diff --git a/metadata.yaml b/metadata.yaml index c8f61524..feacbdca 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -321,13 +321,13 @@ spec: roles: - level: Project roles: - - roles/artifactregistry.admin - - roles/iam.serviceAccountUser - - roles/serviceusage.serviceUsageViewer - roles/cloudkms.admin - roles/resourcemanager.projectIamAdmin - roles/run.admin - roles/iam.serviceAccountAdmin + - roles/artifactregistry.admin + - roles/iam.serviceAccountUser + - roles/serviceusage.serviceUsageViewer services: - accesscontextmanager.googleapis.com - cloudbilling.googleapis.com diff --git a/modules/job-exec/README.md b/modules/job-exec/README.md index 8c703254..96ae75d4 100644 --- a/modules/job-exec/README.md +++ b/modules/job-exec/README.md @@ -54,8 +54,8 @@ Functional examples are included in the | task\_count | Specifies the desired number of tasks the execution should run. | `number` | `null` | no | | timeout | Max allowed time duration the Task may be active before the system will actively try to mark it failed and kill associated containers. | `string` | `"600s"` | no | | volume\_mounts | Volume to mount into the container's filesystem. |
list(object({
name = string
mount_path = string
}))
| `[]` | no | -| volumes | A list of Volumes to make available to containers. |
list(object({
name = string
cloud_sql_instance = optional(object({
instances = set(string)
}))
gcs = optional(object({
bucket = string
read_only = optional(bool)
mount_options = optional(list(string))
}))
}))
| `[]` | no | -| vpc\_access | VPC Access configuration to use for this Task. |
list(object({
connector = string
egress = string
}))
| `[]` | no | +| volumes | Volumes needed for environment variables (when using secret) |
list(object({
name = string
secret = optional(object({
secret = string
default_mode = optional(string)
items = optional(object({
path = string
version = optional(string)
mode = optional(string)
}))
}))
cloud_sql_instance = optional(object({
instances = set(string)
}))
empty_dir = optional(object({
medium = optional(string)
size_limit = optional(string)
}))
gcs = optional(object({
bucket = string
read_only = optional(bool)
mount_options = optional(list(string))
}))
nfs = optional(object({
server = string
path = string
read_only = optional(string)
}))
}))
| `[]` | no | +| vpc\_access | Configure this to enable your service to send traffic to a Virtual Private Cloud. Set egress to ALL\_TRAFFIC or PRIVATE\_RANGES\_ONLY. Choose a connector or network\_interfaces (for direct VPC egress). For details: https://cloud.google.com/run/docs/configuring/connecting-vpc |
object({
connector = optional(string)
egress = optional(string)
network_interfaces = optional(object({
network = optional(string)
subnetwork = optional(string)
tags = optional(list(string))
}))
})
| `null` | no | ## Outputs diff --git a/modules/job-exec/main.tf b/modules/job-exec/main.tf index 8f9f05b6..41f74f72 100644 --- a/modules/job-exec/main.tf +++ b/modules/job-exec/main.tf 
@@ -80,28 +80,61 @@ resource "google_cloud_run_v2_job" "job" { content { name = volumes.value["name"] - dynamic "cloud_sql_instance" { - for_each = volumes.value.cloud_sql_instance != null && try(volumes.value.cloud_sql_instance.instances, null) != null ? [volumes.value.cloud_sql_instance.instances] : [] + dynamic "secret" { + for_each = volumes.value.secret[*] content { - instances = try(volumes.value.cloud_sql_instance.instances, []) + secret = secret.value["secret"] + items { + path = secret.value.items["path"] + version = secret.value.items["version"] + mode = secret.value.items["mode"] + } } } + dynamic "cloud_sql_instance" { + for_each = volumes.value.cloud_sql_instance[*] + content { + instances = cloud_sql_instance.value["instances"] + } + } + dynamic "empty_dir" { + for_each = volumes.value.empty_dir[*] + content { + medium = empty_dir.value["medium"] + size_limit = empty_dir.value["size_limit"] + } + } dynamic "gcs" { - for_each = volumes.value.gcs != null && try(volumes.value.gcs.bucket, null) != null ? [volumes.value.gcs.bucket] : [] + for_each = volumes.value.gcs[*] + content { + bucket = gcs.value["bucket"] + read_only = gcs.value["read_only"] + } + } + dynamic "nfs" { + for_each = volumes.value.nfs[*] content { - bucket = volumes.value.gcs.bucket - read_only = volumes.value.gcs.read_only + server = nfs.value["server"] + path = nfs.value["path"] + read_only = nfs.value["read_only"] } } } } - dynamic "vpc_access" { - for_each = var.vpc_access + for_each = var.vpc_access[*] content { - connector = vpc_access.value["connector"] - egress = vpc_access.value["egress"] + connector = vpc_access.value.connector + egress = vpc_access.value.egress + dynamic "network_interfaces" { + for_each = vpc_access.value.network_interfaces[*] + content { + network = network_interfaces.value.network + subnetwork = network_interfaces.value.subnetwork + tags = network_interfaces.value.tags + } + } } } } 
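Review bot: The `items` block inside the new `dynamic "secret"` is emitted unconditionally, but `items` is declared `optional(object({...}))` in variables.tf, so a caller who mounts a secret without `items` gets a plan-time error from indexing a null value at `secret.value.items["path"]`; it should be a nested `dynamic "items"` driven by `secret.value.items[*]`. `default_mode` on the secret volume and `mount_options` on the gcs volume are accepted by the variable type but never forwarded in this hunk, so a caller who sets them (for example to tighten the file mode of a mounted secret) silently gets the provider default — either forward them or drop them from the type, and if the provider version pinned by the module does not support one of them, dropping it from the type is the safer choice. The enclosing `google_cloud_run_v2_job` resource starts before the hunk.
```hcl
          dynamic "secret" {
            for_each = volumes.value.secret[*]
            content {
              secret       = secret.value["secret"]
              default_mode = secret.value["default_mode"]
              dynamic "items" {
                for_each = secret.value.items[*]
                content {
                  path    = items.value["path"]
                  version = items.value["version"]
                  mode    = items.value["mode"]
                }
              }
            }
          }
          # … unchanged: cloud_sql_instance and empty_dir blocks …
          dynamic "gcs" {
            for_each = volumes.value.gcs[*]
            content {
              bucket        = gcs.value["bucket"]
              read_only     = gcs.value["read_only"]
              mount_options = gcs.value["mount_options"]
            }
          }
          # … unchanged: nfs block and vpc_access block …
```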
diff --git a/modules/job-exec/metadata.yaml b/modules/job-exec/metadata.yaml index ee852d67..dcfbcbce 100644 --- a/modules/job-exec/metadata.yaml +++ b/modules/job-exec/metadata.yaml @@ -125,18 +125,36 @@ spec: description: Specifies the desired number of tasks the execution should run. varType: number - name: volumes - description: A list of Volumes to make available to containers. + description: Volumes needed for environment variables (when using secret) varType: |- list(object({ name = string + secret = optional(object({ + secret = string + default_mode = optional(string) + items = optional(object({ + path = string + version = optional(string) + mode = optional(string) + })) + })) cloud_sql_instance = optional(object({ instances = set(string) })) + empty_dir = optional(object({ + medium = optional(string) + size_limit = optional(string) + })) gcs = optional(object({ bucket = string read_only = optional(bool) mount_options = optional(list(string)) })) + nfs = optional(object({ + server = string + path = string + read_only = optional(string) + })) })) defaultValue: [] - name: volume_mounts @@ -148,13 +166,17 @@ spec: })) defaultValue: [] - name: vpc_access - description: VPC Access configuration to use for this Task. + description: "Configure this to enable your service to send traffic to a Virtual Private Cloud. Set egress to ALL_TRAFFIC or PRIVATE_RANGES_ONLY. Choose a connector or network_interfaces (for direct VPC egress). For details: https://cloud.google.com/run/docs/configuring/connecting-vpc" varType: |- - list(object({ - connector = string - egress = string - })) - defaultValue: [] + object({ + connector = optional(string) + egress = optional(string) + network_interfaces = optional(object({ + network = optional(string) + subnetwork = optional(string) + tags = optional(list(string)) + })) + }) - name: limits description: Resource limits to the container varType: |- 
@@ -177,13 +199,13 @@ spec: roles: - level: Project roles: + - roles/iam.serviceAccountUser + - roles/serviceusage.serviceUsageViewer + - roles/cloudkms.admin - roles/resourcemanager.projectIamAdmin - roles/run.admin - roles/iam.serviceAccountAdmin - roles/artifactregistry.admin - - roles/iam.serviceAccountUser - - roles/serviceusage.serviceUsageViewer - - roles/cloudkms.admin services: - accesscontextmanager.googleapis.com - cloudbilling.googleapis.com diff --git a/modules/job-exec/variables.tf b/modules/job-exec/variables.tf index 18c1d14d..4e006d86 100644 --- a/modules/job-exec/variables.tf +++ b/modules/job-exec/variables.tf @@ -114,16 +114,34 @@ variable "task_count" { variable "volumes" { type = list(object({ name = string + secret = optional(object({ + secret = string + default_mode = optional(string) + items = optional(object({ + path = string + version = optional(string) + mode = optional(string) + })) + })) cloud_sql_instance = optional(object({ instances = set(string) })) + empty_dir = optional(object({ + medium = optional(string) + size_limit = optional(string) + })) gcs = optional(object({ bucket = string read_only = optional(bool) mount_options = optional(list(string)) })) + nfs = optional(object({ + server = string + path = string + read_only = optional(string) + })) })) - description = "A list of Volumes to make available to containers." + description = "Volumes needed for environment variables (when using secret)" default = [] } 
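Review bot: In the variables.tf hunk the new `nfs` entry types `read_only` as `optional(string)` while the `gcs` entry a few lines above types the same flag as `optional(bool)`; Terraform will coerce `"true"` to a bool, but the inconsistency invites mistakes, so use `read_only = optional(bool)` for nfs as well. The new description `"Volumes needed for environment variables (when using secret)"` is narrower than what the type accepts (cloud_sql_instance, empty_dir, gcs and nfs volumes are all still declared) and suggests these volumes feed environment variables, which nothing in the hunk shows; something like `"Volumes to make available to the job's containers (secret, cloud_sql_instance, empty_dir, gcs or nfs)."` describes the variable. The same description text is repeated in modules/job-exec/README.md and modules/job-exec/metadata.yaml in this commit and should be kept in sync.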
@@ -137,12 +155,17 @@ variable "volume_mounts" { } variable "vpc_access" { - type = list(object({ - connector = string - egress = string - })) - description = "VPC Access configuration to use for this Task." - default = [] + type = object({ + connector = optional(string) + egress = optional(string) + network_interfaces = optional(object({ + network = optional(string) + subnetwork = optional(string) + tags = optional(list(string)) + })) + }) + description = "Configure this to enable your service to send traffic to a Virtual Private Cloud. Set egress to ALL_TRAFFIC or PRIVATE_RANGES_ONLY. Choose a connector or network_interfaces (for direct VPC egress). For details: https://cloud.google.com/run/docs/configuring/connecting-vpc" + default = null } variable "limits" { diff --git a/modules/secure-cloud-run-security/metadata.yaml b/modules/secure-cloud-run-security/metadata.yaml index 1895886d..8089b4d3 100644 --- a/modules/secure-cloud-run-security/metadata.yaml +++ b/modules/secure-cloud-run-security/metadata.yaml @@ -131,13 +131,13 @@ spec: roles: - level: Project roles: + - roles/iam.serviceAccountAdmin + - roles/artifactregistry.admin - roles/iam.serviceAccountUser - roles/serviceusage.serviceUsageViewer - roles/cloudkms.admin - roles/resourcemanager.projectIamAdmin - roles/run.admin - - roles/iam.serviceAccountAdmin - - roles/artifactregistry.admin services: - accesscontextmanager.googleapis.com - cloudbilling.googleapis.com diff --git a/modules/secure-cloud-run/metadata.yaml b/modules/secure-cloud-run/metadata.yaml index e6e99532..05db8b75 100644 --- a/modules/secure-cloud-run/metadata.yaml +++ b/modules/secure-cloud-run/metadata.yaml 
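Review bot: Changing `vpc_access` from `list(object({...}))` with default `[]` to a single `object({...})` with default `null` is a breaking change for every caller that currently passes a list (including an explicit `[]`), and nothing visible on this page flags the migration; a note in the README or changelog is warranted. Since `egress` is now `optional(string)` and the description tells callers to use `ALL_TRAFFIC` or `PRIVATE_RANGES_ONLY`, a `validation` block would reject typos at plan time instead of letting the provider fall back to its default egress routing, which is worth catching early because the egress mode decides whether all outbound traffic of the job is confined to the VPC. The block below goes after `default = null` inside the variable.
```hcl
  default     = null

  validation {
    condition     = var.vpc_access == null ? true : (var.vpc_access.egress == null ? true : contains(["ALL_TRAFFIC", "PRIVATE_RANGES_ONLY"], var.vpc_access.egress))
    error_message = "vpc_access.egress must be ALL_TRAFFIC or PRIVATE_RANGES_ONLY."
  }
```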
@@ -248,13 +248,13 @@ spec: roles: - level: Project roles: - - roles/iam.serviceAccountAdmin - - roles/artifactregistry.admin - roles/iam.serviceAccountUser - roles/serviceusage.serviceUsageViewer - roles/cloudkms.admin - roles/resourcemanager.projectIamAdmin - roles/run.admin + - roles/iam.serviceAccountAdmin + - roles/artifactregistry.admin services: - accesscontextmanager.googleapis.com - cloudbilling.googleapis.com diff --git a/modules/secure-serverless-harness/metadata.yaml b/modules/secure-serverless-harness/metadata.yaml index d61e5972..13faffb7 100644 --- a/modules/secure-serverless-harness/metadata.yaml +++ b/modules/secure-serverless-harness/metadata.yaml @@ -280,13 +280,13 @@ spec: roles: - level: Project roles: + - roles/serviceusage.serviceUsageViewer + - roles/cloudkms.admin + - roles/resourcemanager.projectIamAdmin - roles/run.admin - roles/iam.serviceAccountAdmin - roles/artifactregistry.admin - roles/iam.serviceAccountUser - - roles/serviceusage.serviceUsageViewer - - roles/cloudkms.admin - - roles/resourcemanager.projectIamAdmin services: - accesscontextmanager.googleapis.com - cloudbilling.googleapis.com diff --git a/modules/v2/metadata.yaml b/modules/v2/metadata.yaml index f70376c8..fbb8d3b4 100644 --- a/modules/v2/metadata.yaml +++ b/modules/v2/metadata.yaml @@ -563,13 +563,13 @@ spec: roles: - level: Project roles: - - roles/iam.serviceAccountUser - - roles/serviceusage.serviceUsageViewer - - roles/resourcemanager.projectIamAdmin - roles/compute.viewer - roles/iap.admin - roles/run.admin - roles/iam.serviceAccountAdmin + - roles/iam.serviceAccountUser + - roles/serviceusage.serviceUsageViewer + - roles/resourcemanager.projectIamAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com