Updated README and variables
prabhu34 committed Jul 1, 2021
1 parent 689ad83 commit db99036
Showing 4 changed files with 46 additions and 51 deletions.
48 changes: 26 additions & 22 deletions README.md
Expand Up @@ -6,7 +6,7 @@ The resources/services/activations/deletions that this module will create/trigge

* Creates a Cloud Run service with provided name and container
* Creates Domain mapping for the deployed service
* Applies IAM policies
* Applies IAM roles

## Assumptions and Prerequisites

Expand Down Expand Up @@ -38,8 +38,7 @@ module "cloud_run" {
}
]
service_labels = {
"usage" = "<ENV>" ,
"owner" = "<ADMIN>"
"key" = "value"
}
service_annotations = {
# possible values: all, internal, internal-and-cloud-load-balancing
Expand All @@ -48,7 +47,7 @@ module "cloud_run" {
// Metadata
template_labels = {
"app" = "helloworld"
"key" = "value"
}
template_annotations = {
"run.googleapis.com/cloudsql-instances" = "<CLOUD_SQL_CONNECTION_STRING>"
Expand All @@ -61,7 +60,7 @@ module "cloud_run" {
// template spec
container_concurrency = 0
timeout_seconds = "120"
service_account_name = "<USER_MANAGED_SERVICE_ACCOUNT_NAME>"
service_account_name = "<USER_MANAGED_SERVICE_ACCOUNT_EMAIL>"
volumes = [
{
name = "<SECRET_VOLUME_NAME>"
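Review bot: the usage example still passes `service_account_name` (now with the `<USER_MANAGED_SERVICE_ACCOUNT_EMAIL>` placeholder), while the Inputs table in this same commit documents the variable as `service_account_email`. Rename the argument in the example to match the table, otherwise a block copied from the README will not line up with the module's declared inputs.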
Expand Down Expand Up @@ -93,8 +92,8 @@ module "cloud_run" {
name = "http1"
port = 3000
}
argument = ""
container_command = ""
argument = []
container_command = []
# envs
env_vars = [
Expand Down Expand Up @@ -130,19 +129,22 @@ module "cloud_run" {
force_override = false
certificate_mode = "AUTOMATIC" # NONE, AUTOMATIC
domain_map_labels = {
"business_unit" = "app_name"
"key" = "value"
}
domain_map_annotations = {
"run.googleapis.com/launch-stage" = "BETA"
}
#### IAM
role = "roles/viewer"
role = [
"roles/run.invoker",
"roles/viewer"
]
members = [
"allUsers", # ensure before using allUsers
"user:<USER_EMAIL>",
"serviceAccount:<SA_EMAIL>"
]
authenticated_access = false
}
```
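Review bot: in the IAM block the example sets `role = [ ... ]`, but the Inputs table and variables.tf name the variable `roles`; the example should use `roles`. The sample also pairs `"allUsers"` with `roles/run.invoker` and `roles/viewer`, so anyone copying it verbatim grants those roles to the public. Consider leaving `allUsers` out of the main usage block, or replace "ensure before using allUsers" with a comment that says it makes the service publicly accessible. The example also lists `roles/viewer` where the usage comment in variables.tf lists `roles/run.viewer`; pick one so the docs agree.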

Expand All @@ -151,31 +153,30 @@ module "cloud_run" {

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| argument | Arguments passed to the entry point command | `string` | `""` | no |
| authenticated\_access | Option to enable or disable service authentication | `bool` | `false` | no |
| argument | Arguments passed to the ENTRYPOINT command | `list(string)` | `[]` | no |
| certificate\_mode | The mode of the certificate | `string` | `"NONE"` | no |
| container\_command | Leave blank to use the entry point command defined in the container image | `string` | `""` | no |
| container\_command | Leave blank to use the ENTRYPOINT command defined in the container image | `list(string)` | `[]` | no |
| container\_concurrency | Concurrent request limits to the service | `number` | `0` | no |
| domain\_map\_annotations | Annotations to the domain map | `map(string)` | `{}` | no |
| domain\_map\_labels | Labels to the domain map | `map(string)` | <pre>{<br> "business_unit": "app_name"<br>}</pre> | no |
| domain\_map\_labels | A set of key/value label pairs to assign to the Domain mapping | `map(string)` | `{}` | no |
| env\_secret\_vars | [Beta] Environment variables (Secret Manager) | <pre>list(object({<br> name = string<br> value_from = set(object({<br> secret_key_ref = map(string)<br> }))<br> }))</pre> | `[]` | no |
| env\_vars | Environment variables (cleartext) | <pre>list(object({<br> value = string<br> name = string<br> }))</pre> | `[]` | no |
| force\_override | Option to force override existing mapping | `bool` | `false` | no |
| generate\_revision\_name | Option to enable revision name generation | `bool` | `true` | no |
| image | GCR hosted image URL to deploy | `string` | n/a | yes |
| limits | Resource limits to the container | `map(string)` | `{}` | no |
| location | Cloud Run service deployment location | `string` | n/a | yes |
| members | Users/SAs to be givem permission to the service | `list(string)` | <pre>[<br> "user:abc@xyz.com",<br> "serviceAccount:abc@xyz.com"<br>]</pre> | no |
| ports | Port which the container listens to | <pre>object({<br> name = string<br> port = number<br> })</pre> | <pre>{<br> "name": "http1",<br> "port": 2000<br>}</pre> | no |
| members | Users/SAs to be given access to the service | `list(string)` | `[]` | no |
| ports | Port which the container listens to | <pre>object({<br> name = string<br> port = number<br> })</pre> | <pre>{<br> "name": "http1",<br> "port": 8080<br>}</pre> | no |
| project\_id | The project ID to deploy to | `string` | n/a | yes |
| requests | Resource requests to the container | `map(string)` | `{}` | no |
| role | Roles to be provisioned to the service | `string` | `null` | no |
| service\_account\_name | Service Account needed for the service | `string` | `null` | no |
| roles | Roles to be provisioned for the members | `list(string)` | `[]` | no |
| service\_account\_email | Service Account email needed for the service | `string` | `null` | no |
| service\_annotations | Annotations to the service | `map(string)` | <pre>{<br> "run.googleapis.com/ingress": "all"<br>}</pre> | no |
| service\_labels | Labels to the service | `map(string)` | <pre>{<br> "business_unit": "app_name"<br>}</pre> | no |
| service\_labels | A set of key/value label pairs to assign to the service | `map(string)` | `{}` | no |
| service\_name | The name of the Cloud Run service to create | `string` | n/a | yes |
| template\_annotations | Annotations to the container metadata | `map(string)` | <pre>{<br> "autoscaling.knative.dev/maxScale": 2,<br> "autoscaling.knative.dev/minScale": 1,<br> "generated-by": "terraform",<br> "run.googleapis.com/client-name": "terraform"<br>}</pre> | no |
| template\_labels | Labels to the container metadata | `map(string)` | <pre>{<br> "app": "helloworld"<br>}</pre> | no |
| template\_labels | A set of key/value label pairs to assign to the container metadata | `map(string)` | `{}` | no |
| timeout\_seconds | Timeout for each request | `number` | `120` | no |
| traffic\_split | Managing traffic routing to the service | <pre>list(object({<br> latest_revision = bool<br> percent = number<br> revision_name = string<br> }))</pre> | <pre>[<br> {<br> "latest_revision": true,<br> "percent": 100,<br> "revision_name": "v1-0-0"<br> }<br>]</pre> | no |
| verified\_domain\_name | Custom Domain Name | `string` | `null` | no |
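Review bot: the input changes in this table (`role` to `roles`, `service_account_name` to `service_account_email`, `argument` and `container_command` from `string` to `list(string)`, and the removal of `authenticated_access`) are breaking for existing callers, and neither the README nor the commit message calls that out. Add a short upgrade note listing the renamed and removed inputs. With `members` and `roles` now both defaulting to `[]`, the descriptions should also say what access the service ends up with when they are left empty.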
Expand Down Expand Up @@ -220,10 +221,13 @@ Note: In order to deploy a service with a user-managed service account, the user

### APIs

A project with the following APIs enabled must be used to host the
resources of this module:
A project with the following APIs enabled must be used to host the main
resource of this module:

- Google Cloud Run: `run.googleapis.com`
- Serverless VPC Access (optional): `vpcaccess.googleapis.com`
- Cloud SQL (optional): `sqladmin.googleapis.com`


The [Project Factory module][project-factory-module] and the
[IAM module][iam-module] may be used in combination to provision a
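Review bot: the optional API list adds Serverless VPC Access and Cloud SQL but not Secret Manager, although the Inputs table documents `env_secret_vars` as Secret Manager backed and the usage block mounts a `<SECRET_VOLUME_NAME>` volume. Add `secretmanager.googleapis.com` as an optional entry so the prerequisites cover every feature the README demonstrates. The hunk also leaves two consecutive blank lines after the list; one is enough.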
20 changes: 8 additions & 12 deletions examples/cloud_run_vpc_connector/README.md
@@ -1,29 +1,25 @@
# Terraform Cloud Run Module

This module handles the basic deployment of containerized applications on Cloud Run, along with domain mapping and IAM policy for the service.
This exmaple module handles the basic deployment of containerized applications on Cloud Run, along with domain mapping and IAM policy for the service.

The resources/services/activations/deletions that this module will create/trigger are:

* Creates a Cloud Run service with provided name and container
* Creates Domain mapping for the deployed service
* Applies IAM policies
* Creates a Cloud Run service with provided name and container with Serverless VPC Connector

## Assumptions and Prerequisites

This module assumes that below mentioend prerequisites are in place before consuming the module.

* All required APIs are enabled in the GCP Project
* Cloud SQL
* VPC Connector
* Environment Variables in Secret Manager

## Usage

Basic usage of this module is as follows:

```hcl
module "cloud_run" {
source = "./simple_cloud_run"
module "cloud_run_vpc_connector" {
source = "./cloud_run_vpc_connector"
service_name = var.service_name
project_id = var.project_id
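Review bot: typo in the reworded intro sentence, "exmaple" should be "example". That sentence also still promises "domain mapping and IAM policy for the service" while the bullet list is reduced to the single "with Serverless VPC Connector" item; if this example no longer sets up domain mapping or IAM, drop them from the sentence as well. The prerequisites sentence carries "mentioend", which could be fixed in the same pass.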
Expand All @@ -38,22 +34,21 @@ module "cloud_run" {

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| generate\_revision\_name | Option to enable revision name generation | `bool` | `true` | no |
| image | GCR hosted image URL to deploy | `string` | n/a | yes |
| location | Cloud Run service deployment location | `string` | n/a | yes |
| project\_id | The project ID to deploy to | `string` | n/a | yes |
| service\_name | The name of the Cloud Run service to create | `string` | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| connector\_id | n/a |
| revision | Deployed revision for the service |
| service\_id | Unique Identifier for the created service |
| service\_location | Location in which the Cloud Run service was created |
| service\_name | Name of the created service |
| service\_status | Status of the created service |
| service\_url | The URL on which the deployed service is available |
| subnets | n/a |
| vpc\_name | VPC created for serverless |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
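Review bot: the `connector_id` and `subnets` rows in the Outputs table show "n/a" as their description, unlike `vpc_name`. Give both outputs a `description` in the example's outputs file and regenerate the table, so readers know which identifier and which subnet data they are getting back.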

Expand Down Expand Up @@ -83,6 +78,7 @@ A project with the following APIs enabled must be used to host the
resources of this module:

- Google Cloud Run: `run.googleapis.com`
- Serverless VPC Access: `vpcaccess.googleapis.com`

The [Project Factory module][project-factory-module] and the
[IAM module][iam-module] may be used in combination to provision a
9 changes: 2 additions & 7 deletions examples/simple_cloud_run/README.md
@@ -1,28 +1,23 @@
# Terraform Cloud Run Module

This module handles the basic deployment of containerized applications on Cloud Run, along with domain mapping and IAM policy for the service.
This example module handles the basic deployment of containerized applications on Cloud Run, along with domain mapping and IAM policy for the service.

The resources/services/activations/deletions that this module will create/trigger are:

* Creates a Cloud Run service with provided name and container
* Creates Domain mapping for the deployed service
* Applies IAM policies

## Assumptions and Prerequisites

This module assumes that below mentioend prerequisites are in place before consuming the module.

* All required APIs are enabled in the GCP Project
* Cloud SQL
* VPC Connector
* Environment Variables in Secret Manager

## Usage

Basic usage of this module is as follows:

```hcl
module "cloud_run" {
module "simple_cloud_run" {
source = "./simple_cloud_run"
service_name = var.service_name
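Review bot: the intro sentence in this README still says the example handles "domain mapping and IAM policy for the service", which should stay in step with the bullet list under it. If the "Creates Domain mapping" and "Applies IAM policies" items are being dropped for this example, remove them from the sentence too, so nobody assumes an IAM binding exists that the example never creates.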
20 changes: 10 additions & 10 deletions variables.tf
Expand Up @@ -227,19 +227,19 @@ variable "domain_map_annotations" {
variable "roles" {
type = list(string)
description = "Roles to be provisioned for the members"
default = [
"roles/run.invoker",
"roles/run.viewer"
]
default = []
# Usage: [ "roles/run.invoker", "roles/run.viewer" ]
}

variable "members" {
type = list(string)
description = "Users/SAs to be given access to the service"
default = [
"allusers", # not recommended but ensure before using it
# use below format for Users and SAs
#"user:abc@xyz.com",
#"serviceAccount:abc@xyz.com",
]
default = []
# Usage:
# [
# "allUsers", # ensure before using allUsers
# #use below format for Users and SAs
# "user:abc@xyz.com",
# "serviceAccount:abc@xyz.com",
# ]
}
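Review bot: the usage comment on `members` still lists `"allUsers"` first, with only "ensure before using allUsers" as guidance. Moving both defaults to `[]` is the right direction, since the previous default shipped a public member together with `roles/run.invoker`, but the comment should say plainly that `allUsers` opens the service to unauthenticated callers, and the sample should lead with the `user:` and `serviceAccount:` forms. The nested `#use below format ...` line inside the commented list is hard to read; fold it into the line above the list.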
