Terraform deployment is failling while creating cloud run service with env_vars for HTTP_PROXY(capital) . If iam using http_proxy it is getting success , but our requirement is to have env var HTTP_PROXY.

However it is allowing us to create env var with HTTP_PROXY in google console, no issue at google end.

Please help us in resolving this issue.

We should try to hardcode as much as possible in examples. For instance
https://github.com/GoogleCloudPlatform/terraform-google-cloud-run/blob/main/examples/simple_cloud_run/main.tf
we can hard code everything except project_id.

------------8<--------------8<------------
Authentication *

Allow unauthenticated invocations
Check this if you are creating a public API or website.

Require authentication
Manage authorized users with Cloud IAM.
------------8<--------------8<------------

It always defaults to "Require authentication"

We should standardize variable defaults and not have example values like

I am using this cloud-run module to create my service. In my use case, I have to mount a secret as a volume.
Following is my code snippet

  env_vars = [
    {
      name  = "CONFIG_FILE"
      value = "/opt/config/service-conf.yaml"
    },
  ]
  volumes =[{
    name = "service-volume"
     secret = [{
      secret_name = google_secret_manager_secret_version.service-conf.id
      items       = {path: "/opt/config/service-conf.yaml", key: "latest"}
    }]
  }]

  volume_mounts = [{
    mount_path = "/opt/config/service-conf.yaml"
    name = "service-volume"
  }]

I didn't find any references to the usage of the above inputs, this is what I derived from the source code.
I would appreciate it if a good usage example is given. Also what values am I putting wrong in the above terraform code?
Awaiting quick response
FYI @proppy @olegshaldybin @dazuma @nikhilk @jskeet

It would be helpful to allow setting the Cloud Run Execution Environment.

Terraform GCP provider supports the functionality:
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_service#execution_environment

so exposing it in the module should be possible

Guessing just a typo, this ruleset is specifically addressing Remote Code Execution vulnerabilities. Canary in this context refers to the 'preview' rule set (vs. Stable).

When I ran this I got an error as the organization constraint for the virtual machine when running secure-cloud-run-net/network.tf and cloud_run_vpc_connector/network.tf. I adjusted the policy to exception them out....is there a way to apply a CMEK to the instances used in the background

Hi,
it looks like the encryption_key argument is missing in Cloud Run Job terraform module. Is it possible to add as it was done in Cloud Run Service?

I face an issue when reapplying TF code for cloud run module where Terraform tries to replace the resource which triggers a downtime because the Google certificate must be reprovisionned.

I am using the latest google provider version at this date (4.59)

 # module.cloud_run.google_cloud_run_domain_mapping.domain_map["XXXXXXXXXXXXXXXXXXXXXX"] must be replaced
-/+ resource "google_cloud_run_domain_mapping" "domain_map" {
      ~ id       = "locations/europe-west1/namespaces/XXXXXXXXXXXXXXXXXXXXXX/domainmappings/XXXXXXXXXXXXXXXXXXXXXX" -> (known after apply)
        name     = "XXXXXXXXXXXXXXXXXXXXXX"
      ~ status   = [
          - {
              - conditions          = [
                  - {
                      - message = ""
                      - reason  = ""
                      - status  = "True"
                      - type    = "Ready"
                    },
                  - {
                      - message = ""
                      - reason  = ""
                      - status  = "True"
                      - type    = "CertificateProvisioned"
                    },
                  - {
                      - message = ""
                      - reason  = ""
                      - status  = "True"
                      - type    = "DomainRoutable"
                    },
                ]
              - mapped_route_name   = "XXXXXXXXXXXXXXXXXXXXXX"
              - observed_generation = 1
              - resource_records    = [
                  - {
                      - name   = "XXXXXXXXXXXXXXXXXXXXXX"
                      - rrdata = "ghs.googlehosted.com."
                      - type   = "CNAME"
                    },
                ]
            },
        ] -> (known after apply)
        # (2 unchanged attributes hidden)

      ~ metadata {
          ~ annotations      = {
              - "run.googleapis.com/operation-id"  = "98643836-60a4-4842-93cc-e701331efcff"
              - "serving.knative.dev/creator"      = "XXXXXXXXXXXXXXXXXXXXXX"
              - "serving.knative.dev/lastModifier" = "XXXXXXXXXXXXXXXXXXXXXX"
            } -> (known after apply) # forces replacement
          ~ generation       = 1 -> (known after apply)
          ~ labels           = {
              - "cloud.googleapis.com/location" = "europe-west1"
              - "run.googleapis.com/overrideAt" = "2023-03-31T19:15:34.884Z"
            } -> (known after apply)
          ~ resource_version = "AAX4N0PSVkY" -> (known after apply)
          ~ self_link        = "/apis/domains.cloudrun.com/v1/namespaces/529599333961/domainmappings/XXXXXXXXXXXXXXXXXXXXXX" -> (known after apply)
          ~ uid              = "937a3f7a-e194-4e6f-b53c-2ae3f816ddbb" -> (known after apply)
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: no

I think this commit tried to fix the issue but the ignore_changes have not been place on every ressource needed.

The ignore change on operation-id should be placed on the ressource google_cloud_run_domain_mapping too.

When I run terraform apply after deploying my cloudrun code via gcloud run deploy, even if there are no changes to my terraform config, it shows a diff to client.knative.dev/nonce. Example below:

 ~ template {
          ~ metadata {
              ~ labels      = {
                  - "client.knative.dev/nonce"            = "xyz" -> null
                    # (1 unchanged element hidden)
                }
                # (2 unchanged attributes hidden)
            }

            # (1 unchanged block hidden)
        }

Would it make sense to add this label to the lifeycle ignore_changes? (https://github.com/GoogleCloudPlatform/terraform-google-cloud-run/blob/main/main.tf#L191-L202)

Hi there,

Is there a way to enable HTTP -> HTTPS redirect using the secure-cloud-run-core module?

Thanks!

Hi,

I am trying to apply the Cloud Run module with the following configuration:

module "cloud_run" {
  source  = "GoogleCloudPlatform/cloud-run/google"
  version = "~> 0.1.1"

  # Required variables
  service_name = "${var.project}-service"
  project_id   = module.project.project_id
  location     = var.region
  image        = "gcr.io/cloudrun/hello"

  depends_on = [google_artifact_registry_repository.docker-registry]
}

But I am getting the following error on applying:

Error creating Service: googleapi: Error 403: Google Cloud Run Service Agent does not have permission to get access tokens for the service account [email protected]. Please give service-711987267850@serverless-robot-prod.iam.gserviceaccount.com permission iam.serviceAccounts.getAccessToken on the service account. Alternatively, if the service account is unspecified or in the same project you are deploying in, ensure that the Service Agent is assigned the Google Cloud Run Service Agent role roles/run.serviceAgent.
│
│   with module.cloud_run.google_cloud_run_service.main,
│   on .terraform\modules\cloud_run\main.tf line 17, in resource "google_cloud_run_service" "main":
│   17: resource "google_cloud_run_service" "main" {
│
╵

It seems that the service account is being created, but without the Cloud Run Agent role. The module is being applied from the owner user.

There is also another user with same account postfix, but I am not sure exactly why and how it's being created:

Currently prerequisites include

Cloud SQL
VPC Connector
Environment Variables in Secret Manager

IIUC these are not necessary for core module usage. We can showcase examples using these additional features in examples/. Would be nice to showcase how this works with https://github.com/terraform-google-modules/terraform-google-network/tree/master/modules/vpc-serverless-connector-beta

If the cloud run module is used in a basic fashion, such as:

module "cloud_run" {
  source  = "GoogleCloudPlatform/cloud-run/google"
  version = "~> 0.2.0"

  # Required variables
  service_name           = "my-service"
  project_id             = var.project_id
  location               = var.region
  image                  = "gcr.io/${var.project_id}/my-image"
}

Terraform will always try to update the cloud run resource with a new revision as the default variables for limits and concurrency of "null" are different from the defaults cloud run implements of:

• "cpu" = "1000m"
• "memory" = "512Mi"

Recommend we update default variables to match cloud run defaults to prevent unnecessary redeployment.

As the documentation states here : https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_service#annotations

If terraform plan shows a diff where a server-side annotation is added, you can add it to your config or apply the lifecycle.ignore_changes rule to the metadata.0.annotations field.

I've deployed my CloudRun service through TF. My CI/CD chain triggers pulls from new latest image.
When I manipulate my TF code, a plan/apply command shows a drift as the annotations are not the same :

  # module.cloud-run-main.google_cloud_run_service.main will be updated in-place
  ~ resource "google_cloud_run_service" "main" {
        id                         = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        name                       = "xxxxxxxxxxxxxxx-cloudrun"
        # (4 unchanged attributes hidden)

      ~ metadata {
          ~ annotations      = {
              - "client.knative.dev/user-image"     = "xxxxxxxxxxxxxxxxxxxxxxx:latest" -> null
              - "run.googleapis.com/client-name"    = "gcloud" -> null
              - "run.googleapis.com/client-version" = "412.0.0" -> null
              - "run.googleapis.com/operation-id"   = "36e1a984-b8c3-4390-bbd7-927053d1b33e" -> null
                # (4 unchanged elements hidden)
            }
            # (6 unchanged attributes hidden)
        }

      ~ template {
          ~ metadata {
              ~ annotations = {
                  - "client.knative.dev/user-image"           = "xxxxxxxxxxxxxxxxxxxxxx:latest" -> null
                  - "run.googleapis.com/client-name"          = "gcloud" -> null
                  - "run.googleapis.com/client-version"       = "412.0.0" -> null
                    # (5 unchanged elements hidden)
                }
                name        = "xxxxxxxxxxxxxxxxxxxx-cloudrun-00015-yas"
                # (2 unchanged attributes hidden)
            }

            # (1 unchanged block hidden)
        }

        # (1 unchanged block hidden)
    }

This is a legit drift that I want to ignore.
Is it possible to add an internal "lifecyle" section in the module ?

I mean, I would like to have some of this code :

module "cloud_run" {
  source  = "GoogleCloudPlatform/cloud-run/google"
  version = "~> 0.2.0"

  # Required variables
  service_name           = "<SERVICE NAME>"
  project_id             = "<PROJECT ID>"
  location               = "<LOCATION>"
  image                  = "gcr.io/cloudrun/hello"

  # Optionnal
  ignore_annotations_changes = true // true or false
}

To enable tests in this repo, please create a PR similar to example PR

GoogleCloudPlatform/cloud-foundation-toolkit#933

Current release is 5.6

https://github.com/hashicorp/terraform-provider-google/releases

I have a couple of cloud run services in my terraform project. When i'm trying to increase memory limit, i wait for 10 minutes and the task still doesn't complete.

resource "google_cloud_run_service" "name" {
name = "name"
location = "europe-west2"

traffic {
percent = 100
latest_revision = true
}

lifecycle {
ignore_changes = [
    template["metadata.annotations.client.knative.dev/user-image"],
    template["metadata.annotations.run.googleapis.com/client-name"],
    template["metadata.annotations.run.googleapis.com/client-version"]
]

}

template {
metadata {
annotations = {
"run.googleapis.com/client-name" = "cloud-console"
"autoscaling.knative.${var.project_key}/maxScale" = "1"
"autoscaling.knative.${var.project_key}/minScale" = "1"
"client.knative.${var.project_key}/user-image" = "europe-west2-docker.pkg.dev/${var.project_name}/fname/name:latest"
"run.googleapis.com/cpu-throttling" = "false"
"run.googleapis.com/vpc-access-connector" = "projects/${var.project_name}/locations/${var.region}/connectors/vpc-${var.project_key}-connector"
"run.googleapis.com/vpc-access-egress" = "private-ranges-only"
}
}

spec {
  timeout_seconds = "3600"
  container_concurrency = "10"
  service_account_name = "cloud-run-sa@${var.project_name}.iam.gserviceaccount.com"

  containers {
    image = "europe-west2-docker.pkg.dev/${var.project_name}/name-images/name:latest"

    ports {
      container_port = "8080"
    }

    resources {
      limits = {
        cpu = "1000m"
        memory = "512Mi"
      }
    }
  
  env {
      name ="GCP_BUCKET_NAME"
      value ="${var.bucket_key}"
  }
}

}
}
}

output "name_cloudrun_instance_url" {
value = google_cloud_run_service.name.status[0].url
}

When i run the tf apply i get following changes memory 512mi => 1Gi but it takes 10-12 minutes and the task still doesn't complete.

Any recommendation?

There is available gen2 in preview which is not possible to select using this TF templates https://cloud.google.com/run/docs/about-execution-environments

Problem: Currently, template_annotations and some vpc-parameters are being set directly in the secure-cloud-run-core submodule. Because this, the users need to know magic strings like autoscaling.knative.de/maxScale for controlling something as a simple scaling.

Proposal: Adding variables to receive additional parameters for scale, vpc-connector and vpc-egrees in the cloud run main module would be more transparent to the users.

An example can be found on this discussion.

nit: we usually prefer service_account_email as that is what the provider usually expects.

It would be great to add support for ignore_changes on the image parameter.

This would allow to use this module to deploy a cloud run service with a default image and then to use a cloud build to do continuous deployment in this cloud run.

Now if we do that every terraform apply will want to reset to default image. So if we can specify to ignore changes on image parameters it would solve this problem (in this workflow). Terraform have a ignore_changes in lifecycle of resources so we can use this feature.

What do you think?

Mainly a question, but I'm wondering what the difference is between the GCP provider service and this entirely separate module?

Submodule documentation points to wrong submodule: https://registry.terraform.io/modules/GoogleCloudPlatform/cloud-run/google/latest/submodules/job-exec

The basic usage block says

```hcl
module "cloud_run_core" {
  source = "GoogleCloudPlatform/cloud-run/google//modules/secure-cloud-run-core"
  version = "~> 0.3.0"

  project_id = var.project_id
  name       = "simple-job"
  location   = "us-central1"
  image      = "us-docker.pkg.dev/cloudrun/container/job"
  exec       = true
}

I am getting error when creating simple cloudrun module

module "service_account" {
source = "terraform-google-modules/service-accounts/google"
version = "~> 4.1.1"
project_id = var.project_id
prefix = "sa-cloud-run"
names = ["simple"]
}

module "cloud-run" {
source = "GoogleCloudPlatform/cloud-run/google"
version = "0.4.0"
service_name = var.service_name
project_id = var.project_id
location = var.location
image = var.image
service_account_email = module.service_account.email
}

module.cloud-run.google_cloud_run_service.main: Creating...
╷
│ Error: Error creating Service: Post "https://-run.googleapis.com/apis/serving.knative.dev/v1/namespaces//services?alt=json": dial tcp: lookup -run.googleapis.com: no such host
│
│ with module.cloud-run.google_cloud_run_service.main,
│ on .terraform/modules/cloud-run/main.tf line 22, in resource "google_cloud_run_service" "main":
│ 22: resource "google_cloud_run_service" "main" {

Please review and provide feedback .

Hi guys, viewing the examples I won't find a way to mapping domain and subdomain in the same module

Example: I have enmanuelmoreira.com which mapping to root srv and www mapping as well to root srv, but i am able to mapping just the root domain.

Any help is welcome.

Regards.

The Cloud Run team produces official terraform resources for all Cloud Run resources. Every GA feature is guaranteed by design and process to be available in the terraform resource, see TF docs

This module is not in sync with the latest features added to Cloud Run. For example: containers should now accept a list of containers.

It is unclear what the value of this module is, compared to the drawbacks of it not capturing all Cloud Run features.

At a minimum, I would suggest to point at the TF resource from this module README. So that users are aware they could directly use the TF resource.

startup_probe is missing as possible inputs in the module.
This prevents some applications to start correctly.

Wondering what is the need for modifying lifecycle hooks

Terraform has tag attribute under traffic object that seems to be missing from traffic_split of this module

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_service#example-usage---cloud-run-service-add-tag

Hi Team,
Iam getting below error while creating Cloud Run Service using Terraform. We dont need tag manager for our current requirement. Could you please suggest a way how to resolve this issue with out using CONTAINER_CONFIG environment variable or the container_config command line option.

Error: Missing container config. Please provide the CONTAINER_CONFIG environment variable or the container_config command line option.

Hey folks,

The integration tests are failing. The cause is:

• The examples don't specify an service account to run Cloud Run version/
• The default service account of the project - compute SA is disabled by Project factory when creating the test project.
• Cloud Run is not able to create the service using a disabled service account.

Cloud Run svc and domain mapping seems to use google-beta provider. We should add provider_meta to capture attribution for those resources as well

example
https://github.com/terraform-google-modules/terraform-google-project-factory/blob/f54adbfb86201069f94e28c14b20a693e3595329/versions.tf#L19-L24

In order to use secrets, the Cloud Run service account needs to have the Secret Accessor role:
https://cloud.google.com/run/docs/configuring/secrets#access-secret

Currently this blueprint/module requires hashicorp/google ~> 3.53, while 4.6.0 is the latest.

Cloud run supports tagging a revision to create a unique url for the revision. The url will always point to an exact revision.

The gcloud command for it

gcloud beta run services update --tag=test ....

But I could not find it anywhere in the terraform module. Is it there or am I missing something?

This module helps users set up a domain while creating Cloud Run services.

The DomainMapping feature of Cloud Run is a preview feature, it will unfortunately not reach GA and we are trying to steer users away from it.

The module should make this clear to users.

Add variable to CMEK self-link and configure it in template annotations.

service_perimeter.tf defines a list of 6 services to restrict, with the option for the user to customize additional_restricted_services. This is a contradiction of Google recommended best practices for VPC service controls.

From Best practices for VPC Service Controls for enterprises...
We recommend that you enable all protected services when you create a perimeter, which helps to reduce complexity and exfiltration vectors. There is no reason to protect one API and not all others,
Stated more explicitly, a VPCSC perimeter that protects only a few services does not protect against data exfiltration, because an insider could use any other GCP service to copy data read by Cloud Run to other services.

Please update the module to include all services supported by VPCSC by default.

Is there a reason behind exposing args and command as string vars vs just exposing the array itself?

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): Update go modules and/or dev-tools (cft/developer-tools, github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test, go)
• fix(deps)!: Update Terraform GoogleCloudPlatform/lb-http/google to v10
• fix(deps)!: Update Terraform terraform-google-modules/vpc-service-controls/google to v6
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

allUsers is potentially dangerous, so we should not make this aa default. We should instead use var.members to allow a list of members access to the service.

Should we be using a dynamic block for ports? There could be cases where ports are unnecessary like Cloud Run triggered via pubsub.

We manage all our Cloud Armor rules at the same place in a centralised way but we want to be able to follow the evolutions of the other part of the module secure-cloud-run-core.

I want to be able to use an already provisioned rule for the load balancer.