AI GCP Model Armor configurationv3.12+
Configuration for enforcing content safety policies on LLM requests and responses using GCP Model Armor.
Environment variables
-
GCP_SERVICE_ACCOUNT_JSON: GCP service account credentials in JSON format -
GCP_PROJECT_ID: GCP project identifier -
GCP_LOCATION_ID: GCP location identifier -
GCP_TEMPLATE_ID: Guardrail template identifier
Add this section to your kong.yaml configuration file:
kong.yaml
Copied!
_format_version: "3.0"
plugins:
- name: ai-gcp-model-armor
config:
project_id: ${{ env "DECK_GCP_PROJECT_ID" }}
location_id: ${{ env "DECK_GCP_LOCATION_ID" }}
template_id: ${{ env "DECK_GCP_TEMPLATE_ID" }}
guarding_mode: BOTH
gcp_use_service_account: true
gcp_service_account_json: ${{ env "DECK_GCP_SERVICE_ACCOUNT_JSON" }}
reveal_failure_categories: true
request_failure_message: Your request was blocked by content policies.
response_failure_message: The model's response was filtered for safety.
timeout: 15000
response_buffer_size: 4096
text_source: last_message
Make the following request:
curl -i -X POST http://localhost:8001/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-gcp-model-armor",
"config": {
"project_id": "'$GCP_PROJECT_ID'",
"location_id": "'$GCP_LOCATION_ID'",
"template_id": "'$GCP_TEMPLATE_ID'",
"guarding_mode": "BOTH",
"gcp_use_service_account": true,
"gcp_service_account_json": "'$GCP_SERVICE_ACCOUNT_JSON'",
"reveal_failure_categories": true,
"request_failure_message": "Your request was blocked by content policies.",
"response_failure_message": "The model's response was filtered for safety.",
"timeout": 15000,
"response_buffer_size": 4096,
"text_source": "last_message"
}
}
'
Copied!
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-gcp-model-armor",
"config": {
"project_id": "'$GCP_PROJECT_ID'",
"location_id": "'$GCP_LOCATION_ID'",
"template_id": "'$GCP_TEMPLATE_ID'",
"guarding_mode": "BOTH",
"gcp_use_service_account": true,
"gcp_service_account_json": "'$GCP_SERVICE_ACCOUNT_JSON'",
"reveal_failure_categories": true,
"request_failure_message": "Your request was blocked by content policies.",
"response_failure_message": "The model's response was filtered for safety.",
"timeout": 15000,
"response_buffer_size": 4096,
"text_source": "last_message"
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
name: ai-gcp-model-armor
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
labels:
global: 'true'
config:
project_id: '$GCP_PROJECT_ID'
location_id: '$GCP_LOCATION_ID'
template_id: '$GCP_TEMPLATE_ID'
guarding_mode: BOTH
gcp_use_service_account: true
gcp_service_account_json: '$GCP_SERVICE_ACCOUNT_JSON'
reveal_failure_categories: true
request_failure_message: Your request was blocked by content policies.
response_failure_message: The model's response was filtered for safety.
timeout: 15000
response_buffer_size: 4096
text_source: last_message
plugin: ai-gcp-model-armor
" | kubectl apply -f -
Copied!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_gcp_model_armor" "my_ai_gcp_model_armor" {
enabled = true
config = {
project_id = var.gcp_project_id
location_id = var.gcp_location_id
template_id = var.gcp_template_id
guarding_mode = "BOTH"
gcp_use_service_account = true
gcp_service_account_json = var.gcp_service_account_json
reveal_failure_categories = true
request_failure_message = "Your request was blocked by content policies."
response_failure_message = "The model's response was filtered for safety."
timeout = 15000
response_buffer_size = 4096
text_source = "last_message"
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
Copied!
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "gcp_template_id" {
type = string
}
Copied!
Add this section to your kong.yaml configuration file:
kong.yaml
Copied!
_format_version: "3.0"
plugins:
- name: ai-gcp-model-armor
service: serviceName|Id
config:
project_id: ${{ env "DECK_GCP_PROJECT_ID" }}
location_id: ${{ env "DECK_GCP_LOCATION_ID" }}
template_id: ${{ env "DECK_GCP_TEMPLATE_ID" }}
guarding_mode: BOTH
gcp_use_service_account: true
gcp_service_account_json: ${{ env "DECK_GCP_SERVICE_ACCOUNT_JSON" }}
reveal_failure_categories: true
request_failure_message: Your request was blocked by content policies.
response_failure_message: The model's response was filtered for safety.
timeout: 15000
response_buffer_size: 4096
text_source: last_message
Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-gcp-model-armor",
"config": {
"project_id": "'$GCP_PROJECT_ID'",
"location_id": "'$GCP_LOCATION_ID'",
"template_id": "'$GCP_TEMPLATE_ID'",
"guarding_mode": "BOTH",
"gcp_use_service_account": true,
"gcp_service_account_json": "'$GCP_SERVICE_ACCOUNT_JSON'",
"reveal_failure_categories": true,
"request_failure_message": "Your request was blocked by content policies.",
"response_failure_message": "The model's response was filtered for safety.",
"timeout": 15000,
"response_buffer_size": 4096,
"text_source": "last_message"
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-gcp-model-armor",
"config": {
"project_id": "'$GCP_PROJECT_ID'",
"location_id": "'$GCP_LOCATION_ID'",
"template_id": "'$GCP_TEMPLATE_ID'",
"guarding_mode": "BOTH",
"gcp_use_service_account": true,
"gcp_service_account_json": "'$GCP_SERVICE_ACCOUNT_JSON'",
"reveal_failure_categories": true,
"request_failure_message": "Your request was blocked by content policies.",
"response_failure_message": "The model's response was filtered for safety.",
"timeout": 15000,
"response_buffer_size": 4096,
"text_source": "last_message"
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
serviceId: Theidof the service the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-gcp-model-armor
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
project_id: '$GCP_PROJECT_ID'
location_id: '$GCP_LOCATION_ID'
template_id: '$GCP_TEMPLATE_ID'
guarding_mode: BOTH
gcp_use_service_account: true
gcp_service_account_json: '$GCP_SERVICE_ACCOUNT_JSON'
reveal_failure_categories: true
request_failure_message: Your request was blocked by content policies.
response_failure_message: The model's response was filtered for safety.
timeout: 15000
response_buffer_size: 4096
text_source: last_message
plugin: ai-gcp-model-armor
" | kubectl apply -f -
Copied!
Next, apply the KongPlugin resource by annotating the service resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=ai-gcp-model-armor
Copied!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_gcp_model_armor" "my_ai_gcp_model_armor" {
enabled = true
config = {
project_id = var.gcp_project_id
location_id = var.gcp_location_id
template_id = var.gcp_template_id
guarding_mode = "BOTH"
gcp_use_service_account = true
gcp_service_account_json = var.gcp_service_account_json
reveal_failure_categories = true
request_failure_message = "Your request was blocked by content policies."
response_failure_message = "The model's response was filtered for safety."
timeout = 15000
response_buffer_size = 4096
text_source = "last_message"
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
service = {
id = konnect_gateway_service.my_service.id
}
}
Copied!
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "gcp_template_id" {
type = string
}
Copied!
Add this section to your kong.yaml configuration file:
kong.yaml
Copied!
_format_version: "3.0"
plugins:
- name: ai-gcp-model-armor
route: routeName|Id
config:
project_id: ${{ env "DECK_GCP_PROJECT_ID" }}
location_id: ${{ env "DECK_GCP_LOCATION_ID" }}
template_id: ${{ env "DECK_GCP_TEMPLATE_ID" }}
guarding_mode: BOTH
gcp_use_service_account: true
gcp_service_account_json: ${{ env "DECK_GCP_SERVICE_ACCOUNT_JSON" }}
reveal_failure_categories: true
request_failure_message: Your request was blocked by content policies.
response_failure_message: The model's response was filtered for safety.
timeout: 15000
response_buffer_size: 4096
text_source: last_message
Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-gcp-model-armor",
"config": {
"project_id": "'$GCP_PROJECT_ID'",
"location_id": "'$GCP_LOCATION_ID'",
"template_id": "'$GCP_TEMPLATE_ID'",
"guarding_mode": "BOTH",
"gcp_use_service_account": true,
"gcp_service_account_json": "'$GCP_SERVICE_ACCOUNT_JSON'",
"reveal_failure_categories": true,
"request_failure_message": "Your request was blocked by content policies.",
"response_failure_message": "The model's response was filtered for safety.",
"timeout": 15000,
"response_buffer_size": 4096,
"text_source": "last_message"
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-gcp-model-armor",
"config": {
"project_id": "'$GCP_PROJECT_ID'",
"location_id": "'$GCP_LOCATION_ID'",
"template_id": "'$GCP_TEMPLATE_ID'",
"guarding_mode": "BOTH",
"gcp_use_service_account": true,
"gcp_service_account_json": "'$GCP_SERVICE_ACCOUNT_JSON'",
"reveal_failure_categories": true,
"request_failure_message": "Your request was blocked by content policies.",
"response_failure_message": "The model's response was filtered for safety.",
"timeout": 15000,
"response_buffer_size": 4096,
"text_source": "last_message"
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
routeId: Theidof the route the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-gcp-model-armor
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
project_id: '$GCP_PROJECT_ID'
location_id: '$GCP_LOCATION_ID'
template_id: '$GCP_TEMPLATE_ID'
guarding_mode: BOTH
gcp_use_service_account: true
gcp_service_account_json: '$GCP_SERVICE_ACCOUNT_JSON'
reveal_failure_categories: true
request_failure_message: Your request was blocked by content policies.
response_failure_message: The model's response was filtered for safety.
timeout: 15000
response_buffer_size: 4096
text_source: last_message
plugin: ai-gcp-model-armor
" | kubectl apply -f -
Copied!
Next, apply the KongPlugin resource by annotating the httproute or ingress resource:
kubectl annotate -n kong httproute konghq.com/plugins=ai-gcp-model-armor
Copied!
kubectl annotate -n kong ingress konghq.com/plugins=ai-gcp-model-armor
Copied!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_gcp_model_armor" "my_ai_gcp_model_armor" {
enabled = true
config = {
project_id = var.gcp_project_id
location_id = var.gcp_location_id
template_id = var.gcp_template_id
guarding_mode = "BOTH"
gcp_use_service_account = true
gcp_service_account_json = var.gcp_service_account_json
reveal_failure_categories = true
request_failure_message = "Your request was blocked by content policies."
response_failure_message = "The model's response was filtered for safety."
timeout = 15000
response_buffer_size = 4096
text_source = "last_message"
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
route = {
id = konnect_gateway_route.my_route.id
}
}
Copied!
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "gcp_template_id" {
type = string
}
Copied!
Add this section to your kong.yaml configuration file:
kong.yaml
Copied!
_format_version: "3.0"
plugins:
- name: ai-gcp-model-armor
consumer: consumerName|Id
config:
project_id: ${{ env "DECK_GCP_PROJECT_ID" }}
location_id: ${{ env "DECK_GCP_LOCATION_ID" }}
template_id: ${{ env "DECK_GCP_TEMPLATE_ID" }}
guarding_mode: BOTH
gcp_use_service_account: true
gcp_service_account_json: ${{ env "DECK_GCP_SERVICE_ACCOUNT_JSON" }}
reveal_failure_categories: true
request_failure_message: Your request was blocked by content policies.
response_failure_message: The model's response was filtered for safety.
timeout: 15000
response_buffer_size: 4096
text_source: last_message
Make sure to replace the following placeholders with your own values:
-
consumerName|Id: Theidornameof the consumer the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumers/{consumerName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-gcp-model-armor",
"config": {
"project_id": "'$GCP_PROJECT_ID'",
"location_id": "'$GCP_LOCATION_ID'",
"template_id": "'$GCP_TEMPLATE_ID'",
"guarding_mode": "BOTH",
"gcp_use_service_account": true,
"gcp_service_account_json": "'$GCP_SERVICE_ACCOUNT_JSON'",
"reveal_failure_categories": true,
"request_failure_message": "Your request was blocked by content policies.",
"response_failure_message": "The model's response was filtered for safety.",
"timeout": 15000,
"response_buffer_size": 4096,
"text_source": "last_message"
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
consumerName|Id: Theidornameof the consumer the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers/{consumerId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-gcp-model-armor",
"config": {
"project_id": "'$GCP_PROJECT_ID'",
"location_id": "'$GCP_LOCATION_ID'",
"template_id": "'$GCP_TEMPLATE_ID'",
"guarding_mode": "BOTH",
"gcp_use_service_account": true,
"gcp_service_account_json": "'$GCP_SERVICE_ACCOUNT_JSON'",
"reveal_failure_categories": true,
"request_failure_message": "Your request was blocked by content policies.",
"response_failure_message": "The model's response was filtered for safety.",
"timeout": 15000,
"response_buffer_size": 4096,
"text_source": "last_message"
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
consumerId: Theidof the consumer the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-gcp-model-armor
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
project_id: '$GCP_PROJECT_ID'
location_id: '$GCP_LOCATION_ID'
template_id: '$GCP_TEMPLATE_ID'
guarding_mode: BOTH
gcp_use_service_account: true
gcp_service_account_json: '$GCP_SERVICE_ACCOUNT_JSON'
reveal_failure_categories: true
request_failure_message: Your request was blocked by content policies.
response_failure_message: The model's response was filtered for safety.
timeout: 15000
response_buffer_size: 4096
text_source: last_message
plugin: ai-gcp-model-armor
" | kubectl apply -f -
Copied!
Next, apply the KongPlugin resource by annotating the KongConsumer resource:
kubectl annotate -n kong CONSUMER_NAME konghq.com/plugins=ai-gcp-model-armor
Copied!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_gcp_model_armor" "my_ai_gcp_model_armor" {
enabled = true
config = {
project_id = var.gcp_project_id
location_id = var.gcp_location_id
template_id = var.gcp_template_id
guarding_mode = "BOTH"
gcp_use_service_account = true
gcp_service_account_json = var.gcp_service_account_json
reveal_failure_categories = true
request_failure_message = "Your request was blocked by content policies."
response_failure_message = "The model's response was filtered for safety."
timeout = 15000
response_buffer_size = 4096
text_source = "last_message"
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
consumer = {
id = konnect_gateway_consumer.my_consumer.id
}
}
Copied!
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "gcp_template_id" {
type = string
}
Copied!
Add this section to your kong.yaml configuration file:
kong.yaml
Copied!
_format_version: "3.0"
plugins:
- name: ai-gcp-model-armor
consumer_group: consumerGroupName|Id
config:
project_id: ${{ env "DECK_GCP_PROJECT_ID" }}
location_id: ${{ env "DECK_GCP_LOCATION_ID" }}
template_id: ${{ env "DECK_GCP_TEMPLATE_ID" }}
guarding_mode: BOTH
gcp_use_service_account: true
gcp_service_account_json: ${{ env "DECK_GCP_SERVICE_ACCOUNT_JSON" }}
reveal_failure_categories: true
request_failure_message: Your request was blocked by content policies.
response_failure_message: The model's response was filtered for safety.
timeout: 15000
response_buffer_size: 4096
text_source: last_message
Make sure to replace the following placeholders with your own values:
-
consumerGroupName|Id: Theidornameof the consumer group the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumer_groups/{consumerGroupName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-gcp-model-armor",
"config": {
"project_id": "'$GCP_PROJECT_ID'",
"location_id": "'$GCP_LOCATION_ID'",
"template_id": "'$GCP_TEMPLATE_ID'",
"guarding_mode": "BOTH",
"gcp_use_service_account": true,
"gcp_service_account_json": "'$GCP_SERVICE_ACCOUNT_JSON'",
"reveal_failure_categories": true,
"request_failure_message": "Your request was blocked by content policies.",
"response_failure_message": "The model's response was filtered for safety.",
"timeout": 15000,
"response_buffer_size": 4096,
"text_source": "last_message"
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
consumerGroupName|Id: Theidornameof the consumer group the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumer_groups/{consumerGroupId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-gcp-model-armor",
"config": {
"project_id": "'$GCP_PROJECT_ID'",
"location_id": "'$GCP_LOCATION_ID'",
"template_id": "'$GCP_TEMPLATE_ID'",
"guarding_mode": "BOTH",
"gcp_use_service_account": true,
"gcp_service_account_json": "'$GCP_SERVICE_ACCOUNT_JSON'",
"reveal_failure_categories": true,
"request_failure_message": "Your request was blocked by content policies.",
"response_failure_message": "The model's response was filtered for safety.",
"timeout": 15000,
"response_buffer_size": 4096,
"text_source": "last_message"
}
}
'
Copied!
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
consumerGroupId: Theidof the consumer group the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-gcp-model-armor
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
project_id: '$GCP_PROJECT_ID'
location_id: '$GCP_LOCATION_ID'
template_id: '$GCP_TEMPLATE_ID'
guarding_mode: BOTH
gcp_use_service_account: true
gcp_service_account_json: '$GCP_SERVICE_ACCOUNT_JSON'
reveal_failure_categories: true
request_failure_message: Your request was blocked by content policies.
response_failure_message: The model's response was filtered for safety.
timeout: 15000
response_buffer_size: 4096
text_source: last_message
plugin: ai-gcp-model-armor
" | kubectl apply -f -
Copied!
Next, apply the KongPlugin resource by annotating the KongConsumerGroup resource:
kubectl annotate -n kong CONSUMERGROUP_NAME konghq.com/plugins=ai-gcp-model-armor
Copied!
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Copied!
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_gcp_model_armor" "my_ai_gcp_model_armor" {
enabled = true
config = {
project_id = var.gcp_project_id
location_id = var.gcp_location_id
template_id = var.gcp_template_id
guarding_mode = "BOTH"
gcp_use_service_account = true
gcp_service_account_json = var.gcp_service_account_json
reveal_failure_categories = true
request_failure_message = "Your request was blocked by content policies."
response_failure_message = "The model's response was filtered for safety."
timeout = 15000
response_buffer_size = 4096
text_source = "last_message"
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
consumer_group = {
id = konnect_gateway_consumer_group.my_consumer_group.id
}
}
Copied!
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "gcp_template_id" {
type = string
}
Copied!