terraform-google-cloud-run

Deploys apps to Cloud Run, along with option to map custom domain

Primary language: HCL. License: Apache-2.0.

Terraform Cloud Run Module

This module handles the basic deployment of containerized applications on Cloud Run, along with domain mapping and IAM policy for the service.

The resources/services/activations/deletions that this module will create/trigger are:

  • Creates a Cloud Run service with provided name and container
  • Creates Domain mapping for the deployed service
  • Applies Cloud Run Invoker role to members

Mapping custom domains and subdomains

You can map multiple custom domains and subdomains to the same Cloud Run service. If you want to register a domain with Cloud Domains, see Registering a domain with Cloud Domains within the Cloud Run console.

To add a custom domain or subdomain to your Cloud Run service, add its name to the verified_domain_name variable (one entry per domain or subdomain).

Before you map your service to a custom domain in Cloud Run, you need to update the DNS records at your domain registrar. If you use Cloud DNS as your DNS provider, see Adding a record.

If your DNS is not managed by Google Cloud Domains, ownership of the domain must be verified by adding a TXT record to your DNS configuration. Follow the steps in this documentation to complete the verification.
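The following is an added example, not code from this module's repository, of mapping a subdomain through the verified_domain_name variable and publishing the matching record in Cloud DNS. It assumes a Cloud DNS managed zone named example-zone for example.com already exists, that ownership of example.com has already been verified, and that the project id is a placeholder; the CNAME target ghs.googlehosted.com is the standard front end Cloud Run subdomain mappings point at, and the mapping status output lists the records Cloud Run actually expects so you can confirm them after apply.

```hcl
# Added example (not the module's own code): map app.example.com to the
# service and create the DNS record it needs in an existing Cloud DNS zone.
# Assumptions: zone "example-zone" exists, the domain is already verified,
# and "my-project-id" is a placeholder.

module "cloud_run" {
  source  = "GoogleCloudPlatform/cloud-run/google"
  version = "~> 0.10.0"

  service_name = "hello-app"
  project_id   = "my-project-id"
  location     = "us-central1"
  image        = "gcr.io/cloudrun/hello"

  # One entry per custom domain or subdomain; each becomes a domain mapping.
  verified_domain_name = ["app.example.com"]

  # Let Google issue and renew the TLS certificate for the mapping,
  # instead of serving the custom domain without one.
  certificate_mode = "AUTOMATIC"
}

# Subdomains are mapped with a CNAME to Google's front end. Create it in the
# zone that is authoritative for example.com at the registrar.
resource "google_dns_record_set" "app" {
  project      = "my-project-id"
  managed_zone = "example-zone"   # assumed existing Cloud DNS zone
  name         = "app.example.com."
  type         = "CNAME"
  ttl          = 300
  rrdatas      = ["ghs.googlehosted.com."]
}

# The mapping status reports readiness and the records Cloud Run expects;
# compare it against the record above if the domain does not come up.
output "domain_map_status" {
  value = module.cloud_run.domain_map_status
}
```

Until the DNS record propagates and the certificate is provisioned, the domain_map_status output will show the mapping as not ready; the service URL output still works in the meantime.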

Assumptions and Prerequisites

This module assumes that the prerequisites listed below are in place before the module is consumed.

  • All required APIs are enabled in the GCP Project
  • Cloud SQL (optional)
  • VPC Connector (optional)
  • Environment Variables in Secret Manager (optional)

Usage

Basic usage of this module is as follows:

module "cloud_run" {
  source  = "GoogleCloudPlatform/cloud-run/google"
  version = "~> 0.10.0"

  # Required variables
  service_name           = "<SERVICE NAME>"
  project_id             = "<PROJECT ID>"
  location               = "<LOCATION>"
  image                  = "gcr.io/cloudrun/hello"
}
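A more complete example, added here and not taken from the module's own documentation, shows the inputs that matter most for a hardened service: a dedicated runtime service account instead of the default compute identity, ingress restricted with the service_annotations input, invoker access granted only to named principals via members, and credentials read from Secret Manager with env_secret_vars rather than placed in cleartext env_vars. It assumes a Secret Manager secret named db-password already exists in the project, that the module passes secret_key_ref through as the Cloud Run secretKeyRef name/key pair, and that the project id and caller service account are placeholders.

```hcl
# Added example (not the module's own code): least-privilege deployment.
# Assumptions: secret "db-password" exists in the project; "my-project-id"
# and the caller service account are placeholders; secret_key_ref maps to
# the Cloud Run secretKeyRef {name, key}.

# Dedicated identity for the service, so its permissions can be scoped
# independently of every other workload in the project.
resource "google_service_account" "runtime" {
  project      = "my-project-id"
  account_id   = "hello-app-runtime"
  display_name = "Cloud Run runtime identity for hello-app"
}

# The runtime identity must be able to read the secret, otherwise the
# revision fails to start when the secret cannot be resolved.
resource "google_secret_manager_secret_iam_member" "db_password" {
  project   = "my-project-id"
  secret_id = "db-password"
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.runtime.email}"
}

module "cloud_run" {
  source  = "GoogleCloudPlatform/cloud-run/google"
  version = "~> 0.10.0"

  service_name = "hello-app"
  project_id   = "my-project-id"
  location     = "us-central1"
  image        = "gcr.io/cloudrun/hello"

  # Run as the dedicated identity, not the default compute service account.
  service_account_email = google_service_account.runtime.email

  # Accept traffic only from the VPC or a Cloud Load Balancer, never
  # directly from the public internet.
  service_annotations = {
    "run.googleapis.com/ingress" = "internal-and-cloud-load-balancing"
  }

  # Invoker access goes only to the principals listed here. Leaving
  # "allUsers" out keeps the service authenticated.
  members = [
    "serviceAccount:caller@my-project-id.iam.gserviceaccount.com",
  ]

  # Non-sensitive settings can be cleartext ...
  env_vars = [
    { name = "LOG_LEVEL", value = "info" },
  ]

  # ... while credentials are resolved from Secret Manager at runtime
  # instead of being written into the plan and state as plain values.
  env_secret_vars = [
    {
      name = "DB_PASSWORD"
      value_from = [
        { secret_key_ref = { name = "db-password", key = "latest" } },
      ]
    },
  ]

  # A startup probe keeps a revision out of rotation until it is healthy.
  startup_probe = {
    http_get          = { path = "/healthz" }
    period_seconds    = 5
    failure_threshold = 3
  }

  depends_on = [google_secret_manager_secret_iam_member.db_password]
}
```

The depends_on at the end is deliberate: without it Terraform may create the service before the secret binding exists, and the first revision fails with a permission error on the secret.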

Inputs

Each input is listed as name (type, default, required or optional), followed by its description. Complex types and defaults are shown on the lines below the entry.

argument (list(string), default [], optional)
    Arguments passed to the ENTRYPOINT command; include these only if the image entrypoint needs arguments.

certificate_mode (string, default "NONE", optional)
    The mode of the certificate (NONE or AUTOMATIC).

container_command (list(string), default [], optional)
    Leave blank to use the ENTRYPOINT command defined in the container image; include these only if the image entrypoint should be overwritten.

container_concurrency (number, default null, optional)
    Concurrent request limit for the service.

domain_map_annotations (map(string), default {}, optional)
    Annotations for the domain map.

domain_map_labels (map(string), default {}, optional)
    A set of key/value label pairs to assign to the domain mapping.

encryption_key (string, default null, optional)
    CMEK encryption key self-link, expected in the format projects/PROJECT/locations/LOCATION/keyRings/KEY-RING/cryptoKeys/CRYPTO-KEY.

env_secret_vars (default [], optional)
    [Beta] Environment variables (Secret Manager).
    Type:
      list(object({
        name       = string
        value_from = set(object({
          secret_key_ref = map(string)
        }))
      }))

env_vars (default [], optional)
    Environment variables (cleartext).
    Type:
      list(object({
        value = string
        name  = string
      }))

force_override (bool, default false, optional)
    Option to force override of an existing mapping.

generate_revision_name (bool, default true, optional)
    Option to enable revision name generation.

image (string, no default, required)
    GCR-hosted image URL to deploy.

limits (map(string), default null, optional)
    Resource limits for the container.

liveness_probe (default null, optional)
    Periodic probe of container liveness. The container will be restarted if the probe fails.
    More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
    Type:
      object({
        failure_threshold     = optional(number, null)
        initial_delay_seconds = optional(number, null)
        timeout_seconds       = optional(number, null)
        period_seconds        = optional(number, null)
        http_get = optional(object({
          path = optional(string)
          http_headers = optional(list(object({
            name  = string
            value = string
          })), null)
        }), null)
        grpc = optional(object({
          port    = optional(number)
          service = optional(string)
        }), null)
      })

location (string, no default, required)
    Cloud Run service deployment location.

members (list(string), default [], optional)
    Users/SAs to be given invoker access to the service.

ports (optional)
    Port on which the container listens (http1 or h2c).
    Type:
      object({
        name = string
        port = number
      })
    Default:
      {
        "name": "http1",
        "port": 8080
      }

project_id (string, no default, required)
    The project ID to deploy to.

requests (map(string), default {}, optional)
    Resource requests for the container.

service_account_email (string, default "", optional)
    Service account email needed for the service.

service_annotations (map(string), optional)
    Annotations for the service. Acceptable ingress values: all, internal, internal-and-cloud-load-balancing.
    Default:
      {
        "run.googleapis.com/ingress": "all"
      }

service_labels (map(string), default {}, optional)
    A set of key/value label pairs to assign to the service.

service_name (string, no default, required)
    The name of the Cloud Run service to create.

startup_probe (default null, optional)
    Startup probe of the application within the container.
    All other probes are disabled if a startup probe is provided, until it succeeds.
    The container will not be added to service endpoints if the probe fails.
    More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
    Type:
      object({
        failure_threshold     = optional(number, null)
        initial_delay_seconds = optional(number, null)
        timeout_seconds       = optional(number, null)
        period_seconds        = optional(number, null)
        http_get = optional(object({
          path = optional(string)
          http_headers = optional(list(object({
            name  = string
            value = string
          })), null)
        }), null)
        tcp_socket = optional(object({
          port = optional(number)
        }), null)
        grpc = optional(object({
          port    = optional(number)
          service = optional(string)
        }), null)
      })

template_annotations (map(string), optional)
    Annotations for the container metadata, including VPC Connector and SQL. See more details.
    Default:
      {
        "autoscaling.knative.dev/maxScale": 2,
        "autoscaling.knative.dev/minScale": 1,
        "generated-by": "terraform",
        "run.googleapis.com/client-name": "terraform"
      }

template_labels (map(string), default {}, optional)
    A set of key/value label pairs to assign to the container metadata.

timeout_seconds (number, default 120, optional)
    Timeout for each request.

traffic_split (optional)
    Manages traffic routing to the service.
    Type:
      list(object({
        latest_revision = bool
        percent         = number
        revision_name   = string
        tag             = string
      }))
    Default:
      [
        {
          "latest_revision": true,
          "percent": 100,
          "revision_name": "v1-0-0",
          "tag": null
        }
      ]

verified_domain_name (list(string), default [], optional)
    List of custom domain names.

volume_mounts (default [], optional)
    [Beta] Volume mounts to be attached to the container (when using a secret).
    Type:
      list(object({
        mount_path = string
        name       = string
      }))

volumes (default [], optional)
    [Beta] Volumes needed for environment variables (when using a secret).
    Type:
      list(object({
        name = string
        secret = set(object({
          secret_name = string
          items       = map(string)
        }))
      }))

Outputs

apphub_service_uri: Service URI in CAIS style to be used by Apphub.
domain_map_id: Unique identifier for the created domain map.
domain_map_status: Status of the domain mapping.
location: Location in which the Cloud Run service was created.
project_id: Google Cloud project in which the service was created.
revision: Deployed revision for the service.
service_id: Unique identifier for the created service.
service_name: Name of the created service.
service_status: Status of the created service.
service_url: The URL on which the deployed service is available.
verified_domain_name: List of custom domain names.

Requirements

These sections describe requirements for using this module.

Software

Service Account

A service account with the following roles can be used to execute this module:

  • Cloud Run Admin: roles/run.admin

Learn more about Cloud Run Deployment Permissions.

The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.

APIs

A project with the following APIs enabled must be used to host the main resource of this module:

  • Google Cloud Run: run.googleapis.com
  • Serverless VPC Access (optional): vpcaccess.googleapis.com
  • Cloud SQL (optional): sqladmin.googleapis.com
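The following added example, which is not part of this module, provisions the pieces the two sections above describe: it enables the APIs listed here and creates a deployer service account that holds only roles/run.admin at project level. It assumes the project id is a placeholder and that the service will run as a separate, user-managed runtime service account; the serviceAccountUser grant at the end is the actAs permission a deployer needs on that runtime account and is scoped to that single account rather than the whole project.

```hcl
# Added example (not the module's own code): required APIs plus a deployer
# identity with the minimum roles. "my-project-id" is a placeholder.

locals {
  project_id = "my-project-id"
  apis = [
    "run.googleapis.com",       # required: Cloud Run
    "vpcaccess.googleapis.com", # optional: Serverless VPC Access
    "sqladmin.googleapis.com",  # optional: Cloud SQL
  ]
}

resource "google_project_service" "required" {
  for_each = toset(local.apis)
  project  = local.project_id
  service  = each.value
  # Leave the API enabled on destroy; other workloads may depend on it.
  disable_on_destroy = false
}

# Identity the service itself runs as (kept separate from the deployer).
resource "google_service_account" "runtime" {
  project      = local.project_id
  account_id   = "hello-app-runtime"
  display_name = "Cloud Run runtime identity"
}

# Identity that applies this module (for example from CI).
resource "google_service_account" "deployer" {
  project      = local.project_id
  account_id   = "cloud-run-deployer"
  display_name = "Identity that applies the Cloud Run module"
}

# The one project-level role the README lists for running this module.
resource "google_project_iam_member" "deployer_run_admin" {
  project = local.project_id
  role    = "roles/run.admin"
  member  = "serviceAccount:${google_service_account.deployer.email}"
}

# Deploying a service that runs as a user-managed service account requires
# actAs on that account. Grant it on the single runtime account, not
# project-wide, so the deployer cannot impersonate other identities.
resource "google_service_account_iam_member" "deployer_act_as_runtime" {
  service_account_id = google_service_account.runtime.name
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${google_service_account.deployer.email}"

  depends_on = [google_project_service.required]
}
```

Pass google_service_account.runtime.email to the module's service_account_email input; the deployer then needs no extra project-wide permissions to launch the service under that identity.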

Contributing

Refer to the contribution guidelines for information on contributing to this module.