diff --git a/examples/v2/README.md b/examples/v2/README.md index 44c04b3d..5d576ec1 100644 --- a/examples/v2/README.md +++ b/examples/v2/README.md @@ -18,6 +18,7 @@ This example assumes that below mentioned prerequisites are in place before cons | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| build\_config | Optional Cloud Build configuration for Cloud Run. This block enables building a container image from source using Cloud Build instead of specifying a prebuilt container image. |
object({
source_location = optional(string)
function_target = optional(string)
image_uri = optional(string)
base_image = optional(string)
enable_automatic_updates = optional(bool)
worker_pool = optional(string)
environment_variables = optional(map(string))
service_account = optional(string)
})
| `null` | no |
 | cloud\_run\_deletion\_protection | This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services | `bool` | `true` | no |
 | project\_id | The project ID to deploy to | `string` | n/a | yes |
diff --git a/examples/v2/main.tf b/examples/v2/main.tf
index 2b9a061d..cd87ba54 100644
--- a/examples/v2/main.tf
+++ b/examples/v2/main.tf
@@ -21,8 +21,8 @@ resource "google_service_account" "sa" {
 }

 module "cloud_run_v2" {
- source = "GoogleCloudPlatform/cloud-run/google//modules/v2"
- version = "~> 0.16"
+ source = "../../modules/v2"
+ # version = "~> 0.16"

 service_name = "ci-cloud-run-v2"
 project_id = var.project_id
@@ -38,4 +38,34 @@ module "cloud_run_v2" {
 container_name = "hello-world"
 }
 ]
+ build_config = {
+ source_location = "gs://cloudrun-open-test"
+ function_target = "helloHttp"
+ image_uri = "us-docker.pkg.dev/cloudrun/container/hello"
+ base_image = "us-central1-docker.pkg.dev/serverless-runtimes/google-22-full/runtimes/nodejs22"
+ enable_automatic_updates = true
+ environment_variables = {
+ FOO_KEY = "FOO_VALUE"
+ BAR_KEY = "BAR_VALUE"
+ }
+ service_account = google_service_account.cloudbuild_service_account.id
+ }
+}
+
+
+resource "google_service_account" "cloudbuild_service_account" {
+ project = "coastal-mercury-471819-s6"
+ account_id = "build-sa"
+}
+
+resource "google_project_iam_member" "act_as" {
+ project = "coastal-mercury-471819-s6"
+ role = "roles/iam.serviceAccountUser"
+ member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
+resource "google_project_iam_member" "logs_writer" {
+ project = "coastal-mercury-471819-s6"
+ role = "roles/logging.logWriter"
+ member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
 }
diff --git a/examples/v2/variables.tf b/examples/v2/variables.tf
index 4b5ed2d3..0fc9f075 100644
--- a/examples/v2/variables.tf
+++ b/examples/v2/variables.tf
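Review bot: The module source now points at the relative path `../../modules/v2` while the registry pin is left behind as dead text (`# version = "~> 0.16"`); anyone copying this example outside the repository gets a source that does not resolve. If the local path is only needed until a registry release ships build_config, replace the commented pin with a comment that says so, e.g. `# TODO: restore the registry source and version once a release with build_config is published`, so the switch-back is not forgotten.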
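Review bot: The three new resources hard-code `project = "coastal-mercury-471819-s6"` while the module call uses `var.project_id`, so the example fails for every other user and, unless that variable happens to hold the same value, the build service account and its bindings end up in a different project than the service; use `project = var.project_id` in all three. Granting `roles/iam.serviceAccountUser` at project level lets `build-sa` act as every service account in the project, which is broader than a build needs; if it only has to act as the Cloud Run runtime identity, bind it on that account with `google_service_account_iam_member` instead. `source_location = "gs://cloudrun-open-test"` is likewise a fixed bucket that other readers cannot assume exists or is readable, so it belongs in a variable with the bucket requirement documented in the README prerequisites.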
@@ -24,3 +24,18 @@ variable "cloud_run_deletion_protection" { description = "This field prevents Terraform from destroying or recreating the Cloud Run v2 Jobs and Services" default = true } + +variable "build_config" { + description = "Optional Cloud Build configuration for Cloud Run. This block enables building a container image from source using Cloud Build instead of specifying a prebuilt container image." + type = object({ + source_location = optional(string) + function_target = optional(string) + image_uri = optional(string) + base_image = optional(string) + enable_automatic_updates = optional(bool) + worker_pool = optional(string) + environment_variables = optional(map(string)) + service_account = optional(string) + }) + default = null +} \ No newline at end of file diff --git a/metadata.yaml b/metadata.yaml index e69eef06..9a0e2231 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -94,13 +94,7 @@ spec: defaultValue: true - name: traffic_split description: Managing traffic routing to the service - varType: |- - list(object({ - latest_revision = bool - percent = number - revision_name = string - tag = string - })) + varType: "list(object({\r\n latest_revision = bool\r\n percent = number\r\n revision_name = string\r\n tag = string\r\n }))" defaultValue: - latest_revision: true percent: 100 @@ -143,14 +137,7 @@ spec: defaultValue: "" - name: volumes description: "[Beta] Volumes needed for environment variables (when using secret)" - varType: |- - list(object({ - name = string - secret = set(object({ - secret_name = string - items = map(string) - })) - })) + varType: "list(object({\r\n name = string\r\n secret = set(object({\r\n secret_name = string\r\n items = map(string)\r\n }))\r\n }))" defaultValue: [] - name: limits description: Resource limits to the container 
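Review bot: Every attribute of `build_config` is `optional(...)`, so `build_config = {}` is accepted and produces an empty `build_config` block in modules/v2/main.tf; if a source build needs `source_location`, a validation block would catch that at plan time, e.g. `validation { condition = var.build_config == null || try(var.build_config.source_location, null) != null ; error_message = "build_config requires source_location." }` (the `try` matters because HCL evaluates both operands of `||`). The description also says the block is used "instead of specifying a prebuilt container image", yet the example in this commit sets both `containers` and `build_config.image_uri`; a sentence on how the two interact would save readers a trip to the provider docs. The file now ends without a trailing newline (`\ No newline at end of file`), which `terraform fmt` would fix.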
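Review bot: Every regenerated `varType` (and the probe and `groups` descriptions further down) has been turned from a `|-` block scalar into a double-quoted string with literal `\r\n` sequences, which looks like the metadata generator was run on a checkout with CRLF line endings; the `roles:` lists were also reordered. The same applies to every metadata.yaml hunk in this commit (metadata.yaml, modules/job-exec, modules/secure-cloud-run-core, modules/secure-cloud-run-security, modules/secure-cloud-run, modules/secure-serverless-harness, modules/v2). Regenerating on an LF checkout (or with `core.autocrlf` off, or a `.gitattributes` rule such as `* text=auto eol=lf`) should restore the block scalars and shrink the diff to the intended changes; otherwise anything that parses `varType` as an HCL type expression sees carriage returns inside it.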
@@ -161,11 +148,7 @@ spec: defaultValue: {} - name: ports description: Port which the container listens to (http1 or h2c) - varType: |- - object({ - name = string - port = number - }) + varType: "object({\r\n name = string\r\n port = number\r\n })" defaultValue: name: http1 port: 8080 
@@ -178,79 +161,22 @@ spec: varType: list(string) defaultValue: [] - name: startup_probe - description: | - Startup probe of application within the container. - All other probes are disabled if a startup probe is provided, until it succeeds. - Container will not be added to service endpoints if the probe fails. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - varType: |- - object({ - failure_threshold = optional(number, null) - initial_delay_seconds = optional(number, null) - timeout_seconds = optional(number, null) - period_seconds = optional(number, null) - http_get = optional(object({ - path = optional(string) - http_headers = optional(list(object({ - name = string - value = string - })), null) - }), null) - tcp_socket = optional(object({ - port = optional(number) - }), null) - grpc = optional(object({ - port = optional(number) - service = optional(string) - }), null) - }) + description: "Startup probe of application within the container.\r\nAll other probes are disabled if a startup probe is provided, until it succeeds.\r\nContainer will not be added to service endpoints if the probe fails.\r\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes\r\n" + varType: "object({\r\n failure_threshold = optional(number, null)\r\n initial_delay_seconds = optional(number, null)\r\n timeout_seconds = optional(number, null)\r\n period_seconds = optional(number, null)\r\n http_get = optional(object({\r\n path = optional(string)\r\n http_headers = optional(list(object({\r\n name = string\r\n value = string\r\n })), null)\r\n }), null)\r\n tcp_socket = optional(object({\r\n port = optional(number)\r\n }), null)\r\n grpc = optional(object({\r\n port = optional(number)\r\n service = optional(string)\r\n }), null)\r\n })" - name: liveness_probe - description: | - Periodic probe of container liveness. Container will be restarted if the probe fails. 
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - varType: |- - object({ - failure_threshold = optional(number, null) - initial_delay_seconds = optional(number, null) - timeout_seconds = optional(number, null) - period_seconds = optional(number, null) - http_get = optional(object({ - path = optional(string) - http_headers = optional(list(object({ - name = string - value = string - })), null) - }), null) - grpc = optional(object({ - port = optional(number) - service = optional(string) - }), null) - }) + description: "Periodic probe of container liveness. Container will be restarted if the probe fails.\r\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes\r\n" + varType: "object({\r\n failure_threshold = optional(number, null)\r\n initial_delay_seconds = optional(number, null)\r\n timeout_seconds = optional(number, null)\r\n period_seconds = optional(number, null)\r\n http_get = optional(object({\r\n path = optional(string)\r\n http_headers = optional(list(object({\r\n name = string\r\n value = string\r\n })), null)\r\n }), null)\r\n grpc = optional(object({\r\n port = optional(number)\r\n service = optional(string)\r\n }), null)\r\n })" - name: env_vars description: Environment variables (cleartext) - varType: |- - list(object({ - value = string - name = string - })) + varType: "list(object({\r\n value = string\r\n name = string\r\n }))" defaultValue: [] - name: env_secret_vars description: "[Beta] Environment variables (Secret Manager)" - varType: |- - list(object({ - name = string - value_from = set(object({ - secret_key_ref = map(string) - })) - })) + varType: "list(object({\r\n name = string\r\n value_from = set(object({\r\n secret_key_ref = map(string)\r\n }))\r\n }))" defaultValue: [] - name: volume_mounts description: "[Beta] Volume Mounts to be attached to the container (when using secret)" - varType: |- - list(object({ - mount_path = string - name = string - })) + 
varType: "list(object({\r\n mount_path = string\r\n name = string\r\n }))" defaultValue: [] - name: verified_domain_name description: List of Custom Domain Name @@ -323,13 +249,13 @@ spec: roles: - level: Project roles: - - roles/cloudkms.admin - - roles/resourcemanager.projectIamAdmin - roles/run.admin - roles/iam.serviceAccountAdmin - roles/artifactregistry.admin - roles/iam.serviceAccountUser - roles/serviceusage.serviceUsageViewer + - roles/cloudkms.admin + - roles/resourcemanager.projectIamAdmin services: - accesscontextmanager.googleapis.com - cloudbilling.googleapis.com diff --git a/modules/job-exec/metadata.yaml b/modules/job-exec/metadata.yaml index 70cd2b44..910fc940 100644 --- a/modules/job-exec/metadata.yaml +++ b/modules/job-exec/metadata.yaml @@ -104,24 +104,11 @@ spec: defaultValue: [] - name: env_vars description: Environment variables (cleartext) - varType: |- - list(object({ - value = string - name = string - })) + varType: "list(object({\r\n value = string\r\n name = string\r\n }))" defaultValue: [] - name: env_secret_vars description: Environment variables (Secret Manager) - varType: |- - list(object({ - name = string - value_source = set(object({ - secret_key_ref = object({ - secret = string - version = optional(string, "latest") - }) - })) - })) + varType: "list(object({\r\n name = string\r\n value_source = set(object({\r\n secret_key_ref = object({\r\n secret = string\r\n version = optional(string, \"latest\")\r\n })\r\n }))\r\n }))" defaultValue: [] - name: launch_stage description: The launch stage. (see https://cloud.google.com/products#product-launch-stages). Defaults to GA. 
@@ -142,18 +129,7 @@ spec: varType: number - name: volumes description: A list of Volumes to make available to containers. - varType: |- - list(object({ - name = string - cloud_sql_instance = optional(object({ - instances = list(string) - })) - gcs = optional(object({ - bucket = string - read_only = optional(bool) - mount_options = optional(list(string)) - })) - })) + varType: "list(object({\r\n name = string\r\n cloud_sql_instance = optional(object({\r\n instances = list(string)\r\n }))\r\n gcs = optional(object({\r\n bucket = string\r\n read_only = optional(bool)\r\n mount_options = optional(list(string))\r\n }))\r\n }))" defaultValue: [] connections: - source: @@ -175,27 +151,15 @@ spec: outputExpr: "{\"name\": \"gcs-bucket-vol\", \"gcs\": { \"bucket\": name}}" - name: volume_mounts description: Volume to mount into the container's filesystem. - varType: |- - list(object({ - name = string - mount_path = string - })) + varType: "list(object({\r\n name = string\r\n mount_path = string\r\n }))" defaultValue: [] - name: vpc_access description: VPC Access configuration to use for this Task. - varType: |- - list(object({ - connector = string - egress = string - })) + varType: "list(object({\r\n connector = string\r\n egress = string\r\n }))" defaultValue: [] - name: limits description: Resource limits to the container - varType: |- - object({ - cpu = optional(string) - memory = optional(string) - }) + varType: "object({\r\n cpu = optional(string)\r\n memory = optional(string)\r\n })" - name: timeout description: Max allowed time duration the Task may be active before the system will actively try to mark it failed and kill associated containers. varType: string 
@@ -219,13 +183,13 @@ spec: roles: - level: Project roles: - - roles/run.admin - roles/iam.serviceAccountAdmin - roles/artifactregistry.admin - roles/iam.serviceAccountUser - roles/serviceusage.serviceUsageViewer - roles/cloudkms.admin - roles/resourcemanager.projectIamAdmin + - roles/run.admin services: - accesscontextmanager.googleapis.com - cloudbilling.googleapis.com diff --git a/modules/secure-cloud-run-core/metadata.yaml b/modules/secure-cloud-run-core/metadata.yaml index 102c62e7..e011df13 100644 --- a/modules/secure-cloud-run-core/metadata.yaml +++ b/modules/secure-cloud-run-core/metadata.yaml @@ -90,14 +90,7 @@ spec: required: true - name: default_rules description: Default rule for Cloud Armor. - varType: |- - map(object({ - action = string - priority = string - versioned_expr = string - src_ip_ranges = list(string) - description = string - })) + varType: "map(object({\r\n action = string\r\n priority = string\r\n versioned_expr = string\r\n src_ip_ranges = list(string)\r\n description = string\r\n }))" defaultValue: default_rule: action: allow @@ -108,12 +101,7 @@ spec: versioned_expr: SRC_IPS_V1 - name: owasp_rules description: These are additional Cloud Armor rules for SQLi, XSS, LFI, RCE, RFI, Scannerdetection, Protocolattack and Sessionfixation (requires Cloud Armor default_rule). - varType: |- - map(object({ - action = string - priority = string - expression = string - })) + varType: "map(object({\r\n action = string\r\n priority = string\r\n expression = string\r\n }))" defaultValue: rule_canary: action: deny(403) @@ -153,11 +141,7 @@ spec: defaultValue: tf-cr-lb - name: env_vars description: Environment variables. - varType: |- - list(object({ - value = string - name = string - })) + varType: "list(object({\r\n value = string\r\n name = string\r\n }))" defaultValue: [] - name: members description: Users/SAs to be given invoker access to the service with the prefix `serviceAccount:' for SAs and `user:` for users. 
@@ -169,13 +153,7 @@ spec: defaultValue: true - name: traffic_split description: Managing traffic routing to the service. - varType: |- - list(object({ - latest_revision = bool - percent = number - revision_name = string - tag = string - })) + varType: "list(object({\r\n latest_revision = bool\r\n percent = number\r\n revision_name = string\r\n tag = string\r\n }))" defaultValue: - latest_revision: true percent: 100 @@ -198,14 +176,7 @@ spec: defaultValue: 120 - name: volumes description: "[Beta] Volumes needed for environment variables (when using secret)." - varType: |- - list(object({ - name = string - secret = set(object({ - secret_name = string - items = map(string) - })) - })) + varType: "list(object({\r\n name = string\r\n secret = set(object({\r\n secret_name = string\r\n items = map(string)\r\n }))\r\n }))" defaultValue: [] - name: limits description: Resource limits to the container. @@ -216,11 +187,7 @@ spec: defaultValue: {} - name: ports description: Port which the container listens to (http1 or h2c). - varType: |- - object({ - name = string - port = number - }) + varType: "object({\r\n name = string\r\n port = number\r\n })" defaultValue: name: http1 port: 8080 @@ -234,11 +201,7 @@ spec: defaultValue: [] - name: volume_mounts description: "[Beta] Volume Mounts to be attached to the container (when using secret)." - varType: |- - list(object({ - mount_path = string - name = string - })) + varType: "list(object({\r\n mount_path = string\r\n name = string\r\n }))" defaultValue: [] - name: verified_domain_name description: List of custom Domain Name. 
@@ -281,11 +244,7 @@ spec: defaultValue: private-ranges-only - name: ssl_certificates description: A object with a list of domains to auto-generate SSL certificates or a list of SSL Certificates self-links in the pattern `projects//global/sslCertificates/` to be used by Load Balancer. - varType: |- - object({ - ssl_certificates_self_links = list(string) - generate_certificates_for_domains = list(string) - }) + varType: "object({\r\n ssl_certificates_self_links = list(string)\r\n generate_certificates_for_domains = list(string)\r\n })" required: true outputs: - name: domain_map_id @@ -306,13 +265,13 @@ spec: roles: - level: Project roles: - - roles/cloudkms.admin - - roles/resourcemanager.projectIamAdmin - roles/run.admin - roles/iam.serviceAccountAdmin - roles/artifactregistry.admin - roles/iam.serviceAccountUser - roles/serviceusage.serviceUsageViewer + - roles/cloudkms.admin + - roles/resourcemanager.projectIamAdmin services: - accesscontextmanager.googleapis.com - cloudbilling.googleapis.com diff --git a/modules/secure-cloud-run-security/metadata.yaml b/modules/secure-cloud-run-security/metadata.yaml index cd7fd432..d053a939 100644 --- a/modules/secure-cloud-run-security/metadata.yaml +++ b/modules/secure-cloud-run-security/metadata.yaml 
@@ -113,14 +113,8 @@ spec: varType: string defaultValue: "" - name: groups - description: " Groups which will have roles assigned.\n The Serverless Administrators email group which the following roles will be added: Cloud Run Admin, Compute Network Viewer and Compute Network User.\n The Serverless Security Administrators email group which the following roles will be added: Cloud Run Viewer, Cloud KMS Viewer and Artifact Registry Reader.\n The Cloud Run Developer email group which the following roles will be added: Cloud Run Developer, Artifact Registry Writer and Cloud KMS CryptoKey Encrypter.\n The Cloud Run User email group which the following roles will be added: Cloud Run Invoker.\n" - varType: |- - object({ - group_serverless_administrator = optional(string, null) - group_serverless_security_administrator = optional(string, null) - group_cloud_run_developer = optional(string, null) - group_cloud_run_user = optional(string, null) - }) + description: " Groups which will have roles assigned.\r\n The Serverless Administrators email group which the following roles will be added: Cloud Run Admin, Compute Network Viewer and Compute Network User.\r\n The Serverless Security Administrators email group which the following roles will be added: Cloud Run Viewer, Cloud KMS Viewer and Artifact Registry Reader.\r\n The Cloud Run Developer email group which the following roles will be added: Cloud Run Developer, Artifact Registry Writer and Cloud KMS CryptoKey Encrypter.\r\n The Cloud Run User email group which the following roles will be added: Cloud Run Invoker.\r\n" + varType: "object({\r\n group_serverless_administrator = optional(string, null)\r\n group_serverless_security_administrator = optional(string, null)\r\n group_cloud_run_developer = optional(string, null)\r\n group_cloud_run_user = optional(string, null)\r\n })" defaultValue: {} outputs: - name: key_self_link 
@@ -133,13 +127,13 @@ spec: roles: - level: Project roles: + - roles/iam.serviceAccountUser + - roles/serviceusage.serviceUsageViewer - roles/cloudkms.admin - roles/resourcemanager.projectIamAdmin - roles/run.admin - roles/iam.serviceAccountAdmin - roles/artifactregistry.admin - - roles/iam.serviceAccountUser - - roles/serviceusage.serviceUsageViewer services: - accesscontextmanager.googleapis.com - cloudbilling.googleapis.com diff --git a/modules/secure-cloud-run/metadata.yaml b/modules/secure-cloud-run/metadata.yaml index 3554ee0b..4b41b04f 100644 --- a/modules/secure-cloud-run/metadata.yaml +++ b/modules/secure-cloud-run/metadata.yaml @@ -105,11 +105,7 @@ spec: required: true - name: env_vars description: Environment variables (cleartext) - varType: |- - list(object({ - value = string - name = string - })) + varType: "list(object({\r\n value = string\r\n name = string\r\n }))" defaultValue: [] - name: members description: Users/SAs to be given invoker access to the service with the prefix `serviceAccount:' for SAs and `user:` for users. 
@@ -192,32 +188,15 @@ spec: defaultValue: [] - name: volumes description: "[Beta] Volumes needed for environment variables (when using secret)." - varType: |- - list(object({ - name = string - secret = set(object({ - secret_name = string - items = map(string) - })) - })) + varType: "list(object({\r\n name = string\r\n secret = set(object({\r\n secret_name = string\r\n items = map(string)\r\n }))\r\n }))" defaultValue: [] - name: groups - description: " Groups which will have roles assigned.\n The Serverless Administrators email group which the following roles will be added: Cloud Run Admin, Compute Network Viewer and Compute Network User.\n The Serverless Security Administrators email group which the following roles will be added: Cloud Run Viewer, Cloud KMS Viewer and Artifact Registry Reader.\n The Cloud Run Developer email group which the following roles will be added: Cloud Run Developer, Artifact Registry Writer and Cloud KMS CryptoKey Encrypter.\n The Cloud Run User email group which the following roles will be added: Cloud Run Invoker.\n" - varType: |- - object({ - group_serverless_administrator = optional(string, null) - group_serverless_security_administrator = optional(string, null) - group_cloud_run_developer = optional(string, null) - group_cloud_run_user = optional(string, null) - }) + description: " Groups which will have roles assigned.\r\n The Serverless Administrators email group which the following roles will be added: Cloud Run Admin, Compute Network Viewer and Compute Network User.\r\n The Serverless Security Administrators email group which the following roles will be added: Cloud Run Viewer, Cloud KMS Viewer and Artifact Registry Reader.\r\n The Cloud Run Developer email group which the following roles will be added: Cloud Run Developer, Artifact Registry Writer and Cloud KMS CryptoKey Encrypter.\r\n The Cloud Run User email group which the following roles will be added: Cloud Run Invoker.\r\n" + varType: "object({\r\n 
group_serverless_administrator = optional(string, null)\r\n group_serverless_security_administrator = optional(string, null)\r\n group_cloud_run_developer = optional(string, null)\r\n group_cloud_run_user = optional(string, null)\r\n })" defaultValue: {} - name: ssl_certificates description: A object with a list of domains to auto-generate SSL certificates or a list of SSL Certificates self-links in the pattern `projects//global/sslCertificates/` to be used by Load Balancer. - varType: |- - object({ - ssl_certificates_self_links = list(string) - generate_certificates_for_domains = list(string) - }) + varType: "object({\r\n ssl_certificates_self_links = list(string)\r\n generate_certificates_for_domains = list(string)\r\n })" required: true outputs: - name: cloud_services_sa diff --git a/modules/secure-serverless-harness/metadata.yaml b/modules/secure-serverless-harness/metadata.yaml index 7ede4e8f..194e2478 100644 --- a/modules/secure-serverless-harness/metadata.yaml +++ b/modules/secure-serverless-harness/metadata.yaml @@ -125,11 +125,7 @@ spec: `ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow identities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT` `SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products) `OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions). - varType: |- - list(object({ - from = any - to = any - })) + varType: "list(object({\r\n from = any\r\n to = any\r\n }))" defaultValue: [] - name: ingress_policies description: |- 
@@ -141,11 +137,7 @@ spec: `ID_TYPE` = `null` or `IDENTITY_TYPE_UNSPECIFIED` (only allow identities from list); `ANY_IDENTITY`; `ANY_USER_ACCOUNT`; `ANY_SERVICE_ACCOUNT` `SRV_NAME` = "`*`" (allow all services) or [Specific Services](https://cloud.google.com/vpc-service-controls/docs/supported-products#supported_products) `OP_TYPE` = [methods](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions) or [permissions](https://cloud.google.com/vpc-service-controls/docs/supported-method-restrictions). - varType: |- - list(object({ - from = any - to = any - })) + varType: "list(object({\r\n from = any\r\n to = any\r\n }))" defaultValue: [] - name: region description: The region in which the subnetwork will be created. @@ -282,13 +274,13 @@ spec: roles: - level: Project roles: + - roles/iam.serviceAccountAdmin + - roles/artifactregistry.admin - roles/iam.serviceAccountUser - roles/serviceusage.serviceUsageViewer - roles/cloudkms.admin - roles/resourcemanager.projectIamAdmin - roles/run.admin - - roles/iam.serviceAccountAdmin - - roles/artifactregistry.admin services: - accesscontextmanager.googleapis.com - cloudbilling.googleapis.com diff --git a/modules/v2/README.md b/modules/v2/README.md index 017b8176..d07b3642 100644 --- a/modules/v2/README.md +++ b/modules/v2/README.md @@ -51,6 +51,7 @@ Functional examples are included in the | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | binary\_authorization | Settings for the Binary Authorization feature. |
object({
breakglass_justification = optional(bool) # If present, indicates to use Breakglass using this justification. If useDefault is False, then it must be empty. For more information on breakglass, [see](https://cloud.google.com/binary-authorization/docs/using-breakglass)
use_default = optional(bool) #If True, indicates to use the default project's binary authorization policy. If False, binary authorization will be disabled.
})
| `null` | no | +| build\_config | Optional Cloud Build Configuration for building a Cloud Run function. |
object({
source_location = optional(string)
function_target = optional(string)
image_uri = optional(string)
base_image = optional(string)
enable_automatic_updates = optional(bool)
worker_pool = optional(string)
environment_variables = optional(map(string))
service_account = optional(string)
})
| `null` | no | | client | Arbitrary identifier for the API client and version identifier |
object({
name = optional(string, null)
version = optional(string, null)
})
| `{}` | no | | cloud\_run\_deletion\_protection | This field prevents Terraform from destroying or recreating the Cloud Run jobs and services | `bool` | `true` | no | | containers | Container images for the service |
list(object({
container_name = optional(string, null)
container_image = string
working_dir = optional(string, null)
depends_on_container = optional(list(string), null)
container_args = optional(list(string), null)
container_command = optional(list(string), null)
env_vars = optional(map(string), {})
env_secret_vars = optional(map(object({
secret = string
version = string
})), {})
volume_mounts = optional(list(object({
name = string
mount_path = string
})), [])
ports = optional(object({
name = optional(string, "http1")
container_port = optional(number, 8080)
}), {})
resources = optional(object({
limits = optional(object({
cpu = optional(string)
memory = optional(string)
nvidia_gpu = optional(string)
}))
cpu_idle = optional(bool, true)
startup_cpu_boost = optional(bool, false)
}), {})
startup_probe = optional(object({
failure_threshold = optional(number, null)
initial_delay_seconds = optional(number, null)
timeout_seconds = optional(number, null)
period_seconds = optional(number, null)
http_get = optional(object({
path = optional(string)
port = optional(string)
http_headers = optional(list(object({
name = string
value = string
})), [])
}), null)
tcp_socket = optional(object({
port = optional(number)
}), null)
grpc = optional(object({
port = optional(number)
service = optional(string)
}), null)
}), null)
liveness_probe = optional(object({
failure_threshold = optional(number, null)
initial_delay_seconds = optional(number, null)
timeout_seconds = optional(number, null)
period_seconds = optional(number, null)
http_get = optional(object({
path = optional(string)
port = optional(string)
http_headers = optional(list(object({
name = string
value = string
})), [])
}), null)
tcp_socket = optional(object({
port = optional(number)
}), null)
grpc = optional(object({
port = optional(number)
service = optional(string)
}), null)
}), null)
}))
| n/a | yes | @@ -90,6 +91,7 @@ Functional examples are included in the | Name | Description | |------|-------------| | apphub\_service\_uri | Service URI in CAIS style to be used by Apphub. | +| build\_name | The Cloud Build name of the latest successful deployment of the Service. | | creator | Email address of the authenticated creator. | | effective\_annotations | All of annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services. | | last\_modifier | Email address of the last authenticated modifier. | diff --git a/modules/v2/main.tf b/modules/v2/main.tf index e94534e6..41baa8c3 100644 --- a/modules/v2/main.tf +++ b/modules/v2/main.tf @@ -340,6 +340,20 @@ resource "google_cloud_run_v2_service" "main" { } } // template + dynamic "build_config" { + for_each = var.build_config != null ? [var.build_config] : [] + content { + source_location = try(build_config.value.source_location, null) + function_target = try(build_config.value.function_target, null) + image_uri = try(build_config.value.image_uri, null) + base_image = try(build_config.value.base_image, null) + enable_automatic_updates = try(build_config.value.enable_automatic_updates, null) + worker_pool = try(build_config.value.worker_pool, null) + service_account = try(build_config.value.service_account, null) + environment_variables = try(build_config.value.environment_variables, null) + } + } //build_config + annotations = var.service_annotations client = var.client.name client_version = var.client.version diff --git a/modules/v2/metadata.yaml b/modules/v2/metadata.yaml index b19cf64e..ce22489b 100644 --- a/modules/v2/metadata.yaml +++ b/modules/v2/metadata.yaml 
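Review bot: The `try(build_config.value.X, null)` wrappers in the new dynamic block are redundant: the `build_config` variable, as documented in the modules/v2 README table in this same commit, is an object whose attributes are all `optional(...)`, so Terraform already fills absent attributes with `null`, and the `for_each` already excludes the null case; writing `source_location = build_config.value.source_location` (and likewise for the other seven attributes) is more direct and lets a genuine type error surface instead of being swallowed by `try`. A short comment on the block would also help readers, e.g. `# Build the image from source with Cloud Build; environment_variables are passed in cleartext, so keep secrets out of them`. The enclosing `google_cloud_run_v2_service.main` resource starts before and continues after this hunk.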
@@ -73,79 +73,7 @@ spec: varType: string - name: containers description: Container images for the service - varType: |- - list(object({ - container_name = optional(string, null) - container_image = string - working_dir = optional(string, null) - depends_on_container = optional(list(string), null) - container_args = optional(list(string), null) - container_command = optional(list(string), null) - env_vars = optional(map(string), {}) - env_secret_vars = optional(map(object({ - secret = string - version = string - })), {}) - volume_mounts = optional(list(object({ - name = string - mount_path = string - })), []) - ports = optional(object({ - name = optional(string, "http1") - container_port = optional(number, 8080) - }), {}) - resources = optional(object({ - limits = optional(object({ - cpu = optional(string) - memory = optional(string) - nvidia_gpu = optional(string) - })) - cpu_idle = optional(bool, true) - startup_cpu_boost = optional(bool, false) - }), {}) - startup_probe = optional(object({ - failure_threshold = optional(number, null) - initial_delay_seconds = optional(number, null) - timeout_seconds = optional(number, null) - period_seconds = optional(number, null) - http_get = optional(object({ - path = optional(string) - port = optional(string) - http_headers = optional(list(object({ - name = string - value = string - })), []) - }), null) - tcp_socket = optional(object({ - port = optional(number) - }), null) - grpc = optional(object({ - port = optional(number) - service = optional(string) - }), null) - }), null) - liveness_probe = optional(object({ - failure_threshold = optional(number, null) - initial_delay_seconds = optional(number, null) - timeout_seconds = optional(number, null) - period_seconds = optional(number, null) - http_get = optional(object({ - path = optional(string) - port = optional(string) - http_headers = optional(list(object({ - name = string - value = string - })), []) - }), null) - tcp_socket = optional(object({ - port = optional(number) - 
}), null) - grpc = optional(object({ - port = optional(number) - service = optional(string) - }), null) - }), null) - })) + varType: "list(object({\r\n container_name = optional(string, null)\r\n container_image = string\r\n working_dir = optional(string, null)\r\n depends_on_container = optional(list(string), null)\r\n container_args = optional(list(string), null)\r\n container_command = optional(list(string), null)\r\n env_vars = optional(map(string), {})\r\n env_secret_vars = optional(map(object({\r\n secret = string\r\n version = string\r\n })), {})\r\n volume_mounts = optional(list(object({\r\n name = string\r\n mount_path = string\r\n })), [])\r\n ports = optional(object({\r\n name = optional(string, \"http1\")\r\n container_port = optional(number, 8080)\r\n }), {})\r\n resources = optional(object({\r\n limits = optional(object({\r\n cpu = optional(string)\r\n memory = optional(string)\r\n nvidia_gpu = optional(string)\r\n }))\r\n cpu_idle = optional(bool, true)\r\n startup_cpu_boost = optional(bool, false)\r\n }), {})\r\n startup_probe = optional(object({\r\n failure_threshold = optional(number, null)\r\n initial_delay_seconds = optional(number, null)\r\n timeout_seconds = optional(number, null)\r\n period_seconds = optional(number, null)\r\n http_get = optional(object({\r\n path = optional(string)\r\n port = optional(string)\r\n http_headers = optional(list(object({\r\n name = string\r\n value = string\r\n })), [])\r\n }), null)\r\n tcp_socket = optional(object({\r\n port = optional(number)\r\n }), null)\r\n grpc = optional(object({\r\n port = optional(number)\r\n service = optional(string)\r\n }), null)\r\n }), null)\r\n liveness_probe = optional(object({\r\n failure_threshold = optional(number, null)\r\n initial_delay_seconds = optional(number, null)\r\n timeout_seconds = optional(number, null)\r\n period_seconds = optional(number, null)\r\n http_get = optional(object({\r\n path = optional(string)\r\n port = optional(string)\r\n http_headers = 
optional(list(object({\r\n name = string\r\n value = string\r\n })), [])\r\n }), null)\r\n tcp_socket = optional(object({\r\n port = optional(number)\r\n }), null)\r\n grpc = optional(object({\r\n port = optional(number)\r\n service = optional(string)\r\n }), null)\r\n }), null)\r\n }))" required: true connections: - source: @@ -234,10 +162,7 @@ spec: inputPath: env_vars - name: node_selector description: Node Selector describes the hardware requirements of the GPU resource. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_service#nested_template_node_selector). - varType: |- - object({ - accelerator = string - }) + varType: "object({\r\n accelerator = string\r\n })" - name: gpu_zonal_redundancy_disabled description: True if GPU zonal redundancy is disabled on this revision. varType: bool @@ -330,16 +255,7 @@ spec: defaultValue: [] - name: vpc_access description: Configure this to enable your service to send traffic to a Virtual Private Cloud. Set egress to ALL_TRAFFIC or PRIVATE_RANGES_ONLY. Choose a connector or network_interfaces (for direct VPC egress). [More info](https://cloud.google.com/run/docs/configuring/connecting-vpc) - varType: |- - object({ - connector = optional(string) - egress = optional(string) - network_interfaces = optional(object({ - network = optional(string) - subnetwork = optional(string) - tags = optional(list(string)) - })) - }) + varType: "object({\r\n connector = optional(string)\r\n egress = optional(string)\r\n network_interfaces = optional(object({\r\n network = optional(string)\r\n subnetwork = optional(string)\r\n tags = optional(list(string))\r\n }))\r\n })" connections: - source: source: github.com/terraform-google-modules/terraform-google-network//modules/vpc-serverless-connector-beta 
@@ -357,35 +273,7 @@ spec: defaultValue: false - name: volumes description: Volumes needed for environment variables (when using secret) - varType: |- - list(object({ - name = string - secret = optional(object({ - secret = string - default_mode = optional(string) - items = optional(object({ - path = string - version = optional(string) - mode = optional(string) - })) - })) - cloud_sql_instance = optional(object({ - instances = optional(list(string)) - })) - empty_dir = optional(object({ - medium = optional(string) - size_limit = optional(string) - })) - gcs = optional(object({ - bucket = string - read_only = optional(string) - })) - nfs = optional(object({ - server = string - path = string - read_only = optional(string) - })) - })) + varType: "list(object({\r\n name = string\r\n secret = optional(object({\r\n secret = string\r\n default_mode = optional(string)\r\n items = optional(object({\r\n path = string\r\n version = optional(string)\r\n mode = optional(string)\r\n }))\r\n }))\r\n cloud_sql_instance = optional(object({\r\n instances = optional(list(string))\r\n }))\r\n empty_dir = optional(object({\r\n medium = optional(string)\r\n size_limit = optional(string)\r\n }))\r\n gcs = optional(object({\r\n bucket = string\r\n read_only = optional(string)\r\n }))\r\n nfs = optional(object({\r\n server = string\r\n path = string\r\n read_only = optional(string)\r\n }))\r\n }))" defaultValue: [] connections: - source: 
@@ -408,20 +296,11 @@ spec: inputPath: gcs.bucket - name: traffic description: Specifies how to distribute traffic over a collection of Revisions belonging to the Service. If traffic is empty or not provided, defaults to 100% traffic to the latest Ready Revision. - varType: |- - list(object({ - type = optional(string, "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST") - percent = optional(number, 100) - revision = optional(string, null) - tag = optional(string, null) - })) + varType: "list(object({\r\n type = optional(string, \"TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST\")\r\n percent = optional(number, 100)\r\n revision = optional(string, null)\r\n tag = optional(string, null)\r\n }))" defaultValue: [] - name: service_scaling description: Bounds the number of container instances for the service - varType: |- - object({ - min_instance_count = optional(number) - }) + varType: "object({\r\n min_instance_count = optional(number)\r\n })" - name: service_labels description: Unstructured key value map that can be used to organize and categorize objects. For more information, visit [create and update labels for projects](https://cloud.google.com/resource-manager/docs/creating-managing-labels) or [configure labels for services](https://cloud.google.com/run/docs/configuring/labels) varType: map(string) @@ -438,11 +317,7 @@ spec: defaultValue: {} - name: client description: Arbitrary identifier for the API client and version identifier - varType: |- - object({ - name = optional(string, null) - version = optional(string, null) - }) + varType: "object({\r\n name = optional(string, null)\r\n version = optional(string, null)\r\n })" defaultValue: {} - name: launch_stage description: The launch stage as defined by Google Cloud Platform Launch Stages. Cloud Run supports ALPHA, BETA, and GA. If no value is specified, GA is assumed. 
@@ -453,21 +328,13 @@ spec: varType: list(string) - name: binary_authorization description: Settings for the Binary Authorization feature. - varType: |- - object({ - breakglass_justification = optional(bool) # If present, indicates to use Breakglass using this justification. If useDefault is False, then it must be empty. For more information on breakglass, [see](https://cloud.google.com/binary-authorization/docs/using-breakglass) - use_default = optional(bool) #If True, indicates to use the default project's binary authorization policy. If False, binary authorization will be disabled. - }) + varType: "object({\r\n breakglass_justification = optional(bool) # If present, indicates to use Breakglass using this justification. If useDefault is False, then it must be empty. For more information on breakglass, [see](https://cloud.google.com/binary-authorization/docs/using-breakglass)\r\n use_default = optional(bool) #If True, indicates to use the default project's binary authorization policy. If False, binary authorization will be disabled.\r\n })" - name: revision description: The unique name for the revision. If this field is omitted, it will be automatically generated based on the Service name varType: string - name: template_scaling description: Maximum and minimum number of instances for this Revision - varType: |- - object({ - min_instance_count = optional(number) - max_instance_count = optional(number) - }) + varType: "object({\r\n min_instance_count = optional(number)\r\n max_instance_count = optional(number)\r\n })" - name: template_labels description: Unstructured key value map that can be used to organize and categorize objects. For more information, visit [create and update labels for projects](https://cloud.google.com/resource-manager/docs/creating-managing-labels) or [configure labels for services](https://cloud.google.com/run/docs/configuring/labels) varType: map(string) 
@@ -501,6 +368,9 @@ spec:
 description: The sandbox environment to host this Revision.
 varType: string
 defaultValue: EXECUTION_ENVIRONMENT_GEN2
+ - name: build_config
+ description: Optional Cloud Build Configuration for building a Cloud Run function.
+ varType: "object({\r\n source_location = optional(string)\r\n function_target = optional(string)\r\n image_uri = optional(string)\r\n base_image = optional(string)\r\n enable_automatic_updates = optional(bool)\r\n worker_pool = optional(string)\r\n environment_variables = optional(map(string))\r\n service_account = optional(string)\r\n })"
 outputs:
 - name: apphub_service_uri
 description: Service URI in CAIS style to be used by Apphub.
@@ -509,6 +379,8 @@ spec:
 - location: string
 service_id: string
 service_uri: string
+ - name: build_name
+ description: The Cloud Build name of the latest successful deployment of the Service.
 - name: creator
 description: Email address of the authenticated creator.
 type: string
diff --git a/modules/v2/outputs.tf b/modules/v2/outputs.tf
index 4e76d00f..ecde671c 100644
--- a/modules/v2/outputs.tf
+++ b/modules/v2/outputs.tf
@@ -87,3 +87,9 @@ output "apphub_service_uri" {
 }
 description = "Service URI in CAIS style to be used by Apphub."
 }
+
+
+output "build_name" {
+ description = "The Cloud Build name of the latest successful deployment of the Service."
+ value = try(google_cloud_run_v2_service.main.build_config[0].name, null)
+}
diff --git a/modules/v2/variables.tf b/modules/v2/variables.tf
index c62537e7..b5f5d684 100644
--- a/modules/v2/variables.tf
+++ b/modules/v2/variables.tf
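Review bot: `try(google_cloud_run_v2_service.main.build_config[0].name, null)` in the new `build_name` output also swallows a misspelled attribute or a future schema change, because `try` returns the fallback for any evaluation error, not only for an unset block. The splat form expresses the intended "null when `build_config` is not configured" without hiding real errors, and is available in the Terraform versions this module already requires for `optional()` types: `value = one(google_cloud_run_v2_service.main.build_config[*].name)`. The description should also state that the value is `null` when `build_config` is not set, so consumers know to guard on it.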
@@ -357,3 +357,17 @@ variable "execution_environment" { } } +variable "build_config" { + description = "Optional Cloud Build Configuration for building a Cloud Run function." + type = object({ + source_location = optional(string) + function_target = optional(string) + image_uri = optional(string) + base_image = optional(string) + enable_automatic_updates = optional(bool) + worker_pool = optional(string) + environment_variables = optional(map(string)) + service_account = optional(string) + }) + default = null +}
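Review bot: The new `build_config` variable's description does not say what its security-relevant attributes do, and nothing validates the object beyond its shape. `service_account` is the identity Cloud Build runs the source build as, so its role grants decide what the build can reach; `enable_automatic_updates` opts the deployed image into base-image updates that happen outside Terraform's control; and `image_uri`/`base_image` appear to select the registries the build pushes to and pulls from. I would expand the description along those lines, e.g. `description = "Optional Cloud Build configuration for building a Cloud Run function from source. service_account is the identity Cloud Build runs as (grant it least privilege); enable_automatic_updates opts into automatic base-image updates; image_uri and base_image select the output image and runtime base image."`. Every attribute is `optional`, so `build_config = {}` passes type checking but yields a block with every field null; if, as I recall from the provider docs, `source_location` is required by the API, a `validation` with `condition = var.build_config == null || var.build_config.source_location != null` would surface that at plan time rather than at apply.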