From 8d51ccd491335cc9392ef7139eaa1aeddfedfe64 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Fri, 5 Dec 2025 18:36:52 +0100
Subject: [PATCH] Add Direct VPC Egress support to `modules/cloud-function-v2` (#3567)

Fixes #3561
---
 modules/cloud-function-v2/README.md | 54 ++++++++++++++-----
 modules/cloud-function-v2/main.tf | 16 ++++++
 modules/cloud-function-v2/variables.tf | 20 ++++++-
 .../examples/direct-vpc-egress.yaml | 36 +++++++++++++
 4 files changed, 111 insertions(+), 15 deletions(-)
 create mode 100644 tests/modules/cloud_function_v2/examples/direct-vpc-egress.yaml

diff --git a/modules/cloud-function-v2/README.md b/modules/cloud-function-v2/README.md
index c8b41cc05..f56990774 100644
--- a/modules/cloud-function-v2/README.md
+++ b/modules/cloud-function-v2/README.md
@@ -15,6 +15,7 @@ Cloud Function management, with support for IAM roles, optional bucket creation
 - [Multiple Cloud Functions within project](#multiple-cloud-functions-within-project)
 - [Mounting secrets from Secret Manager](#mounting-secrets-from-secret-manager)
 - [VPC Access Connector](#vpc-access-connector)
+ - [Direct VPC Egress](#direct-vpc-egress)
 - [Variables](#variables)
 - [Outputs](#outputs)
 - [Fixtures](#fixtures)
@@ -405,6 +406,30 @@ module "cf_http" {
 }
 # tftest fixtures=fixtures/shared-vpc.tf inventory=service-vpc-access-connector-create-sharedvpc.yaml
 ```
+
+### Direct VPC Egress
+
+You can also configure Direct VPC Egress instead of using a VPC Access Connector.
+
+```hcl
+module "cf_http" {
+ source = "./fabric/modules/cloud-function-v2"
+ project_id = var.project_id
+ region = var.region
+ name = "direct-vpc-egress"
+ bucket_name = var.bucket
+ bundle_config = {
+ path = "assets/sample-function/"
+ }
+ direct_vpc_egress = {
+ network = var.vpc.self_link
+ subnetwork = var.subnet.self_link
+ tags = ["tag1", "tag2"]
+ mode = "VPC_EGRESS_ALL_TRAFFIC"
+ }
+}
+# tftest inventory=direct-vpc-egress.yaml
+```
 
 ## Variables
 
@@ -412,27 +437,28 @@ module "cf_http" {
 |---|---|:---:|:---:|:---:|
 | [bucket_name](variables.tf#L27) | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | string | ✓ | |
 | [bundle_config](variables.tf#L51) | Cloud function source. Path can point to a GCS object URI, or a local path. A local path to a zip archive will generate a GCS object using its basename, a folder will be zipped and the GCS object name inferred when not specified. | object({…}) | ✓ | |
-| [name](variables.tf#L167) | Name used for cloud function and associated resources. | string | ✓ | |
-| [project_id](variables.tf#L182) | Project id used for all resources. | string | ✓ | |
-| [region](variables.tf#L187) | Region used for all resources. | string | ✓ | |
+| [name](variables.tf#L185) | Name used for cloud function and associated resources. | string | ✓ | |
+| [project_id](variables.tf#L200) | Project id used for all resources. | string | ✓ | |
+| [region](variables.tf#L205) | Region used for all resources. | string | ✓ | |
 | [bucket_config](variables.tf#L17) | Enable and configure auto-created bucket. Set fields to null to use defaults. | object({…}) | | null |
 | [build_environment_variables](variables.tf#L33) | A set of key/value environment variable pairs available during build time. | map(string) | | {} |
 | [build_service_account](variables.tf#L39) | Build service account email. | string | | null |
 | [build_worker_pool](variables.tf#L45) | Build worker pool, in projects//locations//workerPools/ format. | string | | null |
 | [context](variables.tf#L84) | Context-specific interpolations. | object({…}) | | {} |
 | [description](variables.tf#L102) | Optional description. | string | | "Terraform managed." |
-| [docker_repository_id](variables.tf#L108) | User managed repository created in Artifact Registry. | string | | null |
-| [environment_variables](variables.tf#L114) | Cloud function environment variables. | map(string) | | {…} |
-| [function_config](variables.tf#L122) | Cloud function configuration. Defaults to using main as entrypoint, 1 instance with 256MiB of memory, and 180 second timeout. | object({…}) | | {…} |
-| [iam](variables.tf#L143) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
-| [ingress_settings](variables.tf#L149) | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY . | string | | null |
-| [kms_key](variables.tf#L155) | Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function resources in key id format. If specified, you must also provide an artifact registry repository using the docker_repository_id field that was created with the same KMS crypto key. | string | | null |
-| [labels](variables.tf#L161) | Resource labels. | map(string) | | {} |
-| [prefix](variables.tf#L172) | Optional prefix used for resource names. | string | | null |
-| [secrets](variables.tf#L192) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | map(object({…})) | | {} |
+| [direct_vpc_egress](variables.tf#L108) | Direct VPC egress configuration. | object({…}) | | null |
+| [docker_repository_id](variables.tf#L126) | User managed repository created in Artifact Registry. | string | | null |
+| [environment_variables](variables.tf#L132) | Cloud function environment variables. | map(string) | | {…} |
+| [function_config](variables.tf#L140) | Cloud function configuration. Defaults to using main as entrypoint, 1 instance with 256MiB of memory, and 180 second timeout. | object({…}) | | {…} |
+| [iam](variables.tf#L161) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
+| [ingress_settings](variables.tf#L167) | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY . | string | | null |
+| [kms_key](variables.tf#L173) | Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function resources in key id format. If specified, you must also provide an artifact registry repository using the docker_repository_id field that was created with the same KMS crypto key. | string | | null |
+| [labels](variables.tf#L179) | Resource labels. | map(string) | | {} |
+| [prefix](variables.tf#L190) | Optional prefix used for resource names. | string | | null |
+| [secrets](variables.tf#L210) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | map(object({…})) | | {} |
 | [service_account_config](variables-serviceaccount.tf#L17) | Service account configurations. | object({…}) | | {} |
-| [trigger_config](variables.tf#L204) | Function trigger configuration. Leave null for HTTP trigger. | object({…}) | | null |
-| [vpc_connector](variables.tf#L222) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | object({…}) | | {} |
+| [trigger_config](variables.tf#L222) | Function trigger configuration. Leave null for HTTP trigger. | object({…}) | | null |
+| [vpc_connector](variables.tf#L240) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | object({…}) | | {} |
 | [vpc_connector_create](variables-vpcconnector.tf#L17) | VPC connector network configuration. Must be provided if new VPC connector is being created. | object({…}) | | null |
 
 ## Outputs
diff --git a/modules/cloud-function-v2/main.tf b/modules/cloud-function-v2/main.tf
index e1273aecc..37ff45447 100644
--- a/modules/cloud-function-v2/main.tf
+++ b/modules/cloud-function-v2/main.tf
@@ -105,6 +105,22 @@ resource "google_cloudfunctions2_function" "function" {
 timeout_seconds = var.function_config.timeout_seconds
 vpc_connector = local.vpc_connector
 vpc_connector_egress_settings = var.vpc_connector.egress_settings
+ direct_vpc_egress = try(var.direct_vpc_egress.mode, null)
+
+ dynamic "direct_vpc_network_interface" {
+ for_each = var.direct_vpc_egress == null ? [] : [""]
+ content {
+ network = lookup(
+ local.ctx.networks, var.direct_vpc_egress.network,
+ var.direct_vpc_egress.network
+ )
+ subnetwork = lookup(
+ local.ctx.subnets, var.direct_vpc_egress.subnetwork,
+ var.direct_vpc_egress.subnetwork
+ )
+ tags = var.direct_vpc_egress.tags
+ }
+ }
 
 dynamic "secret_environment_variables" {
 for_each = { for k, v in var.secrets : k => v if !v.is_volume }
diff --git a/modules/cloud-function-v2/variables.tf b/modules/cloud-function-v2/variables.tf
index d8a115e23..1ed7d86ae 100644
--- a/modules/cloud-function-v2/variables.tf
+++ b/modules/cloud-function-v2/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2025 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -105,6 +105,24 @@ variable "description" {
 default = "Terraform managed."
 }
 
+variable "direct_vpc_egress" {
+ description = "Direct VPC egress configuration."
+ type = object({
+ mode = string
+ network = string
+ subnetwork = string
+ tags = optional(list(string))
+ })
+ default = null
+ validation {
+ condition = var.direct_vpc_egress == null || contains(
+ ["VPC_EGRESS_ALL_TRAFFIC", "VPC_EGRESS_PRIVATE_RANGES_ONLY"],
+ try(var.direct_vpc_egress.mode, "")
+ )
+ error_message = "Direct VPC egress mode must be one of VPC_EGRESS_ALL_TRAFFIC, VPC_EGRESS_PRIVATE_RANGES_ONLY."
+ }
+}
+
 variable "docker_repository_id" {
 description = "User managed repository created in Artifact Registry."
 type = string
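Review bot: Nothing stops a caller from setting both `vpc_connector` and the new `direct_vpc_egress` on the same function; the new `direct_vpc_egress` attribute and `direct_vpc_network_interface` block are emitted right beside `vpc_connector = local.vpc_connector` and `vpc_connector_egress_settings`, so the conflict would only surface as a provider or API error at apply time. A precondition on the resource would reject it at plan time instead; assuming `local.vpc_connector` (defined outside this hunk) resolves to null when no connector is configured, the block below would do. The `google_cloudfunctions2_function` resource body starts and ends outside the hunk, so whether a `lifecycle` block already exists there needs to be checked before adding one.
```hcl
resource "google_cloudfunctions2_function" "function" {
  # … unchanged: service_config, including the new direct_vpc_network_interface block …
  lifecycle {
    precondition {
      condition     = var.direct_vpc_egress == null || local.vpc_connector == null
      error_message = "direct_vpc_egress and vpc_connector cannot be configured together."
    }
  }
```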
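Review bot: The description `"Direct VPC egress configuration."` gives a reader nothing to choose between the two modes the validation accepts, and that choice is the security-relevant part: with `VPC_EGRESS_ALL_TRAFFIC` every outbound connection traverses the VPC where egress firewall rules, Cloud NAT and flow logs apply, while with `VPC_EGRESS_PRIVATE_RANGES_ONLY` only private-range destinations take that path and internet-bound traffic leaves directly, outside those controls. Suggest `description = "Direct VPC egress configuration. VPC_EGRESS_ALL_TRAFFIC routes all outbound traffic through the VPC (egress firewall rules, NAT and flow logs apply); VPC_EGRESS_PRIVATE_RANGES_ONLY routes only private-range destinations through it. tags are network tags set on the function's interface and used to select firewall rules."`. The validation only checks `mode`; an empty `network` or `subnetwork` string passes it and is only rejected later by the provider, which the same `condition` could catch as well.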
diff --git a/tests/modules/cloud_function_v2/examples/direct-vpc-egress.yaml b/tests/modules/cloud_function_v2/examples/direct-vpc-egress.yaml
new file mode 100644
index 000000000..0530e3620
--- /dev/null
+++ b/tests/modules/cloud_function_v2/examples/direct-vpc-egress.yaml
@@ -0,0 +1,36 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.cf_http.google_cloudfunctions2_function.function:
+ service_config:
+ - all_traffic_on_latest_revision: true
+ available_cpu: '0.166'
+ available_memory: 256M
+ binary_authorization_policy: null
+ direct_vpc_egress: VPC_EGRESS_ALL_TRAFFIC
+ direct_vpc_network_interface:
+ - network: projects/xxx/global/networks/aaa
+ subnetwork: subnet_self_link
+ tags:
+ - tag1
+ - tag2
+
+counts:
+ google_cloudfunctions2_function: 1
+ google_project_iam_member: 2
+ google_service_account: 1
+ google_storage_bucket_object: 1
+ modules: 1
+ resources: 5
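Review bot: This inventory only pins the `VPC_EGRESS_ALL_TRAFFIC` path with `tags` set; neither `VPC_EGRESS_PRIVATE_RANGES_ONLY` nor the case where `tags` is omitted (it is `optional` in the variable, so it reaches the provider as null) is exercised, and the validation's rejection of an unknown mode is not covered either. A second README example with `mode = "VPC_EGRESS_PRIVATE_RANGES_ONLY"` and no `tags`, with its own inventory, would lock both behaviours down.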