This module handles the basic deployment of containerized applications on Cloud Run, along with domain mapping and IAM policy for the service.
The resources/services/activations/deletions that this module will create/trigger are:
- Creates a Cloud Run service with provided name and container
- Creates Domain mapping for the deployed service
- Applies Cloud Run Invoker role to members
You can map multiple custom domains and subdomains to the same Cloud Run service. If you want to register a domain with Cloud Domains, see Registering a domain with Cloud Domains within the Cloud Run console.
To add a custom domain or subdomain to your Cloud Run service, you need to add the values to the verified_domain_name variable.
Before you've mapped your service to a custom domain in Cloud Run, you need to update your DNS records at your domain registry. If you're using Cloud DNS as your DNS provider, see Adding a record.
If your DNS is not managed by Google Cloud Domains, ownership of your domain needs to be verified by adding a TXT record to your DNS configuration. This verification can be done by following the steps from this documentation.
This module assumes that the prerequisites listed below are in place before the module is consumed.
- All required APIs are enabled in the GCP Project
- Cloud SQL (optional)
- VPC Connector (optional)
- Environment Variables in Secret Manager (optional)
Basic usage of this module is as follows:
```hcl
module "cloud_run" {
  source  = "GoogleCloudPlatform/cloud-run/google"
  version = "~> 0.2.0"

  # Required variables
  service_name = "<SERVICE NAME>"
  project_id   = "<PROJECT ID>"
  location     = "<LOCATION>"
  image        = "gcr.io/cloudrun/hello"
}
```
Name | Description | Type | Default | Required |
---|---|---|---|---|
argument | Arguments passed to the ENTRYPOINT command, include these only if image entrypoint needs arguments | list(string) | [] | no |
certificate_mode | The mode of the certificate (NONE or AUTOMATIC) | string | "NONE" | no |
container_command | Leave blank to use the ENTRYPOINT command defined in the container image, include these only if image entrypoint should be overwritten | list(string) | [] | no |
container_concurrency | Concurrent request limits to the service | number | null | no |
domain_map_annotations | Annotations to the domain map | map(string) | {} | no |
domain_map_labels | A set of key/value label pairs to assign to the Domain mapping | map(string) | {} | no |
encryption_key | CMEK encryption key self-link expected in the format projects/PROJECT/locations/LOCATION/keyRings/KEY-RING/cryptoKeys/CRYPTO-KEY. | string | null | no |
env_secret_vars | [Beta] Environment variables (Secret Manager) | list(object({ | [] | no |
env_vars | Environment variables (cleartext) | list(object({ | [] | no |
force_override | Option to force override existing mapping | bool | false | no |
generate_revision_name | Option to enable revision name generation | bool | true | no |
image | GCR hosted image URL to deploy | string | n/a | yes |
limits | Resource limits to the container | map(string) | null | no |
liveness_probe | Periodic probe of container liveness. Container will be restarted if the probe fails. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes | object({ | null | no |
location | Cloud Run service deployment location | string | n/a | yes |
members | Users/SAs to be given invoker access to the service | list(string) | [] | no |
ports | Port which the container listens to (http1 or h2c) | object({ | { | no |
project_id | The project ID to deploy to | string | n/a | yes |
requests | Resource requests to the container | map(string) | {} | no |
service_account_email | Service Account email needed for the service | string | "" | no |
service_annotations | Annotations to the service. Acceptable values all, internal, internal-and-cloud-load-balancing | map(string) | { | no |
service_labels | A set of key/value label pairs to assign to the service | map(string) | {} | no |
service_name | The name of the Cloud Run service to create | string | n/a | yes |
startup_probe | Startup probe of application within the container. All other probes are disabled if a startup probe is provided, until it succeeds. Container will not be added to service endpoints if the probe fails. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes | object({ | null | no |
template_annotations | Annotations to the container metadata including VPC Connector and SQL. See more details | map(string) | { | no |
template_labels | A set of key/value label pairs to assign to the container metadata | map(string) | {} | no |
timeout_seconds | Timeout for each request | number | 120 | no |
traffic_split | Managing traffic routing to the service | list(object({ | [ | no |
verified_domain_name | List of Custom Domain Name | list(string) | [] | no |
volume_mounts | [Beta] Volume Mounts to be attached to the container (when using secret) | list(object({ | [] | no |
volumes | [Beta] Volumes needed for environment variables (when using secret) | list(object({ | [] | no |
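The access-related inputs in the table above (members, service_annotations, service_account_email, encryption_key) can be combined to deploy a service that is not publicly invocable. The following is an added example, not taken from the module's own documentation; all angle-bracket and upper-case values are placeholders, and the `run.googleapis.com/ingress` annotation key is the Cloud Run ingress annotation, which is not spelled out on this page.

```hcl
# Added example: a restricted deployment using this module's inputs.
# Placeholder values must be replaced with resources from your own project.
module "cloud_run_restricted" {
  source  = "GoogleCloudPlatform/cloud-run/google"
  version = "~> 0.2.0"

  # Required variables
  service_name = "<SERVICE NAME>"
  project_id   = "<PROJECT ID>"
  location     = "<LOCATION>"
  image        = "gcr.io/cloudrun/hello"

  # Run the revision as a dedicated, minimally privileged service account.
  # With the default "", Cloud Run falls back to the Compute Engine default
  # service account, which usually holds far broader permissions.
  service_account_email = "<RUNTIME SERVICE ACCOUNT EMAIL>"

  # The module grants the Cloud Run Invoker role to every entry in members.
  # List only the named callers; an entry such as "allUsers" would make the
  # service invocable without authentication.
  members = [
    "serviceAccount:<CALLER SERVICE ACCOUNT EMAIL>",
  ]

  # Restrict ingress. Of the acceptable values (all, internal,
  # internal-and-cloud-load-balancing), "all" accepts traffic from the
  # public internet.
  service_annotations = {
    "run.googleapis.com/ingress" = "internal-and-cloud-load-balancing"
  }

  # Encrypt the deployed container image with a customer-managed key (CMEK),
  # in the self-link format documented for encryption_key.
  encryption_key = "projects/PROJECT/locations/LOCATION/keyRings/KEY-RING/cryptoKeys/CRYPTO-KEY"

  # Keep credentials out of env_vars, which the module passes as cleartext;
  # reference Secret Manager through env_secret_vars instead.
}
```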
Name | Description |
---|---|
domain_map_id | Unique Identifier for the created domain map |
domain_map_status | Status of Domain mapping |
location | Location in which the Cloud Run service was created |
project_id | Google Cloud project in which the service was created |
revision | Deployed revision for the service |
service_id | Unique Identifier for the created service |
service_name | Name of the created service |
service_status | Status of the created service |
service_url | The URL on which the deployed service is available |
verified_domain_name | List of Custom Domain Name |
These sections describe requirements for using this module.
- Terraform ~> v0.13+
- Terraform Provider for GCP >= 3.53, < 5.0
- Terraform Provider for GCP Beta >= 3.53, < 5.0
A service account can be used with required roles to execute this module:
- Cloud Run Admin: roles/run.admin
Learn more about Cloud Run Deployment Permissions.
The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.
A project with the following APIs enabled must be used to host the main resource of this module:
- Google Cloud Run: run.googleapis.com
- Serverless VPC Access (optional): vpcaccess.googleapis.com
- Cloud SQL (optional): sqladmin.googleapis.com
Refer to the contribution guidelines for information on contributing to this module.