Updating Cloud Run instances when a secret is updated



On GCP, I use Cloud Run with secrets from Secret Manager injected as environment variables.

How can I efficiently update the Cloud Run instance when I update a secret?

I tried this Terraform code, without success:

// run.tf
module "cloud-run-app" {
  source  = "GoogleCloudPlatform/cloud-run/google"
  version = "~> 0.0"

  service_name          = "${local.main_project}-cloudrun"
  location              = local.region
  image                 = local.cloudrun_image
  project_id            = local.main_project
  env_vars              = local.envvars_injection
  env_secret_vars       = local.secrets_injection
  service_account_email = google_service_account.app.email
  ports                 = local.cloudrun_port

  service_annotations = {
    "run.googleapis.com/ingress" : "internal-and-cloud-load-balancing"
  }
  service_labels = {
    "env_type" = var.env_name
  }
  template_annotations = {
    "autoscaling.knative.dev/maxScale" : local.cloudrun_app_max_scale,
    "autoscaling.knative.dev/minScale" : local.cloudrun_app_min_scale,
    "generated-by" : "terraform",
    "run.googleapis.com/client-name" : "terraform"
  }

  depends_on = [
    google_project_iam_member.run_gcr,
    google_project_iam_member.app_secretmanager,
    google_secret_manager_secret_version.secrets
  ]
}

// secrets.tf
resource "google_secret_manager_secret" "secrets" {
  for_each  = local.secrets_definition
  secret_id = each.key
  replication {
    automatic = true
  }
}

resource "google_secret_manager_secret_version" "secrets" {
  for_each    = local.secrets_definition
  secret      = google_secret_manager_secret.secrets["${each.key}"].name
  secret_data = each.value
}

The trick here is to mount the secret as a volume (a file) rather than as an environment variable.

If you do that, point your secret version at the latest version, and read the file every time you need the secret content, you will read the latest version. There is no need to reload the Cloud Run instance or redeploy a revision.
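A minimal Terraform configuration that applies this, as an added example and not the original answerer's code: it uses the google_cloud_run_v2_service resource directly instead of the GoogleCloudPlatform/cloud-run module, and the secret name, service name, region, image and the app_secret_value variable are assumed placeholders (google_service_account.app is taken from the question).

```hcl
# Added example (not from the original question or answer): mount a Secret
# Manager secret into a Cloud Run service as a file pinned to "latest".
# Secret name, service name, region, image and variable are assumed.

resource "google_secret_manager_secret" "app_secret" {
  secret_id = "app-secret" # assumed name
  replication {
    automatic = true # same provider generation as the question's code
  }
}

resource "google_secret_manager_secret_version" "app_secret" {
  secret      = google_secret_manager_secret.app_secret.id
  secret_data = var.app_secret_value # assumed variable; keep the value out of source
}

# Grant read access on this one secret only (least privilege), to the
# same service account the question's module runs as.
resource "google_secret_manager_secret_iam_member" "app_secret_reader" {
  secret_id = google_secret_manager_secret.app_secret.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.app.email}"
}

resource "google_cloud_run_v2_service" "app" {
  name     = "app-cloudrun"  # assumed
  location = "europe-west1"  # assumed

  template {
    service_account = google_service_account.app.email

    volumes {
      name = "app-secret"
      secret {
        secret = google_secret_manager_secret.app_secret.secret_id
        items {
          version = "latest"     # a new version is readable without a new revision
          path    = "app-secret" # exposed as /secrets/app-secret
        }
      }
    }

    containers {
      image = "gcr.io/example/app:latest" # assumed
      volume_mounts {
        name       = "app-secret"
        mount_path = "/secrets"
      }
    }
  }

  depends_on = [google_secret_manager_secret_version.app_secret]
}
```

The application must re-open /secrets/app-secret on each use rather than caching its contents at startup; an environment-variable secret, as in the question, is only resolved when the instance starts.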
