From 78095063f7144751823b9189d710231bf7b1735a Mon Sep 17 00:00:00 2001
From: Mikhail Filipchuk
Date: Wed, 9 Aug 2023 22:04:16 +0100
Subject: [PATCH 1/2] feat(modules/cloud-run): add gen2 exec env support (#1582)
---
 modules/cloud-run/README.md | 53 +++++++++++++++-------
 modules/cloud-run/main.tf | 3 ++
 modules/cloud-run/variables.tf | 6 +++
 tests/modules/cloud_run/examples/gen2.yaml | 40 ++++++++++++++++
 4 files changed, 85 insertions(+), 17 deletions(-)
 create mode 100644 tests/modules/cloud_run/examples/gen2.yaml
diff --git a/modules/cloud-run/README.md b/modules/cloud-run/README.md
index a16f45b2..0db9d114 100644
--- a/modules/cloud-run/README.md
+++ b/modules/cloud-run/README.md
@@ -9,6 +9,7 @@ Cloud Run management, with support for IAM roles, revision annotations and optio
 - [IAM and environment variables](#iam-and-environment-variables)
 - [Mounting secrets as volumes](#mounting-secrets-as-volumes)
 - [Revision annotations](#revision-annotations)
+ - [Second generation execution environment](#second-generation-execution-environment)
 - [VPC Access Connector creation](#vpc-access-connector-creation)
 - [Traffic split](#traffic-split)
 - [Eventarc triggers](#eventarc-triggers)
@@ -107,6 +108,25 @@ module "cloud_run" {
 # tftest modules=1 resources=1 inventory=revision-annotations.yaml
 ```
+### Second generation execution environment
+
+Second generation execution environment (gen2) can be enabled by setting the `gen2_execution_environment` variable to true:
+
+```hcl
+module "cloud_run" {
+ source = "./fabric/modules/cloud-run"
+ project_id = var.project_id
+ name = "hello"
+ containers = {
+ hello = {
+ image = "us-docker.pkg.dev/cloudrun/container/hello"
+ }
+ }
+ gen2_execution_environment = true
+}
+# tftest modules=1 resources=1 inventory=gen2.yaml
+```
+
 ### VPC Access Connector creation
 If creation of a [VPC Access Connector](https://cloud.google.com/vpc/docs/serverless-vpc-access) is required, use the `vpc_connector_create` variable which also support optional attributes for number of instances, machine type, and throughput (not shown here). The annotation to use the connector will be added automatically.
@@ -313,29 +333,29 @@ module "cloud_run" {
 # tftest modules=1 resources=1 inventory=service-account-external.yaml
 ```
-
 ## Variables
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [name](variables.tf#L130) | Name used for cloud run service. | string | ✓ | |
-| [project_id](variables.tf#L145) | Project id used for all resources. | string | ✓ | |
+| [name](variables.tf#L136) | Name used for cloud run service. | string | ✓ | |
+| [project_id](variables.tf#L151) | Project id used for all resources. | string | ✓ | |
 | [container_concurrency](variables.tf#L18) | Maximum allowed in-flight (concurrent) requests per container of the revision. | string | | null |
 | [containers](variables.tf#L24) | Containers in arbitrary key => attributes format. | map(object({…})) | | {} |
 | [eventarc_triggers](variables.tf#L91) | Event arc triggers for different sources. | object({…}) | | {} |
-| [iam](variables.tf#L105) | IAM bindings for Cloud Run service in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
-| [ingress_settings](variables.tf#L111) | Ingress settings. | string | | null |
-| [labels](variables.tf#L124) | Resource labels. | map(string) | | {} |
-| [prefix](variables.tf#L135) | Optional prefix used for resource names. | string | | null |
-| [region](variables.tf#L150) | Region used for all resources. | string | | "europe-west1" |
-| [revision_annotations](variables.tf#L156) | Configure revision template annotations. | object({…}) | | {} |
-| [revision_name](variables.tf#L171) | Revision name. | string | | null |
-| [service_account](variables.tf#L177) | Service account email. Unused if service account is auto-created. | string | | null |
-| [service_account_create](variables.tf#L183) | Auto-create service account. | bool | | false |
-| [timeout_seconds](variables.tf#L189) | Maximum duration the instance is allowed for responding to a request. | number | | null |
-| [traffic](variables.tf#L195) | Traffic steering configuration. 
If revision name is null the latest revision will be used. | map(object({…})) | | {} |
-| [volumes](variables.tf#L206) | Named volumes in containers in name => attributes format. | map(object({…})) | | {} |
-| [vpc_connector_create](variables.tf#L220) | Populate this to create a VPC connector. You can then refer to it in the template annotations. | object({…}) | | null |
+| [gen2_execution_environment](variables.tf#L105) | Use second generation execution environment. | bool | | false |
+| [iam](variables.tf#L111) | IAM bindings for Cloud Run service in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
+| [ingress_settings](variables.tf#L117) | Ingress settings. | string | | null |
+| [labels](variables.tf#L130) | Resource labels. | map(string) | | {} |
+| [prefix](variables.tf#L141) | Optional prefix used for resource names. | string | | null |
+| [region](variables.tf#L156) | Region used for all resources. | string | | "europe-west1" |
+| [revision_annotations](variables.tf#L162) | Configure revision template annotations. | object({…}) | | {} |
+| [revision_name](variables.tf#L177) | Revision name. | string | | null |
+| [service_account](variables.tf#L183) | Service account email. Unused if service account is auto-created. | string | | null |
+| [service_account_create](variables.tf#L189) | Auto-create service account. | bool | | false |
+| [timeout_seconds](variables.tf#L195) | Maximum duration the instance is allowed for responding to a request. | number | | null |
+| [traffic](variables.tf#L201) | Traffic steering configuration. If revision name is null the latest revision will be used. | map(object({…})) | | {} |
+| [volumes](variables.tf#L212) | Named volumes in containers in name => attributes format. | map(object({…})) | | {} |
+| [vpc_connector_create](variables.tf#L226) | Populate this to create a VPC connector. You can then refer to it in the template annotations. | object({…}) | | null |
 ## Outputs
@@ -348,5 +368,4 @@ module "cloud_run" {
 | [service_account_iam_email](outputs.tf#L38) | Service account email. | |
 | [service_name](outputs.tf#L46) | Cloud Run service name. | |
 | [vpc_connector](outputs.tf#L52) | VPC connector resource if created. | |
-
diff --git a/modules/cloud-run/main.tf b/modules/cloud-run/main.tf
index 6b1177b3..e5371273 100644
--- a/modules/cloud-run/main.tf
+++ b/modules/cloud-run/main.tf
@@ -69,6 +69,9 @@ locals {
 var.revision_annotations.vpcaccess_egress
 )
 },
+ var.gen2_execution_environment ? {
+ "run.googleapis.com/execution-environment" = "gen2"
+ } : {},
 )
 revision_name = (
 try(var.revision_name, null) == null
diff --git a/modules/cloud-run/variables.tf b/modules/cloud-run/variables.tf
index f176ae40..09d10296 100644
--- a/modules/cloud-run/variables.tf
+++ b/modules/cloud-run/variables.tf
@@ -102,6 +102,12 @@ variable "eventarc_triggers" {
 default = {}
 }
+variable "gen2_execution_environment" {
+ description = "Use second generation execution environment."
+ type = bool
+ default = false
+}
+
 variable "iam" {
 description = "IAM bindings for Cloud Run service in {ROLE => [MEMBERS]} format."
 type = map(list(string))
diff --git a/tests/modules/cloud_run/examples/gen2.yaml b/tests/modules/cloud_run/examples/gen2.yaml
new file mode 100644
index 00000000..e38bffad
--- /dev/null
+++ b/tests/modules/cloud_run/examples/gen2.yaml
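Review bot: When `gen2_execution_environment` is false the conditional on the first added line of the main.tf hunk merges `{}`, so no `run.googleapis.com/execution-environment` annotation is emitted and the revision runs in whatever the platform default is; the module gives callers no way to pin `gen1` explicitly, so a later change of that default would move existing services to a different execution environment without any change in the configuration. If that is the intended contract it should be stated where users read it: the description added in the variables.tf hunk, `Use second generation execution environment.`, could become `Use second generation execution environment. When false the annotation is not set and the platform default applies.`, and the new README section could carry the same sentence. A nullable string variable validated against `gen1`/`gen2` would allow an explicit pin, but that is a larger interface change than this commit makes and can be a follow-up. The enclosing `locals` block starts before the hunk and continues after it with `revision_name`.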
@@ -0,0 +1,40 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.cloud_run.google_cloud_run_service.service:
+ autogenerate_revision_name: false
+ location: europe-west1
+ metadata:
+ - {}
+ name: hello
+ project: project-id
+ template:
+ - metadata:
+ - annotations:
+ run.googleapis.com/execution-environment: gen2
+ spec:
+ - containers:
+ - args: null
+ command: null
+ env: []
+ env_from: []
+ image: us-docker.pkg.dev/cloudrun/container/hello
+ liveness_probe: []
+ volume_mounts: []
+ working_dir: null
+ volumes: []
+
+counts:
+ google_cloud_run_service: 1
From c5a77ebfe3d44c2a51e23ffb104bb112c9b78ec8 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Wed, 9 Aug 2023 23:41:56 +0200
Subject: [PATCH 2/2] fix module path for teams cicd (#1583)
---
 fast/stages/1-resman/cicd-teams.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fast/stages/1-resman/cicd-teams.tf b/fast/stages/1-resman/cicd-teams.tf
index f604a085..cbfc0780 100644
--- a/fast/stages/1-resman/cicd-teams.tf
+++ b/fast/stages/1-resman/cicd-teams.tf
@@ -19,7 +19,7 @@ # source repository
 module "branch-teams-team-cicd-repo" {
- source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/source-repository?ref=v24.0.0"
+ source = "../../../modules/source-repository"
 for_each = {
 for k, v in coalesce(local.team_cicd_repositories, {}) : k => v
 if v.cicd.type == "sourcerepo"
@@ -50,7 +50,7 @@ module "branch-teams-team-cicd-repo" { # SA used by CI/CD workflows to impersonate automation SAs module "branch-teams-team-sa-cicd" { - source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/iam-service-account?ref=v24.0.0" + source = "../../../modules/iam-service-account" for_each = ( try(local.team_cicd_repositories, null) != null ? local.team_cicd_repositories