Align agent-engine with interface for Cloud Functions and Cloud Run

modules/agent-engine/README.md

@@ -190,7 +190,7 @@ module "agent_engine" {
 
 ## Define environment variables and use secrets
 
-You can define environment variables and load existing secrets as environment variables into your agent. 
+You can define environment variables and load existing secrets as environment variables into your agent.
 
 ```hcl
 module "agent_engine" {
@@ -236,8 +236,8 @@ The module allows you to dynamically reference context values for resources crea
 | [description](variables.tf#L57) | The Agent Engine description. | <code>string</code> |  | <code>&#34;Terraform managed.&#34;</code> |
 | [encryption_key](variables.tf#L64) | The full resource name of the Cloud KMS CryptoKey. | <code>string</code> |  | <code>null</code> |
 | [generate_pickle](variables.tf#L70) | Generate the pickle file from a source file. | <code>bool</code> |  | <code>true</code> |
-| [service_account_config](variables.tf#L95) | Service account configurations. | <code title="object&#40;&#123;&#10;  create &#61; optional&#40;bool, true&#41;&#10;  email  &#61; optional&#40;string&#41;&#10;  name   &#61; optional&#40;string&#41;&#10;  roles &#61; optional&#40;list&#40;string&#41;, &#91;&#10;    &#34;roles&#47;aiplatform.user&#34;,&#10;    &#34;roles&#47;storage.objectViewer&#34;,&#10;    &#34;roles&#47;viewer&#34;&#10;  &#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [source_files](variables.tf#L112) | The to source files path and names. | <code title="object&#40;&#123;&#10;  dependencies        &#61; optional&#40;string, &#34;dependencies.tar.gz&#34;&#41;&#10;  path                &#61; optional&#40;string, &#34;.&#47;src&#34;&#41;&#10;  pickle_out          &#61; optional&#40;string, &#34;pickle.pkl&#34;&#41;&#10;  pickle_src          &#61; optional&#40;string, &#34;agent.py&#34;&#41;&#10;  pickle_src_var_name &#61; optional&#40;string, &#34;local_agent&#34;&#41;&#10;  requirements        &#61; optional&#40;string, &#34;requirements.txt&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [service_account_config](variables-serviceaccount.tf#L18) | Service account configurations. | <code title="object&#40;&#123;&#10;  create       &#61; optional&#40;bool, true&#41;&#10;  display_name &#61; optional&#40;string&#41;&#10;  email        &#61; optional&#40;string&#41;&#10;  name         &#61; optional&#40;string&#41;&#10;  roles &#61; optional&#40;list&#40;string&#41;, &#91;&#10;    &#34;roles&#47;aiplatform.user&#34;,&#10;    &#34;roles&#47;storage.objectViewer&#34;,&#10;    &#34;roles&#47;viewer&#34;&#10;  &#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [source_files](variables.tf#L95) | The to source files path and names. | <code title="object&#40;&#123;&#10;  dependencies        &#61; optional&#40;string, &#34;dependencies.tar.gz&#34;&#41;&#10;  path                &#61; optional&#40;string, &#34;.&#47;src&#34;&#41;&#10;  pickle_out          &#61; optional&#40;string, &#34;pickle.pkl&#34;&#41;&#10;  pickle_src          &#61; optional&#40;string, &#34;agent.py&#34;&#41;&#10;  pickle_src_var_name &#61; optional&#40;string, &#34;local_agent&#34;&#41;&#10;  requirements        &#61; optional&#40;string, &#34;requirements.txt&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
 
 ## Outputs
 

modules/agent-engine/main.tf

@@ -16,15 +16,6 @@
 
 locals {
   _ctx_p = "$"
-  _service_account_external_email = (
-    var.service_account_config.email == null
-    ? null
-    : lookup(
-      local.ctx.iam_principals,
-      var.service_account_config.email,
-      var.service_account_config.email
-    )
-  )
   bucket_name = (
     var.bucket_config.create
     ? google_storage_bucket.default[0].name
@@ -41,15 +32,6 @@ locals {
   project_id = lookup(
     local.ctx.project_ids, var.project_id, var.project_id
   )
-  service_account_email = (
-    var.service_account_config.create
-    ? google_service_account.default[0].email
-    : local._service_account_external_email
-  )
-  service_account_roles = [
-    for role in var.service_account_config.roles
-    : lookup(local.ctx.custom_roles, role, role)
-  ]
 }
 
 resource "google_vertex_ai_reasoning_engine" "default" {
@@ -192,21 +174,3 @@ resource "google_storage_bucket_object" "requirements" {
   source         = "${var.source_files.path}/${var.source_files.requirements}"
   source_md5hash = filemd5("${var.source_files.path}/${var.source_files.requirements}")
 }
-
-resource "google_service_account" "default" {
-  count        = var.service_account_config.create ? 1 : 0
-  account_id   = coalesce(var.service_account_config.name, var.name)
-  project      = local.project_id
-  display_name = "Agent Engine ${coalesce(var.service_account_config.name, var.name)}."
-}
-
-resource "google_project_iam_member" "default" {
-  for_each = (
-    var.service_account_config.create
-    ? toset(local.service_account_roles)
-    : toset([])
-  )
-  role    = each.key
-  project = local.project_id
-  member  = google_service_account.default[0].member
-}

modules/agent-engine/outputs.tf

@@ -21,5 +21,5 @@ output "id" {
 
 output "service_account" {
   description = "Service account resource."
-  value       = try(google_service_account.default[0], null)
+  value       = try(google_service_account.service_account[0], null)
 }

modules/agent-engine/serviceaccount.tf

@@ -0,0 +1,55 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  service_account_email = (
+    var.service_account_config.create
+    ? google_service_account.service_account[0].email  # use managed SA, when creating
+    : (var.service_account_config.email == null ? null # set to null, if no email provided
+      : lookup(                                        # lookup SA in context
+        local.ctx.iam_principals,
+        var.service_account_config.email,
+        var.service_account_config.email
+      )
+    )
+  )
+  service_account_roles = [
+    for role in var.service_account_config.roles
+    : lookup(local.ctx.custom_roles, role, role)
+  ]
+}
+
+resource "google_service_account" "service_account" {
+  count      = var.service_account_config.create ? 1 : 0
+  project    = local.project_id
+  account_id = coalesce(var.service_account_config.name, var.name)
+  display_name = coalesce(
+    var.service_account_config.display_name,
+    var.service_account_config.name,
+    var.name
+  )
+}
+
+resource "google_project_iam_member" "default" {
+  for_each = (
+    var.service_account_config.create
+    ? toset(local.service_account_roles)
+    : toset([])
+  )
+  role    = each.key
+  project = local.project_id
+  member  = google_service_account.service_account[0].member
+}

modules/agent-engine/variables-serviceaccount.tf

@@ -0,0 +1,34 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# this differs from serverless, as it has different roles assigned by default
+variable "service_account_config" {
+  description = "Service account configurations."
+  type = object({
+    create       = optional(bool, true)
+    display_name = optional(string)
+    email        = optional(string)
+    name         = optional(string)
+    roles = optional(list(string), [
+      "roles/aiplatform.user",
+      "roles/storage.objectViewer",
+      # TODO: remove when b/441480710 is solved
+      "roles/viewer"
+    ])
+  })
+  nullable = false
+  default  = {}
+}

modules/agent-engine/variables.tf

@@ -92,23 +92,6 @@ variable "region" {
   nullable    = false
 }
 
-variable "service_account_config" {
-  description = "Service account configurations."
-  type = object({
-    create = optional(bool, true)
-    email  = optional(string)
-    name   = optional(string)
-    roles = optional(list(string), [
-      "roles/aiplatform.user",
-      "roles/storage.objectViewer",
-      # TODO: remove when b/441480710 is solved
-      "roles/viewer"
-    ])
-  })
-  nullable = false
-  default  = {}
-}
-
 variable "source_files" {
   description = "The to source files path and names."
   type = object({