diff --git a/modules/agent-engine/README.md b/modules/agent-engine/README.md
index 4996f6234..f886a4972 100644
--- a/modules/agent-engine/README.md
+++ b/modules/agent-engine/README.md
@@ -190,7 +190,7 @@ module "agent_engine" {
## Define environment variables and use secrets
-You can define environment variables and load existing secrets as environment variables into your agent.
+You can define environment variables and load existing secrets as environment variables into your agent.
```hcl
module "agent_engine" {
@@ -236,8 +236,8 @@ The module allows you to dynamically reference context values for resources crea
| [description](variables.tf#L57) | The Agent Engine description. | string | | "Terraform managed." |
| [encryption_key](variables.tf#L64) | The full resource name of the Cloud KMS CryptoKey. | string | | null |
| [generate_pickle](variables.tf#L70) | Generate the pickle file from a source file. | bool | | true |
-| [service_account_config](variables.tf#L95) | Service account configurations. | object({…}) | | {} |
-| [source_files](variables.tf#L112) | The to source files path and names. | object({…}) | | {} |
+| [service_account_config](variables-serviceaccount.tf#L18) | Service account configurations. | object({…}) | | {} |
+| [source_files](variables.tf#L95) | The to source files path and names. | object({…}) | | {} |
## Outputs
diff --git a/modules/agent-engine/main.tf b/modules/agent-engine/main.tf
index 5c94bd339..a50c42c27 100644
--- a/modules/agent-engine/main.tf
+++ b/modules/agent-engine/main.tf
@@ -16,15 +16,6 @@
locals {
_ctx_p = "$"
- _service_account_external_email = (
- var.service_account_config.email == null
- ? null
- : lookup(
- local.ctx.iam_principals,
- var.service_account_config.email,
- var.service_account_config.email
- )
- )
bucket_name = (
var.bucket_config.create
? google_storage_bucket.default[0].name
@@ -41,15 +32,6 @@ locals {
project_id = lookup(
local.ctx.project_ids, var.project_id, var.project_id
)
- service_account_email = (
- var.service_account_config.create
- ? google_service_account.default[0].email
- : local._service_account_external_email
- )
- service_account_roles = [
- for role in var.service_account_config.roles
- : lookup(local.ctx.custom_roles, role, role)
- ]
}
resource "google_vertex_ai_reasoning_engine" "default" {
@@ -192,21 +174,3 @@ resource "google_storage_bucket_object" "requirements" {
source = "${var.source_files.path}/${var.source_files.requirements}"
source_md5hash = filemd5("${var.source_files.path}/${var.source_files.requirements}")
}
-
-resource "google_service_account" "default" {
- count = var.service_account_config.create ? 1 : 0
- account_id = coalesce(var.service_account_config.name, var.name)
- project = local.project_id
- display_name = "Agent Engine ${coalesce(var.service_account_config.name, var.name)}."
-}
-
-resource "google_project_iam_member" "default" {
- for_each = (
- var.service_account_config.create
- ? toset(local.service_account_roles)
- : toset([])
- )
- role = each.key
- project = local.project_id
- member = google_service_account.default[0].member
-}
diff --git a/modules/agent-engine/outputs.tf b/modules/agent-engine/outputs.tf
index 8bce46940..0b418d1c1 100644
--- a/modules/agent-engine/outputs.tf
+++ b/modules/agent-engine/outputs.tf
@@ -21,5 +21,5 @@ output "id" {
output "service_account" {
description = "Service account resource."
- value = try(google_service_account.default[0], null)
+ value = try(google_service_account.service_account[0], null)
}
diff --git a/modules/agent-engine/serviceaccount.tf b/modules/agent-engine/serviceaccount.tf
new file mode 100644
index 000000000..46c7499e4
--- /dev/null
+++ b/modules/agent-engine/serviceaccount.tf
@@ -0,0 +1,55 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ service_account_email = (
+ var.service_account_config.create
+ ? google_service_account.service_account[0].email # use managed SA, when creating
+ : (var.service_account_config.email == null ? null # set to null, if no email provided
+ : lookup( # lookup SA in context
+ local.ctx.iam_principals,
+ var.service_account_config.email,
+ var.service_account_config.email
+ )
+ )
+ )
+ service_account_roles = [
+ for role in var.service_account_config.roles
+ : lookup(local.ctx.custom_roles, role, role)
+ ]
+}
+
+resource "google_service_account" "service_account" {
+ count = var.service_account_config.create ? 1 : 0
+ project = local.project_id
+ account_id = coalesce(var.service_account_config.name, var.name)
+ display_name = coalesce(
+ var.service_account_config.display_name,
+ var.service_account_config.name,
+ var.name
+ )
+}
+
+resource "google_project_iam_member" "default" {
+ for_each = (
+ var.service_account_config.create
+ ? toset(local.service_account_roles)
+ : toset([])
+ )
+ role = each.key
+ project = local.project_id
+ member = google_service_account.service_account[0].member
+}
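Review bot: `google_project_iam_member.default` (lines 137-146) grants every entry of `service_account_roles` at project scope, and the default role list that feeds it in variables-serviceaccount.tf includes `roles/viewer`, so a caller who accepts the defaults gets a service account with read access to the whole project, which the variable description "Service account configurations." does not say. I would extend that description to `"Service account configurations. Roles are granted at project level; override roles to avoid the default project-wide roles/viewer grant."` so the README table, which appears to be generated from it, carries the caveat. Separately, `display_name` (lines 130-134) now falls back to the bare account name instead of the former `Agent Engine <name>.` string, which is an in-place update on already-created accounts and worth a changelog line.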
diff --git a/modules/agent-engine/variables-serviceaccount.tf b/modules/agent-engine/variables-serviceaccount.tf
new file mode 100644
index 000000000..5f4166c69
--- /dev/null
+++ b/modules/agent-engine/variables-serviceaccount.tf
@@ -0,0 +1,34 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# this differs from serverless, as it has different roles assigned by default
+variable "service_account_config" {
+ description = "Service account configurations."
+ type = object({
+ create = optional(bool, true)
+ display_name = optional(string)
+ email = optional(string)
+ name = optional(string)
+ roles = optional(list(string), [
+ "roles/aiplatform.user",
+ "roles/storage.objectViewer",
+ # TODO: remove when b/441480710 is solved
+ "roles/viewer"
+ ])
+ })
+ nullable = false
+ default = {}
+}
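Review bot: Nothing rejects `create = true` combined with a non-null `email`; with both set the managed account wins in serviceaccount.tf and the supplied email is silently ignored, and since `create` defaults to true a caller who sets only `email` hits exactly that case. A `validation` block on the variable would surface the misconfiguration at plan time rather than leaving the caller with an unexpected identity. The copyright header of this new file reads 2024 while the sibling serviceaccount.tf added in the same change reads 2025.
```hcl
variable "service_account_config" {
  # … unchanged: description, type, nullable, default …
  validation {
    condition     = !(var.service_account_config.create && var.service_account_config.email != null)
    error_message = "service_account_config.email is only used when create is false."
  }
}
```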
diff --git a/modules/agent-engine/variables.tf b/modules/agent-engine/variables.tf
index 1098ab871..c40ae635c 100644
--- a/modules/agent-engine/variables.tf
+++ b/modules/agent-engine/variables.tf
@@ -92,23 +92,6 @@ variable "region" {
nullable = false
}
-variable "service_account_config" {
- description = "Service account configurations."
- type = object({
- create = optional(bool, true)
- email = optional(string)
- name = optional(string)
- roles = optional(list(string), [
- "roles/aiplatform.user",
- "roles/storage.objectViewer",
- # TODO: remove when b/441480710 is solved
- "roles/viewer"
- ])
- })
- nullable = false
- default = {}
-}
-
variable "source_files" {
description = "The to source files path and names."
type = object({
diff --git a/modules/cloud-function-v1/serviceaccount.tf b/modules/cloud-function-v1/serviceaccount.tf
index f1fdec866..46c7499e4 100644
--- a/modules/cloud-function-v1/serviceaccount.tf
+++ b/modules/cloud-function-v1/serviceaccount.tf
@@ -17,11 +17,13 @@
locals {
service_account_email = (
var.service_account_config.create
- ? google_service_account.service_account[0].email
- : lookup(
- local.ctx.iam_principals,
- var.service_account_config.email,
- var.service_account_config.email
+ ? google_service_account.service_account[0].email # use managed SA, when creating
+ : (var.service_account_config.email == null ? null # set to null, if no email provided
+ : lookup( # lookup SA in context
+ local.ctx.iam_principals,
+ var.service_account_config.email,
+ var.service_account_config.email
+ )
)
)
service_account_roles = [
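Review bot: The new inner conditional (lines 228-233) turns a missing `email` with `create = false` into `service_account_email = null` instead of a failing `lookup`, so the deployed workload presumably falls back to the platform default service account rather than stopping at plan time; that fallback should be stated where the null is produced, e.g. replace the trailing `# set to null, if no email provided` with `# null: neither managed nor external SA, the platform default SA will be used`. The same change appears in cloud-function-v2/serviceaccount.tf, cloud-run-v2/serviceaccount.tf and the new agent-engine/serviceaccount.tf. The `locals` block continues past the end of the hunk.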
diff --git a/modules/cloud-function-v2/serviceaccount.tf b/modules/cloud-function-v2/serviceaccount.tf
index f1fdec866..46c7499e4 100644
--- a/modules/cloud-function-v2/serviceaccount.tf
+++ b/modules/cloud-function-v2/serviceaccount.tf
@@ -17,11 +17,13 @@
locals {
service_account_email = (
var.service_account_config.create
- ? google_service_account.service_account[0].email
- : lookup(
- local.ctx.iam_principals,
- var.service_account_config.email,
- var.service_account_config.email
+ ? google_service_account.service_account[0].email # use managed SA, when creating
+ : (var.service_account_config.email == null ? null # set to null, if no email provided
+ : lookup( # lookup SA in context
+ local.ctx.iam_principals,
+ var.service_account_config.email,
+ var.service_account_config.email
+ )
)
)
service_account_roles = [
diff --git a/modules/cloud-run-v2/serviceaccount.tf b/modules/cloud-run-v2/serviceaccount.tf
index f1fdec866..46c7499e4 100644
--- a/modules/cloud-run-v2/serviceaccount.tf
+++ b/modules/cloud-run-v2/serviceaccount.tf
@@ -17,11 +17,13 @@
locals {
service_account_email = (
var.service_account_config.create
- ? google_service_account.service_account[0].email
- : lookup(
- local.ctx.iam_principals,
- var.service_account_config.email,
- var.service_account_config.email
+ ? google_service_account.service_account[0].email # use managed SA, when creating
+ : (var.service_account_config.email == null ? null # set to null, if no email provided
+ : lookup( # lookup SA in context
+ local.ctx.iam_principals,
+ var.service_account_config.email,
+ var.service_account_config.email
+ )
)
)
service_account_roles = [
diff --git a/tests/modules/agent_engine/examples/encryption.yaml b/tests/modules/agent_engine/examples/encryption.yaml
index 1a4394c0b..d0c02a74c 100644
--- a/tests/modules/agent_engine/examples/encryption.yaml
+++ b/tests/modules/agent_engine/examples/encryption.yaml
@@ -28,12 +28,12 @@ values:
member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
project: project-id
role: roles/viewer
- module.agent_engine.google_service_account.default[0]:
+ module.agent_engine.google_service_account.service_account[0]:
account_id: my-agent
create_ignore_already_exists: null
description: null
disabled: false
- display_name: Agent Engine my-agent.
+ display_name: my-agent
email: my-agent@project-id.iam.gserviceaccount.com
member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
project: project-id
diff --git a/tests/modules/agent_engine/examples/environment.yaml b/tests/modules/agent_engine/examples/environment.yaml
index 03e012a0d..a92d3d1e6 100644
--- a/tests/modules/agent_engine/examples/environment.yaml
+++ b/tests/modules/agent_engine/examples/environment.yaml
@@ -28,12 +28,12 @@ values:
member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
project: project-id
role: roles/viewer
- module.agent_engine.google_service_account.default[0]:
+ module.agent_engine.google_service_account.service_account[0]:
account_id: my-agent
create_ignore_already_exists: null
description: null
disabled: false
- display_name: Agent Engine my-agent.
+ display_name: my-agent
email: my-agent@project-id.iam.gserviceaccount.com
member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
project: project-id
diff --git a/tests/modules/agent_engine/examples/minimal-pickle.yaml b/tests/modules/agent_engine/examples/minimal-pickle.yaml
index aef4d90f9..8cb0cd285 100644
--- a/tests/modules/agent_engine/examples/minimal-pickle.yaml
+++ b/tests/modules/agent_engine/examples/minimal-pickle.yaml
@@ -28,12 +28,12 @@ values:
member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
project: project-id
role: roles/viewer
- module.agent_engine.google_service_account.default[0]:
+ module.agent_engine.google_service_account.service_account[0]:
account_id: my-agent
create_ignore_already_exists: null
description: null
disabled: false
- display_name: Agent Engine my-agent.
+ display_name: my-agent
email: my-agent@project-id.iam.gserviceaccount.com
member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
project: project-id
diff --git a/tests/modules/agent_engine/examples/minimal.yaml b/tests/modules/agent_engine/examples/minimal.yaml
index 658bbe93b..ba1a04600 100644
--- a/tests/modules/agent_engine/examples/minimal.yaml
+++ b/tests/modules/agent_engine/examples/minimal.yaml
@@ -28,12 +28,12 @@ values:
member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
project: project-id
role: roles/viewer
- module.agent_engine.google_service_account.default[0]:
+ module.agent_engine.google_service_account.service_account[0]:
account_id: my-agent
create_ignore_already_exists: null
description: null
disabled: false
- display_name: Agent Engine my-agent.
+ display_name: my-agent
email: my-agent@project-id.iam.gserviceaccount.com
member: serviceAccount:my-agent@project-id.iam.gserviceaccount.com
project: project-id
diff --git a/tools/duplicate-diff.py b/tools/duplicate-diff.py
index 86e9659c8..ac9152555 100755
--- a/tools/duplicate-diff.py
+++ b/tools/duplicate-diff.py
@@ -149,6 +149,7 @@ duplicates = [
"modules/cloud-function-v2/bundle.tf",
],
[
+ "modules/agent-engine/serviceaccount.tf",
"modules/cloud-function-v1/serviceaccount.tf",
"modules/cloud-function-v2/serviceaccount.tf",
"modules/cloud-run-v2/serviceaccount.tf",