cloud-run-v2 is missing support for "network" attribute of (direct) vpc_access.

[lyricnz]

Describe the bug
The module for cloud-run-v2 is missing support for "network" attribute of (direct) vpc_access.

The example in upstream module https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_service#example-usage---cloudrunv2-service-directvpc includes this:

resource "google_cloud_run_v2_service" "default" {
  name     = "cloudrun-service"
  template {
    vpc_access{
      network_interfaces {
        network = "default"
        subnetwork = "default"
        tags = ["tag1", "tag2", "tag3"]
      }
    }
  }
}

It should be optional. See structure at https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_service#network_interfaces-1

It says "If network is not specified, it will be looked up from the subnetwork." but subnet names are not guaranteed to be project-unique, are they?

I tried using subnetwork=default (in VPC/network=default) and it ended up with an invalid-looking configuration in the console

Environment

❯ terraform -version
OpenTofu v1.8.5
on darwin_amd64
+ provider registry.opentofu.org/hashicorp/google v6.11.1
+ provider registry.opentofu.org/hashicorp/google-beta v6.11.1

❯ git rev-parse --short HEAD
52e03ec9

To Reproduce
Sample config.

module "cloud_run" {
  source     = "../../../modules/cloud-run-v2"
  project_id = module.project.project_id
  name       = "${var.run_svc_name}-service"
  region     = var.region

  revision = {
    gen2_execution_environment = true
    vpc_access = {
      egress = "PRIVATE_RANGES_ONLY"
      subnet = "default"
    }
...

Expected behavior
Can specify "network" value

Result
No error, just strange situation per screenshot

Additional context
Add any other context about the problem here

[wiktorn]

Subnetwork name is not unique within the project, but it is unique within the region. You're deploying Cloud Run into specific region, so subnetwork is well defined.

I'm reluctant to add network field, as per docs, it results in the following:

• check that provided network exists
• lookup of the subnetwork with the same name in the region

Providing subnetwork is far more straightforward and won't result in errors such as subnetwork doesn't exists, when you provide just the network.

The UI flow is probably defined as such, to improve search for the subnetwork.

The following example deploys without issue:

module "cloud_run" {
  source       = "./fabric/modules/cloud-run-v2"
  project_id   = var.project_id
  name         = "hello"
  region       = var.region
  launch_stage = "BETA"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  revision = {
    gen2_execution_environment = true
    max_instance_count         = 20
    vpc_access = {
      egress = "ALL_TRAFFIC"
      subnet = var.subnet.name
      tags   = ["tag1", "tag2", "tag3"]
    }
  }
  deletion_protection = false
}

[lyricnz]

I agree it "deploys without issue", it just looks invalid in the console (due to mandatory "network" field)

[ludoo]

@wiktorn if we add network as optional both use cases should be covered right? If no network is passed in we have the current behaviour (network is null), if users passes it in they get no warning in the console. WDYT?

[wiktorn]

Yes, I was worried about the case when user provides network and doesn't provide subnet. This fails in very user-unfriendly way (if there is no subnet with the same name as network) - deployment just hangs. But I excluded that by validation.

Also - it also looked weird in console 😄

[lyricnz]

Awesome. Thanks guys :)