hunfabric/modules/cloud-run

Cloud Run Module

Cloud Run management, with support for IAM roles and optional Eventarc trigger creation.

Examples

Environment variables

This deploys a Cloud Run service and sets some environment variables.

module "cloud_run" {
  source     = "./modules/cloud-run"
  project_id = "my-project"
  name       = "hello"
  containers = [{
    image   = "us-docker.pkg.dev/cloudrun/container/hello"
    options = {
      command = null
      args    = null
      env     = {
        "VAR1": "VALUE1",
        "VAR2": "VALUE2",
      }
      env_from = null
    }
    ports = null
    resources = null
    volume_mounts = null
  }]
}
# tftest:modules=1:resources=1

Environment variables (value read from secret)

module "cloud_run" {
  source     = "./modules/cloud-run"
  project_id = "my-project"
  name       = "hello"
  containers = [{
    image = "us-docker.pkg.dev/cloudrun/container/hello"
    options = {
      command   = null
      args      = null
      env       = null
      env_from  = {
        "CREDENTIALS": {
          name = "credentials"
          key = "1"
        }
      }
    }
    ports = null
    resources = null
    volume_mounts = null
  }]
}
# tftest:modules=1:resources=1

Secret mounted as volume

module "cloud_run" {
  source     = "./modules/cloud-run"
  project_id = var.project_id
  name       = "hello"
  region     = var.region
  revision_name = "green"
  containers = [{
    image         = "us-docker.pkg.dev/cloudrun/container/hello"
    options       = null
    ports         = null
    resources     = null
    volume_mounts = {
      "credentials": "/credentials"
    }
  }]
  volumes = [
    {
      name = "credentials"
      secret_name = "credentials"
      items = [{
        key = "1"
        path = "v1.txt"
      }]
    }
  ]
}
# tftest:modules=1:resources=1

Traffic split

This deploys a Cloud Run service with traffic split between two revisions.

module "cloud_run" {
  source     = "./modules/cloud-run"
  project_id = "my-project"
  name       = "hello"
  revision_name = "green"
  containers = [{
    image         = "us-docker.pkg.dev/cloudrun/container/hello"
    options       = null
    ports         = null
    resources     = null
    volume_mounts = null
  }]
  traffic = {
    "blue" = 25
    "green" = 75
  }
}
# tftest:modules=1:resources=1

Eventarc trigger (Pub/Sub)

This deploys a Cloud Run service that will be triggered when messages are published to Pub/Sub topics.

module "cloud_run" {
  source     = "./modules/cloud-run"
  project_id = "my-project"
  name       = "hello"
  containers = [{
    image         = "us-docker.pkg.dev/cloudrun/container/hello"
    options       = null
    ports         = null
    resources     = null
    volume_mounts = null
  }]
  pubsub_triggers = [
    "topic1",
    "topic2"
  ]
}
# tftest:modules=1:resources=3

Eventarc trigger (Audit logs)

This deploys a Cloud Run service that will be triggered when specific log events are written to Google Cloud audit logs.

module "cloud_run" {
  source     = "./modules/cloud-run"
  project_id = "my-project"
  name       = "hello"
  containers = [{
    image         = "us-docker.pkg.dev/cloudrun/container/hello"
    options       = null
    ports         = null
    resources     = null
    volume_mounts = null
  }]
  audit_log_triggers = [
    {
      service_name  = "cloudresourcemanager.googleapis.com"
      method_name   = "SetIamPolicy"
    }
  ]
}
# tftest:modules=1:resources=2

Service account management

To use a custom service account managed by the module, set service_account_create to true and leave service_account set to null value (default).

module "cloud_run" {
  source     = "./modules/cloud-run"
  project_id = "my-project"
  name       = "hello"
  containers = [{
    image         = "us-docker.pkg.dev/cloudrun/container/hello"
    options       = null
    ports         = null
    resources     = null
    volume_mounts = null
  }]
  service_account_create = true
}
# tftest:modules=1:resources=2

To use an externally managed service account, pass its email in service_account and leave service_account_create to false (the default).

module "cloud_run" {
  source     = "./modules/cloud-run"
  project_id = "my-project"
  name       = "hello"
  containers = [{
    image         = "us-docker.pkg.dev/cloudrun/container/hello"
    options       = null
    ports         = null
    resources     = null
    volume_mounts = null
  }]
  service_account = "cloud-run@my-project.iam.gserviceaccount.com"
}
# tftest:modules=1:resources=1

Variables

name	description	type	required	default
containers	Containers	list(object({...}))	✓
name	Name used for cloud run service	string	✓
project_id	Project id used for all resources.	string	✓
audit_log_triggers	Event arc triggers (Audit log)	list(object({...}))		null
iam	IAM bindings for Cloud Run service in {ROLE => [MEMBERS]} format.	map(list(string))		{}
ingress_settings	Ingress settings	string		null
labels	Resource labels	map(string)		{}
prefix	Optional prefix used for resource names.	string		null
pubsub_triggers	Eventarc triggers (Pub/Sub)	list(string)		null
region	Region used for all resources.	string		europe-west1
revision_name	Revision name	string		null
service_account	Service account email. Unused if service account is auto-created.	string		null
service_account_create	Auto-create service account.	bool		false
traffic	Traffic	map(number)		null
volumes	Volumes	list(object({...}))		null
vpc_connector	None	object({...})		null
vpc_connector_config	VPC connector network configuration. Must be provided if new VPC connector is being created	object({...})		null

Outputs

name	description	sensitive
service	Cloud Run service
service_account	Service account resource.
service_account_email	Service account email.
service_account_iam_email	Service account email.
service_name	Cloud Run service name
vpc_connector	VPC connector resource if created.