The gcp:modelarmor/floorsetting:Floorsetting resource, part of the Pulumi GCP provider, defines minimum Model Armor requirements at a specific point in the Google Cloud resource hierarchy (organization, folder, or project). This guide focuses on three capabilities: establishing floor settings at project level, configuring content filters and enforcement, and enabling inspection mode with logging.
Floor settings attach to existing Google Cloud projects, folders, or organizations and apply to all Model Armor templates created within that scope. When multiple floor settings conflict, settings lower in the hierarchy take precedence. The examples are intentionally small. Combine them with your own hierarchy structure and filter requirements.
Create a minimal floor setting at project level
Organizations establishing Model Armor governance start by creating floor settings that define baseline requirements for all templates within a scope.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const floorsetting_basic = new gcp.modelarmor.Floorsetting("floorsetting-basic", {
parent: "projects/my-project-name",
location: "global",
filterConfig: {},
});
import pulumi
import pulumi_gcp as gcp
floorsetting_basic = gcp.modelarmor.Floorsetting("floorsetting-basic",
parent="projects/my-project-name",
location="global",
filter_config={})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/modelarmor"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := modelarmor.NewFloorsetting(ctx, "floorsetting-basic", &modelarmor.FloorsettingArgs{
Parent: pulumi.String("projects/my-project-name"),
Location: pulumi.String("global"),
FilterConfig: &modelarmor.FloorsettingFilterConfigArgs{},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var floorsetting_basic = new Gcp.ModelArmor.Floorsetting("floorsetting-basic", new()
{
Parent = "projects/my-project-name",
Location = "global",
FilterConfig = null,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.modelarmor.Floorsetting;
import com.pulumi.gcp.modelarmor.FloorsettingArgs;
import com.pulumi.gcp.modelarmor.inputs.FloorsettingFilterConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var floorsetting_basic = new Floorsetting("floorsetting-basic", FloorsettingArgs.builder()
.parent("projects/my-project-name")
.location("global")
.filterConfig(FloorsettingFilterConfigArgs.builder()
.build())
.build());
}
}
resources:
floorsetting-basic:
type: gcp:modelarmor:Floorsetting
properties:
parent: projects/my-project-name
location: global
filterConfig: {}
The parent property attaches the floor setting to a project, folder, or organization. The location property must be “global” for Model Armor. The empty filterConfig establishes the resource without enforcing specific filters; enableFloorSettingEnforcement defaults to false, so templates can still be created without meeting filter requirements.
Enforce content filters across multiple categories
Production deployments typically enable multiple filter types to protect against dangerous content, sensitive data exposure, prompt injection, and malicious URIs.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const floorsetting_filter_config = new gcp.modelarmor.Floorsetting("floorsetting-filter-config", {
location: "global",
parent: "project/my-project-name",
filterConfig: {
raiSettings: {
raiFilters: [{
filterType: "DANGEROUS",
confidenceLevel: "MEDIUM_AND_ABOVE",
}],
},
sdpSettings: {
basicConfig: {
filterEnforcement: "ENABLED",
},
},
piAndJailbreakFilterSettings: {
filterEnforcement: "ENABLED",
confidenceLevel: "HIGH",
},
maliciousUriFilterSettings: {
filterEnforcement: "ENABLED",
},
},
enableFloorSettingEnforcement: true,
});
import pulumi
import pulumi_gcp as gcp
floorsetting_filter_config = gcp.modelarmor.Floorsetting("floorsetting-filter-config",
location="global",
parent="project/my-project-name",
filter_config={
"rai_settings": {
"rai_filters": [{
"filter_type": "DANGEROUS",
"confidence_level": "MEDIUM_AND_ABOVE",
}],
},
"sdp_settings": {
"basic_config": {
"filter_enforcement": "ENABLED",
},
},
"pi_and_jailbreak_filter_settings": {
"filter_enforcement": "ENABLED",
"confidence_level": "HIGH",
},
"malicious_uri_filter_settings": {
"filter_enforcement": "ENABLED",
},
},
enable_floor_setting_enforcement=True)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/modelarmor"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := modelarmor.NewFloorsetting(ctx, "floorsetting-filter-config", &modelarmor.FloorsettingArgs{
Location: pulumi.String("global"),
Parent: pulumi.String("project/my-project-name"),
FilterConfig: &modelarmor.FloorsettingFilterConfigArgs{
RaiSettings: &modelarmor.FloorsettingFilterConfigRaiSettingsArgs{
RaiFilters: modelarmor.FloorsettingFilterConfigRaiSettingsRaiFilterArray{
&modelarmor.FloorsettingFilterConfigRaiSettingsRaiFilterArgs{
FilterType: pulumi.String("DANGEROUS"),
ConfidenceLevel: pulumi.String("MEDIUM_AND_ABOVE"),
},
},
},
SdpSettings: &modelarmor.FloorsettingFilterConfigSdpSettingsArgs{
BasicConfig: &modelarmor.FloorsettingFilterConfigSdpSettingsBasicConfigArgs{
FilterEnforcement: pulumi.String("ENABLED"),
},
},
PiAndJailbreakFilterSettings: &modelarmor.FloorsettingFilterConfigPiAndJailbreakFilterSettingsArgs{
FilterEnforcement: pulumi.String("ENABLED"),
ConfidenceLevel: pulumi.String("HIGH"),
},
MaliciousUriFilterSettings: &modelarmor.FloorsettingFilterConfigMaliciousUriFilterSettingsArgs{
FilterEnforcement: pulumi.String("ENABLED"),
},
},
EnableFloorSettingEnforcement: pulumi.Bool(true),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var floorsetting_filter_config = new Gcp.ModelArmor.Floorsetting("floorsetting-filter-config", new()
{
Location = "global",
Parent = "project/my-project-name",
FilterConfig = new Gcp.ModelArmor.Inputs.FloorsettingFilterConfigArgs
{
RaiSettings = new Gcp.ModelArmor.Inputs.FloorsettingFilterConfigRaiSettingsArgs
{
RaiFilters = new[]
{
new Gcp.ModelArmor.Inputs.FloorsettingFilterConfigRaiSettingsRaiFilterArgs
{
FilterType = "DANGEROUS",
ConfidenceLevel = "MEDIUM_AND_ABOVE",
},
},
},
SdpSettings = new Gcp.ModelArmor.Inputs.FloorsettingFilterConfigSdpSettingsArgs
{
BasicConfig = new Gcp.ModelArmor.Inputs.FloorsettingFilterConfigSdpSettingsBasicConfigArgs
{
FilterEnforcement = "ENABLED",
},
},
PiAndJailbreakFilterSettings = new Gcp.ModelArmor.Inputs.FloorsettingFilterConfigPiAndJailbreakFilterSettingsArgs
{
FilterEnforcement = "ENABLED",
ConfidenceLevel = "HIGH",
},
MaliciousUriFilterSettings = new Gcp.ModelArmor.Inputs.FloorsettingFilterConfigMaliciousUriFilterSettingsArgs
{
FilterEnforcement = "ENABLED",
},
},
EnableFloorSettingEnforcement = true,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.modelarmor.Floorsetting;
import com.pulumi.gcp.modelarmor.FloorsettingArgs;
import com.pulumi.gcp.modelarmor.inputs.FloorsettingFilterConfigArgs;
import com.pulumi.gcp.modelarmor.inputs.FloorsettingFilterConfigRaiSettingsArgs;
import com.pulumi.gcp.modelarmor.inputs.FloorsettingFilterConfigSdpSettingsArgs;
import com.pulumi.gcp.modelarmor.inputs.FloorsettingFilterConfigSdpSettingsBasicConfigArgs;
import com.pulumi.gcp.modelarmor.inputs.FloorsettingFilterConfigPiAndJailbreakFilterSettingsArgs;
import com.pulumi.gcp.modelarmor.inputs.FloorsettingFilterConfigMaliciousUriFilterSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var floorsetting_filter_config = new Floorsetting("floorsetting-filter-config", FloorsettingArgs.builder()
.location("global")
.parent("project/my-project-name")
.filterConfig(FloorsettingFilterConfigArgs.builder()
.raiSettings(FloorsettingFilterConfigRaiSettingsArgs.builder()
.raiFilters(FloorsettingFilterConfigRaiSettingsRaiFilterArgs.builder()
.filterType("DANGEROUS")
.confidenceLevel("MEDIUM_AND_ABOVE")
.build())
.build())
.sdpSettings(FloorsettingFilterConfigSdpSettingsArgs.builder()
.basicConfig(FloorsettingFilterConfigSdpSettingsBasicConfigArgs.builder()
.filterEnforcement("ENABLED")
.build())
.build())
.piAndJailbreakFilterSettings(FloorsettingFilterConfigPiAndJailbreakFilterSettingsArgs.builder()
.filterEnforcement("ENABLED")
.confidenceLevel("HIGH")
.build())
.maliciousUriFilterSettings(FloorsettingFilterConfigMaliciousUriFilterSettingsArgs.builder()
.filterEnforcement("ENABLED")
.build())
.build())
.enableFloorSettingEnforcement(true)
.build());
}
}
resources:
floorsetting-filter-config:
type: gcp:modelarmor:Floorsetting
properties:
location: global
parent: project/my-project-name
filterConfig:
raiSettings:
raiFilters:
- filterType: DANGEROUS
confidenceLevel: MEDIUM_AND_ABOVE
sdpSettings:
basicConfig:
filterEnforcement: ENABLED
piAndJailbreakFilterSettings:
filterEnforcement: ENABLED
confidenceLevel: HIGH
maliciousUriFilterSettings:
filterEnforcement: ENABLED
enableFloorSettingEnforcement: true
When enableFloorSettingEnforcement is true, all templates created within the scope must meet the filter requirements. The filterConfig defines four filter categories: raiSettings blocks dangerous content at medium confidence or higher, sdpSettings prevents sensitive data exposure, piAndJailbreakFilterSettings stops prompt injection at high confidence, and maliciousUriFilterSettings blocks malicious links. Each filter’s confidenceLevel and filterEnforcement properties control when content is blocked.
Enable inspection mode with logging and language detection
Teams evaluating Model Armor often start with inspection-only mode to understand filter behavior before enforcing blocks.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const floorsetting_integrated_metadata = new gcp.modelarmor.Floorsetting("floorsetting-integrated-metadata", {
location: "global",
parent: "projects/my-project-name",
filterConfig: {},
enableFloorSettingEnforcement: false,
aiPlatformFloorSetting: {
inspectOnly: true,
enableCloudLogging: true,
},
floorSettingMetadata: {
multiLanguageDetection: {
enableMultiLanguageDetection: false,
},
},
});
import pulumi
import pulumi_gcp as gcp
floorsetting_integrated_metadata = gcp.modelarmor.Floorsetting("floorsetting-integrated-metadata",
location="global",
parent="projects/my-project-name",
filter_config={},
enable_floor_setting_enforcement=False,
ai_platform_floor_setting={
"inspect_only": True,
"enable_cloud_logging": True,
},
floor_setting_metadata={
"multi_language_detection": {
"enable_multi_language_detection": False,
},
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/modelarmor"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := modelarmor.NewFloorsetting(ctx, "floorsetting-integrated-metadata", &modelarmor.FloorsettingArgs{
Location: pulumi.String("global"),
Parent: pulumi.String("projects/my-project-name"),
FilterConfig: &modelarmor.FloorsettingFilterConfigArgs{},
EnableFloorSettingEnforcement: pulumi.Bool(false),
AiPlatformFloorSetting: &modelarmor.FloorsettingAiPlatformFloorSettingArgs{
InspectOnly: pulumi.Bool(true),
EnableCloudLogging: pulumi.Bool(true),
},
FloorSettingMetadata: &modelarmor.FloorsettingFloorSettingMetadataArgs{
MultiLanguageDetection: &modelarmor.FloorsettingFloorSettingMetadataMultiLanguageDetectionArgs{
EnableMultiLanguageDetection: pulumi.Bool(false),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var floorsetting_integrated_metadata = new Gcp.ModelArmor.Floorsetting("floorsetting-integrated-metadata", new()
{
Location = "global",
Parent = "projects/my-project-name",
FilterConfig = null,
EnableFloorSettingEnforcement = false,
AiPlatformFloorSetting = new Gcp.ModelArmor.Inputs.FloorsettingAiPlatformFloorSettingArgs
{
InspectOnly = true,
EnableCloudLogging = true,
},
FloorSettingMetadata = new Gcp.ModelArmor.Inputs.FloorsettingFloorSettingMetadataArgs
{
MultiLanguageDetection = new Gcp.ModelArmor.Inputs.FloorsettingFloorSettingMetadataMultiLanguageDetectionArgs
{
EnableMultiLanguageDetection = false,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.modelarmor.Floorsetting;
import com.pulumi.gcp.modelarmor.FloorsettingArgs;
import com.pulumi.gcp.modelarmor.inputs.FloorsettingFilterConfigArgs;
import com.pulumi.gcp.modelarmor.inputs.FloorsettingAiPlatformFloorSettingArgs;
import com.pulumi.gcp.modelarmor.inputs.FloorsettingFloorSettingMetadataArgs;
import com.pulumi.gcp.modelarmor.inputs.FloorsettingFloorSettingMetadataMultiLanguageDetectionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var floorsetting_integrated_metadata = new Floorsetting("floorsetting-integrated-metadata", FloorsettingArgs.builder()
.location("global")
.parent("projects/my-project-name")
.filterConfig(FloorsettingFilterConfigArgs.builder()
.build())
.enableFloorSettingEnforcement(false)
.aiPlatformFloorSetting(FloorsettingAiPlatformFloorSettingArgs.builder()
.inspectOnly(true)
.enableCloudLogging(true)
.build())
.floorSettingMetadata(FloorsettingFloorSettingMetadataArgs.builder()
.multiLanguageDetection(FloorsettingFloorSettingMetadataMultiLanguageDetectionArgs.builder()
.enableMultiLanguageDetection(false)
.build())
.build())
.build());
}
}
resources:
floorsetting-integrated-metadata:
type: gcp:modelarmor:Floorsetting
properties:
location: global
parent: projects/my-project-name
filterConfig: {}
enableFloorSettingEnforcement: false
aiPlatformFloorSetting:
inspectOnly: true
enableCloudLogging: true
floorSettingMetadata:
multiLanguageDetection:
enableMultiLanguageDetection: false
The aiPlatformFloorSetting configures AI Platform integration. When inspectOnly is true, filters evaluate content but don’t block requests; enableCloudLogging sends filter matches to Cloud Logging for analysis. The floorSettingMetadata enables multi-language detection, allowing filters to work across languages. This configuration helps teams understand filter behavior before enabling enforcement.
Beyond these examples
These snippets focus on specific floor setting features: hierarchy-based floor settings, content filtering (RAI, SDP, jailbreak, malicious URIs), and inspection mode with Cloud Logging. They’re intentionally minimal rather than full governance frameworks.
The examples reference pre-existing infrastructure such as Google Cloud projects, folders, or organizations. They focus on configuring floor settings rather than provisioning the surrounding hierarchy.
To keep things focused, common floor setting patterns are omitted, including:
- Folder and organization-level floor settings (parent variations)
- Integrated services configuration (integratedServices)
- Google MCP Server floor settings (googleMcpServerFloorSetting)
- Confidence level tuning for individual filters
These omissions are intentional: the goal is to illustrate how each floor setting feature is wired, not provide drop-in governance modules. See the Model Armor Floorsetting resource reference for all available configuration options.
Let's configure GCP Model Armor Floor Settings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Hierarchy & Precedence
What happens when floor settings conflict across different hierarchy levels?
Settings lower in the resource hierarchy take precedence. For example, a project-level floor setting overrides folder-level or organization-level settings.
What format should I use for the parent property?
Use one of these formats:
projects/{project}, folders/{folder}, or organizations/{organizationId}.Configuration & Required Fields
What's the minimum configuration needed to create a floor setting?
You need three required properties:
parent, location, and filterConfig. The filterConfig can be an empty object for basic setup.What types of filters can I configure in filterConfig?
You can configure four filter types:
- RAI filters -
raiSettingswith filter type and confidence level - SDP filters -
sdpSettingswith basic configuration - PI and jailbreak filters -
piAndJailbreakFilterSettingswith enforcement and confidence - Malicious URI filters -
maliciousUriFilterSettingswith enforcement
What's the difference between enableFloorSettingEnforcement and inspectOnly mode?
enableFloorSettingEnforcement controls whether the floor setting is enforced globally. The inspectOnly mode (in aiPlatformFloorSetting) allows monitoring without blocking, useful for testing filter configurations.Immutability & Lifecycle
What properties can't I change after creating a floor setting?
Both
location and parent are immutable. You’ll need to recreate the resource to change either property.How do I import an existing floor setting?
Use either format:
{{parent}}/locations/{{location}}/floorSetting or {{parent}}/{{location}}. For example: pulumi import gcp:modelarmor/floorsetting:Floorsetting default projects/my-project/locations/global/floorSettingOptional Features
How do I enable multi-language detection?
Configure
floorSettingMetadata with multiLanguageDetection settings. Set enableMultiLanguageDetection to true or false as needed.