Merge branch 'remove-beta-launch-stage' into 'master'

Do not enable BETA launch-stage for referencing secrets Closes #33 See merge request !45

Merge branch 'remove-beta-launch-stage' into 'master'
Do not enable BETA launch-stage for referencing secrets Closes #33 See merge request !45
8a4aade6 · Robin Goodall · c065daf1 · 00bb3974 · 8a4aade6 · 8a4aade6
Commit 8a4aade6 authored 2 years ago by Robin Goodall
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## [4.1.4] - 2022-03-21
+### Added
+ - Remove Beta launch stage flag that was required for referencing Secret Manager
+   secrets. See https://cloud.google.com/run/docs/release-notes#November_09_2021
+
 ## [4.1.3] - 2022-01-24
 ### Added
 - Add a monitoring dashboard, defined in ./dashboard.json, for the Cloud Run service.

--- a/README.md
+++ b/README.md
@@ -121,8 +121,6 @@ is likely to be whitelisted within firewall configuration that lives outside of
 Secret Manager secrets can be as environment variables or volume mounts (files) in the 
 running container.

-At time of writing, this requires Cloud Run to run as BETA.
-
 The service account that Cloud Run runs as needs access to the secrets for this feature to work.
 Thus, this module gives `secretAccessor` role to that service account for the secrets passed on
 `secrets_volume` and `secrets_envars`.

--- a/locals.tf
+++ b/locals.tf
@@ -39,12 +39,6 @@ locals {
    load-balancer = "internal-and-cloud-load-balancing"
  }, var.ingress_style, var.allowed_ingress)

-  # Do we need to enable the 'beta' launch stage - only required if certain beta
-  # functionality is being used, or if `enable_beta_launch_stage` is set downstream.
-  enable_beta_launch_stage = (
-    var.enable_beta_launch_stage || length(var.secrets_volume) != 0 || length(var.secrets_envars) != 0
-  )
-
  # Whether we should monitor the custom domain - only possible if there are a dns names
  # set and unauthenticated invocation is enabled.
  can_monitor_custom_dns = length(local.dns_names) > 0 && var.allow_unauthenticated_invocations

--- a/main.tf
+++ b/main.tf
@@ -44,7 +44,7 @@ resource "google_cloud_run_service" "webapp" {
      },

      # Add the beta launch stage if required.
-      local.enable_beta_launch_stage ? {
+      var.enable_beta_launch_stage ? {
        # Required to be able to set ingress type and secrets volume mounts
        "run.googleapis.com/launch-stage" : "BETA",
      } : {},
@@ -184,7 +184,7 @@ resource "google_cloud_run_service" "webapp" {
      # These are only changed when "run.googleapis.com/launch-stage" is "BETA".
      # It's non-trivial to make ignore_changes dependent on input variables so
      # we always ignore these annotations even if, strictly speaking, we only
-      # need to do so is local.enable_beta_launch_stage is true.
+      # need to do so is var.enable_beta_launch_stage is true.
      metadata[0].annotations["serving.knative.dev/creator"],
      metadata[0].annotations["serving.knative.dev/lastModifier"],