
terraform google cloud run add cloud sql connection

I am using terraform to create my infrastructure on google cloud. I use a tfvars file to hold my variables such as the database password. I deploy my app to cloud run and create a database in sql. Problem is I need to add this database to cloud run's Cloud SQL connections. Because otherwise this app can't connect to the database. How can I do this with terraform?

My tf file:

variable "database_password" {
    type = string
}
variable "database_user" {
    type = string
}
variable "project_name" {
    type=string
}
variable "jwt_key" {
    type = string
}
provider "google"{
    credentials=file("credentials.json")
    project=var.project_name
    region="us-west1"
}
resource "google_sql_database_instance" "instance" {
    name="socialmediadatabase"
    region="us-central1"
    database_version="POSTGRES_13"
    deletion_protection = false
    settings{
        tier="db-f1-micro"
    }
}
resource "google_sql_database" "database"{
    name="socialmedia"
    instance=google_sql_database_instance.instance.name
}
resource "google_sql_user" "database-user" {
    name = var.database_user
    instance = google_sql_database_instance.instance.name
    password = var.database_password
}
resource "google_cloud_run_service" "run" {
    name="socialmedia"
    location = "us-central1"
    template {
        spec {
            containers {
                image = "gcr.io/${var.project_name}/socialmedia:latest"
                ports {
                    container_port = 5000
                }
                env {
                    name="ENV"
                    value = "production"
                }
                env {
                    name="JWT_KEY"
                    value = var.jwt_key
                }
                env {
                    name="DB_URL"
                    value = "postgresql://${var.database_user}:${var.database_password}@/socialmedia?host=/cloudsql/${google_sql_database_instance.instance.connection_name}"
                }
            }
        }
    }
    metadata {
        annotations = {
            "run.googleapis.com/cloudsql-instances"=google_sql_database_instance.instance.connection_name
        }
    }
}
#?
resource "google_cloud_run_service_iam_member" "member" {
    service = google_cloud_run_service.run.name
    location = google_cloud_run_service.run.location
    role = "roles/run.invoker"
    member = "allUsers"
}

I solved it. I was supposed to add metadata under template. This is the correct one:

variable "database_password" {
    type = string
}
variable "database_user" {
    type = string
}
variable "project_name" {
    type=string
}
variable "jwt_key" {
    type = string
}
provider "google"{
    credentials=file("credentials.json")
    project=var.project_name
    region="us-west1"
}
resource "google_sql_database_instance" "instance" {
    name="socialmediadatabase"
    region="us-central1"
    database_version="POSTGRES_13"
    deletion_protection = false
    settings{
        tier="db-f1-micro"
    }
}
resource "google_sql_database" "database"{
    name="socialmedia"
    instance=google_sql_database_instance.instance.name
}
resource "google_sql_user" "database-user" {
    name = var.database_user
    instance = google_sql_database_instance.instance.name
    password = var.database_password
}
resource "google_cloud_run_service" "run" {
    name="socialmedia"
    location = "us-central1"
    template {
        spec {
            containers {
                image = "gcr.io/${var.project_name}/socialmedia:latest"
                ports {
                    container_port = 5000
                }
                env {
                    name="ENV"
                    value = "production"
                }
                env {
                    name="JWT_KEY"
                    value = var.jwt_key
                }
                env {
                    name="DB_URL"
                    value = "postgresql://${var.database_user}:${var.database_password}@/socialmedia?host=/cloudsql/${google_sql_database_instance.instance.connection_name}"
                }
            }
        }
        metadata {
            annotations = {
                "run.googleapis.com/cloudsql-instances"=google_sql_database_instance.instance.connection_name
            }
        }
    }
}
#?
resource "google_cloud_run_service_iam_member" "member" {
    service = google_cloud_run_service.run.name
    location = google_cloud_run_service.run.location
    role = "roles/run.invoker"
    member = "allUsers"
}

Looking into the code - I guess that you would like to provide secret information using terraform into an environment variable of a Cloud Run service...

I would say there may be at least 2 issues with such an approach:

1/ Those secret values are going to be stored in the terraform state file. In a decrypted format. I am not sure this is a good idea.

2/ Those secret values become accessible to anybody (or anything) who has access to the environment variables. From my point of view - a bit risky.

I would suggest storing secret values in the Secret Manager ... - see the documentation here and provide only the secret names as environment variables...

Thus, the Cloud Run code should get the environment variables and fetch the corresponding secret values from the Secret Manager.

To make this happen, the secrets (as placeholders) can be created by terraform, so their names can be provided smoothly in the Cloud Run service.

The Cloud Run service account should get the relevant IAM roles to access the secrets. That can be done using terraform as well.

Finally, don't forget to populate the secrets with actual values (or versions in GCP terminology), using the UI console or a gcloud CLI command, and modify the Cloud Run code so it can handle exceptions - an absence of the secret value or incorrect values.
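The pattern described in this answer, put together as a Terraform example. This is added illustration, not code from the question or from either answer: the secret ids, the service account id and the assumption that the `google` provider is at 5.x or later (where secret replication is written `replication { auto {} }`; on 4.x it is `replication { automatic = true }`) are mine. It creates the secrets as empty placeholders, gives Cloud Run its own runtime identity with accessor rights on exactly those secrets, and passes only the secret names into the container, while keeping the Cloud SQL annotation under `template` as in the accepted fix.

```hcl
# Added example (not from the original question or answers). Assumed names:
# secret ids "socialmedia-db-password"/"socialmedia-jwt-key", service account
# id "socialmedia-run". Assumes google provider >= 5.x for `replication { auto {} }`.

# Make sure the Secret Manager API is enabled in the project.
resource "google_project_service" "secretmanager" {
  service            = "secretmanager.googleapis.com"
  disable_on_destroy = false
}

# Placeholder secrets: terraform creates the container only. The value (a
# "version") is added out of band, so it never lands in tfvars or the state file.
resource "google_secret_manager_secret" "db_password" {
  secret_id = "socialmedia-db-password"
  replication {
    auto {}
  }
  depends_on = [google_project_service.secretmanager]
}

resource "google_secret_manager_secret" "jwt_key" {
  secret_id = "socialmedia-jwt-key"
  replication {
    auto {}
  }
  depends_on = [google_project_service.secretmanager]
}

# Dedicated runtime identity instead of the project's default compute service
# account, so the grants below are scoped to this service and these two secrets.
resource "google_service_account" "run" {
  account_id   = "socialmedia-run"
  display_name = "Cloud Run runtime identity for socialmedia"
}

# Least privilege: secretAccessor on each secret, not project-wide.
resource "google_secret_manager_secret_iam_member" "db_password_access" {
  secret_id = google_secret_manager_secret.db_password.id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.run.email}"
}

resource "google_secret_manager_secret_iam_member" "jwt_key_access" {
  secret_id = google_secret_manager_secret.jwt_key.id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.run.email}"
}

resource "google_cloud_run_service" "run" {
  name     = "socialmedia"
  location = "us-central1"

  template {
    spec {
      # Run as the dedicated identity granted above.
      service_account_name = google_service_account.run.email
      containers {
        image = "gcr.io/${var.project_name}/socialmedia:latest"
        ports {
          container_port = 5000
        }
        env {
          name  = "ENV"
          value = "production"
        }
        # Only secret *names* reach the container; the app resolves
        # "<name>/versions/latest" at startup with the Secret Manager client.
        env {
          name  = "DB_PASSWORD_SECRET"
          value = google_secret_manager_secret.db_password.id
        }
        env {
          name  = "JWT_KEY_SECRET"
          value = google_secret_manager_secret.jwt_key.id
        }
        # Non-secret connection parameters stay here; the app inserts the
        # password it fetched from Secret Manager.
        env {
          name  = "DB_URL"
          value = "postgresql://${var.database_user}@/socialmedia?host=/cloudsql/${google_sql_database_instance.instance.connection_name}"
        }
      }
    }
    # Cloud SQL connection annotation belongs under template, as in the fix above.
    metadata {
      annotations = {
        "run.googleapis.com/cloudsql-instances" = google_sql_database_instance.instance.connection_name
      }
    }
  }

  # Don't roll out a revision before its identity can read the secrets.
  depends_on = [
    google_secret_manager_secret_iam_member.db_password_access,
    google_secret_manager_secret_iam_member.jwt_key_access,
  ]
}
```

After `terraform apply`, add the real values as versions outside of Terraform, for example `gcloud secrets versions add socialmedia-db-password --data-file=-` reading the value from stdin, so that neither the tfvars file nor the state file ever contains them. Two caveats: the `google_sql_user` resource from the question still takes the password as an argument and will store it in state, so that resource needs the same treatment (for example a separately managed user) if point 1 of the answer matters to you; and the `google` provider's `env` block also supports `value_from { secret_key_ref { ... } }`, which has Cloud Run inject the secret value itself, but that reintroduces the value as a plain environment variable in the container, which is exactly point 2 above.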
