# variables.tf defines inputs for the module
variable "project" {
description = "Project containing the webapp."
}
variable "name" {
description = "Prefix used for form resource names"
default = "webapp"
}
variable "sql_instance_project" {
description = "Project containing SQL instance. Defaults to var.project."
default = ""
}
variable "sql_instance_connection_name" {
description = "SQL instance connection name"
default = ""
}
variable "enable_pre_deploy_job" {
description = <<EOI
Configure a Cloud Run Job to be executed *before* the main Cloud Run service is deployed. This is useful for running
database migrations among other things.
EOI
type = bool
default = false
}
variable "trigger_pre_deploy_job" {
description = <<EOI
When true, the pre-deploy Cloud Run job is executed via a null_resource-triggered gcloud command whenever Terraform
detects that var.image_name has changed.
EOI
type = bool
default = true
}
variable "force_pre_deploy_job" {
description = <<EOI
When true, and only when used in addition to var.trigger_pre_deploy_job, the pre-deploy Cloud Run job is executed at
every terraform apply, regardless of the status of var.image_name. This is sometimes useful for development
environments where the "latest" tag is deployed, as without this the pre-deploy command would never run. For staging
and production environments this should never be required as the var.image_name should change with each
release/deployment of an application.
EOI
type = bool
default = false
}
variable "pre_deploy_job_image_name" {
description = <<EOI
Specify the URL of a container image to use for the pre-deploy Cloud Run job. By default the var.image_name URL is used
(see locals.tf).
EOI
type = string
default = null
}
variable "pre_deploy_job_command" {
description = "The command to run in the pre-deploy Cloud Run job."
type = list(string)
default = null
}
variable "pre_deploy_job_args" {
description = "Arguments supplied to the command in the pre-deploy Cloud Run job."
type = list(string)
default = null
}
variable "grant_sql_client_role_to_webapp_sa" {
description = <<EOI
When set to true the 'roles/cloudsql.client' role will be granted to the
webapp service account at the project level to allow it to connect to Cloud SQL.
EOI
type = bool
default = false
}
variable "cloud_run_region" {
description = "Override region used to create Cloud Resources"
default = ""
}
variable "environment_variables" {
description = "Environment variables which should be set on the service. Map from name to value."
default = {}
}
variable "min_scale" {
description = <<EOI
Minimum number of auto-scaled instances. Defaults to 0, thus, the container will stop
if it doesn't receive requests for a period of time and the following request will make
the container start from cold.
This should be carefully considered for containers that take a significant amount of
time starting from cold.
EOI
default = 0
}
variable "max_scale" {
description = "Maximum number of auto-scaled instances. For a container with N-workers, maxScale should be less than 1/N of the maximum connection count for the Cloud SQL instance."
}
variable "container_concurrency" {
description = "Maximum number of concurrent requests to an instance before it is auto-scaled. Defaults to 80 which is the maximum that Cloud Run allows"
default = "80"
}
variable "cpu_limit" {
description = "CPU limit for the deployed container. Defaults to 1 CPU, '1000m'."
default = "1000m"
}
variable "memory_limit" {
description = "Memory limit for the deployed container. Defaults to 512 MB, '512M'."
default = "512M"
}
variable "timeout_seconds" {
description = "The maximum duration, in seconds, the instance is allowed for responding to a request. Default to 300. Maximum is 900."
default = 300
}
variable "allow_unauthenticated_invocations" {
description = <<EOI
If true, the webapp will allow unauthenticated invocations. If false, the webapp requires authentication
as a Google user with the Cloud Run invoker permission on the deployment.
EOI
type = bool
default = true
}
variable "ingress_style" {
type = string
default = "domain-mapping"
description = "Whether to configure a load balancer or create a domain mapping"
validation {
condition = contains(["domain-mapping", "load-balancer"], var.ingress_style)
error_message = "Ingress style must be one of 'domain-mapping' or 'load-balancer'."
}
}
variable "dns_name" {
default = ""
description = <<EOI
Deprecated: use the dns_names variable instead.
If non-empty, var.dns_names will be ignored.
If non-empty, a domain mapping will be created for the webapp from this host
to point to the webapp or a load balancer will be created for this host depending
on the value of the ingress_style variable.
The domain must first have been verified by Google and the account being used by
the google provider must have been added as an owner.
If and only if a domain mapping has been created, the
"domain_mapping_present" output will be true.
If a domain mapping or load balancer has been created, the "dns_resource_records"
output contains the appropriate DNS records.
EOI
}
variable "dns_names" {
type = list(any)
default = []
description = <<EOI
List of DNS names for web application. Note that no records are created,
the records to be created can be found in the dns_resource_records output.
Ignored if var.dns_name is non-empty.
EOI
}
variable "use_ssl_certificates" {
type = bool
default = false
description = <<EOI
Whether to use the custom TLS certs in var.ssl_certificates for the load balancer
or the Google-managed certs for the specified var.dns_names.
EOI
}
variable "ssl_certificates" {
type = list(any)
default = []
description = <<EOI
A list of self-links to any custom TLS certificates to add to the load balancer.
Requires that var.ingress_style be "load-balancer". The self-link is available as
the "self_link" attribute of "google_compute_ssl_certificate" resources.
EOI
}
variable "ssl_policy" {
type = string
default = null
description = <<EOI
By default, the google_compute_ssl_policy.default SSL policy is applied to the load balancer in load_balancer.tf.
This sets the SSL profile to MODERN and restricts TLS to >= 1.2. If a different SSL policy is required, it should be
created outside of this module and its ID passed through using this variable.
EOI
}
variable "enable_ipv6" {
type = bool
default = false
description = "Whether to enable IPv6 address on the CDN load-balancer."
}
variable "create_ipv6_address" {
type = bool
default = false
description = "Allocate an IPv6 address to the load balancer if var.enable_ipv6 is true."
}
variable "service_account_id" {
default = ""
description = <<EOI
A service account is always created for the web application. If non-empty this
variable overrides the default service account id. The default id is formed
from the "name" variable value with "-run" appended.
EOI
}
variable "service_account_display_name" {
default = ""
description = <<EOI
If non-empty, override the default display name of the webapp service account.
EOI
}
variable "alerting_email_address" {
default = ""
type = string
description = <<EOT
Email address for basic uptime alerts. If empty (the default) no alerting will be configured.
Otherwise note that the project must be in a Stackdriver monitoring workspace and this must be
configured manually (no terraform support).
EOT
}
variable "alert_notification_channels" {
default = []
type = list(string)
description = <<EOT
Optional. A list of notification channel IDs to send uptime alerts to. The format for the channel IDs should
be "projects/[PROJECT_ID]/notificationChannels/[CHANNEL_ID]".
EOT
}
variable "alerting_uptime_timeout" {
default = "30s"
type = string
description = "timeout for http polling"
}
variable "alerting_uptime_period" {
type = string
default = "300s"
description = "Frequency of uptime checks"
}
variable "alerting_success_threshold_percent" {
type = number
default = 75
description = <<EOT
If the percentage of successful uptime checks within the given uptime period falls below
this, an alert will be triggered. Set to 100 to trigger an alert if any uptime check fails,
set to a lower number to tolerate failures without alerting.
Experience has taught us that uptime checks can fail semi-regularly due to transient
problems outside our control, therefore we allow some leeway before triggering an alert.
EOT
}
variable "alerting_enabled" {
type = bool
default = true
description = "Whether alerting policy is enabled"
}
variable "monitoring_path" {
type = string
default = "/"
description = "path component of url to be monitored"
}
variable "allowed_ingress" {
default = "all"
description = <<EOL
Specify the allowed ingress to the service. Should be one of:
"all", "internal" or "internal-and-cloud-load-balancing".
If var.ingress_style == "load-balancer", the provided var.allowed_ingress will be ignored
and the allowed ingress will be set automatically to "internal-and-cloud-load-balancing".
Setting this to a value other than "all" implies that the service will be
moved to the "beta" launch stage. See
https://cloud.google.com/run/docs/troubleshooting#launch-stage-validation.
EOL
}
variable "service_annotations" {
type = map(string)
default = {}
description = <<EOL
Map containing additional annotations to be added to the Cloud Run service
itself.
EOL
}
variable "template_annotations" {
type = map(string)
default = {}
description = <<EOL
Map containing additional annotations to be added to the Cloud Run service
template.
EOL
}
variable "enable_beta_launch_stage" {
default = false
description = "Force use of the 'BETA' launch stage for the service."
}
variable "disable_monitoring" {
default = false
description = <<-EOL
Optional. If true, do not create uptime checks. This is useful if, for
example, the service is configured to require authenticated invocations.
Note that this is different from not specifying an alerting email address.
If no alerting email address is specified the uptime checks are still
created, they just don't alert if they fail.
EOL
}
variable "create_monitoring_dashboard" {
type = bool
default = false
description = <<-EOL
Optional. Determines whether to create the monitoring dashboard defined in ./dashboard.json
for the provisioned Cloud Run service. Defaults to false.
EOL
}
variable "enable_static_egress_ip" {
default = false
type = bool
description = <<-EOL
Whether to assign a static ip for egress from this cloud run instance. If enabled the
service "vpcaccess.googleapis.com" must also be enabled on the project.
EOL
}
variable "static_egress_ip_cidr_range" {
default = "10.124.0.0/28"
description = "The cidr range used to create a subnet that this cloud run will use if assigned a static ip"
}
variable "min_ports_per_vm" {
default = 64
type = number
description = <<-EOL
When using Cloud NAT to provide an egress route, Cloud NAT's minimum ports per VM
can be configured to determine how many concurrent connections can be established
to the same destination IP address and port.
EOL
}
variable "auth_proxy_egress_connector" {
type = string
default = ""
description = <<-EOL
When an auth proxy Function is created for uptime check of internal services, a VPC connector
should be provided to route the Function's egress traffic through it to reach the webapp
Cloud Run service.
If static IP is enabled, its configured VPC connector will be used instead.
EOL
}
variable "secrets_volume" {
type = list(object({
name = string # name of the file that is going to be mounted
path = string # name of the directory of the volume mount. e.g. "/secrets". Must be unique for each secret.
id = string # id of the GCP Cloud Secret Manager secret
version = string # version of the GCP Cloud Secret Manager secret, defaults to "latest" if empty
}))
default = []
description = <<-EOL
Optional. If containing a list of maps specifying a Secret Manager secret ID,
a name and a secret version, will create named files from the secrets.
EOL
}
variable "secrets_envars" {
type = list(object({
name = string # name of the environment variables
id = string # id of the GCP Cloud Secret Manager secret
version = string # version of the GCP Cloud Secret Manager secret, defaults to "latest" if empty
}))
default = []
description = <<-EOL
Optional. If containing a list of maps specifying a Secret Manager secret ID,
a name and a secret version, will create named environment variables from the
secrets.
EOL
}
variable "image_name" {
type = string
description = "The URL of the container image to be deployed."
validation {
condition = length(var.image_name) > 0
error_message = "The image_name value must be a valid URL to a container image."
}
}