Deploy an original Docker image to Cloud Run using Terraform and GitHub Actions. GitHub Actions authenticates to Google Cloud with Workload Identity Federation, so no service account JSON key is stored in the repository.

Prerequisites:

- Google Cloud account
- gcloud CLI
- Terraform Cloud account
- Terraform CLI
Configure the Terraform Cloud backend in the `terraform` block (replace the placeholders with your own values):

```hcl
terraform {
  ...
  cloud {
    organization = "<your organization name>"
    workspaces {
      name = "<your workspace name>"
    }
  }
}
```
Authenticate and obtain Google application default credentials:

```shell
cd terraform
gcloud auth application-default login
...
Credentials saved to file: [/<your path>/application_default_credentials.json]
...
```
Copy the contents of that JSON file and set the environment variable `GOOGLE_CREDENTIALS` at https://app.terraform.io/app/<organization name>/workspaces/<workspace name>/variables. Mark it as a sensitive variable so the credential is not shown in the workspace UI.

Then create a Terraform API token in Terraform Cloud and set the environment variable `TFE_TOKEN`.

After applying, get the outputs (the values used in the workflow below) from https://app.terraform.io/app/<organization name>/workspaces/<workspace name>.
`.github/workflows/deploy.yml`:

```yaml
...
      - id: 'auth'
        uses: 'google-github-actions/auth@v0'
        with:
          token_format: 'access_token'
          workload_identity_provider: '<Google workload identity provider>'
          service_account: '<Google service account>'
...
      - name: Build and push
        uses: docker/build-push-action@v3
        with:
          context: "{{defaultContext}}:app"
          push: true
          tags: asia-northeast1-docker.pkg.dev/<Google Cloud project id>/playground/fastapi:latest
      - id: 'deploy'
        uses: 'google-github-actions/deploy-cloudrun@v1'
        with:
          region: 'asia-northeast1'
          service: 'fastapi'
          image: 'asia-northeast1-docker.pkg.dev/<Google Cloud project id>/playground/fastapi'
```
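The two placeholders in the `auth` step, the workload identity provider and the service account, come from the Google Cloud side of the federation. The following Terraform is an added example and not this repository's own code; it shows the minimal set of resources that produces those two values and, in particular, the attribute condition that limits the pool to a single GitHub repository. The variables `project_id` and `github_repository` (in `OWNER/REPO` form), the resource names and the role list are assumptions for the example.

```hcl
# Added example: GCP resources behind the workflow's keyless auth step.
# var.project_id and var.github_repository are placeholders for this example.

variable "project_id" {
  type = string
}

variable "github_repository" {
  description = "GitHub repository allowed to deploy, as OWNER/REPO"
  type        = string
}

resource "google_iam_workload_identity_pool" "github" {
  project                   = var.project_id
  workload_identity_pool_id = "github-actions"
  display_name              = "GitHub Actions"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-oidc"
  display_name                       = "GitHub OIDC"

  # Map claims of the GitHub OIDC token to Google attributes.
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
  }

  # Only tokens issued for this repository may be exchanged. Without a
  # condition, a token from any GitHub repository would be accepted by the pool.
  attribute_condition = "assertion.repository == \"${var.github_repository}\""

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

resource "google_service_account" "deployer" {
  project      = var.project_id
  account_id   = "github-deployer"
  display_name = "GitHub Actions deployer"
}

# Let identities from the pool that carry the matching repository attribute
# impersonate the deployer service account.
resource "google_service_account_iam_member" "github_impersonation" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/${var.github_repository}"
}

# Roles for the two workflow steps: push to Artifact Registry and deploy to
# Cloud Run. Deploying also needs roles/iam.serviceAccountUser on the Cloud Run
# runtime service account, which is omitted here.
resource "google_project_iam_member" "deployer_roles" {
  for_each = toset([
    "roles/artifactregistry.writer",
    "roles/run.developer",
  ])
  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.deployer.email}"
}

# Values to paste into the workflow's auth step.
output "workload_identity_provider" {
  value = google_iam_workload_identity_pool_provider.github.name
}

output "service_account" {
  value = google_service_account.deployer.email
}
```

The `workload_identity_provider` output has the `projects/<number>/locations/global/workloadIdentityPools/<pool>/providers/<provider>` form the auth action expects. The `principalSet://` member together with `attribute_condition` is what keeps the trust narrow: change the repository variable and the old repository loses both the ability to exchange tokens and the permission to impersonate the service account.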
References:

- Google Provider Configuration Reference: Authentication
- Accessing GCP from GitHub Actions without a JSON key using Workload Identity (Terraform edition) (Workload Identityを使ってJSONキーなしでGitHubActionsからGCPにアクセスする(Terraform編))
- How to push tagged Docker releases to Google Artifact Registry with a GitHub Action
- Allowing public (unauthenticated) access (公開(未認証)アクセスを許可する)
- Cloud Run revision already exists
- Bootstrapping trust between a TFC workspace and GCP
- Dynamic Credentials with the GCP Provider
- garbetjie/terraform-google-cloud-run