
Vertex AI ADK Infrastructure

v20260222
adk-infra-expert
Build production-grade Vertex AI ADK Agent Engine infrastructure with Terraform, including the Agent Engine runtime, a 14-day code execution sandbox, Memory Bank, VPC Service Controls and secure IAM permissions, to support multi-agent deployments.
130 downloads
Overview

What This Skill Does

Expert in provisioning production Vertex AI ADK infrastructure with Agent Engine, Code Execution Sandbox (14-day state), Memory Bank, VPC Service Controls, and enterprise security.

When This Skill Activates

Triggers: "adk terraform deployment", "agent engine infrastructure", "provision adk agent", "vertex ai agent terraform", "code execution sandbox terraform"

Core Terraform Modules

Agent Engine Deployment

# VPC the agent runtime attaches to (referenced by vpc_config below)
resource "google_compute_network" "agent_vpc" {
  project                 = var.project_id
  name                    = "adk-agent-vpc"
  auto_create_subnetworks = false
}

resource "google_vertex_ai_agent_runtime" "adk_agent" {
  project  = var.project_id
  location = var.region

  display_name = "adk-production-agent"

  agent_config {
    model = "gemini-2.5-flash"

    # Sandboxed code execution; sandbox state is retained for 14 days
    code_execution {
      enabled        = true
      state_ttl_days = 14
      sandbox_type   = "SECURE_ISOLATED"
    }

    memory_bank {
      enabled = true
    }

    tools = [
      { code_execution = {} },
      { memory_bank = {} },
    ]
  }

  # Keep agent traffic on the private network via Private Service Connect
  vpc_config {
    vpc_network = google_compute_network.agent_vpc.id
    private_service_connect {
      enabled = true
    }
  }
}

VPC Service Controls

resource "google_access_context_manager_service_perimeter" "adk_perimeter" {
  parent = "accessPolicies/${var.access_policy_id}"
  name   = "accessPolicies/${var.access_policy_id}/servicePerimeters/adk_perimeter"
  title  = "ADK Agent Engine Perimeter"

  status {
    # Projects inside the perimeter; without this list the perimeter protects nothing
    resources = [
      "projects/${var.project_number}"
    ]

    # APIs that may only be called from inside the perimeter
    restricted_services = [
      "aiplatform.googleapis.com",
      "run.googleapis.com"
    ]

    # APIs reachable from VPC networks inside the perimeter
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = [
        "aiplatform.googleapis.com"
      ]
    }
  }
}

IAM for Native Agent Identity

# Dedicated identity for the agent runtime
resource "google_service_account" "adk_agent" {
  project      = var.project_id
  account_id   = "adk-agent-sa"
  display_name = "ADK Agent Service Account"
}

# Non-authoritative binding: adds this member without touching other grants
resource "google_project_iam_member" "agent_identity" {
  project = var.project_id
  role    = "roles/aiplatform.agentUser"
  member  = "serviceAccount:${google_service_account.adk_agent.email}"
}

# Least privilege for Code Execution: read-only roles only
resource "google_project_iam_member" "code_exec_permissions" {
  for_each = toset([
    "roles/compute.viewer",
    "roles/container.viewer",
    "roles/run.viewer"
  ])

  project = var.project_id
  role    = each.key
  member  = "serviceAccount:${google_service_account.adk_agent.email}"
}

Tool Permissions

Read, Write, Edit, Grep, Glob, Bash - Enterprise infrastructure provisioning

References

Information
Category Programming & Development
Name adk-infra-expert
Version v20260222
Size 2.99KB
Updated 2026-02-25
Language