Hi, Ken.
You won’t be able to usefully set DOMAIN and EMAIL as a function of first-launch from GCP, because at the moment the instance launches, you can’t yet have updated the domain records to point to the instance IP.
That said, the OpenEMR instance running on GCP is super-vanilla – there’s one tiny bit of run-once first time customization that runs when the instance is first launched ( openemr-devops/vm-rekey.sh at master · openemr/openemr-devops · GitHub resets the admin password to Google’s specs and the container SSL cert is wiped for regeneration). This means that you should have no issues with manipulating the docker-compose.yaml on your own terms and relaunching the container – or, if you intend to use vendor-supplied certs, simply injecting them and changing the Apache config to suit.
You may find your life would be easier yet if you chose to use the Lightsail script as your base directly – the primary reason I don’t find it HIPAA-eligible on AWS is the lack of encryption at rest, and Google doesn’t have that problem.