Organizational Unit
OrganizationalUnit
Defines a middle-tier container within the Infrastream resource hierarchy.
Groups related Environments and Release Tracks, providing a logical structure that reflects a core business unit or product area. It serves as a primary hub for configuration inheritance, dictating cascading permissions, regional parameters, and hibernation logic across child environments.
| Property | Type | Description |
|---|---|---|
| apiVersion | string | |
| kind | string | |
| metadata | map | |
| spec | OrganizationalUnitDefinition | Spec contains the user-defined configuration for the organizational unit. Spec uses the shared OrganizationalUnitDefinition from common.proto. |
OrganizationalUnitDefinition
High-level definition of an Organizational Unit used to group environments and govern policies.
Maps to a GCP Folder hierarchy (google_folder), acting as an administrative boundary where IAM permissions and default network/hibernation policies are applied and propagated.
| Property | Type | Description |
|---|---|---|
| displayName | string | The display name of the GCP asset. If unspecified, uses the metadata.name field of the manifest. |
| description | string | A description of the GCP asset. |
| hibernation | HibernationConfig | Defines a default schedule for automatically hibernating all resources within this Organizational Unit. This schedule can be overridden by child 'Environment' or 'Project' manifests. The computed schedule is used to control the active hours for underlying resources like 'google_compute_instance' and 'google_cloud_run_service' to manage costs. |
| permissions | AccessPermissions | Defines the default permissions for all resources within this Organizational Unit. These permissions are inherited by child 'Environment' and 'Project' manifests. These permissions are translated into 'google_folder_iam_binding' resources, granting the specified roles to principals on the corresponding GCP Folder. |
| network | OrganizationalUnitNetwork | Defines default network-specific settings for the Organizational Unit. |
HibernationConfig
Consolidates hibernation scheduling logic.
Used by the orchestrator to aggregate windows and exclusions across OU, Environment, and Project inheritance chains into a final deployment state.
| Property | Type | Description |
|---|---|---|
| hibernate | bool | When set to 'true', forces the resource into hibernation immediately, overriding any active 'windows' or 'exclusions'. Defaults to 'false'. |
| windows | list of WindowsEntry | A map of recurring time windows during which the resource will be hibernated. The key of the map provides a unique name for each window. |
| exclusions | list of ExclusionsEntry | A map of specific, non-recurring time windows during which hibernation will be suspended, even if a 'window' is active. Use this for planned maintenance or high-traffic periods. The key of the map provides a unique name for each exclusion. |
AccessPermissions
Core definition for assigning administrative and viewer privileges across the platform.
Used by the engine to compute the final IAM policies (google_folder_iam_binding, etc.), aggregating individual user and group definitions into role assignments.
| Property | Type | Description |
|---|---|---|
| administrators | DetailedAccessPermissions | A list of users and groups with administrative privileges on the asset. The exact permissions are resource-dependent but typically grant full control. |
| contributors | DetailedAccessPermissions | A list of users and groups with contributor privileges on the asset. The exact permissions are resource-dependent but typically grant read and write access. |
| viewers | DetailedAccessPermissions | A list of users and groups with viewer privileges on the asset. The exact permissions are resource-dependent but typically grant read-only access. |
OrganizationalUnitNetwork
Defines default network settings at the Organizational Unit (OU) level.
Inherited by any Environment or Project within this OU, determining default VPC flow log configurations for generated subnetworks.
| Property | Type | Description |
|---|---|---|
| logs | NetworkLogs | Configures the default export settings for VPC flow logs for all networks within this Organizational Unit. These settings are applied to the 'log_config' block of all 'google_compute_subnetwork' resources created under this unit. |
DetailedAccessPermissions
Aggregation of specific user and group access definitions.
Refers to lists of OrganizationUser and OrganizationUserGroup manifests that will be parsed to retrieve actual Google Workspace identity emails for IAM binding construction.
| Property | Type | Description |
|---|---|---|
| members | list of string | A list of 'OrganizationUser' manifest names to be included in this permission set. |
| groups | list of string | A list of 'OrganizationUserGroup' manifest names to be included in this permission set. |
NetworkLogs
Configures the export settings for VPC Flow Logs.
Translates to the log_config block of google_compute_subnetwork, determining aggregation intervals and volume sampling rates for network telemetry.
| Property | Type | Description |
|---|---|---|
| interval | string | The time window for which VPC flow logs are aggregated before being exported. A shorter interval provides more immediate data, while a longer interval reduces the volume of logs generated. This value is passed to the aggregation_interval field of the google_compute_subnetwork_log_config resource. |
| sampling | double | The fraction of network connections for which VPC flow logs will be generated and exported. The value must be between 0.0 (no logs) and 1.0 (all logs). This value is passed to the flow_sampling field of the google_compute_subnetwork_log_config resource. |
ExclusionsEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | HibernationExclusion | |
WindowsEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | HibernationWindow | |
HibernationExclusion
Defines a specific suspension of the hibernation schedule.
Prevents down-scaling operations during the specified timeframe, ensuring workloads remain active for special events or maintenance.
| Property | Type | Description |
|---|---|---|
| start | string | The start date and time for the exclusion window in RFC3339 format. |
| end | string | The end date and time for the exclusion window in RFC3339 format. |
HibernationWindow
Defines a recurring period when an asset should be scaled down.
Expressed as cron strings that the control plane's orchestration tools use to dynamically stop virtual machines or scale Cloud Run instances to zero.
| Property | Type | Description |
|---|---|---|
| start | string | A cron expression defining when the hibernation window begins. |
| end | string | A cron expression defining when the hibernation window ends. |
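As an added example (not part of the Infrastream schema or its orchestrator), the following Python evaluates a HibernationConfig the way the HibernationConfig, HibernationWindow and HibernationExclusion tables describe it: hibernate=true forces hibernation, an exclusion suspends an active window, and a window is open between the firing of its start cron and the firing of its end cron. The minimal cron matcher, the look-back method of deciding whether a window is open, and the sample schedule are assumptions for illustration; the platform's real scheduler may work differently.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

def _cron_field_matches(spec: str, value: int) -> bool:
    """Match one cron field: '*', a number, a range 'a-b', or a comma list of those."""
    for part in spec.split(","):
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def cron_matches(expr: str, t: datetime) -> bool:
    """Five-field cron (minute hour day-of-month month day-of-week, Sunday = 0)."""
    values = (t.minute, t.hour, t.day, t.month, t.isoweekday() % 7)
    return all(_cron_field_matches(s, v) for s, v in zip(expr.split(), values))

@dataclass
class HibernationConfig:
    hibernate: bool = False
    windows: dict = field(default_factory=dict)     # name -> HibernationWindow {start, end} crons
    exclusions: dict = field(default_factory=dict)  # name -> HibernationExclusion {start, end} RFC3339

def window_active(window: dict, t: datetime, lookback_days: int = 7) -> bool:
    """Open if the 'start' cron fired more recently than 'end'; a week covers any weekday pattern."""
    cursor = t.replace(second=0, microsecond=0)
    for _ in range(lookback_days * 24 * 60):
        if cron_matches(window["end"], cursor):
            return False
        if cron_matches(window["start"], cursor):
            return True
        cursor -= timedelta(minutes=1)
    return False

def is_hibernated(cfg: HibernationConfig, at: str) -> bool:
    """hibernate=true wins outright; otherwise an exclusion suspends any open window."""
    t = datetime.fromisoformat(at)
    if cfg.hibernate:
        return True
    if any(datetime.fromisoformat(e["start"]) <= t < datetime.fromisoformat(e["end"])
           for e in cfg.exclusions.values()):
        return False
    return any(window_active(w, t) for w in cfg.windows.values())

# Constructed sample: weeknight 19:00-07:00 UTC window (Friday's start stays open over the weekend), plus a hypothetical launch-day exclusion.
OU_HIBERNATION = HibernationConfig(
    windows={"nights": {"start": "0 19 * * 1-5", "end": "0 7 * * 1-5"}},
    exclusions={"launch-day": {"start": "2024-06-12T00:00:00+00:00", "end": "2024-06-13T00:00:00+00:00"}},
)
```

Because the end cron only fires on weekdays, a window opened on Friday evening stays open until Monday 07:00, which is the behaviour a nights-and-weekends schedule wants; an end cron that also fires at weekends would close it on Saturday morning.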