什麼是 IAP，他對應到的是 AWS Session manager，如果我們想要 Access 到私有環境，由於 CloudRun 我們是採用 ingress internal，所以直接使用 url 是無法測試的。這時可以建立一台 VM

• 先在 VPC 上建立 IAP 的 firewall rule

• 在此 VPC 上建立 VM

• 開啟 IAP API

• 將自己的角色設定成 # IAP Tunnel User

# IAP Firewall Rule
resource "google_compute_firewall" "allow_iap_ssh" {
  name    = "allow-iap-ssh"
  network = "bi-portal-staging"

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["35.235.240.0/20"]  # IAP's IP range
  target_tags   = ["allow-iap"]
}

# VM Instance
resource "google_compute_instance" "bi_portal_test_vm" {
  name         = "bi-portal-test-vm-alvin"
  machine_type = "e2-medium"
  zone         = "asia-east1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network    = "bi-portal-staging"
    subnetwork = "bi-portal-staging"
    
    // This VM will not have an external IP
    access_config {
      // Ephemeral IP
    }
  }

  service_account {
    email  = "sa@xxx.iam.gserviceaccount.com"
    scopes = ["cloud-platform"]
  }

  metadata = {
    enable-oslogin = "true"
  }

  tags = ["allow-iap"]
}

# IAP Tunnel User
resource "google_iap_tunnel_instance_iam_member" "instance_iam" {
  project = "xxxx"
  zone    = google_compute_instance.bi_portal_test_vm.zone
  instance = google_compute_instance.bi_portal_test_vm.name
  role     = "roles/iap.tunnelResourceAccessor"
  member   = "user:xxx@xxx.com"  # Replace with your email
}

# Enable IAP API
resource "google_project_service" "iap_api" {
  project = "xxx"
  service = "iap.googleapis.com"

  disable_on_destroy = false
}

# Output the internal IP of the instance
output "instance_internal_ip" {
  value = google_compute_instance.bi_portal_test_vm.network_interface[0].network_ip
}

完成後就可以用 gcloud compute ssh 連線，然後就可以 curl 測試看看 Cloud Run 是否正常

gcloud compute ssh bi-xxx-test-vm-alvin \
    --project=xxx \
    --zone=asia-east1-a \
    --tunnel-through-iap;