diff --git a/mmv1/products/vertexai/ReasoningEngine.yaml b/mmv1/products/vertexai/ReasoningEngine.yaml
index 783addf587a2..ce04efa25c4a 100644
--- a/mmv1/products/vertexai/ReasoningEngine.yaml
+++ b/mmv1/products/vertexai/ReasoningEngine.yaml
@@ -47,6 +47,23 @@ examples:
 exclude_docs: true
 vars:
 name: 'reasoning-engine'
+ - name: 'vertex_ai_reasoning_engine_psc_interface'
+ primary_resource_id: 'reasoning_engine'
+ vars:
+ name: 'reasoning-engine'
+ bucket_name: 'reasoning-engine'
+ network_name: 'network'
+ network_attachment_name: 'network-attachment'
+ subnetwork_name: 'subnetwork'
+ external_providers: ["time"]
+ bootstrap_iam:
+ - member: "serviceAccount:service-{project_number}@gcp-sa-aiplatform.iam.gserviceaccount.com"
+ role: "roles/compute.networkAdmin"
+ - member: "serviceAccount:service-{project_number}@gcp-sa-aiplatform.iam.gserviceaccount.com"
+ role: "roles/dns.peer"
+ - member: "serviceAccount:service-{project_number}@gcp-sa-aiplatform-re.iam.gserviceaccount.com"
+ role: "roles/viewer"
+ exclude_test: true
 - name: 'vertex_ai_reasoning_engine_full'
 primary_resource_id: 'reasoning_engine'
 vars:
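Review bot: The `bootstrap_iam` entries grant the Vertex AI service agent `roles/compute.networkAdmin` and `roles/dns.peer` project-wide, but the example is rendered into docs (no `exclude_docs`) while its template contains no IAM resources, so readers cannot see the prerequisites the test harness provisions for them. The new `dnsPeeringConfigs` description in this change mentions only dns.peer; if `roles/compute.networkAdmin` is genuinely required for the PSC interface, say so next to `networkAttachment` or in the example, and if not, narrow the binding, since networkAdmin is a broad role over the whole project. With `exclude_test: true` this example appears never to run in CI, so the `time` provider dependency and the 35-minute destroy wait in the template are unexercised; a short comment on the example such as `# excluded from tests: destroy is blocked by hashicorp/terraform-provider-google#25637` would make that deliberate rather than accidental.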
@@ -198,6 +215,51 @@ properties:
 The Cloud Secret Manager secret version. Can be 'latest' for the latest version, an integer for a specific version, or a version alias.
+ - name: 'pscInterfaceConfig'
+ type: NestedObject
+ description: |-
+ Optional. Configuration for PSC-Interface.
+ properties:
+ - name: 'networkAttachment'
+ type: String
+ description: |-
+ Optional. The name of the Compute Engine network attachment
+ to attach to the resource within the region and user project.
+ To specify this field, you must have already created a network attachment.
+ This field is only used for resources using PSC-Interface.
+ - name: 'dnsPeeringConfigs'
+ type: 'Array'
+ description: |
+ Optional. DNS peering configurations.
+ When specified, Vertex AI will attempt to configure DNS
+ peering zones in the tenant project VPC to resolve the
+ specified domains using the target network's Cloud DNS.
+ The user must grant the dns.peer role to the Vertex AI
+ service Agent on the target project.
+ item_type:
+ type: NestedObject
+ properties:
+ - name: 'domain'
+ type: String
+ description: |
+ Required. The DNS name suffix of the zone being peered
+ to, e.g., "my-internal-domain.corp.".
+ Must end with a dot.
+ required: true
+ - name: 'targetProject'
+ type: String
+ description: |
+ Required. The project id hosting the Cloud DNS managed
+ zone that contains the 'domain'.
+ The Vertex AI service Agent requires the dns.peer role
+ on this project.
+ required: true
+ - name: 'targetNetwork'
+ type: String
+ description: |
+ Required. The VPC network name in the targetProject
+ where the DNS zone specified by 'domain' is visible.
+ required: true
 - name: 'resourceLimits'
 type: KeyValuePairs
 default_from_api: true
diff --git a/mmv1/templates/terraform/examples/vertex_ai_reasoning_engine_psc_interface.tf.tmpl b/mmv1/templates/terraform/examples/vertex_ai_reasoning_engine_psc_interface.tf.tmpl
new file mode 100644
index 000000000000..485aada7acb0
--- /dev/null
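Review bot: `domain` is documented as "Must end with a dot" and `networkAttachment` as "the name of the Compute Engine network attachment", yet neither field declares a `validation:`, so a missing trailing dot is only rejected by the API at apply time, and the accompanying example passes the attachment's full `.id` rather than a short name. Consider `validation: regex: '\.$'` (or whatever MMv1 validation form this resource already uses) under `domain`, and reword the `networkAttachment` description to the format the API actually accepts; if the API returns the value in a different form than it was given, a `diff_suppress_func` will be needed to avoid a perpetual diff. Because `dnsPeeringConfigs` makes the Vertex AI service agent act in a user-chosen `targetProject`, the description could also state plainly that granting `dns.peer` there lets the tenant VPC resolve that project's private zones for the listed `domain` suffixes, so operators scope the binding and the suffixes deliberately.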
+++ b/mmv1/templates/terraform/examples/vertex_ai_reasoning_engine_psc_interface.tf.tmpl 
@@ -0,0 +1,97 @@
+# When PSC-I is configured, Agent deletion will fail,
+# although the agent will be deleted.
+# Bug at https://github.com/hashicorp/terraform-provider-google/issues/25637
+
+resource "google_vertex_ai_reasoning_engine" "{{$.PrimaryResourceId}}" {
+ display_name = "{{index $.Vars "name"}}"
+ description = "A basic reasoning engine"
+ region = "us-central1"
+
+ spec {
+ agent_framework = "google-adk"
+
+ package_spec {
+ python_version = "3.11"
+ dependency_files_gcs_uri = "${google_storage_bucket.bucket.url}/${google_storage_bucket_object.bucket_obj_dependencies_tar_gz.name}"
+ pickle_object_gcs_uri = "${google_storage_bucket.bucket.url}/${google_storage_bucket_object.bucket_obj_pickle.name}"
+ requirements_gcs_uri = "${google_storage_bucket.bucket.url}/${google_storage_bucket_object.bucket_obj_requirements_txt.name}"
+ }
+
+ deployment_spec {
+
+ psc_interface_config {
+ network_attachment = google_compute_network_attachment.network_attachment.id
+
+ dns_peering_configs {
+ domain = "example.com."
+ target_project = data.google_project.project.project_id
+ target_network = google_compute_network.network.name
+ }
+ }
+ }
+ }
+
+ depends_on = [
+ time_sleep.wait_35_minutes
+ ]
+}
+
+resource "google_storage_bucket_object" "bucket_obj_requirements_txt" {
+ name = "requirements.txt"
+ bucket = google_storage_bucket.bucket.id
+ source = "./test-fixtures/requirements_adk.txt"
+}
+
+resource "google_storage_bucket_object" "bucket_obj_pickle" {
+ name = "code.pkl"
+ bucket = google_storage_bucket.bucket.id
+ source = "./test-fixtures/pickle_adk.pkl"
+}
+
+resource "google_storage_bucket_object" "bucket_obj_dependencies_tar_gz" {
+ name = "dependencies.tar.gz"
+ bucket = google_storage_bucket.bucket.id
+ source = "./test-fixtures/dependencies_adk.tar.gz"
+}
+
+resource "google_storage_bucket" "bucket" {
+ name = "{{index $.Vars "bucket_name"}}"
+ location = "us-central1"
+ uniform_bucket_level_access = true
+ force_destroy = true
+}
+
+# Destroy network attachment 35 minutes after reasoning engine is deleted.
+# It guarantees that the network attachment has no more active PSC interfaces.
+resource "time_sleep" "wait_35_minutes" {
+ destroy_duration = "35m"
+
+ depends_on = [
+ google_compute_network_attachment.network_attachment
+ ]
+}
+
+resource "google_compute_network_attachment" "network_attachment" {
+ name = "{{index $.Vars "network_attachment_name"}}"
+ region = "us-central1"
+ connection_preference = "ACCEPT_MANUAL"
+
+ subnetworks = [
+ google_compute_subnetwork.subnetwork.id
+ ]
+}
+
+resource "google_compute_subnetwork" "subnetwork" {
+ name = "{{index $.Vars "subnetwork_name"}}"
+ region = "us-central1"
+ ip_cidr_range = "10.0.0.0/16"
+ network = google_compute_network.network.id
+}
+
+resource "google_compute_network" "network" {
+ name = "{{index $.Vars "network_name"}}"
+ auto_create_subnetworks = false
+}
+
+data "google_project" "project" {
+}
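Review bot: `connection_preference = "ACCEPT_MANUAL"` on the network attachment is set with no `producer_accept_lists`, so unless Vertex AI's tenant project is accepted by some other mechanism the PSC interface may never leave the pending state, and because the product YAML marks this example `exclude_test: true` nothing in CI would surface that. Keep ACCEPT_MANUAL, which is the least-privilege choice over ACCEPT_AUTOMATIC, but once the required behaviour is confirmed add a comment such as `# ACCEPT_MANUAL: the Vertex AI tenant project must be in producer_accept_lists; ACCEPT_AUTOMATIC would accept any producer.` The header comment says destroy "will fail" although the agent is deleted, but does not say what the reader should do; a line like `# Re-run terraform destroy (or terraform state rm the engine) after the error; the remaining resources are then removed.` would turn a known bug into an actionable note. `force_destroy = true` on the bucket is fine for a throwaway example but deserves a one-line warning since this template is rendered into user-facing docs and the bucket holds the pickled agent code.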