Add Cloud Run Worker Pools

Refactor jobs and services parameters into separte variables Remove prefix (not needed, namespace is local to the project)
2025-08-10 19:58:03 +00:00
parent f02aa1f63f
commit b5cc01c598
14 changed files with 974 additions and 353 deletions
--- a/modules/cloud-run-v2/variables.tf
+++ b/modules/cloud-run-v2/variables.tf
@@ -77,18 +77,6 @@ variable "containers" {
  nullable = false
 }

-variable "create_job" {
-  description = "Create Cloud Run Job instead of Service."
-  type        = bool
-  default     = false
-}
-
-variable "custom_audiences" {
-  description = "Custom audiences for service."
-  type        = list(string)
-  default     = null
-}
-
 variable "deletion_protection" {
  description = "Deletion protection setting for this Cloud Run service."
  type        = string
@@ -101,80 +89,25 @@ variable "encryption_key" {
  default     = null
 }

-variable "eventarc_triggers" {
-  description = "Event arc triggers for different sources."
-  type = object({
-    audit_log = optional(map(object({
-      method  = string
-      service = string
-    })))
-    pubsub = optional(map(string))
-    storage = optional(map(object({
-      bucket = string
-      path   = optional(string)
-    })))
-    service_account_email  = optional(string)
-    service_account_create = optional(bool, false)
-  })
-  default = {}
-  validation {
-    condition     = var.eventarc_triggers.audit_log == null || (var.eventarc_triggers.audit_log != null && (var.eventarc_triggers.service_account_email != null || var.eventarc_triggers.service_account_create))
-    error_message = "When setting var.eventarc_triggers.audit_log provide either service_account_email or set service_account_create to true"
-  }
-}
-
 variable "iam" {
  description = "IAM bindings for Cloud Run service in {ROLE => [MEMBERS]} format."
  type        = map(list(string))
  default     = {}
 }

-variable "iap_config" {
-  description = "If present, turns on Identity-Aware Proxy (IAP) for the Cloud Run service."
+variable "job_config" {
+  description = "Cloud Run Job specific configuration."
  type = object({
-    iam          = optional(list(string), [])
-    iam_additive = optional(list(string), [])
+    max_retries = optional(number)
+    task_count  = optional(number)
+    timeout     = optional(string)
  })
-  default = null
-
+  default  = {}
+  nullable = false
  validation {
-    condition = !(length(try(var.iap_config.iam, [])) > 0 && length(try(var.iap_config.iam_additive, [])) > 0)
-
-    error_message = "Providing both 'iam' and 'iam_additive' in iap_config is not supported."
+    condition     = var.job_config.timeout == null ? true : endswith(var.job_config.timeout, "s")
+    error_message = "Timeout should follow format of number with up to nine fractional digits, ending with 's'. Example: '3.5s'."
  }
-
-  validation {
-    condition     = var.iap_config == null || !var.create_job
-    error_message = "IAP is only supported for Cloud Run services, not Cloud Run jobs. Set create_job to false when using iap_config."
-  }
-
-  validation {
-    condition     = var.iap_config == null || var.launch_stage != "GA"
-    error_message = "iap is currently not supported in GA. Set launch_stage to 'BETA' or lower."
-  }
-}
-
-variable "ingress" {
-  description = "Ingress settings."
-  type        = string
-  default     = null
-  validation {
-    condition = (
-      var.ingress == null ? true : contains(
-        ["INGRESS_TRAFFIC_ALL", "INGRESS_TRAFFIC_INTERNAL_ONLY",
-      "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"], var.ingress)
-    )
-    error_message = <<EOF
-    Ingress should be one of INGRESS_TRAFFIC_ALL, INGRESS_TRAFFIC_INTERNAL_ONLY,
-    INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER.
-    EOF
-  }
-}
-
-variable "invoker_iam_disabled" {
-  description = "Disables IAM permission check for run.routes.invoke for callers of this service."
-  type        = bool
-  default     = false
 }

 variable "labels" {
@@ -212,16 +145,6 @@ variable "name" {
  type        = string
 }

-variable "prefix" {
-  description = "Optional prefix used for resource names."
-  type        = string
-  default     = null
-  validation {
-    condition     = var.prefix != ""
-    error_message = "Prefix cannot be empty, please use null instead."
-  }
-}
-
 variable "project_id" {
  description = "Project id used for all resources."
  type        = string
@@ -235,16 +158,8 @@ variable "region" {
 variable "revision" {
  description = "Revision template configurations."
  type = object({
-    labels                     = optional(map(string))
-    name                       = optional(string)
-    gen2_execution_environment = optional(bool)
-    max_concurrency            = optional(number)
-    max_instance_count         = optional(number)
-    min_instance_count         = optional(number)
-    job = optional(object({
-      max_retries = optional(number)
-      task_count  = optional(number)
-    }), {})
+    labels = optional(map(string))
+    name   = optional(string)
    vpc_access = optional(object({
      connector = optional(string)
      egress    = optional(string)
@@ -256,6 +171,31 @@ variable "revision" {
  })
  default  = {}
  nullable = false
+  validation {
+    condition     = !contains(keys(var.revision), "gen2_execution_environment")
+    error_message = "Field gen2_execution_environment moved to var.service_config."
+  }
+  validation {
+    condition     = !contains(keys(var.revision), "max_concurrency")
+    error_message = "Field max_concurrency moved to var.service_config."
+  }
+  validation {
+    condition     = !contains(keys(var.revision), "max_concurrency")
+    error_message = "Field max_concurrency moved to var.service_config."
+  }
+  validation {
+    condition     = !contains(keys(var.revision), "max_instance_count")
+    error_message = "Field max_instance_count moved to var.service_config."
+  }
+  validation {
+    condition     = !contains(keys(var.revision), "min_instance_count")
+    error_message = "Field min_instance_count moved to var.service_config."
+  }
+  validation {
+    condition     = !contains(keys(var.revision), "job")
+    error_message = "Field job moved to var.job_config."
+  }
+
  validation {
    condition = (
      try(var.revision.vpc_access.egress, null) == null ? true : contains(
@@ -283,6 +223,70 @@ variable "service_account_create" {
  default     = false
 }

+variable "service_config" {
+  description = "Cloud Run service specific configuration options."
+  type = object({
+    custom_audiences = optional(list(string), null)
+    eventarc_triggers = optional(
+      object({
+        audit_log = optional(map(object({
+          method  = string
+          service = string
+        })))
+        pubsub = optional(map(string))
+        storage = optional(map(object({
+          bucket = string
+          path   = optional(string)
+        })))
+        service_account_email  = optional(string)
+        service_account_create = optional(bool, false)
+    }), {})
+    gen2_execution_environment = optional(bool, false)
+    iap_config = optional(object({
+      iam          = optional(list(string), [])
+      iam_additive = optional(list(string), [])
+    }), null)
+    ingress              = optional(string, null)
+    invoker_iam_disabled = optional(bool, false)
+    max_concurrency      = optional(number)
+    scaling = optional(object({
+      max_instance_count = optional(number)
+      min_instance_count = optional(number)
+    }))
+    timeout = optional(string)
+  })
+  default  = {}
+  nullable = false
+
+  validation {
+    condition     = var.service_config.eventarc_triggers.audit_log == null || (var.service_config.eventarc_triggers.audit_log != null && (var.service_config.eventarc_triggers.service_account_email != null || var.service_config.eventarc_triggers.service_account_create))
+    error_message = "When setting var.eventarc_triggers.audit_log provide either service_account_email or set service_account_create to true"
+  }
+
+  validation {
+    condition     = !(length(try(var.service_config.iap_config.iam, [])) > 0 && length(try(var.service_config.iap_config.iam_additive, [])) > 0)
+    error_message = "Providing both 'iam' and 'iam_additive' in iap_config is not supported."
+  }
+
+  validation {
+    condition     = var.service_config.iap_config == null || var.launch_stage != "GA"
+    error_message = "iap is currently not supported in GA. Set launch_stage to 'BETA' or lower."
+  }
+
+  validation {
+    condition = (
+      var.service_config.ingress == null ? true : contains(
+        ["INGRESS_TRAFFIC_ALL", "INGRESS_TRAFFIC_INTERNAL_ONLY",
+      "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"], var.service_config.ingress)
+    )
+    error_message = <<EOF
+    Ingress should be one of INGRESS_TRAFFIC_ALL, INGRESS_TRAFFIC_INTERNAL_ONLY,
+    INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER.
+    EOF
+  }
+}
+
+
 variable "tag_bindings" {
  description = "Tag bindings for this service, in key => tag value id format."
  type        = map(string)
@@ -290,6 +294,16 @@ variable "tag_bindings" {
  default     = {}
 }

+variable "type" {
+  description = "Type of Cloud Run resource to deploy: JOB, SERVICE or WORKERPOOL."
+  type        = string
+  default     = "SERVICE"
+  validation {
+    condition     = contains(["JOB", "WORKERPOOL", "SERVICE"], var.type)
+    error_message = "Allowed values for var.type are: 'JOB', 'SERVICE', 'WORKERPOOL'"
+  }
+}
+
 variable "volumes" {
  description = "Named volumes in containers in name => attributes format."
  type = map(object({
@@ -323,3 +337,17 @@ variable "volumes" {
    error_message = "Only one type of volume can be defined at a time."
  }
 }
+
+variable "workerpool_config" {
+  description = "Cloud Run Worker Pool specific configuration."
+  type = object({
+    scaling = optional(object({
+      manual_instance_count = optional(number)
+      max_instance_count    = optional(number)
+      min_instance_count    = optional(number)
+      mode                  = optional(string)
+    }))
+  })
+  default  = {}
+  nullable = false
+}