# Gemini Enterprise Agent Platform — Terraform Scaffold

Provisions the infrastructure needed to use the Gemini Enterprise Agent Platform (Vertex AI Agent Engine) on an existing GCP project: required APIs, service accounts, and IAM bindings.

> **AI-generated code.** This module was scaffolded with AI assistance. Review all resources and IAM bindings before applying to a production project.

## Prerequisites

- Terraform >= 1.5.0
- An existing GCP project
- `gcloud` CLI authenticated with permissions to enable APIs and manage IAM

## Usage

```bash
cp terraform.tfvars.example terraform.tfvars
# edit terraform.tfvars — set your project_id
terraform init
terraform plan
terraform apply
```

## Variables

| Name | Required | Default | Description |
|---|---|---|---|
| `project_id` | yes | — | Existing GCP project ID |
| `prefix` | no | `gemini` | Short prefix applied to all resource names |

## Outputs

| Name | Description |
|---|---|
| `project_id` | GCP project ID |
| `agent_sa_email` | Runtime service account email (for apps) |
| `code_assist_sa_email` | Code Assist enterprise SA email |

## What gets created

- **7 GCP APIs** enabled (`aiplatform`, `cloudaicompanion`, `discoveryengine`, `dialogflow`, `secretmanager`, `iam`, `cloudresourcemanager`)
- **2 service accounts** — one for app runtime, one for IDE enterprise config
- **4 project IAM bindings**

## Setting up credentials

Use Application Default Credentials:

```bash
gcloud auth application-default login
gcloud config set project
```

For workloads running on GCP (Cloud Run, GKE, Compute Engine), attach the service account to the resource — no credentials file needed.
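The note at the top asks for a review of all resources and IAM bindings before applying, and "What gets created" gives the counts to expect. The Python script below is an added example, not part of this module: it reads the JSON form of a saved plan, compares what would be created with those counts, and flags basic roles and public members. The sample plan, its resource names and its role choices are constructed for illustration.

```python
import json
import sys

EXPECTED = {"apis": 7, "service_accounts": 2, "project_iam": 4}  # counts stated in this README
KIND = {"google_project_service": "apis", "google_service_account": "service_accounts",
        "google_project_iam_member": "project_iam", "google_project_iam_binding": "project_iam"}
BASIC_ROLES = {"roles/owner", "roles/editor"}  # far wider than an agent runtime needs
PUBLIC = {"allUsers", "allAuthenticatedUsers"}

def review_plan(plan):
    """Count what the plan creates and flag IAM grants that deserve a second look."""
    counts, grants, findings = dict.fromkeys(EXPECTED, 0), [], []
    for rc in plan.get("resource_changes", []):
        kind = KIND.get(rc["type"])
        if kind is None or "create" not in rc["change"]["actions"]:
            continue
        counts[kind] += 1
        after = rc["change"].get("after") or {}
        role = after.get("role")
        # iam_member has "member", iam_binding "members"; values known after apply are absent.
        members = after.get("members") or [after.get("member")]
        for member in members if kind == "project_iam" else []:
            member = member or "(known after apply)"
            grants.append((role, member))
            if role in BASIC_ROLES:
                findings.append(f"{rc['address']}: basic role {role}")
            if member in PUBLIC:
                findings.append(f"{rc['address']}: public member {member}")
    for kind, want in EXPECTED.items():
        if counts[kind] != want:
            findings.append(f"{kind}: plan creates {counts[kind]}, README states {want}")
    return {"counts": counts, "grants": grants, "findings": findings}

def _rc(rtype, name, **after):  # helper that builds one constructed resource_changes entry
    return {"address": f"{rtype}.{name}", "type": rtype,
            "change": {"actions": ["create"], "after": after}}

# Constructed sample plan: hypothetical resource names and role choices, not this module's output.
SAMPLE = {"resource_changes": [_rc("google_project_service", f"api{i}") for i in range(7)]
          + [_rc("google_service_account", n, account_id=n) for n in ("agent", "code_assist")]
          + [_rc("google_project_iam_member", "a", role="roles/aiplatform.user"),
             _rc("google_project_iam_member", "b", role="roles/editor",
                 member="serviceAccount:agent@example.iam.gserviceaccount.com"),
             _rc("google_project_iam_member", "c", role="roles/cloudaicompanion.user",
                 member="allUsers")]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(review_plan(plan), indent=2))
```

To review a real plan, run `terraform plan -out=tfplan`, then `terraform show -json tfplan > plan.json`, and pass `plan.json` as the script's first argument; with no argument it runs on the constructed sample.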
## Granting developer access to Gemini Code Assist

```bash
# Single user
gcloud projects add-iam-policy-binding \
  --member="user:" \
  --role="roles/cloudaicompanion.user"

# Create a Google Group (recommended for teams)
gcloud identity groups create devs@ \
  --organization= \
  --display-name="Gemini Developers" \
  --description="Users with access to Gemini Code Assist"

# Add a member to the group
gcloud identity groups memberships add \
  --group-email=devs@ \
  --member-email=

# Grant the group access
gcloud projects add-iam-policy-binding \
  --member="group:devs@" \
  --role="roles/cloudaicompanion.user"
```

## VS Code setup

1. Install the **Gemini Code Assist** extension from the VS Code Marketplace
2. Sign in with a Google account that has `roles/cloudaicompanion.user` on the project
3. In Settings, set **Cloud AI Companion: Project** to your `project_id`

## Creating a GCP project

If you don't have a project yet:

```bash
# List available folders to find your folder ID
gcloud resource-manager folders list --organization=

# Create a new project inside a folder
gcloud projects create \
  --name="" \
  --folder=

# Link a billing account (required before enabling APIs)
gcloud billing projects link \
  --billing-account=

# Verify
gcloud projects describe
```

To find your billing account ID:

```bash
gcloud billing accounts list
```

## License

[MIT](LICENSE) © 2026 Slawomir Koszewski