Extend support for tag bindings to more modules (#2307)
* fix kms tag bindings * bigquery dataset * fix bigquery * cloud run * normalize variable type * rename gcs heading * kms example test * fix bigquery * fix cloud run * cloud run v2
This commit is contained in:
Ludovico Magnocavallo
GitHub
parent
735fd79cce
commit
c80af8de66
|
|
@ -2,14 +2,19 @@
|
|||
|
||||
This module allows managing a single BigQuery dataset, including access configuration, tables and views.
|
||||
|
||||
## TODO
|
||||
<!-- BEGIN TOC -->
|
||||
- [Simple dataset with access configuration](#simple-dataset-with-access-configuration)
|
||||
- [IAM roles](#iam-roles)
|
||||
- [Authorized Views, Datasets, and Routines](#authorized-views-datasets-and-routines)
|
||||
- [Dataset options](#dataset-options)
|
||||
- [Tables and views](#tables-and-views)
|
||||
- [Tag bindings](#tag-bindings)
|
||||
- [TODO](#todo)
|
||||
- [Variables](#variables)
|
||||
- [Outputs](#outputs)
|
||||
<!-- END TOC -->
|
||||
|
||||
- [ ] check for dynamic values in tables and views
|
||||
- [ ] add support for external tables
|
||||
|
||||
## Examples
|
||||
|
||||
### Simple dataset with access configuration
|
||||
## Simple dataset with access configuration
|
||||
|
||||
Access configuration defaults to using the separate `google_bigquery_dataset_access` resource, so as to leave the default dataset access rules untouched.
|
||||
|
||||
|
|
@ -38,7 +43,7 @@ module "bigquery-dataset" {
|
|||
# tftest modules=1 resources=5 inventory=simple.yaml
|
||||
```
|
||||
|
||||
### IAM roles
|
||||
## IAM roles
|
||||
|
||||
Access configuration can also be specified via IAM instead of basic roles via the `iam` variable. When using IAM, basic roles cannot be used via the `access` family variables.
|
||||
|
||||
|
|
@ -54,7 +59,7 @@ module "bigquery-dataset" {
|
|||
# tftest modules=1 resources=2 inventory=iam.yaml
|
||||
```
|
||||
|
||||
### Authorized Views, Datasets, and Routines
|
||||
## Authorized Views, Datasets, and Routines
|
||||
|
||||
You can specify authorized [views](https://cloud.google.com/bigquery/docs/authorized-views), [datasets](https://cloud.google.com/bigquery/docs/authorized-datasets?hl=en), and [routines](https://cloud.google.com/bigquery/docs/authorized-routines) via the `authorized_views`, `authorized_datasets` and `authorized_routines` variables, respectively.
|
||||
|
||||
|
|
@ -168,7 +173,7 @@ module "bigquery-dataset" {
|
|||
# tftest modules=1 resources=4 inventory=authorized_resources_views.yaml
|
||||
```
|
||||
|
||||
### Dataset options
|
||||
## Dataset options
|
||||
|
||||
Dataset options are set via the `options` variable. all options must be specified, but a `null` value can be set to options that need to use defaults.
|
||||
|
||||
|
|
@ -187,7 +192,7 @@ module "bigquery-dataset" {
|
|||
# tftest modules=1 resources=1 inventory=options.yaml
|
||||
```
|
||||
|
||||
### Tables and views
|
||||
## Tables and views
|
||||
|
||||
Tables are created via the `tables` variable, or the `view` variable for views. Support for external tables will be added in a future release.
|
||||
|
||||
|
|
@ -275,6 +280,42 @@ module "bigquery-dataset" {
|
|||
|
||||
# tftest modules=1 resources=3 inventory=views.yaml
|
||||
```
|
||||
|
||||
## Tag bindings
|
||||
|
||||
Refer to the [Creating and managing tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) documentation for details on usage.
|
||||
|
||||
```hcl
|
||||
module "org" {
|
||||
source = "./fabric/modules/organization"
|
||||
organization_id = var.organization_id
|
||||
tags = {
|
||||
environment = {
|
||||
description = "Environment specification."
|
||||
values = {
|
||||
dev = {}
|
||||
prod = {}
|
||||
sandbox = {}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "bigquery-dataset" {
|
||||
source = "./fabric/modules/bigquery-dataset"
|
||||
project_id = "my-project"
|
||||
id = "my_dataset"
|
||||
tag_bindings = {
|
||||
env-sandbox = module.org.tag_values["environment/sandbox"].id
|
||||
}
|
||||
}
|
||||
# tftest modules=2 resources=6
|
||||
```
|
||||
|
||||
## TODO
|
||||
|
||||
- [ ] check for dynamic values in tables and views
|
||||
- [ ] add support for external tables
|
||||
<!-- BEGIN TFDOC -->
|
||||
## Variables
|
||||
|
||||
|
|
@ -297,7 +338,8 @@ module "bigquery-dataset" {
|
|||
| [materialized_views](variables.tf#L115) | Materialized views definitions. | <code title="map(object({ query = string allow_non_incremental_definition = optional(bool) deletion_protection = optional(bool) description = optional(string, "Terraform managed.") enable_refresh = optional(bool) friendly_name = optional(string) labels = optional(map(string), {}) refresh_interval_ms = optional(bool) require_partition_filter = optional(bool) options = optional(object({ clustering = optional(list(string)) expiration_time = optional(number) }), {}) partitioning = optional(object({ field = optional(string) range = optional(object({ end = number interval = number start = number })) time = optional(object({ type = string expiration_ms = optional(number) field = optional(string) })) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [options](variables.tf#L148) | Dataset options. | <code title="object({ default_collation = optional(string) default_table_expiration_ms = optional(number) default_partition_expiration_ms = optional(number) delete_contents_on_destroy = optional(bool, false) is_case_insensitive = optional(bool) max_time_travel_hours = optional(number, 168) storage_billing_model = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [tables](variables.tf#L167) | Table definitions. Options and partitioning default to null. Partitioning can only use `range` or `time`, set the unused one to null. | <code title="map(object({ deletion_protection = optional(bool) description = optional(string, "Terraform managed.") friendly_name = optional(string) labels = optional(map(string), {}) require_partition_filter = optional(bool) schema = optional(string) external_data_configuration = optional(object({ autodetect = bool source_uris = list(string) avro_logical_types = optional(bool) compression = optional(string) connection_id = optional(string) file_set_spec_type = optional(string) ignore_unknown_values = optional(bool) metadata_cache_mode = optional(string) object_metadata = optional(string) json_options_encoding = optional(string) reference_file_schema_uri = optional(string) schema = optional(string) source_format = optional(string) max_bad_records = optional(number) csv_options = optional(object({ quote = string allow_jagged_rows = optional(bool) allow_quoted_newlines = optional(bool) encoding = optional(string) field_delimiter = optional(string) skip_leading_rows = optional(number) })) google_sheets_options = optional(object({ range = optional(string) skip_leading_rows = optional(number) })) hive_partitioning_options = optional(object({ mode = optional(string) require_partition_filter = optional(bool) source_uri_prefix = optional(string) })) parquet_options = optional(object({ enum_as_string = optional(bool) enable_list_inference = optional(bool) })) })) options = optional(object({ clustering = optional(list(string)) encryption_key = optional(string) expiration_time = optional(number) max_staleness = optional(string) }), {}) partitioning = optional(object({ field = optional(string) range = optional(object({ end = number interval = number start = number })) time = optional(object({ type = string expiration_ms = optional(number) field = optional(string) })) })) table_constraints = optional(object({ primary_key_columns = optional(list(string)) foreign_keys = optional(object({ referenced_table = object({ project_id = string dataset_id = string table_id = string }) column_references = object({ referencing_column = string referenced_column = string }) name = optional(string) })) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [views](variables.tf#L252) | View definitions. | <code title="map(object({ query = string deletion_protection = optional(bool) description = optional(string, "Terraform managed.") friendly_name = optional(string) labels = optional(map(string), {}) use_legacy_sql = optional(bool) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tag_bindings](variables.tf#L252) | Tag bindings for this dataset, in key => tag value id format. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [views](variables.tf#L259) | View definitions. | <code title="map(object({ query = string deletion_protection = optional(bool) description = optional(string, "Terraform managed.") friendly_name = optional(string) labels = optional(map(string), {}) use_legacy_sql = optional(bool) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,22 @@
|
|||
/**
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
resource "google_tags_location_tag_binding" "binding" {
|
||||
for_each = var.tag_bindings
|
||||
parent = "//bigquery.googleapis.com/${google_bigquery_dataset.default.id}"
|
||||
tag_value = each.value
|
||||
location = var.location
|
||||
}
|
||||
|
|
@ -249,6 +249,13 @@ variable "tables" {
|
|||
default = {}
|
||||
}
|
||||
|
||||
variable "tag_bindings" {
|
||||
description = "Tag bindings for this dataset, in key => tag value id format."
|
||||
type = map(string)
|
||||
nullable = false
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "views" {
|
||||
description = "View definitions."
|
||||
type = map(object({
|
||||
|
|
|
|||
|
|
@ -3,26 +3,24 @@
|
|||
Cloud Run Services and Jobs, with support for IAM roles and Eventarc trigger creation.
|
||||
|
||||
<!-- BEGIN TOC -->
|
||||
- [Examples](#examples)
|
||||
- [IAM and environment variables](#iam-and-environment-variables)
|
||||
- [Mounting secrets as volumes](#mounting-secrets-as-volumes)
|
||||
- [Beta features](#beta-features)
|
||||
- [VPC Access Connector](#vpc-access-connector)
|
||||
- [Using Customer-Managed Encryption Key](#using-customer-managed-encryption-key)
|
||||
- [Eventarc triggers](#eventarc-triggers)
|
||||
- [PubSub](#pubsub)
|
||||
- [Audit logs](#audit-logs)
|
||||
- [Using custom service accounts for triggers](#using-custom-service-accounts-for-triggers)
|
||||
- [Cloud Run Service Account](#cloud-run-service-account)
|
||||
- [Creating Cloud Run Jobs](#creating-cloud-run-jobs)
|
||||
- [IAM and environment variables](#iam-and-environment-variables)
|
||||
- [Mounting secrets as volumes](#mounting-secrets-as-volumes)
|
||||
- [Beta features](#beta-features)
|
||||
- [VPC Access Connector](#vpc-access-connector)
|
||||
- [Using Customer-Managed Encryption Key](#using-customer-managed-encryption-key)
|
||||
- [Eventarc triggers](#eventarc-triggers)
|
||||
- [PubSub](#pubsub)
|
||||
- [Audit logs](#audit-logs)
|
||||
- [Using custom service accounts for triggers](#using-custom-service-accounts-for-triggers)
|
||||
- [Cloud Run Service Account](#cloud-run-service-account)
|
||||
- [Creating Cloud Run Jobs](#creating-cloud-run-jobs)
|
||||
- [Tag bindings](#tag-bindings)
|
||||
- [Variables](#variables)
|
||||
- [Outputs](#outputs)
|
||||
- [Fixtures](#fixtures)
|
||||
<!-- END TOC -->
|
||||
|
||||
## Examples
|
||||
|
||||
### IAM and environment variables
|
||||
## IAM and environment variables
|
||||
|
||||
IAM bindings support the usual syntax. Container environment values can be declared as key-value strings or as references to Secret Manager secrets. Both can be combined as long as there is no duplication of keys:
|
||||
|
||||
|
|
@ -54,7 +52,7 @@ module "cloud_run" {
|
|||
# tftest modules=2 resources=5 fixtures=fixtures/secret-credentials.tf inventory=service-iam-env.yaml e2e
|
||||
```
|
||||
|
||||
### Mounting secrets as volumes
|
||||
## Mounting secrets as volumes
|
||||
|
||||
```hcl
|
||||
module "cloud_run" {
|
||||
|
|
@ -83,7 +81,7 @@ module "cloud_run" {
|
|||
# tftest modules=2 resources=4 fixtures=fixtures/secret-credentials.tf inventory=service-volume-secretes.yaml e2e
|
||||
```
|
||||
|
||||
### Beta features
|
||||
## Beta features
|
||||
|
||||
To use beta features like Direct VPC Egress, set the launch stage to a preview stage.
|
||||
|
||||
|
|
@ -112,7 +110,7 @@ module "cloud_run" {
|
|||
# tftest modules=1 resources=1 inventory=service-beta-features.yaml
|
||||
```
|
||||
|
||||
### VPC Access Connector
|
||||
## VPC Access Connector
|
||||
|
||||
You can use an existing [VPC Access Connector](https://cloud.google.com/vpc/docs/serverless-vpc-access) to connect to a VPC from Cloud Run.
|
||||
|
||||
|
|
@ -186,7 +184,7 @@ module "cloud_run" {
|
|||
# tftest modules=4 resources=40 fixtures=fixtures/shared-vpc.tf inventory=service-vpc-access-connector-create-sharedvpc.yaml e2e
|
||||
```
|
||||
|
||||
### Using Customer-Managed Encryption Key
|
||||
## Using Customer-Managed Encryption Key
|
||||
|
||||
Deploy a Cloud Run service with environment variables encrypted using a Customer-Managed Encryption Key (CMEK). Ensure you specify the encryption_key with the full resource identifier of your Cloud KMS CryptoKey and that Cloud Run Service agent (`service-<PROJECT_NUMBER>@serverless-robot-prod.iam.gserviceaccount.com`) has permission to use the key, for example `roles/cloudkms.cryptoKeyEncrypterDecrypter` IAM role. This setup adds an extra layer of security by utilizing your own encryption keys.
|
||||
|
||||
|
|
@ -206,9 +204,9 @@ module "cloud_run" {
|
|||
# tftest modules=1 resources=2 fixtures=fixtures/cloud-run-kms-iam-grant.tf e2e
|
||||
```
|
||||
|
||||
### Eventarc triggers
|
||||
## Eventarc triggers
|
||||
|
||||
#### PubSub
|
||||
### PubSub
|
||||
|
||||
This deploys a Cloud Run service that will be triggered when messages are published to Pub/Sub topics.
|
||||
|
||||
|
|
@ -232,7 +230,7 @@ module "cloud_run" {
|
|||
# tftest modules=2 resources=4 fixtures=fixtures/pubsub.tf inventory=service-eventarc-pubsub.yaml e2e
|
||||
```
|
||||
|
||||
#### Audit logs
|
||||
### Audit logs
|
||||
|
||||
This deploys a Cloud Run service that will be triggered when specific log events are written to Google Cloud audit logs.
|
||||
|
||||
|
|
@ -260,7 +258,7 @@ module "cloud_run" {
|
|||
# tftest modules=1 resources=4 inventory=service-eventarc-auditlogs-sa-create.yaml
|
||||
```
|
||||
|
||||
#### Using custom service accounts for triggers
|
||||
### Using custom service accounts for triggers
|
||||
|
||||
By default `Compute default service account` is used to trigger Cloud Run. If you want to use custom Service Accounts you can either provide your own in `eventarc_triggers.service_account_email` or set `eventarc_triggers.service_account_create` to true and service account named `tf-cr-trigger-${var.name}` will be created with `roles/run.invoker` granted on this Cloud Run service.
|
||||
|
||||
|
|
@ -313,7 +311,7 @@ module "cloud_run" {
|
|||
# tftest modules=2 resources=6 fixtures=fixtures/pubsub.tf inventory=service-eventarc-pubsub-sa-create.yaml e2e
|
||||
```
|
||||
|
||||
### Cloud Run Service Account
|
||||
## Cloud Run Service Account
|
||||
|
||||
To use a custom service account managed by the module, set `service_account_create` to `true` and leave `service_account` set to `null` (default).
|
||||
|
||||
|
|
@ -351,17 +349,19 @@ module "cloud_run" {
|
|||
# tftest modules=2 resources=2 fixtures=fixtures/iam-service-account.tf inventory=service-external-sa.yaml e2e
|
||||
```
|
||||
|
||||
### Creating Cloud Run Jobs
|
||||
## Creating Cloud Run Jobs
|
||||
|
||||
To create a job instead of service set `create_job` to `true`. Jobs support all functions above apart from triggers.
|
||||
|
||||
Unsupported variables / attributes:
|
||||
* ingress
|
||||
* revision.gen2_execution_environment (they run by default in gen2)
|
||||
* revision.name
|
||||
* containers.liveness_probe
|
||||
* containers.startup_probe
|
||||
* containers.resources.cpu_idle
|
||||
* containers.resources.startup_cpu_boost
|
||||
|
||||
- ingress
|
||||
- revision.gen2_execution_environment (they run by default in gen2)
|
||||
- revision.name
|
||||
- containers.liveness_probe
|
||||
- containers.startup_probe
|
||||
- containers.resources.cpu_idle
|
||||
- containers.resources.startup_cpu_boost
|
||||
|
||||
```hcl
|
||||
module "cloud_run" {
|
||||
|
|
@ -386,6 +386,50 @@ module "cloud_run" {
|
|||
|
||||
# tftest modules=1 resources=2 inventory=job-iam-env.yaml e2e
|
||||
```
|
||||
|
||||
## Tag bindings
|
||||
|
||||
Tag bindings are not yet supported for jobs. Refer to the [Creating and managing tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) documentation for details on usage.
|
||||
|
||||
```hcl
|
||||
module "org" {
|
||||
source = "./fabric/modules/organization"
|
||||
organization_id = var.organization_id
|
||||
tags = {
|
||||
environment = {
|
||||
description = "Environment specification."
|
||||
values = {
|
||||
dev = {}
|
||||
prod = {}
|
||||
sandbox = {}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "cloud_run" {
|
||||
source = "./fabric/modules/cloud-run-v2"
|
||||
project_id = var.project_id
|
||||
name = "hello"
|
||||
region = var.region
|
||||
containers = {
|
||||
hello = {
|
||||
image = "us-docker.pkg.dev/cloudrun/container/hello"
|
||||
env = {
|
||||
VAR1 = "VALUE1"
|
||||
VAR2 = "VALUE2"
|
||||
}
|
||||
}
|
||||
}
|
||||
iam = {
|
||||
"roles/run.invoker" = ["allUsers"]
|
||||
}
|
||||
tag_bindings = {
|
||||
env-sandbox = module.org.tag_values["environment/sandbox"].id
|
||||
}
|
||||
}
|
||||
# tftest modules=2 resources=7
|
||||
```
|
||||
<!-- BEGIN TFDOC -->
|
||||
## Variables
|
||||
|
||||
|
|
@ -406,7 +450,8 @@ module "cloud_run" {
|
|||
| [revision](variables.tf#L178) | Revision template configurations. | <code title="object({ name = optional(string) gen2_execution_environment = optional(bool) max_concurrency = optional(number) max_instance_count = optional(number) min_instance_count = optional(number) vpc_access = optional(object({ connector = optional(string) egress = optional(string) subnet = optional(string) tags = optional(list(string)) })) timeout = optional(string) })">object({…})</code> | | <code>{}</code> |
|
||||
| [service_account](variables.tf#L205) | Service account email. Unused if service account is auto-created. | <code>string</code> | | <code>null</code> |
|
||||
| [service_account_create](variables.tf#L211) | Auto-create service account. | <code>bool</code> | | <code>false</code> |
|
||||
| [volumes](variables.tf#L217) | Named volumes in containers in name => attributes format. | <code title="map(object({ secret = optional(object({ name = string default_mode = optional(string) path = optional(string) version = optional(string) mode = optional(string) })) cloud_sql_instances = optional(list(string)) empty_dir_size = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tag_bindings](variables.tf#L217) | Tag bindings for this service, in key => tag value id format. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [volumes](variables.tf#L224) | Named volumes in containers in name => attributes format. | <code title="map(object({ secret = optional(object({ name = string default_mode = optional(string) path = optional(string) version = optional(string) mode = optional(string) })) cloud_sql_instances = optional(list(string)) empty_dir_size = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [vpc_connector_create](variables-vpcconnector.tf#L17) | Populate this to create a Serverless VPC Access connector. | <code title="object({ ip_cidr_range = optional(string) machine_type = optional(string) name = optional(string) network = optional(string) instances = optional(object({ max = optional(number) min = optional(number) }), {}) throughput = optional(object({ max = optional(number, 1000) # workaround for a wrong default in provider min = optional(number) }), {}) subnet = optional(object({ name = optional(string) project_id = optional(string) }), {}) })">object({…})</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
|
|
|||
|
|
@ -0,0 +1,24 @@
|
|||
/**
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
resource "google_tags_location_tag_binding" "binding" {
|
||||
for_each = var.create_job ? {} : var.tag_bindings
|
||||
parent = (
|
||||
"//run.googleapis.com/projects/${var.project_id}/locations/europe-west1/services/${google_cloud_run_v2_service.service[0].name}"
|
||||
)
|
||||
tag_value = each.value
|
||||
location = var.region
|
||||
}
|
||||
|
|
@ -214,6 +214,13 @@ variable "service_account_create" {
|
|||
default = false
|
||||
}
|
||||
|
||||
variable "tag_bindings" {
|
||||
description = "Tag bindings for this service, in key => tag value id format."
|
||||
type = map(string)
|
||||
nullable = false
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "volumes" {
|
||||
description = "Named volumes in containers in name => attributes format."
|
||||
type = map(object({
|
||||
|
|
|
|||
|
|
@ -2,26 +2,24 @@
|
|||
|
||||
Cloud Run management, with support for IAM roles, revision annotations and optional Eventarc trigger creation.
|
||||
|
||||
## Examples
|
||||
|
||||
<!-- BEGIN TOC -->
|
||||
- [Examples](#examples)
|
||||
- [IAM and environment variables](#iam-and-environment-variables)
|
||||
- [Mounting secrets as volumes](#mounting-secrets-as-volumes)
|
||||
- [Revision annotations](#revision-annotations)
|
||||
- [Second generation execution environment](#second-generation-execution-environment)
|
||||
- [VPC Access Connector creation](#vpc-access-connector-creation)
|
||||
- [Traffic split](#traffic-split)
|
||||
- [Eventarc triggers](#eventarc-triggers)
|
||||
- [PubSub](#pubsub)
|
||||
- [Audit logs](#audit-logs)
|
||||
- [Using custom service accounts for triggers](#using-custom-service-accounts-for-triggers)
|
||||
- [Service account](#service-account)
|
||||
- [IAM and environment variables](#iam-and-environment-variables)
|
||||
- [Mounting secrets as volumes](#mounting-secrets-as-volumes)
|
||||
- [Revision annotations](#revision-annotations)
|
||||
- [Second generation execution environment](#second-generation-execution-environment)
|
||||
- [VPC Access Connector creation](#vpc-access-connector-creation)
|
||||
- [Traffic split](#traffic-split)
|
||||
- [Eventarc triggers](#eventarc-triggers)
|
||||
- [PubSub](#pubsub)
|
||||
- [Audit logs](#audit-logs)
|
||||
- [Using custom service accounts for triggers](#using-custom-service-accounts-for-triggers)
|
||||
- [Service account](#service-account)
|
||||
- [Tag bindings](#tag-bindings)
|
||||
- [Variables](#variables)
|
||||
- [Outputs](#outputs)
|
||||
<!-- END TOC -->
|
||||
|
||||
### IAM and environment variables
|
||||
## IAM and environment variables
|
||||
|
||||
IAM bindings support the usual syntax. Container environment values can be declared as key-value strings or as references to Secret Manager secrets. Both can be combined as long as there's no duplication of keys:
|
||||
|
||||
|
|
@ -68,7 +66,7 @@ module "cloud_run" {
|
|||
# tftest modules=2 resources=5 inventory=simple.yaml e2e
|
||||
```
|
||||
|
||||
### Mounting secrets as volumes
|
||||
## Mounting secrets as volumes
|
||||
|
||||
```hcl
|
||||
module "secret-manager" {
|
||||
|
|
@ -117,7 +115,7 @@ module "cloud_run" {
|
|||
# tftest modules=2 resources=5 inventory=secrets.yaml e2e
|
||||
```
|
||||
|
||||
### Revision annotations
|
||||
## Revision annotations
|
||||
|
||||
Annotations can be specified via the `revision_annotations` variable:
|
||||
|
||||
|
|
@ -145,7 +143,7 @@ module "cloud_run" {
|
|||
# tftest modules=1 resources=1 inventory=revision-annotations.yaml
|
||||
```
|
||||
|
||||
### Second generation execution environment
|
||||
## Second generation execution environment
|
||||
|
||||
Second generation execution environment (gen2) can be enabled by setting the `gen2_execution_environment` variable to true:
|
||||
|
||||
|
|
@ -165,7 +163,7 @@ module "cloud_run" {
|
|||
# tftest modules=1 resources=1 inventory=gen2.yaml e2e
|
||||
```
|
||||
|
||||
### VPC Access Connector creation
|
||||
## VPC Access Connector creation
|
||||
|
||||
If creation of a [VPC Access Connector](https://cloud.google.com/vpc/docs/serverless-vpc-access) is required, use the `vpc_connector_create` variable which also support optional attributes for number of instances, machine type, and throughput (not shown here). The annotation to use the connector will be added automatically.
|
||||
|
||||
|
|
@ -211,7 +209,7 @@ module "cloud_run" {
|
|||
# tftest modules=1 resources=2 inventory=connector-shared.yaml
|
||||
```
|
||||
|
||||
### Traffic split
|
||||
## Traffic split
|
||||
|
||||
This deploys a Cloud Run service with traffic split between two revisions.
|
||||
|
||||
|
|
@ -235,9 +233,9 @@ module "cloud_run" {
|
|||
# tftest modules=1 resources=1 inventory=traffic.yaml
|
||||
```
|
||||
|
||||
### Eventarc triggers
|
||||
## Eventarc triggers
|
||||
|
||||
#### PubSub
|
||||
### PubSub
|
||||
|
||||
This deploys a Cloud Run service that will be triggered when messages are published to Pub/Sub topics.
|
||||
|
||||
|
|
@ -267,7 +265,7 @@ module "cloud_run" {
|
|||
# tftest modules=2 resources=3 inventory=eventarc.yaml e2e
|
||||
```
|
||||
|
||||
#### Audit logs
|
||||
### Audit logs
|
||||
|
||||
This deploys a Cloud Run service that will be triggered when specific log events are written to Google Cloud audit logs.
|
||||
|
||||
|
|
@ -307,7 +305,7 @@ module "cloud_run" {
|
|||
# tftest modules=2 resources=5 inventory=audit-logs.yaml
|
||||
```
|
||||
|
||||
#### Using custom service accounts for triggers
|
||||
### Using custom service accounts for triggers
|
||||
|
||||
By default `Compute default service account` is used to trigger Cloud Run. If you want to use custom Service Account you can either provide your own in `eventarc_triggers.service_account_email` or set `eventarc_triggers.service_account_create` to true and service account named `tf-cr-trigger-${var.name}` will be created with `roles/run.invoker` granted on this Cloud Run service.
|
||||
|
||||
|
|
@ -342,7 +340,7 @@ module "cloud_run" {
|
|||
# tftest modules=2 resources=5 inventory=trigger-service-account.yaml e2e
|
||||
```
|
||||
|
||||
### Service account
|
||||
## Service account
|
||||
|
||||
To use a custom service account managed by the module, set `service_account_create` to `true` and leave `service_account` set to `null` value (default).
|
||||
|
||||
|
|
@ -379,6 +377,43 @@ module "cloud_run" {
|
|||
}
|
||||
# tftest modules=1 resources=1 inventory=service-account-external.yaml e2e
|
||||
```
|
||||
|
||||
## Tag bindings
|
||||
|
||||
Refer to the [Creating and managing tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) documentation for details on usage.
|
||||
|
||||
```hcl
|
||||
module "org" {
|
||||
source = "./fabric/modules/organization"
|
||||
organization_id = var.organization_id
|
||||
tags = {
|
||||
environment = {
|
||||
description = "Environment specification."
|
||||
values = {
|
||||
dev = {}
|
||||
prod = {}
|
||||
sandbox = {}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "cloud_run" {
|
||||
source = "./fabric/modules/cloud-run"
|
||||
project_id = var.project_id
|
||||
region = var.region
|
||||
name = "hello"
|
||||
containers = {
|
||||
hello = {
|
||||
image = "us-docker.pkg.dev/cloudrun/container/hello"
|
||||
}
|
||||
}
|
||||
tag_bindings = {
|
||||
env-sandbox = module.org.tag_values["environment/sandbox"].id
|
||||
}
|
||||
}
|
||||
# tftest modules=2 resources=6
|
||||
```
|
||||
<!-- BEGIN TFDOC -->
|
||||
## Variables
|
||||
|
||||
|
|
@ -400,10 +435,11 @@ module "cloud_run" {
|
|||
| [service_account](variables.tf#L190) | Service account email. Unused if service account is auto-created. | <code>string</code> | | <code>null</code> |
|
||||
| [service_account_create](variables.tf#L196) | Auto-create service account. | <code>bool</code> | | <code>false</code> |
|
||||
| [startup_cpu_boost](variables.tf#L202) | Enable startup cpu boost. | <code>bool</code> | | <code>false</code> |
|
||||
| [timeout_seconds](variables.tf#L208) | Maximum duration the instance is allowed for responding to a request. | <code>number</code> | | <code>null</code> |
|
||||
| [traffic](variables.tf#L214) | Traffic steering configuration. If revision name is null the latest revision will be used. | <code title="map(object({ percent = number latest = optional(bool) tag = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [volumes](variables.tf#L225) | Named volumes in containers in name => attributes format. | <code title="map(object({ secret_name = string default_mode = optional(string) items = optional(map(object({ path = string mode = optional(string) }))) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [vpc_connector_create](variables.tf#L239) | Populate this to create a VPC connector. You can then refer to it in the template annotations. | <code title="object({ ip_cidr_range = optional(string) vpc_self_link = optional(string) machine_type = optional(string) name = optional(string) instances = optional(object({ max = optional(number) min = optional(number) }), {}) throughput = optional(object({ max = optional(number) min = optional(number) }), {}) subnet = optional(object({ name = optional(string) project_id = optional(string) }), {}) })">object({…})</code> | | <code>null</code> |
|
||||
| [tag_bindings](variables.tf#L208) | Tag bindings for this service, in key => tag value id format. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [timeout_seconds](variables.tf#L215) | Maximum duration the instance is allowed for responding to a request. | <code>number</code> | | <code>null</code> |
|
||||
| [traffic](variables.tf#L221) | Traffic steering configuration. If revision name is null the latest revision will be used. | <code title="map(object({ percent = number latest = optional(bool) tag = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [volumes](variables.tf#L232) | Named volumes in containers in name => attributes format. | <code title="map(object({ secret_name = string default_mode = optional(string) items = optional(map(object({ path = string mode = optional(string) }))) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [vpc_connector_create](variables.tf#L246) | Populate this to create a VPC connector. You can then refer to it in the template annotations. | <code title="object({ ip_cidr_range = optional(string) vpc_self_link = optional(string) machine_type = optional(string) name = optional(string) instances = optional(object({ max = optional(number) min = optional(number) }), {}) throughput = optional(object({ max = optional(number) min = optional(number) }), {}) subnet = optional(object({ name = optional(string) project_id = optional(string) }), {}) })">object({…})</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,24 @@
|
|||
/**
|
||||
* Copyright 2023 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
resource "google_tags_location_tag_binding" "binding" {
|
||||
for_each = var.tag_bindings
|
||||
parent = (
|
||||
"//run.googleapis.com/projects/${var.project_id}/locations/europe-west1/services/${google_cloud_run_service.service.name}"
|
||||
)
|
||||
tag_value = each.value
|
||||
location = var.region
|
||||
}
|
||||
|
|
@ -205,6 +205,13 @@ variable "startup_cpu_boost" {
|
|||
default = false
|
||||
}
|
||||
|
||||
variable "tag_bindings" {
|
||||
description = "Tag bindings for this service, in key => tag value id format."
|
||||
type = map(string)
|
||||
nullable = false
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "timeout_seconds" {
|
||||
description = "Maximum duration the instance is allowed for responding to a request."
|
||||
type = number
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@
|
|||
- [GCS notifications](#gcs-notifications)
|
||||
- [Object upload](#object-upload)
|
||||
- [IAM](#iam)
|
||||
- [Tags](#tags)
|
||||
- [Tag Bindings](#tag-bindings)
|
||||
- [Variables](#variables)
|
||||
- [Outputs](#outputs)
|
||||
<!-- END TOC -->
|
||||
|
|
@ -247,7 +247,7 @@ module "bucket" {
|
|||
# tftest modules=1 resources=2 inventory=iam-bindings-additive.yaml e2e
|
||||
```
|
||||
|
||||
## Tags
|
||||
## Tag Bindings
|
||||
|
||||
Refer to the [Creating and managing tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) documentation for details on usage.
|
||||
|
||||
|
|
@ -307,10 +307,10 @@ module "bucket" {
|
|||
| [retention_policy](variables.tf#L236) | Bucket retention policy. | <code title="object({ retention_period = number is_locked = optional(bool) })">object({…})</code> | | <code>null</code> |
|
||||
| [soft_delete_retention](variables.tf#L245) | The duration in seconds that soft-deleted objects in the bucket will be retained and cannot be permanently deleted. Set to 0 to override the default and disable. | <code>number</code> | | <code>null</code> |
|
||||
| [storage_class](variables.tf#L251) | Bucket storage class. | <code>string</code> | | <code>"MULTI_REGIONAL"</code> |
|
||||
| [tag_bindings](variables.tf#L261) | Tag bindings for this folder, in key => tag value id format. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [uniform_bucket_level_access](variables.tf#L267) | Allow using object ACLs (false) or not (true, this is the recommended behavior) , defaults to true (which is the recommended practice, but not the behavior of storage API). | <code>bool</code> | | <code>true</code> |
|
||||
| [versioning](variables.tf#L273) | Enable versioning, defaults to false. | <code>bool</code> | | <code>false</code> |
|
||||
| [website](variables.tf#L279) | Bucket website. | <code title="object({ main_page_suffix = optional(string) not_found_page = optional(string) })">object({…})</code> | | <code>null</code> |
|
||||
| [tag_bindings](variables.tf#L261) | Tag bindings for this folder, in key => tag value id format. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [uniform_bucket_level_access](variables.tf#L268) | Allow using object ACLs (false) or not (true, this is the recommended behavior) , defaults to true (which is the recommended practice, but not the behavior of storage API). | <code>bool</code> | | <code>true</code> |
|
||||
| [versioning](variables.tf#L274) | Enable versioning, defaults to false. | <code>bool</code> | | <code>false</code> |
|
||||
| [website](variables.tf#L280) | Bucket website. | <code title="object({ main_page_suffix = optional(string) not_found_page = optional(string) })">object({…})</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@
|
|||
*/
|
||||
|
||||
resource "google_tags_location_tag_binding" "binding" {
|
||||
for_each = coalesce(var.tag_bindings, {})
|
||||
for_each = var.tag_bindings
|
||||
parent = "//storage.googleapis.com/projects/_/buckets/${local.prefix}${lower(var.name)}"
|
||||
tag_value = each.value
|
||||
location = var.location
|
||||
|
|
|
|||
|
|
@ -261,7 +261,8 @@ variable "storage_class" {
|
|||
variable "tag_bindings" {
|
||||
description = "Tag bindings for this folder, in key => tag value id format."
|
||||
type = map(string)
|
||||
default = null
|
||||
nullable = false
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "uniform_bucket_level_access" {
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ When using an existing keyring be mindful about applying IAM bindings, as all bi
|
|||
- [Using an existing keyring](#using-an-existing-keyring)
|
||||
- [Crypto key purpose](#crypto-key-purpose)
|
||||
- [Import job](#import-job)
|
||||
- [Tag Bindings](#tag-bindings)
|
||||
- [Variables](#variables)
|
||||
- [Outputs](#outputs)
|
||||
<!-- END TOC -->
|
||||
|
|
@ -114,6 +115,41 @@ module "kms" {
|
|||
}
|
||||
# tftest modules=1 resources=2 inventory=import-job.yaml e2e
|
||||
```
|
||||
|
||||
### Tag Bindings
|
||||
|
||||
Refer to the [Creating and managing tags](https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing) documentation for details on usage.
|
||||
|
||||
```hcl
|
||||
module "org" {
|
||||
source = "./fabric/modules/organization"
|
||||
organization_id = var.organization_id
|
||||
tags = {
|
||||
environment = {
|
||||
description = "Environment specification."
|
||||
values = {
|
||||
dev = {}
|
||||
prod = {}
|
||||
sandbox = {}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "kms" {
|
||||
source = "./fabric/modules/kms"
|
||||
project_id = var.project_id
|
||||
keyring = {
|
||||
location = var.region
|
||||
name = "test-3"
|
||||
}
|
||||
tag_bindings = {
|
||||
env-sandbox = module.org.tag_values["environment/sandbox"].id
|
||||
}
|
||||
}
|
||||
# tftest modules=2 resources=6
|
||||
```
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
## Variables
|
||||
|
||||
|
|
|
|||
|
|
@ -16,6 +16,6 @@
|
|||
|
||||
resource "google_tags_tag_binding" "binding" {
|
||||
for_each = var.tag_bindings
|
||||
parent = "//cloudresourcemanager.googleapis.com/${local.keyring.id}"
|
||||
parent = "//cloudkms.googleapis.com/${local.keyring.id}"
|
||||
tag_value = each.value
|
||||
}
|
||||
|
|
|
|||
|
|
@ -119,6 +119,6 @@ variable "project_id" {
|
|||
variable "tag_bindings" {
|
||||
description = "Tag bindings for this keyring, in key => tag value id format."
|
||||
type = map(string)
|
||||
default = {}
|
||||
nullable = false
|
||||
default = {}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue