GCP
The GCP plugin enables formae to manage Google Cloud Platform resources.
Configuration
Target
Configure a GCP target in your Forma file:
```pkl
import "@formae/formae.pkl"
import "@gcp/gcp.pkl"

target: formae.Target = new formae.Target {
  label = "gcp-target"
  config = new gcp.Config {
    project = "your-project-id"
    region = "us-central1"
    // Optional: path to service account key file
    // credentialsFile = read("env:GCP_CREDENTIALS_FILE")
  }
}
```
Credentials
The plugin uses the standard GCP credential chain:
Application Default Credentials (ADC):
```bash
gcloud auth application-default login
```
Service Account Key File:
```bash
export GCP_CREDENTIALS_FILE="/path/to/service-account-key.json"
```
Then reference it in your target config:
```pkl
config = new gcp.Config {
  project = "your-project-id"
  region = "us-central1"
  credentialsFile = read("env:GCP_CREDENTIALS_FILE")
}
```
Workload Identity (on GKE): When running on GKE with Workload Identity enabled, credentials are automatically provided.
OIDC (for CI/CD):
For GitHub Actions, use google-github-actions/auth with Workload Identity Federation.
| Environment Variable | Description | Required |
|---|---|---|
| GCP_PROJECT_ID | GCP project ID | Yes |
| GCP_PROJECT_NUMBER | GCP project number | For WIF |
| GCP_REGION | GCP region (e.g., europe-central2) | Yes |
| GCP_ZONE | GCP zone (e.g., europe-central2-b) | For zonal resources |
| GCP_CREDENTIALS_FILE | Path to service account JSON key | Local only |
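A pre-flight check for the service account key file option described above, as an added example that is not part of formae or the GCP plugin. `check_gcp_key_file` is a hypothetical helper name, and the owner-only permissions and not-tracked-by-git rules are assumed local policy, not plugin requirements.

```shell
#!/bin/sh
# Added example (hypothetical helper, not formae code): validate the key file
# named by GCP_CREDENTIALS_FILE before handing it to a target config.
# Returns 0 when the file passes, otherwise a distinct code and a reason on stderr.
check_gcp_key_file() {
    f="${1:-${GCP_CREDENTIALS_FILE:-}}"
    if [ -z "$f" ]; then
        echo "GCP_CREDENTIALS_FILE is not set" >&2
        return 2
    fi
    if [ ! -f "$f" ] || [ ! -r "$f" ]; then
        echo "$f: not a readable regular file" >&2
        return 3
    fi
    # Characters 5-10 of the ls mode string are the group and other bits;
    # -L follows a symlink so the real file's mode is checked.
    perms=$(ls -ldL -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$f: group/other access ($perms); expected owner-only, e.g. chmod 600" >&2
        return 4
    fi
    # A service account key is a JSON document with "type": "service_account".
    if ! grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$f"; then
        echo "$f: does not look like a service account key" >&2
        return 5
    fi
    # Assumed policy: a key tracked by git is treated as exposed.
    if command -v git >/dev/null 2>&1 &&
       git -C "$(dirname "$f")" ls-files --error-unmatch -- "$(basename "$f")" >/dev/null 2>&1; then
        echo "$f: tracked by git; remove it from the repository and rotate the key" >&2
        return 6
    fi
    return 0
}
# Usage: check_gcp_key_file && formae apply --mode reconcile <your-forma-file>
```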
Examples
Examples are bundled with formae at /opt/pel/formae/examples/formae-plugin-gcp/.
Before running any example, resolve the Pkl dependencies:
```bash
pkl project resolve /opt/pel/formae/examples/formae-plugin-gcp
```
Available examples:
| Example | Description |
|---|---|
| gcp-lifeline | VPC network with subnets, firewalls, router, and compute instance |
| gcp-loadbalancer | HTTP(S) load balancer setup |
```bash
# Evaluate an example
formae eval /opt/pel/formae/examples/formae-plugin-gcp/gcp-lifeline/gcp_lifeline.pkl

# Apply resources
formae apply --mode reconcile --watch /opt/pel/formae/examples/formae-plugin-gcp/gcp-lifeline/gcp_lifeline.pkl
```
Supported Resources
| Type | Discoverable | Extractable | Comment |
|---|---|---|---|
| GCP::BigQuery::Dataset | ✅ | ✅ | |
| GCP::BigQuery::Table | ✅ | ✅ | |
| GCP::Bigtable::Backup | ✅ | ✅ | |
| GCP::Bigtable::Cluster | ✅ | ✅ | |
| GCP::Bigtable::Instance | ✅ | ✅ | |
| GCP::Bigtable::MaterializedView | ✅ | ✅ | |
| GCP::Bigtable::Table | ✅ | ✅ | |
| GCP::CloudRun::Job | ✅ | ✅ | |
| GCP::CloudRun::Service | ✅ | ✅ | |
| GCP::Compute::Address | ✅ | ✅ | |
| GCP::Compute::BackendService | ✅ | ✅ | |
| GCP::Compute::Disk | ✅ | ✅ | |
| GCP::Compute::Firewall | ✅ | ✅ | |
| GCP::Compute::ForwardingRule | ✅ | ✅ | |
| GCP::Compute::GlobalAddress | ✅ | ✅ | |
| GCP::Compute::GlobalForwardingRule | ✅ | ✅ | |
| GCP::Compute::HealthCheck | ✅ | ✅ | |
| GCP::Compute::Instance | ✅ | ✅ | |
| GCP::Compute::Network | ✅ | ✅ | |
| GCP::Compute::RegionBackendService | ✅ | ✅ | |
| GCP::Compute::RegionHealthCheck | ✅ | ✅ | |
| GCP::Compute::RegionTargetHttpProxy | ✅ | ✅ | |
| GCP::Compute::RegionTargetHttpsProxy | ✅ | ✅ | |
| GCP::Compute::RegionTargetTcpProxy | ✅ | ✅ | |
| GCP::Compute::RegionUrlMap | ✅ | ✅ | |
| GCP::Compute::Router | ✅ | ✅ | |
| GCP::Compute::Subnetwork | ✅ | ✅ | |
| GCP::Compute::TargetHttpProxy | ✅ | ✅ | |
| GCP::Compute::TargetHttpsProxy | ✅ | ✅ | |
| GCP::Compute::TargetPool | ✅ | ✅ | |
| GCP::Compute::TargetSslProxy | ✅ | ✅ | |
| GCP::Compute::TargetTcpProxy | ✅ | ✅ | |
| GCP::Compute::UrlMap | ✅ | ✅ | |
| GCP::Container::Cluster | ✅ | ✅ | |
| GCP::Container::NodePool | ✅ | ✅ | |
| GCP::SQL::DatabaseInstance | ✅ | ✅ | |
| GCP::Storage::AnywhereCache | ✅ | ✅ | |
| GCP::Storage::Bucket | ✅ | ✅ | |
| GCP::Storage::BucketAccessControl | ✅ | ✅ | |
| GCP::Storage::DefaultObjectAccessControl | ✅ | ✅ | |
| GCP::Storage::ObjectAccessControl | ✅ | ✅ | |