kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add new agent-gateway module (#3931)

Browse Source
This commit is contained in:
Luca Prete
2026-05-14 10:03:35 +02:00
committed by GitHub
parent 748684dd9c
commit 2c489cfd32
12 changed files with 616 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -33,7 +33,7 @@ Currently available modules:
- **networking** - [DNS](./modules/dns), [DNS Response Policy](./modules/dns-response-policy/), [Cloud Endpoints](./modules/endpoints), [address reservation](./modules/net-address), [NAT](./modules/net-cloudnat), [VLAN Attachment](./modules/net-vlan-attachment/), [External Application LB](./modules/net-lb-app-ext/), [External Passthrough Network LB](./modules/net-lb-ext), [External Regional Application Load Balancer](./modules/net-lb-app-ext-regional/), [Firewall policy](./modules/net-firewall-policy), [Internal Application LB](./modules/net-lb-app-int), [Cross-region Internal Application LB](./modules/net-lb-app-int-cross-region), [Internal Passthrough Network LB](./modules/net-lb-int), [Internal Proxy Network LB](./modules/net-lb-proxy-int), [IPSec over Interconnect](./modules/net-ipsec-over-interconnect), [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC peering](./modules/net-vpc-peering), [VPN dynamic](./modules/net-vpn-dynamic), [HA VPN](./modules/net-vpn-ha), [VPN static](./modules/net-vpn-static), [Service Directory](./modules/service-directory), [Secure Web Proxy](./modules/net-swp)
- **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [COS container](./modules/cloud-config-container/cos-generic-metadata/) (coredns, mysql, onprem, squid), [GKE cluster](./modules/gke-cluster-standard), [GKE hub](./modules/gke-hub), [GKE nodepool](./modules/gke-nodepool), [GCVE private cloud](./modules/gcve-private-cloud)
- **data** - [AlloyDB instance](./modules/alloydb), [Analytics Hub](./modules/analytics-hub), [BigQuery connection](./modules/bigquery-connection), [BigQuery dataset](./modules/bigquery-dataset), [Biglake Catalog](./modules/biglake-catalog), [Bigtable instance](./modules/bigtable-instance), [Dataplex](./modules/dataplex), [Dataplex Aspect Types](./modules/dataplex-aspect-types/), [Dataplex DataScan](./modules/dataplex-datascan), [Cloud SQL instance](./modules/cloudsql-instance), [Spanner instance](./modules/spanner-instance), [Firestore](./modules/firestore), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag), [Data Catalog Tag](./modules/data-catalog-tag), [Data Catalog Tag Template](./modules/data-catalog-tag-template), [Datafusion](./modules/datafusion), [Dataproc](./modules/dataproc), [GCS](./modules/gcs), [Pub/Sub](./modules/pubsub), [Dataform Repository](./modules/dataform-repository/), [Looker Core](./modules/looker-core)
- **AI** - [AI Applications](./modules/ai-applications/README.md)
- **AI** - [AI Applications](./modules/ai-applications/README.md), [Agent Engine](./modules/agent-engine/README.md), [Agent Gateway](./modules/agent-gateway/README.md)
- **development** - [API Gateway](./modules/api-gateway), [Apigee](./modules/apigee), [Artifact Registry](./modules/artifact-registry), [Cloud Build V2 Connection](./modules/cloud-build-v2-connection), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository), [Cloud Deploy](./modules/cloud-deploy), [Secure Source Manager instance](./modules/secure-source-manager-instance), [Workstation cluster](./modules/workstation-cluster)
- **security** - [Binauthz](./modules/binauthz/), [Certificate Authority Service (CAS)](./modules/certificate-authority-service), [KMS](./modules/kms), [SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc), [Certificate Manager](./modules/certificate-manager/)
- **serverless** - [Cloud Function v1](./modules/cloud-function-v1), [Cloud Function v2](./modules/cloud-function-v2), [Cloud Run v2](./modules/cloud-run-v2)

120
modules/agent-gateway/README.md Normal file
View File

@@ -0,0 +1,120 @@
# Agent Gateway
The module facilitates the deployments of Agent Gateways.
<!-- BEGIN TOC -->
- [API](#api)
- [Minimal Gateway deployment](#minimal-gateway-deployment)
- [PSC-I: attach to an existing service attachment](#psc-i-attach-to-an-existing-service-attachment)
- [Connect to self-managed proxies](#connect-to-self-managed-proxies)
- [Context](#context)
- [Variables](#variables)
- [Outputs](#outputs)
<!-- END TOC -->
## API
In order to use this module you first need to enable the `networkservices.googleapis.com` API.
## Minimal Gateway deployment
In order to deploy a gateway, you need to specify a name, a region and the direction it needs to apply to.
```hcl
module "agent-gateway" {
source = "./fabric/modules/agent-gateway"
name = "my-gateway"
project_id = "my-project-id"
region = "europe-west1"
access_path = "CLIENT_TO_AGENT" # can be also: ingress, or egress (or AGENT_TO_ANYWHERE)
}
# tftest inventory=minimal.yaml
```
## PSC-I: attach to an existing service attachment
If it's a egress (or AGENT_TO_ANYWHERE) agent, you can attach with a PSC interface to an existing service attachment.
```hcl
module "agent-gateway" {
source = "./fabric/modules/agent-gateway"
name = "my-gateway"
project_id = "my-project-id"
region = "europe-west1"
access_path = "AGENT_TO_ANYWHERE"
networking_config = {
psc_i_network_attachment_id = "projects/my-project-id/regions/europe-west1/serviceAttachments/my-sa"
}
}
# tftest inventory=psc-i.yaml
```
## Connect to self-managed proxies
You can connect to compatible proxies you manage, by specifying the proxy uri.
```hcl
module "agent-gateway" {
source = "./fabric/modules/agent-gateway"
name = "my-gateway"
project_id = "my-project-id"
region = "europe-west1"
is_google_managed = false
proxy_uri = "my-proxy-uri"
}
# tftest inventory=proxy.yaml
```
## Context
The module supports the contexts interpolation. For example:
```hcl
module "agent-gateway" {
source = "./fabric/modules/agent-gateway"
name = "my-gateway"
project_id = "$project_ids:main"
region = "$locations:primary"
access_path = "AGENT_TO_ANYWHERE"
networking_config = {
psc_i_network_attachment_id = "$psc_network_attachments:my-sa"
}
context = {
locations = {
primary = "europe-west1"
}
project_ids = {
main = "my-prj-id"
}
psc_network_attachments = {
my-sa = "projects/my-project-id/regions/europe-west1/serviceAttachments/my-sa"
}
}
}
# tftest inventory=context.yaml
```
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [name](variables.tf#L77) | The name of the Agent Gateway. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L93) | The ID of the project where the data stores and the agents will be created. | <code>string</code> | ✓ | |
| [region](variables.tf#L126) | The region where the agent gateway is created. | <code>string</code> | ✓ | |
| [access_path](variables.tf#L17) | The direction the gateway applies to: ingress (CLIENT_TO_AGENT) or egress (AGENT_TO_ANYWHERE) (if var.is_google_managed = false). | <code>string</code> | | <code>null</code> |
| [context](variables.tf#L47) | Context-specific interpolations. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [description](variables.tf#L58) | The description of the Agent Gateway. | <code>string</code> | | <code>&#34;Terraform managed.&#34;</code> |
| [is_google_managed](variables.tf#L64) | Whether the Agent Gateway is Google or self-managed. | <code>bool</code> | | <code>true</code> |
| [labels](variables.tf#L71) | Labels to associate to the Agent Gateway. | <code>map&#40;string&#41;</code> | | <code>null</code> |
| [networking_config](variables.tf#L84) | The Agent Gateway networking configuration. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [protocols](variables.tf#L99) | The protocols managed by the Agent Gateway. | <code>list&#40;string&#41;</code> | | <code>&#91;&#34;MCP&#34;&#93;</code> |
| [proxy_uri](variables.tf#L111) | The uri of a compatible self-managed proxy (if var.is_google_managed = false). | <code>string</code> | | <code>null</code> |
| [registries](variables.tf#L132) | A list of Agent Registries containing the agents, MCP servers and tools governed by the Agent Gateway. Note: Currently limited to project-scoped registries Must be of format //agentregistry.googleapis.com/{version}/projects/{{project}}/locations/{{location}}. | <code>list&#40;string&#41;</code> | | <code>null</code> |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| [agent_gateway](outputs.tf#L17) | The Agent Gateway object. | |
| [id](outputs.tf#L22) | The Agent Gateway id. | |
<!-- END TFDOC -->

77
modules/agent-gateway/main.tf Normal file
View File

@@ -0,0 +1,77 @@
/**
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
locals {
_ctx_p = "$"
ctx = {
for k, v in var.context : k => {
for kk, vv in v : "${local._ctx_p}${k}:${kk}" => vv
} if k != "condition_vars"
}
location = lookup(
local.ctx.locations, var.region, var.region
)
network_attachment_id = try(lookup(
local.ctx.psc_network_attachments,
var.networking_config.psc_i_network_attachment_id,
var.networking_config.psc_i_network_attachment_id
), null)
project_id = lookup(
local.ctx.project_ids, var.project_id, var.project_id
)
}
resource "google_network_services_agent_gateway" "default" {
provider = google-beta
project = local.project_id
location = local.location
name = var.name
description = var.description
labels = var.labels
protocols = var.protocols
registries = var.registries
dynamic "google_managed" {
for_each = var.is_google_managed ? [""] : []
content {
governed_access_path = (
try(lower(var.access_path), "") == "ingress"
|| var.access_path == "CLIENT_TO_AGENT"
? "CLIENT_TO_AGENT"
: "AGENT_TO_ANYWHERE"
)
}
}
dynamic "network_config" {
for_each = local.network_attachment_id == null ? [] : [""]
content {
egress {
network_attachment = local.network_attachment_id
}
}
}
dynamic "self_managed" {
for_each = var.is_google_managed ? [] : [""]
content {
resource_uri = var.proxy_uri
}
}
}

25
modules/agent-gateway/outputs.tf Normal file
View File

@@ -0,0 +1,25 @@
/**
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "agent_gateway" {
description = "The Agent Gateway object."
value = google_network_services_agent_gateway.default
}
output "id" {
description = "The Agent Gateway id."
value = google_network_services_agent_gateway.default.id
}

23
modules/agent-gateway/providers.tf Normal file
View File

@@ -0,0 +1,23 @@
/**
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
provider "google" {
network_services_custom_endpoint = "https://networkservices.googleapis.com/v1alpha1/"
}
provider "google-beta" {
network_services_custom_endpoint = "https://networkservices.googleapis.com/v1alpha1/"
}

136
modules/agent-gateway/variables.tf Normal file
View File

@@ -0,0 +1,136 @@
/**
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "access_path" {
description = "The direction the gateway applies to: ingress (CLIENT_TO_AGENT) or egress (AGENT_TO_ANYWHERE) (if var.is_google_managed = false)."
type = string
default = null
validation {
condition = (
var.is_google_managed == true
&& var.access_path == null
? false : true
)
error_message = "You must specify var.access_path if var.is_google_managed = true."
}
validation {
condition = (
var.access_path != null
&& !(
lower(var.access_path) == "egress"
|| lower(var.access_path) == "ingress"
|| var.access_path == "CLIENT_TO_AGENT"
|| var.access_path == "AGENT_TO_ANYWHERE"
)
? false : true
)
error_message = "access_path can be one of the following: ingress (or CLIENT_TO_AGENT), egress (or AGENT_TO_ANYWHERE)."
}
}
variable "context" {
description = "Context-specific interpolations."
type = object({
locations = optional(map(string), {})
project_ids = optional(map(string), {})
psc_network_attachments = optional(map(string), {})
})
default = {}
nullable = false
}
variable "description" {
description = "The description of the Agent Gateway."
type = string
default = "Terraform managed."
}
variable "is_google_managed" {
description = "Whether the Agent Gateway is Google or self-managed."
type = bool
nullable = false
default = true
}
variable "labels" {
description = "Labels to associate to the Agent Gateway."
type = map(string)
default = null
}
variable "name" {
description = "The name of the Agent Gateway."
type = string
nullable = false
}
# Structured as object, as more arguments are coming soon
variable "networking_config" {
description = "The Agent Gateway networking configuration."
type = object({
psc_i_network_attachment_id = optional(string)
})
nullable = false
default = {}
}
variable "project_id" {
description = "The ID of the project where the data stores and the agents will be created."
type = string
nullable = false
}
variable "protocols" {
description = "The protocols managed by the Agent Gateway."
type = list(string)
nullable = false
default = ["MCP"]
validation {
condition = length(var.protocols) == 0 || (length(var.protocols) == 1 && var.protocols[0] == "MCP")
error_message = "var.protocols can be one of the following: [], [\"MCP\"]."
}
}
variable "proxy_uri" {
description = "The uri of a compatible self-managed proxy (if var.is_google_managed = false)."
type = string
default = null
validation {
condition = (
var.is_google_managed == false
&& var.proxy_uri == null
? false : true
)
error_message = "You must specify var.proxy_uri if var.is_google_managed = false."
}
}
variable "region" {
description = "The region where the agent gateway is created."
type = string
nullable = false
}
variable "registries" {
description = "A list of Agent Registries containing the agents, MCP servers and tools governed by the Agent Gateway. Note: Currently limited to project-scoped registries Must be of format //agentregistry.googleapis.com/{version}/projects/{{project}}/locations/{{location}}."
type = list(string)
default = null
}

35
modules/agent-gateway/versions.tf generated Normal file
View File

@@ -0,0 +1,35 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Fabric release: v55.4.0
terraform {
required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.29.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.29.0, < 8.0.0" # tftest
}
}
provider_meta "google" {
module_name = "google-pso-tool/cloud-foundation-fabric/modules/agent-gateway:v55.4.0-tf"
}
provider_meta "google-beta" {
module_name = "google-pso-tool/cloud-foundation-fabric/modules/agent-gateway:v55.4.0-tf"
}
}

35
modules/agent-gateway/versions.tofu generated Normal file
View File

@@ -0,0 +1,35 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Fabric release: v55.4.0
terraform {
required_version = ">= 1.11.0"
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.29.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.29.0, < 8.0.0" # tftest
}
}
provider_meta "google" {
module_name = "google-pso-tool/cloud-foundation-fabric/modules/agent-gateway:v55.4.0-tofu"
}
provider_meta "google-beta" {
module_name = "google-pso-tool/cloud-foundation-fabric/modules/agent-gateway:v55.4.0-tofu"
}
}

42
tests/modules/agent_gateway/examples/context.yaml Normal file
View File

@@ -0,0 +1,42 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.agent-gateway.google_network_services_agent_gateway.default:
description: Terraform managed.
effective_labels:
goog-terraform-provisioned: 'true'
google_managed:
- governed_access_path: AGENT_TO_ANYWHERE
labels: null
location: europe-west1
name: my-gateway
network_config:
- egress:
- network_attachment: projects/my-project-id/regions/europe-west1/serviceAttachments/my-sa
project: my-prj-id
protocols:
- MCP
registries: null
self_managed: []
terraform_labels:
goog-terraform-provisioned: 'true'
timeouts: null
counts:
google_network_services_agent_gateway: 1
modules: 1
resources: 1
outputs: {}

40
tests/modules/agent_gateway/examples/minimal.yaml Normal file
View File

@@ -0,0 +1,40 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.agent-gateway.google_network_services_agent_gateway.default:
description: Terraform managed.
effective_labels:
goog-terraform-provisioned: 'true'
google_managed:
- governed_access_path: CLIENT_TO_AGENT
labels: null
location: europe-west1
name: my-gateway
network_config: []
project: my-project-id
protocols:
- MCP
registries: null
self_managed: []
terraform_labels:
goog-terraform-provisioned: 'true'
timeouts: null
counts:
google_network_services_agent_gateway: 1
modules: 1
resources: 1
outputs: {}

40
tests/modules/agent_gateway/examples/proxy.yaml Normal file
View File

@@ -0,0 +1,40 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.agent-gateway.google_network_services_agent_gateway.default:
description: Terraform managed.
effective_labels:
goog-terraform-provisioned: 'true'
google_managed: []
labels: null
location: europe-west1
name: my-gateway
network_config: []
project: my-project-id
protocols:
- MCP
registries: null
self_managed:
- resource_uri: my-proxy-uri
terraform_labels:
goog-terraform-provisioned: 'true'
timeouts: null
counts:
google_network_services_agent_gateway: 1
modules: 1
resources: 1
outputs: {}

42
tests/modules/agent_gateway/examples/psc-i.yaml Normal file
View File

@@ -0,0 +1,42 @@
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
values:
module.agent-gateway.google_network_services_agent_gateway.default:
description: Terraform managed.
effective_labels:
goog-terraform-provisioned: 'true'
google_managed:
- governed_access_path: AGENT_TO_ANYWHERE
labels: null
location: europe-west1
name: my-gateway
network_config:
- egress:
- network_attachment: projects/my-project-id/regions/europe-west1/serviceAttachments/my-sa
project: my-project-id
protocols:
- MCP
registries: null
self_managed: []
terraform_labels:
goog-terraform-provisioned: 'true'
timeouts: null
counts:
google_network_services_agent_gateway: 1
modules: 1
resources: 1
outputs: {}