# Overview

> Reference section navigation and resource hierarchy. Covers org-level resources, GVC structure, principals, infrastructure, and asset relationships.

The Reference section provides detailed documentation for all Control Plane resources. Each resource type has specific properties, permissions, and relationships that enable you to build secure, scalable applications across multiple cloud providers.

***

## Resource Hierarchy

Control Plane uses a hierarchical structure where resources are scoped to provide isolation and governance:

```text
Org (Organization)
├── Principals: Users, Groups, Service Accounts
├── Governance: Policies, Quotas
├── Infrastructure: Cloud Accounts, Agents, Locations
├── Assets: Secrets, Images, Domains
└── GVC (Global Virtual Cloud)
    ├── Workloads
    ├── Identities
    └── Volume Sets
```

***

## Organization

<Card title="Org" icon="building" href="/reference/org" horizontal>
  Isolated environment and top-level container for all resources. Configure external logging, threat detection, tracing, and organization-wide settings.
</Card>

***

## Access Control

Resources that control who can access what within your organization.

<CardGroup cols={2}>
  <Card title="Policy" icon="shield-check" href="/reference/policy">
    Grant permissions to principals (users, groups, service accounts, identities) for resources in your organization.
  </Card>

  <Card title="Group" icon="users" href="/reference/group">
    Collections of users and service accounts. Supports dynamic membership via tag-based queries.
  </Card>

  <Card title="User" icon="user" href="/reference/user">
    Organization members who access Control Plane via the Console, CLI, API, Terraform, or Pulumi.
  </Card>

  <Card title="Service Account" icon="robot" href="/reference/serviceaccount">
    Programmatic access for CI/CD pipelines, automation, and API integrations.
  </Card>

  <Card title="Quota" icon="gauge" href="/reference/quota">
    Resource limits for your organization including agents, domains, and workloads.
  </Card>
</CardGroup>

***

## Compute & Storage

Core resources for running and managing your applications.

<CardGroup cols={2}>
  <Card title="GVC" icon="globe" href="/reference/gvc">
    Global Virtual Cloud - container for workloads deployed across multiple cloud locations with shared configuration.
  </Card>

  <Card title="Workload" icon="server" href="/reference/workload/general">
    Your applications running as standard, stateful, cron, or serverless deployments with autoscaling and load balancing.
  </Card>

  <Card title="Location" icon="location-dot" href="/reference/location">
    Geographic regions across AWS, GCP, and Azure where your workloads can be deployed.
  </Card>

  <Card title="Volume Set" icon="hard-drive" href="/reference/volumeset">
    Persistent storage for workloads with snapshots, autoscaling, and encryption.
  </Card>
</CardGroup>

***

## Networking & Domains

Resources for routing traffic and connecting your services.

<CardGroup cols={2}>
  <Card title="Domain" icon="globe" href="/reference/domain">
    Custom domain mapping with TLS certificates, CORS configuration, and path-based routing to workloads.
  </Card>

  <Card title="IP Set" icon="network-wired" href="/reference/ipset">
    Reserve static public IPs per location for DNS configuration and firewall rules.
  </Card>

  <Card title="Agent" icon="tower-broadcast" href="/reference/agent">
    Secure tunneling to private networks, on-premises systems, and cloud VPCs without exposing them to the internet.
  </Card>
</CardGroup>

***

## Cloud Integration

Resources that connect Control Plane to your cloud providers and private networks.

<CardGroup cols={2}>
  <Card title="Cloud Account" icon="cloud" href="/reference/cloudaccount">
    Bridge to AWS, GCP, Azure, or NATS for identity-based access to cloud services.
  </Card>

  <Card title="Identity" icon="fingerprint" href="/reference/identity">
    Credential-free access to cloud resources and private networks via workload identity federation with AWS, GCP, Azure, and NGS.
  </Card>
</CardGroup>

***

## Secrets, Images & Audit

Resources for managing credentials, container images, and audit trails.

<CardGroup cols={2}>
  <Card title="Secret" icon="key" href="/reference/secret">
    Encrypted storage for credentials including AWS keys, Docker registries, TLS certificates, and more.
  </Card>

  <Card title="Image" icon="docker" href="/reference/image">
    Container images in Control Plane's private registry or references to external registries.
  </Card>

  <Card title="Audit Context" icon="scroll" href="/reference/auditctx">
    Tamper-proof audit trails for Control Plane actions and custom external events from your workloads.
  </Card>
</CardGroup>

***

## Workload Configuration

The Workload resource has extensive configuration options documented across multiple pages:

<CardGroup cols={3}>
  <Card title="General" icon="gear" href="/reference/workload/general">
    Endpoints, environment variables, and debug mode
  </Card>

  <Card title="Types" icon="shapes" href="/reference/workload/types">
    Standard, stateful, cron, and serverless workloads
  </Card>

  <Card title="Containers" icon="box" href="/reference/workload/containers">
    Image references, ports, CPU, memory, and GPU
  </Card>

  <Card title="Autoscaling" icon="arrows-up-down" href="/reference/workload/autoscaling">
    Metric-based scaling, scale-to-zero, and KEDA event-driven scaling
  </Card>

  <Card title="Capacity" icon="microchip" href="/reference/workload/capacity">
    Capacity AI and resource optimization
  </Card>

  <Card title="Load Balancing" icon="scale-balanced" href="/reference/workload/load-balancing">
    Direct load balancer and IP Sets
  </Card>

  <Card title="Firewall" icon="fire" href="/reference/workload/firewall">
    Ingress and egress rules
  </Card>

  <Card title="Security" icon="user-shield" href="/reference/workload/security">
    mTLS and external authorization
  </Card>

  <Card title="JWT Auth" icon="shield-halved" href="/reference/workload/jwt-auth">
    Token-based authentication
  </Card>

  <Card title="Volumes" icon="database" href="/reference/workload/volumes">
    Mount secrets, cloud storage, and volume sets
  </Card>

  <Card title="Custom Metrics" icon="chart-line" href="/reference/workload/custom-metrics">
    Prometheus-based metrics for advanced scaling
  </Card>

  <Card title="Termination" icon="power-off" href="/reference/workload/termination">
    Grace periods and shutdown behavior
  </Card>
</CardGroup>

***

## Key Concepts

<AccordionGroup>
  <Accordion title="Permission Model">
    Control Plane uses a role-based access control model where **Policies** grant specific permissions to **Principals** (users, groups, service accounts, identities) for target resources. Permissions follow hierarchical "implies" relationships - for example, `manage` implies `create`, `delete`, and `edit`.
  </Accordion>

  <Accordion title="Multi-Cloud Deployment">
    A single **GVC** can deploy workloads across multiple **Locations** spanning AWS, GCP, and Azure regions simultaneously. Traffic is automatically routed to the nearest healthy instance.
  </Accordion>

  <Accordion title="Workload Identity">
    **Identities** provide credential-free access to cloud resources and private networks. Instead of embedding secrets in your code, workloads assume cloud-native identities (AWS IAM roles, GCP service accounts, Azure managed identities) at runtime.
  </Accordion>

  <Accordion title="Private Network Access">
    **Agents** create secure tunnels to private networks without exposing them to the internet. Combined with **Identities**, workloads can access databases, APIs, and services in your VPCs.
  </Accordion>
</AccordionGroup>
