A Terraform module for creating and managing Google Cloud Run with optional Custom Domain Mapping.
This module supports Terraform version 1 and is compatible with the Terraform Google Provider version 4.
This module is part of our Infrastructure as Code (IaC) framework that enables our users and customers to easily deploy and manage reusable, secure, and production-grade cloud infrastructure.
- Module Features
- Getting Started
- Module Argument Reference
- Module Outputs
- External Documentation
- Module Versioning
- About Mineiros
- Reporting Issues
- Contributing
- Makefile Targets
- License
This module implements the following Terraform resources
google_cloud_run_service
google_cloud_run_domain_mapping
and supports additional features of the following modules:
Most common usage of the module:
module "terraform-google-cloud-run" {
source = "github.com/mineiros-io/terraform-google-cloud-run?ref=v0.2.1"
name = "example-name"
location = "us-central1"
template = {
spec = {
containers = [
{
image = "gcr.io/cloudrun/hello:latest"
}
]
}
}
}
See variables.tf and examples/ for details and use-cases.
-
name
: (Requiredstring
)Name must be unique within a namespace, within a Cloud Run region. Is required when creating resources. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated.
-
location
: (Requiredstring
)The location of the cloud run instance. eg
us-central1
. -
project
: (Optionalstring
)The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
-
autogenerate_revision_name
: (Optionalbool
)If set to
true
, the revision name (template.metadata.name
) will be omitted and autogenerated by Cloud Run. This cannot be set to true whiletemplate.metadata.name
is also set. (For legacy support, iftemplate.metadata.name
is unset in state while this field is set tofalse
, the revision name will still autogenerate.). -
template
: (Optionalobject(template)
)A template holds the latest specification for the Revision to be stamped out. The template references the container image, and may also include labels and annotations that should be attached to the Revision. To correlate a Revision, and/or to force a Revision to be created when the spec doesn't otherwise change, a nonce label may be provided in the template metadata.
Default is
{}
.The
template
object accepts the following attributes:-
metadata
: (Optionalobject(metadata)
)Optional metadata for this Revision, including labels and annotations. Name will be generated by the Configuration. To set minimum instances for this revision, use the
autoscaling.knative.dev/minScale
annotation key. To set maximum instances for this revision, use theautoscaling.knative.dev/maxScale
annotation key. To set Cloud SQL connections for the revision, use therun.googleapis.com/cloudsql-instances
annotation key.Default is
{}
.The
metadata
object accepts the following attributes:-
name
: (Optionalstring
)Name must be unique within a namespace, within a Cloud Run region. Is required when creating resources. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names
-
namespace
: (Optionalstring
)In Cloud Run the namespace must be equal to either the project ID or project number. It will default to the resource's project.
-
labels
: (Optionalmap(string)
)Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and routes. More info: http://kubernetes.io/docs/user-guide/labels
-
annotations
: (Optionalmap(string)
)Annotations is a key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. More info: http://kubernetes.io/docs/user-guide/annotations Note: The Cloud Run API may add additional annotations that were not provided in your config. If terraform plan shows a diff where a server-side annotation is added, you can add it to your config or apply the
lifecycle.ignore_changes
rule to themetadata.0.annotations
field.
-
-
spec
: (Requiredobject(spec)
)RevisionSpec holds the desired state of the Revision (from the client).
The
spec
object accepts the following attributes:-
container_concurrency
: (Optionalnumber
)ContainerConcurrency specifies the maximum allowed in-flight (concurrent) requests per container of the Revision. Values are:
- 0 thread-safe, the system should manage the max concurrency. This is the default value.
- 1 not-thread-safe. Single concurrency
- 2-N thread-safe, max concurrency of N
-
timeout_seconds
: (Optionalnumber
)TimeoutSeconds holds the max duration the instance is allowed for responding to a request.
-
service_account_name
: (Optionalstring
)Email address of the IAM service account associated with the revision of the service. The service account represents the identity of the running revision, and determines what permissions the revision has. If not provided, the revision will use the project's default service account.
-
containers
: (Requiredlist(container)
)Container defines the unit of execution for this Revision. In the context of a Revision, we disallow a number of the fields of this Container, including: name, ports, and volumeMounts. The runtime contract is documented here: https://github.com/knative/serving/blob/master/docs/runtime-contract.md
Each
container
object in the list accepts the following attributes:-
args
: (Optionallist(string)
)Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references
$(VAR_NAME)
are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The$(VAR_NAME)
syntax can be escaped with a double$$
, ie:$$(VAR_NAME)
. Escaped references will never be expanded, regardless of whether the variable exists or not. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell -
image
: (Requiredstring
)Docker image name. This is most often a reference to a container located in the container registry, such as
gcr.io/cloudrun/helloMore
info: https://kubernetes.io/docs/concepts/containers/images -
command
: (Optionallist(string)
)Entrypoint array. Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references
$(VAR_NAME)
are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The$(VAR_NAME)
syntax can be escaped with a double$$
, ie:$$(VAR_NAME)
. Escaped references will never be expanded, regardless of whether the variable exists or not. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell -
env
: (Optionalobject(env)
)List of environment variables to set in the container.
Default is
{}
.The
env
object accepts the following attributes:-
name
: (Optionalstring
)Name of the environment variable.
-
value
: (Optionalstring
)Variable references
$(VAR_NAME)
are expanded using the previous defined environment variables in the container and any route environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The$(VAR_NAME)
syntax can be escaped with a double$$
, ie:$$(VAR_NAME)
. Escaped references will never be expanded, regardless of whether the variable exists or not. -
value_from
: (Optionalobject(value_from)
)Source for the environment variable's value. Only supports
secret_key_ref
.The
value_from
object accepts the following attributes:-
secret_key_ref
: (Requiredobject(secret_key_ref)
)Selects a key (version) of a secret in Secret Manager.
The
secret_key_ref
object accepts the following attributes:-
key
: (Optionalstring
)A Cloud Secret Manager secret version. Must be
"latest"
for the latest version or an integer for a specific version. -
name
: (Optionalstring
)The name of the secret in Cloud Secret Manager. By default, the secret is assumed to be in the same project. If the secret is in another project, you must define an alias. You set the in this field, and create an annotation with the following structure
"run.googleapis.com/secrets" = ":projects//secrets/"
. If multiple alias definitions are needed, they must be separated by commas in the annotation field.
-
-
-
-
ports
: (Optionallist(port)
)List of open ports in the container. More Info: https://cloud.google.com/run/docs/reference/rest/v1/RevisionSpec#ContainerPort
Default is
[]
.Each
port
object in the list accepts the following attributes:-
name
: (Optionalstring
)Name of the port.
-
protocol
: (Optionalstring
)Protocol used on port.
-
container_port
: (Requirednumber
)Port number.
-
-
resources
: (Optionalobject(resource)
)Compute Resources required by this container. Used to set values such as max memory More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
Default is
{}
.The
resource
object accepts the following attributes:-
limits
: (Optionalmap(string)
)Limits describes the maximum amount of compute resources allowed. The values of the map is string form of the 'quantity' k8s type: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apimachinery/pkg/api/resource/quantity.go
-
requests
: (Optionalmap(string)
)Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. The values of the map is string form of the 'quantity' k8s type: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apimachinery/pkg/api/resource/quantity.go
-
-
-
-
-
traffic
: (Optionallist(traffic)
)A list of traffic specifies how to distribute traffic over a collection of Knative Revisions and Configurations Structure.
Default is
[]
.Each
traffic
object in the list accepts the following attributes:-
revision_name
: (Optionalstring
)RevisionName of a specific revision to which to send this portion of traffic.
-
percent
: (Requirednumber
)Percent specifies percent of the traffic to this Revision or Configuration.
-
latest_revision
: (Optionalbool
)LatestRevision may be optionally provided to indicate that the latest ready Revision of the Configuration should be used for this traffic target. When provided LatestRevision must be
true
ifRevisionName
is empty; it must befalse
whenRevisionName
is non-empty.
-
-
metadata
: (Optionalobject(metadata)
)Optional metadata for this Revision, including labels and annotations. Name will be generated by the Configuration. To set minimum instances for this revision, use the
autoscaling.knative.dev/minScale
annotation key. To set maximum instances for this revision, use theautoscaling.knative.dev/maxScale
annotation key. To set Cloud SQL connections for the revision, use therun.googleapis.com/cloudsql-instances
annotation key.Default is
{}
.The
metadata
object accepts the following attributes:-
namespace
: (Optionalstring
)In Cloud Run the namespace must be equal to either the project ID or project number. It will default to the resource's project.
-
labels
: (Optionalmap(string)
)Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and routes. More info: http://kubernetes.io/docs/user-guide/labels
-
generation
: (Optionalnumber
)A sequence number representing a specific generation of the desired state.
-
resource_version
: (Optionalstring
)An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. They may only be valid for a particular resource or set of resources. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency
-
self_link
: (Optionalstring
)SelfLink is a URL representing this object.
-
uid
: (Optionalstring
)UID is a unique id generated by the server on successful creation of a resource and is not allowed to change on PUT operations. More info: http://kubernetes.io/docs/user-guide/identifiers#uids
-
annotations
: (Optionalmap(string)
)Annotations is a key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. More info: http://kubernetes.io/docs/user-guide/annotations Note: The Cloud Run API may add additional annotations that were not provided in your config. If terraform plan shows a diff where a server-side annotation is added, you can add it to your config or apply the
lifecycle.ignore_changes
rule to themetadata.0.annotations
field.
-
-
domain_mapping
: (Optionalobject(domain_mapping)
)An Object that holds the state and status of a user's domain mapping.
The
domain_mapping
object accepts the following attributes:-
spec
: (Optionalobject(spec)
)RevisionSpec holds the desired state of the Revision (from the client).
Default is
{}
.The
spec
object accepts the following attributes:-
force_override
: (Optionalbool
)If set, the mapping will override any mapping set before this spec was set. It is recommended that the user leaves this empty to receive an error warning about a potential conflict and only set it once the respective UI has given such a warning.
-
certificate_mode
: (Optionalstring
)The mode of the certificate. Possible values are
NONE
andAUTOMATIC
.Default is
"AUTOMATIC"
.
-
-
metadata
: (Optionalobject(metadata)
)Optional metadata for this Revision, including labels and annotations. Name will be generated by the Configuration. To set minimum instances for this revision, use the
autoscaling.knative.dev/minScale
annotation key. To set maximum instances for this revision, use theautoscaling.knative.dev/maxScale
annotation key. To set Cloud SQL connections for the revision, use therun.googleapis.com/cloudsql-instances
annotation key.Default is
{}
.The
metadata
object accepts the following attributes:-
namespace
: (Optionalstring
)In Cloud Run the namespace must be equal to either the project ID or project number. It will default to the resource's project.
-
labels
: (Optionalmap(string)
)Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and routes. More info: http://kubernetes.io/docs/user-guide/labels
-
generation
: (Optionalnumber
)A sequence number representing a specific generation of the desired state.
-
resource_version
: (Optionalstring
)An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. They may only be valid for a particular resource or set of resources. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency
-
self_link
: (Optionalstring
)SelfLink is a URL representing this object.
-
uid
: (Optionalstring
)UID is a unique id generated by the server on successful creation of a resource and is not allowed to change on PUT operations. More info: http://kubernetes.io/docs/user-guide/identifiers#uids
-
annotations
: (Optionalmap(string)
)Annotations is a key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. More info: http://kubernetes.io/docs/user-guide/annotations Note: The Cloud Run API may add additional annotations that were not provided in your config. If terraform plan shows a diff where a server-side annotation is added, you can add it to your config or apply the
lifecycle.ignore_changes
rule to themetadata.0.annotations
field.
-
-
-
iam
: (Optionallist(iam)
)A list of IAM access to apply to the created secret.
Default is
[]
.Each
iam
object in the list accepts the following attributes:-
role
: (Optionalstring
)The role that should be applied. Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}
. -
members
: (Optionalset(string)
)Identities that will be granted the privilege in role. Each entry can have one of the following values:
allUsers
: A special identifier that represents anyone who is on the internet; with or without a Google account.allAuthenticatedUsers
: A special identifier that represents anyone who is authenticated with a Google account or a service account.user:{emailid}
: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.serviceAccount:{emailid}
: An email address that represents a service account. For example,my-other-app@appspot.gserviceaccount.com
.group:{emailid}
: An email address that represents a Google group. For example,admins@example.com
.domain:{domain}
: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.projectOwner:projectid
: Owners of the given project. For example,projectOwner:my-example-project
projectEditor:projectid
: Editors of the given project. For example,projectEditor:my-example-project
projectViewer:projectid
: Viewers of the given project. For example,projectViewer:my-example-project
-
authoritative
: (Optionalbool
)Whether to exclusively set (authoritative mode) or add (non-authoritative/additive mode) members to the role.
Default is
true
.
-
-
policy_bindings
: (Optionallist(policy_binding)
)A list of IAM policy bindings.
Example:
policy_bindings = [{ role = "roles/viewer" members = ["user:member@example.com"] }]
Each
policy_binding
object in the list accepts the following attributes:-
role
: (Requiredstring
)The role that should be applied.
-
members
: (Optionalset(string)
)Identities that will be granted the privilege in
role
.Default is
var.members
. -
condition
: (Optionalobject(condition)
)An IAM Condition for a given binding.
Example:
condition = { expression = "request.time < timestamp(\"2022-01-01T00:00:00Z\")" title = "expires_after_2021_12_31" }
The
condition
object accepts the following attributes:-
expression
: (Requiredstring
)Textual representation of an expression in Common Expression Language syntax.
-
title
: (Requiredstring
)A title for the expression, i.e. a short string describing its purpose.
-
description
: (Optionalstring
)An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
-
-
-
module_enabled
: (Optionalbool
)Specifies whether resources in the module will be created.
Default is
true
. -
module_timeouts
: (Optionalobject(module_timeouts)
)A map of timeout objects that is keyed by Terraform resource name defining timeouts for
create
,update
anddelete
Terraform operations.Supported resources are:
google_cloud_run_service
,google_cloud_run_domain_mapping
Default is
{}
.Example:
module_timeouts = { null_resource = { create = "4m" update = "4m" delete = "4m" } }
The
module_timeouts
object accepts the following attributes: -
module_depends_on
: (Optionallist(dependency)
)A list of dependencies. Any object can be assigned to this list to define a hidden external dependency.
Default is
[]
.Example:
module_depends_on = [ null_resource.name ]
The following attributes are exported in the outputs of the module:
-
iam
: (list(iam)
)The iam resource objects that define the access to the secret.
-
service
: (object(service)
)All
google_cloud_run_service
resource attributes. -
domain_mapping
: (object(domain_mapping)
)All
google_cloud_run_domain_mapping
resource attributes. -
module_enabled
: (bool
)Whether this module is enabled.
- Cloud Run - https://cloud.google.com/run/docs/
- Mapping Custom Domains - https://cloud.google.com/run/docs/mapping-custom-domains
- Run Services - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_service
- Domain Mapping - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_domain_mapping
This Module follows the principles of Semantic Versioning (SemVer).
Given a version number MAJOR.MINOR.PATCH
, we increment the:
MAJOR
version when we make incompatible changes,MINOR
version when we add functionality in a backwards compatible manner, andPATCH
version when we make backwards compatible bug fixes.
- Backwards compatibility in versions
0.0.z
is not guaranteed whenz
is increased. (Initial development) - Backwards compatibility in versions
0.y.z
is not guaranteed wheny
is increased. (Pre-release)
Mineiros is a remote-first company headquartered in Berlin, Germany that solves development, automation and security challenges in cloud infrastructure.
Our vision is to massively reduce time and overhead for teams to manage and deploy production-grade and secure cloud infrastructure.
We offer commercial support for all of our modules and encourage you to reach out if you have any questions or need help. Feel free to email us at hello@mineiros.io or join our Community Slack channel.
We use GitHub Issues to track community reported issues and missing features.
Contributions are always encouraged and welcome! For the process of accepting changes, we use Pull Requests. If you'd like more information, please see our Contribution Guidelines.
This repository comes with a handy Makefile.
Run make help
to see details on each available target.
This module is licensed under the Apache License Version 2.0, January 2004. Please see LICENSE for full details.
Copyright © 2020-2022 Mineiros GmbH