Terraform-provider-google: Support for Cloud Run VPC

Created on 5 May 2020  路  9Comments  路  Source: hashicorp/terraform-provider-google


Community Note

  • Please vote on this issue by adding a 馃憤 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

Now that VPC is in beta for Cloud Run (https://ahmet.im/blog/cloud-run-vpc-to-kubernetes/#fnref:1), adding support for the resource to provide a vpc connector

New or Affected Resource(s)

  • google_cloud_run_service

Potential Terraform Configuration

resource "google_cloud_run_service" "cloudrun_service" {
  name     = "service-name"
  provider = "google-beta"
  location = "us-central1"
  vpc_connector = "projects/project-id/locations/us-central1/connectors/connector-name"

  template {
    spec {
      ...
    }
  }

  traffic {
    percent         = 100
    latest_revision = true
  }
}

References

enhancement sizS
Source
picture watchinharrison
👍19

Most helpful comment

VPC connectors are using a simple annotation, no specific work should be needed for Terraform to support them..
Can you try the following:

resource "google_cloud_run_service" "default" {
  name     = "cloudrun-srv"
  location = "us-central1"

  template {
    spec {
      containers {
        image = "gcr.io/cloudrun/hello"
      }
    }

    metadata {
      annotations = {
        "run.googleapis.com/vpc-access-connector" = "my-connector"
      }
    }
  }
}
picture steren on 11 May 2020
👍8

All 9 comments

VPC connectors are using a simple annotation, no specific work should be needed for Terraform to support them..
Can you try the following:

resource "google_cloud_run_service" "default" {
  name     = "cloudrun-srv"
  location = "us-central1"

  template {
    spec {
      containers {
        image = "gcr.io/cloudrun/hello"
      }
    }

    metadata {
      annotations = {
        "run.googleapis.com/vpc-access-connector" = "my-connector"
      }
    }
  }
}
steren picture steren on 11 May 2020
👍8

So, please confirm it works, maybe add it as part of the documentation example, then close the issue.

steren picture steren on 12 May 2020

So, please confirm it works, maybe add it as part of the documentation example, then close the issue.

thank you for the direction on this, I'll attempt a deploy shortly and confirm, then raise a PR to update the docs for beta

watchinharrison picture watchinharrison on 12 May 2020

@steren I've deployed an instance with that annotation and yeah that's all working, vpc connector is attached, where is best to raise a PR for a documentation change? here or magic modules?

watchinharrison picture watchinharrison on 12 May 2020

I'd prefer not to have one example per potential annotation (that'll make our docs a bit unruly) but if we don't already have one that sets annotations, a generic annotations example would make sense, as well as a link to a list of potential annotations that could be set.

Examples are done in magic-modules by adding to the examples/ folder and adding a reference to it in terraform.yaml.

danawillow picture danawillow on 12 May 2020

VPC connectors are using a simple annotation, no specific work should be needed for Terraform to support them..
Can you try the following:

resource "google_cloud_run_service" "default" {
  name     = "cloudrun-srv"
  location = "us-central1"

  template {
    spec {
      containers {
        image = "gcr.io/cloudrun/hello"
      }
    }

    metadata {
      annotations = {
        "run.googleapis.com/vpc-access-connector" = "my-connector"
      }
    }
  }
}

While the above example runs, by adding the setting for controlling all egress through the VPC connector in the snippet below, the build breaks with the following error:

Error: Error creating Service: googleapi: Error 400: The feature 'VPC egress all' is not supported in the declared launch stage on resource {resource name}. The launch stage annotation should be specified at least as BETA. Please visit https://cloud.google.com/run/docs/troubleshooting#launch-stage-validation for in-depth troubleshooting documentation.

    metadata {
      annotations = {
        "run.googleapis.com/launch-stage" : "BETA"
        "run.googleapis.com/vpc-access-egress" : "all"
        "run.googleapis.com/vpc-access-connector" = "vpc-connector"
      }
    }

This is the case even if the provider is set to the google beta provider. Is there a solution for associating the vpc connector in addition to controlling the vpc egress?

johnnymac6 picture johnnymac6 on 16 Oct 2020

The Google beta provider should probably set the Beta annotation on the Service as explained in the error message if it expects to access beta features.

steren picture steren on 16 Oct 2020

Ah sorry, the issue in your example is that the launch stage annotation should go on the Service itself, not the template.

steren picture steren on 16 Oct 2020
👍2

Ah sorry, the issue in your example is that the launch stage annotation should go on the Service itself, not the template.

Switching that to the service metadata worked perfectly. Appreciate the support!

johnnymac6 picture johnnymac6 on 16 Oct 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

wmuizelaar picture wmuizelaar  路  4Comments
hashibot[bot] picture hashibot[bot]  路  3Comments
jcanseco picture jcanseco  路  3Comments
sho-abe picture sho-abe  路  3Comments
Evesy picture Evesy  路  3Comments