@mutinex/cloud-infra is a comprehensive Pulumi library designed to streamline the management of Google Cloud Platform (GCP) infrastructure. It provides a suite of foundational helpers and resource components that enforce consistency, simplify complex tasks like IAM and cross-stack dependencies, and promote best practices for building scalable and maintainable cloud environments.
By standardizing resource naming, metadata, outputs, and access policies, this library helps accelerate development and reduce configuration errors across all your organization's projects.
The library is designed with an "infrastructure as software" philosophy, favoring strongly-typed, reusable components over raw resource definitions. This approach not only improves developer experience by providing clear APIs and reducing boilerplate, but also enhances security and compliance by embedding organizational policies directly into the building blocks of the infrastructure. The result is a more robust, predictable, and secure cloud foundation.
The core of the library consists of foundational helpers that provide the building blocks for all other components.
- Core: Meta: Manages standardized resource naming, regionality, and metadata.
- Core: Output: Provides structured recording and organization of Pulumi resource outputs for cross-stack consumption.
- Core: Reference: Simplifies consuming outputs from other Pulumi stacks with type-safe accessors and resource aliasing. Now includes domain-optional resolution (ReferenceWithoutDomain) for direct stack access without domain scoping, enabling simplified principal configuration in access matrices.
- Core: Access Matrix: Offers a declarative, case-based system for managing complex GCP IAM policies.
Reusable, opinionated components that wrap one or more GCP resources and apply your organization's conventions.
| Category | Component | Description |
|---|---|---|
| IAM | Account | Create GCP service-accounts (single & bulk). |
| IAM | Role | Project-/org-level custom IAM roles with smart permission validation. |
| IAM | Workload Identity Pool | Workload Identity Pools and OIDC Providers for external identities. |
| IAM | Entitlement | Privileged Access Manager entitlement with smart defaults. |
| Data | Bucket | Regional, multi-regional & dual-regional Cloud Storage buckets (single & bulk). |
| Data | Database | Cloud SQL instance, database and users. |
| Data | Secret | Secret Manager secret + version (regional or global). |
| Data | Repository | Artifact Registry repository with naming/location helpers. |
| Compute | Cloud Run Service | Cloud Run service plus regional NEG. |
| Compute | Cloud Run Job | One-off/background Cloud Run jobs. |
| Compute | Compute Instance | Compute Engine instance with zonal naming and meta integration. |
| Network | Application Load Balancer | HTTP(S) Application Load Balancer (global or regional). |
| Network | Backend Service | (Regional / global) backend service for load-balancers. |
| Organization | NAT Gateway | NAT Gateway with Router and RouterNat for outbound internet access from private subnets. |
| Organization | Project | Host & service projects with Shared VPC and API bootstrapping. |
| Organization | Network | VPC subnet, Serverless VPC Connector & Private Service Connect helpers. |
(More Components are Coming)
Note on Forwarding Rule Targets:
GlobalForwardingRule.target and ForwardingRule.target must be set to the full URL (selfLink) of the TargetHttpsProxy resource, not its bare resource ID. Pass the proxy's selfLink output, not its id output, when wiring the forwarding rule.
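As an added example (not code from @mutinex/cloud-infra), the following guard catches the mistake described above before deployment: it accepts a targetHttpsProxies selfLink or the relative resource name that the proxy's id carries, returns the selfLink, and rejects anything else. The helper names isProxySelfLink and toProxySelfLink and the project and proxy names in the comments are constructed for illustration; the URL shapes follow the Compute API naming for global and regional target HTTPS proxies.

```typescript
// Added example, not part of @mutinex/cloud-infra.
// Ensures a forwarding-rule target is the proxy's full selfLink URL
// rather than its bare resource ID.

const COMPUTE_API_BASE = "https://www.googleapis.com/compute/v1/";

// Relative resource name of a target HTTPS proxy, global or regional:
//   projects/<project>/global/targetHttpsProxies/<name>
//   projects/<project>/regions/<region>/targetHttpsProxies/<name>
const PROXY_PATH =
  /^projects\/[a-z][-a-z0-9]*\/(global|regions\/[a-z][-a-z0-9]*)\/targetHttpsProxies\/[a-z][-a-z0-9]*$/;

// True only for a full selfLink URL pointing at a target HTTPS proxy.
function isProxySelfLink(value: string): boolean {
  if (!value.startsWith(COMPUTE_API_BASE)) {
    return false;
  }
  return PROXY_PATH.test(value.slice(COMPUTE_API_BASE.length));
}

// Accepts a selfLink or a relative resource name (the shape of the proxy's id)
// and returns the selfLink. Anything else (a bare name like "web-proxy", an
// empty string, a URL for a different resource type) throws, so the error
// surfaces while the Pulumi program is evaluated instead of at deploy time.
function toProxySelfLink(idOrSelfLink: string): string {
  if (isProxySelfLink(idOrSelfLink)) {
    return idOrSelfLink;
  }
  if (PROXY_PATH.test(idOrSelfLink)) {
    return COMPUTE_API_BASE + idOrSelfLink;
  }
  throw new Error(
    `forwarding rule target must be a targetHttpsProxies selfLink, got: ${idOrSelfLink}`,
  );
}

// Constructed sample values (hypothetical project "demo-proj", proxy "web-proxy"):
//   toProxySelfLink("projects/demo-proj/global/targetHttpsProxies/web-proxy")
//     -> "https://www.googleapis.com/compute/v1/projects/demo-proj/global/targetHttpsProxies/web-proxy"
//   toProxySelfLink("web-proxy")  -> throws
```

In a Pulumi program the proxy's selfLink is an Output, so the check runs inside an apply, for example target: proxy.selfLink.apply(toProxySelfLink). The guard deliberately does not accept the bare proxy name, because that is the value most likely to be passed by mistake in place of the selfLink.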
To address Pulumi's promise-leak diagnostics, getters and output exports now unwrap pulumi.Output<T> values with .apply before returning or recording them.

All public getters return a derived Output rather than the raw resource property. For example:

```typescript
import * as pulumi from "@pulumi/pulumi";

// Return an Output derived via apply instead of this.service.name itself.
public getName(): pulumi.Output<string> {
  return this.service.name.apply((n: string) => n);
}
```

Always use these getters instead of exposing raw Output properties directly.

The exportOutputs method defers recording until all Outputs resolve via pulumi.all([...]).apply(...). For example:

```typescript
// Record the service's outputs only once id, name and uri are all known.
// grouping, this.meta and ServiceWithExtras are defined elsewhere in the component.
public exportOutputs(manager: CloudInfraOutput): void {
  pulumi
    .all([this.service.id, this.service.name, this.service.uri])
    .apply(() => {
      manager.record(
        "gcp:cloudrunv2:Service",
        grouping,
        this.meta,
        this.service as ServiceWithExtras,
      );
    });
}
```

This pattern suppresses the leak warnings and ensures Pulumi tracks dependencies correctly. One caveat: an apply callback does not run during pulumi preview while any of its inputs is unknown (for example before the service has been created for the first time), so in that case nothing is recorded until the first pulumi up has completed.
