Accessing Cloud Run privately, first use case

blueprints/serverless/cloud-run-corporate/main.tf

@@ -0,0 +1,153 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+locals {
+  domain_cr_host = format("%s.",
+  trimprefix(module.cloud_run_host.service.status[0].url, "https://"))
+}
+
+###############################################################################
+#                                  Projects                                   #
+###############################################################################
+
+# Main or host project, depending on if there are service projects
+module "project_host" {
+  source          = "../../../modules/project"
+  name            = var.prj_host_id
+  project_create  = var.prj_host_create != null
+  billing_account = try(var.prj_host_create.billing_account_id, null)
+  parent          = try(var.prj_host_create.parent, null)
+  shared_vpc_host_config = {
+    enabled = true
+  }
+  services = [
+    "run.googleapis.com",
+    "compute.googleapis.com",
+    "dns.googleapis.com"
+  ]
+}
+
+###############################################################################
+#                                  Cloud Run                                  #
+###############################################################################
+
+# Cloud Run service in main project
+module "cloud_run_host" {
+  source     = "../../../modules/cloud-run"
+  project_id = module.project_host.project_id
+  name       = var.run_svc_name
+  region     = var.region
+  containers = [{
+    image         = var.image
+    options       = null
+    ports         = null
+    resources     = null
+    volume_mounts = null
+  }]
+  iam = {
+    "roles/run.invoker" = ["allUsers"]
+  }
+  ingress_settings = var.ingress_settings
+}
+
+###############################################################################
+#                                    VPCs                                     #
+###############################################################################
+
+# VPC in main or host project
+module "vpc_host" {
+  source     = "../../../modules/net-vpc"
+  project_id = module.project_host.project_id
+  name       = "vpc-host"
+  subnets = [
+    {
+      ip_cidr_range         = var.ip_ranges_host.subnet
+      name                  = "subnet-host"
+      region                = var.region
+      enable_private_access = true # PGA enabled
+    }
+  ]
+}
+
+# VPC Firewall with default config, IAP for SSH enabled
+module "firewall_host" {
+  source     = "../../../modules/net-vpc-firewall"
+  project_id = module.project_host.project_id
+  network    = module.vpc_host.name
+  default_rules_config = {
+    http_ranges  = []
+    https_ranges = []
+  }
+}
+
+###############################################################################
+#                                    PSC                                      #
+###############################################################################
+
+module "psc_addr_host" {
+  source     = "../../../modules/net-address"
+  project_id = module.project_host.project_id
+  psc_addresses = {
+    psc-addr-host = {
+      address = var.ip_ranges_host.psc_addr
+      network = module.vpc_host.self_link
+    }
+  }
+}
+
+resource "google_compute_global_forwarding_rule" "psc_endpoint_host" {
+  provider              = google-beta
+  project               = module.project_host.project_id
+  name                  = "pscaddrhost"
+  network               = module.vpc_host.self_link
+  ip_address            = module.psc_addr_host.psc_addresses["psc-addr-host"].self_link
+  target                = "vpc-sc"
+  load_balancing_scheme = ""
+}
+
+###############################################################################
+#                                    VMs                                      #
+###############################################################################
+
+module "vm_test_host" {
+  source        = "../../../modules/compute-vm"
+  project_id    = module.project_host.project_id
+  zone          = "${var.region}-b"
+  name          = "vm-test-host"
+  instance_type = "e2-micro"
+  network_interfaces = [{
+    network    = module.vpc_host.self_link
+    subnetwork = module.vpc_host.subnet_self_links["${var.region}/subnet-host"]
+  }]
+  tags = ["ssh"]
+}
+
+###############################################################################
+#                                    DNS                                      #
+###############################################################################
+
+module "private_dns_host" {
+  source          = "../../../modules/dns"
+  project_id      = module.project_host.project_id
+  type            = "private"
+  name            = "dns-host"
+  client_networks = [module.vpc_host.self_link]
+  domain          = local.domain_cr_host
+  recordsets = {
+    "A " = { records = [module.psc_addr_host.psc_addresses["psc-addr-host"].address] }
+  }
+}

blueprints/serverless/cloud-run-corporate/outputs.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "default_URL" {
+  description = "Cloud Run service default URL."
+  value       = module.cloud_run_host.service.status[0].url
+}

blueprints/serverless/cloud-run-corporate/variables.tf

@@ -0,0 +1,65 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "image" {
+  description = "Container image to deploy."
+  type        = string
+  default     = "us-docker.pkg.dev/cloudrun/container/hello"
+}
+
+variable "ingress_settings" {
+  description = "Ingress traffic sources allowed to call the service."
+  type        = string
+  default     = "all"
+}
+
+variable "ip_ranges_host" {
+  description = "IPs or IP ranges used by VPCs"
+  type = object({
+    subnet   = string
+    psc_addr = string
+  })
+  default = {
+    subnet   = "10.0.1.0/24"
+    psc_addr = "10.0.0.100"
+  }
+}
+
+variable "prj_host_create" {
+  description = "Parameters for the creation of a host project."
+  type = object({
+    billing_account_id = string
+    parent             = string
+  })
+  default = null
+}
+
+variable "prj_host_id" {
+  description = "Host Project ID."
+  type        = string
+}
+
+variable "region" {
+  description = "Cloud region where resource will be deployed."
+  type        = string
+  default     = "europe-west1"
+}
+
+variable "run_svc_name" {
+  description = "Cloud Run service name."
+  type        = string
+  default     = "hello"
+}