From eadc1c22a4c3eb7fcab96f0c0a486a7956bb915b Mon Sep 17 00:00:00 2001
From: Julio Diez
Date: Sat, 6 May 2023 13:03:20 +0200
Subject: [PATCH] New use case: Cloud Run services in service projects

Shared VPC Ingress feature (public preview) allows to call a Cloud Run service revision from the Shared VPC network that it is connected to.
---
 .../serverless/cloud-run-corporate/main.tf | 40 +++++++++++++++++--
 .../serverless/cloud-run-corporate/outputs.tf | 4 +-
 .../cloud-run-corporate/variables.tf | 7 ++--
 3 files changed, 43 insertions(+), 8 deletions(-)

diff --git a/blueprints/serverless/cloud-run-corporate/main.tf b/blueprints/serverless/cloud-run-corporate/main.tf
index d8f568d53..4266a6506 100644
--- a/blueprints/serverless/cloud-run-corporate/main.tf
+++ b/blueprints/serverless/cloud-run-corporate/main.tf
@@ -103,11 +103,20 @@ module "project_svc1" {
 parent = try(var.prj_svc1_create.parent, null)
 shared_vpc_service_config = {
 host_project = module.project_main.project_id
+ service_identity_iam = {
+ "roles/compute.networkUser" = [
+ "vpcaccess"
+ ],
+ "roles/editor" = [
+ "cloudservices"
+ ]
+ }
 }
 services = [
 "compute.googleapis.com",
 "dns.googleapis.com",
- "run.googleapis.com"
+ "run.googleapis.com",
+ "vpcaccess.googleapis.com"
 ]
 skip_delete = true
 }
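Review bot: The `roles/editor` binding for the `cloudservices` identity in the new `service_identity_iam` map is far broader than a VPC connector needs; if this map binds on the host project (which its placement under `shared_vpc_service_config` suggests), it hands the service project's Google APIs service agent a primitive edit role over the entire Shared VPC host project. As far as I recall, the documented requirement for a Serverless VPC Access connector on a Shared VPC subnet is `roles/compute.networkUser` for both the `vpcaccess` service agent and the `cloudservices` account, so I would collapse the map to `"roles/compute.networkUser" = ["cloudservices", "vpcaccess"]` and drop the `roles/editor` entry, or else add a comment naming the specific operation that actually requires editor so the grant can be revisited once the preview matures. The `module "project_svc1"` block opens outside the hunk.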
@@ -133,10 +142,24 @@ module "cloud_run_hello" {
 ingress_settings = var.ingress_settings
 }
 
+# VPC Access connector in the service project.
+# The Shared VPC Ingress feature needs a VPC connector. In the future,
+# this need will be removed.
+resource "google_vpc_access_connector" "connector" {
+ count = var.prj_svc1_id != null ? 1 : 0
+ name = "connector"
+ project = module.project_svc1[0].project_id
+ region = var.region
+ subnet {
+ name = module.vpc_main.subnets["${var.region}/subnet-vpc-access"].name
+ project_id = module.project_main.project_id
+ }
+}
+
 # Cloud Run service 1 in service project
 module "cloud_run_cart" {
 source = "../../../modules/cloud-run"
- count = var.custom_domain == null ? 0 : 1
+ count = var.prj_svc1_id != null ? 1 : 0
 project_id = module.project_svc1[0].project_id
 name = local.service_name_cr1 # "cart"
 region = var.region
@@ -149,12 +172,15 @@ module "cloud_run_cart" {
 "roles/run.invoker" = ["allUsers"]
 }
 ingress_settings = var.ingress_settings
+ revision_annotations = {
+ vpcaccess_connector = google_vpc_access_connector.connector[0].name
+ }
 }
 
 # Cloud Run service 2 in service project
 module "cloud_run_checkout" {
 source = "../../../modules/cloud-run"
- count = var.custom_domain == null ? 0 : 1
+ count = var.prj_svc1_id != null ? 1 : 0
 project_id = module.project_svc1[0].project_id
 name = local.service_name_cr2 # "checkout"
 region = var.region
@@ -167,6 +193,9 @@ module "cloud_run_checkout" {
 "roles/run.invoker" = ["allUsers"]
 }
 ingress_settings = var.ingress_settings
+ revision_annotations = {
+ vpcaccess_connector = google_vpc_access_connector.connector[0].name
+ }
 }
 
 ###############################################################################
@@ -183,6 +212,11 @@ module "vpc_main" {
 ip_cidr_range = var.ip_ranges["main"].subnet
 name = "subnet-main"
 region = var.region
+ },
+ {
+ ip_cidr_range = var.ip_ranges["main"].subnet_vpc_access
+ name = "subnet-vpc-access"
+ region = var.region
 }
 ]
 subnets_proxy_only = [
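Review bot: The new `revision_annotations` attaches the cart revision to the VPC connector while the visible context keeps `"roles/run.invoker" = ["allUsers"]` and `ingress_settings = var.ingress_settings`, so the only thing keeping this service off the public internet is the value of `var.ingress_settings`, which nothing in the commit constrains. For the Shared VPC ingress use case this commit describes, I would either document that `var.ingress_settings` must be `internal` (or `internal-and-cloud-load-balancing`, if I have the value names right) for an `allUsers` invoker to be acceptable, or enforce it with a `validation` block on that variable, e.g. `condition = contains(["internal", "internal-and-cloud-load-balancing"], var.ingress_settings)`. The `cloud_run_cart` module block opens outside the hunk, and `var.ingress_settings` is declared outside the hunks shown here.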
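Review bot: The `revision_annotations` map added to `cloud_run_checkout` is byte-identical to the one added to `cloud_run_cart`, and both hard-code the index in `google_vpc_access_connector.connector[0].name`; a shared local such as `vpc_access_annotations = { vpcaccess_connector = google_vpc_access_connector.connector[0].name }` referenced from both modules would keep the two services from drifting when the connector reference changes. Neither annotation map sets an egress option, so the revisions' egress behaviour is whatever the module or Cloud Run defaults to; if private-ranges-only is the intent, I would state it in a comment on the map. The `cloud_run_checkout` module block opens outside the hunk.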
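Review bot: The new `subnet-vpc-access` entry carries no comment, although it is consumed by the connector's `subnet` block elsewhere in this file and, as far as I recall, a Serverless VPC Access connector requires a /28 subnet reserved for the connector alone; nothing here records that this subnet must not be shared with other workloads or that its size is fixed. I would add `# Reserved for the Serverless VPC Access connector: must be a /28 and must not host other resources.` above the entry so the constraint survives the next refactor. The `module "vpc_main"` block and its `subnets` list open outside the hunk.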
diff --git a/blueprints/serverless/cloud-run-corporate/outputs.tf b/blueprints/serverless/cloud-run-corporate/outputs.tf index 6ffef1410..102afe8c1 100644 --- a/blueprints/serverless/cloud-run-corporate/outputs.tf +++ b/blueprints/serverless/cloud-run-corporate/outputs.tf @@ -16,13 +16,13 @@ output "default_URL_cart" { description = "Cloud Run service 'cart' default URL." - value = (var.custom_domain != null ? + value = (var.prj_svc1_id != null ? module.cloud_run_cart[0].service.status[0].url : "none") } output "default_URL_checkout" { description = "Cloud Run service 'checkout' default URL." - value = (var.custom_domain != null ? + value = (var.prj_svc1_id != null ? module.cloud_run_checkout[0].service.status[0].url : "none") } diff --git a/blueprints/serverless/cloud-run-corporate/variables.tf b/blueprints/serverless/cloud-run-corporate/variables.tf index c86c6784a..9ad54c2e3 100644 --- a/blueprints/serverless/cloud-run-corporate/variables.tf +++ b/blueprints/serverless/cloud-run-corporate/variables.tf @@ -52,9 +52,10 @@ variable "ip_ranges" { type = map(map(string)) default = { main = { - subnet = "10.0.1.0/24" - subnet_proxy = "10.10.0.0/24" - psc_addr = "10.0.0.100" + subnet = "10.0.1.0/24" + subnet_proxy = "10.10.0.0/24" + subnet_vpc_access = "10.10.10.0/28" + psc_addr = "10.0.0.100" } onprem = { subnet = "172.16.1.0/24"
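Review bot: `main.tf` now reads `var.ip_ranges["main"].subnet_vpc_access`, but `ip_ranges` is typed `map(map(string))`, so a caller who overrides the variable without the new key gets an opaque attribute-lookup error at plan time instead of a message naming the missing key. Since the variable block already exists, a `validation` block requiring `subnet_vpc_access` under `main` (and ideally checking it is a /28, if that is the size the connector needs) would fail early with a clear message. The `variable "ip_ranges"` block opens and closes outside the hunk.
```terraform
variable "ip_ranges" {
  # … unchanged: description, type, default …
  validation {
    condition     = can(var.ip_ranges["main"]["subnet_vpc_access"])
    error_message = "ip_ranges.main must define subnet_vpc_access (the /28 range for the Serverless VPC Access connector)."
  }
```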