eaa420534b
* feat(agent-engine): add support for container and custom image specs - Add container_config to deployment_files. - Add image_spec with build_args to source_config. - Make agent_framework optional and document supported values. - Implement dynamic specs for container and source deployments. - Add examples and automated tests for new deployment types. * chore: update Google provider version to 7.28.0 across modules Mechanical update of versions.tf and versions.tofu files using tools/versions.py. * feat(agent-engine): refactor for container deployments and API alignment - Group deployment settings under 'deployment_config' (renamed from 'deployment_files'). - Support container-based deployments via 'container_config' and 'image_spec'. - Refactor 'source_files_config' (renamed from 'source_config') to include mutually exclusive 'python_spec' and 'image_spec'. - Support 'developer_connect_config' as a source code type. - Group engine settings (framework, env, secrets) under 'agent_engine_config'. - Add support for 'memory_bank_config' persistent memory. - Overhaul reasoning engine resources with dynamic blocks to match provider schema. - Update all documentation examples, add TOC, and refresh test inventories. * Update dynamic python_spec block and related example yamls * Ignore changes setting for developer_connect_source under lifecycle management * fixing review comments for `try` and default path for `source_path` --------- Co-authored-by: Hemanand <hemr@google.com> Co-authored-by: Julio Castillo <jccb@google.com>
Google KMS Module
This module allows creating and managing KMS crypto keys and IAM bindings at both the keyring and crypto key level. An existing keyring can be used, or a new one can be created and managed by the module if needed.
When using an existing keyring be mindful about applying IAM bindings, as all bindings used by this module are authoritative, and you might inadvertently override bindings managed by the keyring creator.
Protecting against destroy
In this module no lifecycle blocks are set on resources to prevent destroy, in order to allow for experimentation and testing where rapid apply/destroy cycles are needed. If you plan on using this module to manage non-development resources, clone it and uncomment the lifecycle blocks found in main.tf.
Examples
Keyring creation and crypto key rotation and IAM roles
module "kms" {
source = "./fabric/modules/kms"
project_id = var.project_id
keyring = {
location = var.region
name = "${var.prefix}-test"
}
keys = {
key-a = {
iam = {
"roles/cloudkms.admin" = ["group:${var.group_email}"]
}
iam_bindings = {
agent = {
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [var.service_account.iam_email]
}
}
}
key-b = {
rotation_period = "604800s"
iam_bindings = {
# reusing the same binding name across different keys is supported
agent = {
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
members = [var.service_account.iam_email]
}
}
iam_bindings_additive = {
key-b-iam1 = {
key = "key-b"
member = "group:${var.group_email}"
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
}
}
}
key-c = {
labels = {
env = "test"
}
}
}
}
# tftest modules=1 resources=8 inventory=basic.yaml e2e
Using an existing keyring
module "kms" {
source = "./fabric/modules/kms"
project_id = var.project_id
iam = {
"roles/cloudkms.admin" = ["group:${var.group_email}"]
}
keyring = { location = var.region, name = var.keyring.name }
keyring_create = false
keys = { key-a = {}, key-b = {}, key-c = {} }
}
# tftest skip (uses data sources)
Crypto key purpose
module "kms" {
source = "./fabric/modules/kms"
project_id = var.project_id
keyring = {
location = var.region
name = "${var.prefix}-test"
}
keys = {
key-a = {
purpose = "ASYMMETRIC_SIGN"
version_template = {
algorithm = "EC_SIGN_P384_SHA384"
protection_level = "HSM"
}
}
}
}
# tftest modules=1 resources=2 inventory=purpose.yaml e2e
Import job
module "kms" {
source = "./fabric/modules/kms"
project_id = var.project_id
keyring = {
location = var.region
name = "${var.prefix}-test"
}
import_job = {
id = "my-import-job"
import_method = "RSA_OAEP_3072_SHA1_AES_256"
protection_level = "SOFTWARE"
}
}
# tftest modules=1 resources=2 inventory=import-job.yaml e2e
Tag Bindings
Refer to the Creating and managing tags documentation for details on usage.
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
tags = {
environment = {
description = "Environment specification."
values = {
dev = {}
prod = {}
sandbox = {}
}
}
}
}
module "kms" {
source = "./fabric/modules/kms"
project_id = var.project_id
keyring = {
location = var.region
name = "${var.prefix}-test"
}
tag_bindings = {
env-sandbox = module.org.tag_values["environment/sandbox"].id
}
}
# tftest modules=2 resources=6
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| keyring | Keyring attributes. | object({…}) |
✓ | |
| project_id | Project id where the keyring will be created. | string |
✓ | |
| context | Context-specific interpolations. | object({…}) |
{} |
|
| iam | Keyring IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) |
{} |
|
| iam_bindings | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) |
{} |
|
| iam_bindings_additive | Keyring individual additive IAM bindings. Keys are arbitrary. | map(object({…})) |
{} |
|
| import_job | Keyring import job attributes. | object({…}) |
null |
|
| keyring_create | Set to false to manage keys and IAM bindings in an existing keyring. | bool |
true |
|
| keys | Key names and base attributes. Set attributes to null if not needed. | map(object({…})) |
{} |
|
| tag_bindings | Tag bindings for this keyring, in key => tag value id format. | map(string) |
{} |
Outputs
| name | description | sensitive |
|---|---|---|
| id | Fully qualified keyring id. | |
| import_job | Keyring import job resources. | |
| key_ids | Fully qualified key ids. | |
| keyring | Keyring resource. | |
| keys | Key resources. | |
| location | Keyring location. | |
| name | Keyring name. |