regional-go-service: grant compute.networkUser to Cloud Run service

account.

This covers the case where the network may not be in the same project,
and the permission to use the network is not granted by the host project
run.serviceAgent role.

modules/regional-go-service/main.tf

@@ -155,3 +155,16 @@ resource "google_cloud_run_v2_service_iam_member" "public-services-are-unauthent
   role     = "roles/run.invoker"
   member   = "allUsers"
 }
+
+// Grant service account access to use subnet. This is typically granted with roles/run.serviceAgent,
+// but that role does not necessarily grant access if the network resides in another project.
+// See https://cloud.google.com/run/docs/configuring/vpc-direct-vpc#direct-vpc-service for more details.
+resource "google_compute_subnetwork_iam_member" "member" {
+  for_each = var.regions
+
+  project    = var.network-project ? var.network-project : var.project_id
+  region     = each.key
+  subnetwork = each.value.subnet
+  role       = "roles/compute.networkUser"
+  member     = "serviceAccount:${var.service_account}"
+}

modules/regional-go-service/variables.tf

@@ -88,3 +88,9 @@ variable "volumes" {
   }))
   default = []
 }
+
+variable "network-project" {
+  description = "The project in which the network and subnetworks reside. If not specified, var.project is used."
+  type        = string
+  default     = null
+}