From d3154462f2caef349337ee008ac577bcccabab68 Mon Sep 17 00:00:00 2001
From: wolfthom
Date: Wed, 27 Mar 2024 21:22:27 +0100
Subject: [PATCH] Support direct VPC egress

---
 README.MD | 7 +++++--
 action.yml | 12 ++++++++++++
 entrypoint.sh | 25 +++++++++++++++++++++++++
 3 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/README.MD b/README.MD
index e5c3a31..c11d6c9 100644
--- a/README.MD
+++ b/README.MD
@@ -31,8 +31,11 @@ A Github Action that deploys a service to Google Cloud Run (GCP managed Knative-
 | `no_traffic` | Set to true to just deploy a new revision without shifting traffic | `false` | false | [gcloud run deploy](https://cloud.google.com/sdk/gcloud/reference/run/deploy#--no-traffic) |
 | `cloudsql_instances` | Comma separated list of CloudSQL instances to connect to | | false | [gcloud run deploy](https://cloud.google.com/sdk/gcloud/reference/run/deploy#--set-cloudsql-instances) |
 | `vpc_connector` | Name of the Serverless VPC Access connector to use with this service | | false | [gcloud run deploy](https://cloud.google.com/sdk/gcloud/reference/run/deploy#--vpc-connector) |
-| `vpc_egress` | Outbound traffic configuration, if a vpc_connector is configured; options are: `private-ranges-only`, `all-traffic` | `private-ranges-only` | false | [gcloud run deploy](https://cloud.google.com/sdk/gcloud/reference/run/deploy#--vpc-egress) |
-| `ingress` | Allowed ingress traffic sources; options are: `all`, `internal`, `internal-and-cloud-load-balancing` | `all` | false | [gcloud run deploy](https://cloud.google.com/sdk/gcloud/reference/run/deploy#--ingress) |
+| `vpc_egress` | Outbound traffic configuration, if a vpc_connector is configured; options are: `private-ranges-only`, `all-traffic` | `private-ranges-only` | false | [gcloud run deploy](https://cloud.google.com/sdk/gcloud/reference/run/deploy#--vpc-egress) |
+| `vpc_network` | Name of VPC network when using direct VPC egress w/o vpc connector | | false | [gcloud run deploy](https://cloud.google.com/run/docs/configuring/vpc-direct-vpc#direct-vpc-service) |
+| `vpc_subnet` | Name of VPC network's subnet when using direct VPC egress w/o vpc connector | | false | [gcloud run deploy](https://cloud.google.com/run/docs/configuring/vpc-direct-vpc#direct-vpc-service) |
+| `vpc_network_tags` | Comma-separated list of network tags for the VPC network to be used | | false | [gcloud run
deploy](https://cloud.google.com/run/docs/configuring/vpc-direct-vpc#direct-vpc-service)|
+| `ingress` | Allowed ingress traffic sources; options are: `all`, `internal`, `internal-and-cloud-load-balancing` | `all` | false | [gcloud run deploy](https://cloud.google.com/sdk/gcloud/reference/run/deploy#--ingress) |
 | `execution_environment` | Selects the execution environment where the application will run; options are: `gen1`, `gen2` | | false | [gcloud run deploy](https://cloud.google.com/sdk/gcloud/reference/run/deploy#--execution-environment), [cloud run docs](https://cloud.google.com/run/docs/about-execution-environments) |
 | `debug` | Whether the gcloud commands should be printed to output | `false` | false | |
diff --git a/action.yml b/action.yml
index 4e74634..8a44005 100644
--- a/action.yml
+++ b/action.yml
@@ -84,6 +84,18 @@ inputs:
     description: 'Outbound traffic configuration, if a vpc_connector is configured'
     required: false
     default: 'private-ranges-only'
+  vpc_network:
+    description: 'Name of VPC network when using direct VPC egress'
+    required: false
+    default: ''
+  vpc_subnet:
+    description: 'Name of VPC network''s subnet'
+    required: false
+    default: ''
+  vpc_network_tags:
+    description: 'Comma-separated list of network tags'
+    required: false
+    default: ''
   ingress:
     description: 'Allowed ingress traffic sources'
     required: false
diff --git a/entrypoint.sh b/entrypoint.sh
index ee0e337..5d9aea5 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
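Review bot: The descriptions of the three new inputs do not say how they depend on each other, and the dependency is not obvious from the names: in entrypoint.sh the `vpc_subnet` and `vpc_network_tags` values are only read inside the `if [ -n "$INPUT_VPC_NETWORK" ]` branch, so either one is silently ignored when `vpc_network` is empty, and an empty `vpc_network` makes every deploy pass `--clear-network`. I would state that in the descriptions, e.g. `description: 'Name of the VPC subnet for direct VPC egress; ignored unless vpc_network is set'` and `description: 'Comma-separated network tags for direct VPC egress; ignored unless vpc_network is set'`, and mention in the `vpc_network` description that it clears any existing direct VPC network when left empty. The `vpc_egress` description in the context lines above still says it applies only when a vpc_connector is configured, but the script now also passes it for direct VPC egress, so it is worth rewording in the same change.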
@@ -149,6 +149,30 @@ if [ -n "$INPUT_VPC_CONNECTOR" ]; then
   fi
 fi
 
+# Network and Network Tags can/must be cleared. There is no --clear-subnet flag
+# At most one of --clear-network | --network --subnet --clear-network-tags | --network-tags can be specified
+VPC_NETWORK="--clear-network"
+VPC_SUBNET=""
+VPC_NETWORK_TAGS=""
+
+if [ -n "$INPUT_VPC_NETWORK" ]; then
+  VPC_NETWORK="--network=$INPUT_VPC_NETWORK"
+  VPC_NETWORK_TAGS="--clear-network-tags" # if VPC_NETWORK is set and NETWORK_TAGS is not
+
+  if [ -n "$INPUT_VPC_SUBNET" ]; then
+    VPC_SUBNET="--subnet=$INPUT_VPC_SUBNET"
+  fi
+
+  if [ -n "$INPUT_VPC_NETWORK_TAGS" ]; then
+    VPC_NETWORK_TAGS="--network-tags=$INPUT_VPC_NETWORK_TAGS"
+  fi
+
+  if [ -n "${INPUT_VPC_EGRESS}" ]; then
+    VPC_EGRESS="--vpc-egress=$INPUT_VPC_EGRESS"
+  fi
+
+fi
+
+
 INGRESS=""
 if [ -n "$INPUT_INGRESS" ]; then
   INGRESS="--ingress=$INPUT_INGRESS"
@@ -193,6 +217,7 @@ gcloud beta run deploy "$SERVICE_NAME" \
   $SERVICE_ACCOUNT \
   $CLOUDSQL_INSTANCES \
   $VPC_CONNECTOR $VPC_EGRESS \
+  $VPC_NETWORK $VPC_SUBNET $VPC_NETWORK_TAGS \
   $INGRESS \
   $EXECUTION_ENVIRONMENT \
   $ENV_VARS \
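Review bot: Nothing in the new block stops `vpc_network` and `vpc_connector` from both being set, in which case `--network=...` is sent together with the connector flags built in the block that ends just before the hunk; if gcloud rejects that combination the failure only shows up at deploy time, so a guard at the top of the block would fail earlier and more clearly, e.g. `if [ -n "$INPUT_VPC_NETWORK" ] && [ -n "$INPUT_VPC_CONNECTOR" ]; then echo "vpc_network and vpc_connector are mutually exclusive" >&2; exit 1; fi`. The default path emits `--clear-network` on every deploy, including services that only use a connector; I am not certain gcloud accepts `--clear-network` next to `--vpc-connector`, so that combination deserves a test before merging. The `VPC_EGRESS` assignment inside the branch cannot be skipped in practice, because action.yml defaults `vpc_egress` to `private-ranges-only`, and it presumably repeats the assignment made in the connector block above (that block starts outside the hunk), so the inner `if` could go. Like the existing flag variables, the new ones expand unquoted in the deploy command in the second hunk, so a value containing whitespace is split into extra gcloud arguments instead of being rejected; a one-line check that the three inputs contain no spaces would keep the command line predictable.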