Environment
Defines a logical boundary mapping to a deployment lifecycle phase (e.g., Development, Staging, Production).
Acts as an IAM boundary and as the anchor from which shared settings (domains, regional constraints, hibernation, logging defaults) propagate to child Projects. It is realized as a GCP Folder (see EnvironmentDefinition) and does not itself provision workload resources.
| Property | Type | Description |
|---|---|---|
| apiVersion | string | Version of the manifest schema this document conforms to. |
| kind | string | Manifest kind; 'Environment' for this resource. |
| metadata | map | Standard manifest metadata. 'metadata.name' is used as the folder display name when 'spec.displayName' is unset. |
| spec | EnvironmentDefinition | Houses the environment configuration traits. Injects baseline permissions, hibernation schedules, and domain segments into its child projects. |
EnvironmentDefinition
High-level definition of an Environment (e.g., staging, prod) within an organizational boundary.
Maps to a GCP Folder under its parent OU folder. Establishes the boundary where environment-specific IAM, hibernation, and networking defaults are defined.
| Property | Type | Description |
|---|---|---|
| displayName | string | The display name of the GCP asset. If unspecified, uses the metadata.name field of the manifest. |
| description | string | A description of the GCP asset. |
| hibernation | HibernationConfig | Defines a default hibernation schedule for this Environment, which can override the schedule from the parent 'OrganizationalUnit'. This schedule is inherited by all child 'Project' manifests. The computed schedule is used to control the active hours for underlying resources within this environment's projects to manage costs. |
| permissions | AccessPermissions | Defines the default permissions for all resources within this Environment. These permissions are inherited by child 'Project' manifests and are combined with any permissions from the parent 'OrganizationalUnit'. They are translated into 'google_folder_iam_binding' resources, granting the specified roles to principals on the corresponding GCP Folder for this environment. Note that 'google_folder_iam_binding' is authoritative for its role: each binding replaces the complete member list for that role on the folder, so any principal granted the same role outside these manifests is removed on the next apply. |
| network | EnvironmentNetwork | Defines default network-specific settings for the Environment. |
HibernationConfig
Consolidates hibernation scheduling logic.
Used by the orchestrator to aggregate windows and exclusions across OU, Environment, and Project inheritance chains into a final deployment state.
| Property | Type | Description |
|---|---|---|
| hibernate | bool | When set to 'true', forces the resource into hibernation immediately, overriding any active 'windows' or 'exclusions'. Defaults to 'false'. |
| windows | list of WindowsEntry | A map of named, recurring time windows during which the resource is hibernated, rendered in this schema as a list of key/value entries. The key provides a unique name for each window. |
| exclusions | list of ExclusionsEntry | A map of named, non-recurring time ranges during which hibernation is suspended even if a 'window' is active, rendered as a list of key/value entries. Use this for planned maintenance or high-traffic periods. The key provides a unique name for each exclusion. |
AccessPermissions
Core definition for assigning administrative and viewer privileges across the platform.
Used by the engine to compute the final IAM policies (google_folder_iam_binding, etc.), aggregating individual user and group definitions to role assignments.
| Property | Type | Description |
|---|---|---|
| administrators | DetailedAccessPermissions | A list of users and groups with administrative privileges on the asset. The exact permissions are resource-dependent but typically grant full control. |
| contributors | DetailedAccessPermissions | A list of users and groups with contributor privileges on the asset. The exact permissions are resource-dependent but typically grant read and write access. |
| viewers | DetailedAccessPermissions | A list of users and groups with viewer privileges on the asset. The exact permissions are resource-dependent but typically grant read-only access. |
EnvironmentNetwork
Defines default network settings at the Environment level.
Inherited by child Projects and overriding the parent OU's settings; the resulting values drive the log_config block of VPC subnets created within this environment.
| Property | Type | Description |
|---|---|---|
| logs | NetworkLogs | Configures the default export settings for VPC flow logs for all networks within this Environment. These settings are applied to the 'log_config' block of all 'google_compute_subnetwork' resources created under this environment's projects. |
DetailedAccessPermissions
Aggregation of specific user and group access definitions.
Refers to lists of OrganizationUser and OrganizationUserGroup manifests that will be parsed to retrieve actual Google Workspace identity emails for IAM binding construction.
| Property | Type | Description |
|---|---|---|
| members | list of string | A list of 'OrganizationUser' manifest names to be included in this permission set. |
| groups | list of string | A list of 'OrganizationUserGroup' manifest names to be included in this permission set. |
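The AccessPermissions and DetailedAccessPermissions tables above describe how tiers of manifest names are merged up the OU/Environment chain and resolved to Google Workspace identities before becoming folder IAM bindings. The following Python is an added example of that computation; it is not the project's own code. The tier-to-role mapping, the user and group manifests, and the permission sets are all constructed assumptions for illustration (the page says the actual roles are resource-dependent). Unknown manifest names fail closed with an exception rather than silently dropping a principal.

```python
from typing import Dict, List, Set

# Hypothetical mapping from permission tier to IAM role. The page states the
# roles are resource-dependent, so this table is an assumption, not the project's.
TIER_TO_ROLE = {
    "administrators": "roles/resourcemanager.folderAdmin",
    "contributors": "roles/editor",
    "viewers": "roles/viewer",
}

# Constructed stand-ins for OrganizationUser / OrganizationUserGroup manifests:
# manifest name -> Google Workspace email.
USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}
GROUPS = {"platform-sre": "platform-sre@example.com", "app-devs": "app-devs@example.com"}

# Constructed permission sets for a parent OU and a child Environment.
OU_PERMS = {
    "administrators": {"groups": ["platform-sre"]},
    "viewers": {"members": ["bob"]},
}
ENV_PERMS = {
    "contributors": {"groups": ["app-devs"], "members": ["alice"]},
    "viewers": {"members": ["bob"]},  # duplicate of the OU grant; deduplicated below
}


def resolve_principals(tier: Dict[str, List[str]], users: Dict[str, str],
                       groups: Dict[str, str]) -> Set[str]:
    """Turn one DetailedAccessPermissions block into IAM member strings.

    Fails closed: a name with no matching manifest raises instead of being
    skipped, so a typo cannot silently remove an intended grant.
    """
    principals: Set[str] = set()
    for name in tier.get("members", []):
        if name not in users:
            raise KeyError(f"unknown OrganizationUser manifest: {name}")
        principals.add(f"user:{users[name]}")
    for name in tier.get("groups", []):
        if name not in groups:
            raise KeyError(f"unknown OrganizationUserGroup manifest: {name}")
        principals.add(f"group:{groups[name]}")
    return principals


def compute_folder_bindings(folder: str, perms_chain: List[dict],
                            users: Dict[str, str], groups: Dict[str, str]) -> List[dict]:
    """Merge the AccessPermissions of each manifest in the chain (OU first,
    then Environment) and emit one google_folder_iam_binding-shaped dict per
    role. One binding per role matters because the Terraform resource is
    authoritative for that role on the folder."""
    by_role: Dict[str, Set[str]] = {role: set() for role in TIER_TO_ROLE.values()}
    for perms in perms_chain:
        for tier, role in TIER_TO_ROLE.items():
            by_role[role] |= resolve_principals(perms.get(tier, {}), users, groups)
    return [
        {"folder": folder, "role": role, "members": sorted(members)}
        for role, members in by_role.items()
        if members
    ]


if __name__ == "__main__":
    for binding in compute_folder_bindings("folders/123456789", [OU_PERMS, ENV_PERMS], USERS, GROUPS):
        print(binding)
```

Because every principal for a role is collected into a single binding, the output never produces two authoritative bindings for the same role on the same folder, which would otherwise overwrite each other on alternate applies.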
NetworkLogs
Configures the export settings for VPC Flow Logs.
Translates to the log_config block of google_compute_subnetwork, determining aggregation intervals and volume sampling rates for network telemetry.
| Property | Type | Description |
|---|---|---|
| interval | string | The time window over which VPC flow log entries are aggregated before export. A shorter interval provides more immediate data, while a longer interval reduces log volume. Passed to the aggregation_interval field of the log_config block of the google_compute_subnetwork resource (Terraform accepts INTERVAL_5_SEC, INTERVAL_30_SEC, INTERVAL_1_MIN, INTERVAL_5_MIN, INTERVAL_10_MIN and INTERVAL_15_MIN). |
| sampling | double | The fraction of flows for which VPC flow log entries are generated and exported, between 0.0 (no logs) and 1.0 (all flows). Passed to the flow_sampling field of the same log_config block. A value of 0.0 disables flow logging for every subnet under the environment and removes the network telemetry that detection and incident response depend on, so production environments should keep it above zero. |
ExclusionsEntry
| Property | Type | Description |
|---|---|---|
| key | string | Unique name of the exclusion within the map. |
| value | HibernationExclusion | The exclusion definition. |
WindowsEntry
| Property | Type | Description |
|---|---|---|
| key | string | Unique name of the window within the map. |
| value | HibernationWindow | The window definition. |
HibernationExclusion
Defines a specific suspension of the hibernation schedule.
Prevents down-scaling operations during the specified timeframe, ensuring workloads remain active for special events or maintenance.
| Property | Type | Description |
|---|---|---|
| start | string | The start date and time for the exclusion window in RFC3339 format. |
| end | string | The end date and time for the exclusion window in RFC3339 format. |
HibernationWindow
Defines a recurring period when an asset should be scaled down.
Cron expressions used by the control plane's orchestration tools to stop virtual machines or scale Cloud Run instances to zero for the duration of the window.
| Property | Type | Description |
|---|---|---|
| start | string | A cron expression defining when the hibernation window begins. |
| end | string | A cron expression defining when the hibernation window ends. |
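The HibernationConfig, HibernationExclusion and HibernationWindow definitions above describe a three-way precedence (forced 'hibernate', then exclusions, then recurring windows) evaluated over a merged OU/Environment/Project chain. The Python below is an added example of that evaluation and is not the orchestrator's code. It assumes that windows and exclusions merge by key with the more specific manifest winning, that a window is open when its 'start' cron fired more recently than its 'end' cron, and that cron expressions are the common five-field form with 0 = Sunday; the sample schedule and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def _field_matches(field: str, value: int, lo: int, hi: int) -> bool:
    """Match one cron field: '*', N, A-B, comma lists and '/step'."""
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_str = part.split("/", 1)
            step = int(step_str)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(part)
            end = hi if step > 1 else start  # 'N/step' runs from N to the field maximum
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False


def cron_matches(expr: str, t: datetime) -> bool:
    """True when a 'min hour dom month dow' expression fires at minute t.
    Day-of-week is 0-6 with 0 = Sunday. Simplification (assumed): dom and
    dow must both match, unlike classic cron's OR rule when both are set."""
    minute, hour, dom, month, dow = expr.split()
    return (_field_matches(minute, t.minute, 0, 59)
            and _field_matches(hour, t.hour, 0, 23)
            and _field_matches(dom, t.day, 1, 31)
            and _field_matches(month, t.month, 1, 12)
            and _field_matches(dow, (t.weekday() + 1) % 7, 0, 6))


def last_fire(expr: str, t: datetime, horizon: timedelta = timedelta(days=8)) -> Optional[datetime]:
    """Most recent minute <= t at which expr fired, scanning back one minute at
    a time; None if it did not fire within the horizon."""
    cur = t.replace(second=0, microsecond=0)
    stop = cur - horizon
    while cur >= stop:
        if cron_matches(expr, cur):
            return cur
        cur -= timedelta(minutes=1)
    return None


def window_active(window: Dict[str, str], t: datetime) -> bool:
    """A HibernationWindow is open if 'start' fired more recently than 'end'."""
    started, ended = last_fire(window["start"], t), last_fire(window["end"], t)
    return started is not None and (ended is None or started > ended)


def parse_rfc3339(s: str) -> datetime:
    """Parse an RFC3339 timestamp into an aware datetime ('Z' means UTC)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def effective_config(chain: List[Optional[dict]]) -> dict:
    """Merge OU -> Environment -> Project HibernationConfig values. Assumed
    semantics: windows and exclusions merge by key with the child winning;
    'hibernate' comes from the most specific manifest that sets it."""
    merged = {"hibernate": False, "windows": {}, "exclusions": {}}
    for cfg in chain:
        if not cfg:
            continue
        merged["windows"].update(cfg.get("windows", {}))
        merged["exclusions"].update(cfg.get("exclusions", {}))
        if "hibernate" in cfg:
            merged["hibernate"] = bool(cfg["hibernate"])
    return merged


def is_hibernated(cfg: dict, now: datetime) -> bool:
    """Precedence from the page: forced hibernate, then exclusions, then windows."""
    if cfg["hibernate"]:
        return True
    for ex in cfg["exclusions"].values():
        if parse_rfc3339(ex["start"]) <= now < parse_rfc3339(ex["end"]):
            return False
    return any(window_active(w, now) for w in cfg["windows"].values())


# Constructed sample chain: the OU hibernates weeknights 19:00-07:00 UTC (which
# also covers the weekend, since no 'end' fires on Saturday or Sunday); the
# Environment inherits it; the Project adds a one-off exclusion for a release.
OU_HIBERNATION = {"windows": {"weeknights": {"start": "0 19 * * 1-5", "end": "0 7 * * 1-5"}}}
ENV_HIBERNATION: dict = {}
PROJECT_HIBERNATION = {"exclusions": {"release-freeze": {
    "start": "2024-06-12T18:00:00Z", "end": "2024-06-13T09:00:00Z"}}}


def project_hibernated_at(iso_ts: str) -> bool:
    cfg = effective_config([OU_HIBERNATION, ENV_HIBERNATION, PROJECT_HIBERNATION])
    return is_hibernated(cfg, parse_rfc3339(iso_ts))


if __name__ == "__main__":
    for ts in ("2024-06-12T15:00:00Z", "2024-06-11T22:00:00Z",
               "2024-06-12T22:00:00Z", "2024-06-15T12:00:00Z"):
        print(ts, project_hibernated_at(ts))
```

The backward scan keeps the example dependency-free; a production evaluator would use a cron library and should also reject windows whose 'start' and 'end' never both fire within the horizon, since such a window would silently never close.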