Support secrets from other projects
If secrets used for environment variables or volumes are defined in another project, one needs to define secret aliases in order to actually add them to Cloud Run services:
- Add a `run.googleapis.com/secrets` annotation of the form `secret1:projects/{{project}}/secrets/{{secret}},secret2:projects/{{project}}/secrets/{{secret}}`
- Use the alias (i.e. `secret1` or `secret2`) as the "id" of the secret
We can manually add the `run.googleapis.com/secrets` annotation, but adding the secrets to `secrets_envars` or `secrets_volumes` fails because the module tries to add IAM permissions for the secrets and uses the alias name instead of the actual secret.
Add a new `secret_aliases` variable which maps from alias name to external secret specs. When an alias name is used in `secrets_envars` or `secrets_volumes`, set IAM permissions on that secret. Perhaps also have some way to disable setting IAM permissions for complex cases?
E.g., in the example above, this might look like:
```hcl
# Default web-application.
module "webapp" {
  source  = "gitlab.developers.cam.ac.uk/uis/gcp-cloud-run-app/devops"
  version = "<9.0.0"

  # ...

  secret_aliases = {
    secret1 = {
      project = "..."
      name    = "..."
    }
  }

  secrets_envars = [
    # An environment variable set from a secret local to the project.
    {
      name    = "VAR1"
      version = "latest"
      id      = module.my_secret.secret_id
    },
    # An environment variable set from an external secret (referenced by alias).
    {
      name    = "VAR2"
      version = "latest"
      id      = "secret1"
    }
  ]
}
```
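As an added sketch of how the module could implement this (this is not the module's actual code): aliases are resolved to full secret paths once, the annotation value is built from them, and the IAM grant is made on the resolved path rather than on the alias. It assumes `var.project`, a `google_service_account.webapp` resource, that `secrets_volumes` entries also carry an `id`, and a hypothetical `grant_secret_access` switch for the complex cases mentioned above.

```hcl
# Hypothetical sketch, not the module's own code.
variable "secret_aliases" {
  description = "Alias => external secret (project, name)."
  type        = map(object({ project = string, name = string }))
  default     = {}
}

variable "grant_secret_access" {
  description = "Set to false to manage secret IAM outside the module."
  type        = bool
  default     = true
}

locals {
  # alias => projects/<project>/secrets/<name>
  external_secrets = {
    for alias, spec in var.secret_aliases :
    alias => "projects/${spec.project}/secrets/${spec.name}"
  }

  # Value for the run.googleapis.com/secrets annotation, e.g.
  # "secret1:projects/p/secrets/s,secret2:projects/q/secrets/t"
  secrets_annotation = join(",", [
    for alias, path in local.external_secrets : "${alias}:${path}"
  ])

  # Every secret id referenced by env vars or volumes (assumes both
  # lists carry an "id" attribute, as in the example above).
  referenced_ids = toset(concat(
    [for s in var.secrets_envars : s.id],
    [for v in var.secrets_volumes : v.id]
  ))

  # Alias => full external path; anything else is a secret in this
  # project. The IAM grant must use this, never the bare alias.
  iam_targets = {
    for id in local.referenced_ids :
    id => lookup(local.external_secrets, id, "projects/${var.project}/secrets/${id}")
  }
}

resource "google_secret_manager_secret_iam_member" "accessor" {
  for_each  = var.grant_secret_access ? local.iam_targets : {}
  secret_id = each.value
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.webapp.email}"
}
```

Grants on external secrets are created in the secret's own project, so the identity running Terraform needs permission to set IAM policy there; that is the case where turning `grant_secret_access` off and handling IAM separately makes sense.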