feat(infra): add Firestore and Vertex AI resources

apps/infra/firestore.tf

@@ -0,0 +1,16 @@
+# Firestore Database
+# Native mode Firestore for real-time data synchronization
+resource "google_firestore_database" "default" {
+  project     = var.project_id
+  name        = "(default)"
+  location_id = var.region
+  type        = "FIRESTORE_NATIVE"
+
+  # Enable delete protection in production for data safety
+  delete_protection_state = var.environment == "prod" ? "DELETE_PROTECTION_ENABLED" : "DELETE_PROTECTION_DISABLED"
+
+  # Allow deletion when running terraform destroy
+  deletion_policy = "DELETE"
+
+  depends_on = [google_project_service.apis]
+}

apps/infra/iam.tf

@@ -107,3 +107,21 @@ resource "google_project_iam_member" "github_sa_user" {
   role    = "roles/iam.serviceAccountUser"
   member  = "serviceAccount:${google_service_account.github.email}"
 }
+
+# Vertex AI Service Identity
+# This creates the Vertex AI Service Agent for the project
+resource "google_project_service_identity" "vertex_ai" {
+  provider = google-beta
+  project  = var.project_id
+  service  = "aiplatform.googleapis.com"
+
+  depends_on = [google_project_service.apis]
+}
+
+# Grant Vertex AI Service Agent access to GCS buckets
+# Required for model training, batch prediction, and artifact storage
+resource "google_project_iam_member" "vertex_ai_storage" {
+  project = var.project_id
+  role    = "roles/storage.objectViewer"
+  member  = "serviceAccount:${google_project_service_identity.vertex_ai.email}"
+}

apps/infra/security.tf

@@ -13,6 +13,8 @@ resource "google_project_service" "apis" {
     "compute.googleapis.com",
     "iamcredentials.googleapis.com",
     "iam.googleapis.com",
+    "firestore.googleapis.com",
+    "aiplatform.googleapis.com",
   ])
 
   project = var.project_id