Merge pull request #1870 from GoogleCloudPlatform/wiktorn-cloudrun-vpc-connector
* End to end tests for Cloud Run * fix reporting of a non-empty plan after apply in E2E tests * fix non-empty plan in Cloud Run for subnet and annotations Closes: #1867
commit
c642c13a31
|
@ -26,6 +26,20 @@ Cloud Run management, with support for IAM roles, revision annotations and optio
|
|||
IAM bindings support the usual syntax. Container environment values can be declared as key-value strings or as references to Secret Manager secrets. Both can be combined as long as there's no duplication of keys:
|
||||
|
||||
```hcl
|
||||
|
||||
module "secret-manager" {
|
||||
source = "./fabric/modules/secret-manager"
|
||||
project_id = var.project_id
|
||||
secrets = {
|
||||
credentials = {}
|
||||
}
|
||||
iam = {
|
||||
credentials = {
|
||||
"roles/secretmanager.secretAccessor" = [module.cloud_run.service_account_iam_email]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "cloud_run" {
|
||||
source = "./fabric/modules/cloud-run"
|
||||
project_id = var.project_id
|
||||
|
@ -39,8 +53,8 @@ module "cloud_run" {
|
|||
}
|
||||
env_from = {
|
||||
SECRET1 = {
|
||||
name = "credentials"
|
||||
key = "1"
|
||||
name = module.secret-manager.ids["credentials"]
|
||||
key = "latest"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -48,13 +62,33 @@ module "cloud_run" {
|
|||
iam = {
|
||||
"roles/run.invoker" = ["allUsers"]
|
||||
}
|
||||
service_account_create = true
|
||||
}
|
||||
# tftest modules=1 resources=2 inventory=simple.yaml e2e
|
||||
# tftest modules=2 resources=5 inventory=simple.yaml e2e
|
||||
```
|
||||
|
||||
### Mounting secrets as volumes
|
||||
|
||||
```hcl
|
||||
module "secret-manager" {
|
||||
source = "./fabric/modules/secret-manager"
|
||||
project_id = var.project_id
|
||||
secrets = {
|
||||
credentials = {}
|
||||
}
|
||||
versions = {
|
||||
credentials = {
|
||||
v1 = { enabled = true, data = "foo bar baz" }
|
||||
}
|
||||
}
|
||||
iam = {
|
||||
credentials = {
|
||||
"roles/secretmanager.secretAccessor" = [module.cloud_run.service_account_iam_email]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
module "cloud_run" {
|
||||
source = "./fabric/modules/cloud-run"
|
||||
project_id = var.project_id
|
||||
|
@ -68,17 +102,18 @@ module "cloud_run" {
|
|||
}
|
||||
}
|
||||
}
|
||||
service_account_create = true
|
||||
volumes = {
|
||||
credentials = {
|
||||
name = "credentials"
|
||||
secret_name = "credentials"
|
||||
name = module.secret-manager.secrets["credentials"].name
|
||||
secret_name = "credentials" # TODO: module.secret-manager.secrets["credentials"].name
|
||||
items = {
|
||||
v1 = { path = "v1.txt" }
|
||||
latest = { path = "v1.txt" }
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=1 inventory=secrets.yaml
|
||||
# tftest modules=2 resources=5 inventory=secrets.yaml e2e
|
||||
```
|
||||
|
||||
### Revision annotations
|
||||
|
@ -124,7 +159,7 @@ module "cloud_run" {
|
|||
}
|
||||
gen2_execution_environment = true
|
||||
}
|
||||
# tftest modules=1 resources=1 inventory=gen2.yaml
|
||||
# tftest modules=1 resources=1 inventory=gen2.yaml e2e
|
||||
```
|
||||
|
||||
### VPC Access Connector creation
|
||||
|
@ -142,11 +177,11 @@ module "cloud_run" {
|
|||
}
|
||||
}
|
||||
vpc_connector_create = {
|
||||
ip_cidr_range = "10.10.10.0/24"
|
||||
vpc_self_link = "projects/example/host/global/networks/host"
|
||||
ip_cidr_range = "10.10.10.0/28"
|
||||
vpc_self_link = var.vpc.self_link
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=2 inventory=connector.yaml
|
||||
# tftest modules=1 resources=2 inventory=connector.yaml e2e
|
||||
```
|
||||
|
||||
Note that if you are using Shared VPC you need to specify a subnet:
|
||||
|
@ -178,7 +213,7 @@ This deploys a Cloud Run service with traffic split between two revisions.
|
|||
```hcl
|
||||
module "cloud_run" {
|
||||
source = "./fabric/modules/cloud-run"
|
||||
project_id = "my-project"
|
||||
project_id = var.project_id
|
||||
name = "hello"
|
||||
revision_name = "green"
|
||||
containers = {
|
||||
|
@ -201,9 +236,15 @@ module "cloud_run" {
|
|||
This deploys a Cloud Run service that will be triggered when messages are published to Pub/Sub topics.
|
||||
|
||||
```hcl
|
||||
module "pubsub" {
|
||||
source = "./fabric/modules/pubsub"
|
||||
project_id = var.project_id
|
||||
name = "pubsub_sink"
|
||||
}
|
||||
|
||||
module "cloud_run" {
|
||||
source = "./fabric/modules/cloud-run"
|
||||
project_id = "my-project"
|
||||
project_id = var.project_id
|
||||
name = "hello"
|
||||
containers = {
|
||||
hello = {
|
||||
|
@ -212,12 +253,11 @@ module "cloud_run" {
|
|||
}
|
||||
eventarc_triggers = {
|
||||
pubsub = {
|
||||
topic-1 = "topic1"
|
||||
topic-2 = "topic2"
|
||||
topic-1 = module.pubsub.id
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=3 inventory=eventarc.yaml
|
||||
# tftest modules=2 resources=3 inventory=eventarc.yaml e2e
|
||||
```
|
||||
|
||||
#### Audit logs
|
||||
|
@ -225,9 +265,18 @@ module "cloud_run" {
|
|||
This deploys a Cloud Run service that will be triggered when specific log events are written to Google Cloud audit logs.
|
||||
|
||||
```hcl
|
||||
module "sa" {
|
||||
source = "./fabric/modules/iam-service-account"
|
||||
project_id = var.project_id
|
||||
name = "eventarc-trigger"
|
||||
iam_project_roles = {
|
||||
(var.project_id) = ["roles/eventarc.eventReceiver"]
|
||||
}
|
||||
}
|
||||
|
||||
module "cloud_run" {
|
||||
source = "./fabric/modules/cloud-run"
|
||||
project_id = "my-project"
|
||||
project_id = var.project_id
|
||||
name = "hello"
|
||||
containers = {
|
||||
hello = {
|
||||
|
@ -241,46 +290,33 @@ module "cloud_run" {
|
|||
service = "cloudresourcemanager.googleapis.com"
|
||||
}
|
||||
}
|
||||
service_account_email = module.sa.email
|
||||
}
|
||||
iam = {
|
||||
"roles/run.invoker" = [module.sa.iam_email]
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=2 inventory=audit-logs.yaml
|
||||
# tftest modules=2 resources=5 inventory=audit-logs.yaml
|
||||
```
|
||||
|
||||
#### Using custom service accounts for triggers
|
||||
|
||||
By default `Compute default service account` is used to trigger Cloud Run. If you want to use custom Service Account you can either provide your own in `eventarc_triggers.service_account_email` or set `eventarc_triggers.service_account_create` to true and service account named `tf-cr-trigger-${var.name}` will be created with `roles/run.invoker` granted on this Cloud Run service.
|
||||
|
||||
Example using provided service account:
|
||||
|
||||
```hcl
|
||||
module "cloud_run" {
|
||||
source = "./fabric/modules/cloud-run"
|
||||
project_id = "my-project"
|
||||
name = "hello"
|
||||
containers = {
|
||||
hello = {
|
||||
image = "us-docker.pkg.dev/cloudrun/container/hello"
|
||||
}
|
||||
}
|
||||
eventarc_triggers = {
|
||||
audit_log = {
|
||||
setiampolicy = {
|
||||
method = "SetIamPolicy"
|
||||
service = "cloudresourcemanager.googleapis.com"
|
||||
}
|
||||
}
|
||||
service_account_email = "cloud-run-trigger@my-project.iam.gserviceaccount.com"
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=2 inventory=trigger-service-account-external.yaml
|
||||
```
|
||||
For example using provided service account refer to [Audit logs](#audit-logs) example.
|
||||
|
||||
Example using automatically created service account:
|
||||
|
||||
```hcl
|
||||
module "pubsub" {
|
||||
source = "./fabric/modules/pubsub"
|
||||
project_id = var.project_id
|
||||
name = "pubsub_sink"
|
||||
}
|
||||
|
||||
module "cloud_run" {
|
||||
source = "./fabric/modules/cloud-run"
|
||||
project_id = "my-project"
|
||||
project_id = var.project_id
|
||||
name = "hello"
|
||||
containers = {
|
||||
hello = {
|
||||
|
@ -289,13 +325,12 @@ module "cloud_run" {
|
|||
}
|
||||
eventarc_triggers = {
|
||||
pubsub = {
|
||||
topic-1 = "topic1"
|
||||
topic-2 = "topic2"
|
||||
topic-1 = module.pubsub.id
|
||||
}
|
||||
service_account_create = true
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=5 inventory=trigger-service-account.yaml
|
||||
# tftest modules=2 resources=5 inventory=trigger-service-account.yaml e2e
|
||||
```
|
||||
|
||||
### Service account
|
||||
|
@ -305,7 +340,7 @@ To use a custom service account managed by the module, set `service_account_crea
|
|||
```hcl
|
||||
module "cloud_run" {
|
||||
source = "./fabric/modules/cloud-run"
|
||||
project_id = "my-project"
|
||||
project_id = var.project_id
|
||||
name = "hello"
|
||||
containers = {
|
||||
hello = {
|
||||
|
@ -314,7 +349,7 @@ module "cloud_run" {
|
|||
}
|
||||
service_account_create = true
|
||||
}
|
||||
# tftest modules=1 resources=2 inventory=service-account.yaml
|
||||
# tftest modules=1 resources=2 inventory=service-account.yaml e2e
|
||||
```
|
||||
|
||||
To use an externally managed service account, pass its email in `service_account` and leave `service_account_create` to `false` (the default).
|
||||
|
@ -322,42 +357,42 @@ To use an externally managed service account, pass its email in `service_account
|
|||
```hcl
|
||||
module "cloud_run" {
|
||||
source = "./fabric/modules/cloud-run"
|
||||
project_id = "my-project"
|
||||
project_id = var.project_id
|
||||
name = "hello"
|
||||
containers = {
|
||||
hello = {
|
||||
image = "us-docker.pkg.dev/cloudrun/container/hello"
|
||||
}
|
||||
}
|
||||
service_account = "cloud-run@my-project.iam.gserviceaccount.com"
|
||||
service_account = var.service_account.email
|
||||
}
|
||||
# tftest modules=1 resources=1 inventory=service-account-external.yaml
|
||||
# tftest modules=1 resources=1 inventory=service-account-external.yaml e2e
|
||||
```
|
||||
<!-- BEGIN TFDOC -->
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [name](variables.tf#L136) | Name used for cloud run service. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L151) | Project id used for all resources. | <code>string</code> | ✓ | |
|
||||
| [name](variables.tf#L144) | Name used for cloud run service. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L159) | Project id used for all resources. | <code>string</code> | ✓ | |
|
||||
| [container_concurrency](variables.tf#L18) | Maximum allowed in-flight (concurrent) requests per container of the revision. | <code>string</code> | | <code>null</code> |
|
||||
| [containers](variables.tf#L24) | Containers in arbitrary key => attributes format. | <code title="map(object({ image = string args = optional(list(string)) command = optional(list(string)) env = optional(map(string), {}) env_from_key = optional(map(object({ key = string name = string })), {}) liveness_probe = optional(object({ action = object({ grpc = optional(object({ port = optional(number) service = optional(string) })) http_get = optional(object({ http_headers = optional(map(string), {}) path = optional(string) })) }) failure_threshold = optional(number) initial_delay_seconds = optional(number) period_seconds = optional(number) timeout_seconds = optional(number) })) ports = optional(map(object({ container_port = optional(number) name = optional(string) protocol = optional(string) })), {}) resources = optional(object({ limits = optional(object({ cpu = string memory = string })) requests = optional(object({ cpu = string memory = string })) })) startup_probe = optional(object({ action = object({ grpc = optional(object({ port = optional(number) service = optional(string) })) http_get = optional(object({ http_headers = optional(map(string), {}) path = optional(string) })) tcp_socket = optional(object({ port = optional(number) })) }) failure_threshold = optional(number) initial_delay_seconds = optional(number) period_seconds = optional(number) timeout_seconds = optional(number) })) volume_mounts = optional(map(string), {}) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [eventarc_triggers](variables.tf#L91) | Event arc triggers for different sources. | <code title="object({ audit_log = optional(map(object({ method = string service = string })), {}) pubsub = optional(map(string), {}) service_account_email = optional(string) service_account_create = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [gen2_execution_environment](variables.tf#L105) | Use second generation execution environment. | <code>bool</code> | | <code>false</code> |
|
||||
| [iam](variables.tf#L111) | IAM bindings for Cloud Run service in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [ingress_settings](variables.tf#L117) | Ingress settings. | <code>string</code> | | <code>null</code> |
|
||||
| [labels](variables.tf#L130) | Resource labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [prefix](variables.tf#L141) | Optional prefix used for resource names. | <code>string</code> | | <code>null</code> |
|
||||
| [region](variables.tf#L156) | Region used for all resources. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [revision_annotations](variables.tf#L162) | Configure revision template annotations. | <code title="object({ autoscaling = optional(object({ max_scale = number min_scale = number })) cloudsql_instances = optional(list(string), []) vpcaccess_connector = optional(string) vpcaccess_egress = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [revision_name](variables.tf#L177) | Revision name. | <code>string</code> | | <code>null</code> |
|
||||
| [service_account](variables.tf#L183) | Service account email. Unused if service account is auto-created. | <code>string</code> | | <code>null</code> |
|
||||
| [service_account_create](variables.tf#L189) | Auto-create service account. | <code>bool</code> | | <code>false</code> |
|
||||
| [startup_cpu_boost](variables.tf#L195) | Enable startup cpu boost. | <code>bool</code> | | <code>false</code> |
|
||||
| [timeout_seconds](variables.tf#L201) | Maximum duration the instance is allowed for responding to a request. | <code>number</code> | | <code>null</code> |
|
||||
| [traffic](variables.tf#L207) | Traffic steering configuration. If revision name is null the latest revision will be used. | <code title="map(object({ percent = number latest = optional(bool) tag = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [volumes](variables.tf#L218) | Named volumes in containers in name => attributes format. | <code title="map(object({ secret_name = string default_mode = optional(string) items = optional(map(object({ path = string mode = optional(string) }))) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [vpc_connector_create](variables.tf#L232) | Populate this to create a VPC connector. You can then refer to it in the template annotations. | <code title="object({ ip_cidr_range = optional(string) vpc_self_link = optional(string) machine_type = optional(string) name = optional(string) instances = optional(object({ max = optional(number) min = optional(number) }), {}) throughput = optional(object({ max = optional(number) min = optional(number) }), {}) subnet = optional(object({ name = optional(string) project_id = optional(string) }), {}) })">object({…})</code> | | <code>null</code> |
|
||||
| [gen2_execution_environment](variables.tf#L113) | Use second generation execution environment. | <code>bool</code> | | <code>false</code> |
|
||||
| [iam](variables.tf#L119) | IAM bindings for Cloud Run service in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [ingress_settings](variables.tf#L125) | Ingress settings. | <code>string</code> | | <code>null</code> |
|
||||
| [labels](variables.tf#L138) | Resource labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [prefix](variables.tf#L149) | Optional prefix used for resource names. | <code>string</code> | | <code>null</code> |
|
||||
| [region](variables.tf#L164) | Region used for all resources. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||
| [revision_annotations](variables.tf#L170) | Configure revision template annotations. | <code title="object({ autoscaling = optional(object({ max_scale = number min_scale = number })) cloudsql_instances = optional(list(string), []) vpcaccess_connector = optional(string) vpcaccess_egress = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [revision_name](variables.tf#L185) | Revision name. | <code>string</code> | | <code>null</code> |
|
||||
| [service_account](variables.tf#L191) | Service account email. Unused if service account is auto-created. | <code>string</code> | | <code>null</code> |
|
||||
| [service_account_create](variables.tf#L197) | Auto-create service account. | <code>bool</code> | | <code>false</code> |
|
||||
| [startup_cpu_boost](variables.tf#L203) | Enable startup cpu boost. | <code>bool</code> | | <code>false</code> |
|
||||
| [timeout_seconds](variables.tf#L209) | Maximum duration the instance is allowed for responding to a request. | <code>number</code> | | <code>null</code> |
|
||||
| [traffic](variables.tf#L215) | Traffic steering configuration. If revision name is null the latest revision will be used. | <code title="map(object({ percent = number latest = optional(bool) tag = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [volumes](variables.tf#L226) | Named volumes in containers in name => attributes format. | <code title="map(object({ secret_name = string default_mode = optional(string) items = optional(map(object({ path = string mode = optional(string) }))) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [vpc_connector_create](variables.tf#L240) | Populate this to create a VPC connector. You can then refer to it in the template annotations. | <code title="object({ ip_cidr_range = optional(string) vpc_self_link = optional(string) machine_type = optional(string) name = optional(string) instances = optional(object({ max = optional(number) min = optional(number) }), {}) throughput = optional(object({ max = optional(number) min = optional(number) }), {}) subnet = optional(object({ name = optional(string) project_id = optional(string) }), {}) })">object({…})</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -17,9 +17,19 @@
|
|||
locals {
|
||||
_vpcaccess_annotation = (
|
||||
local.vpc_connector_create
|
||||
? {
|
||||
? merge({
|
||||
"run.googleapis.com/vpc-access-connector" = google_vpc_access_connector.connector.0.id
|
||||
}
|
||||
},
|
||||
var.revision_annotations.vpcaccess_egress == null ? {
|
||||
# if creating a vpc connector and no explicit annotation is given,
|
||||
# add "private-ranges-only" annotation to prevent permanent diff
|
||||
"run.googleapis.com/vpc-access-egress" = "private-ranges-only"
|
||||
} : {
|
||||
"run.googleapis.com/vpc-access-egress" = (
|
||||
var.revision_annotations.vpcaccess_egress
|
||||
)
|
||||
},
|
||||
)
|
||||
: (
|
||||
var.revision_annotations.vpcaccess_connector == null
|
||||
? {}
|
||||
|
@ -82,8 +92,10 @@ locals {
|
|||
trigger_sa_create = try(
|
||||
var.eventarc_triggers.service_account_create, false
|
||||
)
|
||||
trigger_sa_email = try(
|
||||
google_service_account.trigger_service_account[0].email, null
|
||||
trigger_sa_email = (
|
||||
local.trigger_sa_create ?
|
||||
google_service_account.trigger_service_account[0].email
|
||||
: try(var.eventarc_triggers.service_account_email, null)
|
||||
)
|
||||
vpc_connector_create = var.vpc_connector_create != null
|
||||
}
|
||||
|
@ -104,9 +116,12 @@ resource "google_vpc_access_connector" "connector" {
|
|||
max_throughput = var.vpc_connector_create.throughput.max
|
||||
min_instances = var.vpc_connector_create.instances.min
|
||||
min_throughput = var.vpc_connector_create.throughput.min
|
||||
subnet {
|
||||
name = var.vpc_connector_create.subnet.name
|
||||
project_id = var.vpc_connector_create.subnet.project_id
|
||||
dynamic "subnet" {
|
||||
for_each = alltrue([for k, v in var.vpc_connector_create.subnet : (v == null)]) ? [] : [""]
|
||||
content {
|
||||
name = var.vpc_connector_create.subnet.name
|
||||
project_id = var.vpc_connector_create.subnet.project_id
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
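Review bot: The new `dynamic "subnet"` block carries no comment saying why it is conditional, which is exactly the part a later maintainer is most likely to simplify away; since the PR description says this fixes a non-empty plan, the reason belongs next to the `for_each`, e.g. `# emit the subnet block only when at least one attribute is set; an all-null block presumably yields a permanent diff after apply`. The `alltrue([for k, v in ... : (v == null)]) ? [] : [""]` expression also reads more directly as `anytrue([for v in var.vpc_connector_create.subnet : v != null]) ? [""] : []`. In the `@ -82` hunk, `try(var.eventarc_triggers.service_account_email, null)` guards an attribute that the variable type already declares as `optional(string)`, so the `try` is redundant and a plain `var.eventarc_triggers.service_account_email` would do. Both enclosing blocks (`locals` and the `google_vpc_access_connector` resource) start outside their hunks.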
@ -100,6 +100,14 @@ variable "eventarc_triggers" {
|
|||
service_account_create = optional(bool, false)
|
||||
})
|
||||
default = {}
|
||||
validation {
|
||||
condition = (
|
||||
var.eventarc_triggers.service_account_email == null && length(var.eventarc_triggers.audit_log) == 0
|
||||
) || (
|
||||
var.eventarc_triggers.service_account_email != null
|
||||
)
|
||||
error_message = "service_account_email is required if providing audit_log"
|
||||
}
|
||||
}
|
||||
|
||||
variable "gen2_execution_environment" {
|
||||
|
|
|
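Review bot: The new validation condition is harder to read than the rule it enforces: `(email == null && length(audit_log) == 0) || email != null` is equivalent to `condition = var.eventarc_triggers.service_account_email != null || length(var.eventarc_triggers.audit_log) == 0`, and the shorter form matches what the error message says. As written it also rejects `audit_log` combined with `service_account_create = true` and no explicit email; if the auto-created trigger account is deliberately not meant to serve audit-log triggers, the message should say so, e.g. `error_message = "service_account_email is required when audit_log triggers are configured; service_account_create does not cover this case"`, otherwise the condition should accept `service_account_create` too. The enclosing `variable "eventarc_triggers"` block starts outside the hunk.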
@ -26,12 +26,15 @@ locals {
|
|||
"cloudkms.googleapis.com",
|
||||
"cloudresourcemanager.googleapis.com",
|
||||
"compute.googleapis.com",
|
||||
"eventarc.googleapis.com",
|
||||
"iam.googleapis.com",
|
||||
"run.googleapis.com",
|
||||
"secretmanager.googleapis.com",
|
||||
"serviceusage.googleapis.com",
|
||||
"stackdriver.googleapis.com",
|
||||
"storage-component.googleapis.com",
|
||||
"storage.googleapis.com",
|
||||
"vpcaccess.googleapis.com",
|
||||
]
|
||||
}
|
||||
|
||||
|
|
|
@ -307,20 +307,20 @@ def e2e_validator(module_path, extra_files, tf_var_files, basedir=None):
|
|||
changes = {}
|
||||
for resource_name, value in plan.resource_changes.items():
|
||||
if value.get('change', {}).get('actions') != ['no-op']:
|
||||
changes[resource_name] = value
|
||||
changes[resource_name] = value['change']
|
||||
|
||||
# compare before with after to raise more meaningful failure to the user, i.e one
|
||||
# that shows how resource will change
|
||||
plan_before_state = {k: v['before'] for k, v in changes.items()}
|
||||
plan_after_state = {k: v['after'] for k, v in changes.items()}
|
||||
plan_before_state = {k: v.get('before') for k, v in changes.items()}
|
||||
plan_after_state = {k: v.get('after') for k, v in changes.items()}
|
||||
|
||||
assert plan_before_state == plan_after_state, f'Plan not empty after apply for values'
|
||||
|
||||
plan_before_sensitive_state = {
|
||||
k: v['before_sensitive'] for k, v in changes.items()
|
||||
k: v.get('before_sensitive') for k, v in changes.items()
|
||||
}
|
||||
plan_after_sensitive_state = {
|
||||
k: v['after_sensitive'] for k, v in changes.items()
|
||||
k: v.get('after_sensitive') for k, v in changes.items()
|
||||
}
|
||||
assert plan_before_sensitive_state == plan_after_sensitive_state, f'Plan not empty after apply for sensitive values'
|
||||
|
||||
|
|
|
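Review bot: Both assertion messages on the new lines are f-strings with no placeholders, so a failing E2E run reports only "Plan not empty after apply" and leaves the reader to dig the offending resources out of the before/after dump; naming them costs nothing, e.g. `assert plan_before_state == plan_after_state, f'Plan not empty after apply for values: {sorted(changes)}'` and the same for the sensitive-values assertion. Switching to `.get()` is a reasonable guard against `before_sensitive`/`after_sensitive` being absent from older plan JSON, but if `before`/`after` were ever missing on a real change the two dicts would compare as `None == None` and the check would pass silently, so keeping plain indexing for those two keys (or asserting they exist) is the safer choice. The enclosing `e2e_validator` function starts outside the hunk.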
@ -13,7 +13,23 @@
|
|||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.cloud_run.google_cloud_run_service.service: {}
|
||||
module.cloud_run.google_cloud_run_service.service:
|
||||
name: hello
|
||||
project: project-id
|
||||
template:
|
||||
- spec:
|
||||
- containers:
|
||||
- image: us-docker.pkg.dev/cloudrun/container/hello
|
||||
|
||||
module.cloud_run.google_cloud_run_service_iam_binding.binding["roles/run.invoker"]:
|
||||
condition: []
|
||||
location: europe-west1
|
||||
members:
|
||||
- serviceAccount:eventarc-trigger@project-id.iam.gserviceaccount.com
|
||||
project: project-id
|
||||
role: roles/run.invoker
|
||||
service: hello
|
||||
|
||||
module.cloud_run.google_eventarc_trigger.audit_log_triggers["setiampolicy"]:
|
||||
destination:
|
||||
- cloud_function: null
|
||||
|
@ -35,8 +51,20 @@ values:
|
|||
operator: ''
|
||||
value: google.cloud.audit.log.v1.written
|
||||
name: audit-log-setiampolicy
|
||||
project: my-project
|
||||
project: project-id
|
||||
|
||||
module.sa.google_project_iam_member.project-roles["project-id-roles/eventarc.eventReceiver"]:
|
||||
condition: []
|
||||
project: project-id
|
||||
role: roles/eventarc.eventReceiver
|
||||
|
||||
module.sa.google_service_account.service_account[0]:
|
||||
account_id: eventarc-trigger
|
||||
project: project-id
|
||||
|
||||
counts:
|
||||
google_cloud_run_service: 1
|
||||
google_cloud_run_service_iam_binding: 1
|
||||
google_eventarc_trigger: 1
|
||||
google_project_iam_member: 1
|
||||
google_service_account: 1
|
||||
|
|
|
@ -35,16 +35,15 @@ values:
|
|||
working_dir: null
|
||||
volumes: []
|
||||
module.cloud_run.google_vpc_access_connector.connector[0]:
|
||||
ip_cidr_range: 10.10.10.0/24
|
||||
ip_cidr_range: 10.10.10.0/28
|
||||
machine_type: e2-micro
|
||||
max_throughput: 300
|
||||
min_throughput: 200
|
||||
name: hello
|
||||
network: projects/example/host/global/networks/host
|
||||
network: projects/xxx/global/networks/aaa
|
||||
project: project-id
|
||||
region: europe-west1
|
||||
subnet:
|
||||
- name: null
|
||||
subnet: []
|
||||
|
||||
counts:
|
||||
google_cloud_run_service: 1
|
||||
|
|
|
@ -13,7 +13,13 @@
|
|||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.cloud_run.google_cloud_run_service.service: {}
|
||||
module.cloud_run.google_cloud_run_service.service:
|
||||
name: hello
|
||||
project: project-id
|
||||
template:
|
||||
- spec:
|
||||
- containers:
|
||||
- image: us-docker.pkg.dev/cloudrun/container/hello
|
||||
module.cloud_run.google_eventarc_trigger.pubsub_triggers["topic-1"]:
|
||||
destination:
|
||||
- cloud_function: null
|
||||
|
@ -29,30 +35,17 @@ values:
|
|||
operator: ''
|
||||
value: google.cloud.pubsub.topic.v1.messagePublished
|
||||
name: pubsub-topic-1
|
||||
project: my-project
|
||||
project: project-id
|
||||
transport:
|
||||
- pubsub:
|
||||
- topic: topic1
|
||||
module.cloud_run.google_eventarc_trigger.pubsub_triggers["topic-2"]:
|
||||
destination:
|
||||
- cloud_function: null
|
||||
cloud_run_service:
|
||||
- path: null
|
||||
region: europe-west1
|
||||
service: hello
|
||||
gke: []
|
||||
workflow: null
|
||||
location: europe-west1
|
||||
matching_criteria:
|
||||
- attribute: type
|
||||
operator: ''
|
||||
value: google.cloud.pubsub.topic.v1.messagePublished
|
||||
name: pubsub-topic-2
|
||||
project: my-project
|
||||
transport:
|
||||
- pubsub:
|
||||
- topic: topic2
|
||||
- topic: projects/project-id/topics/pubsub_sink
|
||||
|
||||
module.pubsub.google_pubsub_topic.default:
|
||||
name: pubsub_sink
|
||||
project: project-id
|
||||
|
||||
|
||||
counts:
|
||||
google_cloud_run_service: 1
|
||||
google_eventarc_trigger: 2
|
||||
google_eventarc_trigger: 1
|
||||
google_pubsub_topic: 1
|
||||
|
|
|
@ -41,10 +41,24 @@ values:
|
|||
secret:
|
||||
- default_mode: null
|
||||
items:
|
||||
- key: v1
|
||||
- key: latest
|
||||
mode: null
|
||||
path: v1.txt
|
||||
secret_name: credentials
|
||||
|
||||
module.cloud_run.google_service_account.service_account[0]:
|
||||
account_id: tf-cr-hello
|
||||
project: project-id
|
||||
|
||||
module.secret-manager.google_secret_manager_secret.default["credentials"]:
|
||||
project: project-id
|
||||
secret_id: credentials
|
||||
|
||||
module.secret-manager.google_secret_manager_secret_iam_binding.default["credentials.roles/secretmanager.secretAccessor"]:
|
||||
condition: []
|
||||
role: roles/secretmanager.secretAccessor
|
||||
|
||||
counts:
|
||||
google_cloud_run_service: 1
|
||||
google_secret_manager_secret: 1
|
||||
google_secret_manager_secret_iam_binding: 1
|
||||
google_service_account: 1
|
||||
|
|
|
@ -19,7 +19,7 @@ values:
|
|||
metadata:
|
||||
- {}
|
||||
name: hello
|
||||
project: my-project
|
||||
project: project-id
|
||||
template:
|
||||
- metadata:
|
||||
- {}
|
||||
|
@ -33,7 +33,7 @@ values:
|
|||
liveness_probe: []
|
||||
volume_mounts: []
|
||||
working_dir: null
|
||||
service_account_name: cloud-run@my-project.iam.gserviceaccount.com
|
||||
service_account_name: service_account_email
|
||||
volumes: []
|
||||
|
||||
counts:
|
||||
|
|
|
@ -19,7 +19,7 @@ values:
|
|||
metadata:
|
||||
- {}
|
||||
name: hello
|
||||
project: my-project
|
||||
project: project-id
|
||||
template:
|
||||
- metadata:
|
||||
- {}
|
||||
|
@ -39,7 +39,7 @@ values:
|
|||
description: null
|
||||
disabled: false
|
||||
display_name: Terraform Cloud Run hello.
|
||||
project: my-project
|
||||
project: project-id
|
||||
|
||||
counts:
|
||||
google_cloud_run_service: 1
|
||||
|
|
|
@ -48,7 +48,22 @@ values:
|
|||
project: project-id
|
||||
role: roles/run.invoker
|
||||
service: hello
|
||||
module.cloud_run.google_service_account.service_account[0]:
|
||||
account_id: tf-cr-hello
|
||||
disabled: false
|
||||
display_name: Terraform Cloud Run hello.
|
||||
project: project-id
|
||||
module.secret-manager.google_secret_manager_secret.default["credentials"]:
|
||||
project: project-id
|
||||
secret_id: credentials
|
||||
module.secret-manager.google_secret_manager_secret_iam_binding.default["credentials.roles/secretmanager.secretAccessor"]:
|
||||
condition: []
|
||||
role: roles/secretmanager.secretAccessor
|
||||
|
||||
|
||||
counts:
|
||||
google_cloud_run_service: 1
|
||||
google_cloud_run_service_iam_binding: 1
|
||||
google_secret_manager_secret: 1
|
||||
google_secret_manager_secret_iam_binding: 1
|
||||
google_service_account: 1
|
||||
|
|
|
@ -1,72 +0,0 @@
|
|||
# Copyright 2023 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
values:
|
||||
module.cloud_run.google_cloud_run_service.service:
|
||||
autogenerate_revision_name: false
|
||||
location: europe-west1
|
||||
metadata:
|
||||
- {}
|
||||
name: hello
|
||||
project: my-project
|
||||
template:
|
||||
- metadata:
|
||||
- {}
|
||||
spec:
|
||||
- containers:
|
||||
- args: null
|
||||
command: null
|
||||
env: []
|
||||
env_from: []
|
||||
image: us-docker.pkg.dev/cloudrun/container/hello
|
||||
liveness_probe: []
|
||||
volume_mounts: []
|
||||
working_dir: null
|
||||
volumes: []
|
||||
timeouts: null
|
||||
module.cloud_run.google_eventarc_trigger.audit_log_triggers["setiampolicy"]:
|
||||
channel: null
|
||||
destination:
|
||||
- cloud_function: null
|
||||
cloud_run_service:
|
||||
- path: null
|
||||
region: europe-west1
|
||||
service: hello
|
||||
gke: []
|
||||
workflow: null
|
||||
labels: null
|
||||
location: europe-west1
|
||||
matching_criteria:
|
||||
- attribute: methodName
|
||||
operator: ''
|
||||
value: SetIamPolicy
|
||||
- attribute: serviceName
|
||||
operator: ''
|
||||
value: cloudresourcemanager.googleapis.com
|
||||
- attribute: type
|
||||
operator: ''
|
||||
value: google.cloud.audit.log.v1.written
|
||||
name: audit-log-setiampolicy
|
||||
project: my-project
|
||||
service_account: null
|
||||
timeouts: null
|
||||
|
||||
counts:
|
||||
google_cloud_run_service: 1
|
||||
google_eventarc_trigger: 1
|
||||
modules: 1
|
||||
resources: 2
|
||||
|
||||
outputs: {}
|
||||
|
|
@ -19,7 +19,7 @@ values:
|
|||
metadata:
|
||||
- {}
|
||||
name: hello
|
||||
project: my-project
|
||||
project: project-id
|
||||
template:
|
||||
- metadata:
|
||||
- {}
|
||||
|
@ -35,12 +35,14 @@ values:
|
|||
working_dir: null
|
||||
volumes: []
|
||||
timeouts: null
|
||||
|
||||
module.cloud_run.google_cloud_run_service_iam_member.default[0]:
|
||||
condition: []
|
||||
location: europe-west1
|
||||
project: my-project
|
||||
project: project-id
|
||||
role: roles/run.invoker
|
||||
service: hello
|
||||
|
||||
module.cloud_run.google_eventarc_trigger.pubsub_triggers["topic-1"]:
|
||||
channel: null
|
||||
destination:
|
||||
|
@ -58,48 +60,29 @@ values:
|
|||
operator: ''
|
||||
value: google.cloud.pubsub.topic.v1.messagePublished
|
||||
name: pubsub-topic-1
|
||||
project: my-project
|
||||
project: project-id
|
||||
timeouts: null
|
||||
transport:
|
||||
- pubsub:
|
||||
- topic: topic1
|
||||
module.cloud_run.google_eventarc_trigger.pubsub_triggers["topic-2"]:
|
||||
channel: null
|
||||
destination:
|
||||
- cloud_function: null
|
||||
cloud_run_service:
|
||||
- path: null
|
||||
region: europe-west1
|
||||
service: hello
|
||||
gke: []
|
||||
workflow: null
|
||||
labels: null
|
||||
location: europe-west1
|
||||
matching_criteria:
|
||||
- attribute: type
|
||||
operator: ''
|
||||
value: google.cloud.pubsub.topic.v1.messagePublished
|
||||
name: pubsub-topic-2
|
||||
project: my-project
|
||||
timeouts: null
|
||||
transport:
|
||||
- pubsub:
|
||||
- topic: topic2
|
||||
- topic: projects/project-id/topics/pubsub_sink
|
||||
|
||||
module.cloud_run.google_service_account.trigger_service_account[0]:
|
||||
account_id: tf-cr-trigger-hello
|
||||
description: null
|
||||
disabled: false
|
||||
display_name: Terraform trigger for Cloud Run hello.
|
||||
project: my-project
|
||||
timeouts: null
|
||||
project: project-id
|
||||
|
||||
module.pubsub.google_pubsub_topic.default:
|
||||
kms_key_name: null
|
||||
labels: null
|
||||
message_retention_duration: null
|
||||
name: pubsub_sink
|
||||
project: project-id
|
||||
|
||||
counts:
|
||||
google_cloud_run_service: 1
|
||||
google_cloud_run_service_iam_member: 1
|
||||
google_eventarc_trigger: 2
|
||||
google_eventarc_trigger: 1
|
||||
google_pubsub_topic: 1
|
||||
google_service_account: 1
|
||||
modules: 1
|
||||
resources: 5
|
||||
|
||||
outputs: {}
|
||||
|
||||
|
|