VPC Connector alignment to Cloud Run v2 + contexts

2025-10-20 21:46:11 +00:00
parent b67b121a28
commit d9029e47a0
38 changed files with 1588 additions and 173 deletions
--- a/modules/cloud-function-v1/README.md
+++ b/modules/cloud-function-v1/README.md
@@ -15,6 +15,7 @@ Cloud Function management, with support for IAM roles, optional bucket creation
  - [Multiple Cloud Functions within project](#multiple-cloud-functions-within-project)
  - [Mounting secrets from Secret Manager](#mounting-secrets-from-secret-manager)
  - [Using CMEK to encrypt function resources](#using-cmek-to-encrypt-function-resources)
+- [VPC Access Connector](#vpc-access-connector)
 - [Variables](#variables)
 - [Outputs](#outputs)
 - [Fixtures](#fixtures)
@@ -393,6 +394,85 @@ module "cf-http" {
 }
 # tftest inventory=cmek.yaml
 ```
+
+## VPC Access Connector
+
+You can use an existing [VPC Access Connector](https://cloud.google.com/vpc/docs/serverless-vpc-access) to connect to a VPC from Cloud Run.
+
+```hcl
+module "cf_http" {
+  source      = "./fabric/modules/cloud-function-v1"
+  project_id  = var.project_id
+  region      = var.region
+  name        = "test-cf-http"
+  bucket_name = var.bucket
+  bundle_config = {
+    path = "assets/sample-function/"
+  }
+  vpc_connector = {
+    name           = google_vpc_access_connector.connector.id
+    egress_setting = "ALL_TRAFFIC"
+  }
+}
+# tftest fixtures=fixtures/vpc-connector.tf inventory=service-vpc-access-connector.yaml e2e
+```
+
+If creation of the VPC Access Connector is required, use the `vpc_connector.create` and `vpc_connector_create` variable which also supports optional attributes like number of instances, machine type, or throughput.
+
+```hcl
+module "cf_http" {
+  source      = "./fabric/modules/cloud-function-v1"
+  project_id  = var.project_id
+  region      = var.region
+  name        = "test-cf-http"
+  bucket_name = var.bucket
+  bundle_config = {
+    path = "assets/sample-function/"
+  }
+  vpc_connector = {
+    create = true
+  }
+  vpc_connector_create = {
+    ip_cidr_range = "10.10.10.0/28"
+    network       = var.vpc.self_link
+    instances = {
+      max = 10
+      min = 3
+    }
+  }
+}
+# tftest inventory=service-vpc-access-connector-create.yaml e2e
+```
+
+Note that if you are using a Shared VPC for the connector, you need to specify a subnet and the host project if this is not where the Cloud Run service is deployed.
+
+```hcl
+module "cf_http" {
+  source      = "./fabric/modules/cloud-function-v1"
+  project_id  = var.project_id
+  region      = var.region
+  name        = "test-cf-http"
+  bucket_name = var.bucket
+  bundle_config = {
+    path = "assets/sample-function/"
+  }
+  vpc_connector = {
+    create = true
+  }
+  vpc_connector_create = {
+    machine_type = "e2-standard-4"
+    subnet = {
+      name       = module.net-vpc-host.subnets["${var.region}/fixture-subnet-28"].name
+      project_id = module.project-host.project_id
+    }
+    throughput = {
+      max = 300
+      min = 200
+    }
+  }
+}
+# tftest fixtures=fixtures/shared-vpc.tf inventory=service-vpc-access-connector-create-sharedvpc.yaml e2e
+```
 <!-- BEGIN TFDOC -->
 ## Variables

@@ -420,8 +500,8 @@ module "cf-http" {
 | [secrets](variables.tf#L194) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | <code title="map&#40;object&#40;&#123;&#10;  is_volume  &#61; bool&#10;  project_id &#61; string&#10;  secret     &#61; string&#10;  versions   &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [service_account_config](variables-serviceaccount.tf#L17) | Service account configurations. | <code title="object&#40;&#123;&#10;  create       &#61; optional&#40;bool, true&#41;&#10;  display_name &#61; optional&#40;string&#41;&#10;  email        &#61; optional&#40;string&#41;&#10;  name         &#61; optional&#40;string&#41;&#10;  roles &#61; optional&#40;list&#40;string&#41;, &#91;&#10;    &#34;roles&#47;logging.logWriter&#34;,&#10;    &#34;roles&#47;monitoring.metricWriter&#34;&#10;  &#93;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [trigger_config](variables.tf#L206) | Function trigger configuration. Leave null for HTTP trigger. | <code title="object&#40;&#123;&#10;  event    &#61; string&#10;  resource &#61; string&#10;  retry    &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
-| [vpc_connector](variables.tf#L216) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | <code title="object&#40;&#123;&#10;  create          &#61; optional&#40;bool, false&#41;&#10;  name            &#61; optional&#40;string&#41;&#10;  egress_settings &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [vpc_connector_config](variables.tf#L227) | VPC connector network configuration. Must be provided if new VPC connector is being created. | <code title="object&#40;&#123;&#10;  ip_cidr_range &#61; string&#10;  network       &#61; string&#10;  instances &#61; optional&#40;object&#40;&#123;&#10;    max &#61; optional&#40;number&#41;&#10;    min &#61; optional&#40;number, 2&#41;&#10;  &#125;&#41;&#41;&#10;  throughput &#61; optional&#40;object&#40;&#123;&#10;    max &#61; optional&#40;number, 300&#41;&#10;    min &#61; optional&#40;number, 200&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
+| [vpc_connector](variables-vpcconnector.tf#L17) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | <code title="object&#40;&#123;&#10;  create          &#61; optional&#40;bool, false&#41;&#10;  name            &#61; optional&#40;string&#41;&#10;  egress_settings &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [vpc_connector_create](variables-vpcconnector.tf#L28) | VPC connector network configuration. Must be provided if new VPC connector is being created. | <code title="object&#40;&#123;&#10;  ip_cidr_range &#61; optional&#40;string&#41;&#10;  machine_type  &#61; optional&#40;string&#41;&#10;  name          &#61; optional&#40;string&#41;&#10;  network       &#61; optional&#40;string&#41;&#10;  instances &#61; optional&#40;object&#40;&#123;&#10;    max &#61; optional&#40;number&#41;&#10;    min &#61; optional&#40;number&#41;&#10;    &#125;&#41;, &#123;&#125;&#10;  &#41;&#10;  throughput &#61; optional&#40;object&#40;&#123;&#10;    max &#61; optional&#40;number&#41;&#10;    min &#61; optional&#40;number&#41;&#10;    &#125;&#41;, &#123;&#125;&#10;  &#41;&#10;  subnet &#61; optional&#40;object&#40;&#123;&#10;    name       &#61; optional&#40;string&#41;&#10;    project_id &#61; optional&#40;string&#41;&#10;  &#125;&#41;, &#123;&#125;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |

 ## Outputs

@@ -443,4 +523,6 @@ module "cf-http" {
 - [cloudbuild-custom-pool.tf](../../tests/fixtures/cloudbuild-custom-pool.tf)
 - [functions-default-sa-iam-grants.tf](../../tests/fixtures/functions-default-sa-iam-grants.tf)
 - [pubsub.tf](../../tests/fixtures/pubsub.tf)
+- [shared-vpc.tf](../../tests/fixtures/shared-vpc.tf)
+- [vpc-connector.tf](../../tests/fixtures/vpc-connector.tf)
 <!-- END TFDOC -->