Cloud Run it's recreating all the secret environment variables when adding/removing a secret env #10634
Comments
I am facing the same during plans, not even adding or removing env vars.
I had the same issue with Terraform 1.3.3 and GCP provider 4.41.0. Only env var with secrets are affected by the delete/add issue. It looks like the issue is in the Terraform SDK

```hcl
env {
  name  = "ABC_SOME_SECRET_01"
  value = ""
  value_from {
    secret_key_ref {
      name = google_secret_manager_secret.some_secret_01.secret_id
      key  = "latest"
    }
  }
}
```
for me it is fixed with It looks it is fixed by using https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_service
I believe this is a duplicate of #9175
Any update here? This is still an ongoing issue. Considering when you have 2 dynamic env blocks one for environment variables and one for environment secrets the following behavior takes place. If you add a new variable in the first dynamic block, the environment variables, then the plan shows all the secrets from the second dynamic block being deleted and recreated. I have:

```hcl
env_vars = {
  MY_ENV_VAR1 = "MY_VALUE1"
  MY_ENV_VAR2 = "MY_VALUE2"
}
env_secrets = ["MY_SECRET_KEY1", "MY_SECRET_KEY2"]
```

The env blocks look like this:

```hcl
# Plain environment variables: one env block per map entry
dynamic "env" {
  for_each = var.env_vars
  content {
    name  = env.key
    value = env.value
  }
}
# Secret-backed environment variables: one env block per secret name
dynamic "env" {
  for_each = toset(var.env_secrets)
  content {
    name = env.key
    value_source {
      secret_key_ref {
        secret  = google_secret_manager_secret.this[env.key].secret_id
        version = "latest"
      }
    }
  }
}
```

Adding a new env var like this

```hcl
env_vars = {
  MY_ENV_VAR1 = "MY_VALUE1"
  MY_ENV_VAR2 = "MY_VALUE2"
  MY_ENV_VAR3 = "MY_VALUE3"
}
```

causes changes where the plan looks like this:

```
  ~ resource "google_cloud_run_v2_service" "this" {
        id = "projects/project/locations/location/services/service"
        name = "service"
        # (2 7unchanged attributes hidden)
      ~ template {
            # (7 unchanged attributes hidden)
          ~ containers {
                name = "service-1"
                # (4 unchanged attributes hidden)
              - env {
                  - name = "MY_SECRET_KEY1" -> null
                  - value_source {
                      - secret_key_ref {
                          - secret = "MY_SECRET_KEY1" -> null
                          - version = "latest" -> null
                        }
                    }
                }
              - env {
                  - name = "MY_SECRET_KEY2" -> null
                  - value_source {
                      - secret_key_ref {
                          - secret = "MY_SECRET_KEY2" -> null
                          - version = "latest" -> null
                        }
                    }
                }
              + env {
                  + name = "MY_SECRET_KEY1"
                  + value_source {
                      + secret_key_ref {
                          + secret = "MY_SECRET_KEY1"
                          + version = "latest"
                        }
                    }
                }
              + env {
                  + name = "MY_ENV_VAR3"
                  + value = "MY_VALUE3"
                }
              + env {
                  + name = "MY_SECRET_KEY2"
                  + value_source {
                      + secret_key_ref {
                          + secret = "MY_SECRET_KEY2"
                          + version = "latest"
                        }
                    }
                }
                # (2 unchanged blocks hidden)
            }
            # (3 unchanged blocks hidden)
        }
        # (1 unchanged block hidden)
    }
```
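A plan this noisy makes it hard to review whether any secret binding really changed. The following added example (not from the thread or the provider) compares the `env` entries in the JSON plan by name instead of by list position; the sample plan is constructed from the placeholder names in the comment above and assumes a single container with unique env names.

```python
import json

def _secret(name):  # constructed helper: env entry backed by Secret Manager
    ref = {"secret": name, "version": "latest"}
    return {"name": name, "value": None, "value_source": [{"secret_key_ref": [ref]}]}

def _plain(name, value):  # constructed helper: literal env entry
    return {"name": name, "value": value, "value_source": []}

def _state(env):  # nested blocks are lists of objects in the JSON plan
    return {"template": [{"containers": [{"env": env}]}]}

_OLD = [_plain("MY_ENV_VAR1", "MY_VALUE1"), _plain("MY_ENV_VAR2", "MY_VALUE2"),
        _secret("MY_SECRET_KEY1"), _secret("MY_SECRET_KEY2")]
# Constructed slice of `terraform show -json` output for the plan in the thread.
SAMPLE_PLAN = {"resource_changes": [{
    "address": "google_cloud_run_v2_service.this",
    "type": "google_cloud_run_v2_service",
    "change": {"before": _state(_OLD),
               "after": _state(_OLD[:2] + [_plain("MY_ENV_VAR3", "MY_VALUE3")] + _OLD[2:])},
}]}

def env_by_name(state):
    """Map env name -> canonical JSON of the entry, ignoring list position."""
    out = {}
    for tmpl in (state or {}).get("template") or []:
        for container in tmpl.get("containers") or []:
            for entry in container.get("env") or []:
                out[entry["name"]] = json.dumps(entry, sort_keys=True)
    return out

def classify_env_changes(plan):
    """Per service address, list env names added, removed, changed or unchanged."""
    report = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "google_cloud_run_v2_service":
            continue
        before = env_by_name(rc["change"].get("before"))
        after = env_by_name(rc["change"].get("after"))
        common = before.keys() & after.keys()
        report[rc["address"]] = {
            "added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys()),
            # Values unknown until apply are omitted from "after", so they land here.
            "changed": sorted(n for n in common if before[n] != after[n]),
            "unchanged": sorted(n for n in common if before[n] == after[n]),
        }
    return report

if __name__ == "__main__":
    print(json.dumps(classify_env_changes(SAMPLE_PLAN), indent=2))
```

On a real plan, load the output of `terraform show -json plan.out` with `json.load` and pass it to `classify_env_changes`.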
This is a serious pain
Terraform Version
Terraform v1.0.11
google-beta ~> 3.90
google ~>3.90
Affected Resource(s)
google_cloud_run
Terraform Configuration Files
Where `var.secret_environment_variables` takes this form
and `var.container.envs`
Expected Behavior
When removing the `"terraform-secret-1" = "SECRET_1"` value from `var.secret_environment_variables`, Cloud Run will need only to remove the environment variable related to that secret
Actual Behavior
It needs to remove all the current secret env variables, and recreate them again except the one that is removed, that it's marked as removed
Steps to Reproduce
References