google_cloud_run_v2_service and google_cloud_run_v2_job do not support Direct VPC egress with a VPC network

[le0pard]

Description

Cloud Run v2 have in preview "Direct VPC egress", which based on this comparison https://cloud.google.com/run/docs/configuring/vpc-connect-comparison much better than "Serverless VPC Access connectors"

Problem, that "google_cloud_run_v2_service" in "vpc_access" support only "connector" for "Serverless VPC Access connectors" and "egress" settings. Even if I am try to skip "connector" and only have "egress", I will get error:

│ Error: Error updating Service "projects/tests/locations/us-central1/services/test-service": googleapi: Error 400: Violation in UpdateServiceRequest.service.template.vpc_access.connector: one and only one of connector and network_interfaces must be set.
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.BadRequest",
│     "fieldViolations": [
│       {
│         "description": "one and only one of connector and network_interfaces must be set.",
│         "field": "Violation in UpdateServiceRequest.service.template.vpc_access.connector"
│       }
│     ]
│   }
│ ]
│
│   with google_cloud_run_v2_service.test_service,
│   on cloud_run.tf line 251, in resource "google_cloud_run_v2_service" "test_service":
│  251: resource "google_cloud_run_v2_service" "test_service" {

Same issue have "google_cloud_run_v2_job" resource.

More info about "Direct VPC egress": https://cloud.google.com/run/docs/configuring/vpc-direct-vpc

New or Affected Resource(s)

• google_cloud_run_v2_service
• google_cloud_run_v2_job

Potential Terraform Configuration

I cannot find API call attributes, but I see this payload part, which json payload send GCP UI

// ...
"vpcSettings": {
  "vpcAccessEgress": "private-ranges-only",
  "directVpc": {
    "vpcNetworkInterfaces": [
      {
        "network": "test-vpc",
        "subnetwork": "test-vpc-subnet",
        "tags": [
          "cloud-run"
        ]
      }
    ]
  }
}

References

• https://cloud.google.com/run/docs/configuring/vpc-connect-comparison
• https://cloud.google.com/run/docs/configuring/vpc-direct-vpc

b/298050505

[mrak-]

Please tell me what is known about this problem? How can it be solved, maybe there is an example?

[le0pard]

Hello, right now I solve this by YML file:

apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  ...
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/minScale: '1'
        autoscaling.knative.dev/maxScale: '4'
        run.googleapis.com/network-interfaces: '[{"network":"private-network","subnetwork":"subnet","tags":["net"]}]'
        run.googleapis.com/vpc-access-egress: private-ranges-only
        run.googleapis.com/cpu-throttling: 'true'
        run.googleapis.com/startup-cpu-boost: 'true'
        run.googleapis.com/sessionAffinity: 'false'
        run.googleapis.com/execution-environment: gen2
    spec:
      containerConcurrency: 20
      timeoutSeconds: '60'
      ...

Major parts here is "run.googleapis.com/network-interfaces" and "run.googleapis.com/vpc-access-egress"

and apply this changes by gcloud run services replace service.yml. Also this option available in UI (as I show in screenshot). But not options for terraform @mrak-

[mrak-]

Thanks to Vasily @le0pard.
Yes, it works manually, and so it works from gcloud cli and like a YAML file, but I need it that it would work from the terraform since my entire infrastructure is automated by the terraform. I would not want to perform part of the infra manually.
Sad my soul (((

[le0pard]

@mrak- that is why this issue exists

[skadecl]

@le0pard have you been able to find a way to make this work?

[le0pard]

@skadecl I already wrote how I resolved this issue in this comment - #15568 (comment)

No solution for terraform right now

[skadecl]

@skadecl I already wrote how I resolved this issue in this comment - #15568 (comment)

No solution for terraform right now

so for the yaml approach, are you deploying the cloud run instance entirely through gcloud cli or are you deploying it with terraform and then setting the vpc egress setting with gcloud?

[le0pard]

@skadecl terraform don't manage cloud run at all, because if option will be change by yml, terraform cloud run resource will be broken and terraform will fail to apply cloud run. So gcloud cli with yml files manage cloud run resources

[skadecl]

@melinath @roaks3 any idea of when this could be supported?

[melinath]

If the API supports setting up direct egress with a VPC network, then it should be possible to support in Terraform. That would be the easiest fix. However, there is no specific timeline at the moment.

[yanweiguo]

Direct VPC egress support was just added to Cloud Run v2 API. The public document hasn't been updated yet.

Terraform support is WIP.

[mrak-]

whoa, Support appeared https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_service
Thank you ))

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.