hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

cloud_run_service cross-project secrets referencing #11385

Open marekaf opened 2 years ago

marekaf commented 2 years ago

Terraform Version

terraform -v
Terraform v1.1.7
on darwin_amd64
+ provider registry.terraform.io/hashicorp/google v4.15.0
+ provider registry.terraform.io/hashicorp/google-beta v4.2.1
+ provider registry.terraform.io/hashicorp/random v3.1.2

Terraform Configuration Files

resource "google_cloud_run_service" "main" {
  name     = "main"
  location = var.region
  autogenerate_revision_name = true
  metadata {
    annotations = {
      "run.googleapis.com/secrets" = "db-password:projects/1234567890/secrets/db-password"
    }
  }

  template {
    spec {
      service_account_name = google_service_account.main.email
      timeout_seconds      = 60

      containers {
        image = var.image

        resources {
          limits = {
            cpu    = "1"
            memory = "128Mi"
          }
        }

        ports {
          name           = "http1"
          container_port = 80
        }

        env {
          name = "DB_PASSWORD"
          value_from {
            secret_key_ref {
              name = "db-password"
              key  = "1" // secret version
            }
          }
        }
      }
    }
    metadata {
      annotations = {}
    }
  }
}

Expected Behavior

Terraform should create the cloud run service and pull a secret from another GCP project without any errors.

Actual Behavior

Error waiting to create Service: resource is in failed state "Ready:False", message: spec.template.spec.container.env[0].value_from.secret_key_ref.name: Secret projects/3333333333/secrets/db-secret/versions/1 was not found

For some reason, Terraform is trying to look for the secret in this GCP project, even though the annotation properly references the aliased secret and secret ID of another project.

Steps to Reproduce

  1. terraform apply

Important Factoids

Doing this in the console by hand works without any issues.

If I take the random alias that is created by doing this manually in the console, the alias looks like this:

secret-e0e199b5-8675-438c-a34a-3edcb93008a3:projects/1234567890/secrets/db-password

If I put this as the alias in my .tf file and run plan, drift is shown.

If I have the same configuration in Terraform, I do terraform plan and see no drift.

marekaf commented 2 years ago

Actually, nevermind... I just figured it out.

The annotation for the secret alias has to be in BOTH metadata.annotations and template.metadata.annotations.

RIP my time. Hope this helps somebody before they blow their brains out.

resource "google_cloud_run_service" "main" {
  name     = "main"
  location = var.region
  autogenerate_revision_name = true
  metadata {
    annotations = {
      "run.googleapis.com/secrets" = "db-password:projects/1234567890/secrets/db-password"
    }
  }

  template {
    spec {
      service_account_name = google_service_account.main.email
      timeout_seconds      = 60

      containers {
        image = var.image

        resources {
          limits = {
            cpu    = "1"
            memory = "128Mi"
          }
        }

        ports {
          name           = "http1"
          container_port = 80
        }

        env {
          name = "DB_PASSWORD"
          value_from {
            secret_key_ref {
              name = "db-password"
              key  = "1" // secret version
            }
          }
        }
      }
    }
    metadata {
      annotations = {
        "run.googleapis.com/secrets" = "db-password:projects/1234567890/secrets/db-password"
      }
    }
  }
}

jketcham commented 1 year ago

Hope this helps somebody before they blow their brains out.

🙌 This really should be made clearer in the docs; adding an example would be great.

When I set this up with provider version 4.42.0, I only needed to add the annotation to the template block, and it returned with an error when I tried to add it to the top level metadata.annotations for the cloud run service itself.
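An added check for the failure mode in this thread (example code, not from the provider or either commenter): given a Cloud Run service manifest as a dict in the Knative Service shape that the resource above renders, it parses the `run.googleapis.com/secrets` annotation into alias-to-secret mappings and flags any container env `secretKeyRef` whose name is not an alias declared in `template.metadata.annotations`, which is the placement both comments agree Cloud Run needs. The entry format `alias:projects/<number>/secrets/<name>` and the manifest key names are assumptions taken from the thread; the project number and service in `example_service` are constructed.

```python
import re

ANNOTATION = "run.googleapis.com/secrets"
# Each comma-separated entry is assumed to be alias:projects/<project-number>/secrets/<name>
ENTRY_RE = re.compile(r"^([\w.-]+):projects/(\d+)/secrets/([\w-]+)$")


def parse_secret_aliases(annotations: dict) -> dict:
    """Map alias -> full secret resource name from the annotation value."""
    aliases = {}
    for entry in (annotations or {}).get(ANNOTATION, "").split(","):
        if entry.strip():
            m = ENTRY_RE.match(entry.strip())
            if not m:
                raise ValueError(f"malformed {ANNOTATION} entry: {entry!r}")
            alias, project, name = m.groups()
            aliases[alias] = f"projects/{project}/secrets/{name}"
    return aliases


def check_secret_refs(service: dict) -> list:
    """One finding per env var whose secretKeyRef will not resolve cross-project."""
    top = parse_secret_aliases(service.get("metadata", {}).get("annotations"))
    template = service.get("spec", {}).get("template", {})
    tmpl = parse_secret_aliases(template.get("metadata", {}).get("annotations"))
    findings = []
    for container in template.get("spec", {}).get("containers", []):
        for env in container.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if not ref:
                continue  # plain value, nothing to resolve
            name = ref["name"]
            if name in tmpl:
                continue  # resolves to tmpl[name] in the other project
            where = ("declared only in top-level metadata.annotations" if name in top
                     else "not a declared alias, so it resolves as a same-project secret")
            findings.append(f"{env['name']}: {name!r} {where}; "
                            "add it to template.metadata.annotations")
    return findings


def example_service(template_alias: bool) -> dict:
    """Constructed manifest mirroring the thread's config (fake project number)."""
    alias = {ANNOTATION: "db-password:projects/1234567890/secrets/db-password"}
    return {
        "metadata": {"annotations": dict(alias)},
        "spec": {"template": {
            "metadata": {"annotations": dict(alias) if template_alias else {}},
            "spec": {"containers": [{"env": [{"name": "DB_PASSWORD", "valueFrom": {
                "secretKeyRef": {"name": "db-password", "key": "1"}}}]}]}}}}
```

`check_secret_refs(example_service(template_alias=False))` reproduces the first comment's situation and returns one finding; with `template_alias=True` it returns none.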