
@mikesparr
Created January 30, 2026 19:35
Google Cloud Model Armor setup example with gcloud sdk or Terraform

Model Armor Credit Card Number Masking Example

Gcloud SDK

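#!/bin/bash
#
# Sets up credit card masking for Model Armor:
#   1. enables the DLP and Model Armor APIs,
#   2. creates a DLP inspect template and a DLP de-identify template,
#   3. grants roles/dlp.user to the Model Armor service agent,
#   4. creates a Model Armor template that references both DLP templates.
#
# Requires gcloud, authenticated as a principal allowed to enable services,
# create the templates, and change the project's IAM policy.

# Stop at the first failed step. Without this a failed template creation or
# IAM grant is skipped over and the script still prints "Setup Complete!",
# leaving a filter that may not mask anything. Re-running after a partial run
# therefore stops at the first resource that already exists.
set -euo pipefail

export PROJECT_ID="EXAMPLE-PROJECT-ID"  # <--- Change this
export LOCATION="us-central1"
export INSPECT_TEMPLATE_ID="cc-inspect-template"
export DEID_TEMPLATE_ID="cc-mask-template"
export MODEL_ARMOR_TEMPLATE_ID="cc-masking-policy"

# Print a message to stderr and abort.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Refuse to run against the unedited placeholder project.
[[ "$PROJECT_ID" != "EXAMPLE-PROJECT-ID" ]] \
  || die "edit PROJECT_ID at the top of this script before running it"

# Keep the generated JSON in a private temp directory instead of fixed names in
# the current directory, and remove it on every exit path (including failures).
work_dir=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "${work_dir:?}"' EXIT
inspect_config="$work_dir/inspect-config.json"
deid_config="$work_dir/deid-config.json"

echo "Using Project: $PROJECT_ID"

# enable services
echo "Enabling DLP and Model Armor APIs..."
gcloud services enable dlp.googleapis.com modelarmor.googleapis.com --project="$PROJECT_ID"

# create config
# minLikelihood LIKELY: findings scored below LIKELY are not reported, so they
# are not masked either. Lower it if missed card numbers cost more than
# false positives.
# Quoted delimiter: the JSON is literal, nothing in it should be expanded.
cat <<'EOF' > "$inspect_config"
{
  "inspectConfig": {
    "infoTypes": [
      { "name": "CREDIT_CARD_NUMBER" }
    ],
    "minLikelihood": "LIKELY"
  }
}
EOF

echo "Creating DLP Inspect Template..."
gcloud dlp templates inspect create "$INSPECT_TEMPLATE_ID" \
    --project="$PROJECT_ID" \
    --location="$LOCATION" \
    --display-name="Inspect CC" \
    --config-file="$inspect_config"

# create dlp de-identify config
# numberToMask=12 with reverseOrder=false masks the first 12 characters of each
# finding. That leaves exactly the last four digits only for an unseparated
# 16-digit number. charactersToIgnore keeps "-" and " " out of the count, so
# "4111-1111-1111-1111" (constructed sample) still has 12 digits masked rather
# than 12 characters. Numbers that are not 16 digits long leave more or fewer
# than four digits visible.
cat <<'EOF' > "$deid_config"
{
  "deidentifyTemplate": {
    "deidentifyConfig": {
      "infoTypeTransformations": {
        "transformations": [
          {
            "infoTypes": [{ "name": "CREDIT_CARD_NUMBER" }],
            "primitiveTransformation": {
              "characterMaskConfig": {
                "maskingCharacter": "*",
                "numberToMask": 12,
                "reverseOrder": false,
                "charactersToIgnore": [
                  { "charactersToSkip": "- " }
                ]
              }
            }
          }
        ]
      }
    }
  }
}
EOF

echo "Creating DLP De-identification Template..."
gcloud dlp templates deidentify create "$DEID_TEMPLATE_ID" \
    --project="$PROJECT_ID" \
    --location="$LOCATION" \
    --display-name="CC Mask Last 4" \
    --config-file="$deid_config"

# grant permissions
PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format="value(projectNumber)")
# An empty project number would produce a malformed member ("service-@...") in
# the IAM binding below, so check it before building the service agent address.
[[ -n "$PROJECT_NUMBER" ]] || die "could not resolve the project number for $PROJECT_ID"
SERVICE_AGENT="service-$PROJECT_NUMBER@gcp-sa-modelarmor.iam.gserviceaccount.com"

# This is a project-wide, unconditional (--condition=None) binding and it stays
# in the IAM policy after the script finishes. Review it like any other
# standing grant and remove it if the Model Armor template is deleted.
echo "Granting DLP permissions to Model Armor Service Agent: $SERVICE_AGENT"
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$SERVICE_AGENT" \
    --role="roles/dlp.user" \
    --condition=None

# Construct the full resource paths for the DLP templates
INSPECT_PATH="projects/$PROJECT_ID/locations/$LOCATION/inspectTemplates/$INSPECT_TEMPLATE_ID"
DEID_PATH="projects/$PROJECT_ID/locations/$LOCATION/deidentifyTemplates/$DEID_TEMPLATE_ID"

echo "Creating Model Armor Template..."
gcloud model-armor templates create "$MODEL_ARMOR_TEMPLATE_ID" \
    --project="$PROJECT_ID" \
    --location="$LOCATION" \
    --advanced-config-inspect-template="$INSPECT_PATH" \
    --advanced-config-deidentify-template="$DEID_PATH"

echo "=============================================================================="
echo "Setup Complete!"
echo "Model Armor Template Path: projects/$PROJECT_ID/locations/$LOCATION/templates/$MODEL_ARMOR_TEMPLATE_ID"
echo "=============================================================================="

# The local JSON files are removed by the EXIT trap set above.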

Terraform

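# DLP inspect template that reports CREDIT_CARD_NUMBER findings.
resource "google_data_loss_prevention_inspect_template" "cc_inspect" {
  # Regional parent, so the template lives in the same location as
  # google_model_armor_template.default (us-central1). The gcloud variant on
  # this page passes --location for the same reason; a bare
  # "projects/<id>" parent carries no location.
  # NOTE(review): Model Armor is expected to require its DLP templates in its
  # own location; confirm against the current Model Armor documentation.
  parent       = "projects/${var.project_id}/locations/us-central1"
  display_name = "Detect Credit Cards"

  inspect_config {
    info_types {
      name = "CREDIT_CARD_NUMBER"
    }
    # Findings scored below LIKELY are not reported, so they are not masked.
    min_likelihood = "LIKELY"
  }
}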

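# DLP de-identify template that masks the leading part of each
# CREDIT_CARD_NUMBER finding with "*".
resource "google_data_loss_prevention_deidentify_template" "cc_mask_last_4" {
  # Regional parent, matching the us-central1 location of
  # google_model_armor_template.default and the --location used by the gcloud
  # variant on this page.
  parent       = "projects/${var.project_id}/locations/us-central1"
  display_name = "Mask CC leaving last 4"

  deidentify_config {
    info_type_transformations {
      transformations {
        info_types {
          name = "CREDIT_CARD_NUMBER"
        }
        primitive_transformation {
          character_mask_config {
            masking_character = "*"
            # Masks the first 12 counted characters of a finding. Only a
            # 16-digit number ends up with exactly four digits visible; other
            # lengths leave more or fewer.
            number_to_mask    = 12
            reverse_order     = false

            # Keep separators out of the count so "4111-1111-1111-1111"
            # (constructed sample) has 12 digits masked, not 12 characters.
            characters_to_ignore {
              characters_to_skip = "- "
            }
          }
        }
      }
    }
  }
}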

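# Model Armor template that uses the two DLP templates for sensitive data
# protection (inspect, then de-identify).
#
# The Model Armor service agent also needs permission to use DLP. The gcloud
# variant on this page grants it roles/dlp.user on the project; nothing in
# this Terraform declares that binding, so it has to be managed separately.
resource "google_model_armor_template" "default" {
  template_id = "cc-masking-policy"
  location    = "us-central1"

  # sdp_settings belongs under filter_config, mirroring the Template API's
  # filterConfig.sdpSettings nesting.
  # NOTE(review): verify the block layout against the provider version in use.
  filter_config {
    sdp_settings {
      advanced_config {
        inspect_template    = google_data_loss_prevention_inspect_template.cc_inspect.id
        deidentify_template = google_data_loss_prevention_deidentify_template.cc_mask_last_4.id
      }
    }
  }
}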