Terraform Cloud Run Module

This module handles the basic deployment of containerized applications on Cloud Run, along with domain mapping and IAM policy for the service.

The resources/services/activations/deletions that this module will create/trigger are:

• Creates a Cloud Run service with provided name and container
• Creates Domain mapping for the deployed service
• Applies Cloud Run Invoker role to members

Assumptions and Prerequisites

This module assumes that below mentioned prerequisites are in place before consuming the module.

• All required APIs are enabled in the GCP Project
• Cloud SQL (optional)
• VPC Connector (optional)
• Environment Variables in Secret Manager (optional)

Usage

Basic usage of this module is as follows:

module "cloud_run" {
  source  = "GoogleCloudPlatform/cloud-run/google"
  version = "~> 0.2.0"

  # Required variables
  service_name           = "<SERVICE NAME>"
  project_id             = "<PROJECT ID>"
  location               = "<LOCATION>"
  image                  = "gcr.io/cloudrun/hello"
}

Inputs

Name	Description	Type	Default	Required
argument	Arguments passed to the ENTRYPOINT command, include these only if image entrypoint needs arguments	list(string)	[]	no
certificate_mode	The mode of the certificate (NONE or AUTOMATIC)	string	"NONE"	no
container_command	Leave blank to use the ENTRYPOINT command defined in the container image, include these only if image entrypoint should be overwritten	list(string)	[]	no
container_concurrency	Concurrent request limits to the service	number	null	no
domain_map_annotations	Annotations to the domain map	map(string)	{}	no
domain_map_labels	A set of key/value label pairs to assign to the Domain mapping	map(string)	{}	no
encryption_key	CMEK encryption key self-link expected in the format projects/PROJECT/locations/LOCATION/keyRings/KEY-RING/cryptoKeys/CRYPTO-KEY.	string	null	no
env_secret_vars	[Beta] Environment variables (Secret Manager)	list(object({ name = string value_from = set(object({ secret_key_ref = map(string) })) }))	[]	no
env_vars	Environment variables (cleartext)	list(object({ value = string name = string }))	[]	no
force_override	Option to force override existing mapping	bool	false	no
generate_revision_name	Option to enable revision name generation	bool	true	no
image	GCR hosted image URL to deploy	string	n/a	yes
limits	Resource limits to the container	map(string)	null	no
location	Cloud Run service deployment location	string	n/a	yes
members	Users/SAs to be given invoker access to the service	list(string)	[]	no
ports	Port which the container listens to (http1 or h2c)	object({ name = string port = number })	{ "name": "http1", "port": 8080 }	no
project_id	The project ID to deploy to	string	n/a	yes
requests	Resource requests to the container	map(string)	{}	no
service_account_email	Service Account email needed for the service	string	""	no
service_annotations	Annotations to the service. Acceptable values all, internal, internal-and-cloud-load-balancing	map(string)	{ "run.googleapis.com/ingress": "all" }	no
service_labels	A set of key/value label pairs to assign to the service	map(string)	{}	no
service_name	The name of the Cloud Run service to create	string	n/a	yes
template_annotations	Annotations to the container metadata including VPC Connector and SQL. See more details	map(string)	{ "autoscaling.knative.dev/maxScale": 2, "autoscaling.knative.dev/minScale": 1, "generated-by": "terraform", "run.googleapis.com/client-name": "terraform" }	no
template_labels	A set of key/value label pairs to assign to the container metadata	map(string)	{}	no
timeout_seconds	Timeout for each request	number	120	no
traffic_split	Managing traffic routing to the service	list(object({ latest_revision = bool percent = number revision_name = string }))	[ { "latest_revision": true, "percent": 100, "revision_name": "v1-0-0" } ]	no
verified_domain_name	Custom Domain Name	string	""	no
volume_mounts	[Beta] Volume Mounts to be attached to the container (when using secret)	list(object({ mount_path = string name = string }))	[]	no
volumes	[Beta] Volumes needed for environment variables (when using secret)	list(object({ name = string secret = set(object({ secret_name = string items = map(string) })) }))	[]	no

Outputs

Name	Description
domain_map_id	Unique Identifier for the created domain map
domain_map_status	Status of Domain mapping
location	Location in which the Cloud Run service was created
project_id	Google Cloud project in which the service was created
revision	Deployed revision for the service
service_id	Unique Identifier for the created service
service_name	Name of the created service
service_status	Status of the created service
service_url	The URL on which the deployed service is available

Requirements

These sections describe requirements for using this module.

Software

• Terraform ~> v0.13+
• Terraform Provider for GCP >= 3.53, < 5.0
• Terraform Provider for GCP Beta >= 3.53, < 5.0

Service Account

A service account can be used with required roles to execute this module:

• Cloud Run Admin: roles/run.admin

Know more about Cloud Run Deployment Permissions.

The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.

APIs

A project with the following APIs enabled must be used to host the main resource of this module:

• Google Cloud Run: run.googleapis.com
• Serverless VPC Access (optional): vpcaccess.googleapis.com
• Cloud SQL (optional): sqladmin.googleapis.com

Contributing

Refer to the contribution guidelines for information on contributing to this module.