kovagoadi/hunfabric
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add new agent-gateway module (#3931)

Browse Source
This commit is contained in:
Luca Prete
2026-05-14 10:03:35 +02:00
committed by GitHub
parent 748684dd9c
commit 2c489cfd32
12 changed files with 616 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

120
modules/agent-gateway/README.md Normal file
View File

@@ -0,0 +1,120 @@
# Agent Gateway
The module facilitates the deployments of Agent Gateways.
<!-- BEGIN TOC -->
- [API](#api)
- [Minimal Gateway deployment](#minimal-gateway-deployment)
- [PSC-I: attach to an existing service attachment](#psc-i-attach-to-an-existing-service-attachment)
- [Connect to self-managed proxies](#connect-to-self-managed-proxies)
- [Context](#context)
- [Variables](#variables)
- [Outputs](#outputs)
<!-- END TOC -->
## API
In order to use this module you first need to enable the `networkservices.googleapis.com` API.
## Minimal Gateway deployment
In order to deploy a gateway, you need to specify a name, a region and the direction it needs to apply to.
```hcl
module "agent-gateway" {
source = "./fabric/modules/agent-gateway"
name = "my-gateway"
project_id = "my-project-id"
region = "europe-west1"
access_path = "CLIENT_TO_AGENT" # can be also: ingress, or egress (or AGENT_TO_ANYWHERE)
}
# tftest inventory=minimal.yaml
```
## PSC-I: attach to an existing service attachment
If it's a egress (or AGENT_TO_ANYWHERE) agent, you can attach with a PSC interface to an existing service attachment.
```hcl
module "agent-gateway" {
source = "./fabric/modules/agent-gateway"
name = "my-gateway"
project_id = "my-project-id"
region = "europe-west1"
access_path = "AGENT_TO_ANYWHERE"
networking_config = {
psc_i_network_attachment_id = "projects/my-project-id/regions/europe-west1/serviceAttachments/my-sa"
}
}
# tftest inventory=psc-i.yaml
```
## Connect to self-managed proxies
You can connect to compatible proxies you manage, by specifying the proxy uri.
```hcl
module "agent-gateway" {
source = "./fabric/modules/agent-gateway"
name = "my-gateway"
project_id = "my-project-id"
region = "europe-west1"
is_google_managed = false
proxy_uri = "my-proxy-uri"
}
# tftest inventory=proxy.yaml
```
## Context
The module supports the contexts interpolation. For example:
```hcl
module "agent-gateway" {
source = "./fabric/modules/agent-gateway"
name = "my-gateway"
project_id = "$project_ids:main"
region = "$locations:primary"
access_path = "AGENT_TO_ANYWHERE"
networking_config = {
psc_i_network_attachment_id = "$psc_network_attachments:my-sa"
}
context = {
locations = {
primary = "europe-west1"
}
project_ids = {
main = "my-prj-id"
}
psc_network_attachments = {
my-sa = "projects/my-project-id/regions/europe-west1/serviceAttachments/my-sa"
}
}
}
# tftest inventory=context.yaml
```
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [name](variables.tf#L77) | The name of the Agent Gateway. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L93) | The ID of the project where the data stores and the agents will be created. | <code>string</code> | ✓ | |
| [region](variables.tf#L126) | The region where the agent gateway is created. | <code>string</code> | ✓ | |
| [access_path](variables.tf#L17) | The direction the gateway applies to: ingress (CLIENT_TO_AGENT) or egress (AGENT_TO_ANYWHERE) (if var.is_google_managed = false). | <code>string</code> | | <code>null</code> |
| [context](variables.tf#L47) | Context-specific interpolations. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [description](variables.tf#L58) | The description of the Agent Gateway. | <code>string</code> | | <code>&#34;Terraform managed.&#34;</code> |
| [is_google_managed](variables.tf#L64) | Whether the Agent Gateway is Google or self-managed. | <code>bool</code> | | <code>true</code> |
| [labels](variables.tf#L71) | Labels to associate to the Agent Gateway. | <code>map&#40;string&#41;</code> | | <code>null</code> |
| [networking_config](variables.tf#L84) | The Agent Gateway networking configuration. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [protocols](variables.tf#L99) | The protocols managed by the Agent Gateway. | <code>list&#40;string&#41;</code> | | <code>&#91;&#34;MCP&#34;&#93;</code> |
| [proxy_uri](variables.tf#L111) | The uri of a compatible self-managed proxy (if var.is_google_managed = false). | <code>string</code> | | <code>null</code> |
| [registries](variables.tf#L132) | A list of Agent Registries containing the agents, MCP servers and tools governed by the Agent Gateway. Note: Currently limited to project-scoped registries Must be of format //agentregistry.googleapis.com/{version}/projects/{{project}}/locations/{{location}}. | <code>list&#40;string&#41;</code> | | <code>null</code> |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| [agent_gateway](outputs.tf#L17) | The Agent Gateway object. | |
| [id](outputs.tf#L22) | The Agent Gateway id. | |
<!-- END TFDOC -->

77
modules/agent-gateway/main.tf Normal file
View File

@@ -0,0 +1,77 @@
/**
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
locals {
_ctx_p = "$"
ctx = {
for k, v in var.context : k => {
for kk, vv in v : "${local._ctx_p}${k}:${kk}" => vv
} if k != "condition_vars"
}
location = lookup(
local.ctx.locations, var.region, var.region
)
network_attachment_id = try(lookup(
local.ctx.psc_network_attachments,
var.networking_config.psc_i_network_attachment_id,
var.networking_config.psc_i_network_attachment_id
), null)
project_id = lookup(
local.ctx.project_ids, var.project_id, var.project_id
)
}
resource "google_network_services_agent_gateway" "default" {
provider = google-beta
project = local.project_id
location = local.location
name = var.name
description = var.description
labels = var.labels
protocols = var.protocols
registries = var.registries
dynamic "google_managed" {
for_each = var.is_google_managed ? [""] : []
content {
governed_access_path = (
try(lower(var.access_path), "") == "ingress"
|| var.access_path == "CLIENT_TO_AGENT"
? "CLIENT_TO_AGENT"
: "AGENT_TO_ANYWHERE"
)
}
}
dynamic "network_config" {
for_each = local.network_attachment_id == null ? [] : [""]
content {
egress {
network_attachment = local.network_attachment_id
}
}
}
dynamic "self_managed" {
for_each = var.is_google_managed ? [] : [""]
content {
resource_uri = var.proxy_uri
}
}
}

25
modules/agent-gateway/outputs.tf Normal file
View File

@@ -0,0 +1,25 @@
/**
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "agent_gateway" {
description = "The Agent Gateway object."
value = google_network_services_agent_gateway.default
}
output "id" {
description = "The Agent Gateway id."
value = google_network_services_agent_gateway.default.id
}

23
modules/agent-gateway/providers.tf Normal file
View File

@@ -0,0 +1,23 @@
/**
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
provider "google" {
network_services_custom_endpoint = "https://networkservices.googleapis.com/v1alpha1/"
}
provider "google-beta" {
network_services_custom_endpoint = "https://networkservices.googleapis.com/v1alpha1/"
}

136
modules/agent-gateway/variables.tf Normal file
View File

@@ -0,0 +1,136 @@
/**
* Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "access_path" {
description = "The direction the gateway applies to: ingress (CLIENT_TO_AGENT) or egress (AGENT_TO_ANYWHERE) (if var.is_google_managed = false)."
type = string
default = null
validation {
condition = (
var.is_google_managed == true
&& var.access_path == null
? false : true
)
error_message = "You must specify var.access_path if var.is_google_managed = true."
}
validation {
condition = (
var.access_path != null
&& !(
lower(var.access_path) == "egress"
|| lower(var.access_path) == "ingress"
|| var.access_path == "CLIENT_TO_AGENT"
|| var.access_path == "AGENT_TO_ANYWHERE"
)
? false : true
)
error_message = "access_path can be one of the following: ingress (or CLIENT_TO_AGENT), egress (or AGENT_TO_ANYWHERE)."
}
}
variable "context" {
description = "Context-specific interpolations."
type = object({
locations = optional(map(string), {})
project_ids = optional(map(string), {})
psc_network_attachments = optional(map(string), {})
})
default = {}
nullable = false
}
variable "description" {
description = "The description of the Agent Gateway."
type = string
default = "Terraform managed."
}
variable "is_google_managed" {
description = "Whether the Agent Gateway is Google or self-managed."
type = bool
nullable = false
default = true
}
variable "labels" {
description = "Labels to associate to the Agent Gateway."
type = map(string)
default = null
}
variable "name" {
description = "The name of the Agent Gateway."
type = string
nullable = false
}
# Structured as object, as more arguments are coming soon
variable "networking_config" {
description = "The Agent Gateway networking configuration."
type = object({
psc_i_network_attachment_id = optional(string)
})
nullable = false
default = {}
}
variable "project_id" {
description = "The ID of the project where the data stores and the agents will be created."
type = string
nullable = false
}
variable "protocols" {
description = "The protocols managed by the Agent Gateway."
type = list(string)
nullable = false
default = ["MCP"]
validation {
condition = length(var.protocols) == 0 || (length(var.protocols) == 1 && var.protocols[0] == "MCP")
error_message = "var.protocols can be one of the following: [], [\"MCP\"]."
}
}
variable "proxy_uri" {
description = "The uri of a compatible self-managed proxy (if var.is_google_managed = false)."
type = string
default = null
validation {
condition = (
var.is_google_managed == false
&& var.proxy_uri == null
? false : true
)
error_message = "You must specify var.proxy_uri if var.is_google_managed = false."
}
}
variable "region" {
description = "The region where the agent gateway is created."
type = string
nullable = false
}
variable "registries" {
description = "A list of Agent Registries containing the agents, MCP servers and tools governed by the Agent Gateway. Note: Currently limited to project-scoped registries Must be of format //agentregistry.googleapis.com/{version}/projects/{{project}}/locations/{{location}}."
type = list(string)
default = null
}

35
modules/agent-gateway/versions.tf generated Normal file
View File

@@ -0,0 +1,35 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Fabric release: v55.4.0
terraform {
required_version = ">= 1.12.2"
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.29.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.29.0, < 8.0.0" # tftest
}
}
provider_meta "google" {
module_name = "google-pso-tool/cloud-foundation-fabric/modules/agent-gateway:v55.4.0-tf"
}
provider_meta "google-beta" {
module_name = "google-pso-tool/cloud-foundation-fabric/modules/agent-gateway:v55.4.0-tf"
}
}

35
modules/agent-gateway/versions.tofu generated Normal file
View File

@@ -0,0 +1,35 @@
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Fabric release: v55.4.0
terraform {
required_version = ">= 1.11.0"
required_providers {
google = {
source = "hashicorp/google"
version = ">= 7.29.0, < 8.0.0" # tftest
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 7.29.0, < 8.0.0" # tftest
}
}
provider_meta "google" {
module_name = "google-pso-tool/cloud-foundation-fabric/modules/agent-gateway:v55.4.0-tofu"
}
provider_meta "google-beta" {
module_name = "google-pso-tool/cloud-foundation-fabric/modules/agent-gateway:v55.4.0-tofu"
}
}