Support secrets from other projects

If secrets used for environment variables or volumes are defined in another project, one needs to define secret aliases in order to actually add them to Cloud Run services:

  • Add a run.googleapis.com/secrets annotation of the form secret1:projects/{{project}}/secrets/{{secret}},secret2:projects/{{project}}/secrets/{{secret}}
  • Use the alias (i.e. secret1 or secret2) as the "id" of the secret

We can manually add the run.googleapis.com/secrets annotation, but adding the secrets to secrets_envars or secrets_volumes fails because the module tries to add IAM permissions for the secrets and uses the alias name instead of the actual secret name.

Add a new secret_aliases variable which maps from alias name to external secret specs. When an alias name is used in secrets_envars or secrets_volumes, set IAM permissions on the secret the alias resolves to. Perhaps also have some way to disable setting IAM permissions for complex cases?

E.g., in the example above, this might look like:

# Default web-application.
module "webapp" {
  source  = "gitlab.developers.cam.ac.uk/uis/gcp-cloud-run-app/devops"
  version = "<9.0.0"

  # ...

  secret_aliases = {
    secret1 = {
      project = "..."
      name    = "..."
    }
  }

  secrets_envars = [
    # An environment variable set from a secret local to the project.
    {
      name    = "VAR1"
      version = "latest"
      id      = module.my_secret.secret_id
    },
    # An environment variable set from an external secret (via its alias).
    {
      name    = "VAR2"
      version = "latest"
      id      = "secret1"
    }
  ]
}
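One way the module could implement the proposal, shown here as an added example rather than the module's own code: the alias map is rendered into the run.googleapis.com/secrets annotation value, and IAM bindings are created on the resolved secret rather than on the alias name. The variable names var.project and var.grant_secret_access, the service account google_service_account.webapp, and the assumption that secrets_envars and secrets_volumes entries carry an "id" attribute are all assumptions for this example.

```hcl
# Added example, not the module's code. Assumed: var.project (the module's own
# GCP project), google_service_account.webapp, and that every entry in
# var.secrets_envars / var.secrets_volumes has an "id" attribute.

variable "secret_aliases" {
  description = "Map of alias name to the external secret it refers to."
  type = map(object({
    project = string
    name    = string
  }))
  default = {}
}

variable "grant_secret_access" {
  description = "Set to false to manage secret IAM bindings outside the module."
  type        = bool
  default     = true
}

locals {
  # Annotation value: "secret1:projects/P/secrets/S,secret2:projects/P/secrets/S"
  secret_aliases_annotation = join(",", [
    for alias, spec in var.secret_aliases :
    "${alias}:projects/${spec.project}/secrets/${spec.name}"
  ])

  # Every secret id referenced by env vars or volumes, de-duplicated.
  referenced_secret_ids = toset([
    for s in concat(var.secrets_envars, var.secrets_volumes) : s.id
  ])

  # Resolve each id: an alias maps to the external project/secret; any other
  # id is treated as a secret in the current project. Empty when IAM
  # management is disabled for complex cases.
  secret_iam_targets = {
    for id in local.referenced_secret_ids : id => (
      contains(keys(var.secret_aliases), id)
      ? { project = var.secret_aliases[id].project, secret = var.secret_aliases[id].name }
      : { project = var.project, secret = id }
    ) if var.grant_secret_access
  }
}

# Grant the service account access to the real secret, not the alias.
resource "google_secret_manager_secret_iam_member" "webapp" {
  for_each  = local.secret_iam_targets
  project   = each.value.project
  secret_id = each.value.secret
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.webapp.email}"
}
```

local.secret_aliases_annotation is then placed on the revision template as the run.googleapis.com/secrets annotation; with grant_secret_access = false the caller is responsible for the bindings.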