From 355a4458c9dd3811c82ea3cd6c80c7459fcb09aa Mon Sep 17 00:00:00 2001
From: Charles-Meldhine Madi Mnemoi
Date: Mon, 19 May 2025 20:34:47 +0200
Subject: [PATCH 1/2] ci: Add static IP to Cloud Run instance
---
 .gitignore | 8 +++++++-
 terraform/cloud_run.tf | 6 ++++--
 terraform/outputs.tf | 7 ++++++-
 terraform/variables.tf | 3 ++-
 4 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/.gitignore b/.gitignore
index b2c81dc..9b9dbbf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -209,4 +209,10 @@ terraform.rc
 .terragrunt-cache
 # Terraform plans
-tfplan
\ No newline at end of file
+tfplan
+
+# Certificate Authority
+cert.pem
+ca.pem
+
+*.sql
\ No newline at end of file
diff --git a/terraform/cloud_run.tf b/terraform/cloud_run.tf
index 94038c8..754fd76 100644
--- a/terraform/cloud_run.tf
+++ b/terraform/cloud_run.tf
@@ -31,8 +31,10 @@ resource "google_cloud_run_service" "fastapi" {
 metadata {
 annotations = {
- "autoscaling.knative.dev/minScale" = "1"
- "autoscaling.knative.dev/maxScale" = "1"
+ "autoscaling.knative.dev/minScale" = "1"
+ "autoscaling.knative.dev/maxScale" = "1"
+ "run.googleapis.com/vpc-access-connector" = google_vpc_access_connector.run_connector.name
+ "run.googleapis.com/vpc-access-egress" = "all-traffic"
 }
 }
 }
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
index 2020daa..d1a20cf 100644
--- a/terraform/outputs.tf
+++ b/terraform/outputs.tf
@@ -1,3 +1,8 @@
 output "cloud_run_url" {
 value = google_cloud_run_service.fastapi.status[0].url
-}
\ No newline at end of file
+}
+
+output "cloud_run_static_ip" {
+ value = google_compute_address.cloud_run_static_ip.address
+ description = "Static IP used by Cloud Run through NAT"
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 7b366a0..1812987 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
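Review bot: The third added annotation in the cloud_run.tf hunk references `google_vpc_access_connector.run_connector`, which this commit does not define — it only arrives with the follow-up "add missing network.tf" patch — so `terraform validate` fails at this commit; squashing or reordering the two keeps every commit planable. `run.googleapis.com/vpc-access-connector` and `vpc-access-egress` are revision-template annotations, and the enclosing block starts above the hunk, so I cannot tell whether this `metadata` is `template.metadata` or the service-level one; if it is the latter the annotations take no effect and egress keeps leaving without the static IP. With `all-traffic` egress, calls to Google APIs also traverse the connector, so the connector subnet defined in the network.tf patch should have Private Google Access enabled to keep them off the public NAT path.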
@@ -20,7 +20,8 @@ variable "enabled_apis" {
 "iam.googleapis.com",
 "serviceusage.googleapis.com",
 "logging.googleapis.com",
- "monitoring.googleapis.com"
+ "monitoring.googleapis.com",
+ "vpcaccess.googleapis.com"
 ]
 }
From 429d8c473fce31de3c8ed16afb1d176bde3728de Mon Sep 17 00:00:00 2001
From: Charles-Meldhine Madi Mnemoi
Date: Mon, 19 May 2025 20:39:46 +0200
Subject: [PATCH 2/2] ci: add missing network.tf
---
 terraform/network.tf | 60 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 terraform/network.tf
diff --git a/terraform/network.tf b/terraform/network.tf
new file mode 100644
index 0000000..1ad7f77
--- /dev/null
+++ b/terraform/network.tf
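Review bot: Enabling `vpcaccess.googleapis.com` covers the connector, but the router, NAT and reserved address added in network.tf are Compute Engine resources that also need `compute.googleapis.com`; the head of this list is above the hunk, so I cannot see whether it is already present. If it is not, add `"compute.googleapis.com",` beside the new entry so the first apply does not fail on a disabled API.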
@@ -0,0 +1,60 @@
+# -----------------------------------------------------------------------------
+# VPC Configuration for Cloud Run Egress via NAT
+# -----------------------------------------------------------------------------
+
+# Creates a custom VPC network (no auto subnet creation)
+resource "google_compute_network" "run_vpc" {
+ name = "sightcall-qa-api-vpc"
+ auto_create_subnetworks = false
+}
+
+# Subnet used specifically for the Serverless VPC Access Connector
+resource "google_compute_subnetwork" "run_subnet" {
+ name = "sightcall-qa-api-subnet"
+ ip_cidr_range = "10.10.0.0/28"
+ region = var.region
+ network = google_compute_network.run_vpc.id
+}
+
+# -----------------------------------------------------------------------------
+# Serverless VPC Access Connector
+# -----------------------------------------------------------------------------
+
+# Enables Cloud Run to access resources in the VPC
+resource "google_vpc_access_connector" "run_connector" {
+ name = "sightcall-qa-api-connector"
+ region = var.region
+ network = google_compute_network.run_vpc.name
+ ip_cidr_range = "10.10.0.0/28" # must match subnet range
+}
+
+# -----------------------------------------------------------------------------
+# Static IP Address and NAT Configuration
+# -----------------------------------------------------------------------------
+
+# Reserves a static external IP address for outbound traffic
+resource "google_compute_address" "cloud_run_static_ip" {
+ name = "sightcall-qa-api-static-ip"
+ region = var.region
+}
+
+# Creates a Cloud Router to support Cloud NAT
+resource "google_compute_router" "run_router" {
+ name = "sightcall-qa-api-router"
+ region = var.region
+ network = google_compute_network.run_vpc.id
+}
+
+# Configures Cloud NAT to route egress traffic through the static IP
+resource "google_compute_router_nat" "run_nat" {
+ name = "sightcall-qa-api-nat"
+ router = google_compute_router.run_router.name
+ region = var.region
+
+ # Manually assign our reserved static IP
+ nat_ip_allocate_option = "MANUAL_ONLY"
+ nat_ips = [google_compute_address.cloud_run_static_ip.id]
+
+ # Apply NAT to all subnetworks and IP ranges in the VPC
+ source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
+}
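Review bot: `run_connector` is declared with `network` plus `ip_cidr_range` instead of a `subnet` block, and in that form the connector provisions its own /28 inside the VPC; since `run_subnet` already occupies 10.10.0.0/28, the apply should fail with an overlapping-range error (as far as I recall the provider's behaviour — worth a `terraform plan` to confirm). Either drop `run_subnet` or point the connector at it by replacing the `network` and `ip_cidr_range` lines with `subnet { name = google_compute_subnetwork.run_subnet.name }`, which also makes the `# must match subnet range` comment unnecessary. Because cloud_run.tf sets `vpc-access-egress = "all-traffic"`, `run_subnet` should additionally set `private_ip_google_access = true` so calls to Google APIs stay on the private path rather than exiting through the NAT. For visibility into what leaves via the static IP, give `run_nat` a `log_config` block with `enable = true` and `filter = "ERRORS_ONLY"` so NAT allocation failures and drops land in Cloud Logging.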