What is IAP? It is the GCP counterpart of AWS Session Manager. We want to reach a private environment: our Cloud Run service is deployed with ingress set to internal, so it cannot be tested by calling its URL directly. In that case we can create a VM and reach it through IAP:
First, create the IAP firewall rule on the VPC
Create a VM in that VPC
Enable the IAP API
Grant your own account the IAP Tunnel User role
# IAP Firewall Rule
resource "google_compute_firewall" "allow_iap_ssh" {
  name    = "allow-iap-ssh"
  network = "bi-portal-staging"

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["35.235.240.0/20"] # IAP's TCP forwarding IP range
  target_tags   = ["allow-iap"]
}

# VM Instance
resource "google_compute_instance" "bi_portal_test_vm" {
  name         = "bi-portal-test-vm-alvin"
  machine_type = "e2-medium"
  zone         = "asia-east1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network    = "bi-portal-staging"
    subnetwork = "bi-portal-staging"
    # No access_config block: the VM gets no external IP and is reachable
    # only through the IAP tunnel.
  }

  service_account {
    email  = "sa@xxx.iam.gserviceaccount.com"
    scopes = ["cloud-platform"]
  }

  metadata = {
    enable-oslogin = "true"
  }

  tags = ["allow-iap"]
}

# IAP Tunnel User
resource "google_iap_tunnel_instance_iam_member" "instance_iam" {
  project  = "xxxx"
  zone     = google_compute_instance.bi_portal_test_vm.zone
  instance = google_compute_instance.bi_portal_test_vm.name
  role     = "roles/iap.tunnelResourceAccessor"
  member   = "user:xxx@xxx.com" # Replace with your email

  # The IAP API must be enabled before this binding can be created
  depends_on = [google_project_service.iap_api]
}

# Enable IAP API
resource "google_project_service" "iap_api" {
  project            = "xxx"
  service            = "iap.googleapis.com"
  disable_on_destroy = false
}

# Output the internal IP of the instance
output "instance_internal_ip" {
  value = google_compute_instance.bi_portal_test_vm.network_interface[0].network_ip
}
Once this is applied you can connect with gcloud compute ssh, and from inside the VM use curl to check that the Cloud Run service responds:
gcloud compute ssh bi-xxx-test-vm-alvin \
  --project=xxx \
  --zone=asia-east1-a \
  --tunnel-through-iap
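A small audit of the resulting setup, added here and not part of the original post: it reads the JSON that gcloud compute firewall-rules describe and gcloud compute instances describe print (the sample documents inside are constructed) and flags drift from what the configuration above relies on: an SSH source range wider than IAP's, extra ports, a public IP on the VM, a missing allow-iap tag, or OS Login turned off.

```python
"""Audit the IAP-only SSH setup from the configuration above.
Takes the JSON that `gcloud compute firewall-rules describe NAME --format=json`
and `gcloud compute instances describe NAME --format=json` print. The sample
documents at the bottom are constructed, not captured from a real project."""
import ipaddress

IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")  # Google's IAP TCP forwarding range

def audit_firewall(rule: dict) -> list[str]:
    """Findings that would let SSH reach the VM from somewhere other than IAP."""
    findings = []
    for cidr in rule.get("sourceRanges", []):
        net = ipaddress.ip_network(cidr)
        if net.version != 4 or not net.subnet_of(IAP_RANGE):
            findings.append(f"source range {cidr} is outside the IAP range")
    for entry in rule.get("allowed", []):
        proto, ports = entry.get("IPProtocol"), entry.get("ports", [])
        if proto != "tcp" or ports != ["22"]:
            findings.append(f"allows {proto} {ports or 'all ports'}, expected tcp 22 only")
    if not rule.get("targetTags"):
        findings.append("no targetTags: the rule applies to every VM in the network")
    return findings

def audit_instance(inst: dict, tag: str = "allow-iap") -> list[str]:
    """Findings that contradict 'private VM, SSH only through IAP with OS Login'."""
    findings = []
    for nic in inst.get("networkInterfaces", []):
        if nic.get("accessConfigs"):  # present only when a public IP is attached
            findings.append(f"{nic.get('name')} has an external IP")
    if tag not in inst.get("tags", {}).get("items", []):
        findings.append(f"missing network tag {tag}: the IAP firewall rule will not match")
    meta = {i["key"]: i["value"] for i in inst.get("metadata", {}).get("items", [])}
    if meta.get("enable-oslogin", "").lower() != "true":
        findings.append("enable-oslogin is not true: SSH keys are not governed by IAM")
    return findings

# Constructed samples: one pair matching the Terraform above, one pair that drifted.
FIREWALL_OK = {"sourceRanges": ["35.235.240.0/20"], "targetTags": ["allow-iap"],
               "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
FIREWALL_BAD = {"sourceRanges": ["0.0.0.0/0"],
                "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}]}
INSTANCE_OK = {"networkInterfaces": [{"name": "nic0", "networkIP": "10.0.0.5"}],
               "tags": {"items": ["allow-iap"]},
               "metadata": {"items": [{"key": "enable-oslogin", "value": "true"}]}}
INSTANCE_BAD = {"networkInterfaces": [{"name": "nic0", "networkIP": "10.0.0.6",
                                       "accessConfigs": [{"natIP": "203.0.113.10"}]}]}

if __name__ == "__main__":
    print("firewall:", audit_firewall(FIREWALL_BAD) or "ok")
    print("instance:", audit_instance(INSTANCE_BAD) or "ok")
```

In practice, pipe the two gcloud describe commands to files and load them with json.load in place of the constructed samples.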