Access from another project, with VPC SC

blueprints/serverless/cloud-run-corporate/main.tf

@@ -14,10 +14,11 @@
  * limitations under the License.
  */
 
-
 locals {
   domain_cr_main = format("%s.",
   trimprefix(module.cloud_run_main.service.status[0].url, "https://"))
+  vpc_sc_create = (length(module.project_prj1) > 0 &&
+  (var.access_policy != null || var.access_policy_create != null)) ? 1 : 0
 }
 
 ###############################################################################
@@ -38,7 +39,9 @@ module "project_main" {
   services = [
     "run.googleapis.com",
     "compute.googleapis.com",
-    "dns.googleapis.com"
+    "dns.googleapis.com",
+    "cloudresourcemanager.googleapis.com",
+    "accesscontextmanager.googleapis.com"
   ]
   skip_delete = true
 }
@@ -316,6 +319,28 @@ module "private_dns_prj1" {
   }
 }
 
+###############################################################################
+#                                   VPC SC                                    #
+###############################################################################
+
+module "vpc_sc" {
+  source               = "../../../modules/vpc-sc"
+  count                = local.vpc_sc_create
+  access_policy        = var.access_policy_create == null ? var.access_policy : null
+  access_policy_create = var.access_policy_create
+  service_perimeters_regular = {
+    cloudrun = {
+      status = {
+        resources = [
+          "projects/${module.project_main.number}",
+          "projects/${module.project_prj1[0].number}"
+        ]
+        restricted_services = ["run.googleapis.com"]
+      }
+    }
+  }
+}
+
 ###############################################################################
 #                                    VPN                                      #
 ###############################################################################

blueprints/serverless/cloud-run-corporate/provider.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {
+  user_project_override = true
+  billing_project       = var.prj_main_id
+}

blueprints/serverless/cloud-run-corporate/variables.tf

@@ -14,6 +14,21 @@
  * limitations under the License.
  */
 
+variable "access_policy" {
+  description = "VPC SC access policy, if it exists."
+  type        = string
+  default     = null
+}
+
+variable "access_policy_create" {
+  description = "Parameters for the creation of a VPC SC access policy."
+  type = object({
+    parent = string
+    title  = string
+  })
+  default = null
+}
+
 variable "image" {
   description = "Container image to deploy."
   type        = string
@@ -23,7 +38,7 @@ variable "image" {
 variable "ingress_settings" {
   description = "Ingress traffic sources allowed to call the service."
   type        = string
-  default     = "all"
+  default     = "internal"
 }
 
 variable "ip_ranges" {