diff --git a/modules/cloud-run-v2/README.md b/modules/cloud-run-v2/README.md
index ac2408b23..2ef6008eb 100644
--- a/modules/cloud-run-v2/README.md
+++ b/modules/cloud-run-v2/README.md
@@ -19,6 +19,7 @@ Cloud Run Services and Jobs, with support for IAM roles and Eventarc trigger cre
 - [Cloud Run Service Account](#cloud-run-service-account)
 - [Creating Cloud Run Jobs](#creating-cloud-run-jobs)
 - [Tag bindings](#tag-bindings)
+- [Tag bindings](#tag-bindings)
 - [Variables](#variables)
 - [Outputs](#outputs)
 - [Fixtures](#fixtures)
@@ -808,14 +809,43 @@ module "cloud_run" {
 }
 # tftest modules=2 resources=7
 ```
+
+## IAP Configuration
+
+IAP is only supported for service. Refer to the [Configure IAP directly on cloud run](https://cloud.google.com/run/docs/securing/identity-aware-proxy-cloud-run) documentation for details on usage.
+
+```hcl
+module "cloud_run" {
+  source = "./fabric/modules/cloud-run-v2"
+  project_id = var.project_id
+  name = "hello"
+  region = var.region
+  launch_stage = "BETA"
+  containers = {
+    hello = {
+      image = "us-docker.pkg.dev/cloudrun/container/hello"
+      env = {
+        VAR1 = "VALUE1"
+        VAR2 = "VALUE2"
+      }
+    }
+  }
+
+  iap_config = {
+    iam = ["group:abc@domain.com"]
+  }
+
+}
+# tftest modules=1 resources=2
+```
 
 ## Variables
 
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [name](variables.tf#L221) | Name used for Cloud Run service. | string | ✓ | |
-| [project_id](variables.tf#L236) | Project id used for all resources. | string | ✓ | |
-| [region](variables.tf#L241) | Region used for all resources. | string | ✓ | |
+| [name](variables.tf#L216) | Name used for Cloud Run service. | string | ✓ | |
+| [project_id](variables.tf#L231) | Project id used for all resources. | string | ✓ | |
+| [region](variables.tf#L236) | Region used for all resources. | string | ✓ | |
 | [containers](variables.tf#L17) | Containers in name => attributes format. | map(object({…})) | | {} |
 | [create_job](variables.tf#L80) | Create Cloud Run Job instead of Service. | bool | | false |
 | [custom_audiences](variables.tf#L86) | Custom audiences for service. | list(string) | | null |
@@ -823,18 +853,18 @@ module "cloud_run" {
 | [encryption_key](variables.tf#L98) | The full resource name of the Cloud KMS CryptoKey. | string | | null |
 | [eventarc_triggers](variables.tf#L104) | Event arc triggers for different sources. | object({…}) | | {} |
 | [iam](variables.tf#L122) | IAM bindings for Cloud Run service in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
-| [iap_config](variables.tf#L128) | <<-EOT If present, it turns on Identity-Aware Proxy (IAP) for this service. iam (resource google_iap_web_cloud_run_service_iam_binding) - list of iam emails (e.g. "group:abc@domain.com") to be granted with iap.httpsResourceAccessor role. iam_additive (resource google_iap_web_cloud_run_service_iam_member ) - list of iam emails (e.g. "group:abc@domain.com") to be granted with iap.httpsResourceAccessor. iam and iam_additive are mutually exclusive. EOT | object({…}) | | null |
-| [ingress](variables.tf#L168) | Ingress settings. | string | | null |
-| [invoker_iam_disabled](variables.tf#L185) | Disables IAM permission check for run.routes.invoke for callers of this service. | bool | | false |
-| [labels](variables.tf#L191) | Resource labels. | map(string) | | {} |
-| [launch_stage](variables.tf#L197) | The launch stage as defined by Google Cloud Platform Launch Stages. | string | | null |
-| [managed_revision](variables.tf#L214) | Whether the Terraform module should control the deployment of revisions. | bool | | true |
-| [prefix](variables.tf#L226) | Optional prefix used for resource names. | string | | null |
-| [revision](variables.tf#L246) | Revision template configurations. | object({…}) | | {} |
-| [service_account](variables.tf#L285) | Service account email. Unused if service account is auto-created. | string | | null |
-| [service_account_create](variables.tf#L291) | Auto-create service account. | bool | | false |
-| [tag_bindings](variables.tf#L297) | Tag bindings for this service, in key => tag value id format. | map(string) | | {} |
-| [volumes](variables.tf#L304) | Named volumes in containers in name => attributes format. | map(object({…})) | | {} |
+| [iap_config](variables.tf#L128) | If present, turns on Identity-Aware Proxy (IAP) for the Cloud Run service. | object({…}) | | null |
+| [ingress](variables.tf#L163) | Ingress settings. | string | | null |
+| [invoker_iam_disabled](variables.tf#L180) | Disables IAM permission check for run.routes.invoke for callers of this service. | bool | | false |
+| [labels](variables.tf#L186) | Resource labels. | map(string) | | {} |
+| [launch_stage](variables.tf#L192) | The launch stage as defined by Google Cloud Platform Launch Stages. | string | | null |
+| [managed_revision](variables.tf#L209) | Whether the Terraform module should control the deployment of revisions. | bool | | true |
+| [prefix](variables.tf#L221) | Optional prefix used for resource names. | string | | null |
+| [revision](variables.tf#L241) | Revision template configurations. | object({…}) | | {} |
+| [service_account](variables.tf#L280) | Service account email. Unused if service account is auto-created. | string | | null |
+| [service_account_create](variables.tf#L286) | Auto-create service account. | bool | | false |
+| [tag_bindings](variables.tf#L292) | Tag bindings for this service, in key => tag value id format. | map(string) | | {} |
+| [volumes](variables.tf#L299) | Named volumes in containers in name => attributes format. | map(object({…})) | | {} |
 | [vpc_connector_create](variables-vpcconnector.tf#L17) | Populate this to create a Serverless VPC Access connector. | object({…}) | | null |
 
 ## Outputs
diff --git a/modules/cloud-run-v2/variables.tf b/modules/cloud-run-v2/variables.tf
index d6528192b..b289f4062 100644
--- a/modules/cloud-run-v2/variables.tf
+++ b/modules/cloud-run-v2/variables.tf
@@ -126,12 +126,7 @@ variable "iam" {
 }
 
 variable "iap_config" {
-  description = <<-EOT
-    If present, it turns on Identity-Aware Proxy (IAP) for this service.
-    iam (resource google_iap_web_cloud_run_service_iam_binding) - list of iam emails (e.g. "group:abc@domain.com") to be granted with iap.httpsResourceAccessor role.
-    iam_additive (resource google_iap_web_cloud_run_service_iam_member ) - list of iam emails (e.g. "group:abc@domain.com") to be granted with iap.httpsResourceAccessor.
-    iam and iam_additive are mutually exclusive.
-  EOT
+  description = "If present, turns on Identity-Aware Proxy (IAP) for the Cloud Run service."
   type = object({
     iam = optional(list(string))
     iam_additive = optional(list(string))
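Review bot: The replacement `description` on the `+` line loses the access-control semantics the removed heredoc documented, and nothing else in the hunk carries them: which resource each attribute maps to (`google_iap_web_cloud_run_service_iam_binding` for `iam`, `google_iap_web_cloud_run_service_iam_member` for `iam_additive`), that both grant `roles/iap.httpsResourceAccessor`, and that the two attributes are mutually exclusive. That distinction is the security-relevant part: as the resource names indicate, `iam` is an authoritative binding that replaces every other member of that role on the service, while `iam_additive` only adds members, so a reader of the generated README can no longer tell that populating `iam` may silently revoke IAP access granted outside this module. I would keep a multi-line description that states, for each attribute, the backing resource, the role granted and the authoritative-versus-additive effect, and that ends with the mutual-exclusivity rule. If the rest of the `variable "iap_config"` block, which ends outside this hunk, has no `validation` enforcing that rule, add one whose condition is `var.iap_config == null || var.iap_config.iam == null || var.iap_config.iam_additive == null` with an error message naming both attributes, so a misconfiguration fails at plan time instead of relying on prose.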