confluentinc · Bruno Dasilva (dasbruno) · Jul 15, 2025
@@ -11,27 +11,23 @@
 }
 
 resource "google_compute_address" "psc_endpoint_ip" {
-  for_each = var.subnet_name_by_zone
-
-  name         = "ccloud-endpoint-ip-${local.network_id}-${each.key}"
+  name         = "ccloud-endpoint-ip-${local.network_id}"
   subnetwork   = var.customer_subnetwork_name
   address_type = "INTERNAL"
 }
 
 # Private Service Connect endpoint
 resource "google_compute_forwarding_rule" "psc_endpoint_ilb" {
-  for_each = var.subnet_name_by_zone
-
-  name = "ccloud-endpoint-${local.network_id}-${each.key}"
+  name = "ccloud-endpoint-${local.network_id}"
 
-  target                = lookup(confluent_network.private-service-connect.gcp[0].private_service_connect_service_attachments, each.key, "\n\nerror: ${each.key} subnet is missing from CCN's Private Service Connect service attachments")
+  target                = var.privatelink_service_name
   load_balancing_scheme = "" # need to override EXTERNAL default when target is a service attachment
   network               = var.customer_vpc_network
-  ip_address            = google_compute_address.psc_endpoint_ip[each.key].id
+  ip_address            = google_compute_address.psc_endpoint_ip.id
 }
 
 # Private hosted zone for Private Service Connect endpoints
 resource "google_dns_managed_zone" "psc_endpoint_hz" {
  name     = "ccloud-endpoint-zone-${local.network_id}"
  dns_name = "${var.dns_domain}."

@@ -50,20 +46,7 @@
   ttl  = 60
 
   managed_zone = google_dns_managed_zone.psc_endpoint_hz.name
-  rrdatas = [
-    for zone, _ in var.subnet_name_by_zone : google_compute_address.psc_endpoint_ip[zone].address
-  ]
-}
-
-resource "google_dns_record_set" "psc_endpoint_zonal_rs" {
-  for_each = var.subnet_name_by_zone
-
-  name = "*.${each.key}.${google_dns_managed_zone.psc_endpoint_hz.dns_name}"
-  type = "A"
-  ttl  = 60
-
-  managed_zone = google_dns_managed_zone.psc_endpoint_hz.name
-  rrdatas      = [google_compute_address.psc_endpoint_ip[each.key].address]
+  rrdatas      = [google_compute_address.psc_endpoint_ip.address]
 }
 
 resource "google_compute_firewall" "allow-https-kafka" {

@@ -8,10 +8,6 @@ variable "customer_subnetwork_name" {
   type        = string
 }
 
-variable "subnet_name_by_zone" {
-  description = "A map of Zone to Subnet Name"
-  type        = map(string)
-}
 
 variable "dns_domain" {
   description = "The root DNS domain for the Private Link Attachment, for example, `pr123a.us-east-2.aws.confluent.cloud`"

@@ -64,11 +64,10 @@ resource "confluent_private_link_attachment" "pla" {
 
 module "private-service-connect" {
   source                   = "./gcp-private-service-connect-endpoint"
-  privatelink_service_name = confluent_private_link_attachment.pla.aws[0].vpc_endpoint_service_name
+  privatelink_service_name = confluent_private_link_attachment.pla.gcp[0].private_service_connect_service_attachment
   dns_domain               = confluent_private_link_attachment.pla.dns_domain
   customer_vpc_network     = var.customer_vpc_network
   customer_subnetwork_name = var.customer_subnetwork_name
-  subnet_name_by_zone      = var.subnet_name_by_zone
 }
 
 // 'app-manager' service account is required in this configuration to create 'orders' topic and grant ACLs

@@ -28,8 +28,3 @@ variable "customer_subnetwork_name" {
   description = "The subnetwork name to provision Private Service Connect endpoint to Confluent Cloud"
   type        = string
 }
-
-variable "subnet_name_by_zone" {
-  description = "A map of Zone to Subnet Name"
-  type        = map(string)
-}