這個 Terraform 範例完整展示如何建立 Cloud SQL 執行個體,並將驗證資訊儲存在 Secret Manager 中,以及如何使用這些密鑰設定 Cloud Run 執行個體
程式碼範例
Terraform
如要瞭解如何套用或移除 Terraform 設定,請參閱「基本 Terraform 指令」。 詳情請參閱 Terraform供應商參考說明文件。
data "google_project" "project" {
}
# Enable Secret Manager API
resource "google_project_service" "secretmanager_api" {
service = "secretmanager.googleapis.com"
disable_on_destroy = false
}
# Enable SQL Admin API
resource "google_project_service" "sqladmin_api" {
service = "sqladmin.googleapis.com"
disable_on_destroy = false
}
# Enable Cloud Run API
resource "google_project_service" "cloudrun_api" {
service = "run.googleapis.com"
disable_on_destroy = false
}
# Creates SQL instance (~15 minutes to fully spin up)
resource "google_sql_database_instance" "default" {
name = "mysql-instance-1"
region = "us-central1"
database_version = "MYSQL_8_0"
root_password = "abcABC123!"
settings {
tier = "db-f1-micro"
password_validation_policy {
min_length = 6
complexity = "COMPLEXITY_DEFAULT"
reuse_interval = 2
disallow_username_substring = true
enable_password_policy = true
}
}
# set `deletion_protection` to true, will ensure that one cannot accidentally delete this instance by
# use of Terraform whereas `deletion_protection_enabled` flag protects this instance at the GCP level.
deletion_protection = false
depends_on = [google_project_service.sqladmin_api]
}
# Create dbuser secret
resource "google_secret_manager_secret" "dbuser" {
secret_id = "dbusersecret"
replication {
auto {}
}
depends_on = [google_project_service.secretmanager_api]
}
# Attaches secret data for dbuser secret
resource "google_secret_manager_secret_version" "dbuser_data" {
secret = google_secret_manager_secret.dbuser.id
secret_data = "secret-data" # Stores secret as a plain txt in state
}
# Update service account for dbuser secret
resource "google_secret_manager_secret_iam_member" "secretaccess_compute_dbuser" {
secret_id = google_secret_manager_secret.dbuser.id
role = "roles/secretmanager.secretAccessor"
member = "serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com" # Project's compute service account
}
# Create dbpass secret
resource "google_secret_manager_secret" "dbpass" {
secret_id = "dbpasssecret"
replication {
auto {}
}
depends_on = [google_project_service.secretmanager_api]
}
# Attaches secret data for dbpass secret
resource "google_secret_manager_secret_version" "dbpass_data" {
secret = google_secret_manager_secret.dbpass.id
secret_data = "secret-data" # Stores secret as a plain txt in state
}
# Update service account for dbpass secret
resource "google_secret_manager_secret_iam_member" "secretaccess_compute_dbpass" {
secret_id = google_secret_manager_secret.dbpass.id
role = "roles/secretmanager.secretAccessor"
member = "serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com" # Project's compute service account
}
# Create dbname secret
resource "google_secret_manager_secret" "dbname" {
secret_id = "dbnamesecret"
replication {
auto {}
}
depends_on = [google_project_service.secretmanager_api]
}
# Attaches secret data for dbname secret
resource "google_secret_manager_secret_version" "dbname_data" {
secret = google_secret_manager_secret.dbname.id
secret_data = "secret-data" # Stores secret as a plain txt in state
}
# Update service account for dbname secret
resource "google_secret_manager_secret_iam_member" "secretaccess_compute_dbname" {
secret_id = google_secret_manager_secret.dbname.id
role = "roles/secretmanager.secretAccessor"
member = "serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com" # Project's compute service account
}
resource "google_cloud_run_v2_service" "default" {
name = "cloudrun-service"
location = "us-central1"
deletion_protection = false # set to "true" in production
template {
containers {
image = "us-docker.pkg.dev/cloudrun/container/hello:latest" # Image to deploy
# Sets a environment variable for instance connection name
env {
name = "INSTANCE_CONNECTION_NAME"
value = google_sql_database_instance.default.connection_name
}
# Sets a secret environment variable for database user secret
env {
name = "DB_USER"
value_source {
secret_key_ref {
secret = google_secret_manager_secret.dbuser.secret_id # secret name
version = "latest" # secret version number or 'latest'
}
}
}
# Sets a secret environment variable for database password secret
env {
name = "DB_PASS"
value_source {
secret_key_ref {
secret = google_secret_manager_secret.dbpass.secret_id # secret name
version = "latest" # secret version number or 'latest'
}
}
}
# Sets a secret environment variable for database name secret
env {
name = "DB_NAME"
value_source {
secret_key_ref {
secret = google_secret_manager_secret.dbname.secret_id # secret name
version = "latest" # secret version number or 'latest'
}
}
}
volume_mounts {
name = "cloudsql"
mount_path = "/cloudsql"
}
}
volumes {
name = "cloudsql"
cloud_sql_instance {
instances = [google_sql_database_instance.default.connection_name]
}
}
}
client = "terraform"
depends_on = [google_project_service.secretmanager_api, google_project_service.cloudrun_api, google_project_service.sqladmin_api]
}後續步驟
如要搜尋及篩選其他 Google Cloud 產品的程式碼範例,請參閱Google Cloud 範例瀏覽器。