This module handles the basic deployment core configurations for Cloud Run module.
The resources/services/activations/deletions that this module will create/trigger are:
- Creates a Cloud Run Service.
- Adds "Secret Manager Secret Accessor" role on the Secret for the Service Account used to run Cloud Run.
- Creates a Load Balancer Service using Google-managed SSL certificates.
- Creates Cloud Armor Service only including the pre-configured rules for SQLi, XSS, LFI, RCE, RFI, Scanner Detection, Protocol Attack and Session Fixation.
module "cloud_run_core" {
source = "GoogleCloudPlatform/cloud-run/google//modules/secure-cloud-run-core"
version = "~> 0.3.0"
service_name = <SERVICE NAME>
location = <SERVICE LOCATION>
region = <REGION>
domain = <YOUR-DOMAIN>
serverless_project_id = <SERVICE PROJECT ID>
image = <IMAGE URL>
cloud_run_sa = <CLOUD RUN SERVICE ACCOUNT EMAIL>
vpc_connector_id = <VPC CONNECTOR ID>
encryption_key = <KMS KEY>
env_vars = <ENV VARIABLES>
members = <MEMBERS ALLOWED TO CALL SERVICE>
}
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| argument | Arguments passed to the ENTRYPOINT command, include these only if image entrypoint needs arguments. | list(string) |
[] |
no |
| certificate_mode | The mode of the certificate (NONE or AUTOMATIC). | string |
"NONE" |
no |
| cloud_armor_policies_name | Cloud Armor policy name already created in the project. If create_cloud_armor_policies is false, this variable must be provided, If create_cloud_armor_policies is true, this variable will be ignored. |
string |
null |
no |
| cloud_run_sa | Service account to be used on Cloud Run. | string |
n/a | yes |
| container_command | Leave blank to use the ENTRYPOINT command defined in the container image, include these only if image entrypoint should be overwritten. | list(string) |
[] |
no |
| container_concurrency | Concurrent request limits to the service. | number |
null |
no |
| create_cloud_armor_policies | When true, the terraform will create the Cloud Armor policies. When false, the user must provide their own Cloud Armor name in cloud_armor_policies_name. |
bool |
true |
no |
| default_rules | Default rule for Cloud Armor. | map(object({ |
{ |
no |
| domain_map_annotations | Annotations to the domain map. | map(string) |
{} |
no |
| domain_map_labels | A set of key/value label pairs to assign to the Domain mapping. | map(string) |
{} |
no |
| encryption_key | CMEK encryption key self-link expected in the format projects/PROJECT/locations/LOCATION/keyRings/KEY-RING/cryptoKeys/CRYPTO-KEY. | string |
n/a | yes |
| env_vars | Environment variables. | list(object({ |
[] |
no |
| force_override | Option to force override existing mapping. | bool |
false |
no |
| generate_revision_name | Option to enable revision name generation. | bool |
true |
no |
| image | GAR hosted image URL to deploy. | string |
n/a | yes |
| lb_name | Name for load balancer and associated resources. | string |
"tf-cr-lb" |
no |
| limits | Resource limits to the container. | map(string) |
null |
no |
| location | The location where resources are going to be deployed. | string |
n/a | yes |
| max_scale_instances | Sets the maximum number of container instances needed to handle all incoming requests or events from each revison from Cloud Run. For more information, access this documentation. | number |
2 |
no |
| members | Users/SAs to be given invoker access to the service with the prefix serviceAccount:' for SAs and user: for users. |
list(string) |
[] |
no |
| min_scale_instances | Sets the minimum number of container instances needed to handle all incoming requests or events from each revison from Cloud Run. For more information, access this documentation. | number |
1 |
no |
| owasp_rules | These are additional Cloud Armor rules for SQLi, XSS, LFI, RCE, RFI, Scannerdetection, Protocolattack and Sessionfixation (requires Cloud Armor default_rule). | map(object({ |
{ |
no |
| ports | Port which the container listens to (http1 or h2c). | object({ |
{ |
no |
| project_id | The project where cloud run is going to be deployed. | string |
n/a | yes |
| region | Location for load balancer and Cloud Run resources. | string |
n/a | yes |
| requests | Resource requests to the container. | map(string) |
{} |
no |
| service_labels | A set of key/value label pairs to assign to the service. | map(string) |
{} |
no |
| service_name | The name of the Cloud Run service to create. | string |
n/a | yes |
| ssl_certificates | A object with a list of domains to auto-generate SSL certificates or a list of SSL Certificates self-links in the pattern projects/<PROJECT-ID>/global/sslCertificates/<CERT-NAME> to be used by Load Balancer. |
object({ |
n/a | yes |
| template_labels | A set of key/value label pairs to assign to the container metadata. | map(string) |
{} |
no |
| timeout_seconds | Timeout for each request. | number |
120 |
no |
| traffic_split | Managing traffic routing to the service. | list(object({ |
[ |
no |
| verified_domain_name | List of custom Domain Name. | list(string) |
n/a | yes |
| volume_mounts | [Beta] Volume Mounts to be attached to the container (when using secret). | list(object({ |
[] |
no |
| volumes | [Beta] Volumes needed for environment variables (when using secret). | list(object({ |
[] |
no |
| vpc_connector_id | VPC Connector id in the format projects/PROJECT/locations/LOCATION/connectors/NAME. | string |
n/a | yes |
| vpc_egress_value | Sets VPC Egress firewall rule. Supported values are all-traffic, all (deprecated), and private-ranges-only. all-traffic and all provide the same functionality. all is deprecated but will continue to be supported. Prefer all-traffic. | string |
"private-ranges-only" |
no |
| Name | Description |
|---|---|
| domain_map_id | Unique Identifier for the created domain map. |
| domain_map_status | Status of Domain mapping. |
| load_balancer_ip | IP Address used by Load Balancer. |
| revision | Deployed revision for the service. |
| service_id | Unique Identifier for the created service. |
| service_status | Status of the created service. |
| service_url | The URL on which the deployed service is available. |
The following dependencies must be available:
- Terraform >= 0.13.0
- Terraform Provider for GCP plugin < 5.0
A project with the following APIs enabled must be used to host the resources of this module:
- Serverless Project
- Google Cloud Run Service:
run.googleapis.com - Google Compute Service:
compute.googleapis.com
- Google Cloud Run Service:
A service account with the following roles must be used to provision the resources of this module:
- Cloud Run Developer:
roles/run.developer - Compute Network User:
roles/compute.networkUser - Artifact Registry Reader:
roles/artifactregistry.reader