskSnapshotDiskConfig |
DiskSnapshotDiskConfig
Configures properties for a disk created from a snapshot.
Sets disk size and type attributes on the resulting google_compute_disk when hydrating a snapshot.
| Property | Type | Description |
|---|---|---|
| sizeGb | int64 | Only applicable for volumes of type DISK. The size of the disk in GB. |
| type | string | Only applicable for volumes of type DISK. The type of the disk. |
| snapshots | list of SnapshotsEntry |
SnapshotsEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | string |
EnvVariableDefinition
Defines a static environment variable to be injected.
Appended to the environment variable array of the corresponding compute resource container definition.
| Property | Type | Description |
|---|---|---|
| name | string | |
| value | string |
EnvironmentDefinition
High-level definition of an Environment (e.g., staging, prod) within an organizational boundary.
Maps to a GCP Folder under its parent OU folder. Establishes the boundary where environment-specific IAM, hibernation, and networking defaults are defined.
| Property | Type | Description |
|---|---|---|
| displayName | string | The display name of the GCP asset. If unspecified, uses the metadata.name field of the manifest. |
| description | string | A description of the GCP asset. |
| hibernation | HibernationConfig | Defines a default hibernation schedule for this Environment, which can override the schedule from the parent 'OrganizationalUnit'. This schedule is inherited by all child 'Project' manifests. The computed schedule is used to control the active hours for underlying resources within this environment's projects to manage costs. |
| permissions | AccessPermissions | Defines the default permissions for all resources within this Environment. These permissions are inherited by child 'Project' manifests and are combined with any permissions from the parent 'OrganizationalUnit'. These permissions are translated into 'google_folder_iam_binding' resources, granting the specified roles to principals on the corresponding GCP Folder for this environment. |
| network | EnvironmentNetwork | Defines default network-specific settings for the Environment. |
EnvironmentNetwork
Defines default network settings at the Environment level.
Inherited by down-level Projects to override parent OU settings, driving the log_config of VPC subnets created within this environment.
| Property | Type | Description |
|---|---|---|
| logs | NetworkLogs | Configures the default export settings for VPC flow logs for all networks within this Environment. These settings are applied to the 'log_config' block of all 'google_compute_subnetwork' resources created under this environment's projects. |
EventArcNotificationTarget
Details the webhook destination for Eventarc triggers.
Directs where Pub/Sub or Audit Log events pushed by Eventarc should hit a deployed Cloud Run service.
| Property | Type | Description |
|---|---|---|
| deploymentConfig | string | The name of the 'DeploymentConfig' manifest that defines the target service for the notification. |
| path | string | The relative URL path on the target service where Eventarc should send the event payload. |
FaultInjectionAbort
Configures simulated failures/aborts for a route.
Translates into the abort block of the faultInjectionPolicy on a google_network_services_http_route, terminating requests early with the specified HTTP status code.
| Property | Type | Description |
|---|---|---|
| httpStatus | int64 | |
| percentage | int64 |
FaultInjectionDelay
Configures simulated latency for a route.
Translates into the delay block of the faultInjectionPolicy on a google_network_services_http_route.
| Property | Type | Description |
|---|---|---|
| fixedDelay | string | |
| percentage | int64 |
FaultInjectionPolicy
Aggregates fault injection policies for testing resilience.
Drives the stochastic or deterministic network disruption features of GCP Traffic Director or K8s Gateway APIs.
| Property | Type | Description |
|---|---|---|
| delay | FaultInjectionDelay | |
| abort | FaultInjectionAbort |
GithubConfig
Configuration for the central GitOps repository hosted on GitHub.
This determines where the engine pushes hydrated infrastructure state and application configs, establishing the source of truth for the GitOps workflow.
| Property | Type | Description |
|---|---|---|
| organization | string | The name of the GitHub Organization that owns the central GitOps repository (e.g., 'pvotal-tech'). This repository will host the organization's hydrated manifests. |
| repositoryPrefix | string | A global prefix that will be prepended to any repository managed by the platform. |
| administrators | list of string | A list of GitHub usernames to be granted admin access. This field is not currently used. |
GrpcRouteRule
| Property | Type | Description |
|---|---|---|
| matches | list of GrpcRouteRuleMatch | |
| authentication | list of RouteRuleAuthenticationConfig | Rule Authentication Configuration. Defines the authentication configuration for this rule. If not specified, the rule will be unauthenticated. |
| authorization | list of ComputedAuthorizationAccessRuleCheck | Rule Authorization Configuration. Defines the authorization configuration for this rule. If not specified, the rule will be open to all users. |
GrpcRouteRuleAction
| Property | Type | Description |
|---|---|---|
| destinations | list of HttpRouteRuleActionDestination | |
| faultInjectionPolicy | FaultInjectionPolicy | |
| timeout | string | |
| retryPolicy | RetryPolicy | |
| idleTimeout | string |
GrpcRouteRuleMatch
| Property | Type | Description |
|---|---|---|
| headers | list of GrpcRouteRuleMatchHeader | |
| method | MethodMatch |
GrpcRouteRuleMatchHeader
Matches gRPC metadata equivalent to HTTP headers.
Appended to a grpc_route to define rules based on custom gRPC metadata sent by the client.
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | string | |
| type | string |
HeaderModifier
Directs transformations on HTTP headers.
Configured as custom request or response headers added/removed by the HTTP(S) Load Balancer.
| Property | Type | Description |
|---|---|---|
| set | list of SetEntry | |
| add | list of AddEntry | |
| remove | list of string |
AddEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | string |
SetEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | string |
HibernationConfig
Consolidates hibernation scheduling logic.
Used by the orchestrator to aggregate windows and exclusions across OU, Environment, and Project inheritance chains into a final deployment state.
| Property | Type | Description |
|---|---|---|
| hibernate | bool | When set to 'true', forces the resource into hibernation immediately, overriding any active 'windows' or 'exclusions'. Defaults to 'false'. |
| windows | list of WindowsEntry | A map of recurring time windows during which the resource will be hibernated. The key of the map provides a unique name for each window. |
| exclusions | list of ExclusionsEntry | A map of specific, non-recurring time windows during which hibernation will be suspended, even if a 'window' is active. Use this for planned maintenance or high-traffic periods. The key of the map provides a unique name for each exclusion. |
ExclusionsEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | HibernationExclusion |
WindowsEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | HibernationWindow |
HibernationExclusion
Defines a specific suspension of the hibernation schedule.
Prevents down-scaling operations during the specified timeframe, ensuring workloads remain active for special events or maintenance.
| Property | Type | Description |
|---|---|---|
| start | string | The start date and time for the exclusion window in RFC3339 format. |
| end | string | The end date and time for the exclusion window in RFC3339 format. |
HibernationWindow
Defines a recurring period when an asset should be scaled down.
Scheduled cron strings used by the control plane's orchestration tools to dynamically stop virtual machines or scale Cloud Run instances to zero.
| Property | Type | Description |
|---|---|---|
| start | string | A cron expression defining when the hibernation window begins. |
| end | string | A cron expression defining when the hibernation window ends. |
HostHealthConfig
Configuration for uptime and health checks on host endpoints.
Translates into google_compute_health_check and backend service parameters, driving routing decisions within GCP load balancers.
| Property | Type | Description |
|---|---|---|
| protocol | string | |
| port | int64 | |
| checkIntervalSec | int64 | Default 30 |
| timeoutSec | int64 | Default 5 |
| healthyThreshold | int64 | Default 1 |
| unhealthyThreshold | int64 | Default 2 |
| enableLogs | bool | |
| path | string | Default "/" |
HostRoutePortConfig
Port-specific routing configurations.
Defines protocols (HTTP, gRPC, TCP) and binds them to the namespace logic to correctly route load balancer traffic.
| Property | Type | Description |
|---|---|---|
| protocol | string | |
| namespace | string | |
| routes | list of RoutesEntry |
RoutesEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | RouteConfig |
HttpRouteRedirect
Defines an immediate HTTP redirect response.
Instructs the load balancer to intercept the request and issue an HTTP 3xx redirect to the specified host or path.
| Property | Type | Description |
|---|---|---|
| hostRedirect | string | |
| pathRedirect | string | |
| prefixRewrite | string | |
| responseCode | string | |
| httpsRedirect | bool | |
| stripQuery | bool | |
| portRedirect | string |
HttpRouteRule
Combines a match condition with an execution action for HTTP traffic.
The fundamental building block of a traffic routing table for google_network_services_http_route.
| Property | Type | Description |
|---|---|---|
| matches | list of HttpRouteRuleMatch | |
| authentication | list of RouteRuleAuthenticationConfig | Rule Authentication Configuration. Defines the authentication configuration for this rule. If not specified, the rule will be unauthenticated. |
| authorization | list of ComputedAuthorizationAccessRuleCheck | Rule Authorization Configuration. Defines the authorization configuration for this rule. If not specified, the rule will be open to all users. |
HttpRouteRuleAction
Encapsulates the execution logic when a route match occurs.
Binds the RouteMatch to its target backend services or redirects within the cloud load balancing framework.
| Property | Type | Description |
|---|---|---|
| destinations | list of HttpRouteRuleActionDestination | |
| redirect | HttpRouteRedirect | |
| faultInjectionPolicy | FaultInjectionPolicy | |
| requestHeaderModifier | HeaderModifier | |
| responseHeaderModifier | HeaderModifier | |
| urlRewrite | UrlRewrite | |
| timeout | string | |
| retryPolicy | RetryPolicy | |
| requestMirrorPolicy | RequestMirrorPolicy | |
| corsPolicy | CorsPolicy | |
| directResponse | DirectResponse | |
| idleTimeout | string |
HttpRouteRuleActionDestination
Defines an upstream target for a routed request.
References the canonical backend service ID where traffic matching the rule should be sent, governing the weight distribution.
| Property | Type | Description |
|---|---|---|
| deploymentConfig | string | |
| virtualMachine | string | |
| port | int64 | |
| weight | int64 |
HttpRouteRuleMatch
Comprehensive matching criteria for an HTTP request.
Forms the crucial conditional backbone of a network services route, steering traffic based on path, headers, or query contents.
| Property | Type | Description |
|---|---|---|
| ignoreCase | bool | |
| fullPathMatch | string | |
| prefixMatch | string | |
| regexMatch | string | |
| headers | list of HttpRouteRuleMatchHeader | |
| queryParameters | list of QueryParameterMatch |
HttpRouteRuleMatchHeader
Defines a condition to match against HTTP headers.
Creates the evaluating rule within a routeMatch.headers block inside a GCP HttpRoute, aiding in granular traffic splitting.
| Property | Type | Description |
|---|---|---|
| header | string | |
| invertMatch | bool | |
| exactMatch | string | |
| regexMatch | string | |
| prefixMatch | string | |
| presentMatch | bool | |
| suffixMatch | string | |
| rangeMatch | RangeMatch |
IdentityProviderConfig
Configures how a tenant uses an identity provider's container.
Points to a pre-defined source image and configuration layout representing a specific Identity Provider solution (like Keycloak), driving its deployment within the boundary of an IAP configuration.
| Property | Type | Description |
|---|---|---|
| source | string | The name of the 'BuildDefinition' manifest that defines the source of the container image for this application. |
| container | string | The specific container definition to use from the source 'BuildDefinition' manifest. This is required when the source defines multiple containers. |
| version | string | The version (tag) of the container image to deploy. |
| spec | ContainerSpec | The container specification for the container image. |
Jwks
JSON Web Key Set configuration for verifying tokens.
Used directly within JWT verification configurations or OAuth clients where the public key must be known offline.
| Property | Type | Description |
|---|---|---|
| kid | string | |
| type | string | |
| alg | string | |
| pem | string |
Maintenance
Defines the recurring weekly maintenance window and any explicit exclusions for resource upgrades.
Translates into maintenance_policy blocks on GCP resources like google_container_cluster (GKE) and google_sql_database_instance (Cloud SQL), dictating when Google Cloud can perform infrastructure upgrades.
| Property | Type | Description |
|---|---|---|
| start | string | The start time for the recurring weekly maintenance window, provided in RFC3339 format. The time-of-day and day-of-week are used to establish the schedule. This is used to configure the 'maintenance_policy' on resources like 'google_container_cluster' and 'google_sql_database_instance'. |
| end | string | The end time for the recurring weekly maintenance window, provided in RFC3339 format. This defines the duration of the maintenance window for applicable GCP resources. |
| exclusions | list of MaintenanceExclusion | A list of specific, non-recurring time windows during which maintenance should not occur, even if it falls within the recurring weekly window. Use this to prevent updates during business-critical periods. Creates 'maintenance_exclusion' blocks on applicable GCP resources. |
MaintenanceExclusion
Defines a specific, non-recurring time window where platform maintenance should not occur.
Translates into maintenance_exclusion blocks on underlying GCP resources, overriding regular weekly maintenance windows during critical business periods.
| Property | Type | Description |
|---|---|---|
| name | string | A unique name to identify the reason for this exclusion (e.g., 'black-friday-freeze'). |
| start | string | The start date and time for a specific, non-recurring exclusion from the maintenance window, in RFC3339 format. |
| end | string | The end date and time for the non-recurring exclusion window, in RFC3339 format. |
MethodMatch
Matches gRPC traffic by canonical service or method name.
Primary routing discriminator in google_network_services_grpc_route, replacing URL path matches found in HTTP.
| Property | Type | Description |
|---|---|---|
| grpcService | string | |
| grpcMethod | string | |
| caseSensitive | bool |
MetricConfig
Configures custom metric collection for the Ops Agent.
Adds custom receivers to the Ops Agent configuration file running within the virtual machine.
| Property | Type | Description |
|---|---|---|
| type | string | |
| prometheus | PrometheusConfig |
MfaConfig
Configures Multi-Factor Authentication (MFA) requirements for users.
Modifies Identity Platform tenant configurations to enforce MFA policies based on the selected mode and geographical region restrictions.
| Property | Type | Description |
|---|---|---|
| mode | string | The MFA mode for multi-factor authentication. This can be set to 'DISABLED' to disable multi-factor authentication, 'ENABLED' to enable multi-factor authentication, or 'MANDATORY' to require multi-factor authentication for all users. |
| testPhoneNumbers | list of TestPhoneNumbersEntry | A map of phone numbers that will be used for testing multi-factor authentication. The key is the phone number and the value is the expected 6-digit OTP code. |
| allowedRegions | list of string | A list of regions where multi-factor authentication is allowed. Two-letter Unicode region codes to disallow, as defined by https://cldr.unicode.org/. The full list of these region codes is here: https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json |
TestPhoneNumbersEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | string |
NetworkLogs
Configures the export settings for VPC Flow Logs.
Translates to the log_config block of google_compute_subnetwork, determining aggregation intervals and volume sampling rates for network telemetry.
| Property | Type | Description |
|---|---|---|
| interval | string | The time window for which VPC flow logs are aggregated before being exported. A shorter interval provides more immediate data, while a longer interval reduces the volume of logs generated. This value is passed to the aggregation_interval field of the google_compute_subnetwork_log_config resource. |
| sampling | double | The fraction of network connections for which VPC flow logs will be generated and exported. The value must be between 0.0 (no logs) and 1.0 (all logs). This value is passed to the flow_sampling field of the google_compute_subnetwork_log_config resource. |
OauthClientConfig
Defines the configuration of an OAuth 2.0 client.
Used to register standard OAuth/OIDC clients in Identity Providers or Gateway surfaces.
| Property | Type | Description |
|---|---|---|
| grantTypes | list of string | |
| responseTypes | list of string | |
| scopes | list of string | |
| redirectUris | list of string | |
| postLogoutRedirectUris | list of string | |
| audience | list of string | |
| jwks | Jwks |
OidcProviderConfig
Configures an external OIDC provider for identity federation.
Plumbs the OIDC connection details into Identity Platform configurations or other federated authentication components.
| Property | Type | Description |
|---|---|---|
| source | string | |
| clientId | string | |
| mapper | string | |
| scopes | list of string |
OrganizationalUnitDefinition
High-level definition of an Organizational Unit used to group environments and govern policies.
Maps to a GCP Folder hierarchy (google_folder), acting as an administrative boundary where IAM permissions and default network/hibernation policies are applied and propagated.
| Property | Type | Description |
|---|---|---|
| displayName | string | The display name of the GCP asset. If unspecified, uses the metadata.name field of the manifest. |
| description | string | A description of the GCP asset. |
| hibernation | HibernationConfig | Defines a default schedule for automatically hibernating all resources within this Organizational Unit. This schedule can be overridden by child 'Environment' or 'Project' manifests. The computed schedule is used to control the active hours for underlying resources like 'google_compute_instance' and 'google_cloud_run_service' to manage costs. |
| permissions | AccessPermissions | Defines the default permissions for all resources within this Organizational Unit. These permissions are inherited by child 'Environment' and 'Project' manifests. These permissions are translated into 'google_folder_iam_binding' resources, granting the specified roles to principals on the corresponding GCP Folder. |
| network | OrganizationalUnitNetwork | Defines default network-specific settings for the Organizational Unit. |
OrganizationalUnitNetwork
Defines default network settings at the Organizational Unit (OU) level.
Inherited by any Environment or Project within this OU, determining default VPC flow log configurations for generated subnetworks.
| Property | Type | Description |
|---|---|---|
| logs | NetworkLogs | Configures the default export settings for VPC flow logs for all networks within this Organizational Unit. These settings are applied to the 'log_config' block of all 'google_compute_subnetwork' resources created under this unit. |
ProjectDefinition
High-level definition of a workload-bearing Project.
Maps to a google_project in GCP. Sets the fundamental boundaries for deployed applications, defining the target region, IAM identity bindings, maintenance windows, and default routing rules.
| Property | Type | Description |
|---|---|---|
| displayName | string | The display name of the GCP asset. If unspecified, uses the metadata.name field of the manifest. |
| description | string | A description of the GCP asset. |
| permissions | AccessPermissions | Defines specific permissions for this Project, which are merged with inherited permissions from the parent 'Environment' and 'OrganizationalUnit'. These permissions are translated into 'google_project_iam_binding' resources, granting the specified roles to principals on this specific GCP Project. |
| network | ProjectNetwork | Defines network-specific settings for the Project. |
| hibernation | HibernationConfig | Defines a specific hibernation schedule for this Project, which can override any schedules inherited from parent manifests. The computed schedule is used to control the active hours for underlying resources within this Project to manage costs. |
| region | string | The primary GCP region for the Project and its resources. If unspecified, it inherits the region from its parent 'Environment'. Sets the 'region' for many of the resources provisioned within this project, such as 'google_sql_database_instance' or 'google_redis_instance'. |
| maintenance | Maintenance | Defines the recurring weekly maintenance windows and specific exclusions for resources within this Project. This is used to configure the 'maintenance_policy' on resources like 'google_container_cluster' and 'google_sql_database_instance'. |
| defaultUrlRedirect | string | A default URL to redirect to if a request does not match any other routing rules. |
| allowedEgress | list of string | A list of external hostnames or IP ranges that applications within the project are allowed to connect to. |
| identityProviderConfig | ProjectIdpConfig | Defines the project-wide identity provider configuration. This applies to all tenants within the project. |
ProjectIdpConfig
Project-wide Identity Provider (IdP) configuration.
Applies identity and MFA settings globally to all Identity Platform tenants operating within this project's boundary.
| Property | Type | Description |
|---|---|---|
| mfa | MfaConfig | Defines the project-wide multi-factor authentication (MFA) configuration. This applies to all tenants within the project. |
ProjectNetwork
Defines specific network telemetry and routing settings for a Project.
Directly overrides defaults for determining VPC flow log configurations applied to the google_compute_subnetwork resources created within this project.
| Property | Type | Description |
|---|---|---|
| logs | NetworkLogs | Configures the export of VPC flow logs for this Project's network, overriding any settings from parent manifests. These settings are applied to the 'log_config' block of all 'google_compute_subnetwork' resources created within this Project. |
PrometheusConfig
Configures a Prometheus receiver for the Ops Agent.
Instructs the Ops Agent to scrape Prometheus metrics from the specified endpoint and port on the VM localhost loopback.
| Property | Type | Description |
|---|---|---|
| scheme | string | |
| endpoint | string | |
| port | int64 |
QueryParameterMatch
Defines a condition to match against HTTP query parameters.
Populates the routeMatch.queryParameters block within a GCP HttpRoute resource.
| Property | Type | Description |
|---|---|---|
| queryParameter | string | |
| exactMatch | string | |
| regexMatch | string | |
| presentMatch | string |
RangeMatch
Tests a header value against an integer scale.
Adds a numeric rangeMatch parameter to a header matching rule in the underlying network service map.
| Property | Type | Description |
|---|---|---|
| start | int64 | |
| end | int64 |
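Because a route rule's `authorization` is open to all users when unspecified (see HttpRouteRule), which rule a request lands on is a security decision, and the match predicates of HttpRouteRuleMatch, HttpRouteRuleMatchHeader, QueryParameterMatch and RangeMatch decide it. The Python evaluator below is an added example, not the platform's or Google's matching code: the data classes reuse the tables' field names, while the semantics (all populated predicates ANDed, regexes matched in full rather than searched, `ignoreCase` folding only the path predicates, RangeMatch start-inclusive and end-exclusive, the string-typed `presentMatch` of QueryParameterMatch read as "true"/"false") and the sample routing table are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed data classes mirroring the HttpRouteRuleMatch, HttpRouteRuleMatchHeader,
# QueryParameterMatch and RangeMatch tables; matching semantics below are assumptions.

@dataclass
class RangeMatch:
    start: int
    end: int  # assumption: start inclusive, end exclusive

@dataclass
class HeaderMatch:
    header: str
    invertMatch: bool = False
    exactMatch: Optional[str] = None
    regexMatch: Optional[str] = None
    prefixMatch: Optional[str] = None
    presentMatch: Optional[bool] = None
    suffixMatch: Optional[str] = None
    rangeMatch: Optional[RangeMatch] = None

@dataclass
class QueryParameterMatch:
    queryParameter: str
    exactMatch: Optional[str] = None
    regexMatch: Optional[str] = None
    presentMatch: Optional[str] = None  # typed as string in the table; "true"/"false" assumed

@dataclass
class RouteMatch:
    ignoreCase: bool = False
    fullPathMatch: Optional[str] = None
    prefixMatch: Optional[str] = None
    regexMatch: Optional[str] = None
    headers: list = field(default_factory=list)
    queryParameters: list = field(default_factory=list)

def header_matches(m: HeaderMatch, req: dict) -> bool:
    value = req["headers"].get(m.header.lower())  # header names are stored lower-cased
    if m.presentMatch is not None:
        ok = (value is not None) == m.presentMatch
    elif value is None:
        ok = False  # every other predicate needs a value to compare against
    elif m.exactMatch is not None:
        ok = value == m.exactMatch
    elif m.prefixMatch is not None:
        ok = value.startswith(m.prefixMatch)
    elif m.suffixMatch is not None:
        ok = value.endswith(m.suffixMatch)
    elif m.regexMatch is not None:
        ok = re.fullmatch(m.regexMatch, value) is not None  # anchored, never a substring search
    elif m.rangeMatch is not None:
        ok = value.isdigit() and m.rangeMatch.start <= int(value) < m.rangeMatch.end
    else:
        ok = True  # no predicate at all: the header rule constrains nothing
    return ok != m.invertMatch  # invertMatch flips the outcome

def query_matches(m: QueryParameterMatch, req: dict) -> bool:
    value = req["query"].get(m.queryParameter)
    if m.presentMatch is not None:
        return (value is not None) == (m.presentMatch.lower() == "true")
    if value is None:
        return False
    if m.exactMatch is not None:
        return value == m.exactMatch
    if m.regexMatch is not None:
        return re.fullmatch(m.regexMatch, value) is not None
    return True

def route_matches(rule: RouteMatch, req: dict) -> bool:
    """req is {"path": str, "headers": {lower-cased name: value}, "query": {name: value}}.
    Every populated predicate must hold; ignoreCase folds only the path predicates."""
    fold = str.lower if rule.ignoreCase else (lambda s: s)
    path = fold(req["path"])
    if rule.fullPathMatch is not None and path != fold(rule.fullPathMatch):
        return False
    if rule.prefixMatch is not None and not path.startswith(fold(rule.prefixMatch)):
        return False
    flags = re.IGNORECASE if rule.ignoreCase else 0
    if rule.regexMatch is not None and re.fullmatch(rule.regexMatch, req["path"], flags) is None:
        return False
    return all(header_matches(h, req) for h in rule.headers) and all(
        query_matches(q, req) for q in rule.queryParameters)

def first_matching_rule(rules: list, req: dict) -> Optional[str]:
    """Name of the first (name, RouteMatch) pair that matches, or None (first match wins)."""
    return next((name for name, rule in rules if route_matches(rule, req)), None)

def sample_rules() -> list:
    """Constructed routing table for demonstration; not taken from the page."""
    return [
        ("admin-v2", RouteMatch(prefixMatch="/admin",
                                headers=[HeaderMatch(header="X-Api-Version", rangeMatch=RangeMatch(2, 5))])),
        ("legacy-token", RouteMatch(regexMatch=r"/v1/.*",
                                    queryParameters=[QueryParameterMatch(queryParameter="token", presentMatch="true")])),
        ("internal-only", RouteMatch(prefixMatch="/internal",
                                     headers=[HeaderMatch(header="Host", suffixMatch=".internal.example")])),
        ("catch-all", RouteMatch(prefixMatch="/")),
    ]
```

Two properties of the evaluator are worth checking against whatever proxy actually serves the route: whether path comparison is case-sensitive by default (here it is, so `/Admin/users` falls through to the catch-all unless `ignoreCase` is set) and whether `regexMatch` is anchored. Either difference moves requests from a rule that carries `authentication` and `authorization` onto one that does not.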
RequestMirrorDestination
Specifies a destination to mirror traffic to without waiting for a response.
Configured in the requestMirrorPolicy of a route, duplicating identical requests to a secondary backend service id for asynchronous analysis or testing.
| Property | Type | Description |
|---|---|---|
| deploymentConfig | string | |
| port | int64 | |
| weight | int64 | |
| requestHeaderModifier | HeaderModifier | |
| responseHeaderModifier | HeaderModifier |
RequestMirrorPolicy
Defines traffic mirroring policies for out-of-band request duplication.
Configures the requestMirrorPolicy inside a load-balancing route rule, commonly used for sending shadowed production traffic to a staging backend.
| Property | Type | Description |
|---|---|---|
| destination | RequestMirrorDestination | |
| mirrorPercent | int64 | |
RetryPolicy
Configures automatic retry mechanisms for failed requests.
Configured on the retryPolicy map for a network services route, determining backoff and condition behaviors when upstream services fail.
| Property | Type | Description |
|---|---|---|
| retryConditions | list of string | |
| numRetries | int64 | |
| perTryTimeout | string | |
RouteAuthentication
Configures the edge authentication requirements for a specific route.
Integrates the ingress component with Identity-Aware Proxy (IAP) or internal Organization IAM rules, enforcing identity before traffic hits the backend service.
| Property | Type | Description |
|---|---|---|
| enabled | bool | |
| type | string | |
| providerName | string | |
RouteConfig
Wrapper for additional routing configuration settings.
Encapsulates the RouteAuthentication parameters for processing by the Ingress controllers or Gateway rules.
| Property | Type | Description |
|---|---|---|
| authentication | RouteAuthentication | |
RouteRuleAuthenticationConfig
Configures authentication exceptions or specifics for a route rule.
Translates into localized Gateway or Load Balancer configurations dictating how auth assertions are evaluated for specific matched paths.
| Property | Type | Description |
|---|---|---|
| type | string | |
| tenants | list of string | Tenant-specific authentication configuration. A list of IdentityProvider names allowed to access this route. Only applicable if type is IDENTITY_PROVIDER. |
Scaling
Defines autoscaling boundaries for compute workloads or replica sets.
Dictates min_replicas and max_replicas configuration for underlying autoscaling resources like google_compute_instance_group_manager or Kubernetes HorizontalPodAutoscaler.
| Property | Type | Description |
|---|---|---|
| min | int64 | The minimum number of instances to maintain in an instance group or replica set. Must be at least 1. This value is typically passed to the 'min_replicas' field of an underlying autoscaling resource like 'google_compute_instance_group_manager'. |
| max | int64 | The maximum number of instances the autoscaler can create in an instance group or replica set. This value is typically passed to the 'max_replicas' field of an underlying autoscaling resource like 'google_compute_instance_group_manager'. |
SecretSourceConfig
Defines how a secret should be retrieved and mounted into a workload.
Triggers IAM bindings for Secret Manager payload access. Values are resolved just in time and passed into the container via environment variables or file mounts.
| Property | Type | Description |
|---|---|---|
| envVar | string | The name of the environment variable that will hold the secret's value. This is mutually exclusive with 'file_path'. |
| version | string | The specific version of the secret to retrieve from the backend (e.g., 'latest' or a specific version number like '1'). If omitted, 'latest' is assumed. |
SmtpConfig
Configuration for outbound email delivery via SMTP.
Typically injected as environment configurations for services requiring email dispatch capabilities (like Identity Providers sending password reset links).
| Property | Type | Description |
|---|---|---|
| fromAddress | string | |
| fromName | string | |
SourceProjectReference
Fully qualified reference to a specific Project manifest.
Specifies the environment and OU coordinate of the intended project, needed since projects aren't globally unique by name alone.
| Property | Type | Description |
|---|---|---|
| name | string | The 'metadata.name' of the target 'Project' manifest being referenced. |
| environment | string | The 'metadata.name' of the 'Environment' manifest that is the parent of the target project. If omitted, it defaults to the current 'Environment'. |
| organizationalUnit | string | The 'metadata.name' of the 'OrganizationalUnit' manifest that is the parent of the target environment. If omitted, it defaults to the current 'OrganizationalUnit'. |
Stage
Defines a phase within a deployment strategy.
Maps out which application environments must be deployed to concurrently before proceeding, establishing the approval gates.
| Property | Type | Description |
|---|---|---|
| environments | list of string | A list of 'Environment' manifest names that are part of this deployment stage. An application must be successfully deployed to all environments in a stage before it can be promoted to the next. |
| stakeholders | DetailedAccessPermissions | Deprecated: use approval_policy instead. A list of users and groups who are considered stakeholders for this stage. This can be used by CI/CD systems to require approvals before promoting an application to the environments in this stage. |
| approvalPolicy | ApprovalPolicy | The approval policy required to proceed with this stage. |
Stakeholder
| Property | Type | Description |
|---|---|---|
| userEmail | string | |
| groupEmail | string | |
StartupConfig
Configuration for VM startup scripting.
Populates the metadata.startup-script field of the google_compute_instance, executing specified logic and injecting templated variables on boot.
| Property | Type | Description |
|---|---|---|
| script | string | |
| variables | list of VariablesEntry | |
VariablesEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | VariableConfig | |
UrlRewrite
Defines URL mutation logic before forwarding to a destination.
Populates the urlRewrite field of a routing action, altering the request path before it reaches the backend.
| Property | Type | Description |
|---|---|---|
| pathPrefixRewrite | string | |
| hostRewrite | string | |
UserBasedAccessPermissions
Defines access permissions strictly assigned to individual users, used when group-based authorization is unsupported or inappropriate.
Directly binds specific users to IAM roles or system privileges without an intermediary group resolution layer.
| Property | Type | Description |
|---|---|---|
| administrators | list of string | A list of users and groups with administrative privileges on the asset. The exact permissions are resource-dependent but typically grant full control. |
| contributors | list of string | A list of users and groups with contributor privileges on the asset. The exact permissions are resource-dependent but typically grant read and write access. |
| viewers | list of string | A list of users and groups with viewer privileges on the asset. The exact permissions are resource-dependent but typically grant read-only access. |
UserExternalAccount
Maps a platform user to an external identity system.
Facilitates adding users to GitHub Orgs/Teams and keeping the internal user definition in sync with its external SSO representation.
| Property | Type | Description |
|---|---|---|
| sourceType | string | The type of the external system where the account is located. Currently, only 'GITHUB' is supported. |
| sourceName | string | The name of the 'GithubConnection' manifest that this account belongs to. |
| username | string | The user's login name or username in the external system. |
VariableConfig
Defines a template variable for the startup script.
Resolved variables are injected into the VM's startup script execution context.
| Property | Type | Description |
|---|---|---|
| defaultValue | string | |
| required | bool | |
VirtualMachineConfigurationDefinition
Defines the core configuration for a virtual machine blueprint.
Acts as a templatable base for VirtualMachine manifests, establishing OS images, agent specs, and baseline secrets for google_compute_instance creation.
| Property | Type | Description |
|---|---|---|
| operatingSystem | string | The operating system to be installed on the virtual machine. Determines the boot disk's source image for the 'google_compute_instance' resource. |
| secrets | list of SecretsEntry | A map of secrets to be made available to the virtual machine. The key is the name of the 'Secret' manifest, and the value defines how it should be exposed (e.g., as a file or environment variable). The platform fetches the specified secrets from Google Secret Manager and uses the startup script to inject them into the VM's environment or file system. |
| agent | AgentConfig | Configuration for the monitoring and logging agent to be installed on the virtual machine. |
| volumes | list of VolumesEntry | Defines volumes to be mounted into the VM. The key of this map is the absolute mount path inside the VM (e.g., /data). |
| startup | StartupConfig | Configuration for the virtual machine's startup process. |
SecretsEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | VirtualMachineSecretConfig | |
VolumesEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | VirtualMachineVolumeConfig | |
VirtualMachineSecretConfig
Configures how secrets are provisioned directly to a Virtual Machine.
Intercepts Google Secret Manager payloads and drives startup scripts to write them out as files or variables prior to VM application startup.
| Property | Type | Description |
|---|---|---|
| type | string | Defines how the secret should be exposed to the virtual machine. Can be 'ENV_VAR' to set it as an environment variable or 'FILE' to write it to a file. |
| target | string | If type is 'FILE', this is the absolute path where the secret file will be created. If type is 'ENV_VAR', this is the name of the environment variable. |
VirtualMachineVolumeConfig
Defines a storage volume to be attached to a virtual machine.
Translates into google_compute_disk or bucket mount instructions, attaching physical or logical storage media to the google_compute_instance.
| Property | Type | Description |
|---|---|---|
| name | string | |
| type | string | |
| fileSystem | string | Only applicable for DISK volumes. Defines the file system format. Must be compatible with the operating system. |
| encrypted | bool | Only applicable for DISK volumes. Defines whether the disk should be encrypted or not. |
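As an added example (not part of this reference or the platform's own code), the following validator applies the constraints stated above for VirtualMachineConfigurationDefinition, VirtualMachineSecretConfig and VirtualMachineVolumeConfig before a blueprint is accepted: secret type must be ENV_VAR or FILE with a target that fits the type, volume keys must be absolute mount paths, and fileSystem/encrypted may only appear on DISK volumes. It assumes the manifest has been loaded into plain Python dicts with the camelCase field names of the tables; the sample definition is constructed.

```python
import re
from typing import Any

# Assumption: manifests arrive as plain dicts keyed by the camelCase field names above.
ENV_VAR_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def validate_secrets(secrets: dict[str, dict[str, Any]]) -> list[str]:
    # VirtualMachineSecretConfig: type is ENV_VAR (target = variable name) or FILE (target = absolute path)
    findings = []
    for name, cfg in secrets.items():
        stype, target = cfg.get("type"), cfg.get("target", "")
        if stype == "ENV_VAR":
            if not ENV_VAR_NAME.match(target):
                findings.append(f"secret {name!r}: target {target!r} is not a valid env var name")
        elif stype == "FILE":
            if not target.startswith("/"):
                findings.append(f"secret {name!r}: FILE target must be an absolute path")
        else:
            findings.append(f"secret {name!r}: type must be ENV_VAR or FILE, got {stype!r}")
    return findings


def validate_volumes(volumes: dict[str, dict[str, Any]]) -> list[str]:
    # VolumesEntry key is the absolute mount path; fileSystem/encrypted apply to DISK only
    findings = []
    for mount_path, cfg in volumes.items():
        if not mount_path.startswith("/"):
            findings.append(f"volume {mount_path!r}: mount key must be an absolute path")
        vtype = cfg.get("type")
        if vtype not in ("DISK", "BUCKET"):
            findings.append(f"volume {mount_path!r}: type must be DISK or BUCKET, got {vtype!r}")
        elif vtype == "BUCKET":
            for disk_only in ("fileSystem", "encrypted"):
                if disk_only in cfg:
                    findings.append(f"volume {mount_path!r}: {disk_only} is only applicable to DISK volumes")
    return findings


def validate_vm_definition(definition: dict[str, Any]) -> list[str]:
    return validate_secrets(definition.get("secrets", {})) + validate_volumes(definition.get("volumes", {}))


# Constructed sample blueprint: one valid and one invalid entry in each map.
SAMPLE_DEFINITION = {
    "secrets": {
        "db-password": {"type": "ENV_VAR", "target": "DB_PASSWORD"},
        "tls-key": {"type": "FILE", "target": "etc/tls/key.pem"},  # relative path: rejected
    },
    "volumes": {
        "/data": {"name": "data", "type": "DISK", "fileSystem": "ext4", "encrypted": True},
        "/mnt/assets": {"name": "assets", "type": "BUCKET", "encrypted": True},  # DISK-only field
    },
}

if __name__ == "__main__":
    for finding in validate_vm_definition(SAMPLE_DEFINITION):
        print(finding)
```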
VirtualMachineVolumeMount
Connects a VM application to a specific backing volume.
Defines the runtime mounting instructions (like fstab entries or Fuse attachments) within the google_compute_instance.
| Property | Type | Description |
|---|---|---|
| source | string | If the volume definition is of type BUCKET, the name of the bucket to use. For a DISK volume, this is an optional Google Snapshot self link. |
| mountOptions | list of string | |
| diskConfig | VirtualMachineVolumeMountDiskConfig | |
VirtualMachineVolumeMountDiskConfig
Configures the specification of an attached disk volume.
Parameters translate into the size and type of google_compute_disk created to back the attached volume mount.
| Property | Type | Description |
|---|---|---|
| sizeGb | int64 | Only applicable for volumes of type DISK. The size of the disk in GB. |
| type | string | Only applicable for volumes of type DISK. The type of the disk. |
| snapshots | list of DiskSnapshotConfiguration | |
VolumeMountBucketRef
References an external bucket for volume mounting.
Indicates Cloud Storage FUSE parameters and IAM permissions needed to attach the bucket.
| Property | Type | Description |
|---|---|---|
| name | string | |
| path | string | |
| canWrite | bool | |
VolumeMountFile
Defines a synthesized file content within a volume mount.
Handled by startup scripts to create physical files on disk with the necessary text or binary payloads.
| Property | Type | Description |
|---|---|---|
| mimeType | string | |
| content | string | |
| base64Encoded | bool | |