Cloud Run integration with Secret Manager

alfonsozamorac commented 1 week ago

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
If an issue is assigned to a user, that user is claiming responsibility for the issue.
Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.2.9 on darwin_arm64

provider registry.terraform.io/hashicorp/google v6.11.1
provider registry.terraform.io/hashicorp/google-beta v6.11.1

Affected Resource(s)

google_cloud_run_v2_service

Terraform Configuration

provider "google" {
    project = "XXXXXXXX"

}
resource "google_cloud_run_v2_service" "default" {
  name     = "cloudrun-service"
  location = "us-central1"
  deletion_protection = false
  ingress = "INGRESS_TRAFFIC_ALL"

  template {
    volumes {
      name = "a-volume"
      secret {
        secret = google_secret_manager_secret.secret.secret_id
        default_mode = 292 # 0444
        items {
          version = "1"
          path = "my-secret"
        }
      }
    }
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
      volume_mounts {
        name = "a-volume"
        mount_path = "/secrets"
      }
    }
  }
  depends_on = [google_secret_manager_secret_version.secret-version-data]
}

data "google_project" "project" {
}

resource "google_secret_manager_secret" "secret" {
  secret_id = "secret-1"
  replication {
    auto {}
  }
}

resource "google_secret_manager_secret_version" "secret-version-data" {
  secret = google_secret_manager_secret.secret.name
  secret_data = "secret-data"
}

resource "google_secret_manager_secret_iam_member" "secret-access" {
  secret_id = google_secret_manager_secret.secret.id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com"
  depends_on = [google_secret_manager_secret.secret]
}

Debug Output

│ Error: Error waiting to create Service: Error waiting for Creating Service: timeout while waiting for state to become 'done: true' (last state: 'done: false', timeout: 20m0s) │ │ with google_cloud_run_v2_service.default, │ on main.tf line 5, in resource "google_cloud_run_v2_service" "default": │ 5: resource "google_cloud_run_v2_service" "default" {

Expected Behavior

Creation complete

Actual Behavior

Timeout and unstable

Steps to reproduce

terraform apply
terraform destroy

Important Factoids

No response

References

I have followed the following example of the provider for handling secrets with Cloud Run (https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_service#example-usage---cloudrunv2-service-secret) but I am getting a timeout error, and if I go to the configuration in the UI it does not get displayed and gives an error. I am also having problems when I use google_vpc_access_connector and I have a NAT that does not allow the network traffic to go out. I have a PoC that was working at least until October 18, and with the same terraform code it no longer works and all the errors are being caused by Cloud Run.

wyardley commented 1 week ago

FWIW, your example exactly as you have it works for me in about 1:30 (minus the explicit depends_on, which I believe you shouldn't need, since you have implicit deps on the same resources already by using the interpolated values) and the same provider version.... maybe double-check the cloud run logs to see if that gives you any idea of what's going wrong.

In your example here, you're using the default compute service account; if you're using a different SA for the cloud run job in your actual use case, you might need to adjust the secret permissions.

(obviously, in a real world situation, you probably would want to consider managing the secret version (the actual value of the secret) outside of Terraform).

google_cloud_run_v2_service.default: Still creating... [1m30s elapsed]
google_cloud_run_v2_service.default: Creation complete after 1m33s [id=projects/xxx/locations/us-central1/services/cloudrun-service]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

alfonsozamorac commented 1 week ago

I just tried recreating again and now everything works again after two days. I don't know if there was a Google issue or if it was just a one-off. The case can be closed, thank you very much for the help!

hashicorp / terraform-provider-google