This repository is a collection of resources for the Financial Services Industry (FSI) GECX Bundle.
- A Google Cloud Project:
  - Project ID of a new or existing Google Cloud Project, preferably with no APIs enabled.
  - You must have `roles/owner` or equivalent IAM permissions on the project.
- A CCAI Platform instance - you can get one by following the
- Development environment with:
  - Google Cloud SDK (gcloud CLI)
  - Terraform (version 1.0+)
  - git
  - You can also use Cloud Shell, which comes preinstalled with all required tools.
- Familiarity with:
| Name | Description | Optional | Default Value |
|---|---|---|---|
| `project_id` | Google Cloud Project ID. | No | |
| `region` | Google Cloud region. | Yes | `"us-central1"` |
| `zone` | Google Cloud zone. | Yes | `"us-central1-c"` |
| `deploy_cloud_build_triggers` | Whether to deploy Cloud Build triggers. | Yes | `false` |
| `deploy_cloud_run_services` | Whether to deploy Cloud Run services. | Yes | `false` |
| `banking_service_image_url` | Image URL for the banking service. | Yes | `null` |
| `banking_ui_image_url` | Image URL for the banking UI. | Yes | `null` |
| `iap_login_ui_image_url` | Image URL for the IAP login UI. | Yes | `null` |
| `additional_cloud_run_iap_members` | A list of IAM members to grant the Cloud Run IAP role. | Yes | `[]` |
| `ccai_company_id` | CCAI Company ID. | No | |
| `ccai_host` | CCAI Host URL. | No | |
| `custom_domain` | The custom domain for the Load Balancer. | No | |
| `set_cloud_run_audiences` | Whether to set the Cloud Run audiences env variable. | Yes | `false` |
| `github_app_installation_id` | GitHub App Installation ID (required if `deploy_cloud_build_triggers` is true). | Yes | `null` |
| `github_repo_remote_uri` | GitHub Repository Remote URI (required if `deploy_cloud_build_triggers` is true). | Yes | `"https://github.com/cloud-gtm/fsi-gecx-bundle.git"` |
| `github_connection_name` | GitHub connection name. | Yes | `"cloud-gtm"` |
| `github_oauth_token_secret_name` | GitHub OAuth token secret name (required if `deploy_cloud_build_triggers` is true). | Yes | |
| `manage_github_connection` | Whether to manage the GitHub connection. | Yes | `false` |
| `cx_agent_studio_deployment_name` | CX Agent Studio Web Widget deployment name. | Yes | `null` |
| `cx_agent_studio_upload_tool_name` | CX Agent Studio File Upload Tool deployment name. | Yes | `null` |
| `cx_agent_studio_populate_content_tool_name` | CX Agent Studio Populate Form Content Tool deployment name. | Yes | `null` |
| `cx_agent_studio_get_user_location_tool_name` | CX Agent Studio Get User Location Tool deployment name. | Yes | `null` |
| `use_external_identities` | Whether to enable the blocking functions in the agent. This cannot be enabled in Argolis as they require unauthenticated invocations as per https://www.npmjs.com/package/gcip-cloud-functions. | Yes | `false` |
| `enable_blocking_functions` | Whether to enable the blocking functions in the agent. | Yes | `false` |
| Name | Description | Optional | Default Value |
|---|---|---|---|
| `ccai-company-secret` | The CCAI Company secret. | No | |
| `iap-client-id` | The IAP Client ID. | No | |
| `iap-client-secret` | The IAP Client Secret. | No | |
| `livekit-api-key` | LiveKit API Key for Gemini Live Voice Agent authentication. | Yes | `"devkey"` (managed by Terraform) |
| `livekit-api-secret` | LiveKit API Secret for Gemini Live Voice Agent authentication. | Yes | `"secret"` (managed by Terraform) |
If you're deploying the solution, fork it, and then change the `github_repo_remote_uri` variable to point to your fork. This is required for Cloud Build Triggers to work.

First go through the steps Enable required APIs, Enable OAuth Consent Screen Branding, Create OAuth Client, Create Secrets, and Create GitHub Connection. These steps need to be completed manually. Once they are completed, proceed to the Infrastructure Deployment.
```sh
# Log in with Application Default Credentials (ADC)
gcloud auth application-default login
# Set the specified project as the active project in your configuration
export PROJECT_ID="[GCP_PROJECT_ID]"
gcloud config set project "$PROJECT_ID"
# Check the configuration to ensure the project and account are correct
gcloud config list
# Create Terraform state bucket
BUCKET_NAME="${PROJECT_ID}-tf-state"
LOCATION="us"
gcloud storage buckets create "gs://${BUCKET_NAME}" --location="${LOCATION}" --uniform-bucket-level-access
cd ./deployment/terraform
# Create tfbackend file
TF_BACKEND=${BUCKET_NAME}.tfbackend
echo -n 'bucket = "'${BUCKET_NAME}'"' > environment/${TF_BACKEND}
# Create TF vars file from template
envsubst "\$PROJECT_ID" < terraform.tfvars.template > terraform.tfvars
# Return to the root of the repository
cd ../../
```

## Enable required APIs

Open Cloud Shell, authorize it, and enable Compute Engine, Cloud Build, and Secret Manager:

```sh
gcloud services enable \
  compute.googleapis.com \
  secretmanager.googleapis.com \
  cloudbuild.googleapis.com
```
## Enable OAuth Consent Screen Branding

- Go to https://console.cloud.google.com/auth/branding?project=${PROJECT_ID}
  ```sh
  echo https://console.cloud.google.com/auth/branding?project=${PROJECT_ID}
  ```
- Click "Get started".
- Fill in your application name (e.g., Banking Demo), and select a support email.
- Click "Next".
- Choose an Audience.
- Click "Next".
- Enter an email address for the contact information.
- Click "Next".
- Review/agree to the terms and conditions and click "Continue".
- Click "Create".
## Create OAuth Client

- Go to https://console.cloud.google.com/auth/clients?project=${PROJECT_ID}
  ```sh
  echo https://console.cloud.google.com/auth/clients?project=${PROJECT_ID}
  ```
- Click "Create client".
- Select 'Web application' for the application type.
- Fill in name, e.g. 'Banking Demo IAP'.
- Click "Create".
- A modal window will pop up with the client_id and client_secret. Copy the "Client ID" and "Client Secret" values and set the variables below:
  ```sh
  CLIENT_ID="[OAUTH_CLIENT_ID]" # The Client ID from the [Create OAuth client](#create-oauth-client) section.
  CLIENT_SECRET="[OAUTH_CLIENT_SECRET]" # The Client Secret from the [Create OAuth client](#create-oauth-client) section.
  ```
- After being redirected back to the Clients page, click on the client you just created.
- In the 'Authorized redirect URIs' section, click 'Add URI' and add the following URIs. Set the `CUSTOM_DOMAIN` variable below based on your custom domain.
  - https://iap.googleapis.com/v1/oauth/clientIds/${CLIENT_ID}:handleRedirect
  - https://${CUSTOM_DOMAIN}/__/auth/handler
  ```sh
  CUSTOM_DOMAIN="your-custom-domain" # Replace with your custom base domain
  echo https://iap.googleapis.com/v1/oauth/clientIds/${CLIENT_ID}:handleRedirect
  echo https://vertexaisearch.cloud.google.com/oauth-redirect
  echo https://${CUSTOM_DOMAIN}/__/auth/handler
  ```
- Click "Save".
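The redirect URIs above and the DNS A record created later on this page both take `CUSTOM_DOMAIN` as a bare host name (no scheme, path or trailing period), and the IAP redirect URI has to carry the client ID verbatim; a typo in either only surfaces later as a failed IAP login. The shell functions below are an added example, not code from the fsi-gecx-bundle repository: they validate those inputs and build the exact strings to paste. `is_bare_host`, `is_ipv4`, `iap_redirect_uris` and `dns_record_name` are hypothetical helper names, and the `CLIENT_ID`, `CUSTOM_DOMAIN` and `LB_IP` values at the bottom are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example (not part of the repository): input checks for the values
# pasted into the OAuth client redirect URIs and the DNS A record step.

# is_bare_host NAME: 0 when NAME is a plain DNS name such as app.example.com
# (no scheme, no path, no leading or trailing period, labels of [A-Za-z0-9-]).
is_bare_host() {
  case "$1" in
    */*|*.|.*|"") return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# is_ipv4 ADDR: 0 when ADDR is a dotted quad with every octet in 0..255.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(printf '%s' "$1" | tr '.' ' '); do
    [ "$o" -le 255 ] || return 1
  done
}

# iap_redirect_uris CLIENT_ID CUSTOM_DOMAIN: print the two redirect URIs from
# the Create OAuth Client step, one per line; fail on malformed input.
iap_redirect_uris() {
  case "$1" in
    *.apps.googleusercontent.com) ;;
    *) echo "client id does not look like an OAuth client ID: $1" >&2; return 1 ;;
  esac
  is_bare_host "$2" || { echo "custom domain must be a bare host name: $2" >&2; return 1; }
  printf 'https://iap.googleapis.com/v1/oauth/clientIds/%s:handleRedirect\n' "$1"
  printf 'https://%s/__/auth/handler\n' "$2"
}

# dns_record_name CUSTOM_DOMAIN: the absolute record name gcloud dns expects,
# with the trailing period added exactly once; fails if the input already
# carries one (the DNS step warns against that).
dns_record_name() {
  is_bare_host "$1" || return 1
  printf '%s.\n' "$1"
}

# Constructed placeholder values for the demo run.
CLIENT_ID="123456789012-abcdefghij.apps.googleusercontent.com"
CUSTOM_DOMAIN="banking.example.com"
LB_IP="203.0.113.10"
iap_redirect_uris "$CLIENT_ID" "$CUSTOM_DOMAIN"
is_ipv4 "$LB_IP" && dns_record_name "$CUSTOM_DOMAIN"
```

Source the file and call the functions with your own values; a non-zero return tells you which input to fix before it reaches the console or the `gcloud dns` command.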
## Create Secrets

```bash
CCAI_COMPANY_SECRET="[CCAI_COMPANY_SECRET]" # The CCAI Company Secret.
gcloud secrets create iap-client-id \
  --replication-policy="automatic" \
  --data-file=<(echo -n "${CLIENT_ID}")
gcloud secrets create iap-client-secret \
  --replication-policy="automatic" \
  --data-file=<(echo -n "${CLIENT_SECRET}")
gcloud secrets create ccai-company-secret \
  --replication-policy="automatic" \
  --data-file=<(echo -n "${CCAI_COMPANY_SECRET}")
```

## Create GitHub Connection

- Go to https://console.cloud.google.com/cloud-build/repositories/2nd-gen?project=${PROJECT_ID} and click on "Create host connection".
  ```sh
  echo https://console.cloud.google.com/cloud-build/repositories/2nd-gen?project=${PROJECT_ID}
  ```
- Select a region (e.g., us-central1), enter a name (e.g., cloud-gtm).
- Click "Connect".
- A window will pop up in GitHub asking for authorization with a message like:
  > Project xxx is requesting your GitHub OAuth token. If you continue, the token will be stored in Secret Manager for use with Cloud Build GitHub Connection cloud-gtm
- Click "Continue".
- Click "Install in a new account" on the bottom right of the dialog.
- Select the appropriate organization and sign in.
- Next, select "Only select repositories" and choose the fsi-gecx-bundle repository that was forked.
- Click "Update access".
- Navigate to Secret Manager: https://console.cloud.google.com/security/secret-manager?project=${PROJECT_ID}
  ```sh
  echo https://console.cloud.google.com/security/secret-manager?project=${PROJECT_ID}
  ```
- Copy the name of the secret that was created by the Cloud Build GitHub Connection (it should be in the format of cloud-gtm-github-token-xxxxxx).
- Paste this value into the `github_oauth_token_secret_name` variable in the `terraform.tfvars` file of the deployment/terraform directory. Only paste the name, not the fully qualified resource name.
## Infrastructure Deployment

Update the `terraform.tfvars` file with the following values:

- `custom_domain`
- `ccai_company_id`
- `ccai_host`
- `additional_cloud_run_iap_members`
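Before running `make tf-init`, it is worth checking `terraform.tfvars` against the constraints in the variables table: the variables without defaults must be set, the `github_*` variables become required once `deploy_cloud_build_triggers` is `true`, and every entry of `additional_cloud_run_iap_members` (the list you extend later to grant access to additional users) must be an IAM member IAP can bind, never a public principal, since Terraform would accept `allUsers` and expose the IAP-protected Cloud Run services to everyone. The script below is an added example, not part of the repository; `tfvar`, `check_iap_member` and `check_tfvars` are hypothetical helper names, and the sample tfvars it writes uses constructed placeholder values.

```shell
#!/usr/bin/env sh
# Added example (not part of the repository): preflight check for
# deployment/terraform/terraform.tfvars against the variables table.

# tfvar FILE NAME: print the value of a top-level `NAME = value` line with the
# surrounding double quotes removed; prints nothing when the variable is unset.
tfvar() {
  sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
    head -n 1 | sed -E 's/^"(.*)"[[:space:]]*$/\1/'
}

# check_iap_member MEMBER: accept only principal types IAP can bind to the
# Cloud Run IAP role, and refuse the public principals outright.
check_iap_member() {
  case "$1" in
    allUsers|allAuthenticatedUsers)
      echo "refusing public principal in additional_cloud_run_iap_members: $1"; return 1 ;;
    user:*@*|group:*@*|serviceAccount:*@*|domain:*.*) return 0 ;;
    *) echo "unrecognised IAM member: $1 (expected user:, group:, serviceAccount: or domain:)"; return 1 ;;
  esac
}

# check_tfvars FILE: 0 when FILE satisfies every constraint, 1 otherwise,
# printing one line per problem found.
check_tfvars() {
  file=$1; rc=0
  # Variables the table marks as not optional and without a default.
  for name in project_id ccai_company_id ccai_host custom_domain; do
    [ -n "$(tfvar "$file" "$name")" ] || { echo "missing required variable: $name"; rc=1; }
  done
  # Conditionally required once Cloud Build triggers are deployed.
  if [ "$(tfvar "$file" deploy_cloud_build_triggers)" = "true" ]; then
    for name in github_app_installation_id github_oauth_token_secret_name; do
      v=$(tfvar "$file" "$name")
      [ -n "$v" ] && [ "$v" != "null" ] ||
        { echo "$name is required when deploy_cloud_build_triggers = true"; rc=1; }
    done
  fi
  # Split the HCL list on commas after stripping brackets, quotes and spaces.
  members=$(tfvar "$file" additional_cloud_run_iap_members | tr -d '[]" ' | tr ',' '\n')
  for m in $members; do
    check_iap_member "$m" || rc=1
  done
  return $rc
}

# Demo: a constructed tfvars file with placeholder values.
demo=$(mktemp)
cat > "$demo" <<'EOF'
project_id                       = "my-demo-project"
ccai_company_id                  = "12345"
ccai_host                        = "https://example.ccaiplatform.com"
custom_domain                    = "banking.example.com"
deploy_cloud_build_triggers      = true
github_app_installation_id       = "987654"
github_oauth_token_secret_name   = "cloud-gtm-github-token-abc123"
additional_cloud_run_iap_members = ["domain:example.com", "user:alice@example.com"]
EOF
check_tfvars "$demo" && echo "terraform.tfvars passes preflight"
rm -f "$demo"
```

Run it as `check_tfvars deployment/terraform/terraform.tfvars` from the repository root; it prints one line per problem and returns non-zero, which makes it easy to wire in front of `make tf-init` or `make tf-apply` in a wrapper script.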
```sh
# From the root of the repository
# If you need to reconfigure use `make tf-init ARGS="--reconfigure"`
make tf-init
# Make note of the load_balancer_ip output for use later in the [Create DNS A entry](#create-dns-a-entry)
make tf-apply-initial
```

- After creating the "Web widget" deployment channel for your agent in CX Agent Studio, you will get a Deployment ID. Copy this value and update the `cx_agent_studio_deployment_name` variable in the `terraform.tfvars` file of the deployment/terraform directory and run `terraform apply`. Additionally update the `cx_agent_studio_upload_tool_name` and `cx_agent_studio_populate_form_content_tool_name` variables in the `terraform.tfvars` file with the file upload and populate form content tool deployment ids respectively.

```sh
make create-gecx
```

Open up your `terraform.tfvars` file and copy in these variables (the output from the `make upload-gecx` will give you the values for these):

- `cx_agent_studio_deployment_name` - 'Web widget deployment id'
- `cx_agent_studio_upload_tool_name` - 'Trigger file upload tool name'
- `cx_agent_studio_populate_form_content_tool_name` - 'Trigger populate form content tool name'
- `cx_agent_studio_get_user_location_tool_name` - 'Trigger get user location tool name'
- `cx_agent_studio_voice_agent_deployment_name` - 'Voice agent deployment id'

```sh
make tf-apply
```

```sh
make trigger-site-crawl
```

## Create DNS A entry

Using the `load_balancer_ip` output from the `tf-apply-initial` target, create a DNS A entry for the load balancer in a project where you manage DNS records.
```sh
DNS_ZONE_NAME="mservidio-demo"
CUSTOM_DOMAIN="banking-test.mservidio.demo.altostrat.com" # Do not include trailing period, it is already in the command below
LB_IP="8.232.143.195"
DNS_PROJECT="[THE_PROJECT_FOR_DNS]"
gcloud dns record-sets create "${CUSTOM_DOMAIN}." \
  --zone="${DNS_ZONE_NAME}" \
  --type="A" \
  --ttl="300" \
  --rrdatas="${LB_IP}" \
  --project="${DNS_PROJECT}"
```

To grant access to additional users, add their email addresses to the `additional_cloud_run_iap_members` variable in the `terraform.tfvars` file and run `make tf-apply`.

Example:

```hcl
additional_cloud_run_iap_members = ["domain:google.com", "user:user@google.com"]
```

For developers running the banking service and UI applications locally in their developer workspace:
Use the Makefile bootstrapper to clean and sync all Python packages (via uv) and install React frontend node modules concurrently:

```sh
make install
```

To configure the local React applications to connect to your Firebase/Identity Platform engine:

- Main Banking UI: Copy `banking-ui/public/fbConfig.template.js` to `banking-ui/public/fbConfig.js` and update it with your Firebase Web App credentials.
- Custom Login Gate: Copy `iap-login-ui/config.template.js` to `iap-login-ui/config.js` and update it with your Identity Platform project credentials.

(Note: Both `fbConfig.js` and `config.js` are globally git-ignored to prevent accidental credential leakage or workspace diff pollution. You must configure these manually in your local workspace.)
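Because both files hold credentials, it pays to confirm that git really ignores them before filling them in, rather than finding out at `git add -A` time. The function below is an added example, not part of the repository: `assert_ignored` is a hypothetical helper that runs `git check-ignore`, which consults the repository, global and per-user ignore files, and the demo at the bottom builds a throw-away repository with a constructed `.gitignore` so the block runs anywhere without touching your checkout.

```shell
#!/usr/bin/env sh
# Added example (not part of the repository): verify that local credential
# files are ignored by git before they are populated.

# assert_ignored REPO PATH...: 0 when every PATH (relative to REPO) is ignored
# inside REPO, 1 otherwise, naming each file that git would stage.
assert_ignored() {
  repo=$1; shift; rc=0
  for p in "$@"; do
    # check-ignore exits 0 when the path matches an ignore rule, 1 when not.
    if git -C "$repo" check-ignore -q -- "$p"; then
      echo "ignored:     $p"
    else
      echo "NOT ignored: $p (would be staged by git add)"; rc=1
    fi
  done
  return $rc
}

# Demo in a throw-away repository with a constructed .gitignore. Against the
# real checkout, run from the repository root:
#   assert_ignored . banking-ui/public/fbConfig.js iap-login-ui/config.js
demo=$(mktemp -d)
git init -q "$demo"
printf 'fbConfig.js\nconfig.js\n' > "$demo/.gitignore"
mkdir -p "$demo/banking-ui/public" "$demo/iap-login-ui"
: > "$demo/banking-ui/public/fbConfig.js"
: > "$demo/iap-login-ui/config.js"
assert_ignored "$demo" banking-ui/public/fbConfig.js iap-login-ui/config.js
rm -rf "$demo"
```

The same call works as a pre-commit guard: a non-zero return from `assert_ignored` means one of the credential files is no longer covered by an ignore rule.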
Launch both the FastAPI backend API server (port 8080) and the React Vite frontend dev server concurrently:

```sh
make run
```

To test the voice support assistant locally in your developer workspace:

- Spin up the local LiveKit server container:
  ```sh
  docker compose -f deployment/local/docker-compose.livekit.yaml up -d
  ```
- Start the Voice Agent process:
  (Note: The agent automatically connects to the local LiveKit server using default development keys. Ensure you have activated your Python environment and installed dependencies.)
  ```sh
  python adk-agent/credit-support-agent/voice_agent.py
  ```

Navigate to http://localhost:5173/ in your browser to access your local FSI banking workspace.