GoogleCloudPlatform
diff --git a/‎mmv1/products/ces/Toolset.yaml‎
Lines changed: 286 additions & 0 deletions b/‎mmv1/products/ces/Toolset.yaml‎
Lines changed: 286 additions & 0 deletions
diff --git a/‎mmv1/templates/terraform/examples/ces_toolset_openapi_api_key_config.tf.tmpl‎
Lines changed: 55 additions & 0 deletions b/‎mmv1/templates/terraform/examples/ces_toolset_openapi_api_key_config.tf.tmpl‎
Lines changed: 55 additions & 0 deletions
@@ -0,0 +1,286 @@
+# Copyright 2025 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: Toolset
+description: Description
+base_url: projects/{{project}}/locations/{{location}}/apps/{{app}}/toolsets
+update_mask: true
+self_link:
+  projects/{{project}}/locations/{{location}}/apps/{{app}}/toolsets/{{toolset_id}}
+create_url:
+  projects/{{project}}/locations/{{location}}/apps/{{app}}/toolsets?toolsetId={{toolset_id}}
+update_verb: PATCH
+id_format:
+  projects/{{project}}/locations/{{location}}/apps/{{app}}/toolsets/{{toolset_id}}
+import_format:
+  - projects/{{project}}/locations/{{location}}/apps/{{app}}/toolsets/{{toolset_id}}
+examples:
+  - name: "ces_toolset_openapi_service_account_auth_config"
+    primary_resource_id: "ces_toolset_openapi_service_account_auth_config"  # yamllint disable rule:line-length
+    vars:
+      app_display_name: 'my-app'
+      app_id: 'app-id'
+      toolset_id: 'toolset1'
+      location: 'us'
+  - name: "ces_toolset_openapi_oauth_config"
+    primary_resource_id: "ces_toolset_openapi_oauth_config"
+    vars:
+      app_display_name: 'my-app'
+      app_id: 'app-id'
+      toolset_id: 'toolset1'
+      location: 'us'
+  - name: "ces_toolset_openapi_service_agent_id_token_auth_config"
+    primary_resource_id: "ces_toolset_openapi_service_agent_id_token_auth_config"
+    vars:
+      app_display_name: 'my-app'
+      app_id: 'app-id'
+      toolset_id: 'toolset1'
+      location: 'us'
+  - name: "ces_toolset_openapi_api_key_config"
+    primary_resource_id: "ces_toolset_openapi_api_key_config"
+    vars:
+      app_display_name: 'my-app'
+      app_id: 'app-id'
+      toolset_id: 'toolset1'
+      location: 'us'
+autogen_async: true
+autogen_status: VG9vbHNldA==
+parameters:
+  - name: location
+    type: String
+    description: Resource ID segment making up resource `name`. It identifies the
+      resource within its parent collection as described in
+      https://google.aip.dev/122.
+    immutable: true
+    url_param_only: true
+    required: true
+  - name: app
+    type: String
+    description: Resource ID segment making up resource `name`. It identifies the
+      resource within its parent collection as described in
+      https://google.aip.dev/122.
+    immutable: true
+    url_param_only: true
+    required: true
+  - name: toolsetId
+    type: String
+    description: |-
+      The ID to use for the toolset, which will become the final component of
+      the toolset's resource name. If not provided, a unique ID will be
+      automatically assigned for the toolset.
+    immutable: true
+    url_param_only: true
+    required: true
+properties:
+  - name: createTime
+    type: String
+    description: Timestamp when the toolset was created.
+    output: true
+  - name: description
+    type: String
+    description: The description of the toolset.
+  - name: displayName
+    type: String
+    description: The display name of the toolset. Must be unique within the same
+      app.
+  - name: etag
+    type: String
+    output: true
+    description: |-
+      ETag used to ensure the object hasn't changed during a read-modify-write
+      operation. If the etag is empty, the update will overwrite any concurrent
+      changes.
+  - name: executionType
+    type: String
+    description: |2-
+
+      Possible values:
+      SYNCHRONOUS
+      ASYNCHRONOUS
+  - name: name
+    type: String
+    description: |-
+      Identifier. The unique identifier of the toolset.
+      Format:
+      `projects/{project}/locations/{location}/apps/{app}/toolsets/{toolset}`
+    output: true
+  - name: openApiToolset
+    type: NestedObject
+    description: |-
+      A toolset that contains a list of tools that are defined by an OpenAPI
+      schema.
+    properties:
+      - name: apiAuthentication
+        type: NestedObject
+        description: Authentication information required for API calls.
+        properties:
+          - name: apiKeyConfig
+            type: NestedObject
+            description: Configurations for authentication with API key.
+            properties:
+              - name: apiKeySecretVersion
+                type: String
+                description: |-
+                  The name of the SecretManager secret version resource storing the API key.
+                  Format: `projects/{project}/secrets/{secret}/versions/{version}`
+                  Note: You should grant `roles/secretmanager.secretAccessor` role to the CES
+                  service agent
+                  `[email protected]`.
+                required: true
+              - name: keyName
+                type: String
+                description: |-
+                  The parameter name or the header name of the API key.
+                  E.g., If the API request is "https://example.com/act?X-Api-Key=", "X-Api-Key" would be the parameter name.
+                required: true
+              - name: requestLocation
+                type: String
+                description: |-
+                  Key location in the request.
+                  Possible values:
+                  HEADER
+                  QUERY_STRING
+                required: true
+          - name: oauthConfig
+            type: NestedObject
+            description: Configurations for authentication with OAuth.
+            properties:
+              - name: clientId
+                type: String
+                description: The client ID from the OAuth provider.
+                required: true
+              - name: clientSecretVersion
+                type: String
+                description: |-
+                  The name of the SecretManager secret version resource storing the
+                  client secret.
+                  Format: `projects/{project}/secrets/{secret}/versions/{version}`
+
+                  Note: You should grant `roles/secretmanager.secretAccessor` role to the CES
+                  service agent
+                  `[email protected]`.
+                required: true
+              - name: oauthGrantType
+                type: String
+                description: |-
+                  OAuth grant types.
+                  Possible values:
+                  CLIENT_CREDENTIAL
+                required: true
+              - name: scopes
+                type: Array
+                description: The OAuth scopes to grant.
+                item_type:
+                  type: String
+              - name: tokenEndpoint
+                type: String
+                description: The token endpoint in the OAuth provider to exchange for an
+                  access token.
+                required: true
+          - name: serviceAccountAuthConfig
+            type: NestedObject
+            description: Configurations for authentication using a custom service
+              account.
+            properties:
+              - name: serviceAccount
+                type: String
+                description: |-
+                  The email address of the service account used for authenticatation. CES
+                  uses this service account to exchange an access token and the access token
+                  is then sent in the `Authorization` header of the request.
+
+                  The service account must have the
+                  `roles/iam.serviceAccountTokenCreator` role granted to the
+                  CES service agent
+                  `[email protected]`.
+                required: true
+          - name: serviceAgentIdTokenAuthConfig
+            type: NestedObject
+            description: |-
+              Configurations for authentication with [ID
+              token](https://cloud.google.com/docs/authentication/token-types#id) generated
+              from service agent.
+            allow_empty_object: true
+            send_empty_value: true
+            properties: []
+      - name: ignoreUnknownFields
+        type: Boolean
+        description: |-
+          If true, the agent will ignore unknown fields in the API response for all
+          operations defined in the OpenAPI schema.
+      - name: openApiSchema
+        type: String
+        description: The OpenAPI schema of the toolset.
+        required: true
+      - name: serviceDirectoryConfig
+        type: NestedObject
+        description: Configuration for tools using Service Directory.
+        properties:
+          - name: service
+            type: String
+            description: |-
+              The name of [Service
+              Directory](https://cloud.google.com/service-directory) service.
+              Format:
+              `projects/{project}/locations/{location}/namespaces/{namespace}/services/{service}`.
+              Location of the service directory must be the same as the location of the
+              app.
+            required: true
+      - name: tlsConfig
+        type: NestedObject
+        description: The TLS configuration.
+        properties:
+          - name: caCerts
+            type: Array
+            description: |-
+              Specifies a list of allowed custom CA certificates for HTTPS
+              verification.
+            required: true
+            item_type:
+              type: NestedObject
+              properties:
+                - name: cert
+                  type: String
+                  description: |-
+                    The allowed custom CA certificates (in DER format) for
+                    HTTPS verification. This overrides the default SSL trust store. If this
+                    is empty or unspecified, CES will use Google's default trust
+                    store to verify certificates. N.B. Make sure the HTTPS server
+                    certificates are signed with "subject alt name". For instance a
+                    certificate can be self-signed using the following command,
+                    openssl x509 -req -days 200 -in example.com.csr \
+                    -signkey example.com.key \
+                    -out example.com.crt \
+                    -extfile <(printf "\nsubjectAltName='DNS:www.example.com'")
+                  required: true
+                - name: displayName
+                  type: String
+                  description: |-
+                    The name of the allowed custom CA certificates. This
+                    can be used to disambiguate the custom CA certificates.
+                  required: true
+      - name: url
+        type: String
+        description: |-
+          The server URL of the Open API schema.
+          This field is only set in toolsets in the environment dependencies
+          during the export process if the schema contains a server url.
+          During the import process, if this url is present in the environment dependencies
+          and the schema has the $env_var placeholder,
+          it will replace the placeholder in the schema.
+        output: true
+  - name: updateTime
+    type: String
+    description: Timestamp when the toolset was last updated.
+    output: true
@@ -0,0 +1,55 @@
+resource "google_ces_app" "ces_app_for_toolset" {
+  app_id = "{{index $.Vars "app_id"}}"
+  location = "us"
+  description = "App used as parent for CES Toolset example"
+  display_name = "{{index $.Vars "app_display_name"}}"
+
+  language_settings {
+    default_language_code    = "en-US"
+    supported_language_codes = ["es-ES", "fr-FR"]
+    enable_multilingual_support = true
+    fallback_action          = "escalate"
+  }
+  time_zone_settings {
+    time_zone = "America/Los_Angeles"
+  }
+}
+
+resource "google_ces_toolset" "ces_toolset_openapi_api_key_config" {
+  toolset_id = "{{index $.Vars "toolset_id"}}"
+  location = "us"
+  app      = google_ces_app.ces_app_for_toolset.app_id
+  display_name = "Basic toolset display name"
+  description = "Test description"
+  execution_type = "SYNCHRONOUS"
+
+  open_api_toolset {
+    open_api_schema = <<-EOT
+      openapi: 3.0.0
+      info:
+        title: My Sample API
+        version: 1.0.0
+        description: A simple API example
+      servers:
+        - url: https://api.example.com/v1
+      paths: {}
+    EOT
+    ignore_unknown_fields = false
+    tls_config {
+        ca_certs {
+          display_name="example"
+          cert="ZXhhbXBsZQ=="
+        }
+    }
+    service_directory_config {
+      service = "projects/example/locations/us/namespaces/namespace/services/service"
+    }
+    api_authentication {
+        api_key_config {
+            key_name = "ExampleKey"
+            api_key_secret_version = "projects/fake-project/secrets/fake-secret/versions/version-1"
+            request_location = "HEADER"
+        }
+    }
+  }
+}