terraform-provider-google: Cloud Run Service Secret Environment Variables, throws spec.template.spec.containers[0].env.value_from should be empty
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
- Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
- If you are interested in working on this issue or have submitted a pull request, please leave a comment.
- If an issue is assigned to the `modular-magician` user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to `hashibot`, a community member has claimed the issue already.
### Terraform Version
0.15.3.
### Affected Resource(s)
Cloud Run beta, spec env secret manager env.
google_cloud_run_service
### Terraform Configuration Files
(code from example)
```tf
data "google_project" "project" {
  provider = google-beta
}

resource "google_secret_manager_secret" "secret" {
  provider  = google-beta
  secret_id = "secret"
  replication {
    automatic = true
  }
}

resource "google_secret_manager_secret_version" "secret-version-data" {
  provider    = google-beta
  secret      = google_secret_manager_secret.secret.name
  secret_data = "secret-data"
}

resource "google_secret_manager_secret_iam_member" "secret-access" {
  provider   = google-beta
  secret_id  = google_secret_manager_secret.secret.id
  role       = "roles/secretmanager.secretAccessor"
  member     = "serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com"
  depends_on = [google_secret_manager_secret.secret]
}

resource "google_cloud_run_service" "default" {
  provider = google-beta
  name     = "cloudrun-srv"
  location = "us-central1"

  template {
    spec {
      containers {
        image = "gcr.io/cloudrun/hello"
        env {
          name = "SECRET_ENV_VAR"
          value_from {
            secret_key_ref {
              name = google_secret_manager_secret.secret.secret_id
              key  = "1"
            }
          }
        }
      }
    }
  }

  metadata {
    annotations = {
      generated-by                      = "magic-modules"
      "run.googleapis.com/launch-stage" = "ALPHA"
    }
  }

  traffic {
    percent         = 100
    latest_revision = true
  }

  autogenerate_revision_name = true

  lifecycle {
    ignore_changes = [
      metadata.0.annotations,
    ]
  }

  depends_on = [google_secret_manager_secret_version.secret-version-data]
}
```
### Debug Output
```
│ Error: Error updating Service "locations/us-east1/namespaces/just-ricardo-duarte/services/cloud-run-example": googleapi: Error 400: spec.template.spec.containers[0].env.value_from: spec.template.spec.containers[0].env.value_from should be empty
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.BadRequest",
│     "fieldViolations": [
│       {
│         "description": "spec.template.spec.containers[0].env.value_from should be empty",
│         "field": "spec.template.spec.containers[0].env.value_from"
│       }
│     ]
│   }
│ ]
```
### Expected Behavior
It should have allowed adding a Secret Manager reference to Cloud Run.
### Actual Behavior
Terraform apply failed
### Steps to Reproduce
terraform init
terraform apply
### References
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_service#example-usage---cloud-run-service-secret-environment-variables
About this issue
- State: closed
- Created 3 years ago
- Reactions: 12
- Comments: 16
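An added example, not part of the original issue or the provider's code: a pre-apply check over `terraform show -json` output that flags `google_cloud_run_service` resources setting `env.value_from` without the `run.googleapis.com/launch-stage` annotation this thread discusses. The sample plan, resource addresses and function names are constructed for illustration, and only the annotation's presence is checked because the page does not state which values the API accepts.

```python
LAUNCH_STAGE = "run.googleapis.com/launch-stage"
def _svc(address, annotations, env):
    """Build one constructed resource shaped like `terraform show -json` output."""
    return {"address": address, "type": "google_cloud_run_service",
            "values": {"metadata": [{"annotations": annotations}],
                       "template": [{"spec": [{"containers": [{"env": env}]}]}]}}

# Constructed sample plan (not from the issue); nested blocks appear as lists.
_SECRET_ENV = [{"name": "SECRET_ENV_VAR",
                "value_from": [{"secret_key_ref": [{"name": "secret", "key": "1"}]}]}]
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [_svc("google_cloud_run_service.no_stage", {}, _SECRET_ENV)],
    "child_modules": [{"resources": [
        _svc("module.app.google_cloud_run_service.staged", {LAUNCH_STAGE: "BETA"}, _SECRET_ENV),
        _svc("module.app.google_cloud_run_service.plain", {},
             [{"name": "MODE", "value": "prod", "value_from": []}])]}]}}}

def walk_resources(module):
    """Yield resources of a module and, recursively, of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)

def secret_env_names(values):
    """Names of env vars that set value_from in any container."""
    return [env.get("name")
            for tmpl in values.get("template") or []
            for spec in tmpl.get("spec") or []
            for ctr in spec.get("containers") or []
            for env in ctr.get("env") or []
            if env.get("value_from")]

def missing_launch_stage(plan):
    """Map address -> env names for services using value_from without the annotation."""
    findings = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in walk_resources(root):
        if res.get("type") != "google_cloud_run_service":
            continue
        values = res.get("values") or {}
        annotations = {}
        for meta in values.get("metadata") or []:
            annotations.update(meta.get("annotations") or {})
        names = secret_env_names(values)
        if names and LAUNCH_STAGE not in annotations:
            findings[res["address"]] = names
    return findings

if __name__ == "__main__":
    print(missing_launch_stage(SAMPLE_PLAN))
```

Against a real plan, load the output of `terraform show -json <planfile>` with `json.load` and pass it to `missing_launch_stage` before running `terraform apply`.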
@edwardmedia I had read this before I opened the issue, but I think you will agree that between that line and
`"run.googleapis.com/launch-stage" = "BETA"`
I fully understand Terraform doesn't have control over which annotations are allowed, since some of these are obscure and a consequence of using Kubernetes in the background. However, since this little line makes all the difference when adopting beta/alpha features, I feel the docs should highlight the requirement properly, or the error message should be more descriptive, that's all. As you can see, I am not the only one that tripped when adopting this.