Add example "Remote Docker registry with credentials" for artifact-registry (#3887)

* Add example "Remote Docker registry with credentials" for artifact-registry

* Add inventory

(cherry picked from commit 903c4c423c0264bf270f1da13245fa01e58163d9)

Add inventory

(cherry picked from commit fd439be6412c2ea281578ee49f61cb3399850521)

---------

Co-authored-by: Julio Castillo <jccb@google.com>

modules/artifact-registry/README.md

@@ -97,6 +97,60 @@ module "registry-virtual" {
 # tftest modules=3 resources=3 inventory=remote-virtual.yaml
 ```
 
+## Remote Docker registry with credentials
+
+```hcl
+
+module "project" {
+  source          = "./fabric/modules/project"
+  name            = "ar"
+  billing_account = var.billing_account_id
+  prefix          = var.prefix
+  parent          = var.folder_id
+  services = [
+    "artifactregistry.googleapis.com",
+  ]
+}
+
+module "registry-mirror" {
+  source     = "./fabric/modules/artifact-registry"
+  project_id = module.project.id
+  location   = "europe-west1"
+  name       = "mirror"
+  format = {
+    docker = {
+      remote = {
+        custom_repository = "https://example.com"
+        upstream_credentials = {
+          username                = "myuser"
+          password_secret_version = "${module.secret-manager.ids["example-com-password"]}/versions/latest"
+        }
+      }
+    }
+  }
+}
+
+
+module "secret-manager" {
+  source     = "./fabric/modules/secret-manager"
+  project_id = module.project.id
+  secrets = {
+    example-com-password = {
+      global_replica_locations = {
+        europe-west1 = null
+      }
+      iam = {
+        "roles/secretmanager.secretAccessor" = [
+          module.project.service_agents["artifactregistry"].iam_email
+        ]
+      }
+    }
+  }
+}
+
+# tftest modules=3 resources=3 inventory=remote-credentials.yaml
+```
+
 ## Additional Docker and Maven Options
 
 ```hcl

tests/modules/artifact_registry/examples/remote-credentials.yaml

@@ -0,0 +1,120 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.project.google_project.project[0]:
+    auto_create_network: false
+    billing_account: 123456-123456-123456
+    deletion_policy: DELETE
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    folder_id: '1122334455'
+    labels: null
+    name: test-ar
+    org_id: null
+    project_id: test-ar
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+  module.project.google_project_iam_member.service_agents["artifactregistry"]:
+    condition: []
+    project: test-ar
+    role: roles/artifactregistry.serviceAgent
+  module.project.google_project_service.project_services["artifactregistry.googleapis.com"]:
+    disable_dependent_services: false
+    disable_on_destroy: false
+    project: test-ar
+    service: artifactregistry.googleapis.com
+    timeouts: null
+  module.project.google_project_service_identity.default["artifactregistry.googleapis.com"]:
+    project: test-ar
+    service: artifactregistry.googleapis.com
+    timeouts: null
+  module.registry-mirror.google_artifact_registry_repository.registry:
+    cleanup_policies: []
+    cleanup_policy_dry_run: null
+    description: Terraform-managed registry
+    docker_config: []
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    format: DOCKER
+    kms_key_name: null
+    labels: null
+    location: europe-west1
+    maven_config: []
+    mode: REMOTE_REPOSITORY
+    project: test-ar
+    remote_repository_config:
+    - apt_repository: []
+      common_repository: []
+      description: null
+      disable_upstream_validation: null
+      docker_repository:
+      - custom_repository:
+        - uri: https://example.com
+        public_repository: null
+      maven_repository: []
+      npm_repository: []
+      python_repository: []
+      upstream_credentials:
+      - username_password_credentials:
+        - username: myuser
+      yum_repository: []
+    repository_id: mirror
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+    virtual_repository_config: []
+    vulnerability_scanning_config:
+    - enablement_config: null
+  module.secret-manager.google_secret_manager_secret.default["example-com-password"]:
+    annotations: null
+    deletion_protection: false
+    effective_labels:
+      goog-terraform-provisioned: 'true'
+    labels: null
+    project: test-ar
+    replication:
+    - auto: []
+      user_managed:
+      - replicas:
+        - customer_managed_encryption: []
+          location: europe-west1
+    rotation: []
+    secret_id: example-com-password
+    tags: null
+    terraform_labels:
+      goog-terraform-provisioned: 'true'
+    timeouts: null
+    topics: []
+    ttl: null
+    version_aliases: null
+    version_destroy_ttl: null
+  ? module.secret-manager.google_secret_manager_secret_iam_binding.authoritative["example-com-password.roles/secretmanager.secretAccessor"]
+  : condition: []
+    role: roles/secretmanager.secretAccessor
+
+counts:
+  google_artifact_registry_repository: 1
+  google_project: 1
+  google_project_iam_member: 1
+  google_project_service: 1
+  google_project_service_identity: 1
+  google_secret_manager_secret: 1
+  google_secret_manager_secret_iam_binding: 1
+  modules: 3
+  resources: 7
+
+outputs: {}