replace VPC connector with superior direct VPC egress

Author: Adam-D-Lewis

cloud-run.tf

@@ -11,11 +11,14 @@ resource "google_cloud_run_service" "main_app" {
         "autoscaling.knative.dev/minScale"         = tostring(var.app_min_instances)
         "autoscaling.knative.dev/maxScale"         = tostring(var.app_max_instances)
         "run.googleapis.com/execution-environment" = "gen2"
-        # VPC connector annotation (if enabled)
-        "run.googleapis.com/vpc-access-connector" = var.enable_vpc_connector ? google_vpc_access_connector.main[0].name : null
-        "run.googleapis.com/vpc-access-egress"    = var.enable_vpc_connector ? "private-ranges-only" : null
         # CPU allocation
-        "run.googleapis.com/cpu-throttling" = "false"
+        "run.googleapis.com/cpu-throttling" = "false",
+        # Direct VPC Egress
+        "run.googleapis.com/network-interfaces" = jsonencode([{
+          "network"    = google_compute_network.main.id
+          "subnetwork" = google_compute_subnetwork.private.id
+          "tags"       = ["cloud-run"]
+        }])
         }, {
         # Config hash annotations to force new revisions when config changes
         for name, config in var.app_config_files : "config.hash.${name}" => sha256(config.content)

locals.tf

@@ -33,9 +33,6 @@ locals {
   private_subnet_name = "${local.resource_prefix}-subnet-${random_id.network_suffix.hex}"
   nat_gateway_name    = "${local.resource_prefix}-nat-${random_id.network_suffix.hex}"
   router_name         = "${local.resource_prefix}-router-${random_id.network_suffix.hex}"
-  # VPC connector name must be <= 25 chars and match ^[a-z][-a-z0-9]{0,23}[a-z0-9]$
-  # Add random suffix to avoid naming collisions
-  vpc_connector_name = length("${local.resource_prefix}-conn-${random_id.network_suffix.hex}") <= 25 ? "${local.resource_prefix}-conn-${random_id.network_suffix.hex}" : "${substr(local.resource_prefix, 0, 11)}-conn-${random_id.network_suffix.hex}"
 
   # Cloud Run service names
   main_app_service_name = "${local.resource_prefix}-app"

networking.tf

@@ -43,26 +43,6 @@ resource "google_compute_router_nat" "main" {
   }
 }
 
-# VPC Connector for Cloud Run to VPC communication
-resource "google_vpc_access_connector" "main" {
-  count   = var.enable_vpc_connector ? 1 : 0
-  name    = local.vpc_connector_name
-  region  = var.region
-  project = var.project_id
-
-  subnet {
-    name       = google_compute_subnetwork.private.name
-    project_id = var.project_id
-  }
-
-  # Minimum instances for the connector
-  min_instances = 2
-  max_instances = 3
-
-  # Machine type for the connector
-  machine_type = "e2-micro"
-}
-
 # Firewall rule to allow health checks for Cloud Run
 resource "google_compute_firewall" "allow_health_checks" {
   name    = "${local.resource_prefix}-allow-health-checks"

outputs.tf

@@ -53,11 +53,6 @@ output "private_subnet_name" {
   value       = google_compute_subnetwork.private.name
 }
 
-output "vpc_connector_id" {
-  description = "ID of the VPC connector (if enabled)"
-  value       = var.enable_vpc_connector ? google_vpc_access_connector.main[0].id : null
-}
-
 # Service Account Outputs
 output "hrafnar_app_service_account_email" {
   description = "Email of the hrafnar application service account"

variables.tf

@@ -426,12 +426,6 @@ variable "log_level" {
 
 # Security Configuration
 
-variable "enable_vpc_connector" {
-  description = "Enable VPC Connector for Cloud Run to VPC communication"
-  type        = bool
-  default     = true
-}
-
 # Resource Tags
 variable "labels" {
   description = "Labels to apply to all resources"