feat: vpc user to run/functions + soft deletion policy

Author: diegolnasc

README.md

@@ -157,6 +157,7 @@ determining that location is as follows:
 | random\_project\_id\_length | Sets the length of `random_project_id` to the provided length, and uses a `random_string` for a larger collusion domain.  Recommended for use with CI. | `number` | `null` | no |
 | sa\_role | A role to give the default Service Account for the project (defaults to none) | `string` | `""` | no |
 | shared\_vpc\_subnets | List of subnets fully qualified subnet IDs (ie. projects/$project\_id/regions/$region/subnetworks/$subnet\_id) | `list(string)` | `[]` | no |
+| soft\_delete\_policy | Soft delete policies to apply | <pre>object({<br>    retention_duration_seconds = optional(number)<br>  })</pre> | `{}` | no |
 | svpc\_host\_project\_id | The ID of the host project which hosts the shared VPC | `string` | `""` | no |
 | tag\_binding\_values | Tag values to bind the project to. | `list(string)` | `[]` | no |
 | usage\_bucket\_name | Name of a GCS bucket to store GCE usage reports in (optional) | `string` | `""` | no |

main.tf

@@ -60,6 +60,7 @@ module "project-factory" {
   bucket_force_destroy               = var.bucket_force_destroy
   bucket_ula                         = var.bucket_ula
   bucket_pap                         = var.bucket_pap
+  soft_delete_policy                 = var.soft_delete_policy
   auto_create_network                = var.auto_create_network
   disable_services_on_destroy        = var.disable_services_on_destroy
   default_service_account            = var.default_service_account

modules/core_project_factory/main.tf

@@ -302,6 +302,13 @@ resource "google_storage_bucket" "project_bucket" {
   uniform_bucket_level_access = var.bucket_ula
   public_access_prevention    = var.bucket_pap
 
+  dynamic "soft_delete_policy" {
+    for_each = var.soft_delete_policy == {} ? [] : [var.soft_delete_policy]
+    content {
+      retention_duration_seconds = lookup(soft_delete_policy.value, "retention_duration_seconds", null)
+    }
+  }
+
   versioning {
     enabled = var.bucket_versioning
   }

modules/core_project_factory/variables.tf

@@ -194,6 +194,14 @@ variable "bucket_pap" {
   default     = "inherited"
 }
 
+variable "soft_delete_policy" {
+  description = "Soft delete policies to apply"
+  type = object({
+    retention_duration_seconds = optional(number)
+  })
+  default = {}
+}
+
 variable "auto_create_network" {
   description = "Create the default network"
   type        = bool

modules/shared_vpc_access/main.tf

@@ -31,10 +31,12 @@ locals {
     "notebooks.googleapis.com" : format("service-%s@gcp-sa-notebooks.iam.gserviceaccount.com", local.service_project_number)
     "networkconnectivity.googleapis.com" : format("service-%s@gcp-sa-networkconnectivity.iam.gserviceaccount.com", local.service_project_number)
   }
-  gke_shared_vpc_enabled        = contains(var.active_apis, "container.googleapis.com")
-  composer_shared_vpc_enabled   = contains(var.active_apis, "composer.googleapis.com")
-  datastream_shared_vpc_enabled = contains(var.active_apis, "datastream.googleapis.com")
-  active_apis                   = [for api in keys(local.apis) : api if contains(var.active_apis, api)]
+  gke_shared_vpc_enabled           = contains(var.active_apis, "container.googleapis.com")
+  composer_shared_vpc_enabled      = contains(var.active_apis, "composer.googleapis.com")
+  datastream_shared_vpc_enabled    = contains(var.active_apis, "datastream.googleapis.com")
+  run_vpc_serverless_enabled       = contains(var.active_apis, "vpcaccess.googleapis.com") && contains(var.active_apis, "run.googleapis.com")
+  functions_vpc_serverless_enabled = contains(var.active_apis, "vpcaccess.googleapis.com") && contains(var.active_apis, "cloudfunctions.googleapis.com")
+  active_apis                      = [for api in keys(local.apis) : api if contains(var.active_apis, api)]
   # Can't use setproduct due to https://github.com/terraform-google-modules/terraform-google-project-factory/issues/635
   subnetwork_api = length(var.shared_vpc_subnets) != 0 ? flatten([
     for i, api in local.active_apis : [for i, subnet in var.shared_vpc_subnets : "${api},${subnet}"]
@@ -146,6 +148,28 @@ resource "google_project_iam_member" "gke_security_admin" {
   member  = format("serviceAccount:%s", local.apis["container.googleapis.com"])
 }
 
+/******************************************
+  roles/vpcaccess.user role granted to Cloud Run Service Agent for Run on shared VPC host project
+  See: https://cloud.google.com/run/docs/configuring/shared-vpc-host-project
+ *****************************************/
+resource "google_project_iam_member" "cloud_run_vpc_access" {
+  count   = local.run_vpc_serverless_enabled ? 1 : 0
+  project = var.host_project_id
+  role    = "roles/vpcaccess.user"
+  member  = format("serviceAccount:service-%s@serverless-robot-prod.iam.gserviceaccount.com", local.service_project_number)
+}
+
+/******************************************
+  roles/vpcaccess.user role granted to Cloud Functions Service Agent for Functions on shared VPC host project
+  See: https://cloud.google.com/functions/docs/networking/shared-vpc-host-project
+ *****************************************/
+resource "google_project_iam_member" "functions_run_vpc_access" {
+  count   = local.functions_vpc_serverless_enabled ? 1 : 0
+  project = var.host_project_id
+  role    = "roles/vpcaccess.user"
+  member  = format("serviceAccount:service-%s@gcf-admin-robot.iam.gserviceaccount.com", local.service_project_number)
+}
+
 /******************************************
   roles/compute.networkAdmin role granted to Datastream's service account for datastream connectivity configuration on shared VPC host project
   See: https://cloud.google.com/datastream/docs/create-a-private-connectivity-configuration

variables.tf

@@ -194,6 +194,14 @@ variable "bucket_pap" {
   default     = "inherited"
 }
 
+variable "soft_delete_policy" {
+  description = "Soft delete policies to apply"
+  type = object({
+    retention_duration_seconds = optional(number)
+  })
+  default = {}
+}
+
 variable "auto_create_network" {
   description = "Create the default network"
   type        = bool