Files

Hemanand eaa420534b Add agent engine BYOC support (#3885 )

* feat(agent-engine): add support for container and custom image specs

- Add container_config to deployment_files.
- Add image_spec with build_args to source_config.
- Make agent_framework optional and document supported values.
- Implement dynamic specs for container and source deployments.
- Add examples and automated tests for new deployment types.

* chore: update Google provider version to 7.28.0 across modules

Mechanical update of versions.tf and versions.tofu files using tools/versions.py.

* feat(agent-engine): refactor for container deployments and API alignment

- Group deployment settings under 'deployment_config' (renamed from 'deployment_files').
- Support container-based deployments via 'container_config' and 'image_spec'.
- Refactor 'source_files_config' (renamed from 'source_config') to include mutually exclusive 'python_spec' and 'image_spec'.
- Support 'developer_connect_config' as a source code type.
- Group engine settings (framework, env, secrets) under 'agent_engine_config'.
- Add support for 'memory_bank_config' persistent memory.
- Overhaul reasoning engine resources with dynamic blocks to match provider schema.
- Update all documentation examples, add TOC, and refresh test inventories.

* Update dynamic python_spec block and related example yamls

* Ignore changes setting for developer_connect_source under lifecycle management

* fixing review comments for `try` and default path for `source_path`

---------

Co-authored-by: Hemanand <hemr@google.com>
Co-authored-by: Julio Castillo <jccb@google.com>

2026-04-21 17:46:20 +00:00

iam.tf

[secure-source-manager-instance] Allow provisioning of instances with managed certificates (#3310 )

2025-09-08 15:53:46 +00:00

main.tf

fix(secure-source-manager-instance): when importing a repo do not force default_branch (#3812 )

2026-03-26 14:13:33 +01:00

outputs.tf

[secure-source-manager-instance] Allow provisioning of instances with managed certificates (#3310 )

2025-09-08 15:53:46 +00:00

README.md

Fix pre-commit hook (#3882 )

2026-04-18 10:07:14 +02:00

variables-iam.tf

[secure-source-manager-instance] Allow provisioning of instances with managed certificates (#3310 )

2025-09-08 15:53:46 +00:00

variables.tf

Make SSM gitignores a list (#3413 )

2025-10-15 11:35:44 +02:00

versions.tf

Add agent engine BYOC support (#3885 )

2026-04-21 17:46:20 +00:00

versions.tofu

Add agent engine BYOC support (#3885 )

2026-04-21 17:46:20 +00:00

README.md

Secure Source Manager

This module allows to create a Secure Source Manager instance and repositories in it. Additionally it allows creating instance IAM bindings and repository IAM bindings.

Public instance

module "ssm_instance" {
  source      = "./fabric/modules/secure-source-manager-instance"
  project_id  = var.project_id
  instance_id = "my-instance"
  location    = var.region
  repositories = {
    my-repository = {
      location = var.region
    }
  }
}
# tftest modules=1 resources=2 inventory=public-instance.yaml

Public instance with CMEK

module "ssm_instance" {
  source      = "./fabric/modules/secure-source-manager-instance"
  project_id  = var.project_id
  instance_id = "my-instance"
  location    = var.region
  kms_key     = "projects/another-project-id/locations/${var.region}/keyRings/my-key-ring/cryptoKeys/my-key"
  repositories = {
    my-repository = {}
  }
}
# tftest modules=1 resources=2 inventory=public-instance-with-cmek.yaml

Private instance

module "ssm_instance" {
  source      = "./fabric/modules/secure-source-manager-instance"
  project_id  = var.project_id
  instance_id = "my-instance"
  location    = var.region
  private_configs = {
    is_private = true
  }
  repositories = {
    my-repository = {}
  }
}
# tftest modules=1 resources=2 inventory=private-instance.yaml

You can optionally specify a Certificate Authority (CAS) pool and use your own certificate.

module "ssm_instance" {
  source      = "./fabric/modules/secure-source-manager-instance"
  project_id  = var.project_id
  instance_id = "my-instance"
  location    = var.region
  private_configs = {
    is_private = true
    ca_pool_id = "projects/another-project/locations/${var.region}/caPools/my-ca-pool"
  }
  repositories = {
    my-repository = {}
  }
}
# tftest modules=1 resources=2 inventory=private-instance-ca-pool.yaml

IAM

module "ssm_instance" {
  source      = "./fabric/modules/secure-source-manager-instance"
  project_id  = var.project_id
  instance_id = "my-instance"
  location    = var.region
  iam = {
    "roles/securesourcemanager.instanceOwner" = [
      "group:my-instance-admins@myorg.com"
    ]
  }
  repositories = {
    my-repository = {
      iam = {
        "roles/securesourcemanager.repoAdmin" = [
          "group:my-repo-admins@myorg.com"
        ]
      }
    }
  }
}
# tftest modules=1 resources=4 inventory=iam.yaml


module "ssm_instance" {
  source      = "./fabric/modules/secure-source-manager-instance"
  project_id  = var.project_id
  instance_id = "my-instance"
  location    = var.region
  iam_bindings_additive = {
    my-instance-admin = {
      role   = "roles/securesourcemanager.instanceOwner"
      member = "group:my-instance-admins@myorg.com"
    }
  }
  repositories = {
    my-repository = {
      iam_bindings_additive = {
        my-repository-admin = {
          role   = "roles/securesourcemanager.repoAdmin"
          member = "group:my-repo-admins@myorg.com"
        }
      }
    }
  }
}
# tftest modules=1 resources=4 inventory=iam-bindings.yaml

module "ssm_instance" {
  source      = "./fabric/modules/secure-source-manager-instance"
  project_id  = var.project_id
  instance_id = "my-instance"
  location    = var.region
  iam_bindings = {
    my-instance-admin = {
      role = "roles/securesourcemanager.instanceOwner"
      members = [
        "group:my-instance-admins@myorg.com"
      ]
    }
  }
  repositories = {
    my-repository = {
      iam_bindings = {
        my-repository-admin = {
          role = "roles/securesourcemanager.repoAdmin"
          members = [
            "group:my-repo-admins@myorg.com"
          ]
        }
      }
    }
  }
}
# tftest modules=1 resources=4 inventory=iam-bindings-additive.yaml

Branch Protection Rules

module "ssm_instance" {
  source      = "./fabric/modules/secure-source-manager-instance"
  project_id  = var.project_id
  instance_id = "my-instance"
  location    = var.region
  repositories = {
    my-repository = {
      branch_rules = {
        rule1 = {
          disabled                  = false
          include_pattern           = "main"
          require_pull_request      = true
          minimum_approvals_count   = 1
          minimum_reviews_count     = 1
          require_comments_resolved = true
          allow_stale_reviews       = false
          require_linear_history    = true
        }
      }
    }
  }
}
# tftest modules=1 resources=3 inventory=branch-protection-rules.yaml

Initial Configuration

module "ssm_instance" {
  source      = "./fabric/modules/secure-source-manager-instance"
  project_id  = var.project_id
  instance_id = "my-instance"
  location    = var.region
  repositories = {
    my-repository = {
      initial_config = {
        default_branch = "main"
        gitignores     = ["terraform.tfstate"]
      }
    }
  }
}
# tftest inventory=initial-config.yaml

Variables

name	description	type	required	default
instance_id	Instance ID.	`string`	✓
location	Location.	`string`	✓
project_id	Project ID.	`string`	✓
repositories	Repositories.	`map(object({…}))`	✓
iam	IAM bindings.	`map(list(string))`		`{}`
iam_bindings	IAM bindings.	`map(object({…}))`		`{}`
iam_bindings_additive	IAM bindings.	`map(object({…}))`		`{}`
instance_create	Create SSM Instance. When set to false, uses instance_id to reference existing SSM instance.	`bool`		`true`
kms_key	KMS key.	`string`		`null`
labels	Instance labels.	`map(string)`		`null`
private_configs	The configurations for SSM private instances.	`object({…})`		`{}`

Outputs

name	description	sensitive
instance	Instance.
instance_id	Instance id.
repositories	Repositories.
repository_ids	Repository ids.