
Add failOpen to CES Guardrail llmPromptSecurity #1324

Merged: modular-magician merged 1 commit into terraform-google-modules:master from modular-magician:downstream-pr-56dcd4246708a95bcc57b60d6bbad9383a64de64 on May 21, 2026

@modular-magician
Collaborator

Add failOpen field to llmPromptSecurity in google_ces_guardrail and google_ces_app_version

This PR adds the missing fail_open attribute to the llm_prompt_security block in the google_ces_guardrail and google_ces_app_version resources, achieving full API parity for this security feature.

Documentation

Rationale

The failOpen field at the root of the llmPromptSecurity object was missing from the Terraform provider schemas. This field determines whether the guardrail fails open (allowing user queries to pass through if LLM classification fails) or closed. Without it, users were unable to configure this critical fallback behavior when using the default system security settings.

Technical Details

  • Guardrail Schema Modification: Added failOpen (Boolean) to llmPromptSecurity properties in Guardrail.yaml.
  • AppVersion Schema Modification (API Parity): Added failOpen (Boolean, read-only output: true) under the nested guardrails.llmPromptSecurity properties in AppVersion.yaml to ensure complete schema parity across resources.
  • New Example: Created the template ces_guardrail_llm_prompt_security_fail_open.tf.tmpl to demonstrate usage with default_settings and fail_open = true.
  • Acceptance Test: Added TestAccCESGuardrail_cesGuardrailLlmPromptSecurityFailOpenExample_update to ces_guardrail_test.go.
    • Design Note: The test uses an inverted lifecycle flow (Create without block -> Update to add block with fail_open = true) to robustly handle proto3 default-value (false) omission in API responses, avoiding Terraform "empty nested block" diff loops.

Verification Results

  • Successfully generated the google and google-beta providers using PRODUCT=ces.
  • Acceptance tests ran and passed successfully on the generated provider (TestAccCESGuardrail_cesGuardrailLlmPromptSecurityFailOpenExample_update).

ces: added `fail_open` field to `llm_prompt_security` block in `google_ces_guardrail` resource
ces: added read-only `fail_open` field to `llm_prompt_security` block in `google_ces_app_version` resource

Derived from GoogleCloudPlatform/magic-modules#17634

[upstream:56dcd4246708a95bcc57b60d6bbad9383a64de64]

Signed-off-by: Modular Magician <magic-modules@google.com>
@modular-magician modular-magician merged commit 3fc5798 into terraform-google-modules:master May 21, 2026
2 checks passed
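
As an added example (not code from this PR or the provider): a CI check over `terraform show -json` plan output that flags `google_ces_guardrail` resources planned with `fail_open = true`, the setting that lets user queries through when LLM classification fails. The sample plan, the resource addresses and the rendering of the nested block as a one-element list are assumptions made for the example.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
# Resource names and sibling attribute values are made up for this example.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "google_ces_guardrail.open", "type": "google_ces_guardrail",
         "change": {"actions": ["update"], "after": {
             "llm_prompt_security": [{"default_settings": [{}], "fail_open": True}]}}},
        {"address": "google_ces_guardrail.closed", "type": "google_ces_guardrail",
         "change": {"actions": ["create"], "after": {
             "llm_prompt_security": [{"default_settings": [{}], "fail_open": None}]}}},
        {"address": "google_ces_guardrail.no_block", "type": "google_ces_guardrail",
         "change": {"actions": ["create"], "after": {"llm_prompt_security": []}}},
        {"address": "google_ces_guardrail.gone", "type": "google_ces_guardrail",
         "change": {"actions": ["delete"], "after": None}},
    ]
})


def _blocks(value):
    """Normalise a nested block to a list of dicts (assumed to arrive as a list)."""
    if isinstance(value, dict):
        return [value]
    if isinstance(value, list):
        return [v for v in value if isinstance(v, dict)]
    return []


def fail_open_guardrails(plan_json):
    """Return addresses of google_ces_guardrail resources planned with fail_open = true."""
    plan = json.loads(plan_json)
    flagged = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "google_ces_guardrail":
            continue
        after = (rc.get("change") or {}).get("after") or {}  # "after" is null on delete
        for block in _blocks(after.get("llm_prompt_security")):
            # Only an explicit true is fail-open. An absent or null value is the
            # proto3 default (false), which is treated here as fail closed.
            if block.get("fail_open") is True:
                flagged.append(rc["address"])
    return flagged


if __name__ == "__main__":
    for address in fail_open_guardrails(SAMPLE_PLAN):
        print(f"fail-open guardrail: {address}")
```

A pipeline can fail the run, or require an explicit approval, whenever the returned list is non-empty.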