Bug Description
gemini-enterprise/deploy.sh (configure_stage_0()) auto-enables only discoveryengine.googleapis.com and certificatemanager.googleapis.com on the g4g main project, but two later steps in the same Step-1 flow depend on APIs it never enables: (1) group validation runs gcloud identity groups describe <email>, which needs cloudidentity.googleapis.com, and prints WARNING: Cannot access or find <group> even when the group exists; (2) the "Disabling Implicit Model Data Caching" compliance step calls the Vertex AI REST API, which needs aiplatform.googleapis.com, and fails with HTTP 403 so the caching-disable never runs. Both are non-fatal to the run but produce false failure signals and skip a compliance control.
Environment and Deployment Context
- Stellar Engine Version/Commit:
main @ 3728fc98
- Deployment Type:
- Affected Component:
blueprints/fedramp-high/gemini-enterprise/deploy.sh — configure_stage_0() API-enablement (enables discoveryengine + certificatemanager only); group-validation step (gcloud identity groups describe); "Disabling Implicit Model Data Caching" Vertex REST step
- Terraform Version: deploy.sh pins Terraform 1.12.2 (tfenv)
Steps to Reproduce
- On a fresh tenant, run
./deploy.sh (Brownfield, Step 1) without pre-enabling cloudidentity / aiplatform.
- At the identity step, deploy.sh prints
WARNING: Cannot access or find <group> for both admin/user groups even though they exist.
- At the caching-disable step, the Vertex REST call fails with HTTP 403.
- Enable both APIs manually and re-run — both warnings/errors disappear, confirming root cause.
Expected Behavior
deploy.sh enables cloudidentity.googleapis.com and aiplatform.googleapis.com on the main project (as it already does for discoveryengine / certificatemanager), or the README documents them as prerequisites.
Actual Behavior
False "group not found" warnings and a 403 on the compliance caching-disable on every fresh tenant; the operator must discover and run gcloud services enable cloudidentity.googleapis.com aiplatform.googleapis.com --project=<main> manually.
Relevant Logs and Errors
WARNING: Cannot access or find group <admin-group>@...
WARNING: Cannot access or find group <user-group>@...
...
Disabling Implicit Model Data Caching... HTTP 403 (Vertex AI API has not been used in project ... or it is disabled)
Additional Context
Same class as #104 — a required API the framework doesn't enable).
Bug Description
gemini-enterprise/deploy.sh(configure_stage_0()) auto-enables onlydiscoveryengine.googleapis.comandcertificatemanager.googleapis.comon the g4g main project, but two later steps in the same Step-1 flow depend on APIs it never enables: (1) group validation runsgcloud identity groups describe <email>, which needscloudidentity.googleapis.com, and printsWARNING: Cannot access or find <group>even when the group exists; (2) the "Disabling Implicit Model Data Caching" compliance step calls the Vertex AI REST API, which needsaiplatform.googleapis.com, and fails with HTTP 403 so the caching-disable never runs. Both are non-fatal to the run but produce false failure signals and skip a compliance control.Environment and Deployment Context
main@3728fc98blueprints/fedramp-high/gemini-enterprise/deploy.sh—configure_stage_0()API-enablement (enables discoveryengine + certificatemanager only); group-validation step (gcloud identity groups describe); "Disabling Implicit Model Data Caching" Vertex REST stepSteps to Reproduce
./deploy.sh(Brownfield, Step 1) without pre-enablingcloudidentity/aiplatform.WARNING: Cannot access or find <group>for both admin/user groups even though they exist.Expected Behavior
deploy.sh enables
cloudidentity.googleapis.comandaiplatform.googleapis.comon the main project (as it already does fordiscoveryengine/certificatemanager), or the README documents them as prerequisites.Actual Behavior
False "group not found" warnings and a 403 on the compliance caching-disable on every fresh tenant; the operator must discover and run
gcloud services enable cloudidentity.googleapis.com aiplatform.googleapis.com --project=<main>manually.Relevant Logs and Errors
Additional Context
Same class as #104 — a required API the framework doesn't enable).