GCP Project Organization
The infrastructure follows Google’s Cloud Foundation Toolkit layered architecture, with a clear separation between bootstrap, shared, and application-layer projects.
This document indexes the important projects so developers can quickly find what they need. Note that project IDs include a 4-character hex suffix that is auto-generated at project creation time. Terraform resolves projects dynamically via labels at plan time, so these IDs are primarily for reference and lookup — you rarely need to hardcode them.
Organization Structure
```
thehelperbees.com
├── fldr-bootstrap
│   └── Seed, Bootstrap CI/CD projects
├── fldr-common
│   └── General CI/CD, Org-wide services, shared services
├── fldr-development
│   └── All dev environment projects
├── fldr-non-production
│   └── All staging/UAT projects
├── fldr-production
│   └── All production projects
├── system-gsuite
│   └── apps-script
│       └── ~105 auto-generated sys-* projects (not indexed)
└── thb-root-folder
    └── Legacy bootstrap projects
```
Project Naming Convention
Pattern: prj-{scope}-{environment}-{name}-{suffix}
| Component | Values | Description |
|---|---|---|
| scope | b, c, bu1, bu2 | Bootstrap, common, business unit 1, business unit 2 |
| environment | d, n, p, c, b, z | dev, non-prod, prod, common, bootstrap, misc |
| name | e.g., hb-infra, bees-infra | Application or service name |
| suffix | 4-char hex (e.g., 1da6) | Auto-generated unique identifier |
Examples:
- prj-bu1-p-hb-infra-1da6 → Business Unit 1, Production, HB Infrastructure
- prj-c-secrets-a7cc → Common, Org-wide Secrets
Quick Reference: App Infrastructure Projects
This is the primary lookup table for developers making infrastructure changes.
All app infrastructure follows predictable patterns:
- Local path: infra/{infra-name}/business_unit_1/{environment}/
- Terraform command: ./zig/zig build plan -- {infra-name} {environment}
HB (default)
Infra name: hb-infra
| Env | GCP Project ID | Command |
|---|---|---|
| dev | prj-bu1-d-hb-infra-9b59 | ./zig/zig build plan -- hb-infra development |
| non-prod | prj-bu1-n-hb-infra-5381 | ./zig/zig build plan -- hb-infra non-production |
| prod | prj-bu1-p-hb-infra-1da6 | ./zig/zig build plan -- hb-infra production |
Bees (Yellow)
Infra name: bees-infra
| Env | GCP Project ID | Command |
|---|---|---|
| dev | prj-bu1-d-bees-infra-8329 | ./zig/zig build plan -- bees-infra development |
| non-prod | prj-bu1-n-bees-infra-8350 | ./zig/zig build plan -- bees-infra non-production |
| prod | prj-bu1-p-bees-infra-8bed | ./zig/zig build plan -- bees-infra production |
HomeAlign (HA)
Infra name: ha-infra
| Env | GCP Project ID | Command |
|---|---|---|
| dev | prj-bu1-d-homealign-infra-3789 | ./zig/zig build plan -- ha-infra development |
| non-prod | prj-bu1-n-homealign-infra-075c | ./zig/zig build plan -- ha-infra non-production |
| prod | prj-bu1-p-homealign-infra-2b1b | ./zig/zig build plan -- ha-infra production |
PD (Partner Dashboard & Resources)
Infra name: pd-infra
| Env | GCP Project ID | Command |
|---|---|---|
| dev | prj-bu1-d-pd-infra-7c6d | ./zig/zig build plan -- pd-infra development |
| non-prod | prj-bu1-n-pd-infra-fee5 | ./zig/zig build plan -- pd-infra non-production |
| prod | prj-bu1-p-pd-infra-b355 | ./zig/zig build plan -- pd-infra production |
Common (Shared)
Infra name: common-infra
| Env | GCP Project ID | Command |
|---|---|---|
| shared | prj-bu1-c-common-infra-c4aa | ./zig/zig build plan -- common-infra shared |
Supporting Projects
Vault (Secrets & Keys)
Vault is split into two projects per environment: one for encryption keys (KMS) and one for secrets storage.
| Project ID | Env | Purpose |
|---|---|---|
| prj-bu1-d-vault-keys-1fef | dev | Vault encryption keys |
| prj-bu1-d-vault-secrets-e189 | dev | Vault secrets storage |
| prj-bu1-n-vault-keys-c405 | non-prod | Vault encryption keys |
| prj-bu1-n-vault-secrets-9d03 | non-prod | Vault secrets storage |
| prj-bu1-p-vault-keys-cfcb | prod | Vault encryption keys |
| prj-bu1-p-vault-secrets-8d4a | prod | Vault secrets storage |
BU1 Shared Services
These projects provide shared infrastructure consumed by all BU1 application projects.
| Project ID | Purpose |
|---|---|
| prj-bu1-c-infra-pipeline-5327 | Cloud Build Terraform runners (active) |
| prj-bu1-c-pkg-registry-f6f2 | Artifact Registry (package registry) |
| prj-bu1-c-app-infra-98a6 | App infra common project |
| prj-bu1-c-app-cicd-886d | App CI/CD pipeline |
| prj-bu1-c-papertrail-aa37 | Papertrail logging integration |
| prj-bu1-c-gplay-store-a7fd | Google Play Store integration |
Ansible (Configuration Management)
| Project ID | Env |
|---|---|
| prj-bu1-d-ansible-706a | development |
| prj-bu1-n-ansible-27b7 | non-production |
| prj-bu1-p-ansible-f050 | production |
Foundation Projects
These projects are managed by the foundation repositories
(gcp-org, gcp-environments,
gcp-networks, gcp-projects), not by infrahive.
Developers rarely interact with these directly but may see them
referenced in configs or backend state.
Bootstrap & Seed
| Project ID | Purpose | Managed By |
|---|---|---|
| prj-b-seed-c80c | Terraform service account impersonation (all dev SAs live here) | gcp-org |
| prj-b-cicd-1639 | Cloud Build bootstrap CI/CD | gcp-org |
Org-Wide Shared Services
| Project ID | Purpose | Managed By |
|---|---|---|
| prj-c-secrets-a7cc | Org-wide secrets (Secret Manager) | gcp-org |
| prj-c-logging-3c47 | Centralized org logging | gcp-org |
| prj-c-scc-4fba | Security Command Center | gcp-org |
| prj-c-billing-logs-6c3b | Billing export & logs | gcp-org |
| prj-c-dns-hub-3145 | Global DNS hub | gcp-networks |
| prj-c-base-net-hub-6087 | Base shared VPC hub | gcp-networks |
| prj-c-restricted-net-hub-9c4c | Restricted shared VPC hub | gcp-networks |
| prj-c-interconnect-8de9 | Dedicated/Partner Interconnect | gcp-networks |
Per-Environment Shared Services
| Project ID | Env | Purpose |
|---|---|---|
| prj-d-secrets-cd63 | dev | Environment-level secrets |
| prj-n-secrets-817e | non-prod | Environment-level secrets |
| prj-p-secrets-3c7d | prod | Environment-level secrets |
| prj-d-monitoring-a1c3 | dev | Environment monitoring |
| prj-n-monitoring-2577 | non-prod | Environment monitoring |
| prj-p-monitoring-3fb1 | prod | Environment monitoring |
| prj-d-shared-base-6522 | dev | Base shared VPC host |
| prj-n-shared-base-cb89 | non-prod | Base shared VPC host |
| prj-p-shared-base-11f6 | prod | Base shared VPC host |
| prj-d-shared-restricted-c208 | dev | Restricted shared VPC host |
| prj-n-shared-restricted-fa0b | non-prod | Restricted shared VPC host |
| prj-p-shared-restricted-df35 | prod | Restricted shared VPC host |
Legacy Projects
These projects sit at the organization root (not in folders), predate the Cloud Foundation Toolkit, and are generally not Terraform-managed. They are included here for reference when tracing data flows or access patterns.
| Project ID | Purpose | Team |
|---|---|---|
| the-helper-bees | Original THB project (Firebase) | Engineering |
| helper-app-8a8aa | Helper App (Firebase) | Engineering |
| bq-data-lake | BigQuery data lake | Data |
| bq-reports | BigQuery reporting | Data |
| anonymized-dw | Anonymized data warehouse | Data |
| anonymized-external-dw | External anonymized data warehouse | Data |
| identified-dw | Identified data warehouse | Data |
| segment-dw | Segment data warehouse | Data |
| thb-fivetran-dw | Fivetran data warehouse | Data |
| thb-contivio-dw | Contivio data warehouse | Data |
| airflow-prod-325420 | Airflow production (data pipelines) | Data |
| invoicing-data | Invoicing data project | Finance |
| thb-algo-vpn | Algo VPN | DevOps |
| private-gsuite-admin-reporting | GSuite admin reporting | IT |
| private-thb-account-audit | Account auditing | IT |
How Projects Are Referenced in Terraform
Dynamic Resolution via Labels (Primary)
Most Terraform directories resolve the GCP project at plan time using label-based data sources. This is why developers rarely need to know the exact hex suffix of a project ID.
```hcl
data "google_projects" "environment_projects" {
  filter = "parent.id:${folder_id} labels.application_name=${var.application_name} labels.environment=${var.environment} lifecycleState=ACTIVE"
}
```
Cross-Project References (.auto.tfvars)
When one project references another, IDs are hardcoded in .auto.tfvars files scoped to that environment. This is the primary place where full project IDs with hex suffixes appear.
```hcl
# infra/pd-infra/production.auto.tfvars
hb_project_id         = "prj-bu1-p-hb-infra-1da6"
vault_keys_project_id = "prj-bu1-p-vault-keys-cfcb"
```
Service Account Impersonation
Each infra project uses a dedicated service account
from the seed project (prj-b-seed-c80c) for all Terraform
operations. The build system handles impersonation automatically; this
table is for reference when debugging IAM issues.
| Project | Service Account |
|---|---|
| hb-infra | hb-infra-dev-sa@prj-b-seed-c80c.iam.gserviceaccount.com |
| bees-infra | bees-infra-dev-sa@prj-b-seed-c80c.iam.gserviceaccount.com |
| ha-infra | homealign-infra-dev-sa@prj-b-seed-c80c.iam.gserviceaccount.com |
| pd-infra | pd-infra-dev-sa@prj-b-seed-c80c.iam.gserviceaccount.com |
| common-infra | common-infra-dev-sa@prj-b-seed-c80c.iam.gserviceaccount.com |
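
Because cross-project IDs are hardcoded in .auto.tfvars and the environment is encoded in each ID, a pre-plan lint can catch a production file that points at a dev or non-prod project. The following is an added example, not code from infrahive; the parsing rule for IDs without a bu1/bu2 scope, the allow-list of shared environments, and the `vault_secrets_project_id` variable in the sample are assumptions.

```python
import re

# Environment letters from the naming-convention table on this page.
ENVIRONMENTS = {"d": "dev", "n": "non-prod", "p": "prod",
                "c": "common", "b": "bootstrap", "z": "misc"}
BUSINESS_UNITS = {"bu1", "bu2"}
PROJECT_ID = re.compile(r"^prj-(?P<body>[a-z0-9-]+)-(?P<suffix>[0-9a-f]{4})$")
ASSIGNMENT = re.compile(r'^\s*(\w+)\s*=\s*"(prj-[^"]+)"', re.MULTILINE)


def parse_project_id(project_id):
    """Split an ID into scope/environment/name/suffix, or return None."""
    match = PROJECT_ID.match(project_id)
    if not match:
        return None
    tokens = match["body"].split("-")
    # Assumption: a leading bu1/bu2 is the scope; IDs such as prj-c-secrets-a7cc
    # carry a single letter, which is read here as the environment.
    scope = tokens.pop(0) if tokens[0] in BUSINESS_UNITS else None
    if len(tokens) < 2 or tokens[0] not in ENVIRONMENTS:
        return None
    return {"scope": scope, "environment": ENVIRONMENTS[tokens[0]],
            "name": "-".join(tokens[1:]), "suffix": match["suffix"]}


def cross_environment_refs(tfvars_text, expected_env, allowed=("common", "bootstrap")):
    """Return (variable, project_id, reason) for IDs outside expected_env."""
    # Assumption: common and bootstrap projects may be referenced from any environment.
    findings = []
    for variable, project_id in ASSIGNMENT.findall(tfvars_text):
        parsed = parse_project_id(project_id)
        if parsed is None:
            findings.append((variable, project_id, "does not match naming convention"))
        elif parsed["environment"] not in (expected_env, *allowed):
            findings.append((variable, project_id, f"belongs to {parsed['environment']}"))
    return findings


# Constructed sample: the page's production tfvars plus one deliberately wrong line.
SAMPLE = '''
hb_project_id            = "prj-bu1-p-hb-infra-1da6"
vault_keys_project_id    = "prj-bu1-p-vault-keys-cfcb"
vault_secrets_project_id = "prj-bu1-d-vault-secrets-e189"
'''

if __name__ == "__main__":
    for finding in cross_environment_refs(SAMPLE, "prod"):
        print(finding)
```

Legacy project IDs without the prj- prefix are skipped by the assignment pattern, so references to them need a separate review.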
Related Repositories
| Repo | Layer | Purpose |
|---|---|---|
| gcp-policies | 0.5 | Rego-based policy constraints for Terraform Validator |
| gcp-org | 1 | Org policies, logging, security baselines |
| gcp-environments | 2 | Dev/non-prod/prod environment segregation |
| gcp-networks | 3 | Shared VPCs, DNS, NAT, firewall rules |
| gcp-projects | 4 | GCP project creation per business unit |
| infrahive | 5 | Application infrastructure (this repo) |
| terraform-modules | – | Reusable Terraform modules consumed by infrahive |
Excluded From This Index
The following project categories exist in the organization but are intentionally excluded from this document:
- ~105 sys-* projects: Auto-generated by Google Workspace/Apps Script; live in the Apps Script folder (388964465723)
- gam-project-* (4 projects): GAM automation projects managed by IT
- Personal test projects (~10): Individual developer sandboxes at the org root
- billing-model-* (3 projects): Billing configuration projects managed externally