add private subnet access

Author: Adam-D-Lewis

README.md

@@ -169,6 +169,7 @@ No modules.
 | [google_cloud_run_domain_mapping.main_app](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_domain_mapping) | resource |
 | [google_cloud_run_service.main_app](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_service) | resource |
 | [google_cloud_run_service_iam_member.main_app_public](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_service_iam_member) | resource |
+| [google_cloud_run_service_iam_member.main_app_subnet](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_service_iam_member) | resource |
 | [google_compute_firewall.allow_health_checks](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource |
 | [google_compute_firewall.allow_internal](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) | resource |
 | [google_compute_global_address.private_ip_address](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_global_address) | resource |

cloud-run.tf

@@ -249,6 +249,21 @@ resource "google_cloud_run_service_iam_member" "main_app_public" {
   member   = "allUsers"
 }
 
+# IAM policy to allow subnet access
+resource "google_cloud_run_service_iam_member" "main_app_subnet" {
+  location = google_cloud_run_service.main_app.location
+  project  = google_cloud_run_service.main_app.project
+  service  = google_cloud_run_service.main_app.name
+  role     = "roles/run.invoker"
+  member   = "allUsers"
+
+  condition {
+    title       = "Subnet access"
+    description = "Allow access from the private subnet"
+    expression  = "inIpRange(origin.ip, \"${var.private_subnet_cidr}\")"
+  }
+}
+
 # Domain mapping for the hrafnar application (if Cloudflare DNS is enabled)
 # Domain mapping for the application
 resource "google_cloud_run_domain_mapping" "main_app" {