@intentius/chant-lexicon-gcp 0.0.18 → 0.0.24

package/src/composites/cloud-run-service.ts

@@ -1,7 +1,13 @@
 /**
- * CloudRunService composite — RunService + optional IAMPolicyMember for public access.
+ * CloudRunServiceComposite composite — RunService + optional IAMPolicyMember for public access.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import {
+  CloudRunService as CloudRunServiceResource,
+  IAMPolicyMember,
+} from "../generated";
+
 export interface CloudRunServiceProps {
   /** Service name. */
   name: string;
@@ -29,11 +35,11 @@ export interface CloudRunServiceProps {
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
-}
-
-export interface CloudRunServiceResult {
-  service: Record<string, unknown>;
-  publicIam?: Record<string, unknown>;
+  /** Per-member defaults for customizing individual resources. */
+  defaults?: {
+    service?: Partial<ConstructorParameters<typeof CloudRunServiceResource>[0]>;
+    publicIam?: Partial<ConstructorParameters<typeof IAMPolicyMember>[0]>;
+  };
 }
 
 /**
@@ -50,7 +56,7 @@ export interface CloudRunServiceResult {
  * });
  * ```
  */
-export function CloudRunService(props: CloudRunServiceProps): CloudRunServiceResult {
+export const CloudRunServiceComposite = Composite<CloudRunServiceProps>((props) => {
   const {
     name,
     image,
@@ -65,6 +71,7 @@ export function CloudRunService(props: CloudRunServiceProps): CloudRunServiceRes
     env,
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -84,7 +91,7 @@ export function CloudRunService(props: CloudRunServiceProps): CloudRunServiceRes
     },
   ];
 
-  const service: Record<string, unknown> = {
+  const service = new CloudRunServiceResource(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -99,12 +106,12 @@ export function CloudRunService(props: CloudRunServiceProps): CloudRunServiceRes
       },
       containers,
     },
-  };
+  } as Record<string, unknown>, defs?.service));
 
-  const result: CloudRunServiceResult = { service };
+  const result: Record<string, any> = { service };
 
   if (publicAccess) {
-    result.publicIam = {
+    result.publicIam = new IAMPolicyMember(mergeDefaults({
       metadata: {
         name: `${name}-public`,
         ...(namespace && { namespace }),
@@ -117,8 +124,8 @@ export function CloudRunService(props: CloudRunServiceProps): CloudRunServiceRes
         kind: "RunService",
         name,
       },
-    };
+    } as Record<string, unknown>, defs?.publicIam));
   }
 
   return result;
-}
+}, "CloudRunServiceComposite");

package/src/composites/cloud-sql-instance.ts

@@ -2,6 +2,9 @@
  * CloudSqlInstance composite — SQLInstance + SQLDatabase + SQLUser.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { SQLInstance, SQLDatabase, SQLUser } from "../generated";
+
 export interface CloudSqlInstanceProps {
   /** Instance name. */
   name: string;
@@ -27,12 +30,12 @@ export interface CloudSqlInstanceProps {
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
-}
-
-export interface CloudSqlInstanceResult {
-  instance: Record<string, unknown>;
-  database: Record<string, unknown>;
-  user: Record<string, unknown>;
+  /** Per-member defaults for customizing individual resources. */
+  defaults?: {
+    instance?: Partial<ConstructorParameters<typeof SQLInstance>[0]>;
+    database?: Partial<ConstructorParameters<typeof SQLDatabase>[0]>;
+    user?: Partial<ConstructorParameters<typeof SQLUser>[0]>;
+  };
 }
 
 /**
@@ -49,7 +52,7 @@ export interface CloudSqlInstanceResult {
  * });
  * ```
  */
-export function CloudSqlInstance(props: CloudSqlInstanceProps): CloudSqlInstanceResult {
+export const CloudSqlInstance = Composite<CloudSqlInstanceProps>((props) => {
   const {
     name,
     databaseVersion = "POSTGRES_15",
@@ -63,6 +66,7 @@ export function CloudSqlInstance(props: CloudSqlInstanceProps): CloudSqlInstance
     highAvailability = false,
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -85,7 +89,7 @@ export function CloudSqlInstance(props: CloudSqlInstanceProps): CloudSqlInstance
     };
   }
 
-  const instance: Record<string, unknown> = {
+  const instance = new SQLInstance(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
@@ -94,18 +98,18 @@ export function CloudSqlInstance(props: CloudSqlInstanceProps): CloudSqlInstance
     databaseVersion,
     ...(region && { region }),
     settings,
-  };
+  } as Record<string, unknown>, defs?.instance));
 
-  const database: Record<string, unknown> = {
+  const database = new SQLDatabase(mergeDefaults({
     metadata: {
       name: databaseName,
       ...(namespace && { namespace }),
       labels: { ...commonLabels, "app.kubernetes.io/component": "database" },
     },
     instanceRef: { name },
-  };
+  } as Record<string, unknown>, defs?.database));
 
-  const user: Record<string, unknown> = {
+  const user = new SQLUser(mergeDefaults({
     metadata: {
       name: `${name}-${userName}`,
       ...(namespace && { namespace }),
@@ -120,7 +124,7 @@ export function CloudSqlInstance(props: CloudSqlInstanceProps): CloudSqlInstance
         },
       },
     },
-  };
+  } as Record<string, unknown>, defs?.user));
 
   return { instance, database, user };
-}
+}, "CloudSqlInstance");

package/src/composites/composites.test.ts

@@ -1,6 +1,6 @@
 import { describe, test, expect } from "bun:test";
 import { GkeCluster } from "./gke-cluster";
-import { CloudRunService } from "./cloud-run-service";
+import { CloudRunServiceComposite } from "./cloud-run-service";
 import { CloudSqlInstance } from "./cloud-sql-instance";
 import { GcsBucket } from "./gcs-bucket";
 import { VpcNetwork } from "./vpc-network";
@@ -10,6 +10,11 @@ import { PrivateService } from "./private-service";
 import { ManagedCertificate } from "./managed-certificate";
 import { SecureProject } from "./secure-project";
 
+/** Helper to extract props from a Declarable member. */
+function p(member: unknown): Record<string, any> {
+  return (member as any).props;
+}
+
 // ── GkeCluster ──────────────────────────────────────────────────────
 
 describe("GkeCluster", () => {
@@ -21,60 +26,81 @@ describe("GkeCluster", () => {
 
   test("includes common labels", () => {
     const result = GkeCluster({ name: "my-cluster" });
-    const labels = result.cluster.metadata as any;
-    expect(labels.labels["app.kubernetes.io/managed-by"]).toBe("chant");
+    const meta = p(result.cluster).metadata;
+    expect(meta.labels["app.kubernetes.io/managed-by"]).toBe("chant");
   });
 
   test("node pool references cluster", () => {
     const result = GkeCluster({ name: "my-cluster" });
-    expect((result.nodePool as any).clusterRef.name).toBe("my-cluster");
+    expect(p(result.nodePool).clusterRef.name).toBe("my-cluster");
   });
 
   test("respects maxNodeCount", () => {
     const result = GkeCluster({ name: "c", maxNodeCount: 20 });
-    expect((result.nodePool as any).autoscaling.maxNodeCount).toBe(20);
+    expect(p(result.nodePool).autoscaling.maxNodeCount).toBe(20);
   });
 
   test("sets namespace when provided", () => {
     const result = GkeCluster({ name: "c", namespace: "infra" });
-    expect((result.cluster.metadata as any).namespace).toBe("infra");
-    expect((result.nodePool.metadata as any).namespace).toBe("infra");
+    expect(p(result.cluster).metadata.namespace).toBe("infra");
+    expect(p(result.nodePool).metadata.namespace).toBe("infra");
   });
 
   test("enables workload identity by default", () => {
     const result = GkeCluster({ name: "c" });
-    expect((result.cluster as any).workloadIdentityConfig).toBeDefined();
-    expect((result.nodePool as any).nodeConfig.workloadMetadataConfig).toBeDefined();
+    expect(p(result.cluster).workloadIdentityConfig).toBeDefined();
+    expect(p(result.nodePool).nodeConfig.workloadMetadataConfig).toBeDefined();
+  });
+
+  test("workloadPool uses explicit projectId", () => {
+    const result = GkeCluster({ name: "c", projectId: "my-project-123" });
+    expect(p(result.cluster).workloadIdentityConfig.workloadPool).toBe(
+      "my-project-123.svc.id.goog",
+    );
+  });
+
+  test("workloadPool falls back to GCP_PROJECT_ID env var", () => {
+    const prev = process.env.GCP_PROJECT_ID;
+    process.env.GCP_PROJECT_ID = "env-project-456";
+    try {
+      const result = GkeCluster({ name: "c" });
+      expect(p(result.cluster).workloadIdentityConfig.workloadPool).toBe(
+        "env-project-456.svc.id.goog",
+      );
+    } finally {
+      if (prev === undefined) delete process.env.GCP_PROJECT_ID;
+      else process.env.GCP_PROJECT_ID = prev;
+    }
   });
 });
 
 // ── CloudRunService ─────────────────────────────────────────────────
 
-describe("CloudRunService", () => {
+describe("CloudRunServiceComposite", () => {
   test("returns service", () => {
-    const result = CloudRunService({ name: "api", image: "gcr.io/p/api:1" });
+    const result = CloudRunServiceComposite({ name: "api", image: "gcr.io/p/api:1" });
     expect(result.service).toBeDefined();
   });
 
   test("no public IAM by default", () => {
-    const result = CloudRunService({ name: "api", image: "gcr.io/p/api:1" });
+    const result = CloudRunServiceComposite({ name: "api", image: "gcr.io/p/api:1" });
     expect(result.publicIam).toBeUndefined();
   });
 
   test("creates public IAM when requested", () => {
-    const result = CloudRunService({
+    const result = CloudRunServiceComposite({
       name: "api",
       image: "gcr.io/p/api:1",
       publicAccess: true,
     });
     expect(result.publicIam).toBeDefined();
-    expect((result.publicIam as any).member).toBe("allUsers");
-    expect((result.publicIam as any).role).toBe("roles/run.invoker");
+    expect(p(result.publicIam).member).toBe("allUsers");
+    expect(p(result.publicIam).role).toBe("roles/run.invoker");
   });
 
   test("sets custom port", () => {
-    const result = CloudRunService({ name: "api", image: "img", port: 3000 });
-    const containers = (result.service as any).template.containers;
+    const result = CloudRunServiceComposite({ name: "api", image: "img", port: 3000 });
+    const containers = p(result.service).template.containers;
     expect(containers[0].ports[0].containerPort).toBe(3000);
   });
 });
@@ -91,22 +117,22 @@ describe("CloudSqlInstance", () => {
 
   test("database references instance", () => {
     const result = CloudSqlInstance({ name: "db" });
-    expect((result.database as any).instanceRef.name).toBe("db");
+    expect(p(result.database).instanceRef.name).toBe("db");
   });
 
   test("default database version is POSTGRES_15", () => {
     const result = CloudSqlInstance({ name: "db" });
-    expect((result.instance as any).databaseVersion).toBe("POSTGRES_15");
+    expect(p(result.instance).databaseVersion).toBe("POSTGRES_15");
   });
 
   test("enables backups by default", () => {
     const result = CloudSqlInstance({ name: "db" });
-    expect((result.instance as any).settings.backupConfiguration.enabled).toBe(true);
+    expect(p(result.instance).settings.backupConfiguration.enabled).toBe(true);
   });
 
   test("high availability when requested", () => {
     const result = CloudSqlInstance({ name: "db", highAvailability: true });
-    expect((result.instance as any).settings.availabilityType).toBe("REGIONAL");
+    expect(p(result.instance).settings.availabilityType).toBe("REGIONAL");
   });
 });
 
@@ -120,7 +146,7 @@ describe("GcsBucket", () => {
 
   test("uniform access enabled by default", () => {
     const result = GcsBucket({ name: "my-bucket" });
-    expect((result.bucket as any).uniformBucketLevelAccess).toBe(true);
+    expect(p(result.bucket).uniformBucketLevelAccess).toBe(true);
   });
 
   test("adds lifecycle rules", () => {
@@ -128,8 +154,8 @@ describe("GcsBucket", () => {
       name: "my-bucket",
       lifecycleDeleteAfterDays: 30,
     });
-    expect((result.bucket as any).lifecycleRule).toHaveLength(1);
-    expect((result.bucket as any).lifecycleRule[0].condition.age).toBe(30);
+    expect(p(result.bucket).lifecycleRule).toHaveLength(1);
+    expect(p(result.bucket).lifecycleRule[0].condition.age).toBe(30);
   });
 
   test("adds encryption when kmsKeyName provided", () => {
@@ -137,17 +163,17 @@ describe("GcsBucket", () => {
       name: "my-bucket",
       kmsKeyName: "projects/p/locations/l/keyRings/kr/cryptoKeys/k",
     });
-    expect((result.bucket as any).encryption).toBeDefined();
+    expect(p(result.bucket).encryption).toBeDefined();
   });
 
   test("versioning disabled by default", () => {
     const result = GcsBucket({ name: "my-bucket" });
-    expect((result.bucket as any).versioning).toBeUndefined();
+    expect(p(result.bucket).versioning).toBeUndefined();
   });
 
   test("versioning enabled when requested", () => {
     const result = GcsBucket({ name: "my-bucket", versioning: true });
-    expect((result.bucket as any).versioning.enabled).toBe(true);
+    expect(p(result.bucket).versioning.enabled).toBe(true);
   });
 });
 
@@ -166,8 +192,8 @@ describe("VpcNetwork", () => {
         { name: "app", ipCidrRange: "10.0.0.0/24", region: "us-central1" },
       ],
     });
-    expect(result.subnets).toHaveLength(1);
-    expect((result.subnets[0] as any).ipCidrRange).toBe("10.0.0.0/24");
+    expect(result.subnet_app).toBeDefined();
+    expect(p(result.subnet_app).ipCidrRange).toBe("10.0.0.0/24");
   });
 
   test("subnet references network", () => {
@@ -175,7 +201,7 @@ describe("VpcNetwork", () => {
       name: "my-vpc",
       subnets: [{ name: "app", ipCidrRange: "10.0.0.0/24", region: "us-central1" }],
     });
-    expect((result.subnets[0] as any).networkRef.name).toBe("my-vpc");
+    expect(p(result.subnet_app).networkRef.name).toBe("my-vpc");
   });
 
   test("creates internal firewall by default", () => {
@@ -183,8 +209,8 @@ describe("VpcNetwork", () => {
       name: "my-vpc",
       subnets: [{ name: "app", ipCidrRange: "10.0.0.0/24", region: "us-central1" }],
     });
-    expect(result.firewalls.length).toBeGreaterThanOrEqual(1);
-    expect((result.firewalls[0] as any).metadata.name).toBe("my-vpc-allow-internal");
+    expect(result.firewallAllowInternal).toBeDefined();
+    expect(p(result.firewallAllowInternal).metadata.name).toBe("my-vpc-allow-internal");
   });
 
   test("creates NAT when enabled", () => {
@@ -195,7 +221,7 @@ describe("VpcNetwork", () => {
     });
     expect(result.router).toBeDefined();
     expect(result.routerNat).toBeDefined();
-    expect((result.routerNat as any).routerRef.name).toBe("my-vpc-router");
+    expect(p(result.routerNat).routerRef.name).toBe("my-vpc-router");
   });
 
   test("no NAT by default", () => {
@@ -206,9 +232,8 @@ describe("VpcNetwork", () => {
 
   test("IAP SSH firewall when requested", () => {
     const result = VpcNetwork({ name: "my-vpc", allowIapSsh: true });
-    const iapFw = result.firewalls.find((f: any) => (f.metadata as any).name.includes("iap-ssh"));
-    expect(iapFw).toBeDefined();
-    expect((iapFw as any).sourceRanges).toContain("35.235.240.0/20");
+    expect(result.firewallAllowIapSsh).toBeDefined();
+    expect(p(result.firewallAllowIapSsh).sourceRanges).toContain("35.235.240.0/20");
   });
 });
 
@@ -223,7 +248,7 @@ describe("PubSubPipeline", () => {
 
   test("subscription references topic", () => {
     const result = PubSubPipeline({ name: "events" });
-    expect((result.subscription as any).topicRef.name).toBe("events-topic");
+    expect(p(result.subscription).topicRef.name).toBe("events-topic");
   });
 
   test("no DLQ by default", () => {
@@ -234,8 +259,8 @@ describe("PubSubPipeline", () => {
   test("creates DLQ when enabled", () => {
     const result = PubSubPipeline({ name: "events", enableDeadLetterQueue: true });
     expect(result.deadLetterTopic).toBeDefined();
-    expect((result.deadLetterTopic as any).metadata.name).toBe("events-dlq");
-    expect((result.subscription as any).deadLetterPolicy.deadLetterTopicRef.name).toBe("events-dlq");
+    expect(p(result.deadLetterTopic).metadata.name).toBe("events-dlq");
+    expect(p(result.subscription).deadLetterPolicy.deadLetterTopicRef.name).toBe("events-dlq");
   });
 
   test("creates subscriber IAM when service account provided", () => {
@@ -244,18 +269,18 @@ describe("PubSubPipeline", () => {
       subscriberServiceAccount: "worker@project.iam.gserviceaccount.com",
     });
     expect(result.subscriberIam).toBeDefined();
-    expect((result.subscriberIam as any).role).toBe("roles/pubsub.subscriber");
+    expect(p(result.subscriberIam).role).toBe("roles/pubsub.subscriber");
   });
 
   test("sets namespace when provided", () => {
     const result = PubSubPipeline({ name: "events", namespace: "infra" });
-    expect((result.topic as any).metadata.namespace).toBe("infra");
-    expect((result.subscription as any).metadata.namespace).toBe("infra");
+    expect(p(result.topic).metadata.namespace).toBe("infra");
+    expect(p(result.subscription).metadata.namespace).toBe("infra");
   });
 
   test("includes managed-by label", () => {
     const result = PubSubPipeline({ name: "events" });
-    expect((result.topic as any).metadata.labels["app.kubernetes.io/managed-by"]).toBe("chant");
+    expect(p(result.topic).metadata.labels["app.kubernetes.io/managed-by"]).toBe("chant");
   });
 });
 
@@ -289,8 +314,8 @@ describe("CloudFunctionWithTrigger", () => {
       publicAccess: true,
     });
     expect(result.invokerIam).toBeDefined();
-    expect((result.invokerIam as any).member).toBe("allUsers");
-    expect((result.invokerIam as any).role).toBe("roles/cloudfunctions.invoker");
+    expect(p(result.invokerIam).member).toBe("allUsers");
+    expect(p(result.invokerIam).role).toBe("roles/cloudfunctions.invoker");
   });
 
   test("sets runtime and entry point", () => {
@@ -299,8 +324,8 @@ describe("CloudFunctionWithTrigger", () => {
       runtime: "python312",
       entryPoint: "main",
     });
-    expect((result.function as any).runtime).toBe("python312");
-    expect((result.function as any).entryPoint).toBe("main");
+    expect(p(result.function).runtime).toBe("python312");
+    expect(p(result.function).entryPoint).toBe("main");
   });
 
   test("configures pubsub trigger", () => {
@@ -311,8 +336,8 @@ describe("CloudFunctionWithTrigger", () => {
       triggerType: "pubsub",
       triggerTopic: "my-topic",
     });
-    expect((result.function as any).eventTrigger).toBeDefined();
-    expect((result.function as any).eventTrigger.pubsubTopic).toBe("my-topic");
+    expect(p(result.function).eventTrigger).toBeDefined();
+    expect(p(result.function).eventTrigger.pubsubTopic).toBe("my-topic");
   });
 });
 
@@ -327,12 +352,12 @@ describe("PrivateService", () => {
 
   test("address references network", () => {
     const result = PrivateService({ name: "db", networkName: "my-vpc" });
-    expect((result.globalAddress as any).networkRef.name).toBe("my-vpc");
+    expect(p(result.globalAddress).networkRef.name).toBe("my-vpc");
   });
 
   test("connection references network", () => {
     const result = PrivateService({ name: "db", networkName: "my-vpc" });
-    expect((result.serviceConnection as any).networkRef.name).toBe("my-vpc");
+    expect(p(result.serviceConnection).networkRef.name).toBe("my-vpc");
   });
 
   test("no DNS by default", () => {
@@ -343,7 +368,7 @@ describe("PrivateService", () => {
   test("creates DNS zone when enabled", () => {
     const result = PrivateService({ name: "db", networkName: "my-vpc", enableDns: true });
     expect(result.dnsZone).toBeDefined();
-    expect((result.dnsZone as any).visibility).toBe("private");
+    expect(p(result.dnsZone).visibility).toBe("private");
   });
 });
 
@@ -357,7 +382,7 @@ describe("ManagedCertificate", () => {
 
   test("certificate includes domains", () => {
     const result = ManagedCertificate({ name: "my-cert", domains: ["example.com", "www.example.com"] });
-    expect((result.certificate as any).managed.domains).toEqual(["example.com", "www.example.com"]);
+    expect(p(result.certificate).managed.domains).toEqual(["example.com", "www.example.com"]);
   });
 
   test("no proxy by default", () => {
@@ -375,7 +400,7 @@ describe("ManagedCertificate", () => {
     });
     expect(result.targetHttpsProxy).toBeDefined();
     expect(result.urlMap).toBeDefined();
-    expect((result.urlMap as any).defaultService.backendServiceRef.name).toBe("my-backend");
+    expect(p(result.urlMap).defaultService.backendServiceRef.name).toBe("my-backend");
   });
 });
 
@@ -386,19 +411,26 @@ describe("SecureProject", () => {
     const result = SecureProject({ name: "my-project" });
     expect(result.project).toBeDefined();
     expect(result.auditConfig).toBeDefined();
-    expect(result.services.length).toBeGreaterThan(0);
+    // Default 5 APIs become service_compute, service_container, etc.
+    expect(result.service_compute).toBeDefined();
+    expect(result.service_container).toBeDefined();
+    expect(result.service_iam).toBeDefined();
+    expect(result.service_logging).toBeDefined();
+    expect(result.service_monitoring).toBeDefined();
   });
 
   test("audit config covers all services", () => {
     const result = SecureProject({ name: "my-project" });
-    expect((result.auditConfig as any).service).toBe("allServices");
-    expect((result.auditConfig as any).auditLogConfigs.length).toBe(3);
+    expect(p(result.auditConfig).service).toBe("allServices");
+    expect(p(result.auditConfig).auditLogConfigs.length).toBe(3);
   });
 
   test("enables default APIs", () => {
     const result = SecureProject({ name: "my-project" });
-    expect(result.services.length).toBe(5);
-    expect(result.services.some((s: any) => s.resourceID === "compute.googleapis.com")).toBe(true);
+    // 5 services as individual members
+    const serviceKeys = Object.keys(result.members).filter((k) => k.startsWith("service_"));
+    expect(serviceKeys.length).toBe(5);
+    expect(p(result.service_compute).resourceID).toBe("compute.googleapis.com");
   });
 
   test("no owner IAM by default", () => {
@@ -412,8 +444,8 @@ describe("SecureProject", () => {
       owner: "user:admin@example.com",
     });
     expect(result.ownerIam).toBeDefined();
-    expect((result.ownerIam as any).member).toBe("user:admin@example.com");
-    expect((result.ownerIam as any).role).toBe("roles/owner");
+    expect(p(result.ownerIam).member).toBe("user:admin@example.com");
+    expect(p(result.ownerIam).role).toBe("roles/owner");
   });
 
   test("creates logging sink when destination provided", () => {
@@ -422,7 +454,7 @@ describe("SecureProject", () => {
       loggingSinkDestination: "bigquery.googleapis.com/projects/my-project/datasets/audit_logs",
     });
     expect(result.loggingSink).toBeDefined();
-    expect((result.loggingSink as any).destination).toContain("bigquery");
+    expect(p(result.loggingSink).destination).toContain("bigquery");
   });
 
   test("no logging sink by default", () => {

package/src/composites/gcs-bucket.ts

@@ -2,6 +2,9 @@
  * GcsBucket composite — StorageBucket with encryption, uniform access, and lifecycle.
  */
 
+import { Composite, mergeDefaults } from "@intentius/chant";
+import { StorageBucket } from "../generated";
+
 export interface GcsBucketProps {
   /** Bucket name. */
   name: string;
@@ -23,10 +26,10 @@ export interface GcsBucketProps {
   labels?: Record<string, string>;
   /** Namespace for all resources. */
   namespace?: string;
-}
-
-export interface GcsBucketResult {
-  bucket: Record<string, unknown>;
+  /** Per-member defaults for customizing individual resources. */
+  defaults?: {
+    bucket?: Partial<ConstructorParameters<typeof StorageBucket>[0]>;
+  };
 }
 
 /**
@@ -44,7 +47,7 @@ export interface GcsBucketResult {
  * });
  * ```
  */
-export function GcsBucket(props: GcsBucketProps): GcsBucketResult {
+export const GcsBucket = Composite<GcsBucketProps>((props) => {
   const {
     name,
     location = "US",
@@ -56,6 +59,7 @@ export function GcsBucket(props: GcsBucketProps): GcsBucketResult {
     lifecycleNearlineAfterDays,
     labels: extraLabels = {},
     namespace,
+    defaults: defs,
   } = props;
 
   const commonLabels: Record<string, string> = {
@@ -75,7 +79,7 @@ export function GcsBucket(props: GcsBucketProps): GcsBucketResult {
   }
 
   if (kmsKeyName) {
-    spec.encryption = { defaultKmsKeyName: kmsKeyName };
+    spec.encryption = { kmsKeyRef: { external: kmsKeyName } };
   }
 
   const lifecycleRules: Array<Record<string, unknown>> = [];
@@ -98,14 +102,14 @@ export function GcsBucket(props: GcsBucketProps): GcsBucketResult {
     spec.lifecycleRule = lifecycleRules;
   }
 
-  const bucket: Record<string, unknown> = {
+  const bucket = new StorageBucket(mergeDefaults({
     metadata: {
       name,
       ...(namespace && { namespace }),
       labels: { ...commonLabels, "app.kubernetes.io/component": "storage" },
     },
     ...spec,
-  };
+  } as Record<string, unknown>, defs?.bucket));
 
   return { bucket };
-}
+}, "GcsBucket");