metadata.annotations does not support annotation `run.googleapis.com/secrets`
Opened this issue · 2 comments
andrewmackett commented
Summary
Creating a new Cloud Run service that uses Secret Manager fails with this error:
╷
│ Error: Error creating Service: googleapi: Error 400: metadata.annotations: Annotation 'run.googleapis.com/secrets' is not supported on resources of kind 'Service'. Supported kinds are: Revision, Execution
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.BadRequest",
│     "fieldViolations": [
│       {
│         "description": "Annotation 'run.googleapis.com/secrets' is not supported on resources of kind 'Service'. Supported kinds are: Revision, Execution",
│         "field": "metadata.annotations"
│       }
│     ]
│   }
│ ]
│
│   with module.cloud_run.google_cloud_run_service.default,
│   on .terraform/modules/cloud_run/main.tf line 2, in resource "google_cloud_run_service" "default":
│    2: resource google_cloud_run_service default {
│
╵
I believe this is happening because the run.googleapis.com/secrets annotation is being set in metadata.annotations where it's not supported. Removing the run.googleapis.com/secrets annotation from here should fix the issue.
Example Code
Terraform to reproduce the error:
variable "project_id" {
  type        = string
  description = "The GCP project ID where the resources will be created."
}

# Create a service account
resource "google_service_account" "this" {
  project      = var.project_id
  account_id   = "my-service-account"
  display_name = "my-service-account"
}

# Create a secret in Secret Manager
resource "google_secret_manager_secret" "secret" {
  project   = var.project_id
  secret_id = "my-secret"

  replication {
    automatic = true
  }
}

# Store the secret value
resource "google_secret_manager_secret_version" "secret" {
  secret      = google_secret_manager_secret.secret.id
  secret_data = "super-secret-value"
}

# Allow the service account to read the secret value from Secret Manager
resource "google_secret_manager_secret_iam_member" "secret" {
  project   = var.project_id
  secret_id = google_secret_manager_secret.secret.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.this.email}"
}

module "cloud_run" {
  source = "git::git@github.com:garbetjie/terraform-google-cloud-run.git//?ref=2.2.1"

  project               = var.project_id
  location              = "us-central1"
  name                  = "my-cloud-run"
  image                 = "us-docker.pkg.dev/cloudrun/container/hello"
  service_account_email = google_service_account.this.email

  env = [
    {
      key     = "MY_SECRET"
      secret  = google_secret_manager_secret.secret.id
      version = "latest"
    },
  ]
}
garbetjie commented
Whoops. Somehow I missed this issue. I'll take a look at replicating it when I have a chance.
Are you still experiencing it?
silbinarywolf commented
I'm also experiencing it.
According to this issue, the fix should in theory be simply moving "metadata" out of the "template" block:
hashicorp/terraform-provider-google#10958 (comment)
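For reference, this is what a standalone `google_cloud_run_service` resource looks like when the `run.googleapis.com/secrets` annotation is placed on the Revision template (`template.metadata.annotations`), which is the kind the error message says accepts it, instead of on the Service's top-level `metadata`. This is an added example written for this page; it is not the module's code and not a patch to it. It reuses the `google_service_account.this`, `google_secret_manager_secret.secret` and `google_secret_manager_secret_iam_member.secret` resources from the reproduction above. The `ALIAS:projects/PROJECT/secrets/NAME` annotation value and the `my-secret-alias` name are assumptions based on the format Cloud Run documents for referencing secrets by alias; the `secret_key_ref` block is the provider's own schema for a Secret Manager env var.

```hcl
# Added example, not the module's code. Same-resource equivalent of the
# module call in the issue, with the secrets annotation on the Revision
# template where the Cloud Run API accepts it.
resource "google_cloud_run_service" "example" {
  project  = var.project_id
  location = "us-central1"
  name     = "my-cloud-run"

  template {
    metadata {
      # Revision-level annotations (kind 'Revision'). Putting this map under
      # the Service's top-level metadata block is what triggers the
      # "not supported on resources of kind 'Service'" error in the issue.
      annotations = {
        # Assumed value format: ALIAS:projects/PROJECT/secrets/SECRET_NAME.
        # The alias on the left must match secret_key_ref.name below.
        "run.googleapis.com/secrets" = "my-secret-alias:${google_secret_manager_secret.secret.id}"
      }
    }

    spec {
      # Run as the dedicated service account that holds only secretAccessor
      # on this one secret, rather than the default compute service account.
      service_account_name = google_service_account.this.email

      containers {
        image = "us-docker.pkg.dev/cloudrun/container/hello"

        env {
          name = "MY_SECRET"
          value_from {
            secret_key_ref {
              # Alias declared in the annotation above.
              name = "my-secret-alias"
              # Secret version to mount; "latest" follows the issue's example.
              # Pinning a numeric version makes rollouts reproducible.
              key = "latest"
            }
          }
        }
      }
    }
  }

  # Make sure the IAM binding exists before the first revision starts,
  # otherwise the revision fails to resolve the secret at startup.
  depends_on = [google_secret_manager_secret_iam_member.secret]
}
```

The `depends_on` is worth keeping even once the annotation placement is fixed: Terraform cannot infer the ordering from `secret_key_ref` alone, and a revision that comes up before the `roles/secretmanager.secretAccessor` grant lands will fail with a permission error on the secret rather than on the service definition.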