The gcp:parametermanager/parameter:Parameter resource, part of the Pulumi GCP provider, defines a Parameter Manager parameter container: its identifier, format validation rules, labels, and encryption settings. This guide focuses on three capabilities: basic parameter creation, format validation for structured data, and labeling with KMS encryption.
Parameters are containers for versioned configuration values. The examples create the parameter resource itself but don’t populate it with actual values. Combine them with parameter version resources to store and retrieve configuration data.
Create a parameter with minimal configuration
Most deployments start with a parameter ID, letting GCP assign defaults for format and encryption.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const parameter_basic = new gcp.parametermanager.Parameter("parameter-basic", {parameterId: "parameter"});
import pulumi
import pulumi_gcp as gcp
parameter_basic = gcp.parametermanager.Parameter("parameter-basic", parameter_id="parameter")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/parametermanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := parametermanager.NewParameter(ctx, "parameter-basic", ¶metermanager.ParameterArgs{
ParameterId: pulumi.String("parameter"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var parameter_basic = new Gcp.ParameterManager.Parameter("parameter-basic", new()
{
ParameterId = "parameter",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.parametermanager.Parameter;
import com.pulumi.gcp.parametermanager.ParameterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var parameter_basic = new Parameter("parameter-basic", ParameterArgs.builder()
.parameterId("parameter")
.build());
}
}
resources:
parameter-basic:
type: gcp:parametermanager:Parameter
properties:
parameterId: parameter
The parameterId property sets a unique identifier within your project. Without additional configuration, the parameter uses UNFORMATTED format (no validation) and Google-managed encryption. The parameter container is ready to receive versioned values.
Specify format for structured data validation
Applications storing JSON or YAML configuration benefit from format validation to catch syntax errors.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const parameter_with_format = new gcp.parametermanager.Parameter("parameter-with-format", {
parameterId: "parameter",
format: "JSON",
});
import pulumi
import pulumi_gcp as gcp
parameter_with_format = gcp.parametermanager.Parameter("parameter-with-format",
parameter_id="parameter",
format="JSON")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/parametermanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := parametermanager.NewParameter(ctx, "parameter-with-format", ¶metermanager.ParameterArgs{
ParameterId: pulumi.String("parameter"),
Format: pulumi.String("JSON"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var parameter_with_format = new Gcp.ParameterManager.Parameter("parameter-with-format", new()
{
ParameterId = "parameter",
Format = "JSON",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.parametermanager.Parameter;
import com.pulumi.gcp.parametermanager.ParameterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var parameter_with_format = new Parameter("parameter-with-format", ParameterArgs.builder()
.parameterId("parameter")
.format("JSON")
.build());
}
}
resources:
parameter-with-format:
type: gcp:parametermanager:Parameter
properties:
parameterId: parameter
format: JSON
The format property enables validation when parameter versions are created. Setting it to JSON or YAML ensures that stored values conform to the specified structure, rejecting malformed data at write time.
Tag parameters for organization and filtering
Teams managing many parameters use labels to group them by environment, application, or cost center.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const parameter_with_labels = new gcp.parametermanager.Parameter("parameter-with-labels", {
parameterId: "parameter",
labels: {
key1: "val1",
key2: "val2",
key3: "val3",
key4: "val4",
key5: "val5",
},
});
import pulumi
import pulumi_gcp as gcp
parameter_with_labels = gcp.parametermanager.Parameter("parameter-with-labels",
parameter_id="parameter",
labels={
"key1": "val1",
"key2": "val2",
"key3": "val3",
"key4": "val4",
"key5": "val5",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/parametermanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := parametermanager.NewParameter(ctx, "parameter-with-labels", ¶metermanager.ParameterArgs{
ParameterId: pulumi.String("parameter"),
Labels: pulumi.StringMap{
"key1": pulumi.String("val1"),
"key2": pulumi.String("val2"),
"key3": pulumi.String("val3"),
"key4": pulumi.String("val4"),
"key5": pulumi.String("val5"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var parameter_with_labels = new Gcp.ParameterManager.Parameter("parameter-with-labels", new()
{
ParameterId = "parameter",
Labels =
{
{ "key1", "val1" },
{ "key2", "val2" },
{ "key3", "val3" },
{ "key4", "val4" },
{ "key5", "val5" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.parametermanager.Parameter;
import com.pulumi.gcp.parametermanager.ParameterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var parameter_with_labels = new Parameter("parameter-with-labels", ParameterArgs.builder()
.parameterId("parameter")
.labels(Map.ofEntries(
Map.entry("key1", "val1"),
Map.entry("key2", "val2"),
Map.entry("key3", "val3"),
Map.entry("key4", "val4"),
Map.entry("key5", "val5")
))
.build());
}
}
resources:
parameter-with-labels:
type: gcp:parametermanager:Parameter
properties:
parameterId: parameter
labels:
key1: val1
key2: val2
key3: val3
key4: val4
key5: val5
The labels property accepts key-value pairs for metadata tagging. Labels enable filtering in the console and API, and support cost allocation when analyzing billing data. Each parameter can have up to 64 labels.
Encrypt parameter versions with customer-managed keys
Compliance requirements often mandate customer-managed encryption rather than Google-managed defaults.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const project = gcp.organizations.getProject({});
const parameter_with_kms_key = new gcp.parametermanager.Parameter("parameter-with-kms-key", {
parameterId: "parameter",
kmsKey: "kms-key",
});
import pulumi
import pulumi_gcp as gcp
project = gcp.organizations.get_project()
parameter_with_kms_key = gcp.parametermanager.Parameter("parameter-with-kms-key",
parameter_id="parameter",
kms_key="kms-key")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/parametermanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := organizations.LookupProject(ctx, &organizations.LookupProjectArgs{}, nil)
if err != nil {
return err
}
_, err = parametermanager.NewParameter(ctx, "parameter-with-kms-key", ¶metermanager.ParameterArgs{
ParameterId: pulumi.String("parameter"),
KmsKey: pulumi.String("kms-key"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var project = Gcp.Organizations.GetProject.Invoke();
var parameter_with_kms_key = new Gcp.ParameterManager.Parameter("parameter-with-kms-key", new()
{
ParameterId = "parameter",
KmsKey = "kms-key",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetProjectArgs;
import com.pulumi.gcp.parametermanager.Parameter;
import com.pulumi.gcp.parametermanager.ParameterArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var project = OrganizationsFunctions.getProject(GetProjectArgs.builder()
.build());
var parameter_with_kms_key = new Parameter("parameter-with-kms-key", ParameterArgs.builder()
.parameterId("parameter")
.kmsKey("kms-key")
.build());
}
}
resources:
parameter-with-kms-key:
type: gcp:parametermanager:Parameter
properties:
parameterId: parameter
kmsKey: kms-key
variables:
project:
fn::invoke:
function: gcp:organizations:getProject
arguments: {}
The kmsKey property specifies a Cloud KMS CryptoKey for encrypting parameter version payloads. The key must exist before creating the parameter, and your service account needs the CryptoKey Encrypter/Decrypter role. The format is projects/{{project}}/locations/global/keyRings/{{key_ring}}/cryptoKeys/{{crypto_key}}.
Beyond these examples
These snippets focus on specific parameter-level features: parameter creation and identification, format validation for structured data, and labeling and customer-managed encryption. They’re intentionally minimal rather than complete configuration management solutions.
The examples may reference pre-existing infrastructure such as GCP project with Parameter Manager API enabled, and Cloud KMS key ring and crypto key for encryption. They focus on configuring the parameter container rather than provisioning the surrounding infrastructure or storing actual values.
To keep things focused, common parameter patterns are omitted, including:
- Parameter version creation and value storage
- IAM policy bindings (policyMembers)
- Parameter value retrieval and rotation
- Integration with Secret Manager or other services
These omissions are intentional: the goal is to illustrate how each parameter feature is wired, not provide drop-in configuration management modules. See the Parameter Manager Parameter resource reference for all available configuration options.
Let's create GCP Parameter Manager Parameters
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Immutability
parameterId, project, and format properties are immutable and require resource replacement if changed.UNFORMATTED (default), YAML, and JSON. The format is immutable after creation.projects/{{project}}/locations/global/parameters/{{parameter_id}}, {{project}}/{{parameter_id}}, or just {{parameter_id}}.Labels & Metadata
labels field is non-authoritative and only manages labels in your configuration. Use effectiveLabels to see all labels on the resource, including those added by other clients.Encryption & Security
kmsKey property with the full Cloud KMS CryptoKey resource name in the format: projects/{{project}}/locations/global/keyRings/{{key_ring}}/cryptoKeys/{{crypto_key}}Basic Setup
parameterId, which must be unique within the project. The project defaults to the provider project if not specified.