Files

Jason Steenblik 90360c591e Add confidential compute support to google_dataproc_cluster in the da… (#2736 )

* Add confidential compute support to google_dataproc_cluster in the dataproc module

* fix parent id lookup for networking and security stages (#2744)

* Add optional automated MD5 generation in net-vlan-attachment module (#2745)

* Bump path-to-regexp and express in /blueprints/gke/binauthz/image (#2749)

Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) to 0.1.12 and updates ancestor dependency [express](https://github.com/expressjs/express). These dependencies need to be updated together.


Updates `path-to-regexp` from 0.1.10 to 0.1.12
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](https://github.com/pillarjs/path-to-regexp/compare/v0.1.10...v0.1.12)

Updates `express` from 4.21.1 to 4.21.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md)
- [Commits](https://github.com/expressjs/express/compare/4.21.1...4.21.2)

---
updated-dependencies:
- dependency-name: path-to-regexp
  dependency-type: indirect
- dependency-name: express
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add ability to autogenerate md5 keys in net-vpn-ha (#2748)

* Add ability to optionally generate MD5 secrets in VPN module

* Add ability to autogenerate MD5 keys in net-vpn-ha module

* restore missing output

* fix test counts

---------

Co-authored-by: Luca Prete <lucaprete@google.com>
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>

* update changelog

* Bump path-to-regexp and express (#2752)

Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) and [express](https://github.com/expressjs/express). These dependencies needed to be updated together.

Updates `path-to-regexp` from 0.1.10 to 0.1.12
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](https://github.com/pillarjs/path-to-regexp/compare/v0.1.10...v0.1.12)

Updates `express` from 4.21.1 to 4.21.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md)
- [Commits](https://github.com/expressjs/express/compare/4.21.1...4.21.2)

---
updated-dependencies:
- dependency-name: path-to-regexp
  dependency-type: indirect
- dependency-name: express
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* add support for routing mode to net-swp module (#2751)

Co-authored-by: Julio Castillo <jccb@google.com>

* remove default location in tag value - cloud-run-v2 tags.tf (#2755)

The Parent resource has a default to europe-west1 when it should be for the resource block from where the cloud run actually is.

Changed to use the var.region instead

* Add path_template_match and path_template_rewrite support to net-lb-app-ext (required for React apps for example).

* Add rest of load balancers.

* Add path_template_match and path_template_rewrite support to internal load balancers

* Add disk encyption key to the google_compute_instance_template - Sovereign support (#2750)

* add disk encyption key to the google_compute_instance_template

* add a condition to the kms_key_self_link

* use dynamic variable for disk_encryption_key

* remove the getpip from the repo

---------

Co-authored-by: Julio Castillo <jccb@google.com>
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>

* Add support for password validation policy to cloudsql module (#2740)

* add support for password validation policy to cloudsql module

* fix defaults

* update changelog

* bump provider version constraint

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
Co-authored-by: Luca Prete <preteluca@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Luca Prete <lucaprete@google.com>
Co-authored-by: Julio Castillo <jccb@google.com>
Co-authored-by: Matthew Callinan <47421139+Mattible@users.noreply.github.com>
Co-authored-by: Taneli Leppä <taneli@google.com>
Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com>
Co-authored-by: Kovács Dávid <david-kovacs@t-systems.com>

2024-12-10 16:39:48 +01:00

main.tf

Add tflint to pipelines (#2220 )

2024-04-17 10:23:48 +02:00

outputs.tf

Add tflint to pipelines (#2220 )

2024-04-17 10:23:48 +02:00

README.md

Fix e2e testsss for cloud run

2024-09-10 12:04:39 +02:00

tags.tf

Extend support for tag bindings to more modules (#2307 )

2024-05-25 10:42:45 +02:00

variables.tf

Extend support for tag bindings to more modules (#2307 )

2024-05-25 10:42:45 +02:00

versions.tf

Add confidential compute support to google_dataproc_cluster in the da… (#2736 )

2024-12-10 16:39:48 +01:00

README.md

Cloud Run Module

Cloud Run management, with support for IAM roles, revision annotations and optional Eventarc trigger creation.

IAM and environment variables
Mounting secrets as volumes
Revision annotations
Second generation execution environment
VPC Access Connector creation
Traffic split
Eventarc triggers
Service account
Tag bindings
Variables
Outputs

IAM and environment variables

IAM bindings support the usual syntax. Container environment values can be declared as key-value strings or as references to Secret Manager secrets. Both can be combined as long as there's no duplication of keys:


module "secret-manager" {
  source     = "./fabric/modules/secret-manager"
  project_id = var.project_id
  secrets = {
    credentials = {}
  }
  iam = {
    credentials = {
      "roles/secretmanager.secretAccessor" = [module.cloud_run.service_account_iam_email]
    }
  }
}

module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
      env = {
        VAR1 = "VALUE1"
        VAR2 = "VALUE2"
      }
      env_from = {
        SECRET1 = {
          name = module.secret-manager.ids["credentials"]
          key  = "latest"
        }
      }
    }
  }
  iam = {
    "roles/run.invoker" = ["allUsers"]
  }
  service_account_create = true
}
# tftest modules=2 resources=5 inventory=simple.yaml e2e

Mounting secrets as volumes

module "secret-manager" {
  source     = "./fabric/modules/secret-manager"
  project_id = var.project_id
  secrets = {
    credentials = {}
  }
  versions = {
    credentials = {
      v1 = { enabled = true, data = "foo bar baz" }
    }
  }
  iam = {
    credentials = {
      "roles/secretmanager.secretAccessor" = [module.cloud_run.service_account_iam_email]
    }
  }
}


module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  name       = "hello"
  region     = var.region
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
      volume_mounts = {
        "credentials" = "/credentials"
      }
    }
  }
  service_account_create = true
  volumes = {
    credentials = {
      name        = module.secret-manager.secrets["credentials"].name
      secret_name = "credentials" # TODO: module.secret-manager.secrets["credentials"].name
      items = {
        latest = { path = "v1.txt" }
      }
    }
  }
}
# tftest modules=2 resources=5 inventory=secrets.yaml e2e

Revision annotations

Annotations can be specified via the revision_annotations variable:

module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  revision_annotations = {
    autoscaling = {
      max_scale = 10
      min_scale = 1
    }
    cloudsql_unstances  = ["sql-0", "sql-1"]
    vpcaccess_connector = "foo"
    vpcaccess_egress    = "all-traffic"
  }
}
# tftest modules=1 resources=1 inventory=revision-annotations.yaml

Second generation execution environment

Second generation execution environment (gen2) can be enabled by setting the gen2_execution_environment variable to true:

module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  gen2_execution_environment = true
}
# tftest modules=1 resources=1 inventory=gen2.yaml e2e

VPC Access Connector creation

If creation of a VPC Access Connector is required, use the vpc_connector_create variable which also support optional attributes for number of instances, machine type, and throughput (not shown here). The annotation to use the connector will be added automatically.

module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  vpc_connector_create = {
    ip_cidr_range = "10.10.10.0/28"
    throughput = {
      max = 300
      min = 200
    }
    vpc_self_link = var.vpc.self_link
  }
}
# tftest modules=1 resources=2 inventory=connector.yaml e2e

Note that if you are using Shared VPC you need to specify a subnet:

module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  vpc_connector_create = {
    subnet = {
      name       = "subnet-vpc-access"
      project_id = "host-project"
    }
  }
}
# tftest modules=1 resources=2 inventory=connector-shared.yaml

Traffic split

This deploys a Cloud Run service with traffic split between two revisions.

module "cloud_run" {
  source        = "./fabric/modules/cloud-run"
  project_id    = var.project_id
  region        = var.region
  name          = "hello"
  revision_name = "green"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  traffic = {
    blue  = { percent = 25 }
    green = { percent = 75 }
  }
}
# tftest modules=1 resources=1 inventory=traffic.yaml

Eventarc triggers

PubSub

This deploys a Cloud Run service that will be triggered when messages are published to Pub/Sub topics.

module "pubsub" {
  source     = "./fabric/modules/pubsub"
  project_id = var.project_id
  name       = "pubsub_sink"
}

module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  eventarc_triggers = {
    pubsub = {
      topic-1 = module.pubsub.id
    }
  }
}
# tftest modules=2 resources=3 inventory=eventarc.yaml e2e

Audit logs

This deploys a Cloud Run service that will be triggered when specific log events are written to Google Cloud audit logs.

module "sa" {
  source     = "./fabric/modules/iam-service-account"
  project_id = var.project_id
  name       = "eventarc-trigger"
  iam_project_roles = {
    (var.project_id) = ["roles/eventarc.eventReceiver"]
  }
}

module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  eventarc_triggers = {
    audit_log = {
      setiampolicy = {
        method  = "SetIamPolicy"
        service = "cloudresourcemanager.googleapis.com"
      }
    }
    service_account_email = module.sa.email
  }
  iam = {
    "roles/run.invoker" = [module.sa.iam_email]
  }
}
# tftest modules=2 resources=5 inventory=audit-logs.yaml

Using custom service accounts for triggers

By default Compute default service account is used to trigger Cloud Run. If you want to use custom Service Account you can either provide your own in eventarc_triggers.service_account_email or set eventarc_triggers.service_account_create to true and service account named tf-cr-trigger-${var.name} will be created with roles/run.invoker granted on this Cloud Run service.

For example using provided service account refer to Audit logs example.

Example using automatically created service account:

module "pubsub" {
  source     = "./fabric/modules/pubsub"
  project_id = var.project_id
  name       = "pubsub_sink"
}

module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  eventarc_triggers = {
    pubsub = {
      topic-1 = module.pubsub.id
    }
    service_account_create = true
  }
}
# tftest modules=2 resources=5 inventory=trigger-service-account.yaml e2e

Service account

To use a custom service account managed by the module, set service_account_create to true and leave service_account set to null value (default).

module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  service_account_create = true
}
# tftest modules=1 resources=2 inventory=service-account.yaml e2e

To use an externally managed service account, pass its email in service_account and leave service_account_create to false (the default).

module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  service_account = var.service_account.email
}
# tftest modules=1 resources=1 inventory=service-account-external.yaml e2e

Tag bindings

Refer to the Creating and managing tags documentation for details on usage.

module "org" {
  source          = "./fabric/modules/organization"
  organization_id = var.organization_id
  tags = {
    environment = {
      description = "Environment specification."
      values = {
        dev     = {}
        prod    = {}
        sandbox = {}
      }
    }
  }
}

module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  tag_bindings = {
    env-sandbox = module.org.tag_values["environment/sandbox"].id
  }
}
# tftest modules=2 resources=6

Variables

name	description	type	required	default
name	Name used for cloud run service.	`string`	✓
project_id	Project id used for all resources.	`string`	✓
region	Region used for all resources.	`string`	✓
container_concurrency	Maximum allowed in-flight (concurrent) requests per container of the revision.	`string`		`null`
containers	Containers in arbitrary key => attributes format.	`map(object({…}))`		`{}`
eventarc_triggers	Event arc triggers for different sources.	`object({…})`		`{}`
gen2_execution_environment	Use second generation execution environment.	`bool`		`false`
iam	IAM bindings for Cloud Run service in {ROLE => [MEMBERS]} format.	`map(list(string))`		`{}`
ingress_settings	Ingress settings.	`string`		`null`
labels	Resource labels.	`map(string)`		`{}`
prefix	Optional prefix used for resource names.	`string`		`null`
revision_annotations	Configure revision template annotations.	`object({…})`		`{}`
revision_name	Revision name.	`string`		`null`
service_account	Service account email. Unused if service account is auto-created.	`string`		`null`
service_account_create	Auto-create service account.	`bool`		`false`
startup_cpu_boost	Enable startup cpu boost.	`bool`		`false`
tag_bindings	Tag bindings for this service, in key => tag value id format.	`map(string)`		`{}`
timeout_seconds	Maximum duration the instance is allowed for responding to a request.	`number`		`null`
traffic	Traffic steering configuration. If revision name is null the latest revision will be used.	`map(object({…}))`		`{}`
volumes	Named volumes in containers in name => attributes format.	`map(object({…}))`		`{}`
vpc_connector_create	Populate this to create a VPC connector. You can then refer to it in the template annotations.	`object({…})`		`null`

Outputs

name	description	sensitive
id	Fully qualified service id.
service	Cloud Run service.
service_account	Service account resource.
service_account_email	Service account email.
service_account_iam_email	Service account email.
service_name	Cloud Run service name.
vpc_connector	VPC connector resource if created.