# ─────────────────────────────────────────────
# 1. API Enablement
# ─────────────────────────────────────────────
locals {
  # Service APIs that google_project_service.apis turns on for the project.
  # toset() gives for_each the unordered, de-duplicated collection it needs,
  # so the grouping below is purely for readers.
  # NOTE(review): every enabled API is reachable surface for any principal
  # holding a matching role; confirm each entry is actually used (e.g. no
  # binding in the visible part of this file references Dialogflow or
  # Secret Manager).
  apis = toset([
    # Identity, resource hierarchy, secrets
    "cloudresourcemanager.googleapis.com",
    "iam.googleapis.com",
    "secretmanager.googleapis.com",

    # Vertex AI / Gemini / search and conversational services
    "aiplatform.googleapis.com",
    "cloudaicompanion.googleapis.com",
    "dialogflow.googleapis.com",
    "discoveryengine.googleapis.com",
  ])
}
resource "google_project_service" "apis" {
  # One instance per API name in local.apis, keyed by that name.
  for_each = local.apis

  service = each.value
  project = var.project_id

  # disable_on_destroy = false: destroying this resource drops it from state
  # but leaves the API enabled on the project.
  # disable_dependent_services = false: services that depend on this one are
  # never disabled as a side effect.
  # NOTE(review): because nothing is disabled on teardown, APIs enabled here
  # outlive the stack; disable them separately if the project is kept and the
  # services are no longer needed.
  disable_dependent_services = false
  disable_on_destroy         = false
}
# ─────────────────────────────────────────────
# 2. Service Accounts
# ─────────────────────────────────────────────
resource "google_service_account" "agent_sa" {
  # Identity that applications run as when they call Vertex AI / Agent Engine.
  # account_id must be 6-30 characters; the "-agent-sa" suffix uses 9, so
  # var.prefix can be at most 21 characters for this account.
  account_id   = "${var.prefix}-agent-sa"
  project      = var.project_id
  description  = "Runtime service account for applications calling Vertex AI / Agent Engine APIs."
  display_name = "Gemini Agent Runtime SA"

  # Create the account only after the APIs in google_project_service.apis
  # have been enabled.
  # NOTE(review): no user-managed key is created for this account in the
  # visible part of the file; keep it that way and attach the account to the
  # workload (or use impersonation) rather than exporting key files.
  depends_on = [google_project_service.apis]
}
resource "google_service_account" "code_assist_sa" {
  # Identity used for Gemini Code Assist Enterprise IDE plugin configuration.
  # account_id must be 6-30 characters; the "-code-assist-sa" suffix uses 15,
  # so var.prefix can be at most 15 characters for this account.
  account_id   = "${var.prefix}-code-assist-sa"
  project      = var.project_id
  description  = "Service account for Gemini Code Assist Enterprise IDE plugin configuration."
  display_name = "Gemini Code Assist Enterprise SA"

  # Create the account only after the APIs in google_project_service.apis
  # have been enabled.
  # NOTE(review): this account receives an admin-tier role further down the
  # file, so who may impersonate it or mint tokens for it
  # (roles/iam.serviceAccountTokenCreator, roles/iam.serviceAccountUser on
  # this account) should be reviewed alongside it.
  depends_on = [google_project_service.apis]
}
# ─────────────────────────────────────────────
# 3. Project-level IAM Bindings (additive)
# ─────────────────────────────────────────────
resource "google_project_iam_member" "agent_sa_aiplatform_user" {
  # Non-authoritative grant: adds the agent runtime account to
  # roles/aiplatform.user without replacing other members of that role.
  # NOTE(review): the grant is at project scope, so it applies to every
  # Vertex AI resource in var.project_id; confirm that breadth is required
  # for the runtime workload.
  member  = google_service_account.agent_sa.member
  role    = "roles/aiplatform.user"
  project = var.project_id
}
resource "google_project_iam_member" "agent_sa_discovery_viewer" {
  # Non-authoritative grant: adds the agent runtime account to the
  # viewer-tier Discovery Engine role on the project; other members of the
  # role are left untouched.
  member  = google_service_account.agent_sa.member
  role    = "roles/discoveryengine.viewer"
  project = var.project_id
}
resource "google_project_iam_member" "agent_sa_cac_user" {
  # Non-authoritative grant: adds the agent runtime account to
  # roles/cloudaicompanion.user on the project.
  # NOTE(review): this is the third project-level role on the same runtime
  # identity; check that the workload really calls the
  # cloudaicompanion API, otherwise drop the binding.
  member  = google_service_account.agent_sa.member
  role    = "roles/cloudaicompanion.user"
  project = var.project_id
}
resource "google_project_iam_member" "code_assist_sa_cac_admin" {
  # Non-authoritative grant: adds the Code Assist account to
  # roles/cloudaicompanion.admin on the project.
  # NOTE(review): this is an admin-tier role at project scope for an account
  # whose description says it exists for IDE plugin configuration. Confirm
  # the role id against the current predefined-role list, and check whether
  # a narrower role covers what the account does. Whoever can impersonate
  # this account inherits the admin role, so audit the IAM policy on the
  # service account itself as well.
  member  = google_service_account.code_assist_sa.member
  role    = "roles/cloudaicompanion.admin"
  project = var.project_id
}