Project
Defines the high-level intent for a logical project within the Infrastream platform.
Serves as a fundamental boundary for resource isolation, IAM permissions, and network segmentation. It anchors infrastructure deployments including compute workloads, data stores, and ingress routing topologies.
| Property | Type | Description |
|---|---|---|
| apiVersion | string | |
| kind | string | |
| metadata | map | |
| spec | ProjectDefinition | Contains the user-defined configuration for the project. Encapsulates configuration parameters for billing assignment, regional execution, egress policies, and cross-resource access controls. Spec uses the shared ProjectDefinition from common.proto. |
AccessibleRegistries
| Property | Type | Description |
|---|---|---|
| cloudrun | list of ComputedAccessibleRegistry | |
| compute | list of ComputedAccessibleRegistry | |
CloudrunApplicationsEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | ComputedApplication | |
ComputeApplicationsEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | ComputedApplication | |
IdentityProviderAuthorizedDomainsEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | string | |
VpcSpokesEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | string | |
ComputedApplication
Represents a fully computed application deployment configuration.
Collates mesh strategy, pre-flight migration requirements, and the container image layout required by the execution engine to provision the underlying Cloud Run service or K8s Deployment.
| Property | Type | Description |
|---|---|---|
| name | string | The name of the application. |
| meshStrategy | string | The service mesh strategy used by the application (e.g., SIDECAR, PROXYLESS). |
| container | ComputedContainerDefinition | The computed definition for the application's container, including image URL, environment variables, and resource requests. |
| runMigrationJob | bool | Indicates whether a database migration job should be run before deploying the application. |
ComputedAccessibleRegistry
Represents a computed Artifact Registry resource accessible by deployments.
Tracks the registry location and name needed to perform container image path resolution.
| Property | Type | Description |
|---|---|---|
| name | string | The name of the artifact registry. |
| location | string | The GCP region or multi-region where the registry is located. |
ProjectDefinition
High-level definition of a workload-bearing Project.
Maps to a google_project in GCP. Sets the fundamental boundaries for deployed applications, defining the target region, IAM identity bindings, maintenance windows, and default routing rules.
| Property | Type | Description |
|---|---|---|
| displayName | string | The display name of the GCP asset. If unspecified, uses the metadata.name field of the manifest. |
| description | string | A description of the GCP asset. |
| permissions | AccessPermissions | Defines specific permissions for this Project, which are merged with inherited permissions from the parent 'Environment' and 'OrganizationalUnit'. These permissions are translated into 'google_project_iam_binding' resources, granting the specified roles to principals on this specific GCP Project. |
| network | ProjectNetwork | Defines network-specific settings for the Project. |
| hibernation | HibernationConfig | Defines a specific hibernation schedule for this Project, which can override any schedules inherited from parent manifests. The computed schedule is used to control the active hours for underlying resources within this Project to manage costs. |
| region | string | The primary GCP region for the Project and its resources. If unspecified, it inherits the region from its parent 'Environment'. Sets the 'region' for many of the resources provisioned within this project, such as 'google_sql_database_instance' or 'google_redis_instance'. |
| maintenance | Maintenance | Defines the recurring weekly maintenance windows and specific exclusions for resources within this Project. This is used to configure the 'maintenance_policy' on resources like 'google_container_cluster' and 'google_sql_database_instance'. |
| defaultUrlRedirect | string | A default URL to redirect to if a request does not match any other routing rules. |
| allowedEgress | list of string | A list of external hostnames or IP ranges that applications within the project are allowed to connect to. |
| identityProviderConfig | ProjectIdpConfig | Defines the project-wide identity provider configuration. This applies to all tenants within the project. |
HibernationConfig
Consolidates hibernation scheduling logic.
Used by the orchestrator to aggregate windows and exclusions across OU, Environment, and Project inheritance chains into a final deployment state.
| Property | Type | Description |
|---|---|---|
| hibernate | bool | When set to 'true', forces the resource into hibernation immediately, overriding any active 'windows' or 'exclusions'. Defaults to 'false'. |
| windows | list of WindowsEntry | A map of recurring time windows during which the resource will be hibernated. The key of the map provides a unique name for each window. |
| exclusions | list of ExclusionsEntry | A map of specific, non-recurring time windows during which hibernation will be suspended, even if a 'window' is active. Use this for planned maintenance or high-traffic periods. The key of the map provides a unique name for each exclusion. |
AccessPermissions
Core definition for assigning administrative and viewer privileges across the platform.
Used by the engine to compute the final IAM policies (google_folder_iam_binding, etc.), aggregating individual user and group definitions into role assignments.
| Property | Type | Description |
|---|---|---|
| administrators | DetailedAccessPermissions | A list of users and groups with administrative privileges on the asset. The exact permissions are resource-dependent but typically grant full control. |
| contributors | DetailedAccessPermissions | A list of users and groups with contributor privileges on the asset. The exact permissions are resource-dependent but typically grant read and write access. |
| viewers | DetailedAccessPermissions | A list of users and groups with viewer privileges on the asset. The exact permissions are resource-dependent but typically grant read-only access. |
ProjectIdpConfig
Project-wide Identity Provider (IdP) configuration.
Applies identity and MFA settings globally to all Identity Platform tenants operating within this project's boundary.
| Property | Type | Description |
|---|---|---|
| mfa | MfaConfig | Defines the project-wide multi-factor authentication (MFA) configuration. This applies to all tenants within the project. |
ProjectNetwork
Defines specific network telemetry and routing settings for a Project.
Directly overrides defaults for determining VPC flow log configurations applied to the google_compute_subnetwork resources created within this project.
| Property | Type | Description |
|---|---|---|
| logs | NetworkLogs | Configures the export of VPC flow logs for this Project's network, overriding any settings from parent manifests. These settings are applied to the 'log_config' block of all 'google_compute_subnetwork' resources created within this Project. |
Maintenance
Defines the recurring weekly maintenance window and any explicit exclusions for resource upgrades.
Translates into maintenance_policy blocks on GCP resources like google_container_cluster (GKE) and google_sql_database_instance (Cloud SQL), dictating when Google Cloud can perform infrastructure upgrades.
| Property | Type | Description |
|---|---|---|
| start | string (RFC3339) | The start time for the recurring weekly maintenance window, provided in RFC3339 format. The time-of-day and day-of-week are used to establish the schedule. This is used to configure the 'maintenance_policy' on resources like 'google_container_cluster' and 'google_sql_database_instance'. |
| end | string (RFC3339) | The end time for the recurring weekly maintenance window, provided in RFC3339 format. This defines the duration of the maintenance window for applicable GCP resources. |
| exclusions | list of MaintenanceExclusion | A list of specific, non-recurring time windows during which maintenance should not occur, even if it falls within the recurring weekly window. Use this to prevent updates during business-critical periods. Creates 'maintenance_exclusion' blocks on applicable GCP resources. |
ComputedContainerDefinition
Represents the fully resolved container image deployment source.
Fuses the registry's geographical footprint with a specific container build to provide the absolute URL for the deployment API (e.g., Cloud Run or GKE).
| Property | Type | Description |
|---|---|---|
| sourceRegistry | ComputedAccessibleRegistry | The registry where the container image is stored. |
| image | string | The full URL of the container image, including the registry and repository path. |
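The engine fuses sourceRegistry with a build to produce the image URL, but a deployer should also be able to check the computed result: that the URL really resolves into the sourceRegistry, that the registry is one of the project's AccessibleRegistries for that workload kind, and that the image is pinned by digest rather than a mutable tag. The following is an added example of such a check, not Infrastream's own code. It relies on the Artifact Registry host convention `<location>-docker.pkg.dev/<project-id>/<repository>/<image>[:tag][@sha256:...]`; the project ID is not part of ComputedAccessibleRegistry on this page, so it is passed in separately, and the registries and image strings are constructed for the example.

```python
"""Validate a ComputedContainerDefinition against AccessibleRegistries.

Added example (not Infrastream code). Artifact Registry Docker hosts are
`<location>-docker.pkg.dev`; the project-ID argument and all sample data
below are assumptions/constructed input.
"""
from __future__ import annotations

import re

IMAGE_RE = re.compile(
    r"^(?P<location>[a-z0-9-]+)-docker\.pkg\.dev/"
    r"(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])/"
    r"(?P<repo>[a-z0-9][a-z0-9-]*)/"
    r"(?P<path>[a-z0-9][a-z0-9._/-]*?)"
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_image(image: str) -> dict:
    """Split an Artifact Registry image reference into its components."""
    m = IMAGE_RE.match(image)
    if not m:
        raise ValueError(f"not an Artifact Registry image reference: {image!r}")
    return m.groupdict()


def check_container(container: dict, accessible: dict, project_id: str,
                    kind: str) -> list[str]:
    """Return a list of findings; an empty list means the container passes.

    `accessible` is the AccessibleRegistries map ({"cloudrun": [...],
    "compute": [...]}) and `kind` selects the list that applies to this
    workload.
    """
    findings: list[str] = []
    try:
        ref = parse_image(container["image"])
    except ValueError as exc:
        return [str(exc)]
    src = container["sourceRegistry"]
    # The URL must land in the registry the definition claims as its source.
    if (ref["location"], ref["repo"]) != (src["location"], src["name"]):
        findings.append("image URL does not match sourceRegistry")
    # And in this project, not a look-alike registry in another project.
    if ref["project"] != project_id:
        findings.append(
            f"image is hosted in project {ref['project']!r}, not {project_id!r}")
    allowed = {(r["location"], r["name"]) for r in accessible.get(kind, [])}
    if (src["location"], src["name"]) not in allowed:
        findings.append(
            f"registry {src['location']}/{src['name']} is not accessible to {kind}")
    # A tag can be re-pointed after review; a digest cannot.
    if not ref["digest"]:
        findings.append("image is referenced by mutable tag; pin it with @sha256:<digest>")
    return findings


# Constructed sample data.
ACCESSIBLE = {
    "cloudrun": [{"name": "web-images", "location": "europe-west1"}],
    "compute": [{"name": "web-images", "location": "europe-west1"},
                {"name": "batch-images", "location": "us"}],
}
DIGEST = "sha256:" + "ab" * 32
GOOD = {
    "sourceRegistry": {"name": "web-images", "location": "europe-west1"},
    "image": f"europe-west1-docker.pkg.dev/acme-prod/web-images/api@{DIGEST}",
}
TAGGED = {**GOOD,
          "image": "europe-west1-docker.pkg.dev/acme-prod/web-images/api:latest"}
FOREIGN = {
    "sourceRegistry": {"name": "batch-images", "location": "us"},
    "image": f"us-docker.pkg.dev/acme-prod/batch-images/etl@{DIGEST}",
}

if __name__ == "__main__":
    for name, c in (("good", GOOD), ("tagged", TAGGED), ("foreign", FOREIGN)):
        print(name, check_container(c, ACCESSIBLE, "acme-prod", "cloudrun"))
```

The digest check is the one most worth enforcing in a pipeline: the engine resolves the image once, but a tag such as `latest` can be moved in the registry afterwards without any manifest change.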
DetailedAccessPermissions
Aggregation of specific user and group access definitions.
Refers to lists of OrganizationUser and OrganizationUserGroup manifests that will be parsed to retrieve actual Google Workspace identity emails for IAM binding construction.
| Property | Type | Description |
|---|---|---|
| members | list of string | A list of 'OrganizationUser' manifest names to be included in this permission set. |
| groups | list of string | A list of 'OrganizationUserGroup' manifest names to be included in this permission set. |
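AccessPermissions (above) says Project permissions are merged with those inherited from the Environment and OrganizationalUnit, and DetailedAccessPermissions names the manifests that are resolved to identities. The following added example, which is not Infrastream's own code, shows what that merge implies: it is a union, so a child manifest can only add access, and a principal's effective privilege is the highest tier it reaches through any layer. The tier-to-role mapping and the name-to-email lookup tables are assumptions standing in for the resource-dependent roles and the OrganizationUser/OrganizationUserGroup manifests the page mentions; the sample manifests are constructed.

```python
"""Merge AccessPermissions along the OrganizationalUnit -> Environment ->
Project inheritance chain and resolve them into the per-role member lists a
google_project_iam_binding carries.

Added illustration, not Infrastream's own code. Assumptions (not stated on
this page): the tier-to-role mapping below and the USERS/GROUPS lookup tables
standing in for OrganizationUser / OrganizationUserGroup manifests.
"""
from __future__ import annotations

# Hypothetical tier -> role mapping; the page only says it is resource-dependent.
TIER_ROLES = {
    "administrators": "roles/owner",
    "contributors": "roles/editor",
    "viewers": "roles/viewer",
}
TIER_RANK = {"viewers": 0, "contributors": 1, "administrators": 2}

# Constructed stand-ins for manifest name -> Google Workspace identity.
USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}
GROUPS = {"platform-admins": "platform-admins@example.com"}


def merge_permissions(*layers: dict) -> dict:
    """Union each tier's DetailedAccessPermissions across manifests.

    `layers` are AccessPermissions dicts from outermost parent to Project.
    The page says Project permissions are *merged* with inherited ones, so
    this is a union: a child manifest cannot remove access a parent grants.
    """
    merged = {tier: {"members": set(), "groups": set()} for tier in TIER_ROLES}
    for layer in layers:
        for tier in TIER_ROLES:
            detail = layer.get(tier) or {}
            merged[tier]["members"].update(detail.get("members", []))
            merged[tier]["groups"].update(detail.get("groups", []))
    return merged


def resolve_principals(detail: dict) -> set[str]:
    """Map manifest names to IAM member strings; an unknown name raises
    KeyError rather than silently dropping a principal."""
    principals = {"user:" + USERS[name] for name in detail["members"]}
    principals |= {"group:" + GROUPS[name] for name in detail["groups"]}
    return principals


def compute_bindings(*layers: dict) -> dict[str, list[str]]:
    """Return {role: sorted members}, one entry per google_project_iam_binding."""
    merged = merge_permissions(*layers)
    return {TIER_ROLES[tier]: sorted(resolve_principals(merged[tier]))
            for tier in TIER_ROLES}


def effective_privilege(*layers: dict) -> dict[str, str]:
    """Highest tier each principal ends up with after the merge.

    Useful for access reviews: a user listed only as a viewer on the Project
    but inheriting administrators from the OU is effectively an administrator.
    """
    merged = merge_permissions(*layers)
    best: dict[str, str] = {}
    for tier in sorted(TIER_ROLES, key=TIER_RANK.__getitem__):
        for principal in resolve_principals(merged[tier]):
            best[principal] = tier  # later iterations are higher-ranked tiers
    return best


# Constructed sample manifests for the three layers.
OU_PERMS = {"administrators": {"groups": ["platform-admins"]}}
ENV_PERMS = {"viewers": {"members": ["alice", "bob"]}}
PROJECT_PERMS = {"contributors": {"members": ["alice"]}}

if __name__ == "__main__":
    for role, members in compute_bindings(OU_PERMS, ENV_PERMS, PROJECT_PERMS).items():
        print(role, members)
```

Because the merge is additive, least privilege has to be enforced at the outermost layer that grants a tier: nothing a Project manifest says can narrow an administrators entry inherited from the OU.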
NetworkLogs
Configures the export settings for VPC Flow Logs.
Translates to the log_config block of google_compute_subnetwork, determining aggregation intervals and volume sampling rates for network telemetry.
| Property | Type | Description |
|---|---|---|
| interval | string | The time window for which VPC flow logs are aggregated before being exported. A shorter interval provides more immediate data, while a longer interval reduces the volume of logs generated. This value is passed to the 'aggregation_interval' field of the 'log_config' block on 'google_compute_subnetwork'. |
| sampling | double | The fraction of network connections for which VPC flow logs will be generated and exported. The value must be between 0.0 (no logs) and 1.0 (all logs). Lower values reduce log volume at the cost of completeness for incident investigation. This value is passed to the 'flow_sampling' field of the 'log_config' block on 'google_compute_subnetwork'. |
ExclusionsEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | HibernationExclusion | |
MfaConfig
Configures Multi-Factor Authentication (MFA) requirements for users.
Modifies Identity Platform tenant configurations to enforce MFA policies based on the selected mode and geographical region restrictions.
| Property | Type | Description |
|---|---|---|
| mode | string | The MFA mode for multi-factor authentication. This can be set to 'DISABLED' to disable multi-factor authentication, 'ENABLED' to enable multi-factor authentication, or 'MANDATORY' to require multi-factor authentication for all users. |
| testPhoneNumbers | list of TestPhoneNumbersEntry | A map of phone numbers that will be used for testing multi-factor authentication. The key is the phone number and the value is the expected 6-digit OTP code. Because these numbers are accepted with a fixed code instead of a real SMS challenge, they must not be configured on production tenants. |
| allowedRegions | list of string | A list of regions where multi-factor authentication is allowed, given as two-letter Unicode region codes as defined by https://cldr.unicode.org/ The full list of these region codes is here: https://github.com/unicode-cldr/cldr-localenames-full/blob/master/main/en/territories.json |
WindowsEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | HibernationWindow | |
MaintenanceExclusion
Defines a specific, non-recurring time window where platform maintenance should not occur.
Translates into maintenance_exclusion blocks on underlying GCP resources, overriding regular weekly maintenance windows during critical business periods.
| Property | Type | Description |
|---|---|---|
| name | string | A unique name to identify the reason for this exclusion (e.g., 'black-friday-freeze'). |
| start | string (RFC3339) | The start date and time for a specific, non-recurring exclusion from the maintenance window. |
| end | string (RFC3339) | The end date and time for the non-recurring exclusion window. |
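Maintenance describes the recurring window by a single RFC3339 start/end pair, of which only the day-of-week and time-of-day matter, and MaintenanceExclusion (above) suspends that window for a non-recurring range. The following added example, not the Infrastream engine's code, evaluates both at a given instant so the behaviour can be checked before a manifest is applied. It assumes the window recurs weekly at the weekday and time of `start` with duration `end - start`, as the field descriptions indicate; the sample schedule is constructed.

```python
"""Evaluate a Maintenance schedule at an instant: is the recurring weekly
window open, and is it overridden by a MaintenanceExclusion?

Added example, not the Infrastream engine's code. Assumption: the weekly
window recurs at the day-of-week and time-of-day of `start` with duration
`end - start`, which is how this page describes the two fields; the sample
schedule is constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

WEEK = timedelta(days=7)


def utc(*args: int) -> datetime:
    """Convenience constructor for an aware UTC datetime."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_rfc3339(value: str) -> datetime:
    """Parse an RFC3339 timestamp; a trailing 'Z' is mapped to +00:00 so older
    Pythons accept it. Offset-less values are rejected rather than guessed."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"{value!r} has no UTC offset; RFC3339 requires one")
    return dt.astimezone(timezone.utc)


def in_weekly_window(now: datetime, start: str, end: str) -> bool:
    """True if `now` falls inside the weekly recurrence of [start, end)."""
    s, e = parse_rfc3339(start), parse_rfc3339(end)
    duration = e - s
    if not timedelta(0) < duration < WEEK:
        raise ValueError("maintenance window must be between 0 and 7 days long")
    # Most recent occurrence of the window start at or before `now`
    # (timedelta // timedelta floors, so this also works before `start`).
    last_start = s + ((now - s) // WEEK) * WEEK
    # Recurrence is on the absolute instant, so the window does not shift
    # with DST changes in the zone the offset came from.
    return last_start <= now < last_start + duration


def active_exclusion(now: datetime, exclusions: list[dict]) -> str | None:
    """Name of the first MaintenanceExclusion covering `now`, else None."""
    for ex in exclusions:
        if parse_rfc3339(ex["start"]) <= now < parse_rfc3339(ex["end"]):
            return ex["name"]
    return None


def maintenance_allowed(now: datetime, maintenance: dict) -> bool:
    """Exclusions win over the recurring window, as the page specifies."""
    now = now.astimezone(timezone.utc)
    if active_exclusion(now, maintenance.get("exclusions", [])) is not None:
        return False
    return in_weekly_window(now, maintenance["start"], maintenance["end"])


# Constructed sample: Sundays 02:00-06:00 UTC, frozen over a sales weekend.
SAMPLE_MAINTENANCE = {
    "start": "2024-01-07T02:00:00Z",  # a Sunday; only weekday/time matter
    "end": "2024-01-07T06:00:00Z",
    "exclusions": [
        {"name": "black-friday-freeze",
         "start": "2024-11-29T00:00:00Z", "end": "2024-12-02T00:00:00Z"},
    ],
}

if __name__ == "__main__":
    print(maintenance_allowed(utc(2024, 1, 14, 3), SAMPLE_MAINTENANCE))
```

Note that the window is fixed on the absolute instant: a `start` written with a +01:00 offset keeps its UTC time through the year rather than following that zone's daylight-saving changes, which matters when the window is meant to track local off-hours.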
TestPhoneNumbersEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | string | |
HibernationWindow
Defines a recurring period when an asset should be scaled down.
Its cron strings are used by the control plane's orchestration tools to stop virtual machines or scale Cloud Run instances to zero on schedule.
| Property | Type | Description |
|---|---|---|
| start | string | A cron expression defining when the hibernation window begins. |
| end | string | A cron expression defining when the hibernation window ends. |
HibernationExclusion
Defines a specific suspension of the hibernation schedule.
Prevents down-scaling operations during the specified timeframe, ensuring workloads remain active for special events or maintenance.
| Property | Type | Description |
|---|---|---|
| start | string (RFC3339) | The start date and time for the exclusion window in RFC3339 format. |
| end | string (RFC3339) | The end date and time for the exclusion window in RFC3339 format. |
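HibernationConfig, HibernationWindow and HibernationExclusion together define a precedence: `hibernate: true` forces hibernation regardless of schedule, an active exclusion suspends every window, and otherwise the resource is hibernated while a window is open between its start and end cron firings. The following added example, not the orchestrator's own code, implements that evaluation with a small cron matcher so it runs without third-party packages. It assumes standard 5-field cron expressions evaluated in UTC (Sunday = 0) and that a window is open from the latest firing of `start` until the next firing of `end`; the sample configuration is constructed.

```python
"""Evaluate a HibernationConfig at an instant with the precedence this page
describes: `hibernate: true` wins outright, an active exclusion suspends all
windows, and otherwise the resource is hibernated while a window is open.

Added example, not the orchestrator's own code. Assumptions: cron strings are
standard 5-field expressions (minute hour day-of-month month day-of-week,
Sunday = 0) evaluated in UTC; a window is open from the most recent firing of
`start` until the next firing of `end`; the sample config is constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone


def utc(*args: int) -> datetime:
    """Convenience constructor for an aware UTC datetime."""
    return datetime(*args, tzinfo=timezone.utc)


def _field_matches(field: str, value: int, lo: int, hi: int) -> bool:
    """Match one cron field: '*', 'a', 'a-b', '*/n', 'a-b/n' and ',' lists."""
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            first, last = lo, hi
        elif "-" in rng:
            first, last = (int(x) for x in rng.split("-"))
        else:
            first = last = int(rng)
        if first <= value <= last and (value - first) % step == 0:
            return True
    return False


def cron_matches(expr: str, t: datetime) -> bool:
    """True if `expr` fires in the minute containing `t`.

    Simplification: day-of-month and day-of-week are ANDed here; classic cron
    ORs them when both are restricted.
    """
    minute, hour, dom, month, dow = expr.split()
    return (_field_matches(minute, t.minute, 0, 59)
            and _field_matches(hour, t.hour, 0, 23)
            and _field_matches(dom, t.day, 1, 31)
            and _field_matches(month, t.month, 1, 12)
            and _field_matches(dow, (t.weekday() + 1) % 7, 0, 6))


def last_firing(expr: str, now: datetime, horizon_days: int = 8) -> datetime | None:
    """Walk back minute by minute to the most recent firing of `expr`."""
    t = now.replace(second=0, microsecond=0)
    for _ in range(horizon_days * 24 * 60):
        if cron_matches(expr, t):
            return t
        t -= timedelta(minutes=1)
    return None


def window_open(window: dict, now: datetime) -> bool:
    """Open when `start` fired more recently than `end`."""
    start = last_firing(window["start"], now)
    end = last_firing(window["end"], now)
    return start is not None and (end is None or end < start)


def is_hibernated(config: dict, now: datetime) -> bool:
    if config.get("hibernate", False):
        return True  # explicit override beats windows and exclusions
    now = now.astimezone(timezone.utc)
    for ex in config.get("exclusions", {}).values():
        s = datetime.fromisoformat(ex["start"].replace("Z", "+00:00"))
        e = datetime.fromisoformat(ex["end"].replace("Z", "+00:00"))
        if s <= now < e:
            return False  # an exclusion suspends every window
    return any(window_open(w, now) for w in config.get("windows", {}).values())


# Constructed sample: scale down every night from 20:00 UTC until 07:00 on the
# next weekday (so all weekend), except during a load test on 2024-03-12.
SAMPLE_HIBERNATION = {
    "windows": {
        "nights-and-weekends": {"start": "0 20 * * *", "end": "0 7 * * 1-5"},
    },
    "exclusions": {
        "load-test": {"start": "2024-03-12T20:00:00Z",
                      "end": "2024-03-13T02:00:00Z"},
    },
}

if __name__ == "__main__":
    print(is_hibernated(SAMPLE_HIBERNATION, utc(2024, 3, 16, 12)))
```

The "latest start fired after latest end" rule is what lets one window cover Friday evening through Monday morning: the end cron simply does not fire on Saturday or Sunday, so the window stays open.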