diff --git a/modules/cloud-function-v2/README.md b/modules/cloud-function-v2/README.md
index c8b41cc05..f56990774 100644
--- a/modules/cloud-function-v2/README.md
+++ b/modules/cloud-function-v2/README.md
@@ -15,6 +15,7 @@ Cloud Function management, with support for IAM roles, optional bucket creation
- [Multiple Cloud Functions within project](#multiple-cloud-functions-within-project)
- [Mounting secrets from Secret Manager](#mounting-secrets-from-secret-manager)
- [VPC Access Connector](#vpc-access-connector)
+ - [Direct VPC Egress](#direct-vpc-egress)
- [Variables](#variables)
- [Outputs](#outputs)
- [Fixtures](#fixtures)
@@ -405,6 +406,30 @@ module "cf_http" {
}
# tftest fixtures=fixtures/shared-vpc.tf inventory=service-vpc-access-connector-create-sharedvpc.yaml
```
+
+### Direct VPC Egress
+
+You can also configure Direct VPC Egress instead of using a VPC Access Connector.
+
+```hcl
+module "cf_http" {
+ source = "./fabric/modules/cloud-function-v2"
+ project_id = var.project_id
+ region = var.region
+ name = "direct-vpc-egress"
+ bucket_name = var.bucket
+ bundle_config = {
+ path = "assets/sample-function/"
+ }
+ direct_vpc_egress = {
+ network = var.vpc.self_link
+ subnetwork = var.subnet.self_link
+ tags = ["tag1", "tag2"]
+ mode = "VPC_EGRESS_ALL_TRAFFIC"
+ }
+}
+# tftest inventory=direct-vpc-egress.yaml
+```
## Variables
@@ -412,27 +437,28 @@ module "cf_http" {
|---|---|:---:|:---:|:---:|
| [bucket_name](variables.tf#L27) | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | string | ✓ | |
| [bundle_config](variables.tf#L51) | Cloud function source. Path can point to a GCS object URI, or a local path. A local path to a zip archive will generate a GCS object using its basename, a folder will be zipped and the GCS object name inferred when not specified. | object({…}) | ✓ | |
-| [name](variables.tf#L167) | Name used for cloud function and associated resources. | string | ✓ | |
-| [project_id](variables.tf#L182) | Project id used for all resources. | string | ✓ | |
-| [region](variables.tf#L187) | Region used for all resources. | string | ✓ | |
+| [name](variables.tf#L185) | Name used for cloud function and associated resources. | string | ✓ | |
+| [project_id](variables.tf#L200) | Project id used for all resources. | string | ✓ | |
+| [region](variables.tf#L205) | Region used for all resources. | string | ✓ | |
| [bucket_config](variables.tf#L17) | Enable and configure auto-created bucket. Set fields to null to use defaults. | object({…}) | | null |
| [build_environment_variables](variables.tf#L33) | A set of key/value environment variable pairs available during build time. | map(string) | | {} |
| [build_service_account](variables.tf#L39) | Build service account email. | string | | null |
| [build_worker_pool](variables.tf#L45) | Build worker pool, in projects//locations//workerPools/ format. | string | | null |
| [context](variables.tf#L84) | Context-specific interpolations. | object({…}) | | {} |
| [description](variables.tf#L102) | Optional description. | string | | "Terraform managed." |
-| [docker_repository_id](variables.tf#L108) | User managed repository created in Artifact Registry. | string | | null |
-| [environment_variables](variables.tf#L114) | Cloud function environment variables. | map(string) | | {…} |
-| [function_config](variables.tf#L122) | Cloud function configuration. Defaults to using main as entrypoint, 1 instance with 256MiB of memory, and 180 second timeout. | object({…}) | | {…} |
-| [iam](variables.tf#L143) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
-| [ingress_settings](variables.tf#L149) | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY . | string | | null |
-| [kms_key](variables.tf#L155) | Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function resources in key id format. If specified, you must also provide an artifact registry repository using the docker_repository_id field that was created with the same KMS crypto key. | string | | null |
-| [labels](variables.tf#L161) | Resource labels. | map(string) | | {} |
-| [prefix](variables.tf#L172) | Optional prefix used for resource names. | string | | null |
-| [secrets](variables.tf#L192) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | map(object({…})) | | {} |
+| [direct_vpc_egress](variables.tf#L108) | Direct VPC egress configuration. | object({…}) | | null |
+| [docker_repository_id](variables.tf#L126) | User managed repository created in Artifact Registry. | string | | null |
+| [environment_variables](variables.tf#L132) | Cloud function environment variables. | map(string) | | {…} |
+| [function_config](variables.tf#L140) | Cloud function configuration. Defaults to using main as entrypoint, 1 instance with 256MiB of memory, and 180 second timeout. | object({…}) | | {…} |
+| [iam](variables.tf#L161) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
+| [ingress_settings](variables.tf#L167) | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY . | string | | null |
+| [kms_key](variables.tf#L173) | Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function resources in key id format. If specified, you must also provide an artifact registry repository using the docker_repository_id field that was created with the same KMS crypto key. | string | | null |
+| [labels](variables.tf#L179) | Resource labels. | map(string) | | {} |
+| [prefix](variables.tf#L190) | Optional prefix used for resource names. | string | | null |
+| [secrets](variables.tf#L210) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | map(object({…})) | | {} |
| [service_account_config](variables-serviceaccount.tf#L17) | Service account configurations. | object({…}) | | {} |
-| [trigger_config](variables.tf#L204) | Function trigger configuration. Leave null for HTTP trigger. | object({…}) | | null |
-| [vpc_connector](variables.tf#L222) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | object({…}) | | {} |
+| [trigger_config](variables.tf#L222) | Function trigger configuration. Leave null for HTTP trigger. | object({…}) | | null |
+| [vpc_connector](variables.tf#L240) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | object({…}) | | {} |
| [vpc_connector_create](variables-vpcconnector.tf#L17) | VPC connector network configuration. Must be provided if new VPC connector is being created. | object({…}) | | null |
## Outputs
diff --git a/modules/cloud-function-v2/main.tf b/modules/cloud-function-v2/main.tf
index e1273aecc..37ff45447 100644
--- a/modules/cloud-function-v2/main.tf
+++ b/modules/cloud-function-v2/main.tf
@@ -105,6 +105,22 @@ resource "google_cloudfunctions2_function" "function" {
timeout_seconds = var.function_config.timeout_seconds
vpc_connector = local.vpc_connector
vpc_connector_egress_settings = var.vpc_connector.egress_settings
+ direct_vpc_egress = try(var.direct_vpc_egress.mode, null)
+
+ dynamic "direct_vpc_network_interface" {
+ for_each = var.direct_vpc_egress == null ? [] : [""]
+ content {
+ network = lookup(
+ local.ctx.networks, var.direct_vpc_egress.network,
+ var.direct_vpc_egress.network
+ )
+ subnetwork = lookup(
+ local.ctx.subnets, var.direct_vpc_egress.subnetwork,
+ var.direct_vpc_egress.subnetwork
+ )
+ tags = var.direct_vpc_egress.tags
+ }
+ }
dynamic "secret_environment_variables" {
for_each = { for k, v in var.secrets : k => v if !v.is_volume }
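Review bot: Nothing stops `direct_vpc_egress` (line 92) and `vpc_connector` (line 90) from being set at the same time; the two are alternative egress paths for the same service_config, and the API presumably rejects or silently prefers one of them, so the conflict should fail at plan time rather than at apply. `local.vpc_connector` is defined outside the hunk; if it is null whenever no connector is configured, a resource-level `lifecycle` precondition on the enclosing `google_cloudfunctions2_function` (whose header is above the hunk) would express this, as sketched below. The block would go at resource level, not inside `service_config`.
```hcl
  # … unchanged: service_config incl. direct_vpc_egress and direct_vpc_network_interface …

  lifecycle {
    precondition {
      # TODO confirm local.vpc_connector is null when no connector is configured
      condition     = var.direct_vpc_egress == null || local.vpc_connector == null
      error_message = "direct_vpc_egress and vpc_connector cannot be configured together."
    }
  }
```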
diff --git a/modules/cloud-function-v2/variables.tf b/modules/cloud-function-v2/variables.tf
index d8a115e23..1ed7d86ae 100644
--- a/modules/cloud-function-v2/variables.tf
+++ b/modules/cloud-function-v2/variables.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2022 Google LLC
+ * Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -105,6 +105,24 @@ variable "description" {
default = "Terraform managed."
}
+variable "direct_vpc_egress" {
+ description = "Direct VPC egress configuration."
+ type = object({
+ mode = string
+ network = string
+ subnetwork = string
+ tags = optional(list(string))
+ })
+ default = null
+ validation {
+ condition = var.direct_vpc_egress == null || contains(
+ ["VPC_EGRESS_ALL_TRAFFIC", "VPC_EGRESS_PRIVATE_RANGES_ONLY"],
+ try(var.direct_vpc_egress.mode, "")
+ )
+ error_message = "Direct VPC egress mode must be one of VPC_EGRESS_ALL_TRAFFIC, VPC_EGRESS_PRIVATE_RANGES_ONLY."
+ }
+}
+
variable "docker_repository_id" {
description = "User managed repository created in Artifact Registry."
type = string
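Review bot: The description on line 125 says only "Direct VPC egress configuration.", which leaves the reader to discover the accepted `mode` values from the validation error and says nothing about what `network`/`subnetwork` accept, even though main.tf in this same commit resolves them through `local.ctx.networks`/`local.ctx.subnets` before falling back to the raw value. Since this text is what surfaces in the README variables table, I would expand it to something like `description = "Direct VPC egress configuration. Mode is VPC_EGRESS_ALL_TRAFFIC or VPC_EGRESS_PRIVATE_RANGES_ONLY; network and subnetwork accept self links or context keys."` (the context-key part assumes that is the intent of the lookup in main.tf). A short note that `tags` is optional and that this block is an alternative to `vpc_connector` would also help, if that is how the module is meant to be used.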
diff --git a/tests/modules/cloud_function_v2/examples/direct-vpc-egress.yaml b/tests/modules/cloud_function_v2/examples/direct-vpc-egress.yaml
new file mode 100644
index 000000000..0530e3620
--- /dev/null
+++ b/tests/modules/cloud_function_v2/examples/direct-vpc-egress.yaml
@@ -0,0 +1,36 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.cf_http.google_cloudfunctions2_function.function:
+ service_config:
+ - all_traffic_on_latest_revision: true
+ available_cpu: '0.166'
+ available_memory: 256M
+ binary_authorization_policy: null
+ direct_vpc_egress: VPC_EGRESS_ALL_TRAFFIC
+ direct_vpc_network_interface:
+ - network: projects/xxx/global/networks/aaa
+ subnetwork: subnet_self_link
+ tags:
+ - tag1
+ - tag2
+
+counts:
+ google_cloudfunctions2_function: 1
+ google_project_iam_member: 2
+ google_service_account: 1
+ google_storage_bucket_object: 1
+ modules: 1
+ resources: 5