GCP Orchestrator Agent

Status: In Development

The GCP Orchestrator is currently in active development. This page outlines the planned architecture and capabilities. We'll update it as features ship.


What we're building

Google Cloud Platform offers incredibly powerful primitives for scaling applications — but wiring together VPC networks, GKE clusters, Cloud IAM bindings, and service accounts requires deep platform expertise and careful attention to GCP's unique identity and networking model.

The GCP Orchestrator Agent will bridge that gap. Built on the same proven Deep Agent architecture as the AWS Orchestrator, this agent will specialize exclusively in Google Cloud. You'll describe what you need in plain language, and the agent pipeline will handle dependency mapping, Terraform generation, security validation, and GitHub commit.


Planned architecture

The GCP Orchestrator will use the same Supervisor → Coordinator → Sub-agent hierarchy as the AWS Orchestrator, adapted to GCP's provider and security model.

Key differences from AWS

| Aspect | AWS Orchestrator | GCP Orchestrator (Planned) |
|---|---|---|
| Provider | hashicorp/aws | hashicorp/google + hashicorp/google-beta |
| Research source | Terraform Registry (AWS provider docs) | Terraform Registry (Google provider docs) |
| Security standards | CIS AWS Benchmarks | CIS GCP Benchmarks, GCP Security Best Practices |
| Identity model | IAM roles + policies | Service Accounts, Workload Identity, IAM bindings |
| Networking | VPC, subnets, SGs | VPC, subnets, firewall rules, Shared VPC |
| Project model | Single account | Project-based with organization hierarchy |

Shared components

The GCP Orchestrator will reuse the same battle-tested infrastructure:

  • Same Deep Agent pattern — Supervisor → Coordinator → Sub-agents
  • Same Terraform MCP Server — queries live provider docs for google resources
  • Same GitHub MCP Server — commits modules via API
  • Same HITL governance — mandatory commit gates, optional cost gates
  • Same skill system — per-service blueprints that prevent hallucinated configs
  • Same sandbox validation: terraform init, fmt, validate

Planned capabilities

GCP services (initial target)

| Category | Services |
|---|---|
| Compute | GKE, Compute Engine, Cloud Run, Cloud Functions |
| Networking | VPC, Subnets, Firewall Rules, Cloud NAT, Cloud Load Balancing, Cloud Armor |
| Storage | Cloud Storage (GCS), Persistent Disk, Filestore |
| Database | Cloud SQL, Cloud Spanner, Firestore, Memorystore |
| Identity | Service Accounts, Workload Identity, IAM Bindings, Organization Policies |
| Security | Secret Manager, KMS, VPC Service Controls |
| Monitoring | Cloud Monitoring, Cloud Logging, Error Reporting |

Example requests (what you'll be able to do)

"Provision a regional GKE cluster with Workload Identity enabled and a Cloud SQL PostgreSQL database with private IP."
"Create a Cloud Run service module with Cloud Load Balancing, Cloud Armor WAF rules, and a custom domain mapping."
"Set up a Shared VPC with host project and two service projects. Include firewall rules for inter-project communication."

GCP-specific considerations

The GCP Orchestrator will handle several patterns unique to Google Cloud:

Project & Organization Hierarchy

Unlike AWS (single account), GCP uses a project-based model. The agent will handle:

  • Project-level resource scoping
  • Organization policy constraints
  • Folder-based IAM inheritance

Dual Provider Pattern

Many GCP features require the google-beta provider. The agent will automatically detect when beta resources are needed and configure both providers in versions.tf.
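What a generated versions.tf with both providers looks like, as an added illustration (this is not the agent's own output or a file from the project; the version constraints, project/region variables and the resource names are assumptions chosen for the example):

```hcl
# versions.tf (example): pin both the GA and the beta provider so a module can mix
# GA resources with resources or fields that are only available in google-beta.
terraform {
  required_version = ">= 1.5.0" # assumed minimum; adjust to the project's pin

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 5.0" # assumed; pin to the range the module was validated against
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "~> 5.0" # keep both providers on the same major version
    }
  }
}

variable "project_id" { type = string }

variable "region" {
  type    = string
  default = "us-central1" # assumed default region
}

# Both providers are configured identically so GA and beta resources land in the
# same project and region. Credentials come from the environment (ADC), never
# from a key file checked into the module.
provider "google" {
  project = var.project_id
  region  = var.region
}

provider "google-beta" {
  project = var.project_id
  region  = var.region
}

# A GA resource uses the default (google) provider ...
resource "google_compute_network" "vpc" {
  name                    = "example-vpc"
  auto_create_subnetworks = false
}

# ... while a resource that needs a beta-only feature is pinned to google-beta
# explicitly with the provider meta-argument. The subnet is only a stand-in here;
# the agent would pin whichever resource actually needs the beta field.
resource "google_compute_subnetwork" "subnet" {
  provider                 = google-beta
  name                     = "example-subnet"
  ip_cidr_range            = "10.10.0.0/24"
  region                   = var.region
  network                  = google_compute_network.vpc.id
  private_ip_google_access = true # reach Google APIs without external IPs
}
```

The point to check in review is that the two providers are pinned to the same major version and configured with the same project and region; drift between them is a common source of "resource not found" surprises when a beta resource references a GA one.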

Workload Identity

GCP's recommended identity model for GKE (replacing service account key files). The agent will generate Workload Identity configurations as the default pattern for GKE-related modules.
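The Workload Identity wiring the agent would generate for a GKE module, as an added example (not the project's own blueprint or output; the cluster, service account, namespace, bucket names and the node-pool sizing are assumptions). It also covers the organization-policy constraint mentioned under "Project & Organization Hierarchy", because the two belong together: Workload Identity replaces key files, and the constraint stops anyone from creating them anyway.

```hcl
variable "project_id" { type = string }
variable "region" {
  type    = string
  default = "us-central1" # assumed
}
variable "k8s_namespace" {
  type    = string
  default = "app" # assumed Kubernetes namespace of the workload
}
variable "k8s_service_account" {
  type    = string
  default = "app-ksa" # assumed Kubernetes service account name
}
variable "bucket_name" { type = string } # assumed: a bucket the workload must read

# Dedicated, minimally privileged node identity instead of the default compute SA.
resource "google_service_account" "node" {
  account_id   = "gke-node-sa"
  display_name = "GKE node service account"
}

# Enabling Workload Identity on the cluster registers the project's workload pool.
resource "google_container_cluster" "primary" {
  name                     = "example-gke"
  location                 = var.region # regional cluster
  remove_default_node_pool = true
  initial_node_count       = 1

  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }
}

# GKE_METADATA serves per-pod identity from the GKE metadata server, so pods
# cannot read the node's own credentials through the VM metadata endpoint.
resource "google_container_node_pool" "primary_nodes" {
  name       = "primary"
  cluster    = google_container_cluster.primary.id
  node_count = 1

  node_config {
    machine_type    = "e2-standard-2"
    service_account = google_service_account.node.email
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]

    workload_metadata_config {
      mode = "GKE_METADATA"
    }
  }
}

# The Google service account the pod will act as. No key is ever created for it.
resource "google_service_account" "app" {
  account_id   = "app-sa"
  display_name = "Application workload identity"
}

# Let exactly one Kubernetes service account (namespace/name) impersonate it.
resource "google_service_account_iam_member" "app_workload_identity" {
  service_account_id = google_service_account.app.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[${var.k8s_namespace}/${var.k8s_service_account}]"
}

# Least privilege: grant the workload a read role on one bucket, not a project-wide role.
resource "google_storage_bucket_iam_member" "app_bucket_reader" {
  bucket = var.bucket_name
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${google_service_account.app.email}"
}

# Organization policy constraint: block user-managed service account keys in this
# project so the key-file pattern Workload Identity replaces cannot come back.
resource "google_project_organization_policy" "no_sa_keys" {
  project    = var.project_id
  constraint = "constraints/iam.disableServiceAccountKeyCreation"

  boolean_policy {
    enforced = true
  }
}
```

The Kubernetes side (a ServiceAccount in the assumed namespace annotated with iam.gke.io/gcp-service-account pointing at the Google service account's email) is left to the cluster manifests. When reviewing generated modules, the two things to look for are that every node pool sets workload_metadata_config.mode = "GKE_METADATA" and that no google_service_account_key resource appears anywhere.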


Roadmap

| Phase | Target | Status |
|---|---|---|
| Phase 1 | Core module generation (GKE, VPC, Cloud Storage) | 🔨 In development |
| Phase 2 | Security hardening (CIS GCP Benchmarks, Workload Identity) | 📋 Planned |
| Phase 3 | Module updates via GitHub MCP | 📋 Planned |
| Phase 4 | Cross-cloud modules (GCP + AWS in one request) | 📋 Planned |

Stay updated