Created
February 7, 2023 12:05
-
-
Save marcingolenia/dd8d0c6e7ae425a6f31359a72e049ac5 to your computer and use it in GitHub Desktop.
Terraform for cloudrun + secrets from secret manager mounted as env variables (with loop).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # vars.tf: | |
| variable "docker_image" { | |
| type = string | |
| } | |
| variable "project_id" { | |
| type = string | |
| default = "{YOUR GOOGLE PROJECT ID}" | |
| } | |
| variable "region" { | |
| type = string | |
| default = "europe-north1" | |
| } | |
| variable "name" { | |
| type = string | |
| default = "your-service" | |
| } | |
| variable "secrets" { | |
| type = list(string) | |
| description = "Grant acceess to user maanged secrets" | |
| default = [ | |
| "TEST_SECRET", | |
| "TEST_CERT", | |
| ] | |
| } | |
| # main.tf | |
| # https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account | |
| resource "google_service_account" "sa" { | |
| project = var.project_id | |
| account_id = "cr-${var.name}" | |
| display_name = "cr-${var.name}" | |
| description = "Service account for ${var.name} cloud run" | |
| } | |
| # https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam | |
| resource "google_secret_manager_secret_iam_member" "secrets" { | |
| for_each = toset(var.secrets) | |
| project = var.project_id | |
| role = "roles/secretmanager.secretAccessor" | |
| secret_id = each.key | |
| member = "serviceAccount:${google_service_account.sa.email}" | |
| } | |
| resource "google_cloud_run_service_iam_member" "member" { | |
| project = google_cloud_run_service.default.project | |
| service = google_cloud_run_service.default.name | |
| location = google_cloud_run_service.default.location | |
| role = "roles/run.developer" | |
| member = "serviceAccount:${google_service_account.sa.email}" | |
| } | |
| data "google_cloud_run_service" "run-service" { | |
| name = var.name | |
| location = var.region | |
| } | |
| resource "google_cloud_run_service" "default" { | |
| name = var.name | |
| location = var.region | |
| autogenerate_revision_name = true | |
| template { | |
| spec { | |
| service_account_name = google_service_account.sa.email | |
| containers { | |
| image = var.docker_image | |
| dynamic "env" { | |
| for_each = var.secrets | |
| content { | |
| name = env.value | |
| value_from { | |
| secret_key_ref { | |
| key = "latest" | |
| name = env.value | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| data "google_iam_policy" "noauth" { | |
| binding { | |
| role = "roles/run.invoker" | |
| members = [ | |
| "allUsers", | |
| ] | |
| } | |
| } | |
| resource "google_cloud_run_service_iam_policy" "noauth" { | |
| location = google_cloud_run_service.default.location | |
| project = google_cloud_run_service.default.project | |
| service = google_cloud_run_service.default.name | |
| policy_data = data.google_iam_policy.noauth.policy_data | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment