# Cloud Run Module

Cloud Run management, with support for IAM roles, revision annotations and optional Eventarc trigger creation.

- [Examples](#examples)
  - [IAM and environment variables](#iam-and-environment-variables)
  - [Mounting secrets as volumes](#mounting-secrets-as-volumes)
  - [Revision annotations](#revision-annotations)
  - [Second generation execution environment](#second-generation-execution-environment)
  - [VPC Access Connector creation](#vpc-access-connector-creation)
  - [Traffic split](#traffic-split)
  - [Eventarc triggers](#eventarc-triggers)
    - [PubSub](#pubsub)
    - [Audit logs](#audit-logs)
    - [Using custom service accounts for triggers](#using-custom-service-accounts-for-triggers)
  - [Service account](#service-account)
- [Variables](#variables)
- [Outputs](#outputs)

## Examples

### IAM and environment variables

IAM bindings support the usual syntax. Container environment values can be declared as key-value strings or as references to Secret Manager secrets. Both can be combined as long as there's no duplication of keys. Note that granting `roles/run.invoker` to `allUsers`, as in the example below, makes the service publicly invokable; restrict the binding to specific principals for anything that is not meant to be public.

```hcl
module "secret-manager" {
  source     = "./fabric/modules/secret-manager"
  project_id = var.project_id
  secrets = {
    credentials = {}
  }
  iam = {
    credentials = {
      "roles/secretmanager.secretAccessor" = [module.cloud_run.service_account_iam_email]
    }
  }
}

module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
      env = {
        VAR1 = "VALUE1"
        VAR2 = "VALUE2"
      }
      env_from = {
        SECRET1 = {
          name = module.secret-manager.ids["credentials"]
          key  = "latest"
        }
      }
    }
  }
  iam = {
    "roles/run.invoker" = ["allUsers"]
  }
  service_account_create = true
}
# tftest modules=2 resources=5 inventory=simple.yaml e2e
```

### Mounting secrets as volumes

```hcl
module "secret-manager" {
  source     = "./fabric/modules/secret-manager"
  project_id = var.project_id
  secrets = {
    credentials = {}
  }
  versions = {
    credentials = {
      v1 = { enabled = true, data = "foo bar baz" }
    }
  }
  iam = {
    credentials = {
      "roles/secretmanager.secretAccessor" = [module.cloud_run.service_account_iam_email]
    }
  }
}

module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  name       = "hello"
  region     = var.region
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
      volume_mounts = {
        "credentials" = "/credentials"
      }
    }
  }
  service_account_create = true
  volumes = {
    credentials = {
      name        = module.secret-manager.secrets["credentials"].name
      secret_name = "credentials" # TODO: module.secret-manager.secrets["credentials"].name
      items = {
        latest = { path = "v1.txt" }
      }
    }
  }
}
# tftest modules=2 resources=5 inventory=secrets.yaml e2e
```

### Revision annotations

Annotations can be specified via the `revision_annotations` variable:

```hcl
module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  revision_annotations = {
    autoscaling = {
      max_scale = 10
      min_scale = 1
    }
    cloudsql_instances  = ["sql-0", "sql-1"]
    vpcaccess_connector = "foo"
    vpcaccess_egress    = "all-traffic"
  }
}
# tftest modules=1 resources=1 inventory=revision-annotations.yaml
```

### Second generation execution environment

The second generation execution environment (gen2) can be enabled by setting the `gen2_execution_environment` variable to `true`:

```hcl
module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  gen2_execution_environment = true
}
# tftest modules=1 resources=1 inventory=gen2.yaml e2e
```

### VPC Access Connector creation

If creation of a [VPC Access Connector](https://cloud.google.com/vpc/docs/serverless-vpc-access) is required, use the `vpc_connector_create` variable, which also supports optional attributes for number of instances, machine type, and throughput (not shown here). The annotation to use the connector will be added automatically.

```hcl
module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  vpc_connector_create = {
    ip_cidr_range = "10.10.10.0/28"
    vpc_self_link = var.vpc.self_link
  }
}
# tftest modules=1 resources=2 inventory=connector.yaml e2e
```

Note that if you are using Shared VPC you need to specify a subnet:

```hcl
module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  vpc_connector_create = {
    subnet = {
      name       = "subnet-vpc-access"
      project_id = "host-project"
    }
  }
}
# tftest modules=1 resources=2 inventory=connector-shared.yaml
```

### Traffic split

This deploys a Cloud Run service with traffic split between two revisions.

```hcl
module "cloud_run" {
  source        = "./fabric/modules/cloud-run"
  project_id    = var.project_id
  region        = var.region
  name          = "hello"
  revision_name = "green"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  traffic = {
    blue  = { percent = 25 }
    green = { percent = 75 }
  }
}
# tftest modules=1 resources=1 inventory=traffic.yaml
```

### Eventarc triggers

#### PubSub

This deploys a Cloud Run service that will be triggered when messages are published to Pub/Sub topics.
```hcl
module "pubsub" {
  source     = "./fabric/modules/pubsub"
  project_id = var.project_id
  name       = "pubsub_sink"
}

module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  eventarc_triggers = {
    pubsub = {
      topic-1 = module.pubsub.id
    }
  }
}
# tftest modules=2 resources=3 inventory=eventarc.yaml e2e
```

#### Audit logs

This deploys a Cloud Run service that will be triggered when specific log events are written to Google Cloud audit logs.

```hcl
module "sa" {
  source     = "./fabric/modules/iam-service-account"
  project_id = var.project_id
  name       = "eventarc-trigger"
  iam_project_roles = {
    (var.project_id) = ["roles/eventarc.eventReceiver"]
  }
}

module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  eventarc_triggers = {
    audit_log = {
      setiampolicy = {
        method  = "SetIamPolicy"
        service = "cloudresourcemanager.googleapis.com"
      }
    }
    service_account_email = module.sa.email
  }
  iam = {
    "roles/run.invoker" = [module.sa.iam_email]
  }
}
# tftest modules=2 resources=5 inventory=audit-logs.yaml
```

#### Using custom service accounts for triggers

By default the Compute default service account is used to trigger Cloud Run. Since that account is granted the project Editor role by default unless the organization policy disabling automatic role grants is in place, a dedicated trigger identity holding only `roles/run.invoker` is preferable. To use a custom service account, either provide your own in `eventarc_triggers.service_account_email`, or set `eventarc_triggers.service_account_create` to `true`, in which case a service account named `tf-cr-trigger-${var.name}` is created with `roles/run.invoker` granted on this Cloud Run service. For an example using a provided service account, refer to [Audit logs](#audit-logs).
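The two settings that most often go wrong in this module's examples are the invoker binding (the `allUsers` grant in the IAM and environment variables example above) and a trigger left on the Compute default service account (this section). The script below, an added example that is not part of the Fabric module, checks both in the JSON output of `terraform show -json` before apply, together with the `run.googleapis.com/ingress` annotation that the module sets from `ingress_settings`. The resource addresses and the plan fragments embedded in it are constructed for illustration; the plan document layout (`planned_values`, `child_modules`, `resource_changes[].change.after_unknown`) is the real Terraform plan JSON format.

```python
"""Audit a Terraform plan (terraform show -json tfplan) for risky Cloud Run settings.

Added example, not code from the Fabric module. Resource addresses below are
illustrative. Flags: roles/run.invoker granted to allUsers/allAuthenticatedUsers,
services whose ingress annotation is unset or "all", and Eventarc triggers with no
service_account (they fall back to the Compute default service account).
"""
from __future__ import annotations

import json
import sys
from typing import Iterator

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
INGRESS_ANNOTATION = "run.googleapis.com/ingress"
IAM_TYPES = {"google_cloud_run_service_iam_binding", "google_cloud_run_service_iam_member"}


def iter_resources(module: dict) -> Iterator[dict]:
    """Walk planned_values recursively, yielding resources of nested modules too."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def unknown_attrs(plan: dict, address: str) -> dict:
    """Attributes of `address` only known at apply time (e.g. an SA created in the same plan)."""
    for change in plan.get("resource_changes", []):
        if change.get("address") == address:
            return change.get("change", {}).get("after_unknown") or {}
    return {}


def audit_plan(plan: dict) -> list[tuple[str, str, str]]:
    """Return (severity, resource address, message) findings in plan order."""
    findings: list[tuple[str, str, str]] = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        rtype, addr, values = res.get("type"), res.get("address", "?"), res.get("values") or {}
        if rtype in IAM_TYPES and values.get("role") == "roles/run.invoker":
            members = values.get("members") or [values.get("member")]
            public = sorted(PUBLIC_PRINCIPALS.intersection(m for m in members if m))
            if public:
                findings.append(("HIGH", addr, f"run.invoker granted to {', '.join(public)}: service is public"))
        elif rtype == "google_cloud_run_service":
            annotations = (values.get("metadata") or [{}])[0].get("annotations") or {}
            if annotations.get(INGRESS_ANNOTATION, "all") == "all":
                findings.append(("MEDIUM", addr, "ingress is 'all'; consider 'internal' or 'internal-and-cloud-load-balancing'"))
        elif rtype == "google_eventarc_trigger":
            # A service_account absent from values but listed in after_unknown is computed, not missing.
            if not values.get("service_account") and not unknown_attrs(plan, addr).get("service_account"):
                findings.append(("MEDIUM", addr, "no service_account: trigger uses the Compute default service account"))
    return findings


def _plan(resources: list[dict], changes: list[dict] | None = None) -> dict:
    """Wrap resources in a minimal plan document with one child module (constructed test data)."""
    return {
        "planned_values": {"root_module": {"child_modules": [{"address": "module.cloud_run", "resources": resources}]}},
        "resource_changes": changes or [],
    }


# Constructed plan: public invoker, no ingress restriction, trigger on the default service account.
WEAK_PLAN = _plan([
    {"address": "module.cloud_run.google_cloud_run_service.service", "type": "google_cloud_run_service",
     "values": {"name": "hello", "metadata": [{"annotations": {}}]}},
    {"address": 'module.cloud_run.google_cloud_run_service_iam_binding.binding["roles/run.invoker"]',
     "type": "google_cloud_run_service_iam_binding", "values": {"role": "roles/run.invoker", "members": ["allUsers"]}},
    {"address": 'module.cloud_run.google_eventarc_trigger.trigger["setiampolicy"]',
     "type": "google_eventarc_trigger", "values": {"name": "setiampolicy"}},
])

# Constructed plan: internal ingress, invoker limited to a pre-existing trigger SA, trigger SA set.
HARDENED_PLAN = _plan([
    {"address": "module.cloud_run.google_cloud_run_service.service", "type": "google_cloud_run_service",
     "values": {"name": "hello", "metadata": [{"annotations": {INGRESS_ANNOTATION: "internal"}}]}},
    {"address": 'module.cloud_run.google_cloud_run_service_iam_binding.binding["roles/run.invoker"]',
     "type": "google_cloud_run_service_iam_binding",
     "values": {"role": "roles/run.invoker", "members": ["serviceAccount:eventarc-trigger@example.iam.gserviceaccount.com"]}},
    {"address": 'module.cloud_run.google_eventarc_trigger.trigger["setiampolicy"]', "type": "google_eventarc_trigger",
     "values": {"name": "setiampolicy", "service_account": "eventarc-trigger@example.iam.gserviceaccount.com"}},
])

# Constructed plan: trigger SA created in the same apply, so its email is unknown at plan time.
PENDING_SA_PLAN = _plan(
    [{"address": 'module.cloud_run.google_eventarc_trigger.trigger["topic-1"]',
      "type": "google_eventarc_trigger", "values": {"name": "topic-1"}}],
    changes=[{"address": 'module.cloud_run.google_eventarc_trigger.trigger["topic-1"]',
              "change": {"after_unknown": {"service_account": True}}}],
)

if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json && python audit_cloud_run_plan.py plan.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            document = json.load(fh)
    else:
        document = WEAK_PLAN
    for severity, address, message in audit_plan(document):
        print(f"[{severity}] {address}: {message}")
```

Run against the weak plan this reports the public invoker as HIGH and the open ingress and default trigger identity as MEDIUM; the hardened plan produces no findings. An unknown `service_account` is deliberately not reported, because a plan that also creates the trigger service account (`service_account_create = true`) cannot know its email yet; re-run the audit against the state after apply if you need that case covered.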
Example using an automatically created service account:

```hcl
module "pubsub" {
  source     = "./fabric/modules/pubsub"
  project_id = var.project_id
  name       = "pubsub_sink"
}

module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  eventarc_triggers = {
    pubsub = {
      topic-1 = module.pubsub.id
    }
    service_account_create = true
  }
}
# tftest modules=2 resources=5 inventory=trigger-service-account.yaml e2e
```

### Service account

To use a custom service account managed by the module, set `service_account_create` to `true` and leave `service_account` at its default of `null`.

```hcl
module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  service_account_create = true
}
# tftest modules=1 resources=2 inventory=service-account.yaml e2e
```

To use an externally managed service account, pass its email in `service_account` and leave `service_account_create` at `false` (the default).

```hcl
module "cloud_run" {
  source     = "./fabric/modules/cloud-run"
  project_id = var.project_id
  region     = var.region
  name       = "hello"
  containers = {
    hello = {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
  service_account = var.service_account.email
}
# tftest modules=1 resources=1 inventory=service-account-external.yaml e2e
```

## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [name](variables.tf#L144) | Name used for cloud run service. | string | ✓ | |
| [project_id](variables.tf#L159) | Project id used for all resources. | string | ✓ | |
| [region](variables.tf#L164) | Region used for all resources. | string | ✓ | |
| [container_concurrency](variables.tf#L18) | Maximum allowed in-flight (concurrent) requests per container of the revision. | string | | null |
| [containers](variables.tf#L24) | Containers in arbitrary key => attributes format. | map(object({…})) | | {} |
| [eventarc_triggers](variables.tf#L91) | Eventarc triggers for different sources. | object({…}) | | {} |
| [gen2_execution_environment](variables.tf#L113) | Use second generation execution environment. | bool | | false |
| [iam](variables.tf#L119) | IAM bindings for Cloud Run service in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| [ingress_settings](variables.tf#L125) | Ingress settings. | string | | null |
| [labels](variables.tf#L138) | Resource labels. | map(string) | | {} |
| [prefix](variables.tf#L149) | Optional prefix used for resource names. | string | | null |
| [revision_annotations](variables.tf#L169) | Configure revision template annotations. | object({…}) | | {} |
| [revision_name](variables.tf#L184) | Revision name. | string | | null |
| [service_account](variables.tf#L190) | Service account email. Unused if service account is auto-created. | string | | null |
| [service_account_create](variables.tf#L196) | Auto-create service account. | bool | | false |
| [startup_cpu_boost](variables.tf#L202) | Enable startup cpu boost. | bool | | false |
| [timeout_seconds](variables.tf#L208) | Maximum duration the instance is allowed for responding to a request. | number | | null |
| [traffic](variables.tf#L214) | Traffic steering configuration. If revision name is null the latest revision will be used. | map(object({…})) | | {} |
| [volumes](variables.tf#L225) | Named volumes in containers in name => attributes format. | map(object({…})) | | {} |
| [vpc_connector_create](variables.tf#L239) | Populate this to create a VPC connector. You can then refer to it in the template annotations. | object({…}) | | null |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| [id](outputs.tf#L18) | Fully qualified service id. | |
| [service](outputs.tf#L23) | Cloud Run service. | |
| [service_account](outputs.tf#L28) | Service account resource. | |
| [service_account_email](outputs.tf#L33) | Service account email. | |
| [service_account_iam_email](outputs.tf#L38) | Service account email in IAM member format (`serviceAccount:...`). | |
| [service_name](outputs.tf#L46) | Cloud Run service name. | |
| [vpc_connector](outputs.tf#L52) | VPC connector resource if created. | |