* module project-factory: include project in conditional_var context for org policies
* module project-factory: include project and folders in conditional_var context for org policies
- Move project org policies (explicit and factory) to projects-iam invocation.
- Move folder org policies (explicit and factory) to folder-X-iam invocations (levels 1-4).
- Inject folder_ids into projects-iam condition_vars and pass resolved folders.
- Update and regenerate test inventories (example.yaml, simple.yaml, hardened.yaml).
TAG=agy
CONV=e0f45850-ab01-4600-a2b6-4de62465c204
---------
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
* Draft terraform_naming_convention
* Two fast/stages fixes for terraform_naming_convention
* Disable terraform_naming_convention for resources for now
* module fixes for terraform_naming_convention
* tfdoc
* Remove "moved" from recipe and needs-fixing
* Fix moved for spoke_ra
* fix tests
* Use default (snake_case) for resources
* factory.terraform_data.project-preconditions
* First-pass migration of resources + tests
* Fix tests/modules/organization
* Require snake_case for variables; Add annotations for _testing
* permit _fast_debug variable
* Fix net_vpc_factory and net_vpc_firewall tests
* tfdoc addons and recipe
* Fix more tests
* Fix some net-global -> net_global tests
---------
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
* Add example "Remote Docker registry with credentials" for artifact-registry
* Add inventory
(cherry picked from commit 903c4c423c0264bf270f1da13245fa01e58163d9)
Add inventory
(cherry picked from commit fd439be6412c2ea281578ee49f61cb3399850521)
---------
Co-authored-by: Julio Castillo <jccb@google.com>
* Bump GH template action versions to avoid GHA Node 20 deprecation
Github Actions runners are deprecating Node 20 as Node 20 is EOL in April, 2026. More information: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
This bumps all the GHAs in the FAST stage 0 templates to use newer versions that do not depend on Node 20. This avoids the EOL and clears the deprecation warning in GHA when users run any GHA workflows generated in stage 0.
I just ran stage 0 with these bumps and it seems to work fine.
* Fix failing fast tests from old GHA version in yaml inventory file
---------
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
* Allow creation of dynamic tags
* Extend project factory and related modules to support dynamic values
* Extend folder and organization modules
* project and organization readme
* Simplify dynamic tag support and remove unnecessary restrictions
• Schemas & Validations: Removed the restriction that forbade combining IAM fields with allowed_values_regex on tags. Updated validations in project and organization modules, and
simplified all relevant JSON schemas.
• Module Tag Bindings: Simplified the tag_value assignment in folder , project , gcs , bigquery-dataset , and kms modules by removing the defensive can(regex(...)) check and
calling templatestring directly.
• Outputs: Removed the tags_dynamic output from project and organization modules, as the same information is now available in tag_keys .
• Project Factory: Updated tag_vars_projects in projects.tf to use the native namespaced_name attribute and filtered manually for dynamic tags.
* fix(organization, project): fix linting and tests for dynamic tag support
- Align allowed_values_regex and description extraction in _tags_merged
locals to use lookup() for consistency with other fields.
- Fix spacing in project context variable (alphabetical ordering).
- Update organization tags test to include the new cost_center tag key
with allowed_values_regex.
- Update project tags test to include the new cost_center tag key and
reflect the resolved allowed_values_regex on environment.
* refactor(gcs): refine tag bindings and fix context test
- Add _tag_bindings local to pre-resolve context references, enabling
templatestring to receive a direct map reference (required by Terraform).
- Use var.context.tag_vars instead of the non-existent local.ctx.tag_vars.
- Fix HCL syntax in context.tfvars (escaped inner quotes).
- Update context test inventory to reflect 3 tag bindings including a
dynamic value resolved via templatestring.
* refactor: align modules with tag binding context pattern
- Add _tag_bindings local + templatestring dance to cloud-run-v2,
compute-vm, folder, kms modules (bigquery-dataset already had it)
- Exclude tag_vars from local.ctx in cloud-run-v2, compute-vm, folder,
kms, project modules (bigquery-dataset already had it)
- Add tag_vars to context variable in cloud-run-v2, compute-vm modules
(others already had it)
- Update all context tests with dynamic tag binding values using
var.context.tag_vars
* docs: add module-level tftest.yaml test instructions to GEMINI.md
* docs: regenerate READMEs after tag-regex alignment
- Regenerate variable tables in 7 module READMEs to reflect
line number shifts from prior tag-regex changes
- Add tag_vars exclusion to gcs ctx local
- Fix whitespace alignment in iam-service-account and
project-factory tag_vars blocks
- Update tftest resource counts for organization and project
- Remove tags_dynamic from organization/project output tables
* fix(project-factory): update test inventory for tag_bindings module split
- Move tag binding address from folder-2 to folder-2-iam in test
inventory (tag_bindings moved from creation to IAM modules)
- Update module instance count from 34 to 35
- Regenerate README tables after terraform fmt line shifts
- Apply terraform fmt to variables.tf
* refactor(project-factory): remove unnecessary depends_on from folder-iam modules
Folder IAM modules depend on their own folder creation modules, not
on module.projects. The explicit depends_on was leftover from an
earlier design.
* FAST stages
* Address review comments.
- FAST Stages:
- Added tag_keys to output-files.tf in 0-org-setup to pass org tags via tfvars.
- Sorted tag_keys and tag_values in output-files.tf.
- Updated project-factory, networking, and security stages to use tag_keys.
- Filtered tag_keys for dynamic tags only.
- Modules:
- Excluded tag_vars from local.ctx in iam-service-account and organization.
- Simplified tag_value in iam-service-account.
- Tests:
- Updated test inventories for 0-org-setup and project-factory.
* Fix tf format
* Fix tfdoc
* docs: add ADR for templatestring vars convention and update status of base path ADR
* More tfdoc
* Update schemas
* Use endswith in context loop
* Address review
* Update FAST readmes
* Update last modules
* Terraform fmt
* Revert alloydb
* Fix whitespace
---------
Co-authored-by: Ludovico Magnocavallo <ludo@qix.it>
* add dns armor module
* add dns armor to pf
* added missing/optional attributes
* Update project schemas
* Set version file copyright year to 2025
* replace module with single resource
* moved into it's own file
* Added tests and defaulting enabled to false
* Add optional name parameter and updated schemas
* make dns_threat_detector.enabled optional in project schemas
---------
Co-authored-by: Luca Prete <preteluca@gmail.com>
* feat(fast): add attachment groups factory to 2-networking
Adds support for `google_compute_interconnect_attachment_group` in the `2-networking` stage.
By implementing this at the factory level alongside `vlan-attachments`, users can now declaratively aggregate VLAN attachments across multiple VPCs and natively reference them using the `$attachment_groups:<key>` context identifier in their configuration YAMLs.
Includes:
- Factory implementation in `factory-vlan-attachments.tf`.
- New JSON schemas for `attachment-groups` and updates to `vlan-attachments` to support context linkage.
- Test coverage with new inventory generations.
Fixes#3791
* feat(agent-engine): add support for container and custom image specs
- Add container_config to deployment_files.
- Add image_spec with build_args to source_config.
- Make agent_framework optional and document supported values.
- Implement dynamic specs for container and source deployments.
- Add examples and automated tests for new deployment types.
* chore: update Google provider version to 7.28.0 across modules
Mechanical update of versions.tf and versions.tofu files using tools/versions.py.
* feat(agent-engine): refactor for container deployments and API alignment
- Group deployment settings under 'deployment_config' (renamed from 'deployment_files').
- Support container-based deployments via 'container_config' and 'image_spec'.
- Refactor 'source_files_config' (renamed from 'source_config') to include mutually exclusive 'python_spec' and 'image_spec'.
- Support 'developer_connect_config' as a source code type.
- Group engine settings (framework, env, secrets) under 'agent_engine_config'.
- Add support for 'memory_bank_config' persistent memory.
- Overhaul reasoning engine resources with dynamic blocks to match provider schema.
- Update all documentation examples, add TOC, and refresh test inventories.
* Update dynamic python_spec block and related example yamls
* Ignore changes setting for developer_connect_source under lifecycle management
* fixing review comments for `try` and default path for `source_path`
---------
Co-authored-by: Hemanand <hemr@google.com>
Co-authored-by: Julio Castillo <jccb@google.com>
* chore(fast): update boilerplate in 2-networking yaml files
* chore(fast): replace stackdriver.googleapis.com with logging and monitoring services
* fix(net-vpc-factory): correct description for secondary subnet example
