@echo-chamber0

Add configuration to enable Cloud Run services to connect to MySQL via private IP (internal VPC) instead of public IP.

Changes:

Enable Service Networking API conditionally
Allocate /24 IP range for VPC peering
Create private VPC connection with route configuration
Update Cloud SQL ip_configuration:
Disable public IP when private enabled
Set private_network and allocated_ip_range
Enable private path for Google Cloud services
Add CLOUDSQL_USE_PRIVATE_IP env var to Cloud Run
Add mysql_use_private_ip variable (default: false)
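The Terraform wiring that the description lists, written out end to end as an added example (this is not the pull request's own code). Assumed inputs are `var.project_id`, `var.region`, `var.namespace`, `var.vpc_network_name`, `var.subnetwork_name` and `var.container_image`; the `mysql_private_ip_prefix_length` variable is an assumption that follows the review suggestion to make the /24 configurable; the Cloud Run `vpc_access` block is an assumption too, since a service without a VPC egress path cannot reach a private address:

```hcl
# Added example, not the PR's code. Assumed: var.project_id, var.region,
# var.namespace, var.vpc_network_name, var.subnetwork_name, var.container_image.
variable "mysql_use_private_ip" {
  description = "Attach Cloud SQL to the VPC and disable its public IP."
  type        = bool
  default     = false
}

# Assumed addition following the review suggestion: /24 is the Cloud SQL minimum.
variable "mysql_private_ip_prefix_length" {
  description = "Prefix length of the range reserved for private services access."
  type        = number
  default     = 24
}

locals {
  private_ip = var.mysql_use_private_ip ? 1 : 0
}

data "google_compute_network" "vpc" {
  project = var.project_id
  name    = var.vpc_network_name
}

# 1. Service Networking API, only when private IP is requested.
resource "google_project_service" "servicenetworking" {
  count              = local.private_ip
  project            = var.project_id
  service            = "servicenetworking.googleapis.com"
  disable_on_destroy = false
}

# 2. Internal range reserved for the peering; namespaced so two deployments
#    in one project do not collide on the name.
resource "google_compute_global_address" "cloudsql_range" {
  count         = local.private_ip
  project       = var.project_id
  name          = "${var.namespace}-cloudsql-range"
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = var.mysql_private_ip_prefix_length
  network       = data.google_compute_network.vpc.id
}

# 3. Private services access connection plus its route configuration.
resource "google_service_networking_connection" "cloudsql" {
  count                   = local.private_ip
  network                 = data.google_compute_network.vpc.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.cloudsql_range[0].name]
  depends_on              = [google_project_service.servicenetworking]
}

resource "google_compute_network_peering_routes_config" "cloudsql" {
  count                = local.private_ip
  project              = var.project_id
  peering              = google_service_networking_connection.cloudsql[0].peering
  network              = data.google_compute_network.vpc.name
  import_custom_routes = true
  export_custom_routes = true
}

# 4. Cloud SQL: public IP off, private network and range on.
resource "google_sql_database_instance" "mysql" {
  project          = var.project_id
  name             = "${var.namespace}-mysql"
  region           = var.region
  database_version = "MYSQL_8_0"
  depends_on       = [google_service_networking_connection.cloudsql]

  settings {
    tier = "db-f1-micro"
    ip_configuration {
      ipv4_enabled       = !var.mysql_use_private_ip
      private_network    = var.mysql_use_private_ip ? data.google_compute_network.vpc.id : null
      allocated_ip_range = var.mysql_use_private_ip ? google_compute_global_address.cloudsql_range[0].name : null
      enable_private_path_for_google_cloud_services = var.mysql_use_private_ip
    }
  }
}

# 5. Cloud Run: flag the app and (assumed) give it Direct VPC egress.
resource "google_cloud_run_v2_service" "app" {
  project  = var.project_id
  name     = "${var.namespace}-app"
  location = var.region

  template {
    containers {
      image = var.container_image
      env {
        name  = "CLOUDSQL_USE_PRIVATE_IP"
        value = tostring(var.mysql_use_private_ip)
      }
    }
    dynamic "vpc_access" {
      for_each = var.mysql_use_private_ip ? [1] : []
      content {
        egress = "PRIVATE_RANGES_ONLY"
        network_interfaces {
          network    = data.google_compute_network.vpc.name
          subnetwork = var.subnetwork_name
        }
      }
    }
  }
}
```

Two points worth checking before relying on this in a shared project. First, the env var alone changes nothing on the network side; without a Serverless VPC Access connector or Direct VPC egress (the assumed `vpc_access` block) the container has no route to the private address. Second, a VPC network holds one private services access connection per service, so two deployments with different `namespace` values on the same network both try to own `google_service_networking_connection.cloudsql` and each apply rewrites its `reserved_peering_ranges`; the reservation and the connection belong in shared network configuration, with each instance getting its own range listed there.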

@gemini-code-assist
Contributor

Summary of Changes

Hello @echo-chamber0, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a significant enhancement by allowing Cloud Run services to securely connect to Cloud SQL MySQL instances using private IP addresses within a Virtual Private Cloud (VPC). This change involves setting up conditional service networking, allocating dedicated IP ranges, and configuring the Cloud SQL instance to leverage private connectivity, thereby improving network security and efficiency by keeping database traffic off the public internet.

Highlights

  • Private IP for Cloud SQL: This PR introduces the capability for Cloud Run services to connect to Cloud SQL MySQL instances using a private IP address via an internal VPC, enhancing security and potentially performance.
  • Conditional Service Networking Setup: The Service Networking API is now conditionally enabled, along with the allocation of a /24 IP range for VPC peering and the creation of a private VPC connection, all activated only when private IP is configured for MySQL.
  • Cloud SQL IP Configuration Update: The Cloud SQL instance's IP configuration is updated to disable public IP when private IP is enabled, set the private network and allocated IP range, and enable the private path for Google Cloud services.
  • New Configuration Variables: A new environment variable CLOUDSQL_USE_PRIVATE_IP is added to Cloud Run, and a Terraform variable mysql_use_private_ip (defaulting to false) is introduced to control this private IP feature.


@gemini-code-assist gemini-code-assist bot left a comment
Code Review

This pull request adds support for connecting Cloud Run services to Cloud SQL using a private IP address. The changes are well-structured and correctly use conditional resource creation based on the new mysql_use_private_ip variable. The necessary resources for VPC peering, such as enabling the Service Networking API, allocating an IP range, and creating the network connection, are all included. The Cloud SQL instance configuration is also correctly updated to use the private network when enabled.

I have one suggestion to improve flexibility by making the IP range prefix length configurable, as the hardcoded /24 might not be suitable for all environments. Overall, this is a solid implementation of the feature.

@echo-chamber0
Author

@gemini-code-assist

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request adds support for connecting Cloud Run services to Cloud SQL using a private IP, which is a great improvement for security. The changes are well-structured, using a feature flag variable to conditionally create the necessary networking resources. The Terraform code is clean and correctly uses conditional logic. I have one suggestion to make the configuration more robust by programmatically handling an IAM permission that the comments suggest might require manual intervention.

@gemini-code-assist
Contributor

Thanks for the ping, @echo-chamber0! I'm currently finalizing the detailed review comments and will post them shortly. Please bear with me for a few more moments.

@echo-chamber0
Author

@gemini-code-assist

@gemini-code-assist
Contributor

Thanks for your patience, @echo-chamber0! I'm still working on compiling the detailed review comments and will post them as soon as they are ready. Appreciate you bearing with me.

@dwnoble dwnoble self-requested a review January 5, 2026 17:47
@dwnoble
Contributor

dwnoble commented Jan 9, 2026

Thanks @echo-chamber0 ! How did you test these changes? Can you ensure you can deploy two custom DC instances to the same GCP account with different "namespace" values?

@echo-chamber0
Author

@dwnoble Thanks for the question! Everything depends on the GCP project and networking layer setup, and on which ranges you can afford for your PSA connection. The minimum for CloudSQL is /24 for one instance. If you need several instances, you should have a greater range available before CloudSQL is deployed. This solution is mostly aimed at users with network restrictions. However, in terms of spinning up numerous Cloud Run instances, it can be quite non-easy. One possible solution then is to have a bigger CloudSQL instance itself with different databases for each Cloud Run.

@dwnoble
Contributor

dwnoble commented Jan 20, 2026

> @dwnoble Thanks for the question! Everything depends on the GCP project and networking layer setup, and on which ranges you can afford for your PSA connection. The minimum for CloudSQL is /24 for one instance. If you need several instances, you should have a greater range available before CloudSQL is deployed. This solution is mostly aimed at users with network restrictions. However, in terms of spinning up numerous Cloud Run instances, it can be quite non-easy. One possible solution then is to have a bigger CloudSQL instance itself with different databases for each Cloud Run.

Thanks @echo-chamber0 - what about in a GCP account with minimal or no organizational security policies? Can you test doing back-to-back deployments to the same account with different "namespace" values?
