- A Terraform module for creating and managing Google Cloud Run with an optional Filestore instance.
- This module is used to connect the Filestore instance to Cloud Run.

This module implements the following Terraform resources:

- google_cloud_run_v2_service (module_name: cloud-runV2)
- google_filestore_instance (module_name: filestore)
- google_vpc_access_connector (module_name: serverless-vpc-access-connector)

Note: while building the Docker image you have to update the Dockerfile CMD like the following:

```dockerfile
CMD echo "Mounting Cloud Filestore." && mount -o nolock $FILE_STORE_ENDPOINT <target-dir> && echo "Mounting completed." && <application starting command>
# $FILE_STORE_ENDPOINT => the value of this variable comes from the module output "module.filestore.nfs_mount_point"
```
We can give the following variables and values in the main.tf file for the respective modules.

Variables for the `cloud-runV2` module (google_cloud_run_v2_service):

- `name`: (Required, string) Name must be unique within a namespace, within a Cloud Run region. Is required when creating resources. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated.
- `location`: (Required, string) The location of the Cloud Run instance, e.g. us-central1.
- `project_id`: (Optional, string) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- `execution_environment`: (Optional, string) The sandbox environment to host this Revision. Possible values are: EXECUTION_ENVIRONMENT_GEN1, EXECUTION_ENVIRONMENT_GEN2.
- `ingress`: (Optional, string) Provides the ingress settings for this Service. On output, returns the currently observed ingress settings, or INGRESS_TRAFFIC_UNSPECIFIED if no revision is active. Possible values are: INGRESS_TRAFFIC_ALL, INGRESS_TRAFFIC_INTERNAL_ONLY, INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER.
- `scaling_config`: (Optional, list) Scaling settings for this Revision. Default is `{}`. The `scaling_config` object accepts the following attributes:
  - `min_instance_count`: (Optional, number) Minimum number of serving instances that this resource should have. Default is 0.
  - `max_instance_count`: (Optional, number) Maximum number of serving instances that this resource should have. Default is 100.
- `service_account`: (Optional, string) Email address of the IAM service account associated with the revision of the service. The service account represents the identity of the running revision, and determines what permissions the revision has. If not provided, the revision will use the project's default service account.
- `labels`: (Optional, map(string)) Unstructured key value map that can be used to organize and categorize objects. User-provided labels are shared with Google's billing system, so they can be used to filter, or break down billing charges by team, component, environment, state, etc. For more information, visit https://cloud.google.com/resource-manager/docs/creating-managing-labels or https://cloud.google.com/run/docs/configuring/labels. Cloud Run API v2 does not support labels with run.googleapis.com, cloud.googleapis.com, serving.knative.dev, or autoscaling.knative.dev namespaces, and they will be rejected. All system labels in v1 now have a corresponding field in v2 RevisionTemplate.
- `annotations`: (Optional, map(string)) Unstructured key value map that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. Cloud Run API v2 does not support annotations with run.googleapis.com, cloud.googleapis.com, serving.knative.dev, or autoscaling.knative.dev namespaces, and they will be rejected. All system annotations in v1 now have a corresponding field in v2 RevisionTemplate. This field follows Kubernetes annotations' namespacing, limits, and rules.
- `containers_temp`: (Optional, list) Holds the containers that define the unit of execution for this Service. The `containers_temp` object accepts the following attributes:
  - `image`: (Optional, string) URL of the container image in Google Container Registry or Google Artifact Registry. More info: https://kubernetes.io/docs/concepts/containers/images
  - `name`: (Optional, string) Name of the container specified as a DNS_LABEL.
  - `command`: (Optional, list) Entrypoint array. Not executed within a shell. The Docker image's ENTRYPOINT is used if this is not provided. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
  - `args`: (Optional, list) Arguments to the entrypoint. The Docker image's CMD is used if this is not provided. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
  - `env`: (Optional, list(object)) List of environment variables to set in the container. The `env` object accepts the following attributes:
    - `name`: (Required, string) Name of the environment variable. Must be a C_IDENTIFIER, and may not exceed 32768 characters.
    - `value`: (Optional, string) Variable references `$(VAR_NAME)` are expanded using the previously defined environment variables in the container and any route environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The `$(VAR_NAME)` syntax can be escaped with a double `$$`, i.e. `$$(VAR_NAME)`. Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "", and the maximum length is 32768 bytes.
    - `value_source`: (Optional, list(object)) Source for the environment variable's value. The `value_source` object accepts the following attributes:
      - `secret`: (Required, string) The name of the secret in Cloud Secret Manager. Format: {secretName} if the secret is in the same project, projects/{project}/secrets/{secretName} if the secret is in a different project.
      - `version`: (Optional, string) The Cloud Secret Manager secret version. Can be 'latest' for the latest value or an integer for a specific version.
  - `resources`: (Optional, list) Compute resource requirements for this container. The `resources` object accepts the following attributes:
    - `limits`: (Optional, string) Only memory and CPU are supported. Note: the only supported values for CPU are '1', '2', '4', and '8'. Setting 4 CPU requires at least 2Gi of memory. The values of the map are the string form of the k8s 'quantity' type: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apimachinery/pkg/api/resource/quantity.go
    - `cpu_idle`: (Optional, string) Determines whether CPU should be throttled or not outside of requests.
    - `startup_cpu_boost`: (Optional, string) Determines whether CPU should be boosted on startup of a new container instance above the requested CPU threshold; this can help reduce cold-start latency.
  - `ports`: (Optional, list) List of ports to expose from the container. Only a single port can be specified. The specified ports must be listening on all interfaces (0.0.0.0) within the container to be accessible. If omitted, a port number will be chosen and passed to the container through the PORT environment variable for the container to listen on. The `ports` object accepts the following attributes:
    - `name`: (Optional, string) If specified, used to specify which protocol to use. Allowed values are "http1" and "h2c".
    - `container_port`: (Optional, list) Port number the container listens on. This must be a valid TCP port number, 0 < containerPort < 65536.
  - `volume_mounts`: (Optional, list) Volumes to mount into the container's filesystem. The `volume_mounts` object accepts the following attributes:
    - `name`: (Required, string) This must match the name of a Volume.
    - `mount_path`: (Required, list) Path within the container at which the volume should be mounted. Must not contain ':'. For Cloud SQL volumes, it can be left empty, or must otherwise be /cloudsql. All instances defined in the Volume will be available as /cloudsql/[instance]. For more information on Cloud SQL volumes, visit https://cloud.google.com/sql/docs/mysql/connect-run
  - `working_dir`: (Optional, string) Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image.
Variables for the `filestore` module (google_filestore_instance):

- `name`: (Required, string) The resource name of the instance.
- `tier`: (Required, string) The service tier of the instance. Possible values include: STANDARD, PREMIUM, BASIC_HDD, BASIC_SSD, HIGH_SCALE_SSD, ZONAL and ENTERPRISE.
- `file_shares`: (Required, string) File system shares on the instance. For this version, only a single file share is supported. The `file_shares` object accepts the following attributes:
  - `name`: (Required, string) The name of the file share (16 characters or less).
  - `capacity_gb`: (Required, string) File share capacity in GiB. This must be at least 1024 GiB for the standard tier, or 2560 GiB for the premium tier.
  - `source_backup`: (Optional, string) The resource name of the backup, in the format projects/{projectId}/locations/{locationId}/backups/{backupId}, that this file share has been restored from.
  - `nfs_export_options`: (Optional, list(object)) NFS export options. There is a limit of 10 export options per file share. The `nfs_export_options` object accepts the following attributes:
    - `ip_ranges`: (Optional, list) List of either IPv4 addresses, or ranges in CIDR notation, which may mount the file share. Overlapping IP ranges are not allowed, both within and across NfsExportOptions; an error will be returned. The limit is 64 IP ranges/addresses for each FileShareConfig among all NfsExportOptions.
    - `access_mode`: (Optional, string) Either READ_ONLY, for allowing only read requests on the exported directory, or READ_WRITE, for allowing both read and write requests. Default value is READ_WRITE. Possible values are: READ_ONLY, READ_WRITE.
    - `squash_mode`: (Optional, string) Either NO_ROOT_SQUASH, for allowing root access on the exported directory, or ROOT_SQUASH, for not allowing root access. Default value is NO_ROOT_SQUASH. Possible values are: NO_ROOT_SQUASH, ROOT_SQUASH.
    - `anon_uid`: (Optional, number) An integer representing the anonymous user id, with a default value of 65534. `anon_uid` may only be set with a squashMode of ROOT_SQUASH. An error will be returned if this field is specified for other squashMode settings.
    - `anon_gid`: (Optional, number) An integer representing the anonymous group id, with a default value of 65534. `anon_gid` may only be set with a squashMode of ROOT_SQUASH. An error will be returned if this field is specified for other squashMode settings.
- `network`: (Optional, string) VPC networks to which the instance is connected. For this version, only a single network is supported. The `network` object accepts the following attributes:
  - `network`: (Required, string) The name of the GCE VPC network to which the instance is connected.
  - `modes`: (Required, string) IP versions for which the instance has IP addresses assigned. Each value may be one of: ADDRESS_MODE_UNSPECIFIED, MODE_IPV4, MODE_IPV6.
  - `reserved_ip_range`: (Optional, string) A /29 CIDR block that identifies the range of IP addresses reserved for this instance.
  - `ip_addresses`: (Optional, string) A list of IPv4 or IPv6 addresses.
  - `connect_mode`: (Optional, string) The network connect mode of the Filestore instance. If not provided, the connect mode defaults to DIRECT_PEERING. Possible values are: DIRECT_PEERING, PRIVATE_SERVICE_ACCESS.
- `project_id`: (Optional, string) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- `location`: (Optional, string) The name of the location of the instance. This can be a region for ENTERPRISE tier instances.
- `labels`: (Optional, map(string)) Resource labels to represent user-provided metadata. Note: this field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.
- `kms_key_name`: (Optional, string) KMS key name used for data encryption.
- `description`: (Optional, string) A description of the instance.
Variables for the `serverless-vpc-access-connector` module (google_vpc_access_connector):

- `name`: (Required, string) The name of the resource (max 25 characters).
- `ip_cidr_range`: (Optional, string) The range of internal addresses that follows RFC 4632 notation. Example: 10.132.0.0/28.
- `project_id`: (Optional, string) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
- `network_vpc`: (Optional, string) Name or self_link of the VPC network. Required if `ip_cidr_range` is set.
- `region`: (Optional, string) Region where the VPC Access connector resides. If it is not provided, the provider region is used.
- `machine_type`: (Optional, string) Machine type of the VM instances underlying the connector. Default is e2-micro.
- `min_throughput`: (Optional, string) Minimum throughput of the connector in Mbps. Default and minimum is 200.
- `max_throughput`: (Optional, string) Maximum throughput of the connector in Mbps; must be greater than `min_throughput`. Default is 300.
- `min_instances`: (Optional, string) Minimum number of instances in the autoscaling group underlying the connector.
- `max_instances`: (Optional, string) Maximum number of instances in the autoscaling group underlying the connector.
- `subnet`: (Optional, string) The subnet in which to house the connector. The `subnet` object accepts the following attributes:
  - `name`: (Optional, string) Subnet name (relative, not fully qualified). E.g. if the full subnet selfLink is https://compute.googleapis.com/compute/v1/projects/{project}/regions/{region}/subnetworks/{subnetName}, the correct input for this field would be {subnetName}.
  - `project_id`: (Optional, string) Project in which the subnet exists. If not set, this project is assumed to be the project for which the connector create request was issued.

Note: if you have provided the `ip_cidr_range` value, do not provide the `subnet` configuration as well; the two conflict when both are given.
Variables common to all modules:

- `module_enabled`: (Optional, bool) Specifies whether resources in the module will be created. Note: this variable does not apply to google_project_service. Default is `true`.
- `module_timeouts`: (Optional, object(module_timeouts)) A map of timeout objects, keyed by Terraform resource name, defining timeouts for the `create`, `update` and `delete` Terraform operations. Supported resources are: `google_cloud_run_v2_service`, `google_filestore_instance`, `google_vpc_access_connector`, `google_project_service`. Default is `{}`. Each entry of the `module_timeouts` object accepts the attributes `create`, `update` and `delete`. Example:

  ```hcl
  module_timeouts = {
    null_resource = {
      create = "4m"
      update = "4m"
      delete = "4m"
    }
  }
  ```

- `module_depends_on`: (Optional, list(dependency)) A list of dependencies. Any object can be assigned to this list to define a hidden external dependency. Default is `[]`. Example:

  ```hcl
  module_depends_on = [ null_resource.name ]
  ```
We can get the following outputs from the modules:

- google_cloud_run_v2_service (`cloud-runV2`)
  - URL: the Cloud Run service URL (`module.cloud-runV2.url`)
- google_filestore_instance (`filestore`)
  - nfs-endpoint: the Filestore NFS endpoint (`module.filestore.nfs_mount_point`)
- google_vpc_access_connector (`serverless-vpc-access-connector`)
  - Connector self_link: the serverless VPC access connector self_link (`module.serverless-vpc-access-connector.self_link`)
Steps to mount the Filestore share in Cloud Run:

- Once you run the Terraform module it will set up the VPC connector, Filestore and Cloud Run. You then get the Filestore NFS mount IP together with the file share (like `ip:/fileshare`).
- Open the Dockerfile and add the following command along with the entrypoint or CMD: `mount -o nolock FILESTORE_IP_ADDRESS:/FILE_SHARE_NAME MNT_DIR` (e.g. if your CMD is `npm run start`, you can add the mount command like this: `CMD mount -o nolock $FILESTORE_IP_ADDRESS:/$FILE_SHARE_NAME $MNT_DIR && npm run start`).
- Afterwards, build the Docker image and push it to GCP Artifact Registry.
- Once pushed, replace the Docker image link in the Cloud Run module and run `terraform apply` again. Note: when you mount the Filestore share in Cloud Run you have to set the execution environment of the Cloud Run module to "Second generation" (EXECUTION_ENVIRONMENT_GEN2).
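The three modules wired together in one `main.tf`, as an added example that is not part of the module's own README. Assumed here: the module source paths under `./modules/`, the object-vs-list shape of `file_shares`, `network`, `containers_temp` and `env`, and the PROJECT_ID/TAG placeholders; the variable that attaches the Cloud Run service to the connector is not among the variables documented above, so the example only orders creation with `module_depends_on`.

```hcl
# Added example (not from the module's README). Assumed: module paths under
# ./modules/, object/list shapes of the nested variables, PROJECT_ID/TAG placeholders.

module "serverless-vpc-access-connector" {
  source        = "./modules/serverless-vpc-access-connector" # assumed path
  name          = "run-filestore-conn"                         # max 25 characters
  region        = "us-central1"
  network_vpc   = "default"
  ip_cidr_range = "10.8.0.0/28" # do not set `subnet` as well; the two conflict
}

module "filestore" {
  source   = "./modules/filestore" # assumed path
  name     = "app-filestore"
  tier     = "BASIC_HDD"
  location = "us-central1-a"
  file_shares = { # assumed to be a single object
    name        = "share1" # 16 characters or less
    capacity_gb = 1024     # minimum for the standard tier
    nfs_export_options = [{
      ip_ranges   = ["10.8.0.0/28"] # only the connector's range may mount the share
      access_mode = "READ_WRITE"
      squash_mode = "ROOT_SQUASH" # root in the container maps to anon_uid/anon_gid
    }]
  }
  network = { # assumed to be a single object
    network = "default"
    modes   = ["MODE_IPV4"]
  }
}

module "cloud-runV2" {
  source                = "./modules/cloud-runV2" # assumed path
  name                  = "app"
  location              = "us-central1"
  execution_environment = "EXECUTION_ENVIRONMENT_GEN2" # NFS mounts need the 2nd-gen sandbox
  ingress               = "INGRESS_TRAFFIC_INTERNAL_ONLY"
  service_account       = "app-run@PROJECT_ID.iam.gserviceaccount.com" # placeholder
  containers_temp = [{
    image = "us-central1-docker.pkg.dev/PROJECT_ID/repo/app:TAG" # placeholder
    env = [{
      # consumed by the Dockerfile CMD: mount -o nolock $FILE_STORE_ENDPOINT <target-dir>
      name  = "FILE_STORE_ENDPOINT"
      value = module.filestore.nfs_mount_point # "ip:/fileshare"
    }]
  }]
  module_depends_on = [module.serverless-vpc-access-connector]
}
```

Apply this once with the placeholder image to create the connector and Filestore instance, then rebuild the image with the mount CMD and apply again, as the steps above describe.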