Skip to content

モンハンAPIのMCPサーバーを実装#145

Merged
o-ga09 merged 25 commits intomainfrom
claude/issue-131-20250529_124751
May 30, 2025
Merged

モンハンAPIのMCPサーバーを実装#145
o-ga09 merged 25 commits intomainfrom
claude/issue-131-20250529_124751

Conversation

@o-ga09
Copy link
Copy Markdown
Owner

@o-ga09 o-ga09 commented May 29, 2025

close #131

実装内容

  • Add mcp-go dependency to go.mod
  • Implement cmd/mcp/main.go with 8 MCP tools:
    • get_monsters, get_monster_by_id (monster data)
    • get_weapons (weapon search functionality)
    • get_items, get_item_by_id, get_items_by_monster (item data)
    • get_skills, get_skill_by_id (skill data with levels)
  • Add comprehensive unit tests with mocks
  • Support streaming via mcp-go server
  • Compatible with existing API specifications
  • Proper error handling and JSON response formatting

動作確認

エビデンス

テスト結果

@claude @o-ga09
feat: Implement MCP server for Monster Hunter API
9bfaad1 
- Add mcp-go dependency to go.mod
- Implement cmd/mcp/main.go with 8 MCP tools:
  - get_monsters, get_monster_by_id (monster data)
  - get_weapons (weapon search functionality)  
  - get_items, get_item_by_id, get_items_by_monster (item data)
  - get_skills, get_skill_by_id (skill data with levels)
- Add comprehensive unit tests with mocks
- Support streaming via mcp-go server
- Compatible with existing API specifications
- Proper error handling and JSON response formatting

Issue #131

Co-authored-by: o-ga09 <o-ga09@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 29, 2025 13:01
Copilot AI reviewed May 29, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

このPRは、モンハンAPI向けのMCPサーバー実装を目的としており、mcp-goライブラリの依存関係追加、MCPツール8種類の実装、および各種エンドポイントの単体テストの追加を行っています。

  • mcp-goの依存関係をgo.modに追加
  • cmd/mcp/main.goで8つのMCPツールを実装
  • 単体テストにより各エンドポイントの動作確認を実施し、ストリーミングやエラーハンドリングも対応

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
go.mod mcp-go依存関係追加によりMCPサーバー実装をサポート
cmd/mcp/main_test.go 各種MCPツールの動作確認のためのモックおよびテスト追加

以下は、mermaid記法による処理フローの簡易図です:

graph LR
    A[クライアントリクエスト] --> B[MCPサーバー]
    B --> C{ツール種別判定}
    C --> D[Monsterサービス]
    C --> E[Weaponサービス]
    C --> F[Itemサービス]
    C --> G[Skillサービス]
    D --> H[レスポンス生成]
    E --> H
    F --> H
    G --> H
    H --> I[JSONレスポンス送信]
Loading
Comments suppressed due to low confidence (1)

cmd/mcp/main_test.go:40

  • MCPツール実装に対してアイテム関連のエンドポイント(get_items, get_item_by_id, get_items_by_monster)のテストが不足しているようです。これらのエンドポイント用のテストを追加すると、網羅性が向上します。
func (m *MockItemService) GetAllItems(ctx context.Context) (*items.ItemListResponseDTO, error) {

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented May 29, 2025

Terraform Format and Style failure

Terraform Initialization ⚙️success

Terraform Validation success

Validation Output ```

Success! The configuration is valid.

</details>
#### Terraform Plan `success`
<details><summary>Show Plan</summary>

terraform
google_project_service.enable_api["iamcredentials.googleapis.com"]: Refreshing state... [id=mh-api-389212/iamcredentials.googleapis.com]
data.google_iam_policy.auth: Reading...
data.google_service_account.terraform_sa: Reading...
google_project_service.enable_api["cloudresourcemanager.googleapis.com"]: Refreshing state... [id=mh-api-389212/cloudresourcemanager.googleapis.com]
google_project_service.enable_api["iam.googleapis.com"]: Refreshing state... [id=mh-api-389212/iam.googleapis.com]
google_project_service.enable_api["sts.googleapis.com"]: Refreshing state... [id=mh-api-389212/sts.googleapis.com]
data.google_iam_policy.auth: Read complete after 0s [id=2737878799]
google_cloud_run_service.stg-mh-api: Refreshing state... [id=locations/asia-northeast1/namespaces/mh-api-389212/services/mh-api]
google_iam_workload_identity_pool.terraform-pool: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool]
data.google_service_account.terraform_sa: Read complete after 0s [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com]
google_service_account_iam_member.terraform_sa: Refreshing state... [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/650836814988/locations/global/workloadIdentityPools/terraform-pool/attribute.repository/o-ga09/MH-API]
google_iam_workload_identity_pool_provider.terraform-provider: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool/providers/terraform-provider]
google_cloud_run_service_iam_policy.auth: Refreshing state... [id=v1/projects/mh-api-389212/locations/asia-northeast1/services/mh-api]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:

  • create
    ~ update in-place

Terraform will perform the following actions:

google_cloud_run_service.stg-mh-api will be updated in-place

~ resource "google_cloud_run_service" "stg-mh-api" {
id = "locations/asia-northeast1/namespaces/mh-api-389212/services/mh-api"
name = "mh-api"
# (4 unchanged attributes hidden)

  ~ template {
      ~ spec {
            # (5 unchanged attributes hidden)

          ~ containers {
              ~ image       = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api/mh-api:5306374f243c1ba1a4d2401e0b16fa86b50797cb" -> "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api/mh-api:6fad2fb60e8f47044b25ba75aa2971853da27c4f"
                name        = "mh-api-1"
                # (3 unchanged attributes hidden)

                # (10 unchanged blocks hidden)
            }
        }

        # (1 unchanged block hidden)
    }

    # (2 unchanged blocks hidden)
}

google_project_iam_member.cloud_run_trace_agent will be created

  • resource "google_project_iam_member" "cloud_run_trace_agent" {

Plan: 1 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.
Releasing state lock. This may take a few moments...

</details>
*Pusher: @o-ga09, Action: `pull_request`, Working Directory: ``, Workflow: `terraform`*

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented May 29, 2025

Terraform Format and Style failure

Terraform Initialization ⚙️success

Terraform Validation success

Validation Output ```

Success! The configuration is valid.

</details>
#### Terraform Plan `success`
<details><summary>Show Plan</summary>

terraform
Acquiring state lock. This may take a few moments...
data.google_service_account.terraform_sa: Reading...
data.google_iam_policy.auth: Reading...
google_project_service.enable_api["cloudresourcemanager.googleapis.com"]: Refreshing state... [id=mh-api-389212/cloudresourcemanager.googleapis.com]
google_project_service.enable_api["iamcredentials.googleapis.com"]: Refreshing state... [id=mh-api-389212/iamcredentials.googleapis.com]
google_project_service.enable_api["sts.googleapis.com"]: Refreshing state... [id=mh-api-389212/sts.googleapis.com]
google_project_service.enable_api["iam.googleapis.com"]: Refreshing state... [id=mh-api-389212/iam.googleapis.com]
data.google_iam_policy.auth: Read complete after 0s [id=2737878799]
google_cloud_run_service.stg-mh-api: Refreshing state... [id=locations/asia-northeast1/namespaces/mh-api-389212/services/mh-api]
google_iam_workload_identity_pool.terraform-pool: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool]
data.google_service_account.terraform_sa: Read complete after 0s [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com]
google_iam_workload_identity_pool_provider.terraform-provider: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool/providers/terraform-provider]
google_service_account_iam_member.terraform_sa: Refreshing state... [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/650836814988/locations/global/workloadIdentityPools/terraform-pool/attribute.repository/o-ga09/MH-API]
google_cloud_run_service_iam_policy.auth: Refreshing state... [id=v1/projects/mh-api-389212/locations/asia-northeast1/services/mh-api]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:

  • create
    ~ update in-place

Terraform will perform the following actions:

google_cloud_run_service.stg-mh-api will be updated in-place

~ resource "google_cloud_run_service" "stg-mh-api" {
id = "locations/asia-northeast1/namespaces/mh-api-389212/services/mh-api"
name = "mh-api"
# (4 unchanged attributes hidden)

  ~ template {
      ~ spec {
            # (5 unchanged attributes hidden)

          ~ containers {
              ~ image       = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api/mh-api:5306374f243c1ba1a4d2401e0b16fa86b50797cb" -> "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api/mh-api:e5003833c7d08017ecc5eef10c8d2d88f2b65cc0"
                name        = "mh-api-1"
                # (3 unchanged attributes hidden)

                # (10 unchanged blocks hidden)
            }
        }

        # (1 unchanged block hidden)
    }

    # (2 unchanged blocks hidden)
}

google_project_iam_member.cloud_run_trace_agent will be created

  • resource "google_project_iam_member" "cloud_run_trace_agent" {

Plan: 1 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

</details>
*Pusher: @o-ga09, Action: `pull_request`, Working Directory: ``, Workflow: `terraform`*

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented May 29, 2025

Terraform Format and Style failure

Terraform Initialization ⚙️success

Terraform Validation success

Validation Output ```

Success! The configuration is valid.

</details>
#### Terraform Plan `success`
<details><summary>Show Plan</summary>

terraform
google_iam_workload_identity_pool.terraform-pool: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool]
google_project_iam_member.cloud_run_trace_agent: Refreshing state... [id=mh-api-389212/roles/cloudtrace.agent/serviceAccount:auto-deploy@mh-api-389212.iam.gserviceaccount.com]
google_project_service.enable_api["sts.googleapis.com"]: Refreshing state... [id=mh-api-389212/sts.googleapis.com]
data.google_service_account.terraform_sa: Reading...
google_project_service.enable_api["iamcredentials.googleapis.com"]: Refreshing state... [id=mh-api-389212/iamcredentials.googleapis.com]
google_project_service.enable_api["cloudresourcemanager.googleapis.com"]: Refreshing state... [id=mh-api-389212/cloudresourcemanager.googleapis.com]
data.google_iam_policy.auth: Reading...
google_project_service.enable_api["iam.googleapis.com"]: Refreshing state... [id=mh-api-389212/iam.googleapis.com]
data.google_iam_policy.auth: Read complete after 0s [id=2737878799]
google_cloud_run_service.stg-mh-api: Refreshing state... [id=locations/asia-northeast1/namespaces/mh-api-389212/services/mh-api]
google_iam_workload_identity_pool_provider.terraform-provider: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool/providers/terraform-provider]
data.google_service_account.terraform_sa: Read complete after 0s [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com]
google_service_account_iam_member.terraform_sa: Refreshing state... [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/650836814988/locations/global/workloadIdentityPools/terraform-pool/attribute.repository/o-ga09/MH-API]
google_cloud_run_service_iam_policy.auth: Refreshing state... [id=v1/projects/mh-api-389212/locations/asia-northeast1/services/mh-api]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
~ update in-place

Terraform will perform the following actions:

google_cloud_run_service.stg-mh-api will be updated in-place

~ resource "google_cloud_run_service" "stg-mh-api" {
id = "locations/asia-northeast1/namespaces/mh-api-389212/services/mh-api"
name = "mh-api"
# (4 unchanged attributes hidden)

  ~ template {
      ~ spec {
            # (5 unchanged attributes hidden)

          ~ containers {
              ~ image       = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api/mh-api:055b0f3b07c6999d3149c03aaa44c8cfa2cedfca" -> "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api/mh-api:aae6f9965852b17d93d4b3cb516a59b9a61c22e0"
                name        = "mh-api-1"
                # (3 unchanged attributes hidden)

                # (10 unchanged blocks hidden)
            }
        }

        # (1 unchanged block hidden)
    }

    # (2 unchanged blocks hidden)
}

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

</details>
*Pusher: @o-ga09, Action: `pull_request`, Working Directory: ``, Workflow: `terraform`*

claude bot and others added 8 commits May 30, 2025 00:05
@claude @o-ga09
feat: Add MCP server infrastructure configuration
b6664bb 
- Add MCP server Docker build stages to Dockerfile
- Add terraform/local.tf with local variables definition
- Add terraform/mcp.tf with Cloud Run configuration for MCP server
- Add compose.mcp.yml for local MCP server development

Co-authored-by: o-ga09 <o-ga09@users.noreply.github.com>
@o-ga09
✨ feat: Dockerイメージの環境変数を整理し、ビルドステップを修正
7f82bbd
@o-ga09
✨ feat: コンテナイメージの設定を更新し、MCPサービス用の変数ファイルを追加
1a6bc8f
@o-ga09
🔧 fix: terraform.ymlとlocal.tfの修正、不要なterraform.tfvarsファイルを削除
97991b2
@o-ga09
✨ feat: terraform.ymlにローカル変数を追加し、不要なローカル変数処理を削除
ad72075
@o-ga09
✨ feat: local.tfとvariables.tfにプロジェクト設定を追加し、コンテナイメージのタグを変数化
2cec18b
@o-ga09
🔧 fix: API_IMAGEの設定を修正し、TF_VAR_service_nameを固定値に変更
980fda5
@o-ga09
Merge pull request #146 from o-ga09/claude/issue-131-20250530_000230
e57328c 
MCPサーバのCloudRunの設定を追加
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented May 30, 2025

Terraform Format and Style failure

Terraform Initialization ⚙️success

Terraform Validation success

Validation Output ```

Success! The configuration is valid.

</details>
#### Terraform Plan `success`
<details><summary>Show Plan</summary>

terraform
data.google_service_account.terraform_sa: Reading...
google_project_iam_member.cloud_run_trace_agent: Refreshing state... [id=mh-api-389212/roles/cloudtrace.agent/serviceAccount:auto-deploy@mh-api-389212.iam.gserviceaccount.com]
data.google_iam_policy.mcp_auth: Reading...
data.google_iam_policy.auth: Reading...
google_project_service.enable_api["iam.googleapis.com"]: Refreshing state... [id=mh-api-389212/iam.googleapis.com]
google_project_service.enable_api["iamcredentials.googleapis.com"]: Refreshing state... [id=mh-api-389212/iamcredentials.googleapis.com]
google_project_service.enable_api["sts.googleapis.com"]: Refreshing state... [id=mh-api-389212/sts.googleapis.com]
data.google_iam_policy.auth: Read complete after 0s [id=2066618159]
data.google_iam_policy.mcp_auth: Read complete after 0s [id=2066618159]
google_project_service.enable_api["cloudresourcemanager.googleapis.com"]: Refreshing state... [id=mh-api-389212/cloudresourcemanager.googleapis.com]
google_cloud_run_service.stg-mh-api: Refreshing state... [id=locations/asia-northeast1/namespaces/mh-api-389212/services/mh-api]
google_iam_workload_identity_pool.terraform-pool: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool]
data.google_service_account.terraform_sa: Read complete after 1s [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com]
google_service_account_iam_member.terraform_sa: Refreshing state... [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/650836814988/locations/global/workloadIdentityPools/terraform-pool/attribute.repository/o-ga09/MH-API]
google_iam_workload_identity_pool_provider.terraform-provider: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool/providers/terraform-provider]
google_cloud_run_service_iam_policy.auth: Refreshing state... [id=v1/projects/mh-api-389212/locations/asia-northeast1/services/mh-api]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:

  • create
  • destroy
    -/+ destroy and then create replacement

Terraform will perform the following actions:

google_cloud_run_service.stg-mh-api must be replaced

-/+ resource "google_cloud_run_service" "stg-mh-api" {
~ id = "locations/asia-northeast1/namespaces/mh-api-389212/services/mh-api" -> (known after apply)
~ name = "mh-api" -> "stg-mh-api" # forces replacement
~ status = [
- {
- conditions = [
- {
- status = "True"
- type = "Ready"
# (2 unchanged attributes hidden)
},
- {
- status = "True"
- type = "ConfigurationsReady"
# (2 unchanged attributes hidden)
},
- {
- status = "True"
- type = "RoutesReady"
# (2 unchanged attributes hidden)
},
]
- latest_created_revision_name = "mh-api-00033-qhw"
- latest_ready_revision_name = "mh-api-00033-qhw"
- observed_generation = 37
- traffic = [
- {
- latest_revision = true
- percent = 100
- revision_name = "mh-api-00033-qhw"
# (2 unchanged attributes hidden)
},
]
- url = "https://mh-api-xpzdc5i4rq-an.a.run.app"
},
] -> (known after apply)
# (3 unchanged attributes hidden)

  ~ metadata (known after apply)
  - metadata {
      - annotations           = {} -> null
      - effective_annotations = {
          - "run.googleapis.com/client-name"    = "cloud-console"
          - "run.googleapis.com/ingress"        = "all"
          - "run.googleapis.com/ingress-status" = "all"
          - "run.googleapis.com/operation-id"   = "2edd3108-b174-43dd-938b-d3db04e6daae"
          - "run.googleapis.com/urls"           = jsonencode(
                [
                  - "https://mh-api-650836814988.asia-northeast1.run.app",
                  - "https://mh-api-xpzdc5i4rq-an.a.run.app",
                ]
            )
          - "serving.knative.dev/creator"       = "taitiabe1997@gmail.com"
          - "serving.knative.dev/lastModifier"  = "terraform@mh-api-389212.iam.gserviceaccount.com"
        } -> null
      - effective_labels      = {
          - "cloud.googleapis.com/location" = "asia-northeast1"
        } -> null
      - generation            = 37 -> null
      - labels                = {} -> null
      - namespace             = "mh-api-389212" -> null
      - resource_version      = "AAY2Rq1xFNY" -> null
      - self_link             = "/apis/serving.knative.dev/v1/namespaces/650836814988/services/mh-api" -> null
      - terraform_labels      = {} -> null
      - uid                   = "db8b31de-ce38-476c-b4f8-b667ed8739f0" -> null
    }

  ~ template {
      ~ metadata {
          ~ generation       = 0 -> (known after apply)
          ~ labels           = {
              - "client.knative.dev/nonce"            = "86fed7cd-9f53-45bb-a25f-18595991e8e8"
              - "run.googleapis.com/startupProbeType" = "Default"
            } -> (known after apply)
          + name             = (known after apply)
          + namespace        = (known after apply)
          + resource_version = (known after apply)
          + self_link        = (known after apply)
          + uid              = (known after apply)
            # (1 unchanged attribute hidden)
        }
      ~ spec {
          - node_selector         = {} -> null
          ~ service_account_name  = "auto-deploy@mh-api-389212.iam.gserviceaccount.com" -> "mh-api-389212@appspot.gserviceaccount.com"
          + serving_state         = (known after apply)
          ~ timeout_seconds       = 300 -> (known after apply)
            # (1 unchanged attribute hidden)

          ~ containers {
              - args        = [] -> null
              - command     = [] -> null
              ~ image       = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api/mh-api:055b0f3b07c6999d3149c03aaa44c8cfa2cedfca" -> "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-api:ecde0705dd9221fd81efe755c102c376f8f8b36a"
              ~ name        = "mh-api-1" -> (known after apply)
                # (1 unchanged attribute hidden)

              ~ resources (known after apply)
              - resources {
                  - limits   = {
                      - "cpu"    = "1000m"
                      - "memory" = "512Mi"
                    } -> null
                  - requests = {} -> null
                }

                # (9 unchanged blocks hidden)
            }
        }
    }

  ~ traffic {
      + url             = (known after apply)
        # (4 unchanged attributes hidden)
    }
}

google_cloud_run_service.stg-mh-mcp will be created

  • resource "google_cloud_run_service" "stg-mh-mcp" {

    • autogenerate_revision_name = true

    • id = (known after apply)

    • location = "asia-northeast1"

    • name = "stg-mh-mcp"

    • project = "mh-api-389212"

    • status = (known after apply)

    • metadata (known after apply)

    • template {

      • metadata {
        • annotations = {
          • "autoscaling.knative.dev/maxScale" = "1"
            }
        • generation = (known after apply)
        • labels = (known after apply)
        • name = (known after apply)
        • namespace = (known after apply)
        • resource_version = (known after apply)
        • self_link = (known after apply)
        • uid = (known after apply)
          }
      • spec {

        • container_concurrency = 10

        • service_account_name = "mh-api-389212@appspot.gserviceaccount.com"

        • serving_state = (known after apply)

        • timeout_seconds = (known after apply)

        • containers {

          • image = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-mcp:ecde0705dd9221fd81efe755c102c376f8f8b36a"

          • name = (known after apply)

          • env {

            • name = "DATABASE_URL"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "DATABASE_URL"
                  }
                  }
                  }

          • env {

            • name = "ENV"
            • value = "PROD"
              }

          • env {

            • name = "GIN_MODE"
            • value = "release"
              }

          • env {

            • name = "LOG_LEVEL"
            • value = "INFO"
              }

          • env {

            • name = "PROJECTID"
            • value = "mh-api"
              }

          • env {

            • name = "SENTRY_DSN"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "SENTRY_DSN"
                  }
                  }
                  }

          • env {

            • name = "SERVICE_NAME"
            • value = "mh-mcp"
              }

          • ports {

            • container_port = 8080
            • name = "http1"
              }

          • resources (known after apply)

          • startup_probe {

            • failure_threshold = 1

            • initial_delay_seconds = 0

            • period_seconds = 240

            • timeout_seconds = 240

            • tcp_socket {

              • port = 8080
                }
                }
                }
                }
                }

    • traffic {

      • latest_revision = true
      • percent = 100
      • url = (known after apply)
        }
        }

google_cloud_run_service_iam_policy.auth must be replaced

-/+ resource "google_cloud_run_service_iam_policy" "auth" {
~ etag = "BwY0dJkdtNc=" -> (known after apply)
~ id = "v1/projects/mh-api-389212/locations/asia-northeast1/services/mh-api" -> (known after apply)
~ policy_data = jsonencode(
~ {
~ bindings = [
~ {
~ members = [
"allUsers",
~ "serviceAccount:auto-deploy@mh-api-389212.iam.gserviceaccount.com" -> "serviceAccount:mh-api-389212@appspot.gserviceaccount.com",
]
# (1 unchanged attribute hidden)
},
]
}
)
~ service = "v1/projects/mh-api-389212/locations/asia-northeast1/services/mh-api" -> "stg-mh-api" # forces replacement
# (2 unchanged attributes hidden)
}

google_cloud_run_service_iam_policy.mcp_auth will be created

  • resource "google_cloud_run_service_iam_policy" "mcp_auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      + "serviceAccount:mh-api-389212@appspot.gserviceaccount.com",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-mcp"
      }

google_project_iam_member.cloud_run_trace_agent must be replaced

-/+ resource "google_project_iam_member" "cloud_run_trace_agent" {
~ etag = "BwY2Rq0RYXQ=" -> (known after apply)
~ id = "mh-api-389212/roles/cloudtrace.agent/serviceAccount:auto-deploy@mh-api-389212.iam.gserviceaccount.com" -> (known after apply)
~ member = "serviceAccount:auto-deploy@mh-api-389212.iam.gserviceaccount.com" -> "serviceAccount:mh-api-389212@appspot.gserviceaccount.com" # forces replacement
# (2 unchanged attributes hidden)
}

google_project_service.enable_api["artifactregistry.googleapis.com"] will be created

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "artifactregistry.googleapis.com"
      }

google_project_service.enable_api["cloudresourcemanager.googleapis.com"] will be destroyed

(because key ["cloudresourcemanager.googleapis.com"] is not in for_each map)

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true -> null
    • disable_on_destroy = true -> null
    • id = "mh-api-389212/cloudresourcemanager.googleapis.com" -> null
    • project = "mh-api-389212" -> null
    • service = "cloudresourcemanager.googleapis.com" -> null
      }

google_project_service.enable_api["cloudrun.googleapis.com"] will be created

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "cloudrun.googleapis.com"
      }

google_project_service.enable_api["sts.googleapis.com"] will be destroyed

(because key ["sts.googleapis.com"] is not in for_each map)

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true -> null
    • disable_on_destroy = true -> null
    • id = "mh-api-389212/sts.googleapis.com" -> null
    • project = "mh-api-389212" -> null
    • service = "sts.googleapis.com" -> null
      }

Plan: 7 to add, 0 to change, 5 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

</details>
*Pusher: @o-ga09, Action: `pull_request`, Working Directory: ``, Workflow: `terraform`*

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented May 30, 2025

Terraform Format and Style failure

Terraform Initialization ⚙️success

Terraform Validation success

Validation Output ```

Success! The configuration is valid.

</details>
#### Terraform Plan `failure`
<details><summary>Show Plan</summary>

terraform
Acquiring state lock. This may take a few moments...
google_iam_workload_identity_pool.terraform-pool: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool]
data.google_iam_policy.auth: Reading...
data.google_service_account.terraform_sa: Reading...
data.google_iam_policy.mcp_auth: Reading...
data.google_iam_policy.auth: Read complete after 0s [id=2066618159]
google_project_service.enable_api["artifactregistry.googleapis.com"]: Refreshing state... [id=mh-api-389212/artifactregistry.googleapis.com]
google_project_service.enable_api["iam.googleapis.com"]: Refreshing state... [id=mh-api-389212/iam.googleapis.com]
data.google_iam_policy.mcp_auth: Read complete after 0s [id=2066618159]
google_project_service.enable_api["iamcredentials.googleapis.com"]: Refreshing state... [id=mh-api-389212/iamcredentials.googleapis.com]
google_project_iam_member.cloud_run_trace_agent: Refreshing state... [id=mh-api-389212/roles/cloudtrace.agent/serviceAccount:auto-deploy@mh-api-389212.iam.gserviceaccount.com]
google_iam_workload_identity_pool_provider.terraform-provider: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool/providers/terraform-provider]
data.google_service_account.terraform_sa: Read complete after 0s [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com]
google_service_account_iam_member.terraform_sa: Refreshing state... [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/650836814988/locations/global/workloadIdentityPools/terraform-pool/attribute.repository/o-ga09/MH-API]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:

  • create

Terraform planned the following actions, but then encountered a problem:

google_cloud_run_service.stg-mh-api will be created

  • resource "google_cloud_run_service" "stg-mh-api" {

    • autogenerate_revision_name = true

    • id = (known after apply)

    • location = "asia-northeast1"

    • name = "stg-mh-api"

    • project = "mh-api-389212"

    • status = (known after apply)

    • metadata (known after apply)

    • template {

      • metadata {
        • annotations = {
          • "autoscaling.knative.dev/maxScale" = "1"
            }
        • generation = (known after apply)
        • labels = (known after apply)
        • name = (known after apply)
        • namespace = (known after apply)
        • resource_version = (known after apply)
        • self_link = (known after apply)
        • uid = (known after apply)
          }
      • spec {

        • container_concurrency = 10

        • service_account_name = "mh-api-389212@appspot.gserviceaccount.com"

        • serving_state = (known after apply)

        • timeout_seconds = (known after apply)

        • containers {

          • image = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-api:af2efc555d275fbef2ff5be371e51ceac24818f3"

          • name = (known after apply)

          • env {

            • name = "DATABASE_URL"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "DATABASE_URL"
                  }
                  }
                  }

          • env {

            • name = "ENV"
            • value = "PROD"
              }

          • env {

            • name = "GIN_MODE"
            • value = "release"
              }

          • env {

            • name = "LOG_LEVEL"
            • value = "INFO"
              }

          • env {

            • name = "PROJECTID"
            • value = "mh-api"
              }

          • env {

            • name = "SENTRY_DSN"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "SENTRY_DSN"
                  }
                  }
                  }

          • env {

            • name = "SERVICE_NAME"
            • value = "mh-api"
              }

          • ports {

            • container_port = 8080
            • name = "http1"
              }

          • resources (known after apply)

          • startup_probe {

            • failure_threshold = 1

            • initial_delay_seconds = 0

            • period_seconds = 240

            • timeout_seconds = 240

            • tcp_socket {

              • port = 8080
                }
                }
                }
                }
                }

    • traffic {

      • latest_revision = true
      • percent = 100
      • url = (known after apply)
        }
        }

google_cloud_run_service.stg-mh-mcp will be created

  • resource "google_cloud_run_service" "stg-mh-mcp" {

    • autogenerate_revision_name = true

    • id = (known after apply)

    • location = "asia-northeast1"

    • name = "stg-mh-mcp"

    • project = "mh-api-389212"

    • status = (known after apply)

    • metadata (known after apply)

    • template {

      • metadata {
        • annotations = {
          • "autoscaling.knative.dev/maxScale" = "1"
            }
        • generation = (known after apply)
        • labels = (known after apply)
        • name = (known after apply)
        • namespace = (known after apply)
        • resource_version = (known after apply)
        • self_link = (known after apply)
        • uid = (known after apply)
          }
      • spec {

        • container_concurrency = 10

        • service_account_name = "mh-api-389212@appspot.gserviceaccount.com"

        • serving_state = (known after apply)

        • timeout_seconds = (known after apply)

        • containers {

          • image = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-mcp:af2efc555d275fbef2ff5be371e51ceac24818f3"

          • name = (known after apply)

          • env {

            • name = "DATABASE_URL"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "DATABASE_URL"
                  }
                  }
                  }

          • env {

            • name = "ENV"
            • value = "PROD"
              }

          • env {

            • name = "GIN_MODE"
            • value = "release"
              }

          • env {

            • name = "LOG_LEVEL"
            • value = "INFO"
              }

          • env {

            • name = "PROJECTID"
            • value = "mh-api"
              }

          • env {

            • name = "SENTRY_DSN"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "SENTRY_DSN"
                  }
                  }
                  }

          • env {

            • name = "SERVICE_NAME"
            • value = "mh-mcp"
              }

          • ports {

            • container_port = 8080
            • name = "http1"
              }

          • resources (known after apply)

          • startup_probe {

            • failure_threshold = 1

            • initial_delay_seconds = 0

            • period_seconds = 240

            • timeout_seconds = 240

            • tcp_socket {

              • port = 8080
                }
                }
                }
                }
                }

    • traffic {

      • latest_revision = true
      • percent = 100
      • url = (known after apply)
        }
        }

google_cloud_run_service_iam_policy.auth will be created

  • resource "google_cloud_run_service_iam_policy" "auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      + "serviceAccount:mh-api-389212@appspot.gserviceaccount.com",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-api"
      }

google_cloud_run_service_iam_policy.mcp_auth will be created

  • resource "google_cloud_run_service_iam_policy" "mcp_auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      + "serviceAccount:mh-api-389212@appspot.gserviceaccount.com",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-mcp"
      }

google_project_iam_binding.cloud_run_invoker will be created

  • resource "google_project_iam_binding" "cloud_run_invoker" {

google_project_iam_binding.cloudtrace_agent will be created

  • resource "google_project_iam_binding" "cloudtrace_agent" {

google_project_iam_binding.service_account_user will be created

  • resource "google_project_iam_binding" "service_account_user" {

google_project_service.enable_api["cloudresourcemanager.googleapis.com"] will be created

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "cloudresourcemanager.googleapis.com"
      }

google_project_service.enable_api["cloudrun.googleapis.com"] will be created

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "cloudrun.googleapis.com"
      }

google_project_service.enable_api["serviceusage.googleapis.com"] will be created

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "serviceusage.googleapis.com"
      }

Plan: 10 to add, 0 to change, 0 to destroy.

</details>
*Pusher: @o-ga09, Action: `pull_request`, Working Directory: ``, Workflow: `terraform`*

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented May 30, 2025

Terraform Format and Style failure

Terraform Initialization ⚙️success

Terraform Validation success

Validation Output ```

Success! The configuration is valid.

</details>
#### Terraform Plan `failure`
<details><summary>Show Plan</summary>

terraform
data.google_iam_policy.auth: Reading...
data.google_iam_policy.mcp_auth: Reading...
data.google_service_account.terraform_sa: Reading...
google_project_iam_member.cloud_run_trace_agent: Refreshing state... [id=mh-api-389212/roles/cloudtrace.agent/serviceAccount:auto-deploy@mh-api-389212.iam.gserviceaccount.com]
data.google_iam_policy.auth: Read complete after 0s [id=2066618159]
data.google_iam_policy.mcp_auth: Read complete after 0s [id=2066618159]
google_project_service.enable_api["iamcredentials.googleapis.com"]: Refreshing state... [id=mh-api-389212/iamcredentials.googleapis.com]
google_project_service.enable_api["artifactregistry.googleapis.com"]: Refreshing state... [id=mh-api-389212/artifactregistry.googleapis.com]
google_iam_workload_identity_pool.terraform-pool: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool]
google_project_service.enable_api["iam.googleapis.com"]: Refreshing state... [id=mh-api-389212/iam.googleapis.com]
google_iam_workload_identity_pool_provider.terraform-provider: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool/providers/terraform-provider]
data.google_service_account.terraform_sa: Read complete after 0s [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com]
google_service_account_iam_member.terraform_sa: Refreshing state... [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/650836814988/locations/global/workloadIdentityPools/terraform-pool/attribute.repository/o-ga09/MH-API]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:

  • create

Terraform planned the following actions, but then encountered a problem:

google_cloud_run_service.stg-mh-api will be created

  • resource "google_cloud_run_service" "stg-mh-api" {

    • autogenerate_revision_name = true

    • id = (known after apply)

    • location = "asia-northeast1"

    • name = "stg-mh-api"

    • project = "mh-api-389212"

    • status = (known after apply)

    • metadata (known after apply)

    • template {

      • metadata {
        • annotations = {
          • "autoscaling.knative.dev/maxScale" = "1"
            }
        • generation = (known after apply)
        • labels = (known after apply)
        • name = (known after apply)
        • namespace = (known after apply)
        • resource_version = (known after apply)
        • self_link = (known after apply)
        • uid = (known after apply)
          }
      • spec {

        • container_concurrency = 10

        • service_account_name = "mh-api-389212@appspot.gserviceaccount.com"

        • serving_state = (known after apply)

        • timeout_seconds = (known after apply)

        • containers {

          • image = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-api:2c445315e44ca247657bac47136dfde95b089d32"

          • name = (known after apply)

          • env {

            • name = "DATABASE_URL"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "DATABASE_URL"
                  }
                  }
                  }

          • env {

            • name = "ENV"
            • value = "PROD"
              }

          • env {

            • name = "GIN_MODE"
            • value = "release"
              }

          • env {

            • name = "LOG_LEVEL"
            • value = "INFO"
              }

          • env {

            • name = "PROJECTID"
            • value = "mh-api"
              }

          • env {

            • name = "SENTRY_DSN"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "SENTRY_DSN"
                  }
                  }
                  }

          • env {

            • name = "SERVICE_NAME"
            • value = "mh-api"
              }

          • ports {

            • container_port = 8080
            • name = "http1"
              }

          • resources (known after apply)

          • startup_probe {

            • failure_threshold = 1

            • initial_delay_seconds = 0

            • period_seconds = 240

            • timeout_seconds = 240

            • tcp_socket {

              • port = 8080
                }
                }
                }
                }
                }

    • traffic {

      • latest_revision = true
      • percent = 100
      • url = (known after apply)
        }
        }

google_cloud_run_service.stg-mh-mcp will be created

  • resource "google_cloud_run_service" "stg-mh-mcp" {

    • autogenerate_revision_name = true

    • id = (known after apply)

    • location = "asia-northeast1"

    • name = "stg-mh-mcp"

    • project = "mh-api-389212"

    • status = (known after apply)

    • metadata (known after apply)

    • template {

      • metadata {
        • annotations = {
          • "autoscaling.knative.dev/maxScale" = "1"
            }
        • generation = (known after apply)
        • labels = (known after apply)
        • name = (known after apply)
        • namespace = (known after apply)
        • resource_version = (known after apply)
        • self_link = (known after apply)
        • uid = (known after apply)
          }
      • spec {

        • container_concurrency = 10

        • service_account_name = "mh-api-389212@appspot.gserviceaccount.com"

        • serving_state = (known after apply)

        • timeout_seconds = (known after apply)

        • containers {

          • image = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-mcp:2c445315e44ca247657bac47136dfde95b089d32"

          • name = (known after apply)

          • env {

            • name = "DATABASE_URL"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "DATABASE_URL"
                  }
                  }
                  }

          • env {

            • name = "ENV"
            • value = "PROD"
              }

          • env {

            • name = "GIN_MODE"
            • value = "release"
              }

          • env {

            • name = "LOG_LEVEL"
            • value = "INFO"
              }

          • env {

            • name = "PROJECTID"
            • value = "mh-api"
              }

          • env {

            • name = "SENTRY_DSN"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "SENTRY_DSN"
                  }
                  }
                  }

          • env {

            • name = "SERVICE_NAME"
            • value = "mh-mcp"
              }

          • ports {

            • container_port = 8080
            • name = "http1"
              }

          • resources (known after apply)

          • startup_probe {

            • failure_threshold = 1

            • initial_delay_seconds = 0

            • period_seconds = 240

            • timeout_seconds = 240

            • tcp_socket {

              • port = 8080
                }
                }
                }
                }
                }

    • traffic {

      • latest_revision = true
      • percent = 100
      • url = (known after apply)
        }
        }

google_cloud_run_service_iam_policy.auth will be created

  • resource "google_cloud_run_service_iam_policy" "auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      + "serviceAccount:mh-api-389212@appspot.gserviceaccount.com",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-api"
      }

google_cloud_run_service_iam_policy.mcp_auth will be created

  • resource "google_cloud_run_service_iam_policy" "mcp_auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      + "serviceAccount:mh-api-389212@appspot.gserviceaccount.com",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-mcp"
      }

google_project_iam_binding.cloud_run_invoker will be created

  • resource "google_project_iam_binding" "cloud_run_invoker" {

google_project_iam_binding.cloudtrace_agent will be created

  • resource "google_project_iam_binding" "cloudtrace_agent" {

google_project_iam_binding.service_account_user will be created

  • resource "google_project_iam_binding" "service_account_user" {

google_project_service.cloudresourcemanager will be created

  • resource "google_project_service" "cloudresourcemanager" {
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "cloudresourcemanager.googleapis.com"
      }

google_project_service.enable_api["cloudrun.googleapis.com"] will be created

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "cloudrun.googleapis.com"
      }

google_project_service.enable_api["serviceusage.googleapis.com"] will be created

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "serviceusage.googleapis.com"
      }

Plan: 10 to add, 0 to change, 0 to destroy.

</details>
*Pusher: @o-ga09, Action: `pull_request`, Working Directory: ``, Workflow: `terraform`*

@o-ga09
Copy link
Copy Markdown
Owner Author

o-ga09 commented May 30, 2025

@claude
github actionsのエラーである、terraform planを修正できますか?

@claude
Copy link
Copy Markdown
Contributor

claude bot commented May 30, 2025
edited
Loading

Claude finished @o-ga09's task —— View job

Terraform Plan修正作業 ✅

GitHub ActionsでのTerraform planエラーを修正しました。

TODO

  • Terraformファイルを確認して現在の設定を理解する
  • GitHub Actionsのエラーログを分析する
  • Terraformの設定とフォーマットの問題を修正する
  • 修正をコミットする

修正内容

以下の問題を修正しました:

  1. google-betaプロバイダ追加: main.tfにgoogle-betaプロバイダを追加
  2. フォーマット修正: 全てのTerraformファイルのインデントと構文を正しく調整
  3. 重複権限設定削除: stg.tfgoogle_project_iam_member.cloud_run_trace_agentを削除し、main.tfgoogle_project_iam_binding.cloudtrace_agentに統一
  4. 権限対象変更: Cloud Traceエージェント権限をcloud_run_invoke_service_accountに修正
  5. disable_on_destroy追加: リソース管理の一貫性向上

コミット

修正をコミットしました: 309f4ad 🔧 fix: Terraform planエラーを修正

これにより、terraform fmtチェックエラーとplan実行時の権限重複エラーが解決されるはずです。GitHub Actionsで再度実行されるテラフォームplanが成功することを期待します。

@claude @o-ga09
🔧 fix: Terraform planエラーを修正
309f4ad 
- google-betaプロバイダを追加
- 全てのTerraformファイルのフォーマットを修正
- 重複するCloud Traceエージェント権限設定を統一
- disable_on_destroyオプションを追加
- terraform fmtチェックが通るように調整

Co-authored-by: o-ga09 <o-ga09@users.noreply.github.com>
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented May 30, 2025

Terraform Format and Style failure

Terraform Initialization ⚙️success

Terraform Validation success

Validation Output ```

Success! The configuration is valid.

</details>
#### Terraform Plan `failure`
<details><summary>Show Plan</summary>

terraform
google_iam_workload_identity_pool.terraform-pool: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool]
data.google_iam_policy.mcp_auth: Reading...
data.google_iam_policy.auth: Reading...
google_project_iam_member.cloud_run_trace_agent: Refreshing state... [id=mh-api-389212/roles/cloudtrace.agent/serviceAccount:auto-deploy@mh-api-389212.iam.gserviceaccount.com]
data.google_service_account.terraform_sa: Reading...
data.google_iam_policy.auth: Read complete after 0s [id=2066618159]
data.google_iam_policy.mcp_auth: Read complete after 0s [id=2066618159]
google_project_service.enable_api["iamcredentials.googleapis.com"]: Refreshing state... [id=mh-api-389212/iamcredentials.googleapis.com]
google_project_service.enable_api["artifactregistry.googleapis.com"]: Refreshing state... [id=mh-api-389212/artifactregistry.googleapis.com]
google_project_service.enable_api["iam.googleapis.com"]: Refreshing state... [id=mh-api-389212/iam.googleapis.com]
data.google_service_account.terraform_sa: Read complete after 0s [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com]
google_service_account_iam_member.terraform_sa: Refreshing state... [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/650836814988/locations/global/workloadIdentityPools/terraform-pool/attribute.repository/o-ga09/MH-API]
google_iam_workload_identity_pool_provider.terraform-provider: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool/providers/terraform-provider]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:

  • create

Terraform planned the following actions, but then encountered a problem:

google_cloud_run_service.stg-mh-api will be created

  • resource "google_cloud_run_service" "stg-mh-api" {

    • autogenerate_revision_name = true

    • id = (known after apply)

    • location = "asia-northeast1"

    • name = "stg-mh-api"

    • project = "mh-api-389212"

    • status = (known after apply)

    • metadata (known after apply)

    • template {

      • metadata {
        • annotations = {
          • "autoscaling.knative.dev/maxScale" = "1"
            }
        • generation = (known after apply)
        • labels = (known after apply)
        • name = (known after apply)
        • namespace = (known after apply)
        • resource_version = (known after apply)
        • self_link = (known after apply)
        • uid = (known after apply)
          }
      • spec {

        • container_concurrency = 10

        • service_account_name = "mh-api-389212@appspot.gserviceaccount.com"

        • serving_state = (known after apply)

        • timeout_seconds = (known after apply)

        • containers {

          • image = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-api:0756726225200c84a1e4ad76e91e79fd8c8cd7da"

          • name = (known after apply)

          • env {

            • name = "DATABASE_URL"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "DATABASE_URL"
                  }
                  }
                  }

          • env {

            • name = "ENV"
            • value = "PROD"
              }

          • env {

            • name = "GIN_MODE"
            • value = "release"
              }

          • env {

            • name = "LOG_LEVEL"
            • value = "INFO"
              }

          • env {

            • name = "PROJECTID"
            • value = "mh-api"
              }

          • env {

            • name = "SENTRY_DSN"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "SENTRY_DSN"
                  }
                  }
                  }

          • env {

            • name = "SERVICE_NAME"
            • value = "mh-api"
              }

          • ports {

            • container_port = 8080
            • name = "http1"
              }

          • resources (known after apply)

          • startup_probe {

            • failure_threshold = 1

            • initial_delay_seconds = 0

            • period_seconds = 240

            • timeout_seconds = 240

            • tcp_socket {

              • port = 8080
                }
                }
                }
                }
                }

    • traffic {

      • latest_revision = true
      • percent = 100
      • url = (known after apply)
        }
        }

google_cloud_run_service.stg-mh-mcp will be created

  • resource "google_cloud_run_service" "stg-mh-mcp" {

    • autogenerate_revision_name = true

    • id = (known after apply)

    • location = "asia-northeast1"

    • name = "stg-mh-mcp"

    • project = "mh-api-389212"

    • status = (known after apply)

    • metadata (known after apply)

    • template {

      • metadata {
        • annotations = {
          • "autoscaling.knative.dev/maxScale" = "1"
            }
        • generation = (known after apply)
        • labels = (known after apply)
        • name = (known after apply)
        • namespace = (known after apply)
        • resource_version = (known after apply)
        • self_link = (known after apply)
        • uid = (known after apply)
          }
      • spec {

        • container_concurrency = 10

        • service_account_name = "mh-api-389212@appspot.gserviceaccount.com"

        • serving_state = (known after apply)

        • timeout_seconds = (known after apply)

        • containers {

          • image = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-mcp:0756726225200c84a1e4ad76e91e79fd8c8cd7da"

          • name = (known after apply)

          • env {

            • name = "DATABASE_URL"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "DATABASE_URL"
                  }
                  }
                  }

          • env {

            • name = "ENV"
            • value = "PROD"
              }

          • env {

            • name = "GIN_MODE"
            • value = "release"
              }

          • env {

            • name = "LOG_LEVEL"
            • value = "INFO"
              }

          • env {

            • name = "PROJECTID"
            • value = "mh-api"
              }

          • env {

            • name = "SENTRY_DSN"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "SENTRY_DSN"
                  }
                  }
                  }

          • env {

            • name = "SERVICE_NAME"
            • value = "mh-mcp"
              }

          • ports {

            • container_port = 8080
            • name = "http1"
              }

          • resources (known after apply)

          • startup_probe {

            • failure_threshold = 1

            • initial_delay_seconds = 0

            • period_seconds = 240

            • timeout_seconds = 240

            • tcp_socket {

              • port = 8080
                }
                }
                }
                }
                }

    • traffic {

      • latest_revision = true
      • percent = 100
      • url = (known after apply)
        }
        }

google_cloud_run_service_iam_policy.auth will be created

  • resource "google_cloud_run_service_iam_policy" "auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      + "serviceAccount:mh-api-389212@appspot.gserviceaccount.com",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-api"
      }

google_cloud_run_service_iam_policy.mcp_auth will be created

  • resource "google_cloud_run_service_iam_policy" "mcp_auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      + "serviceAccount:mh-api-389212@appspot.gserviceaccount.com",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-mcp"
      }

google_project_iam_binding.cloud_run_invoker will be created

  • resource "google_project_iam_binding" "cloud_run_invoker" {

google_project_iam_binding.cloudtrace_agent will be created

  • resource "google_project_iam_binding" "cloudtrace_agent" {

google_project_iam_binding.service_account_user will be created

  • resource "google_project_iam_binding" "service_account_user" {

google_project_service.cloudresourcemanager will be created

  • resource "google_project_service" "cloudresourcemanager" {
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "cloudresourcemanager.googleapis.com"
      }

google_project_service.enable_api["cloudrun.googleapis.com"] will be created

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "cloudrun.googleapis.com"
      }

google_project_service.enable_api["serviceusage.googleapis.com"] will be created

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "serviceusage.googleapis.com"
      }

Plan: 10 to add, 0 to change, 0 to destroy.

</details>
*Pusher: @claude[bot], Action: `pull_request`, Working Directory: ``, Workflow: `terraform`*

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented May 30, 2025

Terraform Format and Style failure

Terraform Initialization ⚙️success

Terraform Validation success

Validation Output ```

Success! The configuration is valid.

</details>
#### Terraform Plan `failure`
<details><summary>Show Plan</summary>

terraform
Acquiring state lock. This may take a few moments...
google_iam_workload_identity_pool.terraform-pool: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool]
google_project_iam_member.cloud_run_trace_agent: Refreshing state... [id=mh-api-389212/roles/cloudtrace.agent/serviceAccount:auto-deploy@mh-api-389212.iam.gserviceaccount.com]
google_project_service.enable_api["artifactregistry.googleapis.com"]: Refreshing state... [id=mh-api-389212/artifactregistry.googleapis.com]
data.google_iam_policy.mcp_auth: Reading...
google_project_service.enable_api["iam.googleapis.com"]: Refreshing state... [id=mh-api-389212/iam.googleapis.com]
data.google_iam_policy.mcp_auth: Read complete after 0s [id=2066618159]
data.google_iam_policy.auth: Reading...
data.google_service_account.terraform_sa: Reading...
google_project_service.enable_api["iamcredentials.googleapis.com"]: Refreshing state... [id=mh-api-389212/iamcredentials.googleapis.com]
data.google_iam_policy.auth: Read complete after 0s [id=2066618159]
data.google_service_account.terraform_sa: Read complete after 0s [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com]
google_service_account_iam_member.terraform_sa: Refreshing state... [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/650836814988/locations/global/workloadIdentityPools/terraform-pool/attribute.repository/o-ga09/MH-API]
google_iam_workload_identity_pool_provider.terraform-provider: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool/providers/terraform-provider]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:

  • create

Terraform planned the following actions, but then encountered a problem:

google_cloud_run_service.stg-mh-api will be created

  • resource "google_cloud_run_service" "stg-mh-api" {

    • autogenerate_revision_name = true

    • id = (known after apply)

    • location = "asia-northeast1"

    • name = "stg-mh-api"

    • project = "mh-api-389212"

    • status = (known after apply)

    • metadata (known after apply)

    • template {

      • metadata {
        • annotations = {
          • "autoscaling.knative.dev/maxScale" = "1"
            }
        • generation = (known after apply)
        • labels = (known after apply)
        • name = (known after apply)
        • namespace = (known after apply)
        • resource_version = (known after apply)
        • self_link = (known after apply)
        • uid = (known after apply)
          }
      • spec {

        • container_concurrency = 10

        • service_account_name = "mh-api-389212@appspot.gserviceaccount.com"

        • serving_state = (known after apply)

        • timeout_seconds = (known after apply)

        • containers {

          • image = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-api:ad4e63653921ea07800e9e8cb761a129157e1eed"

          • name = (known after apply)

          • env {

            • name = "DATABASE_URL"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "DATABASE_URL"
                  }
                  }
                  }

          • env {

            • name = "ENV"
            • value = "PROD"
              }

          • env {

            • name = "GIN_MODE"
            • value = "release"
              }

          • env {

            • name = "LOG_LEVEL"
            • value = "INFO"
              }

          • env {

            • name = "PROJECTID"
            • value = "mh-api"
              }

          • env {

            • name = "SENTRY_DSN"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "SENTRY_DSN"
                  }
                  }
                  }

          • env {

            • name = "SERVICE_NAME"
            • value = "mh-api"
              }

          • ports {

            • container_port = 8080
            • name = "http1"
              }

          • resources (known after apply)

          • startup_probe {

            • failure_threshold = 1

            • initial_delay_seconds = 0

            • period_seconds = 240

            • timeout_seconds = 240

            • tcp_socket {

              • port = 8080
                }
                }
                }
                }
                }

    • traffic {

      • latest_revision = true
      • percent = 100
      • url = (known after apply)
        }
        }

google_cloud_run_service.stg-mh-mcp will be created

  • resource "google_cloud_run_service" "stg-mh-mcp" {

    • autogenerate_revision_name = true

    • id = (known after apply)

    • location = "asia-northeast1"

    • name = "stg-mh-mcp"

    • project = "mh-api-389212"

    • status = (known after apply)

    • metadata (known after apply)

    • template {

      • metadata {
        • annotations = {
          • "autoscaling.knative.dev/maxScale" = "1"
            }
        • generation = (known after apply)
        • labels = (known after apply)
        • name = (known after apply)
        • namespace = (known after apply)
        • resource_version = (known after apply)
        • self_link = (known after apply)
        • uid = (known after apply)
          }
      • spec {

        • container_concurrency = 10

        • service_account_name = "mh-api-389212@appspot.gserviceaccount.com"

        • serving_state = (known after apply)

        • timeout_seconds = (known after apply)

        • containers {

          • image = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-mcp:ad4e63653921ea07800e9e8cb761a129157e1eed"

          • name = (known after apply)

          • env {

            • name = "DATABASE_URL"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "DATABASE_URL"
                  }
                  }
                  }

          • env {

            • name = "ENV"
            • value = "PROD"
              }

          • env {

            • name = "GIN_MODE"
            • value = "release"
              }

          • env {

            • name = "LOG_LEVEL"
            • value = "INFO"
              }

          • env {

            • name = "PROJECTID"
            • value = "mh-api"
              }

          • env {

            • name = "SENTRY_DSN"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "SENTRY_DSN"
                  }
                  }
                  }

          • env {

            • name = "SERVICE_NAME"
            • value = "mh-mcp"
              }

          • ports {

            • container_port = 8080
            • name = "http1"
              }

          • resources (known after apply)

          • startup_probe {

            • failure_threshold = 1

            • initial_delay_seconds = 0

            • period_seconds = 240

            • timeout_seconds = 240

            • tcp_socket {

              • port = 8080
                }
                }
                }
                }
                }

    • traffic {

      • latest_revision = true
      • percent = 100
      • url = (known after apply)
        }
        }

google_cloud_run_service_iam_policy.auth will be created

  • resource "google_cloud_run_service_iam_policy" "auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      + "serviceAccount:mh-api-389212@appspot.gserviceaccount.com",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-api"
      }

google_cloud_run_service_iam_policy.mcp_auth will be created

  • resource "google_cloud_run_service_iam_policy" "mcp_auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      + "serviceAccount:mh-api-389212@appspot.gserviceaccount.com",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-mcp"
      }

google_project_iam_binding.cloud_run_invoker will be created

  • resource "google_project_iam_binding" "cloud_run_invoker" {

google_project_iam_binding.cloudtrace_agent will be created

  • resource "google_project_iam_binding" "cloudtrace_agent" {

google_project_iam_binding.service_account_user will be created

  • resource "google_project_iam_binding" "service_account_user" {

google_project_service.enable_api["cloudrun.googleapis.com"] will be created

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "cloudrun.googleapis.com"
      }

google_project_service.enable_api["serviceusage.googleapis.com"] will be created

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "serviceusage.googleapis.com"
      }

Plan: 9 to add, 0 to change, 0 to destroy.

</details>
*Pusher: @o-ga09, Action: `pull_request`, Working Directory: ``, Workflow: `terraform`*

@github-actions

This comment has been minimized.

Sign in to view
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented May 30, 2025

Terraform Format and Style failure

Terraform Initialization ⚙️success

Terraform Validation success

Validation Output ```

Success! The configuration is valid.

</details>
#### Terraform Plan `failure`
<details><summary>Show Plan</summary>

terraform
google_project_iam_member.cloud_run_trace_agent: Refreshing state... [id=mh-api-389212/roles/cloudtrace.agent/serviceAccount:auto-deploy@mh-api-389212.iam.gserviceaccount.com]
data.google_iam_policy.mcp_auth: Reading...
data.google_service_account.terraform_sa: Reading...
data.google_iam_policy.auth: Reading...
data.google_iam_policy.mcp_auth: Read complete after 0s [id=2066618159]
google_project_service.enable_api["artifactregistry.googleapis.com"]: Refreshing state... [id=mh-api-389212/artifactregistry.googleapis.com]
google_project_service.enable_api["iamcredentials.googleapis.com"]: Refreshing state... [id=mh-api-389212/iamcredentials.googleapis.com]
google_project_service.enable_api["iam.googleapis.com"]: Refreshing state... [id=mh-api-389212/iam.googleapis.com]
data.google_iam_policy.auth: Read complete after 0s [id=2066618159]
google_iam_workload_identity_pool.terraform-pool: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool]
data.google_service_account.terraform_sa: Read complete after 0s [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com]
google_service_account_iam_member.terraform_sa: Refreshing state... [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/650836814988/locations/global/workloadIdentityPools/terraform-pool/attribute.repository/o-ga09/MH-API]
google_iam_workload_identity_pool_provider.terraform-provider: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool/providers/terraform-provider]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:

  • create

Terraform planned the following actions, but then encountered a problem:

google_cloud_run_service.stg-mh-api will be created

  • resource "google_cloud_run_service" "stg-mh-api" {

    • autogenerate_revision_name = true

    • id = (known after apply)

    • location = "asia-northeast1"

    • name = "stg-mh-api"

    • project = "mh-api-389212"

    • status = (known after apply)

    • metadata (known after apply)

    • template {

      • metadata {
        • annotations = {
          • "autoscaling.knative.dev/maxScale" = "1"
            }
        • generation = (known after apply)
        • labels = (known after apply)
        • name = (known after apply)
        • namespace = (known after apply)
        • resource_version = (known after apply)
        • self_link = (known after apply)
        • uid = (known after apply)
          }
      • spec {

        • container_concurrency = 10

        • service_account_name = "mh-api-389212@appspot.gserviceaccount.com"

        • serving_state = (known after apply)

        • timeout_seconds = (known after apply)

        • containers {

          • image = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-api:c1b20c5ccb6c66ddf214cd37edc2e7de0451d8a9"

          • name = (known after apply)

          • env {

            • name = "DATABASE_URL"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "DATABASE_URL"
                  }
                  }
                  }

          • env {

            • name = "ENV"
            • value = "PROD"
              }

          • env {

            • name = "GIN_MODE"
            • value = "release"
              }

          • env {

            • name = "LOG_LEVEL"
            • value = "INFO"
              }

          • env {

            • name = "PROJECTID"
            • value = "mh-api"
              }

          • env {

            • name = "SENTRY_DSN"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "SENTRY_DSN"
                  }
                  }
                  }

          • env {

            • name = "SERVICE_NAME"
            • value = "mh-api"
              }

          • ports {

            • container_port = 8080
            • name = "http1"
              }

          • resources (known after apply)

          • startup_probe {

            • failure_threshold = 1

            • initial_delay_seconds = 0

            • period_seconds = 240

            • timeout_seconds = 240

            • tcp_socket {

              • port = 8080
                }
                }
                }
                }
                }

    • traffic {

      • latest_revision = true
      • percent = 100
      • url = (known after apply)
        }
        }

google_cloud_run_service.stg-mh-mcp will be created

  • resource "google_cloud_run_service" "stg-mh-mcp" {

    • autogenerate_revision_name = true

    • id = (known after apply)

    • location = "asia-northeast1"

    • name = "stg-mh-mcp"

    • project = "mh-api-389212"

    • status = (known after apply)

    • metadata (known after apply)

    • template {

      • metadata {
        • annotations = {
          • "autoscaling.knative.dev/maxScale" = "1"
            }
        • generation = (known after apply)
        • labels = (known after apply)
        • name = (known after apply)
        • namespace = (known after apply)
        • resource_version = (known after apply)
        • self_link = (known after apply)
        • uid = (known after apply)
          }
      • spec {

        • container_concurrency = 10

        • service_account_name = "mh-api-389212@appspot.gserviceaccount.com"

        • serving_state = (known after apply)

        • timeout_seconds = (known after apply)

        • containers {

          • image = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-mcp:c1b20c5ccb6c66ddf214cd37edc2e7de0451d8a9"

          • name = (known after apply)

          • env {

            • name = "DATABASE_URL"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "DATABASE_URL"
                  }
                  }
                  }

          • env {

            • name = "ENV"
            • value = "PROD"
              }

          • env {

            • name = "GIN_MODE"
            • value = "release"
              }

          • env {

            • name = "LOG_LEVEL"
            • value = "INFO"
              }

          • env {

            • name = "PROJECTID"
            • value = "mh-api"
              }

          • env {

            • name = "SENTRY_DSN"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "SENTRY_DSN"
                  }
                  }
                  }

          • env {

            • name = "SERVICE_NAME"
            • value = "mh-mcp"
              }

          • ports {

            • container_port = 8080
            • name = "http1"
              }

          • resources (known after apply)

          • startup_probe {

            • failure_threshold = 1

            • initial_delay_seconds = 0

            • period_seconds = 240

            • timeout_seconds = 240

            • tcp_socket {

              • port = 8080
                }
                }
                }
                }
                }

    • traffic {

      • latest_revision = true
      • percent = 100
      • url = (known after apply)
        }
        }

google_cloud_run_service_iam_policy.auth will be created

  • resource "google_cloud_run_service_iam_policy" "auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      + "serviceAccount:mh-api-389212@appspot.gserviceaccount.com",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-api"
      }

google_cloud_run_service_iam_policy.mcp_auth will be created

  • resource "google_cloud_run_service_iam_policy" "mcp_auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      + "serviceAccount:mh-api-389212@appspot.gserviceaccount.com",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-mcp"
      }

google_project_iam_binding.cloud_run_invoker will be created

  • resource "google_project_iam_binding" "cloud_run_invoker" {

google_project_iam_binding.cloudtrace_agent will be created

  • resource "google_project_iam_binding" "cloudtrace_agent" {

google_project_iam_binding.service_account_user will be created

  • resource "google_project_iam_binding" "service_account_user" {

google_project_service.enable_api["run.googleapis.com"] will be created

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "run.googleapis.com"
      }

google_project_service.enable_api["serviceusage.googleapis.com"] will be created

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "serviceusage.googleapis.com"
      }

Plan: 9 to add, 0 to change, 0 to destroy.

</details>
*Pusher: @o-ga09, Action: `pull_request`, Working Directory: ``, Workflow: `terraform`*

@github-actions

This comment has been minimized.

Sign in to view
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented May 30, 2025

Terraform Format and Style failure

Terraform Initialization ⚙️success

Terraform Validation success

Validation Output ```

Success! The configuration is valid.

</details>
#### Terraform Plan `success`
<details><summary>Show Plan</summary>

terraform
google_iam_workload_identity_pool.terraform-pool: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool]
google_project_service.enable_api["iam.googleapis.com"]: Refreshing state... [id=mh-api-389212/iam.googleapis.com]
google_project_iam_member.cloud_run_trace_agent: Refreshing state... [id=mh-api-389212/roles/cloudtrace.agent/serviceAccount:auto-deploy@mh-api-389212.iam.gserviceaccount.com]
data.google_iam_policy.auth: Reading...
google_project_service.enable_api["artifactregistry.googleapis.com"]: Refreshing state... [id=mh-api-389212/artifactregistry.googleapis.com]
google_project_service.enable_api["iamcredentials.googleapis.com"]: Refreshing state... [id=mh-api-389212/iamcredentials.googleapis.com]
data.google_iam_policy.auth: Read complete after 0s [id=3450855414]
data.google_service_account.terraform_sa: Reading...
data.google_iam_policy.mcp_auth: Reading...
data.google_iam_policy.mcp_auth: Read complete after 0s [id=2066618159]
google_iam_workload_identity_pool_provider.terraform-provider: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool/providers/terraform-provider]
data.google_service_account.terraform_sa: Read complete after 0s [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com]
google_service_account_iam_member.terraform_sa: Refreshing state... [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/650836814988/locations/global/workloadIdentityPools/terraform-pool/attribute.repository/o-ga09/MH-API]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:

  • create
    -/+ destroy and then create replacement

Terraform will perform the following actions:

google_cloud_run_service.stg-mh-api will be created

  • resource "google_cloud_run_service" "stg-mh-api" {

    • autogenerate_revision_name = true

    • id = (known after apply)

    • location = "asia-northeast1"

    • name = "stg-mh-api"

    • project = "mh-api-389212"

    • status = (known after apply)

    • metadata (known after apply)

    • template {

      • metadata {
        • annotations = {
          • "autoscaling.knative.dev/maxScale" = "1"
            }
        • generation = (known after apply)
        • labels = (known after apply)
        • name = (known after apply)
        • namespace = (known after apply)
        • resource_version = (known after apply)
        • self_link = (known after apply)
        • uid = (known after apply)
          }
      • spec {

        • container_concurrency = 10

        • service_account_name = "mh-api-389212@appspot.gserviceaccount.com"

        • serving_state = (known after apply)

        • timeout_seconds = (known after apply)

        • containers {

          • image = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-api:76e46920456dce541c2cbaedb8b296ba47a30e1b"

          • name = (known after apply)

          • env {

            • name = "DATABASE_URL"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "DATABASE_URL"
                  }
                  }
                  }

          • env {

            • name = "ENV"
            • value = "PROD"
              }

          • env {

            • name = "GIN_MODE"
            • value = "release"
              }

          • env {

            • name = "LOG_LEVEL"
            • value = "INFO"
              }

          • env {

            • name = "PROJECTID"
            • value = "mh-api"
              }

          • env {

            • name = "SENTRY_DSN"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "SENTRY_DSN"
                  }
                  }
                  }

          • env {

            • name = "SERVICE_NAME"
            • value = "mh-api"
              }

          • ports {

            • container_port = 8080
            • name = "http1"
              }

          • resources (known after apply)

          • startup_probe {

            • failure_threshold = 1

            • initial_delay_seconds = 0

            • period_seconds = 240

            • timeout_seconds = 240

            • tcp_socket {

              • port = 8080
                }
                }
                }
                }
                }

    • traffic {

      • latest_revision = true
      • percent = 100
      • url = (known after apply)
        }
        }

google_cloud_run_service.stg-mh-mcp will be created

  • resource "google_cloud_run_service" "stg-mh-mcp" {

    • autogenerate_revision_name = true

    • id = (known after apply)

    • location = "asia-northeast1"

    • name = "stg-mh-mcp"

    • project = "mh-api-389212"

    • status = (known after apply)

    • metadata (known after apply)

    • template {

      • metadata {
        • annotations = {
          • "autoscaling.knative.dev/maxScale" = "1"
            }
        • generation = (known after apply)
        • labels = (known after apply)
        • name = (known after apply)
        • namespace = (known after apply)
        • resource_version = (known after apply)
        • self_link = (known after apply)
        • uid = (known after apply)
          }
      • spec {

        • container_concurrency = 10

        • service_account_name = "mh-api-389212@appspot.gserviceaccount.com"

        • serving_state = (known after apply)

        • timeout_seconds = (known after apply)

        • containers {

          • image = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-mcp:76e46920456dce541c2cbaedb8b296ba47a30e1b"

          • name = (known after apply)

          • env {

            • name = "DATABASE_URL"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "DATABASE_URL"
                  }
                  }
                  }

          • env {

            • name = "ENV"
            • value = "PROD"
              }

          • env {

            • name = "GIN_MODE"
            • value = "release"
              }

          • env {

            • name = "LOG_LEVEL"
            • value = "INFO"
              }

          • env {

            • name = "PROJECTID"
            • value = "mh-api"
              }

          • env {

            • name = "SENTRY_DSN"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "SENTRY_DSN"
                  }
                  }
                  }

          • env {

            • name = "SERVICE_NAME"
            • value = "mh-mcp"
              }

          • ports {

            • container_port = 8080
            • name = "http1"
              }

          • resources (known after apply)

          • startup_probe {

            • failure_threshold = 1

            • initial_delay_seconds = 0

            • period_seconds = 240

            • timeout_seconds = 240

            • tcp_socket {

              • port = 8080
                }
                }
                }
                }
                }

    • traffic {

      • latest_revision = true
      • percent = 100
      • url = (known after apply)
        }
        }

google_cloud_run_service_iam_policy.auth will be created

  • resource "google_cloud_run_service_iam_policy" "auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-api"
      }

google_cloud_run_service_iam_policy.mcp_auth will be created

  • resource "google_cloud_run_service_iam_policy" "mcp_auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      + "serviceAccount:mh-api-389212@appspot.gserviceaccount.com",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-mcp"
      }

google_project_iam_member.cloud_run_trace_agent must be replaced

-/+ resource "google_project_iam_member" "cloud_run_trace_agent" {
~ etag = "BwY2Rq0RYXQ=" -> (known after apply)
~ id = "mh-api-389212/roles/cloudtrace.agent/serviceAccount:auto-deploy@mh-api-389212.iam.gserviceaccount.com" -> (known after apply)
~ member = "serviceAccount:auto-deploy@mh-api-389212.iam.gserviceaccount.com" -> "serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com" # forces replacement
# (2 unchanged attributes hidden)
}

google_project_iam_member.logging_writer will be created

  • resource "google_project_iam_member" "logging_writer" {

google_project_iam_member.service_account_user will be created

  • resource "google_project_iam_member" "service_account_user" {

google_project_service.enable_api["cloudresourcemanager.googleapis.com"] will be created

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "cloudresourcemanager.googleapis.com"
      }

google_project_service.enable_api["logging.googleapis.com"] will be created

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "logging.googleapis.com"
      }

google_project_service.enable_api["run.googleapis.com"] will be created

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "run.googleapis.com"
      }

google_project_service.enable_api["serviceusage.googleapis.com"] will be created

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "serviceusage.googleapis.com"
      }

Plan: 11 to add, 0 to change, 1 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

</details>
*Pusher: @o-ga09, Action: `pull_request`, Working Directory: ``, Workflow: `terraform`*

@github-actions

This comment has been minimized.

Sign in to view
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented May 30, 2025

Terraform Format and Style failure

Terraform Initialization ⚙️success

Terraform Validation success

Validation Output ```

Success! The configuration is valid.

</details>
#### Terraform Plan `success`
<details><summary>Show Plan</summary>

terraform
google_project_service.enable_api["serviceusage.googleapis.com"]: Refreshing state... [id=mh-api-389212/serviceusage.googleapis.com]
google_project_iam_member.logging_writer: Refreshing state... [id=mh-api-389212/roles/logging.logWriter/serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com]
google_project_iam_member.cloud_run_trace_agent: Refreshing state... [id=mh-api-389212/roles/cloudtrace.agent/serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com]
google_project_service.enable_api["cloudresourcemanager.googleapis.com"]: Refreshing state... [id=mh-api-389212/cloudresourcemanager.googleapis.com]
google_project_service.enable_api["logging.googleapis.com"]: Refreshing state... [id=mh-api-389212/logging.googleapis.com]
google_project_service.enable_api["artifactregistry.googleapis.com"]: Refreshing state... [id=mh-api-389212/artifactregistry.googleapis.com]
google_project_service.enable_api["iam.googleapis.com"]: Refreshing state... [id=mh-api-389212/iam.googleapis.com]
google_project_service.enable_api["iamcredentials.googleapis.com"]: Refreshing state... [id=mh-api-389212/iamcredentials.googleapis.com]
google_project_service.enable_api["run.googleapis.com"]: Refreshing state... [id=mh-api-389212/run.googleapis.com]
data.google_service_account.terraform_sa: Reading...
data.google_service_account.terraform_sa: Read complete after 1s [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com]
data.google_iam_policy.mcp_auth: Reading...
data.google_iam_policy.mcp_auth: Read complete after 0s [id=2054599854]
google_project_iam_member.service_account_user: Refreshing state... [id=mh-api-389212/roles/iam.serviceAccountUser/serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com]
data.google_iam_policy.auth: Reading...
data.google_iam_policy.auth: Read complete after 0s [id=3450855414]
google_iam_workload_identity_pool.terraform-pool: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool]
google_service_account_iam_member.terraform_sa: Refreshing state... [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/650836814988/locations/global/workloadIdentityPools/terraform-pool/attribute.repository/o-ga09/MH-API]
google_iam_workload_identity_pool_provider.terraform-provider: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool/providers/terraform-provider]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:

  • create

Terraform will perform the following actions:

google_cloud_run_service.stg-mh-api will be created

  • resource "google_cloud_run_service" "stg-mh-api" {

    • autogenerate_revision_name = true

    • id = (known after apply)

    • location = "asia-northeast1"

    • name = "stg-mh-api"

    • project = "mh-api-389212"

    • status = (known after apply)

    • metadata (known after apply)

    • template {

      • metadata {
        • annotations = {
          • "autoscaling.knative.dev/maxScale" = "1"
            }
        • generation = (known after apply)
        • labels = (known after apply)
        • name = (known after apply)
        • namespace = (known after apply)
        • resource_version = (known after apply)
        • self_link = (known after apply)
        • uid = (known after apply)
          }
      • spec {

        • container_concurrency = 10

        • service_account_name = "terraform@mh-api-389212.iam.gserviceaccount.com"

        • serving_state = (known after apply)

        • timeout_seconds = (known after apply)

        • containers {

          • image = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-api:69cd000c704ecbbc383b7c84baba13c7634c4d0c"

          • name = (known after apply)

          • env {

            • name = "DATABASE_URL"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "DATABASE_URL"
                  }
                  }
                  }

          • env {

            • name = "ENV"
            • value = "PROD"
              }

          • env {

            • name = "GIN_MODE"
            • value = "release"
              }

          • env {

            • name = "LOG_LEVEL"
            • value = "INFO"
              }

          • env {

            • name = "PROJECTID"
            • value = "mh-api"
              }

          • env {

            • name = "SENTRY_DSN"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "SENTRY_DSN"
                  }
                  }
                  }

          • env {

            • name = "SERVICE_NAME"
            • value = "mh-api"
              }

          • ports {

            • container_port = 8080
            • name = "http1"
              }

          • resources (known after apply)

          • startup_probe {

            • failure_threshold = 1

            • initial_delay_seconds = 0

            • period_seconds = 240

            • timeout_seconds = 240

            • tcp_socket {

              • port = 8080
                }
                }
                }
                }
                }

    • traffic {

      • latest_revision = true
      • percent = 100
      • url = (known after apply)
        }
        }

google_cloud_run_service.stg-mh-mcp will be created

  • resource "google_cloud_run_service" "stg-mh-mcp" {

    • autogenerate_revision_name = true

    • id = (known after apply)

    • location = "asia-northeast1"

    • name = "stg-mh-mcp"

    • project = "mh-api-389212"

    • status = (known after apply)

    • metadata (known after apply)

    • template {

      • metadata {
        • annotations = {
          • "autoscaling.knative.dev/maxScale" = "1"
            }
        • generation = (known after apply)
        • labels = (known after apply)
        • name = (known after apply)
        • namespace = (known after apply)
        • resource_version = (known after apply)
        • self_link = (known after apply)
        • uid = (known after apply)
          }
      • spec {

        • container_concurrency = 10

        • service_account_name = "terraform@mh-api-389212.iam.gserviceaccount.com"

        • serving_state = (known after apply)

        • timeout_seconds = (known after apply)

        • containers {

          • image = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-mcp:69cd000c704ecbbc383b7c84baba13c7634c4d0c"

          • name = (known after apply)

          • env {

            • name = "DATABASE_URL"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "DATABASE_URL"
                  }
                  }
                  }

          • env {

            • name = "ENV"
            • value = "PROD"
              }

          • env {

            • name = "GIN_MODE"
            • value = "release"
              }

          • env {

            • name = "LOG_LEVEL"
            • value = "INFO"
              }

          • env {

            • name = "PROJECTID"
            • value = "mh-api"
              }

          • env {

            • name = "SENTRY_DSN"

              (1 unchanged attribute hidden)

            • value_from {

              • secret_key_ref {
                • key = "latest"
                • name = "SENTRY_DSN"
                  }
                  }
                  }

          • env {

            • name = "SERVICE_NAME"
            • value = "mh-mcp"
              }

          • ports {

            • container_port = 8080
            • name = "http1"
              }

          • resources (known after apply)

          • startup_probe {

            • failure_threshold = 1

            • initial_delay_seconds = 0

            • period_seconds = 240

            • timeout_seconds = 240

            • tcp_socket {

              • port = 8080
                }
                }
                }
                }
                }

    • traffic {

      • latest_revision = true
      • percent = 100
      • url = (known after apply)
        }
        }

google_cloud_run_service_iam_policy.auth will be created

  • resource "google_cloud_run_service_iam_policy" "auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-api"
      }

google_cloud_run_service_iam_policy.mcp_auth will be created

  • resource "google_cloud_run_service_iam_policy" "mcp_auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      + "serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-mcp"
      }

Plan: 4 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

</details>
*Pusher: @o-ga09, Action: `pull_request`, Working Directory: ``, Workflow: `terraform`*

@github-actions

This comment has been minimized.

Sign in to view
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented May 30, 2025

Terraform Format and Style failure

Terraform Initialization ⚙️success

Terraform Validation success

Validation Output ```

Success! The configuration is valid.

</details>
#### Terraform Plan `success`
<details><summary>Show Plan</summary>

terraform
google_iam_workload_identity_pool.terraform-pool: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool]
data.google_service_account.terraform_sa: Reading...
data.google_iam_policy.auth: Reading...
google_project_service.enable_api["artifactregistry.googleapis.com"]: Refreshing state... [id=mh-api-389212/artifactregistry.googleapis.com]
google_project_iam_member.logging_writer: Refreshing state... [id=mh-api-389212/roles/logging.logWriter/serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com]
google_project_service.enable_api["serviceusage.googleapis.com"]: Refreshing state... [id=mh-api-389212/serviceusage.googleapis.com]
google_project_iam_member.cloud_run_trace_agent: Refreshing state... [id=mh-api-389212/roles/cloudtrace.agent/serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com]
google_project_service.enable_api["iamcredentials.googleapis.com"]: Refreshing state... [id=mh-api-389212/iamcredentials.googleapis.com]
data.google_iam_policy.auth: Read complete after 0s [id=3450855414]
data.google_iam_policy.mcp_auth: Reading...
google_project_service.enable_api["iam.googleapis.com"]: Refreshing state... [id=mh-api-389212/iam.googleapis.com]
data.google_iam_policy.mcp_auth: Read complete after 0s [id=2054599854]
google_project_service.enable_api["logging.googleapis.com"]: Refreshing state... [id=mh-api-389212/logging.googleapis.com]
google_cloud_run_service.stg-mh-api: Refreshing state... [id=locations/asia-northeast1/namespaces/mh-api-389212/services/stg-mh-api]
data.google_service_account.terraform_sa: Read complete after 1s [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com]
google_project_service.enable_api["run.googleapis.com"]: Refreshing state... [id=mh-api-389212/run.googleapis.com]
google_project_service.enable_api["cloudresourcemanager.googleapis.com"]: Refreshing state... [id=mh-api-389212/cloudresourcemanager.googleapis.com]
google_cloud_run_service.stg-mh-mcp: Refreshing state... [id=locations/asia-northeast1/namespaces/mh-api-389212/services/stg-mh-mcp]
google_project_iam_member.service_account_user: Refreshing state... [id=mh-api-389212/roles/iam.serviceAccountUser/serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com]
google_service_account_iam_member.terraform_sa: Refreshing state... [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/650836814988/locations/global/workloadIdentityPools/terraform-pool/attribute.repository/o-ga09/MH-API]
google_iam_workload_identity_pool_provider.terraform-provider: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool/providers/terraform-provider]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:

  • create
    -/+ destroy and then create replacement

Terraform will perform the following actions:

google_cloud_run_service.stg-mh-api is tainted, so must be replaced

-/+ resource "google_cloud_run_service" "stg-mh-api" {
~ id = "locations/asia-northeast1/namespaces/mh-api-389212/services/stg-mh-api" -> (known after apply)
name = "stg-mh-api"
~ status = [
- {
- conditions = [
- {
- message = "Revision 'stg-mh-api-00001-r5s' is not ready and cannot serve traffic. Image 'asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-api:20a7b8d3bec3d11db54e8618277ea52b995b514f' not found."
- reason = "RevisionFailed"
- status = "False"
- type = "Ready"
},
- {
- message = "Image 'asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-api:20a7b8d3bec3d11db54e8618277ea52b995b514f' not found."
- status = "True"
- type = "ConfigurationsReady"
# (1 unchanged attribute hidden)
},
- {
- message = "Revision 'stg-mh-api-00001-r5s' is not ready and cannot serve traffic. Image 'asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-api:20a7b8d3bec3d11db54e8618277ea52b995b514f' not found."
- reason = "RevisionFailed"
- status = "False"
- type = "RoutesReady"
},
]
- latest_created_revision_name = "stg-mh-api-00001-r5s"
- observed_generation = 1
- traffic = []
# (2 unchanged attributes hidden)
},
] -> (known after apply)
# (3 unchanged attributes hidden)

  ~ metadata (known after apply)
  - metadata {
      - annotations           = {} -> null
      - effective_annotations = {
          - "run.googleapis.com/ingress"        = "all"
          - "run.googleapis.com/ingress-status" = "all"
          - "run.googleapis.com/operation-id"   = "9f39da7e-9f49-4e6b-b0fb-c5a4a9f879db"
          - "run.googleapis.com/urls"           = jsonencode(
                [
                  - "https://stg-mh-api-650836814988.asia-northeast1.run.app",
                ]
            )
          - "serving.knative.dev/creator"       = "terraform@mh-api-389212.iam.gserviceaccount.com"
          - "serving.knative.dev/lastModifier"  = "terraform@mh-api-389212.iam.gserviceaccount.com"
        } -> null
      - effective_labels      = {
          - "cloud.googleapis.com/location" = "asia-northeast1"
        } -> null
      - generation            = 1 -> null
      - labels                = {} -> null
      - namespace             = "mh-api-389212" -> null
      - resource_version      = "AAY2XJzw7yk" -> null
      - self_link             = "/apis/serving.knative.dev/v1/namespaces/650836814988/services/stg-mh-api" -> null
      - terraform_labels      = {} -> null
      - uid                   = "352015f0-fd06-4c72-bb98-5bcd2ef3c425" -> null
    }

  ~ template {
      ~ metadata {
          ~ generation       = 0 -> (known after apply)
          ~ labels           = {
              - "run.googleapis.com/startupProbeType" = "Default"
            } -> (known after apply)
          + name             = (known after apply)
          + namespace        = (known after apply)
          + resource_version = (known after apply)
          + self_link        = (known after apply)
          + uid              = (known after apply)
            # (1 unchanged attribute hidden)
        }
      ~ spec {
          - node_selector         = {} -> null
          + serving_state         = (known after apply)
          ~ timeout_seconds       = 300 -> (known after apply)
            # (2 unchanged attributes hidden)

          ~ containers {
              - args        = [] -> null
              - command     = [] -> null
              ~ image       = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-api:20a7b8d3bec3d11db54e8618277ea52b995b514f" -> "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-api:5e98f719f35e4967826e7cbfcd0c7cb57310fc98"
              + name        = (known after apply)
                # (1 unchanged attribute hidden)

              ~ resources (known after apply)
              - resources {
                  - limits   = {
                      - "cpu"    = "1000m"
                      - "memory" = "512Mi"
                    } -> null
                  - requests = {} -> null
                }

                # (9 unchanged blocks hidden)
            }
        }
    }

  ~ traffic {
      + url             = (known after apply)
        # (4 unchanged attributes hidden)
    }
}

google_cloud_run_service.stg-mh-mcp is tainted, so must be replaced

-/+ resource "google_cloud_run_service" "stg-mh-mcp" {
~ id = "locations/asia-northeast1/namespaces/mh-api-389212/services/stg-mh-mcp" -> (known after apply)
name = "stg-mh-mcp"
~ status = [
- {
- conditions = [
- {
- message = "Revision 'stg-mh-mcp-00001-wdw' is not ready and cannot serve traffic. Image 'asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-mcp:20a7b8d3bec3d11db54e8618277ea52b995b514f' not found."
- reason = "RevisionFailed"
- status = "False"
- type = "Ready"
},
- {
- message = "Image 'asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-mcp:20a7b8d3bec3d11db54e8618277ea52b995b514f' not found."
- status = "True"
- type = "ConfigurationsReady"
# (1 unchanged attribute hidden)
},
- {
- message = "Revision 'stg-mh-mcp-00001-wdw' is not ready and cannot serve traffic. Image 'asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-mcp:20a7b8d3bec3d11db54e8618277ea52b995b514f' not found."
- reason = "RevisionFailed"
- status = "False"
- type = "RoutesReady"
},
]
- latest_created_revision_name = "stg-mh-mcp-00001-wdw"
- observed_generation = 1
- traffic = []
# (2 unchanged attributes hidden)
},
] -> (known after apply)
# (3 unchanged attributes hidden)

  ~ metadata (known after apply)
  - metadata {
      - annotations           = {} -> null
      - effective_annotations = {
          - "run.googleapis.com/ingress"        = "all"
          - "run.googleapis.com/ingress-status" = "all"
          - "run.googleapis.com/operation-id"   = "28b86e60-8539-4170-bce0-0e6edd635b1e"
          - "run.googleapis.com/urls"           = jsonencode(
                [
                  - "https://stg-mh-mcp-650836814988.asia-northeast1.run.app",
                ]
            )
          - "serving.knative.dev/creator"       = "terraform@mh-api-389212.iam.gserviceaccount.com"
          - "serving.knative.dev/lastModifier"  = "terraform@mh-api-389212.iam.gserviceaccount.com"
        } -> null
      - effective_labels      = {
          - "cloud.googleapis.com/location" = "asia-northeast1"
        } -> null
      - generation            = 1 -> null
      - labels                = {} -> null
      - namespace             = "mh-api-389212" -> null
      - resource_version      = "AAY2XJzcCtA" -> null
      - self_link             = "/apis/serving.knative.dev/v1/namespaces/650836814988/services/stg-mh-mcp" -> null
      - terraform_labels      = {} -> null
      - uid                   = "f8cbcaea-0bf5-43df-89e2-df3c6b489785" -> null
    }

  ~ template {
      ~ metadata {
          ~ generation       = 0 -> (known after apply)
          ~ labels           = {
              - "run.googleapis.com/startupProbeType" = "Default"
            } -> (known after apply)
          + name             = (known after apply)
          + namespace        = (known after apply)
          + resource_version = (known after apply)
          + self_link        = (known after apply)
          + uid              = (known after apply)
            # (1 unchanged attribute hidden)
        }
      ~ spec {
          - node_selector         = {} -> null
          + serving_state         = (known after apply)
          ~ timeout_seconds       = 300 -> (known after apply)
            # (2 unchanged attributes hidden)

          ~ containers {
              - args        = [] -> null
              - command     = [] -> null
              ~ image       = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-mcp:20a7b8d3bec3d11db54e8618277ea52b995b514f" -> "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-mcp:5e98f719f35e4967826e7cbfcd0c7cb57310fc98"
              + name        = (known after apply)
                # (1 unchanged attribute hidden)

              ~ resources (known after apply)
              - resources {
                  - limits   = {
                      - "cpu"    = "1000m"
                      - "memory" = "512Mi"
                    } -> null
                  - requests = {} -> null
                }

                # (9 unchanged blocks hidden)
            }
        }
    }

  ~ traffic {
      + url             = (known after apply)
        # (4 unchanged attributes hidden)
    }
}

google_cloud_run_service_iam_policy.auth will be created

  • resource "google_cloud_run_service_iam_policy" "auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-api"
      }

google_cloud_run_service_iam_policy.mcp_auth will be created

  • resource "google_cloud_run_service_iam_policy" "mcp_auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      + "serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-mcp"
      }

Plan: 4 to add, 0 to change, 2 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

</details>
*Pusher: @o-ga09, Action: `pull_request`, Working Directory: ``, Workflow: `terraform`*

@github-actions

This comment has been minimized.

Sign in to view
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented May 30, 2025

Terraform Format and Style failure

Terraform Initialization ⚙️success

Terraform Validation success

Validation Output ```

Success! The configuration is valid.

</details>
#### Terraform Plan `success`
<details><summary>Show Plan</summary>

terraform
data.google_iam_policy.auth: Reading...
google_project_service.enable_api["serviceusage.googleapis.com"]: Refreshing state... [id=mh-api-389212/serviceusage.googleapis.com]
google_project_service.enable_api["iam.googleapis.com"]: Refreshing state... [id=mh-api-389212/iam.googleapis.com]
google_project_service.enable_api["artifactregistry.googleapis.com"]: Refreshing state... [id=mh-api-389212/artifactregistry.googleapis.com]
google_project_service.enable_api["iamcredentials.googleapis.com"]: Refreshing state... [id=mh-api-389212/iamcredentials.googleapis.com]
google_project_iam_member.cloud_run_trace_agent: Refreshing state... [id=mh-api-389212/roles/cloudtrace.agent/serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com]
google_project_service.enable_api["run.googleapis.com"]: Refreshing state... [id=mh-api-389212/run.googleapis.com]
google_project_service.enable_api["logging.googleapis.com"]: Refreshing state... [id=mh-api-389212/logging.googleapis.com]
data.google_iam_policy.auth: Read complete after 0s [id=3450855414]
google_project_service.enable_api["cloudresourcemanager.googleapis.com"]: Refreshing state... [id=mh-api-389212/cloudresourcemanager.googleapis.com]
google_cloud_run_service.stg-mh-mcp: Refreshing state... [id=locations/asia-northeast1/namespaces/mh-api-389212/services/stg-mh-mcp]
data.google_iam_policy.mcp_auth: Reading...
data.google_iam_policy.mcp_auth: Read complete after 0s [id=2054599854]
google_project_iam_member.logging_writer: Refreshing state... [id=mh-api-389212/roles/logging.logWriter/serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com]
google_project_iam_member.service_account_user: Refreshing state... [id=mh-api-389212/roles/iam.serviceAccountUser/serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com]
data.google_service_account.terraform_sa: Reading...
data.google_service_account.terraform_sa: Read complete after 0s [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com]
google_cloud_run_service.stg-mh-api: Refreshing state... [id=locations/asia-northeast1/namespaces/mh-api-389212/services/stg-mh-api]
google_iam_workload_identity_pool.terraform-pool: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool]
google_service_account_iam_member.terraform_sa: Refreshing state... [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/650836814988/locations/global/workloadIdentityPools/terraform-pool/attribute.repository/o-ga09/MH-API]
google_iam_workload_identity_pool_provider.terraform-provider: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool/providers/terraform-provider]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:

  • create
    -/+ destroy and then create replacement

Terraform will perform the following actions:

google_cloud_run_service.stg-mh-api is tainted, so must be replaced

-/+ resource "google_cloud_run_service" "stg-mh-api" {
~ id = "locations/asia-northeast1/namespaces/mh-api-389212/services/stg-mh-api" -> (known after apply)
name = "stg-mh-api"
~ status = [
- {
- conditions = [
- {
- message = "Revision 'stg-mh-api-00001-sxt' is not ready and cannot serve traffic. Image 'asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-api:ddb1fe8a5a3062e97621f24a93ffa9afbe4284d3' not found."
- reason = "RevisionFailed"
- status = "False"
- type = "Ready"
},
- {
- message = "Image 'asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-api:ddb1fe8a5a3062e97621f24a93ffa9afbe4284d3' not found."
- status = "True"
- type = "ConfigurationsReady"
# (1 unchanged attribute hidden)
},
- {
- message = "Revision 'stg-mh-api-00001-sxt' is not ready and cannot serve traffic. Image 'asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-api:ddb1fe8a5a3062e97621f24a93ffa9afbe4284d3' not found."
- reason = "RevisionFailed"
- status = "False"
- type = "RoutesReady"
},
]
- latest_created_revision_name = "stg-mh-api-00001-sxt"
- observed_generation = 1
- traffic = []
# (2 unchanged attributes hidden)
},
] -> (known after apply)
# (3 unchanged attributes hidden)

  ~ metadata (known after apply)
  - metadata {
      - annotations           = {} -> null
      - effective_annotations = {
          - "run.googleapis.com/ingress"        = "all"
          - "run.googleapis.com/ingress-status" = "all"
          - "run.googleapis.com/operation-id"   = "018871a1-9c89-4883-baba-f4a6898ea714"
          - "run.googleapis.com/urls"           = jsonencode(
                [
                  - "https://stg-mh-api-650836814988.asia-northeast1.run.app",
                ]
            )
          - "serving.knative.dev/creator"       = "terraform@mh-api-389212.iam.gserviceaccount.com"
          - "serving.knative.dev/lastModifier"  = "terraform@mh-api-389212.iam.gserviceaccount.com"
        } -> null
      - effective_labels      = {
          - "cloud.googleapis.com/location" = "asia-northeast1"
        } -> null
      - generation            = 1 -> null
      - labels                = {} -> null
      - namespace             = "mh-api-389212" -> null
      - resource_version      = "AAY2XNTie34" -> null
      - self_link             = "/apis/serving.knative.dev/v1/namespaces/650836814988/services/stg-mh-api" -> null
      - terraform_labels      = {} -> null
      - uid                   = "7566a445-1416-4d37-b2a3-8baf5de87cc8" -> null
    }

  ~ template {
      ~ metadata {
          ~ generation       = 0 -> (known after apply)
          ~ labels           = {
              - "run.googleapis.com/startupProbeType" = "Default"
            } -> (known after apply)
          + name             = (known after apply)
          + namespace        = (known after apply)
          + resource_version = (known after apply)
          + self_link        = (known after apply)
          + uid              = (known after apply)
            # (1 unchanged attribute hidden)
        }
      ~ spec {
          - node_selector         = {} -> null
          + serving_state         = (known after apply)
          ~ timeout_seconds       = 300 -> (known after apply)
            # (2 unchanged attributes hidden)

          ~ containers {
              - args        = [] -> null
              - command     = [] -> null
              ~ image       = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-api:ddb1fe8a5a3062e97621f24a93ffa9afbe4284d3" -> "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api/mh-api:73add2df6156219aa56e97b1d216b089e893bacc"
              + name        = (known after apply)
                # (1 unchanged attribute hidden)

              ~ resources (known after apply)
              - resources {
                  - limits   = {
                      - "cpu"    = "1000m"
                      - "memory" = "512Mi"
                    } -> null
                  - requests = {} -> null
                }

                # (9 unchanged blocks hidden)
            }
        }
    }

  ~ traffic {
      + url             = (known after apply)
        # (4 unchanged attributes hidden)
    }
}

google_cloud_run_service.stg-mh-mcp is tainted, so must be replaced

-/+ resource "google_cloud_run_service" "stg-mh-mcp" {
~ id = "locations/asia-northeast1/namespaces/mh-api-389212/services/stg-mh-mcp" -> (known after apply)
name = "stg-mh-mcp"
~ status = [
- {
- conditions = [
- {
- message = "Revision 'stg-mh-mcp-00001-4ds' is not ready and cannot serve traffic. Image 'asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-mcp:ddb1fe8a5a3062e97621f24a93ffa9afbe4284d3' not found."
- reason = "RevisionFailed"
- status = "False"
- type = "Ready"
},
- {
- message = "Image 'asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-mcp:ddb1fe8a5a3062e97621f24a93ffa9afbe4284d3' not found."
- status = "True"
- type = "ConfigurationsReady"
# (1 unchanged attribute hidden)
},
- {
- message = "Revision 'stg-mh-mcp-00001-4ds' is not ready and cannot serve traffic. Image 'asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-mcp:ddb1fe8a5a3062e97621f24a93ffa9afbe4284d3' not found."
- reason = "RevisionFailed"
- status = "False"
- type = "RoutesReady"
},
]
- latest_created_revision_name = "stg-mh-mcp-00001-4ds"
- observed_generation = 1
- traffic = []
# (2 unchanged attributes hidden)
},
] -> (known after apply)
# (3 unchanged attributes hidden)

  ~ metadata (known after apply)
  - metadata {
      - annotations           = {} -> null
      - effective_annotations = {
          - "run.googleapis.com/ingress"        = "all"
          - "run.googleapis.com/ingress-status" = "all"
          - "run.googleapis.com/operation-id"   = "c3f5bfa9-7c56-4552-b190-1b55a29b1e30"
          - "run.googleapis.com/urls"           = jsonencode(
                [
                  - "https://stg-mh-mcp-650836814988.asia-northeast1.run.app",
                ]
            )
          - "serving.knative.dev/creator"       = "terraform@mh-api-389212.iam.gserviceaccount.com"
          - "serving.knative.dev/lastModifier"  = "terraform@mh-api-389212.iam.gserviceaccount.com"
        } -> null
      - effective_labels      = {
          - "cloud.googleapis.com/location" = "asia-northeast1"
        } -> null
      - generation            = 1 -> null
      - labels                = {} -> null
      - namespace             = "mh-api-389212" -> null
      - resource_version      = "AAY2XNUNxK8" -> null
      - self_link             = "/apis/serving.knative.dev/v1/namespaces/650836814988/services/stg-mh-mcp" -> null
      - terraform_labels      = {} -> null
      - uid                   = "73fa01f4-f2b1-4acb-96b3-35ba4392c362" -> null
    }

  ~ template {
      ~ metadata {
          ~ generation       = 0 -> (known after apply)
          ~ labels           = {
              - "run.googleapis.com/startupProbeType" = "Default"
            } -> (known after apply)
          + name             = (known after apply)
          + namespace        = (known after apply)
          + resource_version = (known after apply)
          + self_link        = (known after apply)
          + uid              = (known after apply)
            # (1 unchanged attribute hidden)
        }
      ~ spec {
          - node_selector         = {} -> null
          + serving_state         = (known after apply)
          ~ timeout_seconds       = 300 -> (known after apply)
            # (2 unchanged attributes hidden)

          ~ containers {
              - args        = [] -> null
              - command     = [] -> null
              ~ image       = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api-389212/mh-mcp:ddb1fe8a5a3062e97621f24a93ffa9afbe4284d3" -> "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api/mh-mcp:73add2df6156219aa56e97b1d216b089e893bacc"
              + name        = (known after apply)
                # (1 unchanged attribute hidden)

              ~ resources (known after apply)
              - resources {
                  - limits   = {
                      - "cpu"    = "1000m"
                      - "memory" = "512Mi"
                    } -> null
                  - requests = {} -> null
                }

                # (9 unchanged blocks hidden)
            }
        }
    }

  ~ traffic {
      + url             = (known after apply)
        # (4 unchanged attributes hidden)
    }
}

google_cloud_run_service_iam_policy.auth will be created

  • resource "google_cloud_run_service_iam_policy" "auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-api"
      }

google_cloud_run_service_iam_policy.mcp_auth will be created

  • resource "google_cloud_run_service_iam_policy" "mcp_auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      + "serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-mcp"
      }

Plan: 4 to add, 0 to change, 2 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

</details>
*Pusher: @o-ga09, Action: `pull_request`, Working Directory: ``, Workflow: `terraform`*

@github-actions

This comment has been minimized.

Sign in to view
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented May 30, 2025

Terraform Format and Style failure

Terraform Initialization ⚙️success

Terraform Validation success

Validation Output ```

Success! The configuration is valid.

</details>
#### Terraform Plan `success`
<details><summary>Show Plan</summary>

terraform
google_project_service.enable_api["logging.googleapis.com"]: Refreshing state... [id=mh-api-389212/logging.googleapis.com]
data.google_iam_policy.mcp_auth: Reading...
google_project_iam_member.logging_writer: Refreshing state... [id=mh-api-389212/roles/logging.logWriter/serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com]
google_project_service.enable_api["run.googleapis.com"]: Refreshing state... [id=mh-api-389212/run.googleapis.com]
data.google_service_account.terraform_sa: Reading...
data.google_iam_policy.auth: Reading...
google_project_service.enable_api["iam.googleapis.com"]: Refreshing state... [id=mh-api-389212/iam.googleapis.com]
data.google_iam_policy.mcp_auth: Read complete after 0s [id=2054599854]
data.google_iam_policy.auth: Read complete after 0s [id=3450855414]
google_project_service.enable_api["serviceusage.googleapis.com"]: Refreshing state... [id=mh-api-389212/serviceusage.googleapis.com]
google_project_service.enable_api["cloudresourcemanager.googleapis.com"]: Refreshing state... [id=mh-api-389212/cloudresourcemanager.googleapis.com]
google_project_service.enable_api["artifactregistry.googleapis.com"]: Refreshing state... [id=mh-api-389212/artifactregistry.googleapis.com]
google_cloud_run_service.stg-mh-mcp: Refreshing state... [id=locations/asia-northeast1/namespaces/mh-api-389212/services/stg-mh-mcp]
google_project_service.enable_api["iamcredentials.googleapis.com"]: Refreshing state... [id=mh-api-389212/iamcredentials.googleapis.com]
data.google_service_account.terraform_sa: Read complete after 1s [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com]
google_project_iam_member.cloud_run_trace_agent: Refreshing state... [id=mh-api-389212/roles/cloudtrace.agent/serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com]
google_cloud_run_service.stg-mh-api: Refreshing state... [id=locations/asia-northeast1/namespaces/mh-api-389212/services/stg-mh-api]
google_project_iam_member.service_account_user: Refreshing state... [id=mh-api-389212/roles/iam.serviceAccountUser/serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com]
google_iam_workload_identity_pool.terraform-pool: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool]
google_iam_workload_identity_pool_provider.terraform-provider: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool/providers/terraform-provider]
google_service_account_iam_member.terraform_sa: Refreshing state... [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/650836814988/locations/global/workloadIdentityPools/terraform-pool/attribute.repository/o-ga09/MH-API]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:

  • create
    -/+ destroy and then create replacement

Terraform will perform the following actions:

google_cloud_run_service.stg-mh-api is tainted, so must be replaced

-/+ resource "google_cloud_run_service" "stg-mh-api" {
~ id = "locations/asia-northeast1/namespaces/mh-api-389212/services/stg-mh-api" -> (known after apply)
name = "stg-mh-api"
~ status = [
- {
- conditions = [
- {
- message = <<-EOT
Revision 'stg-mh-api-00001-lhf' is not ready and cannot serve traffic. spec.template.spec.containers[0].env[3].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/DATABASE_URL/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
spec.template.spec.containers[0].env[5].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/SENTRY_DSN/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
EOT
- reason = "SecretsAccessCheckFailed"
- status = "False"
- type = "Ready"
},
- {
- message = <<-EOT
spec.template.spec.containers[0].env[3].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/DATABASE_URL/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
spec.template.spec.containers[0].env[5].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/SENTRY_DSN/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
EOT
- status = "True"
- type = "ConfigurationsReady"
# (1 unchanged attribute hidden)
},
- {
- message = <<-EOT
Revision 'stg-mh-api-00001-lhf' is not ready and cannot serve traffic. spec.template.spec.containers[0].env[3].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/DATABASE_URL/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
spec.template.spec.containers[0].env[5].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/SENTRY_DSN/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
EOT
- reason = "SecretsAccessCheckFailed"
- status = "False"
- type = "RoutesReady"
},
]
- latest_created_revision_name = "stg-mh-api-00001-lhf"
- observed_generation = 1
- traffic = []
# (2 unchanged attributes hidden)
},
] -> (known after apply)
# (3 unchanged attributes hidden)

  ~ metadata (known after apply)
  - metadata {
      - annotations           = {} -> null
      - effective_annotations = {
          - "run.googleapis.com/ingress"        = "all"
          - "run.googleapis.com/ingress-status" = "all"
          - "run.googleapis.com/operation-id"   = "fb6265c7-0a1e-4056-be4d-8251b283da79"
          - "run.googleapis.com/urls"           = jsonencode(
                [
                  - "https://stg-mh-api-650836814988.asia-northeast1.run.app",
                ]
            )
          - "serving.knative.dev/creator"       = "terraform@mh-api-389212.iam.gserviceaccount.com"
          - "serving.knative.dev/lastModifier"  = "terraform@mh-api-389212.iam.gserviceaccount.com"
        } -> null
      - effective_labels      = {
          - "cloud.googleapis.com/location" = "asia-northeast1"
        } -> null
      - generation            = 1 -> null
      - labels                = {} -> null
      - namespace             = "mh-api-389212" -> null
      - resource_version      = "AAY2XPRKq7U" -> null
      - self_link             = "/apis/serving.knative.dev/v1/namespaces/650836814988/services/stg-mh-api" -> null
      - terraform_labels      = {} -> null
      - uid                   = "46259725-a887-43aa-8622-1c93d7f126f0" -> null
    }

  ~ template {
      ~ metadata {
          ~ generation       = 0 -> (known after apply)
          ~ labels           = {
              - "run.googleapis.com/startupProbeType" = "Default"
            } -> (known after apply)
          + name             = (known after apply)
          + namespace        = (known after apply)
          + resource_version = (known after apply)
          + self_link        = (known after apply)
          + uid              = (known after apply)
            # (1 unchanged attribute hidden)
        }
      ~ spec {
          - node_selector         = {} -> null
          + serving_state         = (known after apply)
          ~ timeout_seconds       = 300 -> (known after apply)
            # (2 unchanged attributes hidden)

          ~ containers {
              - args        = [] -> null
              - command     = [] -> null
              ~ image       = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api/mh-api:2db39d0a958497b98d42177b826d2cbb32330b65" -> "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api/mh-api:d9aad7e9405983e4f8980910c8a09029abfa09e6"
              + name        = (known after apply)
                # (1 unchanged attribute hidden)

              ~ resources (known after apply)
              - resources {
                  - limits   = {
                      - "cpu"    = "1000m"
                      - "memory" = "512Mi"
                    } -> null
                  - requests = {} -> null
                }

                # (9 unchanged blocks hidden)
            }
        }
    }

  ~ traffic {
      + url             = (known after apply)
        # (4 unchanged attributes hidden)
    }
}

google_cloud_run_service.stg-mh-mcp is tainted, so must be replaced

-/+ resource "google_cloud_run_service" "stg-mh-mcp" {
~ id = "locations/asia-northeast1/namespaces/mh-api-389212/services/stg-mh-mcp" -> (known after apply)
name = "stg-mh-mcp"
~ status = [
- {
- conditions = [
- {
- message = <<-EOT
Revision 'stg-mh-mcp-00001-xh9' is not ready and cannot serve traffic. spec.template.spec.containers[0].env[2].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/DATABASE_URL/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
spec.template.spec.containers[0].env[4].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/SENTRY_DSN/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
EOT
- reason = "SecretsAccessCheckFailed"
- status = "False"
- type = "Ready"
},
- {
- message = <<-EOT
spec.template.spec.containers[0].env[2].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/DATABASE_URL/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
spec.template.spec.containers[0].env[4].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/SENTRY_DSN/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
EOT
- status = "True"
- type = "ConfigurationsReady"
# (1 unchanged attribute hidden)
},
- {
- message = <<-EOT
Revision 'stg-mh-mcp-00001-xh9' is not ready and cannot serve traffic. spec.template.spec.containers[0].env[2].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/DATABASE_URL/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
spec.template.spec.containers[0].env[4].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/SENTRY_DSN/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
EOT
- reason = "SecretsAccessCheckFailed"
- status = "False"
- type = "RoutesReady"
},
]
- latest_created_revision_name = "stg-mh-mcp-00001-xh9"
- observed_generation = 1
- traffic = []
# (2 unchanged attributes hidden)
},
] -> (known after apply)
# (3 unchanged attributes hidden)

  ~ metadata (known after apply)
  - metadata {
      - annotations           = {} -> null
      - effective_annotations = {
          - "run.googleapis.com/ingress"        = "all"
          - "run.googleapis.com/ingress-status" = "all"
          - "run.googleapis.com/operation-id"   = "94750a6d-f3f9-4aa8-aa36-aff054bc3e77"
          - "run.googleapis.com/urls"           = jsonencode(
                [
                  - "https://stg-mh-mcp-650836814988.asia-northeast1.run.app",
                ]
            )
          - "serving.knative.dev/creator"       = "terraform@mh-api-389212.iam.gserviceaccount.com"
          - "serving.knative.dev/lastModifier"  = "terraform@mh-api-389212.iam.gserviceaccount.com"
        } -> null
      - effective_labels      = {
          - "cloud.googleapis.com/location" = "asia-northeast1"
        } -> null
      - generation            = 1 -> null
      - labels                = {} -> null
      - namespace             = "mh-api-389212" -> null
      - resource_version      = "AAY2XPRGD4o" -> null
      - self_link             = "/apis/serving.knative.dev/v1/namespaces/650836814988/services/stg-mh-mcp" -> null
      - terraform_labels      = {} -> null
      - uid                   = "5d07f421-12b1-4259-8f3e-1be5ed324da1" -> null
    }

  ~ template {
      ~ metadata {
          ~ generation       = 0 -> (known after apply)
          ~ labels           = {
              - "run.googleapis.com/startupProbeType" = "Default"
            } -> (known after apply)
          + name             = (known after apply)
          + namespace        = (known after apply)
          + resource_version = (known after apply)
          + self_link        = (known after apply)
          + uid              = (known after apply)
            # (1 unchanged attribute hidden)
        }
      ~ spec {
          - node_selector         = {} -> null
          + serving_state         = (known after apply)
          ~ timeout_seconds       = 300 -> (known after apply)
            # (2 unchanged attributes hidden)

          ~ containers {
              - args        = [] -> null
              - command     = [] -> null
              ~ image       = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api/mh-mcp:2db39d0a958497b98d42177b826d2cbb32330b65" -> "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api/mh-mcp:d9aad7e9405983e4f8980910c8a09029abfa09e6"
              + name        = (known after apply)
                # (1 unchanged attribute hidden)

              ~ resources (known after apply)
              - resources {
                  - limits   = {
                      - "cpu"    = "1000m"
                      - "memory" = "512Mi"
                    } -> null
                  - requests = {} -> null
                }

                # (9 unchanged blocks hidden)
            }
        }
    }

  ~ traffic {
      + url             = (known after apply)
        # (4 unchanged attributes hidden)
    }
}

google_cloud_run_service_iam_policy.auth will be created

  • resource "google_cloud_run_service_iam_policy" "auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-api"
      }

google_cloud_run_service_iam_policy.mcp_auth will be created

  • resource "google_cloud_run_service_iam_policy" "mcp_auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      + "serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-mcp"
      }

google_project_service.enable_api["secretmanager.googleapis.com"] will be created

  • resource "google_project_service" "enable_api" {
    • disable_dependent_services = true
    • disable_on_destroy = true
    • id = (known after apply)
    • project = "mh-api-389212"
    • service = "secretmanager.googleapis.com"
      }

Plan: 5 to add, 0 to change, 2 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

</details>
*Pusher: @o-ga09, Action: `pull_request`, Working Directory: ``, Workflow: `terraform`*

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented May 30, 2025

Code Metrics Report

Coverage Code to Test Ratio Test Execution Time
31.8% 1:0.4 58s

Code coverage of files in pull request scope (0.0%)

Files Coverage
cmd/mcp/main.go 0.0%

Reported by octocov

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented May 30, 2025

Terraform Format and Style failure

Terraform Initialization ⚙️success

Terraform Validation success

Validation Output ```

Success! The configuration is valid.

</details>
#### Terraform Plan `success`
<details><summary>Show Plan</summary>

terraform
google_project_service.enable_api["serviceusage.googleapis.com"]: Refreshing state... [id=mh-api-389212/serviceusage.googleapis.com]
google_project_service.enable_api["run.googleapis.com"]: Refreshing state... [id=mh-api-389212/run.googleapis.com]
google_project_iam_member.cloud_run_trace_agent: Refreshing state... [id=mh-api-389212/roles/cloudtrace.agent/serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com]
data.google_iam_policy.auth: Reading...
google_project_iam_member.service_account_user: Refreshing state... [id=mh-api-389212/roles/iam.serviceAccountUser/serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com]
google_project_service.enable_api["secretmanager.googleapis.com"]: Refreshing state... [id=mh-api-389212/secretmanager.googleapis.com]
google_project_iam_member.logging_writer: Refreshing state... [id=mh-api-389212/roles/logging.logWriter/serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com]
data.google_iam_policy.auth: Read complete after 0s [id=3450855414]
google_project_service.enable_api["cloudresourcemanager.googleapis.com"]: Refreshing state... [id=mh-api-389212/cloudresourcemanager.googleapis.com]
google_project_service.enable_api["artifactregistry.googleapis.com"]: Refreshing state... [id=mh-api-389212/artifactregistry.googleapis.com]
google_cloud_run_service.stg-mh-mcp: Refreshing state... [id=locations/asia-northeast1/namespaces/mh-api-389212/services/stg-mh-mcp]
google_project_service.enable_api["iam.googleapis.com"]: Refreshing state... [id=mh-api-389212/iam.googleapis.com]
google_project_service.enable_api["iamcredentials.googleapis.com"]: Refreshing state... [id=mh-api-389212/iamcredentials.googleapis.com]
data.google_service_account.terraform_sa: Reading...
data.google_iam_policy.mcp_auth: Reading...
data.google_iam_policy.mcp_auth: Read complete after 0s [id=2054599854]
google_cloud_run_service.stg-mh-api: Refreshing state... [id=locations/asia-northeast1/namespaces/mh-api-389212/services/stg-mh-api]
data.google_service_account.terraform_sa: Read complete after 0s [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com]
google_project_service.enable_api["logging.googleapis.com"]: Refreshing state... [id=mh-api-389212/logging.googleapis.com]
google_iam_workload_identity_pool.terraform-pool: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool]
google_iam_workload_identity_pool_provider.terraform-provider: Refreshing state... [id=projects/mh-api-389212/locations/global/workloadIdentityPools/terraform-pool/providers/terraform-provider]
google_service_account_iam_member.terraform_sa: Refreshing state... [id=projects/mh-api-389212/serviceAccounts/terraform@mh-api-389212.iam.gserviceaccount.com/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/650836814988/locations/global/workloadIdentityPools/terraform-pool/attribute.repository/o-ga09/MH-API]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:

  • create
    -/+ destroy and then create replacement

Terraform will perform the following actions:

google_cloud_run_service.stg-mh-api is tainted, so must be replaced

-/+ resource "google_cloud_run_service" "stg-mh-api" {
~ id = "locations/asia-northeast1/namespaces/mh-api-389212/services/stg-mh-api" -> (known after apply)
name = "stg-mh-api"
~ status = [
- {
- conditions = [
- {
- message = <<-EOT
Revision 'stg-mh-api-00001-246' is not ready and cannot serve traffic. spec.template.spec.containers[0].env[3].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/DATABASE_URL/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
spec.template.spec.containers[0].env[5].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/SENTRY_DSN/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
EOT
- reason = "SecretsAccessCheckFailed"
- status = "False"
- type = "Ready"
},
- {
- message = <<-EOT
spec.template.spec.containers[0].env[3].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/DATABASE_URL/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
spec.template.spec.containers[0].env[5].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/SENTRY_DSN/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
EOT
- status = "True"
- type = "ConfigurationsReady"
# (1 unchanged attribute hidden)
},
- {
- message = <<-EOT
Revision 'stg-mh-api-00001-246' is not ready and cannot serve traffic. spec.template.spec.containers[0].env[3].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/DATABASE_URL/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
spec.template.spec.containers[0].env[5].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/SENTRY_DSN/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
EOT
- reason = "SecretsAccessCheckFailed"
- status = "False"
- type = "RoutesReady"
},
]
- latest_created_revision_name = "stg-mh-api-00001-246"
- observed_generation = 1
- traffic = []
# (2 unchanged attributes hidden)
},
] -> (known after apply)
# (3 unchanged attributes hidden)

  ~ metadata (known after apply)
  - metadata {
      - annotations           = {} -> null
      - effective_annotations = {
          - "run.googleapis.com/ingress"        = "all"
          - "run.googleapis.com/ingress-status" = "all"
          - "run.googleapis.com/operation-id"   = "a7735280-1fad-4d62-9e10-435da09db588"
          - "run.googleapis.com/urls"           = jsonencode(
                [
                  - "https://stg-mh-api-650836814988.asia-northeast1.run.app",
                ]
            )
          - "serving.knative.dev/creator"       = "terraform@mh-api-389212.iam.gserviceaccount.com"
          - "serving.knative.dev/lastModifier"  = "terraform@mh-api-389212.iam.gserviceaccount.com"
        } -> null
      - effective_labels      = {
          - "cloud.googleapis.com/location" = "asia-northeast1"
        } -> null
      - generation            = 1 -> null
      - labels                = {} -> null
      - namespace             = "mh-api-389212" -> null
      - resource_version      = "AAY2XSMoySk" -> null
      - self_link             = "/apis/serving.knative.dev/v1/namespaces/650836814988/services/stg-mh-api" -> null
      - terraform_labels      = {} -> null
      - uid                   = "e976db8c-5196-451d-9f5a-5bdea6e13c44" -> null
    }

  ~ template {
      ~ metadata {
          ~ generation       = 0 -> (known after apply)
          ~ labels           = {
              - "run.googleapis.com/startupProbeType" = "Default"
            } -> (known after apply)
          + name             = (known after apply)
          + namespace        = (known after apply)
          + resource_version = (known after apply)
          + self_link        = (known after apply)
          + uid              = (known after apply)
            # (1 unchanged attribute hidden)
        }
      ~ spec {
          - node_selector         = {} -> null
          + serving_state         = (known after apply)
          ~ timeout_seconds       = 300 -> (known after apply)
            # (2 unchanged attributes hidden)

          ~ containers {
              - args        = [] -> null
              - command     = [] -> null
              ~ image       = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api/mh-api:3ba0c19cb3951c5b4764294f3a0940004a0ac129" -> "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api/mh-api:18b91a21894566c62cae3f265204f357dcd77e17"
              + name        = (known after apply)
                # (1 unchanged attribute hidden)

              ~ resources (known after apply)
              - resources {
                  - limits   = {
                      - "cpu"    = "1000m"
                      - "memory" = "512Mi"
                    } -> null
                  - requests = {} -> null
                }

                # (9 unchanged blocks hidden)
            }
        }
    }

  ~ traffic {
      + url             = (known after apply)
        # (4 unchanged attributes hidden)
    }
}

google_cloud_run_service.stg-mh-mcp is tainted, so must be replaced

-/+ resource "google_cloud_run_service" "stg-mh-mcp" {
~ id = "locations/asia-northeast1/namespaces/mh-api-389212/services/stg-mh-mcp" -> (known after apply)
name = "stg-mh-mcp"
~ status = [
- {
- conditions = [
- {
- message = <<-EOT
Revision 'stg-mh-mcp-00001-hft' is not ready and cannot serve traffic. spec.template.spec.containers[0].env[2].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/DATABASE_URL/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
spec.template.spec.containers[0].env[4].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/SENTRY_DSN/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
EOT
- reason = "SecretsAccessCheckFailed"
- status = "False"
- type = "Ready"
},
- {
- message = <<-EOT
spec.template.spec.containers[0].env[2].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/DATABASE_URL/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
spec.template.spec.containers[0].env[4].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/SENTRY_DSN/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
EOT
- status = "True"
- type = "ConfigurationsReady"
# (1 unchanged attribute hidden)
},
- {
- message = <<-EOT
Revision 'stg-mh-mcp-00001-hft' is not ready and cannot serve traffic. spec.template.spec.containers[0].env[2].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/DATABASE_URL/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
spec.template.spec.containers[0].env[4].value_from.secret_key_ref.name: Permission denied on secret: projects/650836814988/secrets/SENTRY_DSN/versions/latest for Revision service account terraform@mh-api-389212.iam.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.
EOT
- reason = "SecretsAccessCheckFailed"
- status = "False"
- type = "RoutesReady"
},
]
- latest_created_revision_name = "stg-mh-mcp-00001-hft"
- observed_generation = 1
- traffic = []
# (2 unchanged attributes hidden)
},
] -> (known after apply)
# (3 unchanged attributes hidden)

  ~ metadata (known after apply)
  - metadata {
      - annotations           = {} -> null
      - effective_annotations = {
          - "run.googleapis.com/ingress"        = "all"
          - "run.googleapis.com/ingress-status" = "all"
          - "run.googleapis.com/operation-id"   = "512be5d9-fd00-4cb3-86d1-e7572ef27a2d"
          - "run.googleapis.com/urls"           = jsonencode(
                [
                  - "https://stg-mh-mcp-650836814988.asia-northeast1.run.app",
                ]
            )
          - "serving.knative.dev/creator"       = "terraform@mh-api-389212.iam.gserviceaccount.com"
          - "serving.knative.dev/lastModifier"  = "terraform@mh-api-389212.iam.gserviceaccount.com"
        } -> null
      - effective_labels      = {
          - "cloud.googleapis.com/location" = "asia-northeast1"
        } -> null
      - generation            = 1 -> null
      - labels                = {} -> null
      - namespace             = "mh-api-389212" -> null
      - resource_version      = "AAY2XSNzcDQ" -> null
      - self_link             = "/apis/serving.knative.dev/v1/namespaces/650836814988/services/stg-mh-mcp" -> null
      - terraform_labels      = {} -> null
      - uid                   = "7091c909-2b40-4557-894d-717757cef3a3" -> null
    }

  ~ template {
      ~ metadata {
          ~ generation       = 0 -> (known after apply)
          ~ labels           = {
              - "run.googleapis.com/startupProbeType" = "Default"
            } -> (known after apply)
          + name             = (known after apply)
          + namespace        = (known after apply)
          + resource_version = (known after apply)
          + self_link        = (known after apply)
          + uid              = (known after apply)
            # (1 unchanged attribute hidden)
        }
      ~ spec {
          - node_selector         = {} -> null
          + serving_state         = (known after apply)
          ~ timeout_seconds       = 300 -> (known after apply)
            # (2 unchanged attributes hidden)

          ~ containers {
              - args        = [] -> null
              - command     = [] -> null
              ~ image       = "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api/mh-mcp:3ba0c19cb3951c5b4764294f3a0940004a0ac129" -> "asia-northeast1-docker.pkg.dev/mh-api-389212/mh-api/mh-mcp:18b91a21894566c62cae3f265204f357dcd77e17"
              + name        = (known after apply)
                # (1 unchanged attribute hidden)

              ~ resources (known after apply)
              - resources {
                  - limits   = {
                      - "cpu"    = "1000m"
                      - "memory" = "512Mi"
                    } -> null
                  - requests = {} -> null
                }

                # (9 unchanged blocks hidden)
            }
        }
    }

  ~ traffic {
      + url             = (known after apply)
        # (4 unchanged attributes hidden)
    }
}

google_cloud_run_service_iam_policy.auth will be created

  • resource "google_cloud_run_service_iam_policy" "auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-api"
      }

google_cloud_run_service_iam_policy.mcp_auth will be created

  • resource "google_cloud_run_service_iam_policy" "mcp_auth" {
    • etag = (known after apply)
    • id = (known after apply)
    • location = "asia-northeast1"
    • policy_data = jsonencode(
      {
      + bindings = [
      + {
      + members = [
      + "allUsers",
      + "serviceAccount:terraform@mh-api-389212.iam.gserviceaccount.com",
      ]
      + role = "roles/run.invoker"
      },
      ]
      }
      )
    • project = "mh-api-389212"
    • service = "stg-mh-mcp"
      }

google_project_iam_member.secret_manager_secret_accessor will be created

  • resource "google_project_iam_member" "secret_manager_secret_accessor" {

Plan: 5 to add, 0 to change, 2 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

</details>
*Pusher: @o-ga09, Action: `pull_request`, Working Directory: ``, Workflow: `terraform`*

@o-ga09 o-ga09 merged commit 8be1c73 into main May 30, 2025
6 checks passed
@o-ga09 o-ga09 deleted the claude/issue-131-20250529_124751 branch May 30, 2025 17:01
@github-actions github-actions bot mentioned this pull request Apr 8, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

モンハンAPIのMCPサーバーを実装する

2 participants

@o-ga09