From fd8f659a3ab3f1bd11e9b122bb47af0fbcfa33a5 Mon Sep 17 00:00:00 2001
From: Maciej Sikora
Date: Mon, 16 Jun 2025 14:58:31 +0200
Subject: [PATCH] docs && fmt
---
 modules/cloud-run-v2/README.md | 31 +++++++++++++++----------------
 modules/cloud-run-v2/service.tf | 4 ++--
 modules/cloud-run-v2/variables.tf | 8 ++++----
 3 files changed, 21 insertions(+), 22 deletions(-)
diff --git a/modules/cloud-run-v2/README.md b/modules/cloud-run-v2/README.md
index 91ef4887e..ac2408b23 100644
--- a/modules/cloud-run-v2/README.md
+++ b/modules/cloud-run-v2/README.md
@@ -813,9 +813,9 @@ module "cloud_run" {
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [name](variables.tf#L223) | Name used for Cloud Run service. | string | ✓ | |
-| [project_id](variables.tf#L238) | Project id used for all resources. | string | ✓ | |
-| [region](variables.tf#L243) | Region used for all resources. | string | ✓ | |
+| [name](variables.tf#L221) | Name used for Cloud Run service. | string | ✓ | |
+| [project_id](variables.tf#L236) | Project id used for all resources. | string | ✓ | |
+| [region](variables.tf#L241) | Region used for all resources. | string | ✓ | |
 | [containers](variables.tf#L17) | Containers in name => attributes format. | map(object({…})) | | {} |
 | [create_job](variables.tf#L80) | Create Cloud Run Job instead of Service. | bool | | false |
 | [custom_audiences](variables.tf#L86) | Custom audiences for service. | list(string) | | null |
@@ -823,19 +823,18 @@ module "cloud_run" {
 | [encryption_key](variables.tf#L98) | The full resource name of the Cloud KMS CryptoKey. | string | | null |
 | [eventarc_triggers](variables.tf#L104) | Event arc triggers for different sources. | object({…}) | | {} |
 | [iam](variables.tf#L122) | IAM bindings for Cloud Run service in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
-| [iap_enabled](variables.tf#L128) | <<-EOT Enables Identity-Aware Proxy (IAP) for this service. IAP can only be enabled for Cloud Run services (create_job = false). EOT | bool | | false |
-| [iap_http_resource_accessors_config](variables.tf#L142) | <<-EOT IAP HTTP resource accessors configuration. When authoritative_mode is true, the google_iap_web_cloud_run_service_iam_binding resource is used which replaces any existing IAM policy attached to the IAP web service. When authoritative_mode is false (default), the google_iap_web_cloud_run_service_iam_member resource is used which adds the IAM policies to the service. EOT | object({…}) | | null |
-| [ingress](variables.tf#L166) | Ingress settings. | string | | null |
-| [invoker_iam_disabled](variables.tf#L183) | Disables IAM permission check for run.routes.invoke for callers of this service. | bool | | false |
-| [labels](variables.tf#L189) | Resource labels. | map(string) | | {} |
-| [launch_stage](variables.tf#L195) | The launch stage as defined by Google Cloud Platform Launch Stages. | string | | null |
-| [managed_revision](variables.tf#L216) | Whether the Terraform module should control the deployment of revisions. | bool | | true |
-| [prefix](variables.tf#L228) | Optional prefix used for resource names. | string | | null |
-| [revision](variables.tf#L248) | Revision template configurations. | object({…}) | | {} |
-| [service_account](variables.tf#L287) | Service account email. Unused if service account is auto-created. | string | | null |
-| [service_account_create](variables.tf#L293) | Auto-create service account. | bool | | false |
-| [tag_bindings](variables.tf#L299) | Tag bindings for this service, in key => tag value id format. | map(string) | | {} |
-| [volumes](variables.tf#L306) | Named volumes in containers in name => attributes format. | map(object({…})) | | {} |
+| [iap_config](variables.tf#L128) | <<-EOT If present, it turns on Identity-Aware Proxy (IAP) for this service. iam (resource google_iap_web_cloud_run_service_iam_binding) - list of iam emails (e.g. "group:abc@domain.com") to be granted with iap.httpsResourceAccessor role. iam_additive (resource google_iap_web_cloud_run_service_iam_member ) - list of iam emails (e.g. "group:abc@domain.com") to be granted with iap.httpsResourceAccessor. iam and iam_additive are mutually exclusive. EOT | object({…}) | | null |
+| [ingress](variables.tf#L168) | Ingress settings. | string | | null |
+| [invoker_iam_disabled](variables.tf#L185) | Disables IAM permission check for run.routes.invoke for callers of this service. | bool | | false |
+| [labels](variables.tf#L191) | Resource labels. | map(string) | | {} |
+| [launch_stage](variables.tf#L197) | The launch stage as defined by Google Cloud Platform Launch Stages. | string | | null |
+| [managed_revision](variables.tf#L214) | Whether the Terraform module should control the deployment of revisions. | bool | | true |
+| [prefix](variables.tf#L226) | Optional prefix used for resource names. | string | | null |
+| [revision](variables.tf#L246) | Revision template configurations. | object({…}) | | {} |
+| [service_account](variables.tf#L285) | Service account email. Unused if service account is auto-created. | string | | null |
+| [service_account_create](variables.tf#L291) | Auto-create service account. | bool | | false |
+| [tag_bindings](variables.tf#L297) | Tag bindings for this service, in key => tag value id format. | map(string) | | {} |
+| [volumes](variables.tf#L304) | Named volumes in containers in name => attributes format. | map(object({…})) | | {} |
 | [vpc_connector_create](variables-vpcconnector.tf#L17) | Populate this to create a Serverless VPC Access connector. | object({…}) | | null |
 ## Outputs
diff --git a/modules/cloud-run-v2/service.tf b/modules/cloud-run-v2/service.tf
index 7451412c1..b93f2efe3 100644
--- a/modules/cloud-run-v2/service.tf
+++ b/modules/cloud-run-v2/service.tf
@@ -529,8 +529,8 @@ locals {
 iap_member_list = toset(coalesce(var.iap_config.iam_additive, []))
- use_iap_iam_binding = var.iap_config != null && var.iap_config.iam != null
- iap_binding_dict = local.use_iap_iam_binding ? { "iap" = var.iap_config.iam } : {}
+ use_iap_iam_binding = var.iap_config != null && var.iap_config.iam != null
+ iap_binding_dict = local.use_iap_iam_binding ? { "iap" = var.iap_config.iam } : {}
 }
diff --git a/modules/cloud-run-v2/variables.tf b/modules/cloud-run-v2/variables.tf
index a23d81eb4..8f507c54c 100644
--- a/modules/cloud-run-v2/variables.tf
+++ b/modules/cloud-run-v2/variables.tf
@@ -137,7 +137,7 @@ variable "iap_config" {
 iam_additive = optional(list(string))
 })
 default = null
-
+
 validation {
 condition = var.iap_config == null || (
 (var.iap_config.iam != null && var.iap_config.iam_additive == null) ||
@@ -145,7 +145,7 @@ variable "iap_config" {
 )
 error_message = "When iap_config is provided, exactly one of 'iam' or 'iam_additive' must be specified."
 }
-
+
 validation {
 condition = var.iap_config == null || (
 (var.iap_config.iam != null ? length(var.iap_config.iam) > 0 : true) &&
@@ -153,12 +153,12 @@ variable "iap_config" {
 )
 error_message = "When 'iam' or 'iam_additive' lists are provided in iap_config, they must not be empty."
 }
-
+
 validation {
 condition = var.iap_config == null || !var.create_job
 error_message = "IAP is only supported for Cloud Run services, not Cloud Run jobs. Set create_job to false when using iap_config."
 }
-
+
 validation {
 condition = var.iap_config == null || var.launch_stage != "GA"
 error_message = "iap is currently not supported in GA. Set launch_stage to 'BETA' or lower."