Gemini Enterprise Blueprint - Release 1.2.0#15
Merged
aghassemlouei merged 18 commits into main on May 1, 2026
Conversation
Updates the README to reflect the new version 1.2.0 and the latest capabilities of the blueprint. Revises the infrastructure description to better explain the core components, networking, security controls, and data storage. Clarifies the deployment automation features, including session persistence, interactive configuration, and helper functions.
Introduces support for a "none" deployment type, allowing the provisioning of the Gemini Enterprise application without a Load Balancer. Adds support for Google-managed SSL certificates via Certificate Manager. Simplifies CMEK management by removing key creation from Terraform and assuming keys are managed externally or via the deployment script. Adds Analytics capabilities by creating a BigQuery sink for Discovery Engine audit logs. Updates Data Store logic to create empty stores and wait for IAM propagation before importing data. Supports multiple user groups for Identity-Aware Proxy (IAP) access. Conditionally enables APIs based on the selected compliance regime.
Adds support for the IL5 compliance regime, including disabling specific features and implicit model caching not yet authorized for IL5. Introduces new commands for listing and distributing Gemini for Government licenses across projects. Enhances application creation by accepting display names, company names, and enabling audit logs. Updates assistant configurations and feature toggles to align with compliance requirements. Supports relative paths for Google Cloud Storage document imports.
Adds automated installation of tfenv and enforces Terraform version 1.12.2 to ensure consistent deployments. Introduces state hydration to persist configuration values across different stages and sessions. Improves authentication handling, including better Application Default Credentials (ADC) and quota project setup. Adds support for importing existing Google Cloud Storage buckets and BigQuery datasets into Terraform state. Provides interactive menus for selecting compliance regimes (including IL5), certificate management types, and deployment topologies. Adds interactive BigQuery schema mapping for document imports directly within the script. Includes a new helper function menu option for distributing Gemini licenses. Automates CMEK key registration and validation for Discovery Engine.
…ured in deploy.sh
…ry code from create_engine function
The existing command to enable `*.googleapis.com` in the DDG does not work as expected in Cloud Shell due to a conflict between the `-I` and `-n1` flags:
```
jason@cloudshell:~ (initial-project-bfc-stellar)$ echo "iam cloudkms pubsub serviceusage cloudresourcemanager bigquery assuredworkloads cloudbilling logging iamcredentials orgpolicy" | xargs -n1 -I {} gcloud services enable "{}.googleapis.com"
xargs: warning: options --max-args and --replace/-I/-i are mutually exclusive, ignoring previous --max-args value
ERROR: (gcloud.services.enable) PERMISSION_DENIED: Not found or permission denied for service(s): iam cloudkms pubsub serviceusage cloudresourcemanager bigquery assuredworkloads cloudbilling logging iamcredentials orgpolicy.googleapis.com.
Help Token: AVnrbfmsTEevSFSwLfl6nE2ahEtTpyBbh5Jg-fY7clGBTr7ve-gFg8ld07Un99vSg_6n0BcZq7yLF8Lkat_9Rv8fvMkXq_dtMVBr7r37M0Sv3uXF. This command is authenticated as [email protected] which is the active account specified by the [core/account] property
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
violations:
- subject: ?error_code=220002&services=iam+cloudkms+pubsub+serviceusage+cloudresourcemanager+bigquery+assuredworkloads+cloudbilling+logging+iamcredentials+orgpolicy.googleapis.com
type: googleapis.com
- '@type': type.googleapis.com/google.rpc.ErrorInfo
domain: serviceusage.googleapis.com
metadata:
services: iam cloudkms pubsub serviceusage cloudresourcemanager bigquery assuredworkloads
cloudbilling logging iamcredentials orgpolicy.googleapis.com
reason: SERVICE_CONFIG_NOT_FOUND_OR_PERMISSION_DENIED
```
This simplifies the command using Bash brace expansion.
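The brace-expansion fix described in this commit, written out as an added example rather than the blueprint's own deploy.sh code: the short service names are expanded into `<name>.googleapis.com` in one step and handed to a single `gcloud services enable` call, so neither `xargs -n1` nor `-I` is involved. It assumes bash is installed, that `GCLOUD` (default `gcloud`) names the CLI, and uses the service list from the commit message above.

```shell
# Added example, not the blueprint's own deploy.sh code. Assumes bash is
# installed and that GCLOUD (default: gcloud) names the gcloud CLI.

# Expand the short service names from the commit message into
# "<name>.googleapis.com" with Bash brace expansion, one per line.
# The expansion runs in an explicit bash so the function also behaves
# when this file is sourced by a POSIX sh that has no brace expansion.
expand_services() {
  bash -c 'printf "%s\n" {iam,cloudkms,pubsub,serviceusage,cloudresourcemanager,bigquery,assuredworkloads,cloudbilling,logging,iamcredentials,orgpolicy}.googleapis.com'
}

# Portable equivalent for shells without brace expansion: a plain loop
# over the same list, producing identical output.
expand_services_posix() {
  for s in iam cloudkms pubsub serviceusage cloudresourcemanager bigquery \
           assuredworkloads cloudbilling logging iamcredentials orgpolicy; do
    printf '%s.googleapis.com\n' "$s"
  done
}

# Enable every service in one gcloud call. `gcloud services enable`
# accepts several service names at once, so neither a per-service loop
# nor xargs -n1/-I is needed, and the mutual-exclusion warning from the
# commit message cannot occur.
enable_services() {
  set -- $(expand_services)
  "${GCLOUD:-gcloud}" services enable "$@"
}
```

Running `GCLOUD=echo enable_services` prints the exact argument list that would reach gcloud, which is a quick way to check the expansion before enabling anything in a real project.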
* Update issue templates
* Create pull_request_template.md
* Update .github/ISSUE_TEMPLATE/documentation-suggestion.md
  Co-authored-by: Alijohn Ghassemlouei <[email protected]>
* Update .github/pull_request_template.md
  Co-authored-by: Alijohn Ghassemlouei <[email protected]>
* Update bug_report.md
* Update feature request template for compliance options
* Refine bug report template formatting and text
  Updated formatting and wording in the bug report template for clarity.
* Refine wording in documentation suggestion template
  Updated phrasing in the documentation suggestion template for clarity.
* Update feature_request.md
* Update pull request template for compliance items
---------
Co-authored-by: Alijohn Ghassemlouei <[email protected]>
- Adds a region selection prompt during infrastructure discovery to simplify configuration.
- Skips Shared VPC, Access Policy, and Organization Policy checks when no deployment type is selected to prevent unnecessary errors.
- Enhances error handling for Access Policy discovery by providing clear manual fallback instructions.
- Verifies Terraform state bucket access prior to initialization to ensure proper permissions.
- Prompts for authentication at startup if no active access token is found.
- Elevates critical warning colors to red for better visibility of security and compliance notices.
- Displays data store names during the document import process for better clarity.
- Adds the missing Apache 2.0 license header to the engine features configuration file.
Improves query performance and reduces costs by configuring the BigQuery logging sink to use partitioned tables. This ensures that audit logs are stored more efficiently, making downstream analytics faster and more cost-effective.
Introduces a helper function to automate the creation of BigQuery analytics views. These views extract meaningful insights from audit logs, such as user activity, session details, and agent interactions. Updates the deployment flow to guide users on generating necessary activity before creating the views, as the underlying tables are only created once activity occurs. Also adds the new function to the interactive helper menu for easy access.
LanceWray
reviewed
Apr 30, 2026
… enterprise in an AW boundary
…are no longer needed and resolving CMEK registration error
LanceWray
approved these changes
May 1, 2026
Description
This pull request introduces significant enhancements to the deployment workflow, infrastructure, and CLI tools for the Gemini Enterprise blueprint, bumping the version to 1.2.0. The changes focus on hardening the deployment process, improving user experience, enabling advanced analytics, and extending support for regulated environments (specifically DoD IL5).
Key Changes
Deployment Script (deploy.sh): tfenv management to enforce Terraform version 1.12.2, ensuring all operators use the same environment.
Infrastructure (Terraform)
CLI / Python (gem4gov.py)
Documentation & Templates: README.md to reflect version 1.2.0 and the latest capabilities.
Type of Change
Deployment & Compliance Impact
Checklist
Code Quality & Reusability: modules/ or fast/ can be leveraged for this change. documentation/naming-convention.md.
Documentation: README.md of the modified module or blueprint.
Security
Testing
Testing Performed: deploy.sh script through various interactive paths to ensure state hydration and resource discovery work as expected. gemini-stage-0 and gemini-stage-1.