pulumi-gcp 8.24.0a1743057423__py3-none-any.whl → 8.25.0__py3-none-any.whl

pulumi_gcp/compute/_inputs.py

@@ -97,6 +97,10 @@ __all__ = [
     'BackendServiceStrongSessionAffinityCookieArgsDict',
     'BackendServiceStrongSessionAffinityCookieTtlArgs',
     'BackendServiceStrongSessionAffinityCookieTtlArgsDict',
+    'BackendServiceTlsSettingsArgs',
+    'BackendServiceTlsSettingsArgsDict',
+    'BackendServiceTlsSettingsSubjectAltNameArgs',
+    'BackendServiceTlsSettingsSubjectAltNameArgsDict',
     'DiskAsyncPrimaryDiskArgs',
     'DiskAsyncPrimaryDiskArgsDict',
     'DiskAsyncReplicationSecondaryDiskArgs',
@@ -173,6 +177,16 @@ __all__ = [
     'ImageImageEncryptionKeyArgsDict',
     'ImageRawDiskArgs',
     'ImageRawDiskArgsDict',
+    'ImageShieldedInstanceInitialStateArgs',
+    'ImageShieldedInstanceInitialStateArgsDict',
+    'ImageShieldedInstanceInitialStateDbArgs',
+    'ImageShieldedInstanceInitialStateDbArgsDict',
+    'ImageShieldedInstanceInitialStateDbxArgs',
+    'ImageShieldedInstanceInitialStateDbxArgsDict',
+    'ImageShieldedInstanceInitialStateKekArgs',
+    'ImageShieldedInstanceInitialStateKekArgsDict',
+    'ImageShieldedInstanceInitialStatePkArgs',
+    'ImageShieldedInstanceInitialStatePkArgsDict',
     'InstanceAdvancedMachineFeaturesArgs',
     'InstanceAdvancedMachineFeaturesArgsDict',
     'InstanceAttachedDiskArgs',
@@ -181,6 +195,10 @@ __all__ = [
     'InstanceBootDiskArgsDict',
     'InstanceBootDiskInitializeParamsArgs',
     'InstanceBootDiskInitializeParamsArgsDict',
+    'InstanceBootDiskInitializeParamsSourceImageEncryptionKeyArgs',
+    'InstanceBootDiskInitializeParamsSourceImageEncryptionKeyArgsDict',
+    'InstanceBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgs',
+    'InstanceBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgsDict',
     'InstanceConfidentialInstanceConfigArgs',
     'InstanceConfidentialInstanceConfigArgsDict',
     'InstanceFromMachineImageAdvancedMachineFeaturesArgs',
@@ -191,10 +209,16 @@ __all__ = [
     'InstanceFromMachineImageBootDiskArgsDict',
     'InstanceFromMachineImageBootDiskInitializeParamsArgs',
     'InstanceFromMachineImageBootDiskInitializeParamsArgsDict',
+    'InstanceFromMachineImageBootDiskInitializeParamsSourceImageEncryptionKeyArgs',
+    'InstanceFromMachineImageBootDiskInitializeParamsSourceImageEncryptionKeyArgsDict',
+    'InstanceFromMachineImageBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgs',
+    'InstanceFromMachineImageBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgsDict',
     'InstanceFromMachineImageConfidentialInstanceConfigArgs',
     'InstanceFromMachineImageConfidentialInstanceConfigArgsDict',
     'InstanceFromMachineImageGuestAcceleratorArgs',
     'InstanceFromMachineImageGuestAcceleratorArgsDict',
+    'InstanceFromMachineImageInstanceEncryptionKeyArgs',
+    'InstanceFromMachineImageInstanceEncryptionKeyArgsDict',
     'InstanceFromMachineImageNetworkInterfaceArgs',
     'InstanceFromMachineImageNetworkInterfaceArgsDict',
     'InstanceFromMachineImageNetworkInterfaceAccessConfigArgs',
@@ -231,6 +255,8 @@ __all__ = [
     'InstanceFromMachineImageServiceAccountArgsDict',
     'InstanceFromMachineImageShieldedInstanceConfigArgs',
     'InstanceFromMachineImageShieldedInstanceConfigArgsDict',
+    'InstanceFromMachineImageSourceMachineImageEncryptionKeyArgs',
+    'InstanceFromMachineImageSourceMachineImageEncryptionKeyArgsDict',
     'InstanceFromTemplateAdvancedMachineFeaturesArgs',
     'InstanceFromTemplateAdvancedMachineFeaturesArgsDict',
     'InstanceFromTemplateAttachedDiskArgs',
@@ -239,10 +265,16 @@ __all__ = [
     'InstanceFromTemplateBootDiskArgsDict',
     'InstanceFromTemplateBootDiskInitializeParamsArgs',
     'InstanceFromTemplateBootDiskInitializeParamsArgsDict',
+    'InstanceFromTemplateBootDiskInitializeParamsSourceImageEncryptionKeyArgs',
+    'InstanceFromTemplateBootDiskInitializeParamsSourceImageEncryptionKeyArgsDict',
+    'InstanceFromTemplateBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgs',
+    'InstanceFromTemplateBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgsDict',
     'InstanceFromTemplateConfidentialInstanceConfigArgs',
     'InstanceFromTemplateConfidentialInstanceConfigArgsDict',
     'InstanceFromTemplateGuestAcceleratorArgs',
     'InstanceFromTemplateGuestAcceleratorArgsDict',
+    'InstanceFromTemplateInstanceEncryptionKeyArgs',
+    'InstanceFromTemplateInstanceEncryptionKeyArgsDict',
     'InstanceFromTemplateNetworkInterfaceArgs',
     'InstanceFromTemplateNetworkInterfaceArgsDict',
     'InstanceFromTemplateNetworkInterfaceAccessConfigArgs',
@@ -321,6 +353,8 @@ __all__ = [
     'InstanceIAMBindingConditionArgsDict',
     'InstanceIAMMemberConditionArgs',
     'InstanceIAMMemberConditionArgsDict',
+    'InstanceInstanceEncryptionKeyArgs',
+    'InstanceInstanceEncryptionKeyArgsDict',
     'InstanceNetworkInterfaceArgs',
     'InstanceNetworkInterfaceArgsDict',
     'InstanceNetworkInterfaceAccessConfigArgs',
@@ -1021,6 +1055,8 @@ __all__ = [
     'ResourcePolicySnapshotSchedulePolicyScheduleWeeklyScheduleDayOfWeekArgsDict',
     'ResourcePolicySnapshotSchedulePolicySnapshotPropertiesArgs',
     'ResourcePolicySnapshotSchedulePolicySnapshotPropertiesArgsDict',
+    'ResourcePolicyWorkloadPolicyArgs',
+    'ResourcePolicyWorkloadPolicyArgsDict',
     'RouteAsPathArgs',
     'RouteAsPathArgsDict',
     'RouteWarningArgs',
@@ -1031,6 +1067,8 @@ __all__ = [
     'RouterBgpArgsDict',
     'RouterBgpAdvertisedIpRangeArgs',
     'RouterBgpAdvertisedIpRangeArgsDict',
+    'RouterMd5AuthenticationKeysArgs',
+    'RouterMd5AuthenticationKeysArgsDict',
     'RouterNatLogConfigArgs',
     'RouterNatLogConfigArgsDict',
     'RouterNatRuleArgs',
@@ -1271,6 +1309,10 @@ __all__ = [
     'URLMapPathMatcherPathRuleUrlRedirectArgsDict',
     'URLMapPathMatcherRouteRuleArgs',
     'URLMapPathMatcherRouteRuleArgsDict',
+    'URLMapPathMatcherRouteRuleCustomErrorResponsePolicyArgs',
+    'URLMapPathMatcherRouteRuleCustomErrorResponsePolicyArgsDict',
+    'URLMapPathMatcherRouteRuleCustomErrorResponsePolicyErrorResponseRuleArgs',
+    'URLMapPathMatcherRouteRuleCustomErrorResponsePolicyErrorResponseRuleArgsDict',
     'URLMapPathMatcherRouteRuleHeaderActionArgs',
     'URLMapPathMatcherRouteRuleHeaderActionArgsDict',
     'URLMapPathMatcherRouteRuleHeaderActionRequestHeadersToAddArgs',
@@ -5775,6 +5817,160 @@ class BackendServiceStrongSessionAffinityCookieTtlArgs:
         pulumi.set(self, "nanos", value)
 
 
+if not MYPY:
+    class BackendServiceTlsSettingsArgsDict(TypedDict):
+        authentication_config: NotRequired[pulumi.Input[str]]
+        """
+        Reference to the BackendAuthenticationConfig resource from the networksecurity.googleapis.com namespace.
+        Can be used in authenticating TLS connections to the backend, as specified by the authenticationMode field.
+        Can only be specified if authenticationMode is not NONE.
+        """
+        sni: NotRequired[pulumi.Input[str]]
+        """
+        Server Name Indication - see RFC3546 section 3.1. If set, the load balancer sends this string as the SNI hostname in the
+        TLS connection to the backend, and requires that this string match a Subject Alternative Name (SAN) in the backend's
+        server certificate. With a Regional Internet NEG backend, if the SNI is specified here, the load balancer uses it
+        regardless of whether the Regional Internet NEG is specified with FQDN or IP address and port.
+        """
+        subject_alt_names: NotRequired[pulumi.Input[Sequence[pulumi.Input['BackendServiceTlsSettingsSubjectAltNameArgsDict']]]]
+        """
+        A list of Subject Alternative Names (SANs) that the Load Balancer verifies during a TLS handshake with the backend.
+        When the server presents its X.509 certificate to the Load Balancer, the Load Balancer inspects the certificate's SAN field,
+        and requires that at least one SAN match one of the subjectAltNames in the list. This field is limited to 5 entries.
+        When both sni and subjectAltNames are specified, the load balancer matches the backend certificate's SAN only to
+        subjectAltNames.
+        Structure is documented below.
+        """
+elif False:
+    BackendServiceTlsSettingsArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class BackendServiceTlsSettingsArgs:
+    def __init__(__self__, *,
+                 authentication_config: Optional[pulumi.Input[str]] = None,
+                 sni: Optional[pulumi.Input[str]] = None,
+                 subject_alt_names: Optional[pulumi.Input[Sequence[pulumi.Input['BackendServiceTlsSettingsSubjectAltNameArgs']]]] = None):
+        """
+        :param pulumi.Input[str] authentication_config: Reference to the BackendAuthenticationConfig resource from the networksecurity.googleapis.com namespace.
+               Can be used in authenticating TLS connections to the backend, as specified by the authenticationMode field.
+               Can only be specified if authenticationMode is not NONE.
+        :param pulumi.Input[str] sni: Server Name Indication - see RFC3546 section 3.1. If set, the load balancer sends this string as the SNI hostname in the
+               TLS connection to the backend, and requires that this string match a Subject Alternative Name (SAN) in the backend's
+               server certificate. With a Regional Internet NEG backend, if the SNI is specified here, the load balancer uses it
+               regardless of whether the Regional Internet NEG is specified with FQDN or IP address and port.
+        :param pulumi.Input[Sequence[pulumi.Input['BackendServiceTlsSettingsSubjectAltNameArgs']]] subject_alt_names: A list of Subject Alternative Names (SANs) that the Load Balancer verifies during a TLS handshake with the backend.
+               When the server presents its X.509 certificate to the Load Balancer, the Load Balancer inspects the certificate's SAN field,
+               and requires that at least one SAN match one of the subjectAltNames in the list. This field is limited to 5 entries.
+               When both sni and subjectAltNames are specified, the load balancer matches the backend certificate's SAN only to
+               subjectAltNames.
+               Structure is documented below.
+        """
+        if authentication_config is not None:
+            pulumi.set(__self__, "authentication_config", authentication_config)
+        if sni is not None:
+            pulumi.set(__self__, "sni", sni)
+        if subject_alt_names is not None:
+            pulumi.set(__self__, "subject_alt_names", subject_alt_names)
+
+    @property
+    @pulumi.getter(name="authenticationConfig")
+    def authentication_config(self) -> Optional[pulumi.Input[str]]:
+        """
+        Reference to the BackendAuthenticationConfig resource from the networksecurity.googleapis.com namespace.
+        Can be used in authenticating TLS connections to the backend, as specified by the authenticationMode field.
+        Can only be specified if authenticationMode is not NONE.
+        """
+        return pulumi.get(self, "authentication_config")
+
+    @authentication_config.setter
+    def authentication_config(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "authentication_config", value)
+
+    @property
+    @pulumi.getter
+    def sni(self) -> Optional[pulumi.Input[str]]:
+        """
+        Server Name Indication - see RFC3546 section 3.1. If set, the load balancer sends this string as the SNI hostname in the
+        TLS connection to the backend, and requires that this string match a Subject Alternative Name (SAN) in the backend's
+        server certificate. With a Regional Internet NEG backend, if the SNI is specified here, the load balancer uses it
+        regardless of whether the Regional Internet NEG is specified with FQDN or IP address and port.
+        """
+        return pulumi.get(self, "sni")
+
+    @sni.setter
+    def sni(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "sni", value)
+
+    @property
+    @pulumi.getter(name="subjectAltNames")
+    def subject_alt_names(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['BackendServiceTlsSettingsSubjectAltNameArgs']]]]:
+        """
+        A list of Subject Alternative Names (SANs) that the Load Balancer verifies during a TLS handshake with the backend.
+        When the server presents its X.509 certificate to the Load Balancer, the Load Balancer inspects the certificate's SAN field,
+        and requires that at least one SAN match one of the subjectAltNames in the list. This field is limited to 5 entries.
+        When both sni and subjectAltNames are specified, the load balancer matches the backend certificate's SAN only to
+        subjectAltNames.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "subject_alt_names")
+
+    @subject_alt_names.setter
+    def subject_alt_names(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['BackendServiceTlsSettingsSubjectAltNameArgs']]]]):
+        pulumi.set(self, "subject_alt_names", value)
+
+
+if not MYPY:
+    class BackendServiceTlsSettingsSubjectAltNameArgsDict(TypedDict):
+        dns_name: NotRequired[pulumi.Input[str]]
+        """
+        The SAN specified as a DNS Name.
+        """
+        uniform_resource_identifier: NotRequired[pulumi.Input[str]]
+        """
+        The SAN specified as a URI.
+        """
+elif False:
+    BackendServiceTlsSettingsSubjectAltNameArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class BackendServiceTlsSettingsSubjectAltNameArgs:
+    def __init__(__self__, *,
+                 dns_name: Optional[pulumi.Input[str]] = None,
+                 uniform_resource_identifier: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] dns_name: The SAN specified as a DNS Name.
+        :param pulumi.Input[str] uniform_resource_identifier: The SAN specified as a URI.
+        """
+        if dns_name is not None:
+            pulumi.set(__self__, "dns_name", dns_name)
+        if uniform_resource_identifier is not None:
+            pulumi.set(__self__, "uniform_resource_identifier", uniform_resource_identifier)
+
+    @property
+    @pulumi.getter(name="dnsName")
+    def dns_name(self) -> Optional[pulumi.Input[str]]:
+        """
+        The SAN specified as a DNS Name.
+        """
+        return pulumi.get(self, "dns_name")
+
+    @dns_name.setter
+    def dns_name(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "dns_name", value)
+
+    @property
+    @pulumi.getter(name="uniformResourceIdentifier")
+    def uniform_resource_identifier(self) -> Optional[pulumi.Input[str]]:
+        """
+        The SAN specified as a URI.
+        """
+        return pulumi.get(self, "uniform_resource_identifier")
+
+    @uniform_resource_identifier.setter
+    def uniform_resource_identifier(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "uniform_resource_identifier", value)
+
+
 if not MYPY:
     class DiskAsyncPrimaryDiskArgsDict(TypedDict):
         disk: pulumi.Input[str]
@@ -10266,6 +10462,18 @@ if not MYPY:
         given KMS key. If absent, the Compute Engine default service
         account is used.
         """
+        raw_key: NotRequired[pulumi.Input[str]]
+        """
+        Specifies a 256-bit customer-supplied encryption key, encoded in
+        RFC 4648 base64 to either encrypt or decrypt this resource.
+        **Note**: This property is sensitive and will not be displayed in the plan.
+        """
+        rsa_encrypted_key: NotRequired[pulumi.Input[str]]
+        """
+        Specifies a 256-bit customer-supplied encryption key, encoded in
+        RFC 4648 base64 to either encrypt or decrypt this resource.
+        **Note**: This property is sensitive and will not be displayed in the plan.
+        """
 elif False:
     ImageImageEncryptionKeyArgsDict: TypeAlias = Mapping[str, Any]
 
@@ -10273,18 +10481,30 @@ elif False:
 class ImageImageEncryptionKeyArgs:
     def __init__(__self__, *,
                  kms_key_self_link: Optional[pulumi.Input[str]] = None,
-                 kms_key_service_account: Optional[pulumi.Input[str]] = None):
+                 kms_key_service_account: Optional[pulumi.Input[str]] = None,
+                 raw_key: Optional[pulumi.Input[str]] = None,
+                 rsa_encrypted_key: Optional[pulumi.Input[str]] = None):
         """
         :param pulumi.Input[str] kms_key_self_link: The self link of the encryption key that is stored in Google Cloud
                KMS.
         :param pulumi.Input[str] kms_key_service_account: The service account being used for the encryption request for the
                given KMS key. If absent, the Compute Engine default service
                account is used.
+        :param pulumi.Input[str] raw_key: Specifies a 256-bit customer-supplied encryption key, encoded in
+               RFC 4648 base64 to either encrypt or decrypt this resource.
+               **Note**: This property is sensitive and will not be displayed in the plan.
+        :param pulumi.Input[str] rsa_encrypted_key: Specifies a 256-bit customer-supplied encryption key, encoded in
+               RFC 4648 base64 to either encrypt or decrypt this resource.
+               **Note**: This property is sensitive and will not be displayed in the plan.
         """
         if kms_key_self_link is not None:
             pulumi.set(__self__, "kms_key_self_link", kms_key_self_link)
         if kms_key_service_account is not None:
             pulumi.set(__self__, "kms_key_service_account", kms_key_service_account)
+        if raw_key is not None:
+            pulumi.set(__self__, "raw_key", raw_key)
+        if rsa_encrypted_key is not None:
+            pulumi.set(__self__, "rsa_encrypted_key", rsa_encrypted_key)
 
     @property
     @pulumi.getter(name="kmsKeySelfLink")
@@ -10313,6 +10533,34 @@ class ImageImageEncryptionKeyArgs:
     def kms_key_service_account(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "kms_key_service_account", value)
 
+    @property
+    @pulumi.getter(name="rawKey")
+    def raw_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies a 256-bit customer-supplied encryption key, encoded in
+        RFC 4648 base64 to either encrypt or decrypt this resource.
+        **Note**: This property is sensitive and will not be displayed in the plan.
+        """
+        return pulumi.get(self, "raw_key")
+
+    @raw_key.setter
+    def raw_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "raw_key", value)
+
+    @property
+    @pulumi.getter(name="rsaEncryptedKey")
+    def rsa_encrypted_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies a 256-bit customer-supplied encryption key, encoded in
+        RFC 4648 base64 to either encrypt or decrypt this resource.
+        **Note**: This property is sensitive and will not be displayed in the plan.
+        """
+        return pulumi.get(self, "rsa_encrypted_key")
+
+    @rsa_encrypted_key.setter
+    def rsa_encrypted_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "rsa_encrypted_key", value)
+
 
 if not MYPY:
     class ImageRawDiskArgsDict(TypedDict):
@@ -10409,6 +10657,326 @@ class ImageRawDiskArgs:
         pulumi.set(self, "sha1", value)
 
 
+if not MYPY:
+    class ImageShieldedInstanceInitialStateArgsDict(TypedDict):
+        dbs: NotRequired[pulumi.Input[Sequence[pulumi.Input['ImageShieldedInstanceInitialStateDbArgsDict']]]]
+        """
+        The Key Database (db).
+        Structure is documented below.
+        """
+        dbxs: NotRequired[pulumi.Input[Sequence[pulumi.Input['ImageShieldedInstanceInitialStateDbxArgsDict']]]]
+        """
+        The forbidden key database (dbx).
+        Structure is documented below.
+        """
+        keks: NotRequired[pulumi.Input[Sequence[pulumi.Input['ImageShieldedInstanceInitialStateKekArgsDict']]]]
+        """
+        The Key Exchange Key (KEK).
+        Structure is documented below.
+        """
+        pk: NotRequired[pulumi.Input['ImageShieldedInstanceInitialStatePkArgsDict']]
+        """
+        The Platform Key (PK).
+        Structure is documented below.
+        """
+elif False:
+    ImageShieldedInstanceInitialStateArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class ImageShieldedInstanceInitialStateArgs:
+    def __init__(__self__, *,
+                 dbs: Optional[pulumi.Input[Sequence[pulumi.Input['ImageShieldedInstanceInitialStateDbArgs']]]] = None,
+                 dbxs: Optional[pulumi.Input[Sequence[pulumi.Input['ImageShieldedInstanceInitialStateDbxArgs']]]] = None,
+                 keks: Optional[pulumi.Input[Sequence[pulumi.Input['ImageShieldedInstanceInitialStateKekArgs']]]] = None,
+                 pk: Optional[pulumi.Input['ImageShieldedInstanceInitialStatePkArgs']] = None):
+        """
+        :param pulumi.Input[Sequence[pulumi.Input['ImageShieldedInstanceInitialStateDbArgs']]] dbs: The Key Database (db).
+               Structure is documented below.
+        :param pulumi.Input[Sequence[pulumi.Input['ImageShieldedInstanceInitialStateDbxArgs']]] dbxs: The forbidden key database (dbx).
+               Structure is documented below.
+        :param pulumi.Input[Sequence[pulumi.Input['ImageShieldedInstanceInitialStateKekArgs']]] keks: The Key Exchange Key (KEK).
+               Structure is documented below.
+        :param pulumi.Input['ImageShieldedInstanceInitialStatePkArgs'] pk: The Platform Key (PK).
+               Structure is documented below.
+        """
+        if dbs is not None:
+            pulumi.set(__self__, "dbs", dbs)
+        if dbxs is not None:
+            pulumi.set(__self__, "dbxs", dbxs)
+        if keks is not None:
+            pulumi.set(__self__, "keks", keks)
+        if pk is not None:
+            pulumi.set(__self__, "pk", pk)
+
+    @property
+    @pulumi.getter
+    def dbs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['ImageShieldedInstanceInitialStateDbArgs']]]]:
+        """
+        The Key Database (db).
+        Structure is documented below.
+        """
+        return pulumi.get(self, "dbs")
+
+    @dbs.setter
+    def dbs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['ImageShieldedInstanceInitialStateDbArgs']]]]):
+        pulumi.set(self, "dbs", value)
+
+    @property
+    @pulumi.getter
+    def dbxs(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['ImageShieldedInstanceInitialStateDbxArgs']]]]:
+        """
+        The forbidden key database (dbx).
+        Structure is documented below.
+        """
+        return pulumi.get(self, "dbxs")
+
+    @dbxs.setter
+    def dbxs(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['ImageShieldedInstanceInitialStateDbxArgs']]]]):
+        pulumi.set(self, "dbxs", value)
+
+    @property
+    @pulumi.getter
+    def keks(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['ImageShieldedInstanceInitialStateKekArgs']]]]:
+        """
+        The Key Exchange Key (KEK).
+        Structure is documented below.
+        """
+        return pulumi.get(self, "keks")
+
+    @keks.setter
+    def keks(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['ImageShieldedInstanceInitialStateKekArgs']]]]):
+        pulumi.set(self, "keks", value)
+
+    @property
+    @pulumi.getter
+    def pk(self) -> Optional[pulumi.Input['ImageShieldedInstanceInitialStatePkArgs']]:
+        """
+        The Platform Key (PK).
+        Structure is documented below.
+        """
+        return pulumi.get(self, "pk")
+
+    @pk.setter
+    def pk(self, value: Optional[pulumi.Input['ImageShieldedInstanceInitialStatePkArgs']]):
+        pulumi.set(self, "pk", value)
+
+
+if not MYPY:
+    class ImageShieldedInstanceInitialStateDbArgsDict(TypedDict):
+        content: pulumi.Input[str]
+        """
+        The raw content in the secure keys file.
+        A base64-encoded string.
+        """
+        file_type: NotRequired[pulumi.Input[str]]
+        """
+        The file type of source file.
+        """
+elif False:
+    ImageShieldedInstanceInitialStateDbArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class ImageShieldedInstanceInitialStateDbArgs:
+    def __init__(__self__, *,
+                 content: pulumi.Input[str],
+                 file_type: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] content: The raw content in the secure keys file.
+               A base64-encoded string.
+        :param pulumi.Input[str] file_type: The file type of source file.
+        """
+        pulumi.set(__self__, "content", content)
+        if file_type is not None:
+            pulumi.set(__self__, "file_type", file_type)
+
+    @property
+    @pulumi.getter
+    def content(self) -> pulumi.Input[str]:
+        """
+        The raw content in the secure keys file.
+        A base64-encoded string.
+        """
+        return pulumi.get(self, "content")
+
+    @content.setter
+    def content(self, value: pulumi.Input[str]):
+        pulumi.set(self, "content", value)
+
+    @property
+    @pulumi.getter(name="fileType")
+    def file_type(self) -> Optional[pulumi.Input[str]]:
+        """
+        The file type of source file.
+        """
+        return pulumi.get(self, "file_type")
+
+    @file_type.setter
+    def file_type(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "file_type", value)
+
+
+if not MYPY:
+    class ImageShieldedInstanceInitialStateDbxArgsDict(TypedDict):
+        content: pulumi.Input[str]
+        """
+        The raw content in the secure keys file.
+        A base64-encoded string.
+        """
+        file_type: NotRequired[pulumi.Input[str]]
+        """
+        The file type of source file.
+        """
+elif False:
+    ImageShieldedInstanceInitialStateDbxArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class ImageShieldedInstanceInitialStateDbxArgs:
+    def __init__(__self__, *,
+                 content: pulumi.Input[str],
+                 file_type: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] content: The raw content in the secure keys file.
+               A base64-encoded string.
+        :param pulumi.Input[str] file_type: The file type of source file.
+        """
+        pulumi.set(__self__, "content", content)
+        if file_type is not None:
+            pulumi.set(__self__, "file_type", file_type)
+
+    @property
+    @pulumi.getter
+    def content(self) -> pulumi.Input[str]:
+        """
+        The raw content in the secure keys file.
+        A base64-encoded string.
+        """
+        return pulumi.get(self, "content")
+
+    @content.setter
+    def content(self, value: pulumi.Input[str]):
+        pulumi.set(self, "content", value)
+
+    @property
+    @pulumi.getter(name="fileType")
+    def file_type(self) -> Optional[pulumi.Input[str]]:
+        """
+        The file type of source file.
+        """
+        return pulumi.get(self, "file_type")
+
+    @file_type.setter
+    def file_type(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "file_type", value)
+
+
+if not MYPY:
+    class ImageShieldedInstanceInitialStateKekArgsDict(TypedDict):
+        content: pulumi.Input[str]
+        """
+        The raw content in the secure keys file.
+        A base64-encoded string.
+        """
+        file_type: NotRequired[pulumi.Input[str]]
+        """
+        The file type of source file.
+        """
+elif False:
+    ImageShieldedInstanceInitialStateKekArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class ImageShieldedInstanceInitialStateKekArgs:
+    def __init__(__self__, *,
+                 content: pulumi.Input[str],
+                 file_type: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] content: The raw content in the secure keys file.
+               A base64-encoded string.
+        :param pulumi.Input[str] file_type: The file type of source file.
+        """
+        pulumi.set(__self__, "content", content)
+        if file_type is not None:
+            pulumi.set(__self__, "file_type", file_type)
+
+    @property
+    @pulumi.getter
+    def content(self) -> pulumi.Input[str]:
+        """
+        The raw content in the secure keys file.
+        A base64-encoded string.
+        """
+        return pulumi.get(self, "content")
+
+    @content.setter
+    def content(self, value: pulumi.Input[str]):
+        pulumi.set(self, "content", value)
+
+    @property
+    @pulumi.getter(name="fileType")
+    def file_type(self) -> Optional[pulumi.Input[str]]:
+        """
+        The file type of source file.
+        """
+        return pulumi.get(self, "file_type")
+
+    @file_type.setter
+    def file_type(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "file_type", value)
+
+
+if not MYPY:
+    class ImageShieldedInstanceInitialStatePkArgsDict(TypedDict):
+        content: pulumi.Input[str]
+        """
+        The raw content in the secure keys file.
+        A base64-encoded string.
+        """
+        file_type: NotRequired[pulumi.Input[str]]
+        """
+        The file type of source file.
+        """
+elif False:
+    ImageShieldedInstanceInitialStatePkArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class ImageShieldedInstanceInitialStatePkArgs:
+    def __init__(__self__, *,
+                 content: pulumi.Input[str],
+                 file_type: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] content: The raw content in the secure keys file.
+               A base64-encoded string.
+        :param pulumi.Input[str] file_type: The file type of source file.
+        """
+        pulumi.set(__self__, "content", content)
+        if file_type is not None:
+            pulumi.set(__self__, "file_type", file_type)
+
+    @property
+    @pulumi.getter
+    def content(self) -> pulumi.Input[str]:
+        """
+        The raw content in the secure keys file.
+        A base64-encoded string.
+        """
+        return pulumi.get(self, "content")
+
+    @content.setter
+    def content(self, value: pulumi.Input[str]):
+        pulumi.set(self, "content", value)
+
+    @property
+    @pulumi.getter(name="fileType")
+    def file_type(self) -> Optional[pulumi.Input[str]]:
+        """
+        The file type of source file.
+        """
+        return pulumi.get(self, "file_type")
+
+    @file_type.setter
+    def file_type(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "file_type", value)
+
+
 if not MYPY:
     class InstanceAdvancedMachineFeaturesArgsDict(TypedDict):
         enable_nested_virtualization: NotRequired[pulumi.Input[bool]]
@@ -10557,7 +11125,14 @@ if not MYPY:
         A 256-bit [customer-supplied encryption key]
         (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption),
         encoded in [RFC 4648 base64](https://tools.ietf.org/html/rfc4648#section-4)
-        to encrypt this disk. Only one of `kms_key_self_link` and `disk_encryption_key_raw` may be set.
+        to encrypt this disk. Only one of `kms_key_self_link`, `disk_encryption_key_rsa` and `disk_encryption_key_raw`
+        may be set.
+        """
+        disk_encryption_key_rsa: NotRequired[pulumi.Input[str]]
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit [customer-supplied encryption key]
+        (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) to encrypt this disk. Only one of `kms_key_self_link`, `disk_encryption_key_rsa` and `disk_encryption_key_raw`
+        may be set.
         """
         disk_encryption_key_sha256: NotRequired[pulumi.Input[str]]
         """
@@ -10565,11 +11140,15 @@ if not MYPY:
         encoded SHA-256 hash of the [customer-supplied encryption key]
         (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) that protects this resource.
         """
+        disk_encryption_service_account: NotRequired[pulumi.Input[str]]
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
         kms_key_self_link: NotRequired[pulumi.Input[str]]
         """
         The self_link of the encryption key that is
-        stored in Google Cloud KMS to encrypt this disk. Only one of `kms_key_self_link`
-        and `disk_encryption_key_raw` may be set.
+        stored in Google Cloud KMS to encrypt this disk. Only one of `kms_key_self_link`, `disk_encryption_key_rsa` and `disk_encryption_key_raw`
+        may be set.
         """
         mode: NotRequired[pulumi.Input[str]]
         """
@@ -10587,7 +11166,9 @@ class InstanceAttachedDiskArgs:
                  source: pulumi.Input[str],
                  device_name: Optional[pulumi.Input[str]] = None,
                  disk_encryption_key_raw: Optional[pulumi.Input[str]] = None,
+                 disk_encryption_key_rsa: Optional[pulumi.Input[str]] = None,
                  disk_encryption_key_sha256: Optional[pulumi.Input[str]] = None,
+                 disk_encryption_service_account: Optional[pulumi.Input[str]] = None,
                  kms_key_self_link: Optional[pulumi.Input[str]] = None,
                  mode: Optional[pulumi.Input[str]] = None):
         """
@@ -10597,13 +11178,18 @@ class InstanceAttachedDiskArgs:
         :param pulumi.Input[str] disk_encryption_key_raw: A 256-bit [customer-supplied encryption key]
                (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption),
                encoded in [RFC 4648 base64](https://tools.ietf.org/html/rfc4648#section-4)
-               to encrypt this disk. Only one of `kms_key_self_link` and `disk_encryption_key_raw` may be set.
+               to encrypt this disk. Only one of `kms_key_self_link`, `disk_encryption_key_rsa` and `disk_encryption_key_raw`
+               may be set.
+        :param pulumi.Input[str] disk_encryption_key_rsa: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit [customer-supplied encryption key]
+               (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) to encrypt this disk. Only one of `kms_key_self_link`, `disk_encryption_key_rsa` and `disk_encryption_key_raw`
+               may be set.
         :param pulumi.Input[str] disk_encryption_key_sha256: The [RFC 4648 base64](https://tools.ietf.org/html/rfc4648#section-4)
                encoded SHA-256 hash of the [customer-supplied encryption key]
                (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) that protects this resource.
+        :param pulumi.Input[str] disk_encryption_service_account: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
         :param pulumi.Input[str] kms_key_self_link: The self_link of the encryption key that is
-               stored in Google Cloud KMS to encrypt this disk. Only one of `kms_key_self_link`
-               and `disk_encryption_key_raw` may be set.
+               stored in Google Cloud KMS to encrypt this disk. Only one of `kms_key_self_link`, `disk_encryption_key_rsa` and `disk_encryption_key_raw`
+               may be set.
         :param pulumi.Input[str] mode: Either "READ_ONLY" or "READ_WRITE", defaults to "READ_WRITE"
                If you have a persistent disk with data that you want to share
                between multiple instances, detach it from any read-write instances and
@@ -10614,8 +11200,12 @@ class InstanceAttachedDiskArgs:
             pulumi.set(__self__, "device_name", device_name)
         if disk_encryption_key_raw is not None:
             pulumi.set(__self__, "disk_encryption_key_raw", disk_encryption_key_raw)
+        if disk_encryption_key_rsa is not None:
+            pulumi.set(__self__, "disk_encryption_key_rsa", disk_encryption_key_rsa)
         if disk_encryption_key_sha256 is not None:
             pulumi.set(__self__, "disk_encryption_key_sha256", disk_encryption_key_sha256)
+        if disk_encryption_service_account is not None:
+            pulumi.set(__self__, "disk_encryption_service_account", disk_encryption_service_account)
         if kms_key_self_link is not None:
             pulumi.set(__self__, "kms_key_self_link", kms_key_self_link)
         if mode is not None:
@@ -10653,7 +11243,8 @@ class InstanceAttachedDiskArgs:
         A 256-bit [customer-supplied encryption key]
         (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption),
         encoded in [RFC 4648 base64](https://tools.ietf.org/html/rfc4648#section-4)
-        to encrypt this disk. Only one of `kms_key_self_link` and `disk_encryption_key_raw` may be set.
+        to encrypt this disk. Only one of `kms_key_self_link`, `disk_encryption_key_rsa` and `disk_encryption_key_raw`
+        may be set.
         """
         return pulumi.get(self, "disk_encryption_key_raw")
 
@@ -10661,6 +11252,20 @@ class InstanceAttachedDiskArgs:
     def disk_encryption_key_raw(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "disk_encryption_key_raw", value)
 
+    @property
+    @pulumi.getter(name="diskEncryptionKeyRsa")
+    def disk_encryption_key_rsa(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit [customer-supplied encryption key]
+        (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) to encrypt this disk. Only one of `kms_key_self_link`, `disk_encryption_key_rsa` and `disk_encryption_key_raw`
+        may be set.
+        """
+        return pulumi.get(self, "disk_encryption_key_rsa")
+
+    @disk_encryption_key_rsa.setter
+    def disk_encryption_key_rsa(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "disk_encryption_key_rsa", value)
+
     @property
     @pulumi.getter(name="diskEncryptionKeySha256")
     def disk_encryption_key_sha256(self) -> Optional[pulumi.Input[str]]:
@@ -10675,13 +11280,25 @@ class InstanceAttachedDiskArgs:
     def disk_encryption_key_sha256(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "disk_encryption_key_sha256", value)
 
+    @property
+    @pulumi.getter(name="diskEncryptionServiceAccount")
+    def disk_encryption_service_account(self) -> Optional[pulumi.Input[str]]:
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        return pulumi.get(self, "disk_encryption_service_account")
+
+    @disk_encryption_service_account.setter
+    def disk_encryption_service_account(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "disk_encryption_service_account", value)
+
     @property
     @pulumi.getter(name="kmsKeySelfLink")
     def kms_key_self_link(self) -> Optional[pulumi.Input[str]]:
         """
         The self_link of the encryption key that is
-        stored in Google Cloud KMS to encrypt this disk. Only one of `kms_key_self_link`
-        and `disk_encryption_key_raw` may be set.
+        stored in Google Cloud KMS to encrypt this disk. Only one of `kms_key_self_link`, `disk_encryption_key_rsa` and `disk_encryption_key_raw`
+        may be set.
         """
         return pulumi.get(self, "kms_key_self_link")
 
@@ -10722,15 +11339,28 @@ if not MYPY:
         A 256-bit [customer-supplied encryption key]
         (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption),
         encoded in [RFC 4648 base64](https://tools.ietf.org/html/rfc4648#section-4)
-        to encrypt this disk. Only one of `kms_key_self_link` and `disk_encryption_key_raw`
+        to encrypt this disk. Only one of `kms_key_self_link`, `disk_encryption_key_rsa` and `disk_encryption_key_raw`
         may be set.
         """
+        disk_encryption_key_rsa: NotRequired[pulumi.Input[str]]
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit [customer-supplied encryption key]
+        (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) to encrypt this disk. Only one of `kms_key_self_link`, `disk_encryption_key_rsa` and `disk_encryption_key_raw`
+        """
         disk_encryption_key_sha256: NotRequired[pulumi.Input[str]]
         """
         The [RFC 4648 base64](https://tools.ietf.org/html/rfc4648#section-4)
         encoded SHA-256 hash of the [customer-supplied encryption key]
         (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) that protects this resource.
         """
+        disk_encryption_service_account: NotRequired[pulumi.Input[str]]
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        guest_os_features: NotRequired[pulumi.Input[Sequence[pulumi.Input[str]]]]
+        """
+        A list of features to enable on the guest operating system. Applicable only for bootable images. Read [Enabling guest operating system features](https://cloud.google.com/compute/docs/images/create-delete-deprecate-private-images#guest-os-features) to see a list of available options.
+        """
         initialize_params: NotRequired[pulumi.Input['InstanceBootDiskInitializeParamsArgsDict']]
         """
         Parameters for a new disk that will be created
@@ -10744,8 +11374,9 @@ if not MYPY:
         kms_key_self_link: NotRequired[pulumi.Input[str]]
         """
         The self_link of the encryption key that is
-        stored in Google Cloud KMS to encrypt this disk. Only one of `kms_key_self_link`
-        and `disk_encryption_key_raw` may be set.
+        stored in Google Cloud KMS to encrypt this disk. Only one of `kms_key_self_link`,
+        `disk_encryption_key_rsa` and `disk_encryption_key_raw`
+        may be set.
         """
         mode: NotRequired[pulumi.Input[str]]
         """
@@ -10767,7 +11398,10 @@ class InstanceBootDiskArgs:
                  auto_delete: Optional[pulumi.Input[bool]] = None,
                  device_name: Optional[pulumi.Input[str]] = None,
                  disk_encryption_key_raw: Optional[pulumi.Input[str]] = None,
+                 disk_encryption_key_rsa: Optional[pulumi.Input[str]] = None,
                  disk_encryption_key_sha256: Optional[pulumi.Input[str]] = None,
+                 disk_encryption_service_account: Optional[pulumi.Input[str]] = None,
+                 guest_os_features: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  initialize_params: Optional[pulumi.Input['InstanceBootDiskInitializeParamsArgs']] = None,
                  interface: Optional[pulumi.Input[str]] = None,
                  kms_key_self_link: Optional[pulumi.Input[str]] = None,
@@ -10781,18 +11415,23 @@ class InstanceBootDiskArgs:
         :param pulumi.Input[str] disk_encryption_key_raw: A 256-bit [customer-supplied encryption key]
                (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption),
                encoded in [RFC 4648 base64](https://tools.ietf.org/html/rfc4648#section-4)
-               to encrypt this disk. Only one of `kms_key_self_link` and `disk_encryption_key_raw`
+               to encrypt this disk. Only one of `kms_key_self_link`, `disk_encryption_key_rsa` and `disk_encryption_key_raw`
                may be set.
+        :param pulumi.Input[str] disk_encryption_key_rsa: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit [customer-supplied encryption key]
+               (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) to encrypt this disk. Only one of `kms_key_self_link`, `disk_encryption_key_rsa` and `disk_encryption_key_raw`
         :param pulumi.Input[str] disk_encryption_key_sha256: The [RFC 4648 base64](https://tools.ietf.org/html/rfc4648#section-4)
                encoded SHA-256 hash of the [customer-supplied encryption key]
                (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) that protects this resource.
+        :param pulumi.Input[str] disk_encryption_service_account: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] guest_os_features: A list of features to enable on the guest operating system. Applicable only for bootable images. Read [Enabling guest operating system features](https://cloud.google.com/compute/docs/images/create-delete-deprecate-private-images#guest-os-features) to see a list of available options.
         :param pulumi.Input['InstanceBootDiskInitializeParamsArgs'] initialize_params: Parameters for a new disk that will be created
                alongside the new instance. Either `initialize_params` or `source` must be set.
                Structure is documented below.
         :param pulumi.Input[str] interface: The disk interface used for attaching this disk. One of SCSI or NVME. (This field is shared with attached_disk and only used for specific cases, please don't specify this field without advice from Google.)
         :param pulumi.Input[str] kms_key_self_link: The self_link of the encryption key that is
-               stored in Google Cloud KMS to encrypt this disk. Only one of `kms_key_self_link`
-               and `disk_encryption_key_raw` may be set.
+               stored in Google Cloud KMS to encrypt this disk. Only one of `kms_key_self_link`,
+               `disk_encryption_key_rsa` and `disk_encryption_key_raw`
+               may be set.
         :param pulumi.Input[str] mode: The mode in which to attach this disk, either `READ_WRITE`
                or `READ_ONLY`. If not specified, the default is to attach the disk in `READ_WRITE` mode.
         :param pulumi.Input[str] source: The name or self_link of the existing disk (such as those managed by
@@ -10805,8 +11444,14 @@ class InstanceBootDiskArgs:
             pulumi.set(__self__, "device_name", device_name)
         if disk_encryption_key_raw is not None:
             pulumi.set(__self__, "disk_encryption_key_raw", disk_encryption_key_raw)
+        if disk_encryption_key_rsa is not None:
+            pulumi.set(__self__, "disk_encryption_key_rsa", disk_encryption_key_rsa)
         if disk_encryption_key_sha256 is not None:
             pulumi.set(__self__, "disk_encryption_key_sha256", disk_encryption_key_sha256)
+        if disk_encryption_service_account is not None:
+            pulumi.set(__self__, "disk_encryption_service_account", disk_encryption_service_account)
+        if guest_os_features is not None:
+            pulumi.set(__self__, "guest_os_features", guest_os_features)
         if initialize_params is not None:
             pulumi.set(__self__, "initialize_params", initialize_params)
         if interface is not None:
@@ -10851,7 +11496,7 @@ class InstanceBootDiskArgs:
         A 256-bit [customer-supplied encryption key]
         (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption),
         encoded in [RFC 4648 base64](https://tools.ietf.org/html/rfc4648#section-4)
-        to encrypt this disk. Only one of `kms_key_self_link` and `disk_encryption_key_raw`
+        to encrypt this disk. Only one of `kms_key_self_link`, `disk_encryption_key_rsa` and `disk_encryption_key_raw`
         may be set.
         """
         return pulumi.get(self, "disk_encryption_key_raw")
@@ -10860,6 +11505,19 @@ class InstanceBootDiskArgs:
     def disk_encryption_key_raw(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "disk_encryption_key_raw", value)
 
+    @property
+    @pulumi.getter(name="diskEncryptionKeyRsa")
+    def disk_encryption_key_rsa(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit [customer-supplied encryption key]
+        (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) to encrypt this disk. Only one of `kms_key_self_link`, `disk_encryption_key_rsa` and `disk_encryption_key_raw`
+        """
+        return pulumi.get(self, "disk_encryption_key_rsa")
+
+    @disk_encryption_key_rsa.setter
+    def disk_encryption_key_rsa(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "disk_encryption_key_rsa", value)
+
     @property
     @pulumi.getter(name="diskEncryptionKeySha256")
     def disk_encryption_key_sha256(self) -> Optional[pulumi.Input[str]]:
@@ -10874,6 +11532,30 @@ class InstanceBootDiskArgs:
     def disk_encryption_key_sha256(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "disk_encryption_key_sha256", value)
 
+    @property
+    @pulumi.getter(name="diskEncryptionServiceAccount")
+    def disk_encryption_service_account(self) -> Optional[pulumi.Input[str]]:
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        return pulumi.get(self, "disk_encryption_service_account")
+
+    @disk_encryption_service_account.setter
+    def disk_encryption_service_account(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "disk_encryption_service_account", value)
+
+    @property
+    @pulumi.getter(name="guestOsFeatures")
+    def guest_os_features(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        A list of features to enable on the guest operating system. Applicable only for bootable images. Read [Enabling guest operating system features](https://cloud.google.com/compute/docs/images/create-delete-deprecate-private-images#guest-os-features) to see a list of available options.
+        """
+        return pulumi.get(self, "guest_os_features")
+
+    @guest_os_features.setter
+    def guest_os_features(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "guest_os_features", value)
+
     @property
     @pulumi.getter(name="initializeParams")
     def initialize_params(self) -> Optional[pulumi.Input['InstanceBootDiskInitializeParamsArgs']]:
@@ -10905,8 +11587,9 @@ class InstanceBootDiskArgs:
     def kms_key_self_link(self) -> Optional[pulumi.Input[str]]:
         """
         The self_link of the encryption key that is
-        stored in Google Cloud KMS to encrypt this disk. Only one of `kms_key_self_link`
-        and `disk_encryption_key_raw` may be set.
+        stored in Google Cloud KMS to encrypt this disk. Only one of `kms_key_self_link`,
+        `disk_encryption_key_rsa` and `disk_encryption_key_raw`
+        may be set.
         """
         return pulumi.get(self, "kms_key_self_link")
 
@@ -10944,6 +11627,10 @@ class InstanceBootDiskArgs:
 
 if not MYPY:
     class InstanceBootDiskInitializeParamsArgsDict(TypedDict):
+        architecture: NotRequired[pulumi.Input[str]]
+        """
+        The architecture of the attached disk. Valid values are `ARM64` or `x86_64`.
+        """
         enable_confidential_compute: NotRequired[pulumi.Input[bool]]
         """
         Whether this disk is using confidential compute mode.
@@ -10999,6 +11686,18 @@ if not MYPY:
         The size of the image in gigabytes. If not specified, it
         will inherit the size of its base image.
         """
+        snapshot: NotRequired[pulumi.Input[str]]
+        """
+        The snapshot from which to initialize this disk. To create a disk with a snapshot that you created, specify the snapshot name in the following format: `global/snapshots/my-backup`
+        """
+        source_image_encryption_key: NotRequired[pulumi.Input['InstanceBootDiskInitializeParamsSourceImageEncryptionKeyArgsDict']]
+        """
+        Encryption key used to decrypt the given image. Structure is documented below.
+        """
+        source_snapshot_encryption_key: NotRequired[pulumi.Input['InstanceBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgsDict']]
+        """
+        Encryption key used to decrypt the given snapshot. Structure is documented below.
+        """
         storage_pool: NotRequired[pulumi.Input[str]]
         """
         The URL or the name of the storage pool in which the new disk is created.
@@ -11018,6 +11717,7 @@ elif False:
 @pulumi.input_type
 class InstanceBootDiskInitializeParamsArgs:
     def __init__(__self__, *,
+                 architecture: Optional[pulumi.Input[str]] = None,
                  enable_confidential_compute: Optional[pulumi.Input[bool]] = None,
                  image: Optional[pulumi.Input[str]] = None,
                  labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
@@ -11026,9 +11726,13 @@ class InstanceBootDiskInitializeParamsArgs:
                  resource_manager_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  resource_policies: Optional[pulumi.Input[str]] = None,
                  size: Optional[pulumi.Input[int]] = None,
+                 snapshot: Optional[pulumi.Input[str]] = None,
+                 source_image_encryption_key: Optional[pulumi.Input['InstanceBootDiskInitializeParamsSourceImageEncryptionKeyArgs']] = None,
+                 source_snapshot_encryption_key: Optional[pulumi.Input['InstanceBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgs']] = None,
                  storage_pool: Optional[pulumi.Input[str]] = None,
                  type: Optional[pulumi.Input[str]] = None):
         """
+        :param pulumi.Input[str] architecture: The architecture of the attached disk. Valid values are `ARM64` or `x86_64`.
         :param pulumi.Input[bool] enable_confidential_compute: Whether this disk is using confidential compute mode.
                Note: Only supported on hyperdisk skus, disk_encryption_key is required when setting to true.
         :param pulumi.Input[str] image: The image from which to initialize this disk. This can be
@@ -11060,6 +11764,9 @@ class InstanceBootDiskInitializeParamsArgs:
         :param pulumi.Input[str] resource_policies: A list of self_links of resource policies to attach to the instance's boot disk. Modifying this list will cause the instance to recreate, so any external values are not set until the user specifies this field. Currently a max of 1 resource policy is supported.
         :param pulumi.Input[int] size: The size of the image in gigabytes. If not specified, it
                will inherit the size of its base image.
+        :param pulumi.Input[str] snapshot: The snapshot from which to initialize this disk. To create a disk with a snapshot that you created, specify the snapshot name in the following format: `global/snapshots/my-backup`
+        :param pulumi.Input['InstanceBootDiskInitializeParamsSourceImageEncryptionKeyArgs'] source_image_encryption_key: Encryption key used to decrypt the given image. Structure is documented below.
+        :param pulumi.Input['InstanceBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgs'] source_snapshot_encryption_key: Encryption key used to decrypt the given snapshot. Structure is documented below.
         :param pulumi.Input[str] storage_pool: The URL or the name of the storage pool in which the new disk is created.
                For example:
                * https://www.googleapis.com/compute/v1/projects/{project}/zones/{zone}/storagePools/{storagePool}
@@ -11068,6 +11775,8 @@ class InstanceBootDiskInitializeParamsArgs:
                * /{storagePool}
         :param pulumi.Input[str] type: The GCE disk type. Such as pd-standard, pd-balanced or pd-ssd.
         """
+        if architecture is not None:
+            pulumi.set(__self__, "architecture", architecture)
         if enable_confidential_compute is not None:
             pulumi.set(__self__, "enable_confidential_compute", enable_confidential_compute)
         if image is not None:
@@ -11084,11 +11793,29 @@ class InstanceBootDiskInitializeParamsArgs:
             pulumi.set(__self__, "resource_policies", resource_policies)
         if size is not None:
             pulumi.set(__self__, "size", size)
+        if snapshot is not None:
+            pulumi.set(__self__, "snapshot", snapshot)
+        if source_image_encryption_key is not None:
+            pulumi.set(__self__, "source_image_encryption_key", source_image_encryption_key)
+        if source_snapshot_encryption_key is not None:
+            pulumi.set(__self__, "source_snapshot_encryption_key", source_snapshot_encryption_key)
         if storage_pool is not None:
             pulumi.set(__self__, "storage_pool", storage_pool)
         if type is not None:
             pulumi.set(__self__, "type", type)
 
+    @property
+    @pulumi.getter
+    def architecture(self) -> Optional[pulumi.Input[str]]:
+        """
+        The architecture of the attached disk. Valid values are `ARM64` or `x86_64`.
+        """
+        return pulumi.get(self, "architecture")
+
+    @architecture.setter
+    def architecture(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "architecture", value)
+
     @property
     @pulumi.getter(name="enableConfidentialCompute")
     def enable_confidential_compute(self) -> Optional[pulumi.Input[bool]]:
@@ -11208,6 +11935,42 @@ class InstanceBootDiskInitializeParamsArgs:
     def size(self, value: Optional[pulumi.Input[int]]):
         pulumi.set(self, "size", value)
 
+    @property
+    @pulumi.getter
+    def snapshot(self) -> Optional[pulumi.Input[str]]:
+        """
+        The snapshot from which to initialize this disk. To create a disk with a snapshot that you created, specify the snapshot name in the following format: `global/snapshots/my-backup`
+        """
+        return pulumi.get(self, "snapshot")
+
+    @snapshot.setter
+    def snapshot(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "snapshot", value)
+
+    @property
+    @pulumi.getter(name="sourceImageEncryptionKey")
+    def source_image_encryption_key(self) -> Optional[pulumi.Input['InstanceBootDiskInitializeParamsSourceImageEncryptionKeyArgs']]:
+        """
+        Encryption key used to decrypt the given image. Structure is documented below.
+        """
+        return pulumi.get(self, "source_image_encryption_key")
+
+    @source_image_encryption_key.setter
+    def source_image_encryption_key(self, value: Optional[pulumi.Input['InstanceBootDiskInitializeParamsSourceImageEncryptionKeyArgs']]):
+        pulumi.set(self, "source_image_encryption_key", value)
+
+    @property
+    @pulumi.getter(name="sourceSnapshotEncryptionKey")
+    def source_snapshot_encryption_key(self) -> Optional[pulumi.Input['InstanceBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgs']]:
+        """
+        Encryption key used to decrypt the given snapshot. Structure is documented below.
+        """
+        return pulumi.get(self, "source_snapshot_encryption_key")
+
+    @source_snapshot_encryption_key.setter
+    def source_snapshot_encryption_key(self, value: Optional[pulumi.Input['InstanceBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgs']]):
+        pulumi.set(self, "source_snapshot_encryption_key", value)
+
     @property
     @pulumi.getter(name="storagePool")
     def storage_pool(self) -> Optional[pulumi.Input[str]]:
@@ -11238,6 +12001,266 @@ class InstanceBootDiskInitializeParamsArgs:
         pulumi.set(self, "type", value)
 
 
+if not MYPY:
+    class InstanceBootDiskInitializeParamsSourceImageEncryptionKeyArgsDict(TypedDict):
+        kms_key_self_link: NotRequired[pulumi.Input[str]]
+        """
+        The self link of the encryption key that is stored in Google Cloud KMS. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        kms_key_service_account: NotRequired[pulumi.Input[str]]
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        raw_key: NotRequired[pulumi.Input[str]]
+        """
+        Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        rsa_encrypted_key: NotRequired[pulumi.Input[str]]
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        sha256: NotRequired[pulumi.Input[str]]
+        """
+        The [RFC 4648 base64](https://tools.ietf.org/html/rfc4648#section-4)
+        encoded SHA-256 hash of the [customer-supplied encryption key]
+        (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) that protects this resource.
+        """
+elif False:
+    InstanceBootDiskInitializeParamsSourceImageEncryptionKeyArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class InstanceBootDiskInitializeParamsSourceImageEncryptionKeyArgs:
+    def __init__(__self__, *,
+                 kms_key_self_link: Optional[pulumi.Input[str]] = None,
+                 kms_key_service_account: Optional[pulumi.Input[str]] = None,
+                 raw_key: Optional[pulumi.Input[str]] = None,
+                 rsa_encrypted_key: Optional[pulumi.Input[str]] = None,
+                 sha256: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] kms_key_self_link: The self link of the encryption key that is stored in Google Cloud KMS. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        :param pulumi.Input[str] kms_key_service_account: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        :param pulumi.Input[str] raw_key: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        :param pulumi.Input[str] rsa_encrypted_key: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        :param pulumi.Input[str] sha256: The [RFC 4648 base64](https://tools.ietf.org/html/rfc4648#section-4)
+               encoded SHA-256 hash of the [customer-supplied encryption key]
+               (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) that protects this resource.
+        """
+        if kms_key_self_link is not None:
+            pulumi.set(__self__, "kms_key_self_link", kms_key_self_link)
+        if kms_key_service_account is not None:
+            pulumi.set(__self__, "kms_key_service_account", kms_key_service_account)
+        if raw_key is not None:
+            pulumi.set(__self__, "raw_key", raw_key)
+        if rsa_encrypted_key is not None:
+            pulumi.set(__self__, "rsa_encrypted_key", rsa_encrypted_key)
+        if sha256 is not None:
+            pulumi.set(__self__, "sha256", sha256)
+
+    @property
+    @pulumi.getter(name="kmsKeySelfLink")
+    def kms_key_self_link(self) -> Optional[pulumi.Input[str]]:
+        """
+        The self link of the encryption key that is stored in Google Cloud KMS. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        return pulumi.get(self, "kms_key_self_link")
+
+    @kms_key_self_link.setter
+    def kms_key_self_link(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_self_link", value)
+
+    @property
+    @pulumi.getter(name="kmsKeyServiceAccount")
+    def kms_key_service_account(self) -> Optional[pulumi.Input[str]]:
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        return pulumi.get(self, "kms_key_service_account")
+
+    @kms_key_service_account.setter
+    def kms_key_service_account(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_service_account", value)
+
+    @property
+    @pulumi.getter(name="rawKey")
+    def raw_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        return pulumi.get(self, "raw_key")
+
+    @raw_key.setter
+    def raw_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "raw_key", value)
+
+    @property
+    @pulumi.getter(name="rsaEncryptedKey")
+    def rsa_encrypted_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        return pulumi.get(self, "rsa_encrypted_key")
+
+    @rsa_encrypted_key.setter
+    def rsa_encrypted_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "rsa_encrypted_key", value)
+
+    @property
+    @pulumi.getter
+    def sha256(self) -> Optional[pulumi.Input[str]]:
+        """
+        The [RFC 4648 base64](https://tools.ietf.org/html/rfc4648#section-4)
+        encoded SHA-256 hash of the [customer-supplied encryption key]
+        (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) that protects this resource.
+        """
+        return pulumi.get(self, "sha256")
+
+    @sha256.setter
+    def sha256(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "sha256", value)
+
+
+if not MYPY:
+    class InstanceBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgsDict(TypedDict):
+        kms_key_self_link: NotRequired[pulumi.Input[str]]
+        """
+        The self_link of the encryption key that is
+        stored in Google Cloud KMS to decrypt the given image. Only one of `kms_key_self_link`, `rsa_encrypted_key` and `raw_key`
+        may be set.
+        """
+        kms_key_service_account: NotRequired[pulumi.Input[str]]
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        raw_key: NotRequired[pulumi.Input[str]]
+        """
+        A 256-bit [customer-supplied encryption key]
+        (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption),
+        encoded in [RFC 4648 base64](https://tools.ietf.org/html/rfc4648#section-4)
+        to decrypt the given snapshot. Only one of `kms_key_self_link`, `rsa_encrypted_key` and `raw_key`
+        may be set.
+        """
+        rsa_encrypted_key: NotRequired[pulumi.Input[str]]
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit [customer-supplied encryption key]
+        (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) to decrypt the given snapshot. Only one of `kms_key_self_link`, `rsa_encrypted_key` and `raw_key`
+        may be set.
+        """
+        sha256: NotRequired[pulumi.Input[str]]
+        """
+        The [RFC 4648 base64](https://tools.ietf.org/html/rfc4648#section-4)
+        encoded SHA-256 hash of the [customer-supplied encryption key]
+        (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) that protects this resource.
+        """
+elif False:
+    InstanceBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class InstanceBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgs:
+    def __init__(__self__, *,
+                 kms_key_self_link: Optional[pulumi.Input[str]] = None,
+                 kms_key_service_account: Optional[pulumi.Input[str]] = None,
+                 raw_key: Optional[pulumi.Input[str]] = None,
+                 rsa_encrypted_key: Optional[pulumi.Input[str]] = None,
+                 sha256: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] kms_key_self_link: The self_link of the encryption key that is
+               stored in Google Cloud KMS to decrypt the given image. Only one of `kms_key_self_link`, `rsa_encrypted_key` and `raw_key`
+               may be set.
+        :param pulumi.Input[str] kms_key_service_account: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        :param pulumi.Input[str] raw_key: A 256-bit [customer-supplied encryption key]
+               (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption),
+               encoded in [RFC 4648 base64](https://tools.ietf.org/html/rfc4648#section-4)
+               to decrypt the given snapshot. Only one of `kms_key_self_link`, `rsa_encrypted_key` and `raw_key`
+               may be set.
+        :param pulumi.Input[str] rsa_encrypted_key: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit [customer-supplied encryption key]
+               (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) to decrypt the given snapshot. Only one of `kms_key_self_link`, `rsa_encrypted_key` and `raw_key`
+               may be set.
+        :param pulumi.Input[str] sha256: The [RFC 4648 base64](https://tools.ietf.org/html/rfc4648#section-4)
+               encoded SHA-256 hash of the [customer-supplied encryption key]
+               (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) that protects this resource.
+        """
+        if kms_key_self_link is not None:
+            pulumi.set(__self__, "kms_key_self_link", kms_key_self_link)
+        if kms_key_service_account is not None:
+            pulumi.set(__self__, "kms_key_service_account", kms_key_service_account)
+        if raw_key is not None:
+            pulumi.set(__self__, "raw_key", raw_key)
+        if rsa_encrypted_key is not None:
+            pulumi.set(__self__, "rsa_encrypted_key", rsa_encrypted_key)
+        if sha256 is not None:
+            pulumi.set(__self__, "sha256", sha256)
+
+    @property
+    @pulumi.getter(name="kmsKeySelfLink")
+    def kms_key_self_link(self) -> Optional[pulumi.Input[str]]:
+        """
+        The self_link of the encryption key that is
+        stored in Google Cloud KMS to decrypt the given image. Only one of `kms_key_self_link`, `rsa_encrypted_key` and `raw_key`
+        may be set.
+        """
+        return pulumi.get(self, "kms_key_self_link")
+
+    @kms_key_self_link.setter
+    def kms_key_self_link(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_self_link", value)
+
+    @property
+    @pulumi.getter(name="kmsKeyServiceAccount")
+    def kms_key_service_account(self) -> Optional[pulumi.Input[str]]:
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        return pulumi.get(self, "kms_key_service_account")
+
+    @kms_key_service_account.setter
+    def kms_key_service_account(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_service_account", value)
+
+    @property
+    @pulumi.getter(name="rawKey")
+    def raw_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        A 256-bit [customer-supplied encryption key]
+        (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption),
+        encoded in [RFC 4648 base64](https://tools.ietf.org/html/rfc4648#section-4)
+        to decrypt the given snapshot. Only one of `kms_key_self_link`, `rsa_encrypted_key` and `raw_key`
+        may be set.
+        """
+        return pulumi.get(self, "raw_key")
+
+    @raw_key.setter
+    def raw_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "raw_key", value)
+
+    @property
+    @pulumi.getter(name="rsaEncryptedKey")
+    def rsa_encrypted_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit [customer-supplied encryption key]
+        (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) to decrypt the given snapshot. Only one of `kms_key_self_link`, `rsa_encrypted_key` and `raw_key`
+        may be set.
+        """
+        return pulumi.get(self, "rsa_encrypted_key")
+
+    @rsa_encrypted_key.setter
+    def rsa_encrypted_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "rsa_encrypted_key", value)
+
+    @property
+    @pulumi.getter
+    def sha256(self) -> Optional[pulumi.Input[str]]:
+        """
+        The [RFC 4648 base64](https://tools.ietf.org/html/rfc4648#section-4)
+        encoded SHA-256 hash of the [customer-supplied encryption key]
+        (https://cloud.google.com/compute/docs/disks/customer-supplied-encryption) that protects this resource.
+        """
+        return pulumi.get(self, "sha256")
+
+    @sha256.setter
+    def sha256(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "sha256", value)
+
+
 if not MYPY:
     class InstanceConfidentialInstanceConfigArgsDict(TypedDict):
         confidential_instance_type: NotRequired[pulumi.Input[str]]
@@ -11434,15 +12457,23 @@ if not MYPY:
         """
         disk_encryption_key_raw: NotRequired[pulumi.Input[str]]
         """
-        A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_rsa and disk_encryption_key_raw may be set.
+        """
+        disk_encryption_key_rsa: NotRequired[pulumi.Input[str]]
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, disk_encryption_key_rsa and disk_encryption_key_raw may be set.
         """
         disk_encryption_key_sha256: NotRequired[pulumi.Input[str]]
         """
         The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.
         """
+        disk_encryption_service_account: NotRequired[pulumi.Input[str]]
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used
+        """
         kms_key_self_link: NotRequired[pulumi.Input[str]]
         """
-        The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_rsa and disk_encryption_key_raw may be set.
         """
         mode: NotRequired[pulumi.Input[str]]
         """
@@ -11457,15 +12488,19 @@ class InstanceFromMachineImageAttachedDiskArgs:
                  source: pulumi.Input[str],
                  device_name: Optional[pulumi.Input[str]] = None,
                  disk_encryption_key_raw: Optional[pulumi.Input[str]] = None,
+                 disk_encryption_key_rsa: Optional[pulumi.Input[str]] = None,
                  disk_encryption_key_sha256: Optional[pulumi.Input[str]] = None,
+                 disk_encryption_service_account: Optional[pulumi.Input[str]] = None,
                  kms_key_self_link: Optional[pulumi.Input[str]] = None,
                  mode: Optional[pulumi.Input[str]] = None):
         """
         :param pulumi.Input[str] source: The name or self_link of the disk attached to this instance.
         :param pulumi.Input[str] device_name: Name with which the attached disk is accessible under /dev/disk/by-id/
-        :param pulumi.Input[str] disk_encryption_key_raw: A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        :param pulumi.Input[str] disk_encryption_key_raw: A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_rsa and disk_encryption_key_raw may be set.
+        :param pulumi.Input[str] disk_encryption_key_rsa: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, disk_encryption_key_rsa and disk_encryption_key_raw may be set.
         :param pulumi.Input[str] disk_encryption_key_sha256: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.
-        :param pulumi.Input[str] kms_key_self_link: The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        :param pulumi.Input[str] disk_encryption_service_account: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used
+        :param pulumi.Input[str] kms_key_self_link: The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_rsa and disk_encryption_key_raw may be set.
         :param pulumi.Input[str] mode: Read/write mode for the disk. One of "READ_ONLY" or "READ_WRITE".
         """
         pulumi.set(__self__, "source", source)
@@ -11473,8 +12508,12 @@ class InstanceFromMachineImageAttachedDiskArgs:
             pulumi.set(__self__, "device_name", device_name)
         if disk_encryption_key_raw is not None:
             pulumi.set(__self__, "disk_encryption_key_raw", disk_encryption_key_raw)
+        if disk_encryption_key_rsa is not None:
+            pulumi.set(__self__, "disk_encryption_key_rsa", disk_encryption_key_rsa)
         if disk_encryption_key_sha256 is not None:
             pulumi.set(__self__, "disk_encryption_key_sha256", disk_encryption_key_sha256)
+        if disk_encryption_service_account is not None:
+            pulumi.set(__self__, "disk_encryption_service_account", disk_encryption_service_account)
         if kms_key_self_link is not None:
             pulumi.set(__self__, "kms_key_self_link", kms_key_self_link)
         if mode is not None:
@@ -11508,7 +12547,7 @@ class InstanceFromMachineImageAttachedDiskArgs:
     @pulumi.getter(name="diskEncryptionKeyRaw")
     def disk_encryption_key_raw(self) -> Optional[pulumi.Input[str]]:
         """
-        A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_rsa and disk_encryption_key_raw may be set.
         """
         return pulumi.get(self, "disk_encryption_key_raw")
 
@@ -11516,6 +12555,18 @@ class InstanceFromMachineImageAttachedDiskArgs:
     def disk_encryption_key_raw(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "disk_encryption_key_raw", value)
 
+    @property
+    @pulumi.getter(name="diskEncryptionKeyRsa")
+    def disk_encryption_key_rsa(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, disk_encryption_key_rsa and disk_encryption_key_raw may be set.
+        """
+        return pulumi.get(self, "disk_encryption_key_rsa")
+
+    @disk_encryption_key_rsa.setter
+    def disk_encryption_key_rsa(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "disk_encryption_key_rsa", value)
+
     @property
     @pulumi.getter(name="diskEncryptionKeySha256")
     def disk_encryption_key_sha256(self) -> Optional[pulumi.Input[str]]:
@@ -11528,11 +12579,23 @@ class InstanceFromMachineImageAttachedDiskArgs:
     def disk_encryption_key_sha256(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "disk_encryption_key_sha256", value)
 
+    @property
+    @pulumi.getter(name="diskEncryptionServiceAccount")
+    def disk_encryption_service_account(self) -> Optional[pulumi.Input[str]]:
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used
+        """
+        return pulumi.get(self, "disk_encryption_service_account")
+
+    @disk_encryption_service_account.setter
+    def disk_encryption_service_account(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "disk_encryption_service_account", value)
+
     @property
     @pulumi.getter(name="kmsKeySelfLink")
     def kms_key_self_link(self) -> Optional[pulumi.Input[str]]:
         """
-        The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_rsa and disk_encryption_key_raw may be set.
         """
         return pulumi.get(self, "kms_key_self_link")
 
@@ -11565,12 +12628,24 @@ if not MYPY:
         """
         disk_encryption_key_raw: NotRequired[pulumi.Input[str]]
         """
-        A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_raw and disk_encryption_key_rsa may be set.
+        """
+        disk_encryption_key_rsa: NotRequired[pulumi.Input[str]]
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, disk_encryption_key_raw and disk_encryption_key_rsa may be set.
         """
         disk_encryption_key_sha256: NotRequired[pulumi.Input[str]]
         """
         The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.
         """
+        disk_encryption_service_account: NotRequired[pulumi.Input[str]]
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used
+        """
+        guest_os_features: NotRequired[pulumi.Input[Sequence[pulumi.Input[str]]]]
+        """
+        A list of features to enable on the guest operating system. Applicable only for bootable images.
+        """
         initialize_params: NotRequired[pulumi.Input['InstanceFromMachineImageBootDiskInitializeParamsArgsDict']]
         """
         Parameters with which a disk was created alongside the instance.
@@ -11581,7 +12656,7 @@ if not MYPY:
         """
         kms_key_self_link: NotRequired[pulumi.Input[str]]
         """
-        The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_raw and disk_encryption_key_rsa may be set.
         """
         mode: NotRequired[pulumi.Input[str]]
         """
@@ -11600,7 +12675,10 @@ class InstanceFromMachineImageBootDiskArgs:
                  auto_delete: Optional[pulumi.Input[bool]] = None,
                  device_name: Optional[pulumi.Input[str]] = None,
                  disk_encryption_key_raw: Optional[pulumi.Input[str]] = None,
+                 disk_encryption_key_rsa: Optional[pulumi.Input[str]] = None,
                  disk_encryption_key_sha256: Optional[pulumi.Input[str]] = None,
+                 disk_encryption_service_account: Optional[pulumi.Input[str]] = None,
+                 guest_os_features: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  initialize_params: Optional[pulumi.Input['InstanceFromMachineImageBootDiskInitializeParamsArgs']] = None,
                  interface: Optional[pulumi.Input[str]] = None,
                  kms_key_self_link: Optional[pulumi.Input[str]] = None,
@@ -11609,11 +12687,14 @@ class InstanceFromMachineImageBootDiskArgs:
         """
         :param pulumi.Input[bool] auto_delete: Whether the disk will be auto-deleted when the instance is deleted.
         :param pulumi.Input[str] device_name: Name with which attached disk will be accessible under /dev/disk/by-id/
-        :param pulumi.Input[str] disk_encryption_key_raw: A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        :param pulumi.Input[str] disk_encryption_key_raw: A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_raw and disk_encryption_key_rsa may be set.
+        :param pulumi.Input[str] disk_encryption_key_rsa: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, disk_encryption_key_raw and disk_encryption_key_rsa may be set.
         :param pulumi.Input[str] disk_encryption_key_sha256: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.
+        :param pulumi.Input[str] disk_encryption_service_account: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] guest_os_features: A list of features to enable on the guest operating system. Applicable only for bootable images.
         :param pulumi.Input['InstanceFromMachineImageBootDiskInitializeParamsArgs'] initialize_params: Parameters with which a disk was created alongside the instance.
         :param pulumi.Input[str] interface: The disk interface used for attaching this disk. One of SCSI or NVME. (This field is shared with attached_disk and only used for specific cases, please don't specify this field without advice from Google.)
-        :param pulumi.Input[str] kms_key_self_link: The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        :param pulumi.Input[str] kms_key_self_link: The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_raw and disk_encryption_key_rsa may be set.
         :param pulumi.Input[str] mode: Read/write mode for the disk. One of "READ_ONLY" or "READ_WRITE".
         :param pulumi.Input[str] source: The name or self_link of the disk attached to this instance.
         """
@@ -11623,8 +12704,14 @@ class InstanceFromMachineImageBootDiskArgs:
             pulumi.set(__self__, "device_name", device_name)
         if disk_encryption_key_raw is not None:
             pulumi.set(__self__, "disk_encryption_key_raw", disk_encryption_key_raw)
+        if disk_encryption_key_rsa is not None:
+            pulumi.set(__self__, "disk_encryption_key_rsa", disk_encryption_key_rsa)
         if disk_encryption_key_sha256 is not None:
             pulumi.set(__self__, "disk_encryption_key_sha256", disk_encryption_key_sha256)
+        if disk_encryption_service_account is not None:
+            pulumi.set(__self__, "disk_encryption_service_account", disk_encryption_service_account)
+        if guest_os_features is not None:
+            pulumi.set(__self__, "guest_os_features", guest_os_features)
         if initialize_params is not None:
             pulumi.set(__self__, "initialize_params", initialize_params)
         if interface is not None:
@@ -11664,7 +12751,7 @@ class InstanceFromMachineImageBootDiskArgs:
     @pulumi.getter(name="diskEncryptionKeyRaw")
     def disk_encryption_key_raw(self) -> Optional[pulumi.Input[str]]:
         """
-        A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_raw and disk_encryption_key_rsa may be set.
         """
         return pulumi.get(self, "disk_encryption_key_raw")
 
@@ -11672,6 +12759,18 @@ class InstanceFromMachineImageBootDiskArgs:
     def disk_encryption_key_raw(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "disk_encryption_key_raw", value)
 
+    @property
+    @pulumi.getter(name="diskEncryptionKeyRsa")
+    def disk_encryption_key_rsa(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, disk_encryption_key_raw and disk_encryption_key_rsa may be set.
+        """
+        return pulumi.get(self, "disk_encryption_key_rsa")
+
+    @disk_encryption_key_rsa.setter
+    def disk_encryption_key_rsa(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "disk_encryption_key_rsa", value)
+
     @property
     @pulumi.getter(name="diskEncryptionKeySha256")
     def disk_encryption_key_sha256(self) -> Optional[pulumi.Input[str]]:
@@ -11684,6 +12783,30 @@ class InstanceFromMachineImageBootDiskArgs:
     def disk_encryption_key_sha256(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "disk_encryption_key_sha256", value)
 
+    @property
+    @pulumi.getter(name="diskEncryptionServiceAccount")
+    def disk_encryption_service_account(self) -> Optional[pulumi.Input[str]]:
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used
+        """
+        return pulumi.get(self, "disk_encryption_service_account")
+
+    @disk_encryption_service_account.setter
+    def disk_encryption_service_account(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "disk_encryption_service_account", value)
+
+    @property
+    @pulumi.getter(name="guestOsFeatures")
+    def guest_os_features(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        A list of features to enable on the guest operating system. Applicable only for bootable images.
+        """
+        return pulumi.get(self, "guest_os_features")
+
+    @guest_os_features.setter
+    def guest_os_features(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "guest_os_features", value)
+
     @property
     @pulumi.getter(name="initializeParams")
     def initialize_params(self) -> Optional[pulumi.Input['InstanceFromMachineImageBootDiskInitializeParamsArgs']]:
@@ -11712,7 +12835,7 @@ class InstanceFromMachineImageBootDiskArgs:
     @pulumi.getter(name="kmsKeySelfLink")
     def kms_key_self_link(self) -> Optional[pulumi.Input[str]]:
         """
-        The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_raw and disk_encryption_key_rsa may be set.
         """
         return pulumi.get(self, "kms_key_self_link")
 
@@ -11747,6 +12870,10 @@ class InstanceFromMachineImageBootDiskArgs:
 
 if not MYPY:
     class InstanceFromMachineImageBootDiskInitializeParamsArgsDict(TypedDict):
+        architecture: NotRequired[pulumi.Input[str]]
+        """
+        The architecture of the disk. One of "X86_64" or "ARM64".
+        """
         enable_confidential_compute: NotRequired[pulumi.Input[bool]]
         """
         A flag to enable confidential compute mode on boot disk
@@ -11779,6 +12906,18 @@ if not MYPY:
         """
         The size of the image in gigabytes.
         """
+        snapshot: NotRequired[pulumi.Input[str]]
+        """
+        The snapshot from which this disk was initialised.
+        """
+        source_image_encryption_key: NotRequired[pulumi.Input['InstanceFromMachineImageBootDiskInitializeParamsSourceImageEncryptionKeyArgsDict']]
+        """
+        The encryption key used to decrypt the source image.
+        """
+        source_snapshot_encryption_key: NotRequired[pulumi.Input['InstanceFromMachineImageBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgsDict']]
+        """
+        The encryption key used to decrypt the source snapshot.
+        """
         storage_pool: NotRequired[pulumi.Input[str]]
         """
         The URL of the storage pool in which the new disk is created
@@ -11793,6 +12932,7 @@ elif False:
 @pulumi.input_type
 class InstanceFromMachineImageBootDiskInitializeParamsArgs:
     def __init__(__self__, *,
+                 architecture: Optional[pulumi.Input[str]] = None,
                  enable_confidential_compute: Optional[pulumi.Input[bool]] = None,
                  image: Optional[pulumi.Input[str]] = None,
                  labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
@@ -11801,9 +12941,13 @@ class InstanceFromMachineImageBootDiskInitializeParamsArgs:
                  resource_manager_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  resource_policies: Optional[pulumi.Input[str]] = None,
                  size: Optional[pulumi.Input[int]] = None,
+                 snapshot: Optional[pulumi.Input[str]] = None,
+                 source_image_encryption_key: Optional[pulumi.Input['InstanceFromMachineImageBootDiskInitializeParamsSourceImageEncryptionKeyArgs']] = None,
+                 source_snapshot_encryption_key: Optional[pulumi.Input['InstanceFromMachineImageBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgs']] = None,
                  storage_pool: Optional[pulumi.Input[str]] = None,
                  type: Optional[pulumi.Input[str]] = None):
         """
+        :param pulumi.Input[str] architecture: The architecture of the disk. One of "X86_64" or "ARM64".
         :param pulumi.Input[bool] enable_confidential_compute: A flag to enable confidential compute mode on boot disk
         :param pulumi.Input[str] image: The image from which this disk was initialised.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] labels: A set of key/value label pairs assigned to the disk.
@@ -11812,9 +12956,14 @@ class InstanceFromMachineImageBootDiskInitializeParamsArgs:
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] resource_manager_tags: A map of resource manager tags. Resource manager tag keys and values have the same definition as resource manager tags. Keys must be in the format tagKeys/{tag_key_id}, and values are in the format tagValues/456. The field is ignored (both PUT & PATCH) when empty.
         :param pulumi.Input[str] resource_policies: A list of self_links of resource policies to attach to the instance's boot disk. Modifying this list will cause the instance to recreate. Currently a max of 1 resource policy is supported.
         :param pulumi.Input[int] size: The size of the image in gigabytes.
+        :param pulumi.Input[str] snapshot: The snapshot from which this disk was initialised.
+        :param pulumi.Input['InstanceFromMachineImageBootDiskInitializeParamsSourceImageEncryptionKeyArgs'] source_image_encryption_key: The encryption key used to decrypt the source image.
+        :param pulumi.Input['InstanceFromMachineImageBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgs'] source_snapshot_encryption_key: The encryption key used to decrypt the source snapshot.
         :param pulumi.Input[str] storage_pool: The URL of the storage pool in which the new disk is created
         :param pulumi.Input[str] type: The Google Compute Engine disk type. Such as pd-standard, pd-ssd or pd-balanced.
         """
+        if architecture is not None:
+            pulumi.set(__self__, "architecture", architecture)
         if enable_confidential_compute is not None:
             pulumi.set(__self__, "enable_confidential_compute", enable_confidential_compute)
         if image is not None:
@@ -11831,11 +12980,29 @@ class InstanceFromMachineImageBootDiskInitializeParamsArgs:
             pulumi.set(__self__, "resource_policies", resource_policies)
         if size is not None:
             pulumi.set(__self__, "size", size)
+        if snapshot is not None:
+            pulumi.set(__self__, "snapshot", snapshot)
+        if source_image_encryption_key is not None:
+            pulumi.set(__self__, "source_image_encryption_key", source_image_encryption_key)
+        if source_snapshot_encryption_key is not None:
+            pulumi.set(__self__, "source_snapshot_encryption_key", source_snapshot_encryption_key)
         if storage_pool is not None:
             pulumi.set(__self__, "storage_pool", storage_pool)
         if type is not None:
             pulumi.set(__self__, "type", type)
 
+    @property
+    @pulumi.getter
+    def architecture(self) -> Optional[pulumi.Input[str]]:
+        """
+        The architecture of the disk. One of "X86_64" or "ARM64".
+        """
+        return pulumi.get(self, "architecture")
+
+    @architecture.setter
+    def architecture(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "architecture", value)
+
     @property
     @pulumi.getter(name="enableConfidentialCompute")
     def enable_confidential_compute(self) -> Optional[pulumi.Input[bool]]:
@@ -11932,6 +13099,42 @@ class InstanceFromMachineImageBootDiskInitializeParamsArgs:
     def size(self, value: Optional[pulumi.Input[int]]):
         pulumi.set(self, "size", value)
 
+    @property
+    @pulumi.getter
+    def snapshot(self) -> Optional[pulumi.Input[str]]:
+        """
+        The snapshot from which this disk was initialised.
+        """
+        return pulumi.get(self, "snapshot")
+
+    @snapshot.setter
+    def snapshot(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "snapshot", value)
+
+    @property
+    @pulumi.getter(name="sourceImageEncryptionKey")
+    def source_image_encryption_key(self) -> Optional[pulumi.Input['InstanceFromMachineImageBootDiskInitializeParamsSourceImageEncryptionKeyArgs']]:
+        """
+        The encryption key used to decrypt the source image.
+        """
+        return pulumi.get(self, "source_image_encryption_key")
+
+    @source_image_encryption_key.setter
+    def source_image_encryption_key(self, value: Optional[pulumi.Input['InstanceFromMachineImageBootDiskInitializeParamsSourceImageEncryptionKeyArgs']]):
+        pulumi.set(self, "source_image_encryption_key", value)
+
+    @property
+    @pulumi.getter(name="sourceSnapshotEncryptionKey")
+    def source_snapshot_encryption_key(self) -> Optional[pulumi.Input['InstanceFromMachineImageBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgs']]:
+        """
+        The encryption key used to decrypt the source snapshot.
+        """
+        return pulumi.get(self, "source_snapshot_encryption_key")
+
+    @source_snapshot_encryption_key.setter
+    def source_snapshot_encryption_key(self, value: Optional[pulumi.Input['InstanceFromMachineImageBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgs']]):
+        pulumi.set(self, "source_snapshot_encryption_key", value)
+
     @property
     @pulumi.getter(name="storagePool")
     def storage_pool(self) -> Optional[pulumi.Input[str]]:
@@ -11957,6 +13160,230 @@ class InstanceFromMachineImageBootDiskInitializeParamsArgs:
         pulumi.set(self, "type", value)
 
 
+if not MYPY:
+    class InstanceFromMachineImageBootDiskInitializeParamsSourceImageEncryptionKeyArgsDict(TypedDict):
+        kms_key_self_link: NotRequired[pulumi.Input[str]]
+        """
+        The self link of the encryption key that is stored in Google Cloud KMS. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        kms_key_service_account: NotRequired[pulumi.Input[str]]
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        raw_key: NotRequired[pulumi.Input[str]]
+        """
+        Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        rsa_encrypted_key: NotRequired[pulumi.Input[str]]
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        sha256: NotRequired[pulumi.Input[str]]
+        """
+        The SHA256 hash of the encryption key used to encrypt this disk.
+        """
+elif False:
+    InstanceFromMachineImageBootDiskInitializeParamsSourceImageEncryptionKeyArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class InstanceFromMachineImageBootDiskInitializeParamsSourceImageEncryptionKeyArgs:
+    def __init__(__self__, *,
+                 kms_key_self_link: Optional[pulumi.Input[str]] = None,
+                 kms_key_service_account: Optional[pulumi.Input[str]] = None,
+                 raw_key: Optional[pulumi.Input[str]] = None,
+                 rsa_encrypted_key: Optional[pulumi.Input[str]] = None,
+                 sha256: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] kms_key_self_link: The self link of the encryption key that is stored in Google Cloud KMS. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        :param pulumi.Input[str] kms_key_service_account: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        :param pulumi.Input[str] raw_key: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        :param pulumi.Input[str] rsa_encrypted_key: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        :param pulumi.Input[str] sha256: The SHA256 hash of the encryption key used to encrypt this disk.
+        """
+        if kms_key_self_link is not None:
+            pulumi.set(__self__, "kms_key_self_link", kms_key_self_link)
+        if kms_key_service_account is not None:
+            pulumi.set(__self__, "kms_key_service_account", kms_key_service_account)
+        if raw_key is not None:
+            pulumi.set(__self__, "raw_key", raw_key)
+        if rsa_encrypted_key is not None:
+            pulumi.set(__self__, "rsa_encrypted_key", rsa_encrypted_key)
+        if sha256 is not None:
+            pulumi.set(__self__, "sha256", sha256)
+
+    @property
+    @pulumi.getter(name="kmsKeySelfLink")
+    def kms_key_self_link(self) -> Optional[pulumi.Input[str]]:
+        """
+        The self link of the encryption key that is stored in Google Cloud KMS. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        return pulumi.get(self, "kms_key_self_link")
+
+    @kms_key_self_link.setter
+    def kms_key_self_link(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_self_link", value)
+
+    @property
+    @pulumi.getter(name="kmsKeyServiceAccount")
+    def kms_key_service_account(self) -> Optional[pulumi.Input[str]]:
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        return pulumi.get(self, "kms_key_service_account")
+
+    @kms_key_service_account.setter
+    def kms_key_service_account(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_service_account", value)
+
+    @property
+    @pulumi.getter(name="rawKey")
+    def raw_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        return pulumi.get(self, "raw_key")
+
+    @raw_key.setter
+    def raw_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "raw_key", value)
+
+    @property
+    @pulumi.getter(name="rsaEncryptedKey")
+    def rsa_encrypted_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        return pulumi.get(self, "rsa_encrypted_key")
+
+    @rsa_encrypted_key.setter
+    def rsa_encrypted_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "rsa_encrypted_key", value)
+
+    @property
+    @pulumi.getter
+    def sha256(self) -> Optional[pulumi.Input[str]]:
+        """
+        The SHA256 hash of the encryption key used to encrypt this disk.
+        """
+        return pulumi.get(self, "sha256")
+
+    @sha256.setter
+    def sha256(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "sha256", value)
+
+
+if not MYPY:
+    class InstanceFromMachineImageBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgsDict(TypedDict):
+        kms_key_self_link: NotRequired[pulumi.Input[str]]
+        """
+        The self link of the encryption key that is stored in Google Cloud KMS. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        kms_key_service_account: NotRequired[pulumi.Input[str]]
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        raw_key: NotRequired[pulumi.Input[str]]
+        """
+        Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        rsa_encrypted_key: NotRequired[pulumi.Input[str]]
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        sha256: NotRequired[pulumi.Input[str]]
+        """
+        The SHA256 hash of the encryption key used to encrypt this disk.
+        """
+elif False:
+    InstanceFromMachineImageBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class InstanceFromMachineImageBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgs:
+    def __init__(__self__, *,
+                 kms_key_self_link: Optional[pulumi.Input[str]] = None,
+                 kms_key_service_account: Optional[pulumi.Input[str]] = None,
+                 raw_key: Optional[pulumi.Input[str]] = None,
+                 rsa_encrypted_key: Optional[pulumi.Input[str]] = None,
+                 sha256: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] kms_key_self_link: The self link of the encryption key that is stored in Google Cloud KMS. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        :param pulumi.Input[str] kms_key_service_account: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        :param pulumi.Input[str] raw_key: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        :param pulumi.Input[str] rsa_encrypted_key: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        :param pulumi.Input[str] sha256: The SHA256 hash of the encryption key used to encrypt this disk.
+        """
+        if kms_key_self_link is not None:
+            pulumi.set(__self__, "kms_key_self_link", kms_key_self_link)
+        if kms_key_service_account is not None:
+            pulumi.set(__self__, "kms_key_service_account", kms_key_service_account)
+        if raw_key is not None:
+            pulumi.set(__self__, "raw_key", raw_key)
+        if rsa_encrypted_key is not None:
+            pulumi.set(__self__, "rsa_encrypted_key", rsa_encrypted_key)
+        if sha256 is not None:
+            pulumi.set(__self__, "sha256", sha256)
+
+    @property
+    @pulumi.getter(name="kmsKeySelfLink")
+    def kms_key_self_link(self) -> Optional[pulumi.Input[str]]:
+        """
+        The self link of the encryption key that is stored in Google Cloud KMS. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        return pulumi.get(self, "kms_key_self_link")
+
+    @kms_key_self_link.setter
+    def kms_key_self_link(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_self_link", value)
+
+    @property
+    @pulumi.getter(name="kmsKeyServiceAccount")
+    def kms_key_service_account(self) -> Optional[pulumi.Input[str]]:
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        return pulumi.get(self, "kms_key_service_account")
+
+    @kms_key_service_account.setter
+    def kms_key_service_account(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_service_account", value)
+
+    @property
+    @pulumi.getter(name="rawKey")
+    def raw_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        return pulumi.get(self, "raw_key")
+
+    @raw_key.setter
+    def raw_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "raw_key", value)
+
+    @property
+    @pulumi.getter(name="rsaEncryptedKey")
+    def rsa_encrypted_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        return pulumi.get(self, "rsa_encrypted_key")
+
+    @rsa_encrypted_key.setter
+    def rsa_encrypted_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "rsa_encrypted_key", value)
+
+    @property
+    @pulumi.getter
+    def sha256(self) -> Optional[pulumi.Input[str]]:
+        """
+        The SHA256 hash of the encryption key used to encrypt this disk.
+        """
+        return pulumi.get(self, "sha256")
+
+    @sha256.setter
+    def sha256(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "sha256", value)
+
+
 if not MYPY:
     class InstanceFromMachineImageConfidentialInstanceConfigArgsDict(TypedDict):
         confidential_instance_type: NotRequired[pulumi.Input[str]]
@@ -12068,6 +13495,78 @@ class InstanceFromMachineImageGuestAcceleratorArgs:
         pulumi.set(self, "type", value)
 
 
+if not MYPY:
+    class InstanceFromMachineImageInstanceEncryptionKeyArgsDict(TypedDict):
+        kms_key_self_link: NotRequired[pulumi.Input[str]]
+        """
+        The self link of the encryption key that is stored in Google Cloud KMS.
+        """
+        kms_key_service_account: NotRequired[pulumi.Input[str]]
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        sha256: NotRequired[pulumi.Input[str]]
+        """
+        The SHA256 hash of the customer's encryption key.
+        """
+elif False:
+    InstanceFromMachineImageInstanceEncryptionKeyArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class InstanceFromMachineImageInstanceEncryptionKeyArgs:
+    def __init__(__self__, *,
+                 kms_key_self_link: Optional[pulumi.Input[str]] = None,
+                 kms_key_service_account: Optional[pulumi.Input[str]] = None,
+                 sha256: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] kms_key_self_link: The self link of the encryption key that is stored in Google Cloud KMS.
+        :param pulumi.Input[str] kms_key_service_account: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        :param pulumi.Input[str] sha256: The SHA256 hash of the customer's encryption key.
+        """
+        if kms_key_self_link is not None:
+            pulumi.set(__self__, "kms_key_self_link", kms_key_self_link)
+        if kms_key_service_account is not None:
+            pulumi.set(__self__, "kms_key_service_account", kms_key_service_account)
+        if sha256 is not None:
+            pulumi.set(__self__, "sha256", sha256)
+
+    @property
+    @pulumi.getter(name="kmsKeySelfLink")
+    def kms_key_self_link(self) -> Optional[pulumi.Input[str]]:
+        """
+        The self link of the encryption key that is stored in Google Cloud KMS.
+        """
+        return pulumi.get(self, "kms_key_self_link")
+
+    @kms_key_self_link.setter
+    def kms_key_self_link(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_self_link", value)
+
+    @property
+    @pulumi.getter(name="kmsKeyServiceAccount")
+    def kms_key_service_account(self) -> Optional[pulumi.Input[str]]:
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        return pulumi.get(self, "kms_key_service_account")
+
+    @kms_key_service_account.setter
+    def kms_key_service_account(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_service_account", value)
+
+    @property
+    @pulumi.getter
+    def sha256(self) -> Optional[pulumi.Input[str]]:
+        """
+        The SHA256 hash of the customer's encryption key.
+        """
+        return pulumi.get(self, "sha256")
+
+    @sha256.setter
+    def sha256(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "sha256", value)
+
+
 if not MYPY:
     class InstanceFromMachineImageNetworkInterfaceArgsDict(TypedDict):
         access_configs: NotRequired[pulumi.Input[Sequence[pulumi.Input['InstanceFromMachineImageNetworkInterfaceAccessConfigArgsDict']]]]
@@ -13682,6 +15181,81 @@ class InstanceFromMachineImageShieldedInstanceConfigArgs:
         pulumi.set(self, "enable_vtpm", value)
 
 
+if not MYPY:
+    class InstanceFromMachineImageSourceMachineImageEncryptionKeyArgsDict(TypedDict):
+        kms_key_name: NotRequired[pulumi.Input[str]]
+        kms_key_service_account: NotRequired[pulumi.Input[str]]
+        raw_key: NotRequired[pulumi.Input[str]]
+        rsa_encrypted_key: NotRequired[pulumi.Input[str]]
+        sha256: NotRequired[pulumi.Input[str]]
+elif False:
+    InstanceFromMachineImageSourceMachineImageEncryptionKeyArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class InstanceFromMachineImageSourceMachineImageEncryptionKeyArgs:
+    def __init__(__self__, *,
+                 kms_key_name: Optional[pulumi.Input[str]] = None,
+                 kms_key_service_account: Optional[pulumi.Input[str]] = None,
+                 raw_key: Optional[pulumi.Input[str]] = None,
+                 rsa_encrypted_key: Optional[pulumi.Input[str]] = None,
+                 sha256: Optional[pulumi.Input[str]] = None):
+        if kms_key_name is not None:
+            pulumi.set(__self__, "kms_key_name", kms_key_name)
+        if kms_key_service_account is not None:
+            pulumi.set(__self__, "kms_key_service_account", kms_key_service_account)
+        if raw_key is not None:
+            pulumi.set(__self__, "raw_key", raw_key)
+        if rsa_encrypted_key is not None:
+            pulumi.set(__self__, "rsa_encrypted_key", rsa_encrypted_key)
+        if sha256 is not None:
+            pulumi.set(__self__, "sha256", sha256)
+
+    @property
+    @pulumi.getter(name="kmsKeyName")
+    def kms_key_name(self) -> Optional[pulumi.Input[str]]:
+        return pulumi.get(self, "kms_key_name")
+
+    @kms_key_name.setter
+    def kms_key_name(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_name", value)
+
+    @property
+    @pulumi.getter(name="kmsKeyServiceAccount")
+    def kms_key_service_account(self) -> Optional[pulumi.Input[str]]:
+        return pulumi.get(self, "kms_key_service_account")
+
+    @kms_key_service_account.setter
+    def kms_key_service_account(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_service_account", value)
+
+    @property
+    @pulumi.getter(name="rawKey")
+    def raw_key(self) -> Optional[pulumi.Input[str]]:
+        return pulumi.get(self, "raw_key")
+
+    @raw_key.setter
+    def raw_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "raw_key", value)
+
+    @property
+    @pulumi.getter(name="rsaEncryptedKey")
+    def rsa_encrypted_key(self) -> Optional[pulumi.Input[str]]:
+        return pulumi.get(self, "rsa_encrypted_key")
+
+    @rsa_encrypted_key.setter
+    def rsa_encrypted_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "rsa_encrypted_key", value)
+
+    @property
+    @pulumi.getter
+    def sha256(self) -> Optional[pulumi.Input[str]]:
+        return pulumi.get(self, "sha256")
+
+    @sha256.setter
+    def sha256(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "sha256", value)
+
+
 if not MYPY:
     class InstanceFromTemplateAdvancedMachineFeaturesArgsDict(TypedDict):
         enable_nested_virtualization: NotRequired[pulumi.Input[bool]]
@@ -13826,15 +15400,23 @@ if not MYPY:
         """
         disk_encryption_key_raw: NotRequired[pulumi.Input[str]]
         """
-        A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_rsa and disk_encryption_key_raw may be set.
+        """
+        disk_encryption_key_rsa: NotRequired[pulumi.Input[str]]
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, disk_encryption_key_rsa and disk_encryption_key_raw may be set.
         """
         disk_encryption_key_sha256: NotRequired[pulumi.Input[str]]
         """
         The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.
         """
+        disk_encryption_service_account: NotRequired[pulumi.Input[str]]
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used
+        """
         kms_key_self_link: NotRequired[pulumi.Input[str]]
         """
-        The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_rsa and disk_encryption_key_raw may be set.
         """
         mode: NotRequired[pulumi.Input[str]]
         """
@@ -13849,15 +15431,19 @@ class InstanceFromTemplateAttachedDiskArgs:
                  source: pulumi.Input[str],
                  device_name: Optional[pulumi.Input[str]] = None,
                  disk_encryption_key_raw: Optional[pulumi.Input[str]] = None,
+                 disk_encryption_key_rsa: Optional[pulumi.Input[str]] = None,
                  disk_encryption_key_sha256: Optional[pulumi.Input[str]] = None,
+                 disk_encryption_service_account: Optional[pulumi.Input[str]] = None,
                  kms_key_self_link: Optional[pulumi.Input[str]] = None,
                  mode: Optional[pulumi.Input[str]] = None):
         """
         :param pulumi.Input[str] source: The name or self_link of the disk attached to this instance.
         :param pulumi.Input[str] device_name: Name with which the attached disk is accessible under /dev/disk/by-id/
-        :param pulumi.Input[str] disk_encryption_key_raw: A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        :param pulumi.Input[str] disk_encryption_key_raw: A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_rsa and disk_encryption_key_raw may be set.
+        :param pulumi.Input[str] disk_encryption_key_rsa: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, disk_encryption_key_rsa and disk_encryption_key_raw may be set.
         :param pulumi.Input[str] disk_encryption_key_sha256: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.
-        :param pulumi.Input[str] kms_key_self_link: The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        :param pulumi.Input[str] disk_encryption_service_account: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used
+        :param pulumi.Input[str] kms_key_self_link: The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_rsa and disk_encryption_key_raw may be set.
         :param pulumi.Input[str] mode: Read/write mode for the disk. One of "READ_ONLY" or "READ_WRITE".
         """
         pulumi.set(__self__, "source", source)
@@ -13865,8 +15451,12 @@ class InstanceFromTemplateAttachedDiskArgs:
             pulumi.set(__self__, "device_name", device_name)
         if disk_encryption_key_raw is not None:
             pulumi.set(__self__, "disk_encryption_key_raw", disk_encryption_key_raw)
+        if disk_encryption_key_rsa is not None:
+            pulumi.set(__self__, "disk_encryption_key_rsa", disk_encryption_key_rsa)
         if disk_encryption_key_sha256 is not None:
             pulumi.set(__self__, "disk_encryption_key_sha256", disk_encryption_key_sha256)
+        if disk_encryption_service_account is not None:
+            pulumi.set(__self__, "disk_encryption_service_account", disk_encryption_service_account)
         if kms_key_self_link is not None:
             pulumi.set(__self__, "kms_key_self_link", kms_key_self_link)
         if mode is not None:
@@ -13900,7 +15490,7 @@ class InstanceFromTemplateAttachedDiskArgs:
     @pulumi.getter(name="diskEncryptionKeyRaw")
     def disk_encryption_key_raw(self) -> Optional[pulumi.Input[str]]:
         """
-        A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_rsa and disk_encryption_key_raw may be set.
         """
         return pulumi.get(self, "disk_encryption_key_raw")
 
@@ -13908,6 +15498,18 @@ class InstanceFromTemplateAttachedDiskArgs:
     def disk_encryption_key_raw(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "disk_encryption_key_raw", value)
 
+    @property
+    @pulumi.getter(name="diskEncryptionKeyRsa")
+    def disk_encryption_key_rsa(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, disk_encryption_key_rsa and disk_encryption_key_raw may be set.
+        """
+        return pulumi.get(self, "disk_encryption_key_rsa")
+
+    @disk_encryption_key_rsa.setter
+    def disk_encryption_key_rsa(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "disk_encryption_key_rsa", value)
+
     @property
     @pulumi.getter(name="diskEncryptionKeySha256")
     def disk_encryption_key_sha256(self) -> Optional[pulumi.Input[str]]:
@@ -13920,11 +15522,23 @@ class InstanceFromTemplateAttachedDiskArgs:
     def disk_encryption_key_sha256(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "disk_encryption_key_sha256", value)
 
+    @property
+    @pulumi.getter(name="diskEncryptionServiceAccount")
+    def disk_encryption_service_account(self) -> Optional[pulumi.Input[str]]:
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used
+        """
+        return pulumi.get(self, "disk_encryption_service_account")
+
+    @disk_encryption_service_account.setter
+    def disk_encryption_service_account(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "disk_encryption_service_account", value)
+
     @property
     @pulumi.getter(name="kmsKeySelfLink")
     def kms_key_self_link(self) -> Optional[pulumi.Input[str]]:
         """
-        The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_rsa and disk_encryption_key_raw may be set.
         """
         return pulumi.get(self, "kms_key_self_link")
 
@@ -13957,12 +15571,24 @@ if not MYPY:
         """
         disk_encryption_key_raw: NotRequired[pulumi.Input[str]]
         """
-        A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_raw and disk_encryption_key_rsa may be set.
+        """
+        disk_encryption_key_rsa: NotRequired[pulumi.Input[str]]
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, disk_encryption_key_raw and disk_encryption_key_rsa may be set.
         """
         disk_encryption_key_sha256: NotRequired[pulumi.Input[str]]
         """
         The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.
         """
+        disk_encryption_service_account: NotRequired[pulumi.Input[str]]
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used
+        """
+        guest_os_features: NotRequired[pulumi.Input[Sequence[pulumi.Input[str]]]]
+        """
+        A list of features to enable on the guest operating system. Applicable only for bootable images.
+        """
         initialize_params: NotRequired[pulumi.Input['InstanceFromTemplateBootDiskInitializeParamsArgsDict']]
         """
         Parameters with which a disk was created alongside the instance.
@@ -13973,7 +15599,7 @@ if not MYPY:
         """
         kms_key_self_link: NotRequired[pulumi.Input[str]]
         """
-        The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_raw and disk_encryption_key_rsa may be set.
         """
         mode: NotRequired[pulumi.Input[str]]
         """
@@ -13992,7 +15618,10 @@ class InstanceFromTemplateBootDiskArgs:
                  auto_delete: Optional[pulumi.Input[bool]] = None,
                  device_name: Optional[pulumi.Input[str]] = None,
                  disk_encryption_key_raw: Optional[pulumi.Input[str]] = None,
+                 disk_encryption_key_rsa: Optional[pulumi.Input[str]] = None,
                  disk_encryption_key_sha256: Optional[pulumi.Input[str]] = None,
+                 disk_encryption_service_account: Optional[pulumi.Input[str]] = None,
+                 guest_os_features: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  initialize_params: Optional[pulumi.Input['InstanceFromTemplateBootDiskInitializeParamsArgs']] = None,
                  interface: Optional[pulumi.Input[str]] = None,
                  kms_key_self_link: Optional[pulumi.Input[str]] = None,
@@ -14001,11 +15630,14 @@ class InstanceFromTemplateBootDiskArgs:
         """
         :param pulumi.Input[bool] auto_delete: Whether the disk will be auto-deleted when the instance is deleted.
         :param pulumi.Input[str] device_name: Name with which attached disk will be accessible under /dev/disk/by-id/
-        :param pulumi.Input[str] disk_encryption_key_raw: A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        :param pulumi.Input[str] disk_encryption_key_raw: A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_raw and disk_encryption_key_rsa may be set.
+        :param pulumi.Input[str] disk_encryption_key_rsa: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, disk_encryption_key_raw and disk_encryption_key_rsa may be set.
         :param pulumi.Input[str] disk_encryption_key_sha256: The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied encryption key that protects this resource.
+        :param pulumi.Input[str] disk_encryption_service_account: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] guest_os_features: A list of features to enable on the guest operating system. Applicable only for bootable images.
         :param pulumi.Input['InstanceFromTemplateBootDiskInitializeParamsArgs'] initialize_params: Parameters with which a disk was created alongside the instance.
         :param pulumi.Input[str] interface: The disk interface used for attaching this disk. One of SCSI or NVME. (This field is shared with attached_disk and only used for specific cases, please don't specify this field without advice from Google.)
-        :param pulumi.Input[str] kms_key_self_link: The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        :param pulumi.Input[str] kms_key_self_link: The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_raw and disk_encryption_key_rsa may be set.
         :param pulumi.Input[str] mode: Read/write mode for the disk. One of "READ_ONLY" or "READ_WRITE".
         :param pulumi.Input[str] source: The name or self_link of the disk attached to this instance.
         """
@@ -14015,8 +15647,14 @@ class InstanceFromTemplateBootDiskArgs:
             pulumi.set(__self__, "device_name", device_name)
         if disk_encryption_key_raw is not None:
             pulumi.set(__self__, "disk_encryption_key_raw", disk_encryption_key_raw)
+        if disk_encryption_key_rsa is not None:
+            pulumi.set(__self__, "disk_encryption_key_rsa", disk_encryption_key_rsa)
         if disk_encryption_key_sha256 is not None:
             pulumi.set(__self__, "disk_encryption_key_sha256", disk_encryption_key_sha256)
+        if disk_encryption_service_account is not None:
+            pulumi.set(__self__, "disk_encryption_service_account", disk_encryption_service_account)
+        if guest_os_features is not None:
+            pulumi.set(__self__, "guest_os_features", guest_os_features)
         if initialize_params is not None:
             pulumi.set(__self__, "initialize_params", initialize_params)
         if interface is not None:
@@ -14056,7 +15694,7 @@ class InstanceFromTemplateBootDiskArgs:
     @pulumi.getter(name="diskEncryptionKeyRaw")
     def disk_encryption_key_raw(self) -> Optional[pulumi.Input[str]]:
         """
-        A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        A 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_raw and disk_encryption_key_rsa may be set.
         """
         return pulumi.get(self, "disk_encryption_key_raw")
 
@@ -14064,6 +15702,18 @@ class InstanceFromTemplateBootDiskArgs:
     def disk_encryption_key_raw(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "disk_encryption_key_raw", value)
 
+    @property
+    @pulumi.getter(name="diskEncryptionKeyRsa")
+    def disk_encryption_key_rsa(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, disk_encryption_key_raw and disk_encryption_key_rsa may be set.
+        """
+        return pulumi.get(self, "disk_encryption_key_rsa")
+
+    @disk_encryption_key_rsa.setter
+    def disk_encryption_key_rsa(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "disk_encryption_key_rsa", value)
+
     @property
     @pulumi.getter(name="diskEncryptionKeySha256")
     def disk_encryption_key_sha256(self) -> Optional[pulumi.Input[str]]:
@@ -14076,6 +15726,30 @@ class InstanceFromTemplateBootDiskArgs:
     def disk_encryption_key_sha256(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "disk_encryption_key_sha256", value)
 
+    @property
+    @pulumi.getter(name="diskEncryptionServiceAccount")
+    def disk_encryption_service_account(self) -> Optional[pulumi.Input[str]]:
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used
+        """
+        return pulumi.get(self, "disk_encryption_service_account")
+
+    @disk_encryption_service_account.setter
+    def disk_encryption_service_account(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "disk_encryption_service_account", value)
+
+    @property
+    @pulumi.getter(name="guestOsFeatures")
+    def guest_os_features(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        A list of features to enable on the guest operating system. Applicable only for bootable images.
+        """
+        return pulumi.get(self, "guest_os_features")
+
+    @guest_os_features.setter
+    def guest_os_features(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "guest_os_features", value)
+
     @property
     @pulumi.getter(name="initializeParams")
     def initialize_params(self) -> Optional[pulumi.Input['InstanceFromTemplateBootDiskInitializeParamsArgs']]:
@@ -14104,7 +15778,7 @@ class InstanceFromTemplateBootDiskArgs:
     @pulumi.getter(name="kmsKeySelfLink")
     def kms_key_self_link(self) -> Optional[pulumi.Input[str]]:
         """
-        The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link and disk_encryption_key_raw may be set.
+        The self_link of the encryption key that is stored in Google Cloud KMS to encrypt this disk. Only one of kms_key_self_link, disk_encryption_key_raw and disk_encryption_key_rsa may be set.
         """
         return pulumi.get(self, "kms_key_self_link")
 
@@ -14139,6 +15813,10 @@ class InstanceFromTemplateBootDiskArgs:
 
 if not MYPY:
     class InstanceFromTemplateBootDiskInitializeParamsArgsDict(TypedDict):
+        architecture: NotRequired[pulumi.Input[str]]
+        """
+        The architecture of the disk. One of "X86_64" or "ARM64".
+        """
         enable_confidential_compute: NotRequired[pulumi.Input[bool]]
         """
         A flag to enable confidential compute mode on boot disk
@@ -14171,6 +15849,18 @@ if not MYPY:
         """
         The size of the image in gigabytes.
         """
+        snapshot: NotRequired[pulumi.Input[str]]
+        """
+        The snapshot from which this disk was initialised.
+        """
+        source_image_encryption_key: NotRequired[pulumi.Input['InstanceFromTemplateBootDiskInitializeParamsSourceImageEncryptionKeyArgsDict']]
+        """
+        The encryption key used to decrypt the source image.
+        """
+        source_snapshot_encryption_key: NotRequired[pulumi.Input['InstanceFromTemplateBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgsDict']]
+        """
+        The encryption key used to decrypt the source snapshot.
+        """
         storage_pool: NotRequired[pulumi.Input[str]]
         """
         The URL of the storage pool in which the new disk is created
@@ -14185,6 +15875,7 @@ elif False:
 @pulumi.input_type
 class InstanceFromTemplateBootDiskInitializeParamsArgs:
     def __init__(__self__, *,
+                 architecture: Optional[pulumi.Input[str]] = None,
                  enable_confidential_compute: Optional[pulumi.Input[bool]] = None,
                  image: Optional[pulumi.Input[str]] = None,
                  labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
@@ -14193,9 +15884,13 @@ class InstanceFromTemplateBootDiskInitializeParamsArgs:
                  resource_manager_tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                  resource_policies: Optional[pulumi.Input[str]] = None,
                  size: Optional[pulumi.Input[int]] = None,
+                 snapshot: Optional[pulumi.Input[str]] = None,
+                 source_image_encryption_key: Optional[pulumi.Input['InstanceFromTemplateBootDiskInitializeParamsSourceImageEncryptionKeyArgs']] = None,
+                 source_snapshot_encryption_key: Optional[pulumi.Input['InstanceFromTemplateBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgs']] = None,
                  storage_pool: Optional[pulumi.Input[str]] = None,
                  type: Optional[pulumi.Input[str]] = None):
         """
+        :param pulumi.Input[str] architecture: The architecture of the disk. One of "X86_64" or "ARM64".
         :param pulumi.Input[bool] enable_confidential_compute: A flag to enable confidential compute mode on boot disk
         :param pulumi.Input[str] image: The image from which this disk was initialised.
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] labels: A set of key/value label pairs assigned to the disk.
@@ -14204,9 +15899,14 @@ class InstanceFromTemplateBootDiskInitializeParamsArgs:
         :param pulumi.Input[Mapping[str, pulumi.Input[str]]] resource_manager_tags: A map of resource manager tags. Resource manager tag keys and values have the same definition as resource manager tags. Keys must be in the format tagKeys/{tag_key_id}, and values are in the format tagValues/456. The field is ignored (both PUT & PATCH) when empty.
         :param pulumi.Input[str] resource_policies: A list of self_links of resource policies to attach to the instance's boot disk. Modifying this list will cause the instance to recreate. Currently a max of 1 resource policy is supported.
         :param pulumi.Input[int] size: The size of the image in gigabytes.
+        :param pulumi.Input[str] snapshot: The snapshot from which this disk was initialised.
+        :param pulumi.Input['InstanceFromTemplateBootDiskInitializeParamsSourceImageEncryptionKeyArgs'] source_image_encryption_key: The encryption key used to decrypt the source image.
+        :param pulumi.Input['InstanceFromTemplateBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgs'] source_snapshot_encryption_key: The encryption key used to decrypt the source snapshot.
         :param pulumi.Input[str] storage_pool: The URL of the storage pool in which the new disk is created
         :param pulumi.Input[str] type: The Google Compute Engine disk type. Such as pd-standard, pd-ssd or pd-balanced.
         """
+        if architecture is not None:
+            pulumi.set(__self__, "architecture", architecture)
         if enable_confidential_compute is not None:
             pulumi.set(__self__, "enable_confidential_compute", enable_confidential_compute)
         if image is not None:
@@ -14223,11 +15923,29 @@ class InstanceFromTemplateBootDiskInitializeParamsArgs:
             pulumi.set(__self__, "resource_policies", resource_policies)
         if size is not None:
             pulumi.set(__self__, "size", size)
+        if snapshot is not None:
+            pulumi.set(__self__, "snapshot", snapshot)
+        if source_image_encryption_key is not None:
+            pulumi.set(__self__, "source_image_encryption_key", source_image_encryption_key)
+        if source_snapshot_encryption_key is not None:
+            pulumi.set(__self__, "source_snapshot_encryption_key", source_snapshot_encryption_key)
         if storage_pool is not None:
             pulumi.set(__self__, "storage_pool", storage_pool)
         if type is not None:
             pulumi.set(__self__, "type", type)
 
+    @property
+    @pulumi.getter
+    def architecture(self) -> Optional[pulumi.Input[str]]:
+        """
+        The architecture of the disk. One of "X86_64" or "ARM64".
+        """
+        return pulumi.get(self, "architecture")
+
+    @architecture.setter
+    def architecture(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "architecture", value)
+
     @property
     @pulumi.getter(name="enableConfidentialCompute")
     def enable_confidential_compute(self) -> Optional[pulumi.Input[bool]]:
@@ -14324,6 +16042,42 @@ class InstanceFromTemplateBootDiskInitializeParamsArgs:
     def size(self, value: Optional[pulumi.Input[int]]):
         pulumi.set(self, "size", value)
 
+    @property
+    @pulumi.getter
+    def snapshot(self) -> Optional[pulumi.Input[str]]:
+        """
+        The snapshot from which this disk was initialised.
+        """
+        return pulumi.get(self, "snapshot")
+
+    @snapshot.setter
+    def snapshot(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "snapshot", value)
+
+    @property
+    @pulumi.getter(name="sourceImageEncryptionKey")
+    def source_image_encryption_key(self) -> Optional[pulumi.Input['InstanceFromTemplateBootDiskInitializeParamsSourceImageEncryptionKeyArgs']]:
+        """
+        The encryption key used to decrypt the source image.
+        """
+        return pulumi.get(self, "source_image_encryption_key")
+
+    @source_image_encryption_key.setter
+    def source_image_encryption_key(self, value: Optional[pulumi.Input['InstanceFromTemplateBootDiskInitializeParamsSourceImageEncryptionKeyArgs']]):
+        pulumi.set(self, "source_image_encryption_key", value)
+
+    @property
+    @pulumi.getter(name="sourceSnapshotEncryptionKey")
+    def source_snapshot_encryption_key(self) -> Optional[pulumi.Input['InstanceFromTemplateBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgs']]:
+        """
+        The encryption key used to decrypt the source snapshot.
+        """
+        return pulumi.get(self, "source_snapshot_encryption_key")
+
+    @source_snapshot_encryption_key.setter
+    def source_snapshot_encryption_key(self, value: Optional[pulumi.Input['InstanceFromTemplateBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgs']]):
+        pulumi.set(self, "source_snapshot_encryption_key", value)
+
     @property
     @pulumi.getter(name="storagePool")
     def storage_pool(self) -> Optional[pulumi.Input[str]]:
@@ -14349,6 +16103,230 @@ class InstanceFromTemplateBootDiskInitializeParamsArgs:
         pulumi.set(self, "type", value)
 
 
+if not MYPY:
+    class InstanceFromTemplateBootDiskInitializeParamsSourceImageEncryptionKeyArgsDict(TypedDict):
+        kms_key_self_link: NotRequired[pulumi.Input[str]]
+        """
+        The self link of the encryption key that is stored in Google Cloud KMS. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        kms_key_service_account: NotRequired[pulumi.Input[str]]
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        raw_key: NotRequired[pulumi.Input[str]]
+        """
+        Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        rsa_encrypted_key: NotRequired[pulumi.Input[str]]
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        sha256: NotRequired[pulumi.Input[str]]
+        """
+        The SHA256 hash of the encryption key used to encrypt this disk.
+        """
+elif False:
+    InstanceFromTemplateBootDiskInitializeParamsSourceImageEncryptionKeyArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class InstanceFromTemplateBootDiskInitializeParamsSourceImageEncryptionKeyArgs:
+    def __init__(__self__, *,
+                 kms_key_self_link: Optional[pulumi.Input[str]] = None,
+                 kms_key_service_account: Optional[pulumi.Input[str]] = None,
+                 raw_key: Optional[pulumi.Input[str]] = None,
+                 rsa_encrypted_key: Optional[pulumi.Input[str]] = None,
+                 sha256: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] kms_key_self_link: The self link of the encryption key that is stored in Google Cloud KMS. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        :param pulumi.Input[str] kms_key_service_account: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        :param pulumi.Input[str] raw_key: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        :param pulumi.Input[str] rsa_encrypted_key: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        :param pulumi.Input[str] sha256: The SHA256 hash of the encryption key used to encrypt this disk.
+        """
+        if kms_key_self_link is not None:
+            pulumi.set(__self__, "kms_key_self_link", kms_key_self_link)
+        if kms_key_service_account is not None:
+            pulumi.set(__self__, "kms_key_service_account", kms_key_service_account)
+        if raw_key is not None:
+            pulumi.set(__self__, "raw_key", raw_key)
+        if rsa_encrypted_key is not None:
+            pulumi.set(__self__, "rsa_encrypted_key", rsa_encrypted_key)
+        if sha256 is not None:
+            pulumi.set(__self__, "sha256", sha256)
+
+    @property
+    @pulumi.getter(name="kmsKeySelfLink")
+    def kms_key_self_link(self) -> Optional[pulumi.Input[str]]:
+        """
+        The self link of the encryption key that is stored in Google Cloud KMS. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        return pulumi.get(self, "kms_key_self_link")
+
+    @kms_key_self_link.setter
+    def kms_key_self_link(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_self_link", value)
+
+    @property
+    @pulumi.getter(name="kmsKeyServiceAccount")
+    def kms_key_service_account(self) -> Optional[pulumi.Input[str]]:
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        return pulumi.get(self, "kms_key_service_account")
+
+    @kms_key_service_account.setter
+    def kms_key_service_account(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_service_account", value)
+
+    @property
+    @pulumi.getter(name="rawKey")
+    def raw_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        return pulumi.get(self, "raw_key")
+
+    @raw_key.setter
+    def raw_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "raw_key", value)
+
+    @property
+    @pulumi.getter(name="rsaEncryptedKey")
+    def rsa_encrypted_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        return pulumi.get(self, "rsa_encrypted_key")
+
+    @rsa_encrypted_key.setter
+    def rsa_encrypted_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "rsa_encrypted_key", value)
+
+    @property
+    @pulumi.getter
+    def sha256(self) -> Optional[pulumi.Input[str]]:
+        """
+        The SHA256 hash of the encryption key used to encrypt this disk.
+        """
+        return pulumi.get(self, "sha256")
+
+    @sha256.setter
+    def sha256(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "sha256", value)
+
+
+if not MYPY:
+    class InstanceFromTemplateBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgsDict(TypedDict):
+        kms_key_self_link: NotRequired[pulumi.Input[str]]
+        """
+        The self link of the encryption key that is stored in Google Cloud KMS. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        kms_key_service_account: NotRequired[pulumi.Input[str]]
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        raw_key: NotRequired[pulumi.Input[str]]
+        """
+        Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        rsa_encrypted_key: NotRequired[pulumi.Input[str]]
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        sha256: NotRequired[pulumi.Input[str]]
+        """
+        The SHA256 hash of the encryption key used to encrypt this disk.
+        """
+elif False:
+    InstanceFromTemplateBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class InstanceFromTemplateBootDiskInitializeParamsSourceSnapshotEncryptionKeyArgs:
+    def __init__(__self__, *,
+                 kms_key_self_link: Optional[pulumi.Input[str]] = None,
+                 kms_key_service_account: Optional[pulumi.Input[str]] = None,
+                 raw_key: Optional[pulumi.Input[str]] = None,
+                 rsa_encrypted_key: Optional[pulumi.Input[str]] = None,
+                 sha256: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] kms_key_self_link: The self link of the encryption key that is stored in Google Cloud KMS. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        :param pulumi.Input[str] kms_key_service_account: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        :param pulumi.Input[str] raw_key: Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        :param pulumi.Input[str] rsa_encrypted_key: Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        :param pulumi.Input[str] sha256: The SHA256 hash of the encryption key used to encrypt this disk.
+        """
+        if kms_key_self_link is not None:
+            pulumi.set(__self__, "kms_key_self_link", kms_key_self_link)
+        if kms_key_service_account is not None:
+            pulumi.set(__self__, "kms_key_service_account", kms_key_service_account)
+        if raw_key is not None:
+            pulumi.set(__self__, "raw_key", raw_key)
+        if rsa_encrypted_key is not None:
+            pulumi.set(__self__, "rsa_encrypted_key", rsa_encrypted_key)
+        if sha256 is not None:
+            pulumi.set(__self__, "sha256", sha256)
+
+    @property
+    @pulumi.getter(name="kmsKeySelfLink")
+    def kms_key_self_link(self) -> Optional[pulumi.Input[str]]:
+        """
+        The self link of the encryption key that is stored in Google Cloud KMS. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        return pulumi.get(self, "kms_key_self_link")
+
+    @kms_key_self_link.setter
+    def kms_key_self_link(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_self_link", value)
+
+    @property
+    @pulumi.getter(name="kmsKeyServiceAccount")
+    def kms_key_service_account(self) -> Optional[pulumi.Input[str]]:
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        return pulumi.get(self, "kms_key_service_account")
+
+    @kms_key_service_account.setter
+    def kms_key_service_account(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_service_account", value)
+
+    @property
+    @pulumi.getter(name="rawKey")
+    def raw_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies a 256-bit customer-supplied encryption key, encoded in RFC 4648 base64 to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        return pulumi.get(self, "raw_key")
+
+    @raw_key.setter
+    def raw_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "raw_key", value)
+
+    @property
+    @pulumi.getter(name="rsaEncryptedKey")
+    def rsa_encrypted_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies an RFC 4648 base64 encoded, RSA-wrapped 2048-bit customer-supplied encryption key to either encrypt or decrypt this resource. Only one of kms_key_self_link, rsa_encrypted_key and raw_key may be set.
+        """
+        return pulumi.get(self, "rsa_encrypted_key")
+
+    @rsa_encrypted_key.setter
+    def rsa_encrypted_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "rsa_encrypted_key", value)
+
+    @property
+    @pulumi.getter
+    def sha256(self) -> Optional[pulumi.Input[str]]:
+        """
+        The SHA256 hash of the encryption key used to encrypt this disk.
+        """
+        return pulumi.get(self, "sha256")
+
+    @sha256.setter
+    def sha256(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "sha256", value)
+
+
 if not MYPY:
     class InstanceFromTemplateConfidentialInstanceConfigArgsDict(TypedDict):
         confidential_instance_type: NotRequired[pulumi.Input[str]]
@@ -14460,6 +16438,78 @@ class InstanceFromTemplateGuestAcceleratorArgs:
         pulumi.set(self, "type", value)
 
 
+if not MYPY:
+    class InstanceFromTemplateInstanceEncryptionKeyArgsDict(TypedDict):
+        kms_key_self_link: NotRequired[pulumi.Input[str]]
+        """
+        The self link of the encryption key that is stored in Google Cloud KMS.
+        """
+        kms_key_service_account: NotRequired[pulumi.Input[str]]
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        sha256: NotRequired[pulumi.Input[str]]
+        """
+        The SHA256 hash of the customer's encryption key.
+        """
+elif False:
+    InstanceFromTemplateInstanceEncryptionKeyArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class InstanceFromTemplateInstanceEncryptionKeyArgs:
+    def __init__(__self__, *,
+                 kms_key_self_link: Optional[pulumi.Input[str]] = None,
+                 kms_key_service_account: Optional[pulumi.Input[str]] = None,
+                 sha256: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] kms_key_self_link: The self link of the encryption key that is stored in Google Cloud KMS.
+        :param pulumi.Input[str] kms_key_service_account: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        :param pulumi.Input[str] sha256: The SHA256 hash of the customer's encryption key.
+        """
+        if kms_key_self_link is not None:
+            pulumi.set(__self__, "kms_key_self_link", kms_key_self_link)
+        if kms_key_service_account is not None:
+            pulumi.set(__self__, "kms_key_service_account", kms_key_service_account)
+        if sha256 is not None:
+            pulumi.set(__self__, "sha256", sha256)
+
+    @property
+    @pulumi.getter(name="kmsKeySelfLink")
+    def kms_key_self_link(self) -> Optional[pulumi.Input[str]]:
+        """
+        The self link of the encryption key that is stored in Google Cloud KMS.
+        """
+        return pulumi.get(self, "kms_key_self_link")
+
+    @kms_key_self_link.setter
+    def kms_key_self_link(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_self_link", value)
+
+    @property
+    @pulumi.getter(name="kmsKeyServiceAccount")
+    def kms_key_service_account(self) -> Optional[pulumi.Input[str]]:
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        return pulumi.get(self, "kms_key_service_account")
+
+    @kms_key_service_account.setter
+    def kms_key_service_account(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_service_account", value)
+
+    @property
+    @pulumi.getter
+    def sha256(self) -> Optional[pulumi.Input[str]]:
+        """
+        The SHA256 hash of the customer's encryption key.
+        """
+        return pulumi.get(self, "sha256")
+
+    @sha256.setter
+    def sha256(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "sha256", value)
+
+
 if not MYPY:
     class InstanceFromTemplateNetworkInterfaceArgsDict(TypedDict):
         access_configs: NotRequired[pulumi.Input[Sequence[pulumi.Input['InstanceFromTemplateNetworkInterfaceAccessConfigArgsDict']]]]
@@ -16189,13 +18239,18 @@ if not MYPY:
     class InstanceGroupManagerInstanceLifecyclePolicyArgsDict(TypedDict):
         default_action_on_failure: NotRequired[pulumi.Input[str]]
         """
-        , Default behavior for all instance or health check failures. Valid options are: `REPAIR`, `DO_NOTHING`. If `DO_NOTHING` then instances will not be repaired. If `REPAIR` (default), then failed instances will be repaired.
-        - - -
+        , Specifies the action that a MIG performs on a failed VM. If the value of the `on_failed_health_check` field is `DEFAULT_ACTION`, then the same action also applies to the VMs on which your application fails a health check. Valid options are: `DO_NOTHING`, `REPAIR`. If `DO_NOTHING`, then MIG does not repair a failed VM. If `REPAIR` (default), then MIG automatically repairs a failed VM by recreating it. For more information, see about repairing VMs in a MIG.
         """
         force_update_on_repair: NotRequired[pulumi.Input[str]]
         """
         , Specifies whether to apply the group's latest configuration when repairing a VM. Valid options are: `YES`, `NO`. If `YES` and you updated the group's instance template or per-instance configurations after the VM was created, then these changes are applied when VM is repaired. If `NO` (default), then updates are applied in accordance with the group's update policy type.
         """
+        on_failed_health_check: NotRequired[pulumi.Input[str]]
+        """
+        , Specifies the action that a MIG performs on an unhealthy VM. A VM is marked as unhealthy when the application running on that VM fails a health check. Valid options are: `DEFAULT_ACTION`, `DO_NOTHING`, `REPAIR`. If `DEFAULT_ACTION` (default), then MIG uses the same action configured for the  `default_action_on_failure` field. If `DO_NOTHING`, then MIG does not repair unhealthy VM. If `REPAIR`, then MIG automatically repairs an unhealthy VM by recreating it. For more information, see about repairing VMs in a MIG.
+
+        - - -
+        """
 elif False:
     InstanceGroupManagerInstanceLifecyclePolicyArgsDict: TypeAlias = Mapping[str, Any]
 
@@ -16203,23 +18258,27 @@ elif False:
 class InstanceGroupManagerInstanceLifecyclePolicyArgs:
     def __init__(__self__, *,
                  default_action_on_failure: Optional[pulumi.Input[str]] = None,
-                 force_update_on_repair: Optional[pulumi.Input[str]] = None):
+                 force_update_on_repair: Optional[pulumi.Input[str]] = None,
+                 on_failed_health_check: Optional[pulumi.Input[str]] = None):
         """
-        :param pulumi.Input[str] default_action_on_failure: , Default behavior for all instance or health check failures. Valid options are: `REPAIR`, `DO_NOTHING`. If `DO_NOTHING` then instances will not be repaired. If `REPAIR` (default), then failed instances will be repaired.
-               - - -
+        :param pulumi.Input[str] default_action_on_failure: , Specifies the action that a MIG performs on a failed VM. If the value of the `on_failed_health_check` field is `DEFAULT_ACTION`, then the same action also applies to the VMs on which your application fails a health check. Valid options are: `DO_NOTHING`, `REPAIR`. If `DO_NOTHING`, then MIG does not repair a failed VM. If `REPAIR` (default), then MIG automatically repairs a failed VM by recreating it. For more information, see about repairing VMs in a MIG.
         :param pulumi.Input[str] force_update_on_repair: , Specifies whether to apply the group's latest configuration when repairing a VM. Valid options are: `YES`, `NO`. If `YES` and you updated the group's instance template or per-instance configurations after the VM was created, then these changes are applied when VM is repaired. If `NO` (default), then updates are applied in accordance with the group's update policy type.
+        :param pulumi.Input[str] on_failed_health_check: , Specifies the action that a MIG performs on an unhealthy VM. A VM is marked as unhealthy when the application running on that VM fails a health check. Valid options are: `DEFAULT_ACTION`, `DO_NOTHING`, `REPAIR`. If `DEFAULT_ACTION` (default), then MIG uses the same action configured for the  `default_action_on_failure` field. If `DO_NOTHING`, then MIG does not repair unhealthy VM. If `REPAIR`, then MIG automatically repairs an unhealthy VM by recreating it. For more information, see about repairing VMs in a MIG.
+               
+               - - -
         """
         if default_action_on_failure is not None:
             pulumi.set(__self__, "default_action_on_failure", default_action_on_failure)
         if force_update_on_repair is not None:
             pulumi.set(__self__, "force_update_on_repair", force_update_on_repair)
+        if on_failed_health_check is not None:
+            pulumi.set(__self__, "on_failed_health_check", on_failed_health_check)
 
     @property
     @pulumi.getter(name="defaultActionOnFailure")
     def default_action_on_failure(self) -> Optional[pulumi.Input[str]]:
         """
-        , Default behavior for all instance or health check failures. Valid options are: `REPAIR`, `DO_NOTHING`. If `DO_NOTHING` then instances will not be repaired. If `REPAIR` (default), then failed instances will be repaired.
-        - - -
+        , Specifies the action that a MIG performs on a failed VM. If the value of the `on_failed_health_check` field is `DEFAULT_ACTION`, then the same action also applies to the VMs on which your application fails a health check. Valid options are: `DO_NOTHING`, `REPAIR`. If `DO_NOTHING`, then MIG does not repair a failed VM. If `REPAIR` (default), then MIG automatically repairs a failed VM by recreating it. For more information, see about repairing VMs in a MIG.
         """
         return pulumi.get(self, "default_action_on_failure")
 
@@ -16239,6 +18298,20 @@ class InstanceGroupManagerInstanceLifecyclePolicyArgs:
     def force_update_on_repair(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "force_update_on_repair", value)
 
+    @property
+    @pulumi.getter(name="onFailedHealthCheck")
+    def on_failed_health_check(self) -> Optional[pulumi.Input[str]]:
+        """
+        , Specifies the action that a MIG performs on an unhealthy VM. A VM is marked as unhealthy when the application running on that VM fails a health check. Valid options are: `DEFAULT_ACTION`, `DO_NOTHING`, `REPAIR`. If `DEFAULT_ACTION` (default), then MIG uses the same action configured for the  `default_action_on_failure` field. If `DO_NOTHING`, then MIG does not repair unhealthy VM. If `REPAIR`, then MIG automatically repairs an unhealthy VM by recreating it. For more information, see about repairing VMs in a MIG.
+
+        - - -
+        """
+        return pulumi.get(self, "on_failed_health_check")
+
+    @on_failed_health_check.setter
+    def on_failed_health_check(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "on_failed_health_check", value)
+
 
 if not MYPY:
     class InstanceGroupManagerNamedPortArgsDict(TypedDict):
@@ -17396,6 +19469,81 @@ class InstanceIAMMemberConditionArgs:
         pulumi.set(self, "description", value)
 
 
+if not MYPY:
+    class InstanceInstanceEncryptionKeyArgsDict(TypedDict):
+        kms_key_self_link: NotRequired[pulumi.Input[str]]
+        """
+        The self_link of the encryption key that is
+        stored in Google Cloud KMS to encrypt the data on this instance.
+        """
+        kms_key_service_account: NotRequired[pulumi.Input[str]]
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        sha256: NotRequired[pulumi.Input[str]]
+        """
+        The SHA256 hash of the customer's encryption key.
+        """
+elif False:
+    InstanceInstanceEncryptionKeyArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class InstanceInstanceEncryptionKeyArgs:
+    def __init__(__self__, *,
+                 kms_key_self_link: Optional[pulumi.Input[str]] = None,
+                 kms_key_service_account: Optional[pulumi.Input[str]] = None,
+                 sha256: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] kms_key_self_link: The self_link of the encryption key that is
+               stored in Google Cloud KMS to encrypt the data on this instance.
+        :param pulumi.Input[str] kms_key_service_account: The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        :param pulumi.Input[str] sha256: The SHA256 hash of the customer's encryption key.
+        """
+        if kms_key_self_link is not None:
+            pulumi.set(__self__, "kms_key_self_link", kms_key_self_link)
+        if kms_key_service_account is not None:
+            pulumi.set(__self__, "kms_key_service_account", kms_key_service_account)
+        if sha256 is not None:
+            pulumi.set(__self__, "sha256", sha256)
+
+    @property
+    @pulumi.getter(name="kmsKeySelfLink")
+    def kms_key_self_link(self) -> Optional[pulumi.Input[str]]:
+        """
+        The self_link of the encryption key that is
+        stored in Google Cloud KMS to encrypt the data on this instance.
+        """
+        return pulumi.get(self, "kms_key_self_link")
+
+    @kms_key_self_link.setter
+    def kms_key_self_link(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_self_link", value)
+
+    @property
+    @pulumi.getter(name="kmsKeyServiceAccount")
+    def kms_key_service_account(self) -> Optional[pulumi.Input[str]]:
+        """
+        The service account being used for the encryption request for the given KMS key. If absent, the Compute Engine default service account is used.
+        """
+        return pulumi.get(self, "kms_key_service_account")
+
+    @kms_key_service_account.setter
+    def kms_key_service_account(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "kms_key_service_account", value)
+
+    @property
+    @pulumi.getter
+    def sha256(self) -> Optional[pulumi.Input[str]]:
+        """
+        The SHA256 hash of the customer's encryption key.
+        """
+        return pulumi.get(self, "sha256")
+
+    @sha256.setter
+    def sha256(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "sha256", value)
+
+
 if not MYPY:
     class InstanceNetworkInterfaceArgsDict(TypedDict):
         access_configs: NotRequired[pulumi.Input[Sequence[pulumi.Input['InstanceNetworkInterfaceAccessConfigArgsDict']]]]
@@ -32886,15 +35034,19 @@ if not MYPY:
     class RegionInstanceGroupManagerInstanceLifecyclePolicyArgsDict(TypedDict):
         default_action_on_failure: NotRequired[pulumi.Input[str]]
         """
-        , Default behavior for all instance or health check failures. Valid options are: `REPAIR`, `DO_NOTHING`. If `DO_NOTHING` then instances will not be repaired. If `REPAIR` (default), then failed instances will be repaired.
-
-        - - -
-        <a name="nested_instance_flexibility_policy"></a>The `instance_flexibility_policy` block supports:
+        , Specifies the action that a MIG performs on a failed VM. If the value of the `on_failed_health_check` field is `DEFAULT_ACTION`, then the same action also applies to the VMs on which your application fails a health check. Valid options are: `DO_NOTHING`, `REPAIR`. If `DO_NOTHING`, then MIG does not repair a failed VM. If `REPAIR` (default), then MIG automatically repairs a failed VM by recreating it. For more information, see about repairing VMs in a MIG.
         """
         force_update_on_repair: NotRequired[pulumi.Input[str]]
         """
         , Specifies whether to apply the group's latest configuration when repairing a VM. Valid options are: `YES`, `NO`. If `YES` and you updated the group's instance template or per-instance configurations after the VM was created, then these changes are applied when VM is repaired. If `NO` (default), then updates are applied in accordance with the group's update policy type.
         """
+        on_failed_health_check: NotRequired[pulumi.Input[str]]
+        """
+        , Specifies the action that a MIG performs on an unhealthy VM. A VM is marked as unhealthy when the application running on that VM fails a health check. Valid options are: `DEFAULT_ACTION`, `DO_NOTHING`, `REPAIR`. If `DEFAULT_ACTION` (default), then MIG uses the same action configured for the  `default_action_on_failure` field. If `DO_NOTHING`, then MIG does not repair unhealthy VM. If `REPAIR`, then MIG automatically repairs an unhealthy VM by recreating it. For more information, see about repairing VMs in a MIG. 
+
+        - - -
+        <a name="nested_instance_flexibility_policy"></a>The `instance_flexibility_policy` block supports:
+        """
 elif False:
     RegionInstanceGroupManagerInstanceLifecyclePolicyArgsDict: TypeAlias = Mapping[str, Any]
 
@@ -32902,27 +35054,28 @@ elif False:
 class RegionInstanceGroupManagerInstanceLifecyclePolicyArgs:
     def __init__(__self__, *,
                  default_action_on_failure: Optional[pulumi.Input[str]] = None,
-                 force_update_on_repair: Optional[pulumi.Input[str]] = None):
+                 force_update_on_repair: Optional[pulumi.Input[str]] = None,
+                 on_failed_health_check: Optional[pulumi.Input[str]] = None):
         """
-        :param pulumi.Input[str] default_action_on_failure: , Default behavior for all instance or health check failures. Valid options are: `REPAIR`, `DO_NOTHING`. If `DO_NOTHING` then instances will not be repaired. If `REPAIR` (default), then failed instances will be repaired.
+        :param pulumi.Input[str] default_action_on_failure: , Specifies the action that a MIG performs on a failed VM. If the value of the `on_failed_health_check` field is `DEFAULT_ACTION`, then the same action also applies to the VMs on which your application fails a health check. Valid options are: `DO_NOTHING`, `REPAIR`. If `DO_NOTHING`, then MIG does not repair a failed VM. If `REPAIR` (default), then MIG automatically repairs a failed VM by recreating it. For more information, see about repairing VMs in a MIG.
+        :param pulumi.Input[str] force_update_on_repair: , Specifies whether to apply the group's latest configuration when repairing a VM. Valid options are: `YES`, `NO`. If `YES` and you updated the group's instance template or per-instance configurations after the VM was created, then these changes are applied when VM is repaired. If `NO` (default), then updates are applied in accordance with the group's update policy type.
+        :param pulumi.Input[str] on_failed_health_check: , Specifies the action that a MIG performs on an unhealthy VM. A VM is marked as unhealthy when the application running on that VM fails a health check. Valid options are: `DEFAULT_ACTION`, `DO_NOTHING`, `REPAIR`. If `DEFAULT_ACTION` (default), then MIG uses the same action configured for the  `default_action_on_failure` field. If `DO_NOTHING`, then MIG does not repair unhealthy VM. If `REPAIR`, then MIG automatically repairs an unhealthy VM by recreating it. For more information, see about repairing VMs in a MIG. 
                
                - - -
                <a name="nested_instance_flexibility_policy"></a>The `instance_flexibility_policy` block supports:
-        :param pulumi.Input[str] force_update_on_repair: , Specifies whether to apply the group's latest configuration when repairing a VM. Valid options are: `YES`, `NO`. If `YES` and you updated the group's instance template or per-instance configurations after the VM was created, then these changes are applied when VM is repaired. If `NO` (default), then updates are applied in accordance with the group's update policy type.
         """
         if default_action_on_failure is not None:
             pulumi.set(__self__, "default_action_on_failure", default_action_on_failure)
         if force_update_on_repair is not None:
             pulumi.set(__self__, "force_update_on_repair", force_update_on_repair)
+        if on_failed_health_check is not None:
+            pulumi.set(__self__, "on_failed_health_check", on_failed_health_check)
 
     @property
     @pulumi.getter(name="defaultActionOnFailure")
     def default_action_on_failure(self) -> Optional[pulumi.Input[str]]:
         """
-        , Default behavior for all instance or health check failures. Valid options are: `REPAIR`, `DO_NOTHING`. If `DO_NOTHING` then instances will not be repaired. If `REPAIR` (default), then failed instances will be repaired.
-
-        - - -
-        <a name="nested_instance_flexibility_policy"></a>The `instance_flexibility_policy` block supports:
+        , Specifies the action that a MIG performs on a failed VM. If the value of the `on_failed_health_check` field is `DEFAULT_ACTION`, then the same action also applies to the VMs on which your application fails a health check. Valid options are: `DO_NOTHING`, `REPAIR`. If `DO_NOTHING`, then MIG does not repair a failed VM. If `REPAIR` (default), then MIG automatically repairs a failed VM by recreating it. For more information, see about repairing VMs in a MIG.
         """
         return pulumi.get(self, "default_action_on_failure")
 
@@ -32942,6 +35095,21 @@ class RegionInstanceGroupManagerInstanceLifecyclePolicyArgs:
     def force_update_on_repair(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "force_update_on_repair", value)
 
+    @property
+    @pulumi.getter(name="onFailedHealthCheck")
+    def on_failed_health_check(self) -> Optional[pulumi.Input[str]]:
+        """
+        , Specifies the action that a MIG performs on an unhealthy VM. A VM is marked as unhealthy when the application running on that VM fails a health check. Valid options are: `DEFAULT_ACTION`, `DO_NOTHING`, `REPAIR`. If `DEFAULT_ACTION` (default), then MIG uses the same action configured for the  `default_action_on_failure` field. If `DO_NOTHING`, then MIG does not repair unhealthy VM. If `REPAIR`, then MIG automatically repairs an unhealthy VM by recreating it. For more information, see about repairing VMs in a MIG. 
+
+        - - -
+        <a name="nested_instance_flexibility_policy"></a>The `instance_flexibility_policy` block supports:
+        """
+        return pulumi.get(self, "on_failed_health_check")
+
+    @on_failed_health_check.setter
+    def on_failed_health_check(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "on_failed_health_check", value)
+
 
 if not MYPY:
     class RegionInstanceGroupManagerNamedPortArgsDict(TypedDict):
@@ -51147,6 +53315,10 @@ if not MYPY:
         attached.
         Possible values are: `COLLOCATED`.
         """
+        gpu_topology: NotRequired[pulumi.Input[str]]
+        """
+        Specifies the shape of the GPU slice, in slice based GPU families eg. A4X.
+        """
         max_distance: NotRequired[pulumi.Input[int]]
         """
         Specifies the number of max logical switches.
@@ -51165,6 +53337,7 @@ class ResourcePolicyGroupPlacementPolicyArgs:
     def __init__(__self__, *,
                  availability_domain_count: Optional[pulumi.Input[int]] = None,
                  collocation: Optional[pulumi.Input[str]] = None,
+                 gpu_topology: Optional[pulumi.Input[str]] = None,
                  max_distance: Optional[pulumi.Input[int]] = None,
                  vm_count: Optional[pulumi.Input[int]] = None):
         """
@@ -51175,6 +53348,7 @@ class ResourcePolicyGroupPlacementPolicyArgs:
                with a COLLOCATED policy, then exactly `vm_count` instances must be created at the same time with the resource policy
                attached.
                Possible values are: `COLLOCATED`.
+        :param pulumi.Input[str] gpu_topology: Specifies the shape of the GPU slice, in slice based GPU families eg. A4X.
         :param pulumi.Input[int] max_distance: Specifies the number of max logical switches.
         :param pulumi.Input[int] vm_count: Number of VMs in this placement group. Google does not recommend that you use this field
                unless you use a compact policy and you want your policy to work only if it contains this
@@ -51184,6 +53358,8 @@ class ResourcePolicyGroupPlacementPolicyArgs:
             pulumi.set(__self__, "availability_domain_count", availability_domain_count)
         if collocation is not None:
             pulumi.set(__self__, "collocation", collocation)
+        if gpu_topology is not None:
+            pulumi.set(__self__, "gpu_topology", gpu_topology)
         if max_distance is not None:
             pulumi.set(__self__, "max_distance", max_distance)
         if vm_count is not None:
@@ -51218,6 +53394,18 @@ class ResourcePolicyGroupPlacementPolicyArgs:
     def collocation(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "collocation", value)
 
+    @property
+    @pulumi.getter(name="gpuTopology")
+    def gpu_topology(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies the shape of the GPU slice, in slice based GPU families eg. A4X.
+        """
+        return pulumi.get(self, "gpu_topology")
+
+    @gpu_topology.setter
+    def gpu_topology(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "gpu_topology", value)
+
     @property
     @pulumi.getter(name="maxDistance")
     def max_distance(self) -> Optional[pulumi.Input[int]]:
@@ -51951,6 +54139,89 @@ class ResourcePolicySnapshotSchedulePolicySnapshotPropertiesArgs:
         pulumi.set(self, "storage_locations", value)
 
 
+if not MYPY:
+    class ResourcePolicyWorkloadPolicyArgsDict(TypedDict):
+        type: pulumi.Input[str]
+        """
+        The type of workload policy.
+        Possible values are: `HIGH_AVAILABILITY`, `HIGH_THROUGHPUT`.
+        """
+        accelerator_topology: NotRequired[pulumi.Input[str]]
+        """
+        The accelerator topology. This field can be set only when the workload policy type is HIGH_THROUGHPUT
+        and cannot be set if max topology distance is set.
+        """
+        max_topology_distance: NotRequired[pulumi.Input[str]]
+        """
+        The maximum topology distance. This field can be set only when the workload policy type is HIGH_THROUGHPUT
+        and cannot be set if accelerator topology is set.
+        Possible values are: `BLOCK`, `CLUSTER`, `SUBBLOCK`.
+        """
+elif False:
+    ResourcePolicyWorkloadPolicyArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class ResourcePolicyWorkloadPolicyArgs:
+    def __init__(__self__, *,
+                 type: pulumi.Input[str],
+                 accelerator_topology: Optional[pulumi.Input[str]] = None,
+                 max_topology_distance: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[str] type: The type of workload policy.
+               Possible values are: `HIGH_AVAILABILITY`, `HIGH_THROUGHPUT`.
+        :param pulumi.Input[str] accelerator_topology: The accelerator topology. This field can be set only when the workload policy type is HIGH_THROUGHPUT
+               and cannot be set if max topology distance is set.
+        :param pulumi.Input[str] max_topology_distance: The maximum topology distance. This field can be set only when the workload policy type is HIGH_THROUGHPUT
+               and cannot be set if accelerator topology is set.
+               Possible values are: `BLOCK`, `CLUSTER`, `SUBBLOCK`.
+        """
+        pulumi.set(__self__, "type", type)
+        if accelerator_topology is not None:
+            pulumi.set(__self__, "accelerator_topology", accelerator_topology)
+        if max_topology_distance is not None:
+            pulumi.set(__self__, "max_topology_distance", max_topology_distance)
+
+    @property
+    @pulumi.getter
+    def type(self) -> pulumi.Input[str]:
+        """
+        The type of workload policy.
+        Possible values are: `HIGH_AVAILABILITY`, `HIGH_THROUGHPUT`.
+        """
+        return pulumi.get(self, "type")
+
+    @type.setter
+    def type(self, value: pulumi.Input[str]):
+        pulumi.set(self, "type", value)
+
+    @property
+    @pulumi.getter(name="acceleratorTopology")
+    def accelerator_topology(self) -> Optional[pulumi.Input[str]]:
+        """
+        The accelerator topology. This field can be set only when the workload policy type is HIGH_THROUGHPUT
+        and cannot be set if max topology distance is set.
+        """
+        return pulumi.get(self, "accelerator_topology")
+
+    @accelerator_topology.setter
+    def accelerator_topology(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "accelerator_topology", value)
+
+    @property
+    @pulumi.getter(name="maxTopologyDistance")
+    def max_topology_distance(self) -> Optional[pulumi.Input[str]]:
+        """
+        The maximum topology distance. This field can be set only when the workload policy type is HIGH_THROUGHPUT
+        and cannot be set if accelerator topology is set.
+        Possible values are: `BLOCK`, `CLUSTER`, `SUBBLOCK`.
+        """
+        return pulumi.get(self, "max_topology_distance")
+
+    @max_topology_distance.setter
+    def max_topology_distance(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "max_topology_distance", value)
+
+
 if not MYPY:
     class RouteAsPathArgsDict(TypedDict):
         as_lists: NotRequired[pulumi.Input[Sequence[pulumi.Input[int]]]]
@@ -52391,6 +54662,8 @@ if not MYPY:
         description: NotRequired[pulumi.Input[str]]
         """
         User-specified description for the IP range.
+
+        <a name="nested_md5_authentication_keys"></a>The `md5_authentication_keys` block supports:
         """
 elif False:
     RouterBgpAdvertisedIpRangeArgsDict: TypeAlias = Mapping[str, Any]
@@ -52404,6 +54677,8 @@ class RouterBgpAdvertisedIpRangeArgs:
         :param pulumi.Input[str] range: The IP range to advertise. The value must be a
                CIDR-formatted string.
         :param pulumi.Input[str] description: User-specified description for the IP range.
+               
+               <a name="nested_md5_authentication_keys"></a>The `md5_authentication_keys` block supports:
         """
         pulumi.set(__self__, "range", range)
         if description is not None:
@@ -52427,6 +54702,8 @@ class RouterBgpAdvertisedIpRangeArgs:
     def description(self) -> Optional[pulumi.Input[str]]:
         """
         User-specified description for the IP range.
+
+        <a name="nested_md5_authentication_keys"></a>The `md5_authentication_keys` block supports:
         """
         return pulumi.get(self, "description")
 
@@ -52435,6 +54712,71 @@ class RouterBgpAdvertisedIpRangeArgs:
         pulumi.set(self, "description", value)
 
 
+if not MYPY:
+    class RouterMd5AuthenticationKeysArgsDict(TypedDict):
+        key: pulumi.Input[str]
+        """
+        Value of the key used for MD5 authentication.
+        """
+        name: pulumi.Input[str]
+        """
+        Name of the resource. The name must be 1-63 characters long, and
+        comply with RFC1035. Specifically, the name must be 1-63 characters
+        long and match the regular expression `a-z?`
+        which means the first character must be a lowercase letter, and all
+        following characters must be a dash, lowercase letter, or digit,
+        except the last character, which cannot be a dash.
+        """
+elif False:
+    RouterMd5AuthenticationKeysArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class RouterMd5AuthenticationKeysArgs:
+    def __init__(__self__, *,
+                 key: pulumi.Input[str],
+                 name: pulumi.Input[str]):
+        """
+        :param pulumi.Input[str] key: Value of the key used for MD5 authentication.
+        :param pulumi.Input[str] name: Name of the resource. The name must be 1-63 characters long, and
+               comply with RFC1035. Specifically, the name must be 1-63 characters
+               long and match the regular expression `a-z?`
+               which means the first character must be a lowercase letter, and all
+               following characters must be a dash, lowercase letter, or digit,
+               except the last character, which cannot be a dash.
+        """
+        pulumi.set(__self__, "key", key)
+        pulumi.set(__self__, "name", name)
+
+    @property
+    @pulumi.getter
+    def key(self) -> pulumi.Input[str]:
+        """
+        Value of the key used for MD5 authentication.
+        """
+        return pulumi.get(self, "key")
+
+    @key.setter
+    def key(self, value: pulumi.Input[str]):
+        pulumi.set(self, "key", value)
+
+    @property
+    @pulumi.getter
+    def name(self) -> pulumi.Input[str]:
+        """
+        Name of the resource. The name must be 1-63 characters long, and
+        comply with RFC1035. Specifically, the name must be 1-63 characters
+        long and match the regular expression `a-z?`
+        which means the first character must be a lowercase letter, and all
+        following characters must be a dash, lowercase letter, or digit,
+        except the last character, which cannot be a dash.
+        """
+        return pulumi.get(self, "name")
+
+    @name.setter
+    def name(self, value: pulumi.Input[str]):
+        pulumi.set(self, "name", value)
+
+
 if not MYPY:
     class RouterNatLogConfigArgsDict(TypedDict):
         enable: pulumi.Input[bool]
@@ -56195,6 +58537,12 @@ if not MYPY:
         RFC 4648 base64 to either encrypt or decrypt this resource.
         **Note**: This property is sensitive and will not be displayed in the plan.
         """
+        rsa_encrypted_key: NotRequired[pulumi.Input[str]]
+        """
+        Specifies an encryption key stored in Google Cloud KMS, encoded in
+        RFC 4648 base64 to either encrypt or decrypt this resource.
+        **Note**: This property is sensitive and will not be displayed in the plan.
+        """
         sha256: NotRequired[pulumi.Input[str]]
         """
         (Output)
@@ -56210,6 +58558,7 @@ class SnapshotSnapshotEncryptionKeyArgs:
                  kms_key_self_link: Optional[pulumi.Input[str]] = None,
                  kms_key_service_account: Optional[pulumi.Input[str]] = None,
                  raw_key: Optional[pulumi.Input[str]] = None,
+                 rsa_encrypted_key: Optional[pulumi.Input[str]] = None,
                  sha256: Optional[pulumi.Input[str]] = None):
         """
         :param pulumi.Input[str] kms_key_self_link: The name of the encryption key that is stored in Google Cloud KMS.
@@ -56218,6 +58567,9 @@ class SnapshotSnapshotEncryptionKeyArgs:
         :param pulumi.Input[str] raw_key: Specifies a 256-bit customer-supplied encryption key, encoded in
                RFC 4648 base64 to either encrypt or decrypt this resource.
                **Note**: This property is sensitive and will not be displayed in the plan.
+        :param pulumi.Input[str] rsa_encrypted_key: Specifies an encryption key stored in Google Cloud KMS, encoded in
+               RFC 4648 base64 to either encrypt or decrypt this resource.
+               **Note**: This property is sensitive and will not be displayed in the plan.
         :param pulumi.Input[str] sha256: (Output)
                The RFC 4648 base64 encoded SHA-256 hash of the customer-supplied
                encryption key that protects this resource.
@@ -56228,6 +58580,8 @@ class SnapshotSnapshotEncryptionKeyArgs:
             pulumi.set(__self__, "kms_key_service_account", kms_key_service_account)
         if raw_key is not None:
             pulumi.set(__self__, "raw_key", raw_key)
+        if rsa_encrypted_key is not None:
+            pulumi.set(__self__, "rsa_encrypted_key", rsa_encrypted_key)
         if sha256 is not None:
             pulumi.set(__self__, "sha256", sha256)
 
@@ -56270,6 +58624,20 @@ class SnapshotSnapshotEncryptionKeyArgs:
     def raw_key(self, value: Optional[pulumi.Input[str]]):
         pulumi.set(self, "raw_key", value)
 
+    @property
+    @pulumi.getter(name="rsaEncryptedKey")
+    def rsa_encrypted_key(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies an encryption key stored in Google Cloud KMS, encoded in
+        RFC 4648 base64 to either encrypt or decrypt this resource.
+        **Note**: This property is sensitive and will not be displayed in the plan.
+        """
+        return pulumi.get(self, "rsa_encrypted_key")
+
+    @rsa_encrypted_key.setter
+    def rsa_encrypted_key(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "rsa_encrypted_key", value)
+
     @property
     @pulumi.getter
     def sha256(self) -> Optional[pulumi.Input[str]]:
@@ -63176,6 +65544,11 @@ if not MYPY:
         you could add rules numbered from 6 to 8, 10 to 11, and 13 to 15 in the
         future without any impact on existing rules.
         """
+        custom_error_response_policy: NotRequired[pulumi.Input['URLMapPathMatcherRouteRuleCustomErrorResponsePolicyArgsDict']]
+        """
+        customErrorResponsePolicy specifies how the Load Balancer returns error responses when BackendService or BackendBucket responds with an error.
+        Structure is documented below.
+        """
         header_action: NotRequired[pulumi.Input['URLMapPathMatcherRouteRuleHeaderActionArgsDict']]
         """
         Specifies changes to request and response headers that need to take effect for
@@ -63223,6 +65596,7 @@ elif False:
 class URLMapPathMatcherRouteRuleArgs:
     def __init__(__self__, *,
                  priority: pulumi.Input[int],
+                 custom_error_response_policy: Optional[pulumi.Input['URLMapPathMatcherRouteRuleCustomErrorResponsePolicyArgs']] = None,
                  header_action: Optional[pulumi.Input['URLMapPathMatcherRouteRuleHeaderActionArgs']] = None,
                  match_rules: Optional[pulumi.Input[Sequence[pulumi.Input['URLMapPathMatcherRouteRuleMatchRuleArgs']]]] = None,
                  route_action: Optional[pulumi.Input['URLMapPathMatcherRouteRuleRouteActionArgs']] = None,
@@ -63242,6 +65616,8 @@ class URLMapPathMatcherRouteRuleArgs:
                1, 2, 3, 4, 5, 9, 12, 16 is a valid series of priority numbers to which
                you could add rules numbered from 6 to 8, 10 to 11, and 13 to 15 in the
                future without any impact on existing rules.
+        :param pulumi.Input['URLMapPathMatcherRouteRuleCustomErrorResponsePolicyArgs'] custom_error_response_policy: customErrorResponsePolicy specifies how the Load Balancer returns error responses when BackendService or BackendBucket responds with an error.
+               Structure is documented below.
         :param pulumi.Input['URLMapPathMatcherRouteRuleHeaderActionArgs'] header_action: Specifies changes to request and response headers that need to take effect for
                the selected backendService. The headerAction specified here are applied before
                the matching pathMatchers[].headerAction and after pathMatchers[].routeRules[].r
@@ -63269,6 +65645,8 @@ class URLMapPathMatcherRouteRuleArgs:
                Structure is documented below.
         """
         pulumi.set(__self__, "priority", priority)
+        if custom_error_response_policy is not None:
+            pulumi.set(__self__, "custom_error_response_policy", custom_error_response_policy)
         if header_action is not None:
             pulumi.set(__self__, "header_action", header_action)
         if match_rules is not None:
@@ -63304,6 +65682,19 @@ class URLMapPathMatcherRouteRuleArgs:
     def priority(self, value: pulumi.Input[int]):
         pulumi.set(self, "priority", value)
 
+    @property
+    @pulumi.getter(name="customErrorResponsePolicy")
+    def custom_error_response_policy(self) -> Optional[pulumi.Input['URLMapPathMatcherRouteRuleCustomErrorResponsePolicyArgs']]:
+        """
+        customErrorResponsePolicy specifies how the Load Balancer returns error responses when BackendService or BackendBucket responds with an error.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "custom_error_response_policy")
+
+    @custom_error_response_policy.setter
+    def custom_error_response_policy(self, value: Optional[pulumi.Input['URLMapPathMatcherRouteRuleCustomErrorResponsePolicyArgs']]):
+        pulumi.set(self, "custom_error_response_policy", value)
+
     @property
     @pulumi.getter(name="headerAction")
     def header_action(self) -> Optional[pulumi.Input['URLMapPathMatcherRouteRuleHeaderActionArgs']]:
@@ -63385,6 +65776,181 @@ class URLMapPathMatcherRouteRuleArgs:
         pulumi.set(self, "url_redirect", value)
 
 
+if not MYPY:
+    class URLMapPathMatcherRouteRuleCustomErrorResponsePolicyArgsDict(TypedDict):
+        error_response_rules: NotRequired[pulumi.Input[Sequence[pulumi.Input['URLMapPathMatcherRouteRuleCustomErrorResponsePolicyErrorResponseRuleArgsDict']]]]
+        """
+        Specifies rules for returning error responses.
+        In a given policy, if you specify rules for both a range of error codes as well as rules for specific error codes then rules with specific error codes have a higher priority.
+        For example, assume that you configure a rule for 401 (Un-authorized) code, and another for all 4 series error codes (4XX).
+        If the backend service returns a 401, then the rule for 401 will be applied. However if the backend service returns a 403, the rule for 4xx takes effect.
+        Structure is documented below.
+        """
+        error_service: NotRequired[pulumi.Input[str]]
+        """
+        The full or partial URL to the BackendBucket resource that contains the custom error content. Examples are:
+        https://www.googleapis.com/compute/v1/projects/project/global/backendBuckets/myBackendBucket
+        compute/v1/projects/project/global/backendBuckets/myBackendBucket
+        global/backendBuckets/myBackendBucket
+        If errorService is not specified at lower levels like pathMatcher, pathRule and routeRule, an errorService specified at a higher level in the UrlMap will be used. If UrlMap.defaultCustomErrorResponsePolicy contains one or more errorResponseRules[], it must specify errorService.
+        If load balancer cannot reach the backendBucket, a simple Not Found Error will be returned, with the original response code (or overrideResponseCode if configured).
+        """
+elif False:
+    URLMapPathMatcherRouteRuleCustomErrorResponsePolicyArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class URLMapPathMatcherRouteRuleCustomErrorResponsePolicyArgs:
+    def __init__(__self__, *,
+                 error_response_rules: Optional[pulumi.Input[Sequence[pulumi.Input['URLMapPathMatcherRouteRuleCustomErrorResponsePolicyErrorResponseRuleArgs']]]] = None,
+                 error_service: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[Sequence[pulumi.Input['URLMapPathMatcherRouteRuleCustomErrorResponsePolicyErrorResponseRuleArgs']]] error_response_rules: Specifies rules for returning error responses.
+               In a given policy, if you specify rules for both a range of error codes as well as rules for specific error codes then rules with specific error codes have a higher priority.
+               For example, assume that you configure a rule for 401 (Un-authorized) code, and another for all 4 series error codes (4XX).
+               If the backend service returns a 401, then the rule for 401 will be applied. However if the backend service returns a 403, the rule for 4xx takes effect.
+               Structure is documented below.
+        :param pulumi.Input[str] error_service: The full or partial URL to the BackendBucket resource that contains the custom error content. Examples are:
+               https://www.googleapis.com/compute/v1/projects/project/global/backendBuckets/myBackendBucket
+               compute/v1/projects/project/global/backendBuckets/myBackendBucket
+               global/backendBuckets/myBackendBucket
+               If errorService is not specified at lower levels like pathMatcher, pathRule and routeRule, an errorService specified at a higher level in the UrlMap will be used. If UrlMap.defaultCustomErrorResponsePolicy contains one or more errorResponseRules[], it must specify errorService.
+               If load balancer cannot reach the backendBucket, a simple Not Found Error will be returned, with the original response code (or overrideResponseCode if configured).
+        """
+        if error_response_rules is not None:
+            pulumi.set(__self__, "error_response_rules", error_response_rules)
+        if error_service is not None:
+            pulumi.set(__self__, "error_service", error_service)
+
+    @property
+    @pulumi.getter(name="errorResponseRules")
+    def error_response_rules(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['URLMapPathMatcherRouteRuleCustomErrorResponsePolicyErrorResponseRuleArgs']]]]:
+        """
+        Specifies rules for returning error responses.
+        In a given policy, if you specify rules for both a range of error codes as well as rules for specific error codes then rules with specific error codes have a higher priority.
+        For example, assume that you configure a rule for 401 (Un-authorized) code, and another for all 4 series error codes (4XX).
+        If the backend service returns a 401, then the rule for 401 will be applied. However if the backend service returns a 403, the rule for 4xx takes effect.
+        Structure is documented below.
+        """
+        return pulumi.get(self, "error_response_rules")
+
+    @error_response_rules.setter
+    def error_response_rules(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['URLMapPathMatcherRouteRuleCustomErrorResponsePolicyErrorResponseRuleArgs']]]]):
+        pulumi.set(self, "error_response_rules", value)
+
+    @property
+    @pulumi.getter(name="errorService")
+    def error_service(self) -> Optional[pulumi.Input[str]]:
+        """
+        The full or partial URL to the BackendBucket resource that contains the custom error content. Examples are:
+        https://www.googleapis.com/compute/v1/projects/project/global/backendBuckets/myBackendBucket
+        compute/v1/projects/project/global/backendBuckets/myBackendBucket
+        global/backendBuckets/myBackendBucket
+        If errorService is not specified at lower levels like pathMatcher, pathRule and routeRule, an errorService specified at a higher level in the UrlMap will be used. If UrlMap.defaultCustomErrorResponsePolicy contains one or more errorResponseRules[], it must specify errorService.
+        If load balancer cannot reach the backendBucket, a simple Not Found Error will be returned, with the original response code (or overrideResponseCode if configured).
+        """
+        return pulumi.get(self, "error_service")
+
+    @error_service.setter
+    def error_service(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "error_service", value)
+
+
+if not MYPY:
+    class URLMapPathMatcherRouteRuleCustomErrorResponsePolicyErrorResponseRuleArgsDict(TypedDict):
+        match_response_codes: NotRequired[pulumi.Input[Sequence[pulumi.Input[str]]]]
+        """
+        Valid values include:
+        - A number between 400 and 599: For example 401 or 503, in which case the load balancer applies the policy if the error code exactly matches this value.
+        - 5xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 500 to 599.
+        - 4xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 400 to 499.
+        Values must be unique within matchResponseCodes and across all errorResponseRules of CustomErrorResponsePolicy.
+        """
+        override_response_code: NotRequired[pulumi.Input[int]]
+        """
+        The HTTP status code returned with the response containing the custom error content.
+        If overrideResponseCode is not supplied, the same response code returned by the original backend bucket or backend service is returned to the client.
+        """
+        path: NotRequired[pulumi.Input[str]]
+        """
+        The full path to a file within backendBucket. For example: /errors/defaultError.html
+        path must start with a leading slash. path cannot have trailing slashes.
+        If the file is not available in backendBucket or the load balancer cannot reach the BackendBucket, a simple Not Found Error is returned to the client.
+        The value must be from 1 to 1024 characters.
+        """
+elif False:
+    URLMapPathMatcherRouteRuleCustomErrorResponsePolicyErrorResponseRuleArgsDict: TypeAlias = Mapping[str, Any]
+
+@pulumi.input_type
+class URLMapPathMatcherRouteRuleCustomErrorResponsePolicyErrorResponseRuleArgs:
+    def __init__(__self__, *,
+                 match_response_codes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 override_response_code: Optional[pulumi.Input[int]] = None,
+                 path: Optional[pulumi.Input[str]] = None):
+        """
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] match_response_codes: Valid values include:
+               - A number between 400 and 599: For example 401 or 503, in which case the load balancer applies the policy if the error code exactly matches this value.
+               - 5xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 500 to 599.
+               - 4xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 400 to 499.
+               Values must be unique within matchResponseCodes and across all errorResponseRules of CustomErrorResponsePolicy.
+        :param pulumi.Input[int] override_response_code: The HTTP status code returned with the response containing the custom error content.
+               If overrideResponseCode is not supplied, the same response code returned by the original backend bucket or backend service is returned to the client.
+        :param pulumi.Input[str] path: The full path to a file within backendBucket. For example: /errors/defaultError.html
+               path must start with a leading slash. path cannot have trailing slashes.
+               If the file is not available in backendBucket or the load balancer cannot reach the BackendBucket, a simple Not Found Error is returned to the client.
+               The value must be from 1 to 1024 characters.
+        """
+        if match_response_codes is not None:
+            pulumi.set(__self__, "match_response_codes", match_response_codes)
+        if override_response_code is not None:
+            pulumi.set(__self__, "override_response_code", override_response_code)
+        if path is not None:
+            pulumi.set(__self__, "path", path)
+
+    @property
+    @pulumi.getter(name="matchResponseCodes")
+    def match_response_codes(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        Valid values include:
+        - A number between 400 and 599: For example 401 or 503, in which case the load balancer applies the policy if the error code exactly matches this value.
+        - 5xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 500 to 599.
+        - 4xx: Load Balancer will apply the policy if the backend service responds with any response code in the range of 400 to 499.
+        Values must be unique within matchResponseCodes and across all errorResponseRules of CustomErrorResponsePolicy.
+        """
+        return pulumi.get(self, "match_response_codes")
+
+    @match_response_codes.setter
+    def match_response_codes(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "match_response_codes", value)
+
+    @property
+    @pulumi.getter(name="overrideResponseCode")
+    def override_response_code(self) -> Optional[pulumi.Input[int]]:
+        """
+        The HTTP status code returned with the response containing the custom error content.
+        If overrideResponseCode is not supplied, the same response code returned by the original backend bucket or backend service is returned to the client.
+        """
+        return pulumi.get(self, "override_response_code")
+
+    @override_response_code.setter
+    def override_response_code(self, value: Optional[pulumi.Input[int]]):
+        pulumi.set(self, "override_response_code", value)
+
+    @property
+    @pulumi.getter
+    def path(self) -> Optional[pulumi.Input[str]]:
+        """
+        The full path to a file within backendBucket. For example: /errors/defaultError.html
+        path must start with a leading slash. path cannot have trailing slashes.
+        If the file is not available in backendBucket or the load balancer cannot reach the BackendBucket, a simple Not Found Error is returned to the client.
+        The value must be from 1 to 1024 characters.
+        """
+        return pulumi.get(self, "path")
+
+    @path.setter
+    def path(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "path", value)
+
+
 if not MYPY:
     class URLMapPathMatcherRouteRuleHeaderActionArgsDict(TypedDict):
         request_headers_to_adds: NotRequired[pulumi.Input[Sequence[pulumi.Input['URLMapPathMatcherRouteRuleHeaderActionRequestHeadersToAddArgsDict']]]]