diff --git a/apps/infra/firestore.tf b/apps/infra/firestore.tf
new file mode 100644
index 0000000..865da02
--- /dev/null
+++ b/apps/infra/firestore.tf
@@ -0,0 +1,16 @@
+# Firestore Database
+# Native mode Firestore for real-time data synchronization
+resource "google_firestore_database" "default" {
+ project = var.project_id
+ name = "(default)"
+ location_id = var.region
+ type = "FIRESTORE_NATIVE"
+
+ # Enable delete protection in production for data safety
+ delete_protection_state = var.environment == "prod" ? "DELETE_PROTECTION_ENABLED" : "DELETE_PROTECTION_DISABLED"
+
+ # Allow deletion when running terraform destroy
+ deletion_policy = "DELETE"
+
+ depends_on = [google_project_service.apis]
+}
diff --git a/apps/infra/iam.tf b/apps/infra/iam.tf
index db31bd4..21f09b9 100644
--- a/apps/infra/iam.tf
+++ b/apps/infra/iam.tf
@@ -107,3 +107,21 @@ resource "google_project_iam_member" "github_sa_user" {
 role = "roles/iam.serviceAccountUser"
 member = "serviceAccount:${google_service_account.github.email}"
 }
+
+# Vertex AI Service Identity
+# This creates the Vertex AI Service Agent for the project
+resource "google_project_service_identity" "vertex_ai" {
+ provider = google-beta
+ project = var.project_id
+ service = "aiplatform.googleapis.com"
+
+ depends_on = [google_project_service.apis]
+}
+
+# Grant Vertex AI Service Agent access to GCS buckets
+# Required for model training, batch prediction, and artifact storage
+resource "google_project_iam_member" "vertex_ai_storage" {
+ project = var.project_id
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_project_service_identity.vertex_ai.email}"
+}
diff --git a/apps/infra/security.tf b/apps/infra/security.tf
index 65fb48d..53c35e2 100644
--- a/apps/infra/security.tf
+++ b/apps/infra/security.tf
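Review bot: `deletion_policy = "DELETE"` is unconditional, so in prod — where `delete_protection_state` on the line above is enabled — a `terraform destroy`, or any plan that forces replacement (e.g. a changed `location_id`), still issues a real delete and relies solely on the API-side guard to refuse it; make the policy environment-aware as well, `deletion_policy = var.environment == "prod" ? "ABANDON" : "DELETE"`, so prod only drops the database from state. Delete protection is also not the whole of "data safety" promised in the comment: `point_in_time_recovery_enablement` is not set (it defaults to disabled, as far as I can tell), so consider `point_in_time_recovery_enablement = var.environment == "prod" ? "POINT_IN_TIME_RECOVERY_ENABLED" : "POINT_IN_TIME_RECOVERY_DISABLED"` alongside a scheduled backup. Finally, this creates a Native-mode database intended for client-side real-time sync but ships no `google_firebaserules_ruleset`/`google_firebaserules_release`, so the rules that gate client access are outside version control — either manage them here or add a comment stating where they are deployed from.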
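Review bot: `role = "roles/storage.objectViewer"` is bound via `google_project_iam_member`, so the Vertex AI service agent can read every object in every bucket in the project — not just the training/artifact buckets the comment names — which is wider than the task needs and exposes any unrelated bucket (exports, uploads, build artifacts) to that identity. Scope it to the bucket Vertex AI actually uses: change the block to `resource "google_storage_bucket_iam_member" "vertex_ai_storage" {` and replace `project = var.project_id` with `bucket = <the artifact bucket resource>.name`, keeping `role` and `member` as they are. The comment also claims the grant covers "artifact storage", which implies writes, while objectViewer is read-only; either trim the comment to reads or, if jobs must upload, use `roles/storage.objectUser` on that one bucket rather than widening the project-level grant.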
@@ -13,6 +13,8 @@ resource "google_project_service" "apis" {
 "compute.googleapis.com",
 "iamcredentials.googleapis.com",
 "iam.googleapis.com",
+ "firestore.googleapis.com",
+ "aiplatform.googleapis.com",
 ])
 
 project = var.project_id