ci: Add static IP to Cloud Run instance

.gitignore

@@ -209,4 +209,10 @@ terraform.rc
 .terragrunt-cache
 
 # Terraform plans
-tfplan
+tfplan
+
+# Certificate Authority
+cert.pem
+ca.pem
+
+*.sql

terraform/cloud_run.tf

@@ -31,8 +31,10 @@ resource "google_cloud_run_service" "fastapi" {
 
     metadata {
       annotations = {
-        "autoscaling.knative.dev/minScale" = "1"
-        "autoscaling.knative.dev/maxScale" = "1"
+        "autoscaling.knative.dev/minScale"        = "1"
+        "autoscaling.knative.dev/maxScale"        = "1"
+        "run.googleapis.com/vpc-access-connector" = google_vpc_access_connector.run_connector.name
+        "run.googleapis.com/vpc-access-egress"    = "all-traffic"
       }
     }
   }

terraform/network.tf

@@ -0,0 +1,60 @@
+# -----------------------------------------------------------------------------
+# VPC Configuration for Cloud Run Egress via NAT
+# -----------------------------------------------------------------------------
+
+# Creates a custom VPC network (no auto subnet creation)
+resource "google_compute_network" "run_vpc" {
+  name                    = "sightcall-qa-api-vpc"
+  auto_create_subnetworks = false
+}
+
+# Subnet used specifically for the Serverless VPC Access Connector
+resource "google_compute_subnetwork" "run_subnet" {
+  name          = "sightcall-qa-api-subnet"
+  ip_cidr_range = "10.10.0.0/28"
+  region        = var.region
+  network       = google_compute_network.run_vpc.id
+}
+
+# -----------------------------------------------------------------------------
+# Serverless VPC Access Connector
+# -----------------------------------------------------------------------------
+
+# Enables Cloud Run to access resources in the VPC
+resource "google_vpc_access_connector" "run_connector" {
+  name          = "sightcall-qa-api-connector"
+  region        = var.region
+  network       = google_compute_network.run_vpc.name
+  ip_cidr_range = "10.10.0.0/28" # must match subnet range
+}
+
+# -----------------------------------------------------------------------------
+# Static IP Address and NAT Configuration
+# -----------------------------------------------------------------------------
+
+# Reserves a static external IP address for outbound traffic
+resource "google_compute_address" "cloud_run_static_ip" {
+  name   = "sightcall-qa-api-static-ip"
+  region = var.region
+}
+
+# Creates a Cloud Router to support Cloud NAT
+resource "google_compute_router" "run_router" {
+  name    = "sightcall-qa-api-router"
+  region  = var.region
+  network = google_compute_network.run_vpc.id
+}
+
+# Configures Cloud NAT to route egress traffic through the static IP
+resource "google_compute_router_nat" "run_nat" {
+  name   = "sightcall-qa-api-nat"
+  router = google_compute_router.run_router.name
+  region = var.region
+
+  # Manually assign our reserved static IP
+  nat_ip_allocate_option = "MANUAL_ONLY"
+  nat_ips                = [google_compute_address.cloud_run_static_ip.id]
+
+  # Apply NAT to all subnetworks and IP ranges in the VPC
+  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
+}

terraform/outputs.tf

@@ -1,3 +1,8 @@
 output "cloud_run_url" {
   value = google_cloud_run_service.fastapi.status[0].url
-}
+}
+
+output "cloud_run_static_ip" {
+  value       = google_compute_address.cloud_run_static_ip.address
+  description = "Static IP used by Cloud Run through NAT"
+}

terraform/variables.tf

@@ -20,7 +20,8 @@ variable "enabled_apis" {
     "iam.googleapis.com",
     "serviceusage.googleapis.com",
     "logging.googleapis.com",
-    "monitoring.googleapis.com"
+    "monitoring.googleapis.com",
+    "vpcaccess.googleapis.com"
   ]
 }