| description | Use when provisioning Vertex AI ADK infrastructure with Terraform. Trigger with phrases like "deploy ADK terraform", "agent engine infrastructure", "provision ADK agent", "vertex AI agent terraform", or "code execution sandbox terraform". Provisions Agent Engine runtime, 14-day code execution sandbox, Memory Bank, VPC Service Controls, IAM roles, and secure multi-agent infrastructure. |
| allowed-tools | Read, Write, Edit, Grep, Glob, Bash(terraform:*), Bash(gcloud:*) |
| name | adk-infra-expert |
| license | MIT |
| version | 1.0.0 |
| author | Jeremy Longshore <jeremy@intentsolutions.io> |
Prerequisites
Before using this skill, ensure:
- Google Cloud project with billing enabled
- Terraform 1.0+ installed
- gcloud CLI authenticated with appropriate permissions
- Vertex AI API enabled in target project
- VPC Service Controls access policy created (for enterprise)
- Understanding of Agent Engine architecture and requirements
Instructions
- Initialize Terraform: Set up backend for remote state storage
- Configure Variables: Define project_id, region, agent configuration
- Provision VPC: Create network infrastructure with Private Service Connect
- Set Up IAM: Create service accounts with least privilege roles
- Deploy Agent Engine: Configure runtime with code execution and memory bank
- Enable VPC-SC: Apply service perimeter for data exfiltration protection
- Configure Monitoring: Set up Cloud Monitoring dashboards and alerts
- Validate Deployment: Test agent endpoint and verify all components
Output
Agent Engine Deployment:
# {baseDir}/terraform/main.tf
resource "google_vertex_ai_agent_runtime" "adk_agent" {
project = var.project_id
location = var.region
display_name = "adk-production-agent"
agent_config {
model = "gemini-2.5-flash"
code_execution {
enabled = true
state_ttl_days = 14
sandbox_type = "SECURE_ISOLATED"
}
memory_bank {
enabled = true
}
}
vpc_config {
vpc_network = google_compute_network.agent_vpc.id
private_service_connect {
enabled = true
}
}
}
VPC Service Controls:
resource "google_access_context_manager_service_perimeter" "adk_perimeter" {
parent = "accessPolicies/${var.access_policy_id}"
title = "ADK Agent Engine Perimeter"
status {
restricted_services = [
"aiplatform.googleapis.com",
"run.googleapis.com"
]
}
}
IAM Configuration:
resource "google_service_account" "adk_agent" {
account_id = "adk-agent-sa"
display_name = "ADK Agent Service Account"
}
resource "google_project_iam_member" "agent_identity" {
project = var.project_id
role = "roles/aiplatform.agentUser"
member = "serviceAccount:${google_service_account.adk_agent.email}"
}
Error Handling
Terraform State Lock
- Error: "Error acquiring the state lock"
- Solution: Use
terraform force-unlock <lock-id>or wait for lock expiry
API Not Enabled
- Error: "Vertex AI API has not been used"
- Solution: Enable with
gcloud services enable aiplatform.googleapis.com
VPC-SC Configuration
- Error: "Access denied by VPC Service Controls"
- Solution: Add project to service perimeter or adjust ingress/egress policies
IAM Permission Denied
- Error: "does not have required permission"
- Solution: Grant roles/owner temporarily to service account running Terraform
Resource Already Exists
- Error: "Resource already exists"
- Solution: Import existing resource or use data source instead
Resources
- Agent Engine: https://cloud.google.com/vertex-ai/generative-ai/docs/agent-engine/overview
- VPC-SC: https://cloud.google.com/vpc-service-controls/docs
- Terraform Google Provider: https://registry.terraform.io/providers/hashicorp/google/latest
- ADK Terraform examples in {baseDir}/examples/