Agent Engine: remove unnecesary permission after bug fix (#3926)

modules/agent-engine/variables-serviceaccount.tf

@@ -24,9 +24,7 @@ variable "service_account_config" {
     name         = optional(string)
     roles = optional(list(string), [
       "roles/aiplatform.user",
-      "roles/storage.objectViewer",
-      # TODO: remove when b/441480710 is solved
-      "roles/viewer"
+      "roles/storage.objectViewer"
     ])
   })
   nullable = false

tests/modules/agent_engine/examples/container.yaml

@@ -23,11 +23,6 @@ values:
     member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
     project: project-id
     role: roles/storage.objectViewer
-  module.agent_engine.google_project_iam_member.default["roles/viewer"]:
-    condition: []
-    member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
-    project: project-id
-    role: roles/viewer
   module.agent_engine.google_service_account.service_account[0]:
     account_id: my-agent
     create_ignore_already_exists: null
@@ -73,11 +68,11 @@ values:
     triggers: null
 
 counts:
-  google_project_iam_member: 3
+  google_project_iam_member: 2
   google_service_account: 1
   google_vertex_ai_reasoning_engine: 1
   modules: 1
-  resources: 6
+  resources: 5
   time_sleep: 1
 
 outputs: {}

tests/modules/agent_engine/examples/deletion-protection.yaml

@@ -23,11 +23,6 @@ values:
     member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
     project: project-id
     role: roles/storage.objectViewer
-  module.agent_engine.google_project_iam_member.default["roles/viewer"]:
-    condition: []
-    member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
-    project: project-id
-    role: roles/viewer
   module.agent_engine.google_service_account.service_account[0]:
     account_id: my-agent
     create_ignore_already_exists: null
@@ -153,13 +148,13 @@ values:
     triggers: null
 
 counts:
-  google_project_iam_member: 3
+  google_project_iam_member: 2
   google_service_account: 1
   google_storage_bucket: 1
   google_storage_bucket_object: 3
   google_vertex_ai_reasoning_engine: 1
   modules: 1
-  resources: 10
+  resources: 9
   time_sleep: 1
 
 outputs: {}

tests/modules/agent_engine/examples/encryption.yaml

@@ -23,11 +23,6 @@ values:
     member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
     project: project-id
     role: roles/storage.objectViewer
-  module.agent_engine.google_project_iam_member.default["roles/viewer"]:
-    condition: []
-    member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
-    project: project-id
-    role: roles/viewer
   module.agent_engine.google_service_account.service_account[0]:
     account_id: my-agent
     create_ignore_already_exists: null
@@ -73,11 +68,11 @@ values:
     triggers: null
 
 counts:
-  google_project_iam_member: 3
+  google_project_iam_member: 2
   google_service_account: 1
   google_vertex_ai_reasoning_engine: 1
   modules: 1
-  resources: 6
+  resources: 5
   time_sleep: 1
 
 outputs: {}

tests/modules/agent_engine/examples/environment.yaml

@@ -23,11 +23,6 @@ values:
     member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
     project: project-id
     role: roles/storage.objectViewer
-  module.agent_engine.google_project_iam_member.default["roles/viewer"]:
-    condition: []
-    member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
-    project: project-id
-    role: roles/viewer
   module.agent_engine.google_service_account.service_account[0]:
     account_id: my-agent
     create_ignore_already_exists: null
@@ -81,11 +76,11 @@ values:
     triggers: null
 
 counts:
-  google_project_iam_member: 3
+  google_project_iam_member: 2
   google_service_account: 1
   google_vertex_ai_reasoning_engine: 1
   modules: 1
-  resources: 6
+  resources: 5
   time_sleep: 1
 
 outputs: {}

tests/modules/agent_engine/examples/image-spec.yaml

@@ -23,11 +23,6 @@ values:
     member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
     project: project-id
     role: roles/storage.objectViewer
-  module.agent_engine.google_project_iam_member.default["roles/viewer"]:
-    condition: []
-    member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
-    project: project-id
-    role: roles/viewer
   module.agent_engine.google_service_account.service_account[0]:
     account_id: my-agent
     create_ignore_already_exists: null
@@ -74,11 +69,11 @@ values:
     triggers: null
 
 counts:
-  google_project_iam_member: 3
+  google_project_iam_member: 2
   google_service_account: 1
   google_vertex_ai_reasoning_engine: 1
   modules: 1
-  resources: 6
+  resources: 5
   time_sleep: 1
 
 outputs: {}

tests/modules/agent_engine/examples/minimal-pickle.yaml

@@ -23,11 +23,6 @@ values:
     member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
     project: project-id
     role: roles/storage.objectViewer
-  module.agent_engine.google_project_iam_member.default["roles/viewer"]:
-    condition: []
-    member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
-    project: project-id
-    role: roles/viewer
   module.agent_engine.google_service_account.service_account[0]:
     account_id: my-agent
     create_ignore_already_exists: null
@@ -153,13 +148,13 @@ values:
     triggers: null
 
 counts:
-  google_project_iam_member: 3
+  google_project_iam_member: 2
   google_service_account: 1
   google_storage_bucket: 1
   google_storage_bucket_object: 3
   google_vertex_ai_reasoning_engine: 1
   modules: 1
-  resources: 10
+  resources: 9
   time_sleep: 1
 
 outputs: {}

tests/modules/agent_engine/examples/minimal.yaml

@@ -23,11 +23,6 @@ values:
     member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
     project: project-id
     role: roles/storage.objectViewer
-  module.agent_engine.google_project_iam_member.default["roles/viewer"]:
-    condition: []
-    member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
-    project: project-id
-    role: roles/viewer
   module.agent_engine.google_service_account.service_account[0]:
     account_id: my-agent
     create_ignore_already_exists: null
@@ -72,11 +67,11 @@ values:
     triggers: null
 
 counts:
-  google_project_iam_member: 3
+  google_project_iam_member: 2
   google_service_account: 1
   google_vertex_ai_reasoning_engine: 1
   modules: 1
-  resources: 6
+  resources: 5
   time_sleep: 1
 
 outputs: {}

tests/modules/agent_engine/examples/pickle-gcs.yaml

@@ -23,11 +23,6 @@ values:
     member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
     project: project-id
     role: roles/storage.objectViewer
-  module.agent_engine.google_project_iam_member.default["roles/viewer"]:
-    condition: []
-    member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
-    project: project-id
-    role: roles/viewer
   module.agent_engine.google_service_account.service_account[0]:
     account_id: my-agent
     create_ignore_already_exists: null
@@ -96,12 +91,12 @@ values:
     triggers: null
 
 counts:
-  google_project_iam_member: 3
+  google_project_iam_member: 2
   google_service_account: 1
   google_storage_bucket: 1
   google_vertex_ai_reasoning_engine: 1
   modules: 1
-  resources: 7
+  resources: 6
   time_sleep: 1
 
 outputs: {}

tests/modules/agent_engine/examples/psc-i.yaml

@@ -23,11 +23,6 @@ values:
     member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
     project: project-id
     role: roles/storage.objectViewer
-  module.agent_engine.google_project_iam_member.default["roles/viewer"]:
-    condition: []
-    member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
-    project: project-id
-    role: roles/viewer
   module.agent_engine.google_service_account.service_account[0]:
     account_id: my-agent
     create_ignore_already_exists: null
@@ -80,11 +75,11 @@ values:
     triggers: null
 
 counts:
-  google_project_iam_member: 3
+  google_project_iam_member: 2
   google_service_account: 1
   google_vertex_ai_reasoning_engine: 1
   modules: 1
-  resources: 6
+  resources: 5
   time_sleep: 1
 
 outputs: {}

tests/modules/agent_engine/examples/sa-default.yaml

@@ -23,11 +23,6 @@ values:
     member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
     project: project-id
     role: roles/storage.objectViewer
-  module.agent_engine.google_project_iam_member.default["roles/viewer"]:
-    condition: []
-    member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
-    project: project-id
-    role: roles/viewer
   module.agent_engine.google_service_account.service_account[0]:
     account_id: my-agent
     create_ignore_already_exists: null
@@ -72,11 +67,11 @@ values:
     triggers: null
 
 counts:
-  google_project_iam_member: 3
+  google_project_iam_member: 2
   google_service_account: 1
   google_vertex_ai_reasoning_engine: 1
   modules: 1
-  resources: 6
+  resources: 5
   time_sleep: 1
 
 outputs: {}

tests/modules/agent_engine/examples/unmanaged.yaml

@@ -23,11 +23,6 @@ values:
     member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
     project: project-id
     role: roles/storage.objectViewer
-  module.agent_engine.google_project_iam_member.default["roles/viewer"]:
-    condition: []
-    member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
-    project: project-id
-    role: roles/viewer
   module.agent_engine.google_service_account.service_account[0]:
     account_id: my-agent
     create_ignore_already_exists: null
@@ -72,11 +67,11 @@ values:
     triggers: null
 
 counts:
-  google_project_iam_member: 3
+  google_project_iam_member: 2
   google_service_account: 1
   google_vertex_ai_reasoning_engine: 1
   modules: 1
-  resources: 6
+  resources: 5
   time_sleep: 1
 
 outputs: {}