# ─────────────────────────────────────────────
# 1. API Enablement
# ─────────────────────────────────────────────

# Set of Google Cloud service APIs enabled in var.project_id.
# NOTE(review): secretmanager.googleapis.com and dialogflow.googleapis.com are
# enabled here, but no Secret Manager or Dialogflow role is bound in this
# section. Any such access has to be granted elsewhere; confirm it is scoped
# to the individual resource rather than the whole project.
locals {
  apis = toset([
    "iam.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "aiplatform.googleapis.com",
    "cloudaicompanion.googleapis.com",
    "discoveryengine.googleapis.com",
    "dialogflow.googleapis.com",
    "secretmanager.googleapis.com",
  ])
}

# One google_project_service instance per entry in local.apis.
resource "google_project_service" "apis" {
  for_each = local.apis

  project = var.project_id
  service = each.value

  # Destroying this resource leaves the API enabled in the project, so
  # teardown must not be relied on to shrink the project's API surface.
  disable_dependent_services = false
  disable_on_destroy         = false
}

# ─────────────────────────────────────────────
# 2. Service Accounts
# ─────────────────────────────────────────────

# Identity used by applications that call Vertex AI / Agent Engine APIs.
# Creation waits for every API in local.apis to be enabled.
resource "google_service_account" "agent_sa" {
  account_id   = "${var.prefix}-agent-sa"
  project      = var.project_id
  display_name = "Gemini Agent Runtime SA"
  description  = "Runtime service account for applications calling Vertex AI / Agent Engine APIs."

  depends_on = [google_project_service.apis]
}

# Identity described as serving Gemini Code Assist Enterprise IDE plugin
# configuration.
# NOTE(review): this section does not show how the account is authenticated.
# Confirm it is used through impersonation or an attached identity rather than
# an exported key, and restrict who may act as it.
resource "google_service_account" "code_assist_sa" {
  account_id   = "${var.prefix}-code-assist-sa"
  project      = var.project_id
  display_name = "Gemini Code Assist Enterprise SA"
  description  = "Service account for Gemini Code Assist Enterprise IDE plugin configuration."

  depends_on = [google_project_service.apis]
}

# ─────────────────────────────────────────────
# 3. Project-level IAM Bindings (additive)
# ─────────────────────────────────────────────
# Each google_project_iam_member adds one member to one role and leaves the
# role's other members untouched. Every grant below is scoped to the whole
# project, not to individual resources.

# NOTE(review): a project-wide grant applies to every Vertex AI resource in the
# project. Confirm the runtime needs this breadth, or narrow it with a more
# specific role or an IAM condition.
resource "google_project_iam_member" "agent_sa_aiplatform_user" {
  project = var.project_id
  member  = google_service_account.agent_sa.member
  role    = "roles/aiplatform.user"
}

# Viewer-level Discovery Engine role for the agent runtime identity.
resource "google_project_iam_member" "agent_sa_discovery_viewer" {
  project = var.project_id
  member  = google_service_account.agent_sa.member
  role    = "roles/discoveryengine.viewer"
}

# User-level Cloud AI Companion role for the agent runtime identity.
resource "google_project_iam_member" "agent_sa_cac_user" {
  project = var.project_id
  member  = google_service_account.agent_sa.member
  role    = "roles/cloudaicompanion.user"
}

# NOTE(review): this is an admin role at project scope for an account whose
# description covers only IDE plugin configuration. Confirm the role ID against
# the IAM role catalog, and confirm a narrower settings- or user-level role
# would not be sufficient. Anyone able to impersonate code_assist_sa inherits
# this grant.
resource "google_project_iam_member" "code_assist_sa_cac_admin" {
  project = var.project_id
  member  = google_service_account.code_assist_sa.member
  role    = "roles/cloudaicompanion.admin"
}