External Application
ExternalApplication
Defines a placeholder workload that acts as an access control and routing target, similar to Application, but built from external source artifacts.
Creates the same foundational identity, networking, and mesh structures as a native Application, allowing the environment to route traffic to and grant IAM access for an image developed outside the immediate workspace.
| Property | Type | Description |
|---|---|---|
| apiVersion | string | |
| kind | string | |
| metadata | map | |
| spec | ApplicationDefinition | Houses the configuration for the external application, mirroring the structure of a native Application. Provides the execution engine with the registry coordinates, required platform parameters, and access needs for the off-site workload. |
ApplicationDefinition
| Property | Type | Description |
|---|---|---|
| description | string | The description of the role of the current Application/ExternalApplication |
| target | string | Defines the target compute platform where this application will be deployed (e.g., KUBERNETES, CLOUD_RUN, COMPUTE). This field determines which underlying infrastructure module is used (e.g., 'google_cloud_run_v2_service' for CLOUD_RUN) to provision and manage the application's runtime environment. |
| meshStrategy | string | Determines how the application integrates with the service mesh. - 'SIDECAR': Deploys a full proxy sidecar alongside the application for traffic management. - 'PROXYLESS': Uses gRPC libraries within the application for mesh connectivity, removing the need for a sidecar. - 'DISABLED': The application will not be part of the service mesh. This value dictates the creation of mesh-related resources. 'SIDECAR' results in a 'google_network_services_http_route' or 'grpc_route' pointing to a backend service with a 'SIDECAR_PROXY' load balancing scheme. 'PROXYLESS' configures the application to use gRPC-based service discovery. |
| source | string | The name of the 'BuildDefinition' or 'ExternalApplication' manifest that defines the source of the container image for this application. Creates a dependency to the source manifest, allowing the platform to look up the correct container image URL for deployments. |
| container | string | The specific container definition to use from the source 'BuildDefinition' or 'ExternalApplication' manifest. This is required when the source defines multiple containers. This value is used to look up the specific container image URL and tag from the source manifest, which is then used in the 'containers.image' attribute of the 'google_cloud_run_v2_service' or other compute resource. |
| project | string | The name of the 'Project' manifest where this application will be deployed. This project must be included in all environments defined in the application's parent 'ReleaseTrack'. Determines the GCP project where all underlying resources for this application (e.g., Cloud Run service, IAM bindings) will be provisioned. |
| accessControl | ApplicationAccessControlConfig | Defines the permissions this application has to other resources within the platform, such as Buckets, Databases, Pub/Sub topics, and Secrets. This block generates the necessary 'google_*_iam_binding' resources to grant the application's service account the specified permissions. |
| runMigrationJob | bool | If true, the platform will create and run a one-off job before deploying the main service. This is typically used for database schema migrations. If true, a 'google_cloud_run_v2_job' resource is created using a dedicated container image. The main 'google_cloud_run_v2_service' is configured to depend on the successful completion of this job. |
| bundleOnly | bool | If true, this application will not be deployed through pre-release tracks. Its build versions are stored directly as successful deployments, making them available for inclusion in release track bundles without going through staged rollouts. |
ApplicationAccessControlConfig
Aggregates all external access rules an application requires.
Computes the comprehensive list of IAM bindings, SQL grants, and secret consumptions that must be provisioned alongside the application's actual deployment.
| Property | Type | Description |
|---|---|---|
| additionalRoles | list of string | A list of additional roles to grant to the application's service account. |
| pubsub | ApplicationAccessControlPubsubConfig | Defines the application's permissions to publish or subscribe to specific Pub/Sub topics. |
| buckets | list of ApplicationAccessControlBucketConfig | A list defining the application's permissions to read from or write to specific Google Cloud Storage buckets. Each entry names the 'Bucket' manifest it applies to and the permission level granted on it. |
| database | ApplicationAccessControlDatabaseConfig | Defines the application's permissions to a specific PostgreSQL database instance and schema. |
| secrets | list of SecretsEntry | A list of key/value entries (the serialized form of a map) defining the secrets that the application needs access to. The 'key' of each entry is the name of the 'Secret' manifest, and the 'value' specifies how it should be exposed to the application (as an environment variable or a mounted file). |
| redis | list of ApplicationAccessControlRedisConfig | Defines the application's access to Redis cache instances. Injects the Redis URL as an environment variable and creates a deployment dependency on the Redis DNS record. |
ApplicationAccessControlPubsubConfig
Configures Pub/Sub interaction permissions for a workload.
Translates to roles/pubsub.publisher and/or roles/pubsub.subscriber IAM bindings, scoped to the named topics, assigned to the application's underlying service account.
| Property | Type | Description |
|---|---|---|
| publishTo | list of string | A list of 'PubSub' manifest names that this application is allowed to publish messages to. Grants the 'roles/pubsub.publisher' role to the application's service account for each specified topic. |
| subscribeTo | list of string | A list of 'PubSub' manifest names that this application is allowed to create subscriptions for and pull messages from. Grants the 'roles/pubsub.subscriber' role to the application's service account for each specified topic. |
SecretsEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | SecretSourceConfig | Defines how the named secret is exposed to the application. |
ApplicationAccessControlBucketConfig
Configures Google Cloud Storage interaction permissions for a workload.
Translates to roles/storage.objectViewer or roles/storage.objectUser IAM bindings assigned to the application's service account, and can map specific paths.
| Property | Type | Description |
|---|---|---|
| name | string | The name of the 'Bucket' manifest that this application requires access to. This bucket must be present in all environments defined in the parent 'ReleaseTrack'. |
| source | string | If specified, refers to a 'GithubRepository' manifest that contains the source data to be synchronized into the bucket. This is used by the CI/CD system to set up a 'gcloud storage rsync' job. |
| permission | string | The permission level granted to the application for this bucket ('READ_ONLY' or 'WRITE'). Grants either 'roles/storage.objectViewer' (for READ_ONLY) or 'roles/storage.objectUser' (for WRITE) to the application's service account for the specified bucket. |
| mountPath | string | The absolute path where the bucket should be mounted as a file within the application's container. If omitted, permissions will be granted on the bucket but it will not be mounted as a file. |
| subPath | string | A sub-path within the bucket that the application will have access to. If omitted, access is granted to the entire bucket. This path is often used for mounting specific bucket folders into a container. |
| promote | bool | If true, the bucket content will be promoted through the ReleaseTrack alongside the application. This is typically used for storing generic application configuration data. |
| envVar | string | The name of the environment variable that will hold the resolved bucket name. This is mutually exclusive with 'mountPath'. When set, the application receives the bucket name as a plain environment variable instead of a file mount and accesses objects through the Storage API with its own service account. |
ApplicationAccessControlDatabaseConfig
Configures PostgreSQL interaction permissions for a workload.
Executes dynamic DDL (CREATE USER, GRANT) against the target SQL instance using an administrative proxy, setting up specific schema rights.
| Property | Type | Description |
|---|---|---|
| name | string | The name of the 'Database' manifest that this application requires access to. |
| schema | string | The specific PostgreSQL schema within the target database instance that the application will connect to. The 'privileges' below are granted on this schema. |
| privileges | list of string | A list of SQL privileges to grant to the application's user role on the specified schema (e.g., 'USAGE', 'CREATE'). Translates into 'GRANT' statements executed against the PostgreSQL instance. |
| readOnly | bool | If true, grants the application read-only access to the database. This is typically used for connecting to a read replica. |
| extensions | list of string | A list of PostgreSQL extensions to enable in the target database for the application's use. Executes 'CREATE EXTENSION IF NOT EXISTS' for each extension in the list. |
| secretSource | SecretSourceConfig | Defines how the application should retrieve the database credentials (e.g., from which 'Secret' manifest and whether they arrive as an environment variable or a file). |
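The ApplicationAccessControlConfig, Pub/Sub, bucket and database sections above describe how one accessControl block is turned into IAM bindings plus DDL run against the instance. The following is an added example, not the platform's own code, that performs that translation for a constructed manifest spec and enforces the constraints the reference states (READ_ONLY/WRITE only, mountPath and envVar mutually exclusive, absolute mount paths). The Pub/Sub and Storage role names are the ones listed above; the Secret Manager role, the project-level scope for additionalRoles and the exact rendering of the DDL are assumptions. The identifier allow-list is the check a practitioner would want before letting manifest strings reach DDL that executes with administrative privileges.

```python
"""Derive the bindings and DDL implied by an ExternalApplication accessControl block.

Added illustration, not the platform's own code. Role names for Pub/Sub and Storage
are the ones the reference lists; SECRET_ROLE, the project-level scope used for
additionalRoles and the DDL wording are assumptions made for this example.
"""
import re
from dataclasses import dataclass

BUCKET_ROLES = {"READ_ONLY": "roles/storage.objectViewer", "WRITE": "roles/storage.objectUser"}
SECRET_ROLE = "roles/secretmanager.secretAccessor"   # assumed: standard payload-access role
SCHEMA_PRIVILEGES = {"USAGE", "CREATE"}              # the only schema-level privileges in PostgreSQL
IDENT = re.compile(r"^[a-z_][a-z0-9_]{0,62}$")        # conservative identifier allow-list


@dataclass(frozen=True)
class Binding:
    resource: str   # "<kind>:<manifest name>"
    role: str


def quote_ident(name: str) -> str:
    """Refuse anything that is not a plain identifier: the DDL runs with admin rights."""
    if not IDENT.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return f'"{name}"'


def database_ddl(db: dict, app_role: str) -> list[str]:
    """DDL the reference describes: CREATE USER, GRANT on the schema, CREATE EXTENSION."""
    schema = quote_ident(db["schema"])
    role = quote_ident(app_role)
    privs = set(db.get("privileges", []))
    unsupported = privs - SCHEMA_PRIVILEGES
    if unsupported:
        raise ValueError(f"unsupported schema privileges: {sorted(unsupported)}")
    if db.get("readOnly") and "CREATE" in privs:
        raise ValueError("readOnly database access cannot also grant CREATE")
    ddl = [f"CREATE USER {role};"]
    if privs:
        ddl.append(f"GRANT {', '.join(sorted(privs))} ON SCHEMA {schema} TO {role};")
    if db.get("readOnly"):  # assumed rendering of "read-only access"
        ddl.append(f"GRANT SELECT ON ALL TABLES IN SCHEMA {schema} TO {role};")
    for ext in db.get("extensions", []):
        ddl.append(f"CREATE EXTENSION IF NOT EXISTS {quote_ident(ext)};")
    return ddl


def plan_access(spec: dict, app_role: str = "app") -> tuple[list[Binding], list[str], list[str]]:
    """Return (iam_bindings, sql_ddl, errors); errors are manifest constraint violations."""
    ac = spec.get("accessControl", {})
    bindings: list[Binding] = []
    errors: list[str] = []
    for role in ac.get("additionalRoles", []):
        bindings.append(Binding(f"project:{spec['project']}", role))  # scope is assumed
    pubsub = ac.get("pubsub", {})
    for topic in pubsub.get("publishTo", []):
        bindings.append(Binding(f"pubsub:{topic}", "roles/pubsub.publisher"))
    for topic in pubsub.get("subscribeTo", []):
        bindings.append(Binding(f"pubsub:{topic}", "roles/pubsub.subscriber"))
    for b in ac.get("buckets", []):
        role = BUCKET_ROLES.get(b.get("permission", ""))
        if role is None:
            errors.append(f"bucket {b.get('name')}: permission must be READ_ONLY or WRITE")
        elif b.get("mountPath") and b.get("envVar"):
            errors.append(f"bucket {b['name']}: mountPath and envVar are mutually exclusive")
        elif b.get("mountPath") and not b["mountPath"].startswith("/"):
            errors.append(f"bucket {b['name']}: mountPath must be absolute")
        else:
            bindings.append(Binding(f"bucket:{b['name']}", role))
    for entry in ac.get("secrets", []):
        bindings.append(Binding(f"secret:{entry['key']}", SECRET_ROLE))
    ddl: list[str] = []
    if "database" in ac:
        try:
            ddl = database_ddl(ac["database"], app_role)
        except ValueError as exc:
            errors.append(f"database: {exc}")
    return bindings, ddl, errors


# Constructed sample spec for this example; not taken from the page.
SAMPLE_SPEC = {
    "target": "CLOUD_RUN",
    "meshStrategy": "SIDECAR",
    "source": "payments-image",
    "project": "payments-prod",
    "accessControl": {
        "pubsub": {"publishTo": ["payment-events"], "subscribeTo": ["order-created"]},
        "buckets": [{"name": "invoices", "permission": "WRITE", "mountPath": "/mnt/invoices"}],
        "secrets": [{"key": "db-password", "value": {"envVar": "DB_PASSWORD", "version": "7"}}],
        "database": {"name": "payments-db", "schema": "payments",
                     "privileges": ["USAGE"], "readOnly": False, "extensions": ["pgcrypto"]},
    },
}

if __name__ == "__main__":
    for item in plan_access(SAMPLE_SPEC, app_role="payments_svc"):
        print(item)
```

Running the sample yields one publisher and one subscriber binding, an objectUser binding on the bucket, a secretAccessor binding on the secret, and three DDL statements. A spec that sets both mountPath and envVar on a bucket, or that smuggles a statement terminator into the schema name, produces errors and no DDL at all, which is the behaviour to insist on when manifests from many teams feed an administrative proxy.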
ApplicationAccessControlRedisConfig
Configures Redis cache access for a workload.
Injects the Redis connection URL as an environment variable and establishes a graph dependency on the Redis manifest's DNS record to ensure the stable FQDN is resolvable before the application deploys.
All Memorystore Redis instances are provisioned with SERVER_AUTHENTICATION transit encryption (TLS). The CA certificate is extracted from the instance state and mounted as a volume in the container so the application can configure its TLS trust pool.
| Property | Type | Description |
|---|---|---|
| name | string | The name of the 'Redis' manifest that this application requires access to. |
| envVar | string | The name of the environment variable that will hold the Redis connection URL. The URL has the form redis[s]://memory-<redis-name>.<internal-domain>:<port>. Meshed applications (SIDECAR or PROXYLESS) receive redis:// on port 6380; direct connections (DISABLED) receive rediss:// on port 6379. The scheme therefore tells the application whether it must establish TLS itself (rediss://) or whether the mesh carries the connection (redis://). |
| caCertPath | string | The absolute file path inside the container where the Redis server CA certificate will be mounted. The application must load this PEM file into its TLS configuration to validate the Memorystore server's identity. |
SecretSourceConfig
Defines how a secret should be retrieved and mounted into a workload.
Triggers IAM bindings for Secret Manager payload access. Values are resolved just in time and passed into the container via environment variables or file mounts.
| Property | Type | Description |
|---|---|---|
| envVar | string | The name of the environment variable that will hold the secret's value. This is mutually exclusive with a file mount ('file_path'). |
| version | string | The specific version of the secret to retrieve from the backend (e.g., 'latest' or a specific version number like '1'). If omitted, 'latest' is assumed. Pinning a version makes deployments reproducible; 'latest' silently picks up whichever version was most recently added to the secret. |