@mikesparr
Last active May 18, 2025 21:47
Example Terraform configuration for a Cloud Run v2 service that mounts a Secret Manager secret as a `.env` file (plus the Cloud SQL volume and the least-privilege IAM grants the service needs).
# Google provider. Every resource below is created in var.project; the region
# is passed per resource via var.region rather than set here.
provider "google" {
project = var.project
}
# Look up the current project so its numeric ID can be used to build the
# Cloud Run service agent email in the locals below.
data "google_project" "current" {}
# Derive the Cloud Run service agent identity from the project number so it
# never has to be hard-coded. Google creates this agent with the fixed form
#   service-<PROJECT_NUMBER>@serverless-robot-prod.iam.gserviceaccount.com
locals {
  project_number = data.google_project.current.number

  cloud_run_service_agent = format(
    "service-%s@serverless-robot-prod.iam.gserviceaccount.com",
    data.google_project.current.number,
  )
}
# ... other resources are omitted here: the Cloud SQL instance (google_sql_database_instance.postgres), database (google_sql_database.database) and user (google_sql_user.user), plus the variable declarations (project, region, db_password, example_service_name, example_container_image) that the blocks below reference.
# Create Secret Manager secret for .env file. This is only the container;
# the actual payload lives in secret versions (see the next resource).
# `auto {}` lets Google pick the replication regions — switch to
# user_managed replication if the data must stay in specific regions.
resource "google_secret_manager_secret" "env_file" {
secret_id = "example-env"
replication {
auto {}
}
}
# Create the initial version of the secret. The rendered .env text below is the
# secret payload that Cloud Run mounts as /secrets/.env.
#
# Security notes:
# - secret_data, including DB_PASSWORD, is stored in plaintext in Terraform
#   state. Keep state in an access-controlled, encrypted remote backend and
#   declare var.db_password with `sensitive = true` so it is redacted from plan
#   output. If your provider/Terraform version supports the write-only
#   `secret_data_wo` argument, it keeps the value out of state entirely.
# - DB_SSL=false is acceptable only because DB_HOST is the Cloud SQL Unix socket
#   under /cloudsql, which the Cloud SQL connector already encrypts; do not reuse
#   these values for a direct TCP connection.
# - DB_LOGGING=true in production may write query text (and possibly row data)
#   to logs — confirm the application's logging does not leak sensitive values.
# - The `#` lines inside the heredoc are part of the secret payload (comments
#   for the dotenv parser), not HCL comments.
resource "google_secret_manager_secret_version" "env_file_version" {
secret = google_secret_manager_secret.env_file.id
secret_data = <<-EOT
DB_HOST=/cloudsql/${google_sql_database_instance.postgres.connection_name}
DB_PORT=5432
DB_NAME=${google_sql_database.database.name}
DB_USERNAME=${google_sql_user.user.name}
DB_PASSWORD=${var.db_password}
DB_SSL=false
DB_LOGGING=true
# Node environment
NODE_ENV=production
# Logging configuration
LOG_LEVEL=info
# Server configuration
PORT=8080
HOST=0.0.0.0
# ...
EOT
}
# Create a dedicated service account for the Cloud Run service. Running as a
# per-service identity instead of the default Compute Engine service account
# (which often carries broad project-level roles) keeps the grants below
# scoped to this one workload.
resource "google_service_account" "cloud_run_sa" {
account_id = "example-sa"
display_name = "Service Account for Example Cloud Run"
}
# Grant the service account read access to this one secret. The binding is
# scoped to the secret (not the project) and uses the non-authoritative
# *_iam_member resource, so it does not replace other members on the role.
# The runtime service account — not the Cloud Run service agent — is what
# needs this: Cloud Run reads the secret as the service identity when it
# mounts the volume.
resource "google_secret_manager_secret_iam_member" "cloud_run_secret_access" {
secret_id = google_secret_manager_secret.env_file.id
role = "roles/secretmanager.secretAccessor"
member = "serviceAccount:${google_service_account.cloud_run_sa.email}"
}
# Grant the service account access to Cloud SQL. roles/cloudsql.client is
# granted at project scope (Cloud SQL IAM is not per-instance), so this
# identity can open connections to every instance in the project; the actual
# database login is still gated by DB_USERNAME/DB_PASSWORD. Non-authoritative
# binding, so other members on the role are left untouched.
resource "google_project_iam_member" "cloud_run_sql_access" {
project = var.project
role = "roles/cloudsql.client"
member = "serviceAccount:${google_service_account.cloud_run_sa.email}"
}
# Grant the Cloud Run service agent access to Artifact Registry so it can pull
# var.example_container_image. Scoped to a single repository, not the project.
# NOTE(review): the repository name is hard-coded and must match the repo in
# var.example_container_image — better derived from a single variable.
# Within the same project the service agent's default role generally already
# permits image pulls, so this explicit grant matters mainly when the
# repository lives in another project — confirm for your setup.
resource "google_artifact_registry_repository_iam_member" "cloud_run_service_agent_access" {
project = var.project
location = var.region
repository = "example-docker-repo"
role = "roles/artifactregistry.reader"
member = "serviceAccount:${local.cloud_run_service_agent}"
}
# Create the Cloud Run V2 Service. It runs as the dedicated service account
# above and accepts traffic only from an internal load balancer (no public
# ingress), with the Cloud SQL socket and the .env secret mounted as volumes.
resource "google_cloud_run_v2_service" "api" {
name = var.example_service_name
location = var.region
# false lets `terraform destroy` remove the service; set to true for
# production services that must not be deleted by accident.
deletion_protection = false
ingress = "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"
template {
scaling {
max_instance_count = 10
}
# Cloud SQL Auth Proxy socket volume; mounted at /cloudsql below so the
# app's DB_HOST (/cloudsql/<connection_name>) resolves.
volumes {
name = "cloudsql"
cloud_sql_instance {
instances = [google_sql_database_instance.postgres.connection_name]
}
}
# Secret Manager secret exposed as a file; mounted at /secrets below, so the
# app reads /secrets/.env.
volumes {
name = "env-file"
secret {
secret = google_secret_manager_secret.env_file.id
# default_mode = 292 # 0444
# "latest" is resolved when an instance starts, so a rotated secret is
# picked up by new instances without a redeploy — but also without any
# Terraform-visible change. Pin to
# google_secret_manager_secret_version.env_file_version.version if each
# rollout must be reproducible and a rollback must restore the matching
# secret contents.
items {
version = "latest"
path = ".env"
}
}
}
# Runtime identity; this is the principal the IAM grants above apply to.
service_account = google_service_account.cloud_run_sa.email
containers {
image = var.example_container_image
volume_mounts {
name = "env-file"
mount_path = "/secrets"
}
volume_mounts {
name = "cloudsql"
mount_path = "/cloudsql"
}
}
}
traffic {
type = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST"
percent = 100
}
# Cloud Run validates secret and Cloud SQL access at deploy time, so the IAM
# bindings must exist before the service is created or the deploy fails.
depends_on = [
google_secret_manager_secret_iam_member.cloud_run_secret_access,
google_project_iam_member.cloud_run_sql_access,
google_artifact_registry_repository_iam_member.cloud_run_service_agent_access
]
}