90360c591e
* Add confidential compute support to google_dataproc_cluster in the dataproc module * fix parent id lookup for networking and security stages (#2744) * Add optional automated MD5 generation in net-vlan-attachment module (#2745) * Bump path-to-regexp and express in /blueprints/gke/binauthz/image (#2749) Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) to 0.1.12 and updates ancestor dependency [express](https://github.com/expressjs/express). These dependencies need to be updated together. Updates `path-to-regexp` from 0.1.10 to 0.1.12 - [Release notes](https://github.com/pillarjs/path-to-regexp/releases) - [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md) - [Commits](https://github.com/pillarjs/path-to-regexp/compare/v0.1.10...v0.1.12) Updates `express` from 4.21.1 to 4.21.2 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md) - [Commits](https://github.com/expressjs/express/compare/4.21.1...4.21.2) --- updated-dependencies: - dependency-name: path-to-regexp dependency-type: indirect - dependency-name: express dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add ability to autogenerate md5 keys in net-vpn-ha (#2748) * Add ability to optionally generate MD5 secrets in VPN module * Add ability to autogenerate MD5 keys in net-vpn-ha module * restore missing output * fix test counts --------- Co-authored-by: Luca Prete <lucaprete@google.com> Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com> * update changelog * Bump path-to-regexp and express (#2752) Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) and [express](https://github.com/expressjs/express). These dependencies needed to be updated together. Updates `path-to-regexp` from 0.1.10 to 0.1.12 - [Release notes](https://github.com/pillarjs/path-to-regexp/releases) - [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md) - [Commits](https://github.com/pillarjs/path-to-regexp/compare/v0.1.10...v0.1.12) Updates `express` from 4.21.1 to 4.21.2 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md) - [Commits](https://github.com/expressjs/express/compare/4.21.1...4.21.2) --- updated-dependencies: - dependency-name: path-to-regexp dependency-type: indirect - dependency-name: express dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * add support for routing mode to net-swp module (#2751) Co-authored-by: Julio Castillo <jccb@google.com> * remove default location in tag value - cloud-run-v2 tags.tf (#2755) The Parent resource has a default to europe-west1 when it should be for the resource block from where the cloud run actually is. Changed to use the var.region instead * Add path_template_match and path_template_rewrite support to net-lb-app-ext (required for React apps for example). * Add rest of load balancers. * Add path_template_match and path_template_rewrite support to internal load balancers * Add disk encyption key to the google_compute_instance_template - Sovereign support (#2750) * add disk encyption key to the google_compute_instance_template * add a condition to the kms_key_self_link * use dynamic variable for disk_encryption_key * remove the getpip from the repo --------- Co-authored-by: Julio Castillo <jccb@google.com> Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com> * Add support for password validation policy to cloudsql module (#2740) * add support for password validation policy to cloudsql module * fix defaults * update changelog * bump provider version constraint --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com> Co-authored-by: Luca Prete <preteluca@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Luca Prete <lucaprete@google.com> Co-authored-by: Julio Castillo <jccb@google.com> Co-authored-by: Matthew Callinan <47421139+Mattible@users.noreply.github.com> Co-authored-by: Taneli Leppä <taneli@google.com> Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com> Co-authored-by: Kovács Dávid <david-kovacs@t-systems.com>
Cloud Run Module
Cloud Run Services and Jobs, with support for IAM roles and Eventarc trigger creation. This module uses provider default value for deletion_protection, which means service is by default protected from removal (or reprovisioning).
- IAM and environment variables
- Mounting secrets as volumes
- Mounting GCS buckets
- Connecting to Cloud SQL database
- Direct VPC Egress
- VPC Access Connector
- Using Customer-Managed Encryption Key
- Eventarc triggers
- Cloud Run Service Account
- Creating Cloud Run Jobs
- Tag bindings
- Variables
- Outputs
- Fixtures
IAM and environment variables
IAM bindings support the usual syntax. Container environment values can be declared as key-value strings or as references to Secret Manager secrets. Both can be combined as long as there is no duplication of keys:
module "cloud_run" {
source = "./fabric/modules/cloud-run-v2"
project_id = var.project_id
name = "hello"
region = var.region
containers = {
hello = {
image = "us-docker.pkg.dev/cloudrun/container/hello"
env = {
VAR1 = "VALUE1"
VAR2 = "VALUE2"
}
env_from_key = {
SECRET1 = {
secret = module.secret-manager.secrets["credentials"].name
version = module.secret-manager.version_versions["credentials:v1"]
}
}
}
}
iam = {
"roles/run.invoker" = ["allUsers"]
}
deletion_protection = false
}
# tftest modules=2 resources=5 fixtures=fixtures/secret-credentials.tf inventory=service-iam-env.yaml e2e
Mounting secrets as volumes
module "cloud_run" {
source = "./fabric/modules/cloud-run-v2"
project_id = var.project_id
name = "hello"
region = var.region
containers = {
hello = {
image = "us-docker.pkg.dev/cloudrun/container/hello"
volume_mounts = {
"credentials" = "/credentials"
}
}
}
volumes = {
credentials = {
secret = {
name = module.secret-manager.secrets["credentials"].id
path = "my-secret"
version = "latest" # TODO: should be optional, but results in API error
}
}
}
deletion_protection = false
}
# tftest modules=2 resources=4 fixtures=fixtures/secret-credentials.tf inventory=service-volume-secretes.yaml e2e
Mounting GCS buckets
module "cloud_run" {
source = "./fabric/modules/cloud-run-v2"
project_id = var.project_id
name = "hello"
region = var.region
containers = {
hello = {
image = "us-docker.pkg.dev/cloudrun/container/hello"
volume_mounts = {
bucket = "/bucket"
}
}
}
revision = {
gen2_execution_environment = true
}
volumes = {
bucket = {
gcs = {
bucket = var.bucket
is_read_only = false
mount_options = [ # Beta feature
"metadata-cache-ttl-secs=120s",
"type-cache-max-size-mb=4",
]
}
}
}
deletion_protection = false
}
# tftest inventory=gcs-mount.yaml e2e
Connecting to Cloud SQL database
module "cloud_run" {
source = "./fabric/modules/cloud-run-v2"
project_id = var.project_id
region = var.region
name = "hello"
containers = {
hello = {
image = "us-docker.pkg.dev/cloudrun/container/hello"
volume_mounts = {
cloudsql = "/cloudsql"
}
}
}
volumes = {
"cloudsql" = {
cloud_sql_instances = [module.cloudsql-instance.connection_name]
}
}
deletion_protection = false
}
# tftest fixtures=fixtures/cloudsql-instance.tf inventory=cloudsql.yaml e2e
Direct VPC Egress
module "cloud_run" {
source = "./fabric/modules/cloud-run-v2"
project_id = var.project_id
name = "hello"
region = var.region
containers = {
hello = {
image = "us-docker.pkg.dev/cloudrun/container/hello"
}
}
revision = {
gen2_execution_environment = true
max_instance_count = 20
vpc_access = {
egress = "ALL_TRAFFIC"
subnet = var.subnet.name
tags = ["tag1", "tag2", "tag3"]
}
}
deletion_protection = false
}
# tftest modules=1 resources=1 inventory=service-direct-vpc.yaml e2e
VPC Access Connector
You can use an existing VPC Access Connector to connect to a VPC from Cloud Run.
module "cloud_run" {
source = "./fabric/modules/cloud-run-v2"
project_id = var.project_id
region = var.region
name = "hello"
containers = {
hello = {
image = "us-docker.pkg.dev/cloudrun/container/hello"
}
}
revision = {
vpc_access = {
connector = google_vpc_access_connector.connector.id
egress = "ALL_TRAFFIC"
}
}
deletion_protection = false
}
# tftest modules=1 resources=2 fixtures=fixtures/vpc-connector.tf inventory=service-vpc-access-connector.yaml e2e
If creation of the VPC Access Connector is required, use the vpc_connector_create variable which also supports optional attributes like number of instances, machine type, or throughput. The connector will be used automatically.
module "cloud_run" {
source = "./fabric/modules/cloud-run-v2"
project_id = var.project_id
region = var.region
name = "hello"
containers = {
hello = {
image = "us-docker.pkg.dev/cloudrun/container/hello"
}
}
vpc_connector_create = {
ip_cidr_range = "10.10.10.0/28"
network = var.vpc.self_link
instances = {
max = 10
min = 3
}
}
deletion_protection = false
}
# tftest modules=1 resources=2 inventory=service-vpc-access-connector-create.yaml e2e
Note that if you are using a Shared VPC for the connector, you need to specify a subnet and the host project if this is not where the Cloud Run service is deployed.
module "cloud_run" {
source = "./fabric/modules/cloud-run-v2"
project_id = module.project-service.project_id
region = var.region
name = "hello"
containers = {
hello = {
image = "us-docker.pkg.dev/cloudrun/container/hello"
}
}
vpc_connector_create = {
machine_type = "e2-standard-4"
subnet = {
name = module.net-vpc-host.subnets["${var.region}/fixture-subnet-28"].name
project_id = module.project-host.project_id
}
throughput = {
max = 300
min = 200
}
}
deletion_protection = false
}
# tftest modules=4 resources=55 fixtures=fixtures/shared-vpc.tf inventory=service-vpc-access-connector-create-sharedvpc.yaml e2e
Using Customer-Managed Encryption Key
Deploy a Cloud Run service with environment variables encrypted using a Customer-Managed Encryption Key (CMEK). Ensure you specify the encryption_key with the full resource identifier of your Cloud KMS CryptoKey and that Cloud Run Service agent (service-<PROJECT_NUMBER>@serverless-robot-prod.iam.gserviceaccount.com) has permission to use the key, for example roles/cloudkms.cryptoKeyEncrypterDecrypter IAM role. This setup adds an extra layer of security by utilizing your own encryption keys.
module "project" {
source = "./fabric/modules/project"
name = "cloudrun"
billing_account = var.billing_account_id
prefix = var.prefix
parent = var.folder_id
services = [
"cloudkms.googleapis.com",
"run.googleapis.com",
]
}
module "kms" {
source = "./fabric/modules/kms"
project_id = module.project.project_id
keyring = {
location = var.region
name = "keyring"
}
keys = {
"key-regional" = {
}
}
iam = {
"roles/cloudkms.cryptoKeyEncrypterDecrypter" = [
module.project.service_agents.run.iam_email
]
}
}
module "cloud_run" {
source = "./fabric/modules/cloud-run-v2"
project_id = module.project.project_id
region = var.region
name = "hello"
encryption_key = module.kms.keys.key-regional.id
containers = {
hello = {
image = "us-docker.pkg.dev/cloudrun/container/hello"
}
}
deletion_protection = false
}
# tftest modules=3 resources=11 e2e
Eventarc triggers
PubSub
This deploys a Cloud Run service that will be triggered when messages are published to Pub/Sub topics.
module "cloud_run" {
source = "./fabric/modules/cloud-run-v2"
project_id = var.project_id
region = var.region
name = "hello"
containers = {
hello = {
image = "us-docker.pkg.dev/cloudrun/container/hello"
}
}
eventarc_triggers = {
pubsub = {
topic-1 = module.pubsub.topic.name
}
}
deletion_protection = false
}
# tftest modules=2 resources=4 fixtures=fixtures/pubsub.tf inventory=service-eventarc-pubsub.yaml e2e
Audit logs
This deploys a Cloud Run service that will be triggered when specific log events are written to Google Cloud audit logs.
module "cloud_run" {
source = "./fabric/modules/cloud-run-v2"
project_id = var.project_id
region = var.region
name = "hello"
containers = {
hello = {
image = "us-docker.pkg.dev/cloudrun/container/hello"
}
}
eventarc_triggers = {
audit_log = {
setiampolicy = {
method = "SetIamPolicy"
service = "cloudresourcemanager.googleapis.com"
}
}
service_account_create = true
}
deletion_protection = false
}
# tftest modules=1 resources=4 inventory=service-eventarc-auditlogs-sa-create.yaml
Using custom service accounts for triggers
By default Compute default service account is used to trigger Cloud Run. If you want to use custom Service Accounts you can either provide your own in eventarc_triggers.service_account_email or set eventarc_triggers.service_account_create to true and service account named tf-cr-trigger-${var.name} will be created with roles/run.invoker granted on this Cloud Run service.
Example using provided service account:
module "cloud_run" {
source = "./fabric/modules/cloud-run-v2"
project_id = var.project_id
region = var.region
name = "hello"
containers = {
hello = {
image = "us-docker.pkg.dev/cloudrun/container/hello"
}
}
eventarc_triggers = {
audit_log = {
setiampolicy = {
method = "SetIamPolicy"
service = "cloudresourcemanager.googleapis.com"
}
}
service_account_email = "cloud-run-trigger@my-project.iam.gserviceaccount.com"
}
}
# tftest modules=1 resources=2 inventory=service-eventarc-auditlogs-external-sa.yaml
Example using automatically created service account:
module "cloud_run" {
source = "./fabric/modules/cloud-run-v2"
project_id = var.project_id
region = var.region
name = "hello"
containers = {
hello = {
image = "us-docker.pkg.dev/cloudrun/container/hello"
}
}
eventarc_triggers = {
pubsub = {
topic-1 = module.pubsub.topic.name
}
service_account_create = true
}
deletion_protection = false
}
# tftest modules=2 resources=6 fixtures=fixtures/pubsub.tf inventory=service-eventarc-pubsub-sa-create.yaml e2e
Cloud Run Service Account
To use a custom service account managed by the module, set service_account_create to true and leave service_account set to null (default).
module "cloud_run" {
source = "./fabric/modules/cloud-run-v2"
project_id = var.project_id
region = var.region
name = "hello"
containers = {
hello = {
image = "us-docker.pkg.dev/cloudrun/container/hello"
}
}
service_account_create = true
deletion_protection = false
}
# tftest modules=1 resources=2 inventory=service-sa-create.yaml e2e
To use an externally managed service account, use its email in service_account and leave service_account_create to false (default).
module "cloud_run" {
source = "./fabric/modules/cloud-run-v2"
project_id = var.project_id
region = var.region
name = "hello"
containers = {
hello = {
image = "us-docker.pkg.dev/cloudrun/container/hello"
}
}
service_account = module.iam-service-account.email
deletion_protection = false
}
# tftest modules=2 resources=2 fixtures=fixtures/iam-service-account.tf inventory=service-external-sa.yaml e2e
Creating Cloud Run Jobs
To create a job instead of service set create_job to true. Jobs support all functions above apart from triggers.
Unsupported variables / attributes:
- ingress
- revision.gen2_execution_environment (they run by default in gen2)
- revision.name
- containers.liveness_probe
- containers.startup_probe
- containers.resources.cpu_idle
- containers.resources.startup_cpu_boost
module "cloud_run" {
source = "./fabric/modules/cloud-run-v2"
project_id = var.project_id
name = "hello"
region = var.region
create_job = true
containers = {
hello = {
image = "us-docker.pkg.dev/cloudrun/container/hello"
env = {
VAR1 = "VALUE1"
VAR2 = "VALUE2"
}
}
}
iam = {
"roles/run.invoker" = ["group:${var.group_email}"]
}
deletion_protection = false
}
# tftest modules=1 resources=2 inventory=job-iam-env.yaml e2e
Tag bindings
Tag bindings are not yet supported for jobs. Refer to the Creating and managing tags documentation for details on usage.
module "org" {
source = "./fabric/modules/organization"
organization_id = var.organization_id
tags = {
environment = {
description = "Environment specification."
values = {
dev = {}
prod = {}
sandbox = {}
}
}
}
}
module "cloud_run" {
source = "./fabric/modules/cloud-run-v2"
project_id = var.project_id
name = "hello"
region = var.region
containers = {
hello = {
image = "us-docker.pkg.dev/cloudrun/container/hello"
env = {
VAR1 = "VALUE1"
VAR2 = "VALUE2"
}
}
}
iam = {
"roles/run.invoker" = ["allUsers"]
}
tag_bindings = {
env-sandbox = module.org.tag_values["environment/sandbox"].id
}
}
# tftest modules=2 resources=7
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| name | Name used for Cloud Run service. | string |
✓ | |
| project_id | Project id used for all resources. | string |
✓ | |
| region | Region used for all resources. | string |
✓ | |
| containers | Containers in name => attributes format. | map(object({…})) |
{} |
|
| create_job | Create Cloud Run Job instead of Service. | bool |
false |
|
| custom_audiences | Custom audiences for service. | list(string) |
null |
|
| deletion_protection | Deletion protection setting for this Cloud Run service. | string |
null |
|
| encryption_key | The full resource name of the Cloud KMS CryptoKey. | string |
null |
|
| eventarc_triggers | Event arc triggers for different sources. | object({…}) |
{} |
|
| iam | IAM bindings for Cloud Run service in {ROLE => [MEMBERS]} format. | map(list(string)) |
{} |
|
| ingress | Ingress settings. | string |
null |
|
| labels | Resource labels. | map(string) |
{} |
|
| launch_stage | The launch stage as defined by Google Cloud Platform Launch Stages. | string |
null |
|
| prefix | Optional prefix used for resource names. | string |
null |
|
| revision | Revision template configurations. | object({…}) |
{} |
|
| service_account | Service account email. Unused if service account is auto-created. | string |
null |
|
| service_account_create | Auto-create service account. | bool |
false |
|
| tag_bindings | Tag bindings for this service, in key => tag value id format. | map(string) |
{} |
|
| volumes | Named volumes in containers in name => attributes format. | map(object({…})) |
{} |
|
| vpc_connector_create | Populate this to create a Serverless VPC Access connector. | object({…}) |
null |
Outputs
| name | description | sensitive |
|---|---|---|
| id | Fully qualified job or service id. | |
| job | Cloud Run Job. | |
| service | Cloud Run Service. | |
| service_account | Service account resource. | |
| service_account_email | Service account email. | |
| service_account_iam_email | Service account email. | |
| service_name | Cloud Run service name. | |
| service_uri | Main URI in which the service is serving traffic. | |
| vpc_connector | VPC connector resource if created. |