Update Cloud Run instances when a secret is updated

Jor*_*UFF 3 google-cloud-platform terraform-provider-gcp google-cloud-run

On GCP, I use Cloud Run with environment variables sourced from Secret Manager.

How can I efficiently update the Cloud Run instances when a secret is updated?

I tried this Terraform code, but without success:

// run.tf
module "cloud-run-app" {
  source  = "GoogleCloudPlatform/cloud-run/google"
  version = "~> 0.0"

  service_name          = "${local.main_project}-cloudrun"
  location              = local.region
  image                 = local.cloudrun_image
  project_id            = local.main_project
  env_vars              = local.envvars_injection
  env_secret_vars       = local.secrets_injection
  service_account_email = google_service_account.app.email
  ports                 = local.cloudrun_port
  service_annotations = {
    "run.googleapis.com/ingress" : "internal-and-cloud-load-balancing"
  }
  service_labels = {
    "env_type" = var.env_name
  }
  template_annotations = {
    "autoscaling.knative.dev/maxScale" : local.cloudrun_app_max_scale,
    "autoscaling.knative.dev/minScale" : local.cloudrun_app_min_scale,
    "generated-by" : "terraform",
    "run.googleapis.com/client-name" : "terraform"
  }
  depends_on = [
    google_project_iam_member.run_gcr,
    google_project_iam_member.app_secretmanager,
    google_secret_manager_secret_version.secrets
  ]
}
// secrets.tf
resource "google_secret_manager_secret" "secrets" {
  for_each  = local.secrets_definition
  secret_id = each.key
  replication {
    automatic = true
  }
}

resource "google_secret_manager_secret_version" "secrets" {
  for_each    = local.secrets_definition
  secret      = google_secret_manager_secret.secrets[each.key].name
  secret_data = each.value
}

gui*_*ere 8

The trick here is to mount the secret as a volume (a file) instead of as an environment variable.

If you do that, point your secret version at the `latest` version, and read the file every time you need the secret's content, you will read the latest version. No need to reload the Cloud Run instance or redeploy a revision.
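As an added illustration of this answer (example configuration written here, not code from the question or from the terraform-google-cloud-run module), the following Terraform declares the same kind of service with the `google_cloud_run_v2_service` resource from the Google provider and mounts one Secret Manager secret as a read-only file that tracks `latest`. The secret key `db_password`, the service name, region, image path and the `google_service_account.app` resource are assumptions; the `google_secret_manager_secret.secrets` map is the one from the question.

```hcl
# Added example, not the module code from the question.
# Grant the runtime service account access to this one secret only
# (least privilege), instead of roles/secretmanager.secretAccessor on
# the whole project as in the question's google_project_iam_member.
resource "google_secret_manager_secret_iam_member" "app_db_password" {
  secret_id = google_secret_manager_secret.secrets["db_password"].secret_id # assumed key
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.app.email}"          # assumed resource
}

resource "google_cloud_run_v2_service" "app" {
  name     = "example-cloudrun"                      # assumed
  location = "europe-west1"                          # assumed
  ingress  = "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER" # same intent as the question's ingress annotation

  template {
    service_account = google_service_account.app.email

    scaling {
      min_instance_count = 0
      max_instance_count = 3
    }

    # The secret is exposed as a file, not as an environment variable.
    # "latest" is an alias, so no revision change is needed when a new
    # secret version is added; the application must open the file on
    # every use rather than read it once at startup.
    volumes {
      name = "app-secrets"
      secret {
        secret       = google_secret_manager_secret.secrets["db_password"].secret_id
        default_mode = 256 # octal 0400: readable by the container user only
        items {
          version = "latest"
          path    = "db_password" # mounted at /secrets/db_password
        }
      }
    }

    containers {
      image = "europe-docker.pkg.dev/PROJECT_ID/REPO/app:TAG" # placeholder image path

      volume_mounts {
        name       = "app-secrets"
        mount_path = "/secrets"
      }

      # Non-sensitive settings can still be plain environment variables.
      env {
        name  = "DB_PASSWORD_FILE"
        value = "/secrets/db_password"
      }
    }
  }

  depends_on = [google_secret_manager_secret_iam_member.app_db_password]
}
```

The application then reads `/secrets/db_password` at the moment it needs the value (for example when opening a database connection), which is what makes the `latest` alias useful; caching the file contents in a process-wide variable at startup would reintroduce the problem the question describes.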