Add enable_deletion_protection variable to agent engine module (#3898)

2026-04-22 16:05:09 +02:00
parent 9eb69ffaa3
commit 275dd6a9ea
9 changed files with 225 additions and 17 deletions
--- a/modules/agent-engine/README.md
+++ b/modules/agent-engine/README.md
@@ -25,6 +25,7 @@ The module creates Agent Engine and related dependencies.
 - [Container-based deployment](#container-based-deployment)
 - [Memory Bank](#memory-bank)
 - [Getting values from context](#getting-values-from-context)
+- [Disable deletion protection](#disable-deletion-protection)
 - [Variables](#variables)
 - [Outputs](#outputs)
 <!-- END TOC -->
@@ -412,23 +413,51 @@ module "agent_engine" {
 }
 # tftest inventory=context.yaml
 ```
+
+## Disable deletion protection
+
+By default you can't neither delete your agent if it has session or your GCS bucket if it has files inside. For testing, you can anyway force the deletion of these resources:
+
+```hcl
+module "agent_engine" {
+  source                     = "./fabric/modules/agent-engine"
+  name                       = "my-agent"
+  project_id                 = var.project_id
+  region                     = var.region
+  enable_deletion_protection = false
+
+  agent_engine_config = {
+    agent_framework = "google-adk"
+  }
+
+  deployment_config = {
+    package_config = {
+      pickle_path       = "assets/src/pickle.pkl"
+      dependencies_path = "assets/src/dependencies.tar.gz"
+      requirements_path = "assets/src/requirements.txt"
+    }
+  }
+}
+# tftest inventory=deletion-protection.yaml
+```
 <!-- BEGIN TFDOC -->
 ## Variables

 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [name](variables.tf#L172) | The name of the agent. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L191) | The id of the project where to deploy the agent. | <code>string</code> | ✓ |  |
-| [region](variables.tf#L197) | The region where to deploy the agent. | <code>string</code> | ✓ |  |
+| [name](variables.tf#L178) | The name of the agent. | <code>string</code> | ✓ |  |
+| [project_id](variables.tf#L197) | The id of the project where to deploy the agent. | <code>string</code> | ✓ |  |
+| [region](variables.tf#L203) | The region where to deploy the agent. | <code>string</code> | ✓ |  |
 | [agent_engine_config](variables.tf#L17) | The agent configuration. Supported values for agent_framework: 'google-adk', 'langchain', 'langgraph', 'ag2', 'llama-index', 'custom'. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [bucket_config](variables.tf#L41) | The GCS bucket configuration. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [context](variables.tf#L53) | Context-specific interpolations. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [deployment_config](variables.tf#L69) | The deployment configuration. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [description](variables.tf#L129) | The Agent Engine description. | <code>string</code> |  | <code>&#34;Terraform managed.&#34;</code> |
-| [encryption_key](variables.tf#L136) | The full resource name of the Cloud KMS CryptoKey. | <code>string</code> |  | <code>null</code> |
-| [managed](variables.tf#L142) | Whether the Terraform module should control the code updates. | <code>bool</code> |  | <code>true</code> |
-| [memory_bank_config](variables.tf#L149) | Configuration for the memory bank. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [networking_config](variables.tf#L178) | Networking configuration. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [context](variables.tf#L52) | Context-specific interpolations. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [deployment_config](variables.tf#L68) | The deployment configuration. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [description](variables.tf#L128) | The Agent Engine description. | <code>string</code> |  | <code>&#34;Terraform managed.&#34;</code> |
+| [enable_deletion_protection](variables.tf#L135) | Whether deletion protection should be enabled. | <code>bool</code> |  | <code>true</code> |
+| [encryption_key](variables.tf#L142) | The full resource name of the Cloud KMS CryptoKey. | <code>string</code> |  | <code>null</code> |
+| [managed](variables.tf#L148) | Whether the Terraform module should control the code updates. | <code>bool</code> |  | <code>true</code> |
+| [memory_bank_config](variables.tf#L155) | Configuration for the memory bank. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [networking_config](variables.tf#L184) | Networking configuration. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [service_account_config](variables-serviceaccount.tf#L18) | Service account configurations. | <code>object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |

 ## Outputs
--- a/modules/agent-engine/agent-managed.tf
+++ b/modules/agent-engine/agent-managed.tf
@@ -21,6 +21,11 @@ resource "google_vertex_ai_reasoning_engine" "managed" {
  project      = local.project_id
  description  = var.description
  region       = local.location
+  deletion_policy = (
+    var.enable_deletion_protection
+    ? null
+    : "FORCE"
+  )

  dynamic "encryption_spec" {
    for_each = var.encryption_key == null ? {} : { 1 = 1 }
--- a/modules/agent-engine/agent-unmanaged.tf
+++ b/modules/agent-engine/agent-unmanaged.tf
@@ -21,6 +21,11 @@ resource "google_vertex_ai_reasoning_engine" "unmanaged" {
  project      = local.project_id
  description  = var.description
  region       = local.location
+  deletion_policy = (
+    var.enable_deletion_protection
+    ? null
+    : "FORCE"
+  )

  dynamic "encryption_spec" {
    for_each = var.encryption_key == null ? {} : { 1 = 1 }
--- a/modules/agent-engine/main.tf
+++ b/modules/agent-engine/main.tf
@@ -63,7 +63,7 @@ resource "google_storage_bucket" "default" {
  project                     = local.project_id
  location                    = local.location
  uniform_bucket_level_access = var.bucket_config.uniform_bucket_level_access
-  force_destroy               = !var.bucket_config.deletion_protection
+  force_destroy               = !var.enable_deletion_protection
 }

 resource "google_storage_bucket_object" "dependencies" {
--- a/modules/agent-engine/variables.tf
+++ b/modules/agent-engine/variables.tf
@@ -42,7 +42,6 @@ variable "bucket_config" {
  description = "The GCS bucket configuration."
  type = object({
    create                      = optional(bool, true)
-    deletion_protection         = optional(bool, true)
    name                        = optional(string)
    uniform_bucket_level_access = optional(bool, true)
  })
@@ -133,6 +132,13 @@ variable "description" {
  default     = "Terraform managed."
 }

+variable "enable_deletion_protection" {
+  description = "Whether deletion protection should be enabled."
+  type        = bool
+  nullable    = false
+  default     = true
+}
+
 variable "encryption_key" {
  description = "The full resource name of the Cloud KMS CryptoKey."
  type        = string
--- a/modules/cloudsql-instance/main.tf
+++ b/modules/cloudsql-instance/main.tf
@@ -394,4 +394,3 @@ resource "google_sql_ssl_cert" "client_certificates" {
  instance    = google_sql_database_instance.primary.name
  common_name = each.key
 }
-
--- a/modules/project/service-agents.yaml
+++ b/modules/project/service-agents.yaml
@@ -2124,4 +2124,3 @@
  is_primary: false
  aliases: []
  skip_iam: false
-