A Terraform module to create a wrapper around a Google Cloud Run Service or Job. The Cloud Run workload will be deployed using Helmless instead of Terraform. The module purely exists to have a reference to the cloud resource in order to apply IAM policies to it.
This repository has a `.tool-versions` file used by asdf to install the necessary tools. For this you need the following additional plugins:

```sh
asdf plugin add terraform-docs https://github.com/looztra/asdf-terraform-docs
asdf plugin add tflint https://github.com/skyzyx/asdf-tflint
asdf install
```
```hcl
module "github_federation" {
  source              = "github.com/helmless/google-workload-identity-federation-terraform-module?ref=v0.1.0"
  id                  = "github"
  github_organization = "helmless"
}

module "cloudrun_service" {
  # source = "github.com/helmless/google-cloudrun-service-terraform-module?ref=v0.1.2" # x-release-please-version
  source                 = "../"
  name                   = "example-service"
  create_service_account = true
  deployment_accounts    = ["${module.github_federation.repository_principal_set_id_prefix}/example-repository"]
}
```

The following input variables are required:
- `name`
  - Description: The name of the Cloud Run service. Must be unique within the project and region.
  - Type: `string`
The following input variables are optional (have default values):

- `create_service_account`
  - Description: Whether to create a service account for the Cloud Run service with the same name as the service. If not provided, the default service account will be used.
  - Type: `bool`
  - Default: `true`
- Deletion protection
  - Description: Whether to enable deletion protection for the Cloud Run service.
  - Type: `bool`
  - Default: `true`
- `deployment_accounts`
  - Description: A list of accounts that are allowed to deploy the Cloud Run service. Must be in the format of `serviceAccount:ACCOUNT_EMAIL` or `principalSet:PRINCIPAL_SET_ID`. The accounts will get the `roles/run.admin` role on the Cloud Run service and the `roles/iam.workloadIdentityUser` role on the service account.
  - Type: `list(string)`
  - Default: `[]`
- Description
  - Description: An optional description of the Cloud Run service.
  - Type: `string`
  - Default: `""`
- IAM bindings
  - Description: A list of IAM bindings to apply to the Cloud Run service.
  - Type:

    ```hcl
    list(object({
      role    = string
      members = list(string)
    }))
    ```

  - Default: `[]`
- Labels
  - Description: Labels to apply to the Cloud Run service.
  - Type: `map(string)`
  - Default: `{}`
- Project
  - Description: The project to deploy the Cloud Run service to.
  - Type: `string`
  - Default: `null`
- Region
  - Description: The region to deploy the Cloud Run service to.
  - Type: `string`
  - Default: `"us-central1"`
- Service account
  - Description: The service account email to use for the Cloud Run service. If not provided, the default service account will be used.
  - Type: `string`
  - Default: `null`
The following outputs are exported:

- Description: The full Cloud Run service object and all attributes.
- Description: The service account used by the Cloud Run service. Uses the provided service account if `create_service_account` is `false`, otherwise creates a new service account.
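The `deployment_accounts` contract above is the security-relevant part of this module: every listed principal becomes a `roles/run.admin` on the service and a `roles/iam.workloadIdentityUser` on the runtime service account, so it can both redeploy the workload and act as its identity. The script below is an added example (not part of the helmless module) that a reviewer can run after `terraform apply`: it checks that each entry uses one of the two documented member formats, and it audits an IAM policy document (the `bindings`/`role`/`members` JSON shape returned by `gcloud run services get-iam-policy --format=json`, assumed here) to confirm that a sensitive role is held only by the approved deployment accounts. The project number, pool id and policy contents are constructed sample values.

```python
"""Audit helpers for the deployment_accounts contract of a Cloud Run wrapper module.

Added example, not code from the helmless module. Assumes the IAM policy JSON
shape {"bindings": [{"role": ..., "members": [...]}], "etag": ..., "version": ...}.
"""
import json
import re

# Documented member formats for deployment_accounts entries (assumed regexes):
# 'serviceAccount:ACCOUNT_EMAIL' and a principalSet from a workload identity pool.
_SERVICE_ACCOUNT = re.compile(r"^serviceAccount:[^@\s]+@[^@\s]+$")
_PRINCIPAL_SET = re.compile(
    r"^principalSet://iam\.googleapis\.com/projects/\d+/locations/global/"
    r"workloadIdentityPools/[^/\s]+/.+$"
)

# Constructed sample: one GitHub repository principal set and one deployer SA.
DEPLOYMENT_ACCOUNTS = [
    "principalSet://iam.googleapis.com/projects/123456789012/locations/global/"
    "workloadIdentityPools/github/attribute.repository/helmless/example-repository",
    "serviceAccount:deployer@my-project.iam.gserviceaccount.com",
]

# Constructed sample policy as it might be exported for the Cloud Run service.
# It contains one roles/run.admin member that is NOT an approved deployer.
SAMPLE_SERVICE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/run.admin",
     "members": [
       "principalSet://iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/github/attribute.repository/helmless/example-repository",
       "serviceAccount:deployer@my-project.iam.gserviceaccount.com",
       "user:alice@example.com"
     ]},
    {"role": "roles/run.invoker",
     "members": ["serviceAccount:frontend@my-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXyZ=",
  "version": 1
}""")


def validate_deployment_accounts(accounts):
    """Return the entries that do not match either documented member format."""
    return [
        a for a in accounts
        if not (_SERVICE_ACCOUNT.match(a) or _PRINCIPAL_SET.match(a))
    ]


def members_with_role(policy, role):
    """Collect every member holding `role` across all bindings of the policy."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            found.update(binding.get("members", []))
    return found


def unexpected_members(policy, role, approved):
    """Return members holding `role` that are not in the approved list, sorted.

    Use it with roles/run.admin on the service policy and with
    roles/iam.workloadIdentityUser on the service account policy.
    """
    return sorted(members_with_role(policy, role) - set(approved))


def audit(policy, approved):
    """Run both checks and return a report dict; empty lists mean a clean result."""
    return {
        "malformed_deployment_accounts": validate_deployment_accounts(approved),
        "unexpected_run_admins": unexpected_members(policy, "roles/run.admin", approved),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SERVICE_POLICY, DEPLOYMENT_ACCOUNTS), indent=2))
```

To use it against a real deployment, replace `SAMPLE_SERVICE_POLICY` with the parsed output of `gcloud run services get-iam-policy` and `DEPLOYMENT_ACCOUNTS` with the value passed to the module; any member listed under `unexpected_run_admins` was granted outside the module and should be reviewed, since the module only adds the principals you declare.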
The following requirements are needed by this module:

The following providers are used by this module:

- google (6.27.0)

No modules.

The following resources are used by this module:

- `google_cloud_run_v2_service.cloud_run_service` (resource)
- `google_cloud_run_v2_service_iam_binding.custom_iam` (resource)
- `google_cloud_run_v2_service_iam_member.run_admin` (resource)
- `google_service_account.cloud_run_service_account` (resource)
- `google_service_account_iam_member.service_account_user` (resource)
- `google_project.current` (data source)
- `google_service_account.cloud_run_service_account` (data source)