External Application
ExternalApplication
Defines a placeholder workload that acts as an access control and routing target, similar to Application, but built from external source artifacts.
Creates the same foundational identity, networking, and mesh structures as a native Application, allowing the environment to route traffic to and grant IAM access for an image developed outside the immediate workspace.
| Property | Type | Description |
|---|---|---|
| apiVersion | string | |
| kind | string | |
| metadata | map | |
| spec | ApplicationDefinition | Houses the configuration for the external application, mirroring the structure of a native Application. Provides the execution engine with the registry coordinates, required platform parameters, and access needs for the off-site workload. |
ApplicationDefinition
| Property | Type | Description |
|---|---|---|
| description | string | The description of the role of the current Application/ExternalApplication |
| target | string | Defines the target compute platform where this application will be deployed (e.g., KUBERNETES, CLOUD_RUN, COMPUTE). This field determines which underlying infrastructure module is used (e.g., 'google_cloud_run_v2_service' for CLOUD_RUN) to provision and manage the application's runtime environment. |
| meshStrategy | string | Determines how the application integrates with the service mesh. - 'SIDECAR': Deploys a full proxy sidecar alongside the application for traffic management. - 'PROXYLESS': Uses gRPC libraries within the application for mesh connectivity, removing the need for a sidecar. - 'DISABLED': The application will not be part of the service mesh. This value dictates the creation of mesh-related resources. 'SIDECAR' results in a 'google_network_services_http_route' or 'grpc_route' pointing to a backend service with a 'SIDECAR_PROXY' load balancing scheme. 'PROXYLESS' configures the application to use gRPC-based service discovery. |
| source | string | The name of the 'BuildDefinition' or 'ExternalApplication' manifest that defines the source of the container image for this application. Creates a dependency to the source manifest, allowing the platform to look up the correct container image URL for deployments. |
| container | string | The specific container definition to use from the source 'BuildDefinition' or 'ExternalApplication' manifest. This is required when the source defines multiple containers. This value is used to look up the specific container image URL and tag from the source manifest, which is then used in the 'containers.image' attribute of the 'google_cloud_run_v2_service' or other compute resource. |
| project | string | The name of the 'Project' manifest where this application will be deployed. This project must be included in all environments defined in the application's parent 'ReleaseTrack'. Determines the GCP project where all underlying resources for this application (e.g., Cloud Run service, IAM bindings) will be provisioned. |
| accessControl | ApplicationAccessControlConfig | Defines the permissions this application has to other resources within the platform, such as Buckets, Databases, Pub/Sub topics, and Secrets. This block generates the necessary 'google_*_iam_binding' resources to grant the application's service account the specified permissions. |
| runMigrationJob | bool | If true, the platform will create and run a one-off job before deploying the main service. This is typically used for database schema migrations. If true, a 'google_cloud_run_v2_job' resource is created using a dedicated container image. The main 'google_cloud_run_v2_service' is configured to depend on the successful completion of this job. |
ApplicationAccessControlConfig
Aggregates all external access rules an application requires.
Computes the comprehensive list of IAM bindings, SQL grants, and secret consumptions that must be provisioned alongside the application's actual deployment.
| Property | Type | Description |
|---|---|---|
| additionalRoles | list of string | A list of additional roles to grant to the application's service account. |
| pubsub | ApplicationAccessControlPubsubConfig | Defines the application's permissions to publish or subscribe to specific Pub/Sub topics. |
| buckets | list of ApplicationAccessControlBucketConfig | A list defining the application's permissions to read from or write to specific Google Cloud Storage buckets. The key of the map is a logical name for the bucket access rule. |
| database | ApplicationAccessControlDatabaseConfig | Defines the application's permissions to a specific PostgreSQL database instance and schema. |
| secrets | list of SecretsEntry | A map defining the secrets that the application needs access to. The key of the map is the name of the 'Secret' manifest, and the value specifies how it should be exposed to the application (e.g., as an environment variable or a mounted file). |
ApplicationAccessControlPubsubConfig
Configures Pub/Sub interaction permissions for a workload.
Translates to roles/pubsub.publisher and roles/pubsub.subscriber IAM bindings assigned to the application's underlying service account.
| Property | Type | Description |
|---|---|---|
| publishTo | list of string | A list of 'PubSub' manifest names that this application is allowed to publish messages to. Grants the 'roles/pubsub.publisher' role to the application's service account for each specified topic. |
| subscribeTo | list of string | A list of 'PubSub' manifest names that this application is allowed to create subscriptions for and pull messages from. Grants the 'roles/pubsub.subscriber' role to the application's service account for each specified topic. |
ApplicationAccessControlBucketConfig
Configures Google Cloud Storage interaction permissions for a workload.
Translates to roles/storage.objectViewer or roles/storage.objectUser IAM bindings assigned to the application's service account, and can map specific paths.
| Property | Type | Description |
|---|---|---|
| name | string | The name of the 'Bucket' manifest that this application requires access to. This bucket must be present in all environments defined in the parent 'ReleaseTrack'. |
| source | string | If specified, refers to a 'GithubRepository' manifest that contains the source data to be synchronized into the bucket. This is used by the CI/CD system to set up a 'gcloud storage rsync' job. |
| permission | string | The permission level granted to the application for this bucket ('READ_ONLY' or 'WRITE'). Grants either 'roles/storage.objectViewer' (for READ_ONLY) or 'roles/storage.objectUser' (for WRITE) to the application's service account for the specified bucket. |
| mountPath | string | The absolute path where the bucket should be mounted as a file within the application's container. If omitted, permissions will be granted on the bucket but it will not be mounted as a file. |
| subPath | string | A sub-path within the bucket that the application will have access to. If omitted, access is granted to the entire bucket. This path is often used for mounting specific bucket folders into a container. |
| promote | bool | If true, the bucket content will be promoted through the ReleaseTrack alongside the application. This is typically used for storing generic application configuration data. |
SecretsEntry
| Property | Type | Description |
|---|---|---|
| key | string | The name of the 'Secret' manifest the application needs access to. |
| value | SecretSourceConfig | Specifies how the secret is exposed to the application (e.g., as an environment variable or a mounted file). |
ApplicationAccessControlDatabaseConfig
Configures PostgreSQL interaction permissions for a workload.
Executes dynamic DDL (CREATE USER, GRANT) against the target SQL instance using an administrative proxy, setting up specific schema rights.
| Property | Type | Description |
|---|---|---|
| name | string | The name of the 'Database' manifest that this application requires access to. |
| schema | string | The specific database (schema) within the database instance that the application will connect to. |
| privileges | list of string | A list of SQL privileges to grant to the application's user role on the specified schema (e.g., 'USAGE', 'CREATE'). Translates into 'GRANT' statements executed against the PostgreSQL instance. |
| readOnly | bool | If true, grants the application read-only access to the database. This is typically used for connecting to a read replica. |
| skipSchemaCreation | bool | If true, this application deployment will not attempt to create the specified schema. This is useful for applications that require a specific schema to exist before they can be deployed, such as applications that use a specific database migration tool or when another application has already created the schema. |
| extensions | list of string | A list of PostgreSQL extensions to enable in the target database for the application's use. Executes 'CREATE EXTENSION IF NOT EXISTS' for each extension in the list. |
| secretSource | SecretSourceConfig | Defines how the application should retrieve the database credentials (e.g., from which 'Secret' manifest). |
SecretSourceConfig
Defines how a secret should be retrieved and mounted into a workload.
Triggers IAM bindings for Secret Manager payload access. Values are resolved just in time (JIT) and passed into the container via environment variables or file mounts.
| Property | Type | Description |
|---|---|---|
| envVar | string | The name of the environment variable that will hold the secret's value. This is mutually exclusive with 'file_path'. |
| version | string | The specific version of the secret to retrieve from the backend (e.g., 'latest' or a specific version number like '1'). If omitted, 'latest' is assumed. |
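The following review helper is an added example, not the platform's own validator or provisioning code. It reads a manifest shaped like the ApplicationDefinition, ApplicationAccessControlConfig and SecretSourceConfig tables above and does two things a reviewer wants before the manifest is applied: it flags schema problems (unknown meshStrategy, bucket permission outside READ_ONLY/WRITE, envVar combined with file_path, an unpinned secret version), and it enumerates the IAM bindings and SQL statements the page says the platform derives from accessControl, so the resulting grant set can be read and approved as a whole. The role mappings are the ones stated on this page. Assumptions: 'file_path' (mentioned but not tabulated in SecretSourceConfig) is the file-mount counterpart of 'envVar'; the GRANT statement shape and the 'app_role' name are illustrative placeholders, since the page only says privileges become GRANT statements; the apiVersion value and the whole SAMPLE manifest are constructed.

```python
"""Review helper for an ExternalApplication manifest (added example; not the
platform's own code). Role mappings come from the reference tables; the
manifest below is a constructed sample."""

BUCKET_ROLES = {"READ_ONLY": "roles/storage.objectViewer",   # page: READ_ONLY
                "WRITE": "roles/storage.objectUser"}          # page: WRITE
MESH_STRATEGIES = {"SIDECAR", "PROXYLESS", "DISABLED"}


def check_secret_source(label, src, warnings, errors):
    """envVar and file_path are mutually exclusive; an unpinned version is a review item."""
    if "envVar" in src and "file_path" in src:        # file_path assumed: the file-mount field
        errors.append(f"{label}: envVar and file_path are mutually exclusive")
    if src.get("version", "latest") == "latest":      # page: omitted version means 'latest'
        warnings.append(f"{label}: secret version is 'latest'; a newly added version "
                        "takes effect at the next deploy without a manifest change")


def validate(manifest):
    """Return {'errors': [...], 'warnings': [...]} for one manifest."""
    errors, warnings = [], []
    spec = manifest.get("spec", {})
    if manifest.get("kind") != "ExternalApplication":
        errors.append(f"kind must be ExternalApplication, got {manifest.get('kind')!r}")
    for field in ("source", "project", "target"):
        if not spec.get(field):
            errors.append(f"spec.{field} is required")
    if spec.get("meshStrategy") not in MESH_STRATEGIES:
        errors.append(f"spec.meshStrategy must be one of {sorted(MESH_STRATEGIES)}")
    ac = spec.get("accessControl", {})
    for bucket in ac.get("buckets", []):
        if bucket.get("permission") not in BUCKET_ROLES:
            errors.append(f"bucket {bucket.get('name')!r}: permission must be READ_ONLY or WRITE")
    for entry in ac.get("secrets", []):
        check_secret_source(f"secret {entry.get('key')!r}", entry.get("value", {}), warnings, errors)
    db = ac.get("database")
    if db:
        check_secret_source(f"database {db.get('name')!r} credentials",
                            db.get("secretSource", {}), warnings, errors)
    for role in ac.get("additionalRoles", []):
        # Unlike bucket/pubsub rules, these roles are not tied to a named resource
        # manifest, so each one needs an explicit justification in review.
        warnings.append(f"additionalRoles grants {role} to the service account outside "
                        "the per-resource rules; justify or narrow it")
    return {"errors": errors, "warnings": warnings}


def expected_grants(manifest):
    """Enumerate the bindings and statements the page says accessControl produces."""
    ac = manifest.get("spec", {}).get("accessControl", {})
    iam, sql = [], []
    pubsub = ac.get("pubsub", {})
    iam += [("pubsub", t, "roles/pubsub.publisher") for t in pubsub.get("publishTo", [])]
    iam += [("pubsub", t, "roles/pubsub.subscriber") for t in pubsub.get("subscribeTo", [])]
    for bucket in ac.get("buckets", []):
        role = BUCKET_ROLES.get(bucket.get("permission"))
        if role:
            iam.append(("bucket", bucket["name"], role))
    db = ac.get("database")
    if db:
        sql += [f'CREATE EXTENSION IF NOT EXISTS "{ext}";' for ext in db.get("extensions", [])]
        # Illustrative GRANT form; 'app_role' stands in for the application's SQL user.
        sql += [f'GRANT {p} ON SCHEMA "{db.get("schema")}" TO app_role;'
                for p in db.get("privileges", [])]
    return iam, sql


# Constructed sample manifest (not from the page); apiVersion is a placeholder.
SAMPLE = {
    "apiVersion": "example/v1",
    "kind": "ExternalApplication",
    "metadata": {"name": "billing-gateway"},
    "spec": {
        "description": "Vendor-built billing gateway image",
        "target": "CLOUD_RUN",
        "meshStrategy": "SIDECAR",
        "source": "billing-gateway-image",
        "container": "gateway",
        "project": "payments-project",
        "accessControl": {
            "additionalRoles": ["roles/cloudtrace.agent"],
            "pubsub": {"publishTo": ["invoice-events"], "subscribeTo": ["payment-requests"]},
            "buckets": [{"name": "invoice-archive", "permission": "WRITE",
                         "mountPath": "/mnt/invoices"}],
            "database": {"name": "billing-db", "schema": "billing", "privileges": ["USAGE"],
                         "extensions": ["pgcrypto"],
                         "secretSource": {"envVar": "DATABASE_URL", "version": "3"}},
            "secrets": [{"key": "stripe-api-key", "value": {"envVar": "STRIPE_KEY"}}],
        },
    },
}

if __name__ == "__main__":
    report = validate(SAMPLE)
    bindings, statements = expected_grants(SAMPLE)
    for line in report["errors"] + report["warnings"] + bindings + statements:
        print(line)
```

Run the module directly to print the review of the built-in sample: it has no errors, two warnings (the unpinned 'stripe-api-key' version and the extra tracing role), three IAM bindings and two SQL statements. Feeding a real manifest through `validate` and `expected_grants` before the CI/CD system applies it turns the accessControl block into a reviewable list of grants rather than something discovered after provisioning.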