fix(terraform): uncomment backend configuration for state storage in GCS #3

Merged
kedeinroga merged 3 commits into main from fix-iac
Jan 23, 2026
@kedeinroga
Owner

No description provided.

@github-actions

Terraform Format and Style 🖌 failure

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Terraform Plan 📖 success

Show Plan
google_service_account.github_actions: Refreshing state... [id=projects/radio-485022/serviceAccounts/radio-backend-sa-github@radio-485022.iam.gserviceaccount.com]
google_service_account.cloudrun: Refreshing state... [id=projects/radio-485022/serviceAccounts/radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_secret_manager_secret.secrets["jwt_public_key"]: Refreshing state... [id=projects/radio-485022/secrets/jwt-public-key]
google_project_service.apis["cloudresourcemanager.googleapis.com"]: Refreshing state... [id=radio-485022/cloudresourcemanager.googleapis.com]
google_secret_manager_secret.secrets["ad_impression_token_secret"]: Refreshing state... [id=projects/radio-485022/secrets/ad-impression-token-secret]
google_iam_workload_identity_pool.github: Refreshing state... [id=projects/radio-485022/locations/global/workloadIdentityPools/github-actions-pool]
google_secret_manager_secret.secrets["redis_url"]: Refreshing state... [id=projects/radio-485022/secrets/redis-url]
google_secret_manager_secret.secrets["database_url"]: Refreshing state... [id=projects/radio-485022/secrets/database-url]
google_secret_manager_secret.secrets["jwt_private_key"]: Refreshing state... [id=projects/radio-485022/secrets/jwt-private-key]
google_artifact_registry_repository.repository: Refreshing state... [id=projects/radio-485022/locations/us-central1/repositories/radio-backend]
google_project_service.apis["iamcredentials.googleapis.com"]: Refreshing state... [id=radio-485022/iamcredentials.googleapis.com]
google_project_service.apis["compute.googleapis.com"]: Refreshing state... [id=radio-485022/compute.googleapis.com]
google_project_service.apis["iam.googleapis.com"]: Refreshing state... [id=radio-485022/iam.googleapis.com]
google_project_service.apis["secretmanager.googleapis.com"]: Refreshing state... [id=radio-485022/secretmanager.googleapis.com]
google_project_service.apis["run.googleapis.com"]: Refreshing state... [id=radio-485022/run.googleapis.com]
google_project_service.apis["artifactregistry.googleapis.com"]: Refreshing state... [id=radio-485022/artifactregistry.googleapis.com]
google_project_iam_member.cloudrun_roles["roles/logging.logWriter"]: Refreshing state... [id=radio-485022/roles/logging.logWriter/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_project_iam_member.cloudrun_roles["roles/monitoring.metricWriter"]: Refreshing state... [id=radio-485022/roles/monitoring.metricWriter/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_project_iam_member.cloudrun_roles["roles/run.invoker"]: Refreshing state... [id=radio-485022/roles/run.invoker/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_project_iam_member.cloudrun_roles["roles/cloudtrace.agent"]: Refreshing state... [id=radio-485022/roles/cloudtrace.agent/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_project_iam_member.github_actions_roles["roles/run.admin"]: Refreshing state... [id=radio-485022/roles/run.admin/serviceAccount:radio-backend-sa-github@radio-485022.iam.gserviceaccount.com]
google_project_iam_member.github_actions_roles["roles/secretmanager.secretAccessor"]: Refreshing state... [id=radio-485022/roles/secretmanager.secretAccessor/serviceAccount:radio-backend-sa-github@radio-485022.iam.gserviceaccount.com]
google_project_iam_member.github_actions_roles["roles/artifactregistry.writer"]: Refreshing state... [id=radio-485022/roles/artifactregistry.writer/serviceAccount:radio-backend-sa-github@radio-485022.iam.gserviceaccount.com]
google_project_iam_member.github_actions_roles["roles/iam.serviceAccountUser"]: Refreshing state... [id=radio-485022/roles/iam.serviceAccountUser/serviceAccount:radio-backend-sa-github@radio-485022.iam.gserviceaccount.com]
google_service_account_iam_member.github_actions_impersonate: Refreshing state... [id=projects/radio-485022/serviceAccounts/radio-backend-sa@radio-485022.iam.gserviceaccount.com/roles/iam.serviceAccountUser/serviceAccount:radio-backend-sa-github@radio-485022.iam.gserviceaccount.com]
google_secret_manager_secret_version.secret_versions["jwt_public_key"]: Refreshing state... [id=projects/296736956418/secrets/jwt-public-key/versions/1]
google_secret_manager_secret_version.secret_versions["redis_url"]: Refreshing state... [id=projects/296736956418/secrets/redis-url/versions/1]
google_secret_manager_secret_iam_member.cloudrun_secret_access["ad_impression_token_secret"]: Refreshing state... [id=projects/radio-485022/secrets/ad-impression-token-secret/roles/secretmanager.secretAccessor/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_secret_manager_secret_version.secret_versions["jwt_private_key"]: Refreshing state... [id=projects/296736956418/secrets/jwt-private-key/versions/1]
google_secret_manager_secret_version.secret_versions["database_url"]: Refreshing state... [id=projects/296736956418/secrets/database-url/versions/1]
google_secret_manager_secret_version.secret_versions["ad_impression_token_secret"]: Refreshing state... [id=projects/296736956418/secrets/ad-impression-token-secret/versions/1]
google_secret_manager_secret_iam_member.cloudrun_secret_access["jwt_public_key"]: Refreshing state... [id=projects/radio-485022/secrets/jwt-public-key/roles/secretmanager.secretAccessor/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_secret_manager_secret_iam_member.cloudrun_secret_access["database_url"]: Refreshing state... [id=projects/radio-485022/secrets/database-url/roles/secretmanager.secretAccessor/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_secret_manager_secret_iam_member.cloudrun_secret_access["jwt_private_key"]: Refreshing state... [id=projects/radio-485022/secrets/jwt-private-key/roles/secretmanager.secretAccessor/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_secret_manager_secret_iam_member.cloudrun_secret_access["redis_url"]: Refreshing state... [id=projects/radio-485022/secrets/redis-url/roles/secretmanager.secretAccessor/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_service_account_iam_member.github_workload_identity: Refreshing state... [id=projects/radio-485022/serviceAccounts/radio-backend-sa-github@radio-485022.iam.gserviceaccount.com/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/296736956418/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/kedeinroga/radio-backend]
google_iam_workload_identity_pool_provider.github: Refreshing state... [id=projects/radio-485022/locations/global/workloadIdentityPools/github-actions-pool/providers/github-provider]
google_artifact_registry_repository_iam_member.cloudrun_reader: Refreshing state... [id=projects/radio-485022/locations/us-central1/repositories/radio-backend/roles/artifactregistry.reader/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_artifact_registry_repository_iam_member.github_actions_writer: Refreshing state... [id=projects/radio-485022/locations/us-central1/repositories/radio-backend/roles/artifactregistry.writer/serviceAccount:radio-backend-sa-github@radio-485022.iam.gserviceaccount.com]
google_cloud_run_v2_service.service: Refreshing state... [id=projects/radio-485022/locations/us-central1/services/radio-backend]
google_cloud_run_v2_service_iam_member.public_access: Refreshing state... [id=projects/radio-485022/locations/us-central1/services/radio-backend/roles/run.invoker/allUsers]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # google_cloud_run_v2_service.service will be updated in-place
  ~ resource "google_cloud_run_v2_service" "service" {
      - client                  = "gcloud" -> null
      - client_version          = "552.0.0" -> null
        id                      = "projects/radio-485022/locations/us-central1/services/radio-backend"
        name                    = "radio-backend"
        # (25 unchanged attributes hidden)

      ~ template {
            # (6 unchanged attributes hidden)

          ~ containers {
              ~ image      = "gcr.io/radio-485022/radio-backend:prod-688b0aea80f52c61b8c405aa006bb15afceac38f" -> "gcr.io/radio-485022/radio-backend:latest"
                # (3 unchanged attributes hidden)

              ~ env {
                  ~ name  = "DATABASE_URL" -> "AD_CACHE_TTL"
                  + value = "10m"

                  - value_source {
                      - secret_key_ref {
                          - secret  = "database-url" -> null
                          - version = "latest" -> null
                        }
                    }
                }
              ~ env {
                  ~ name  = "REDIS_URL" -> "AD_FRAUD_SCORE_THRESHOLD"
                  + value = "0.7"

                  - value_source {
                      - secret_key_ref {
                          - secret  = "redis-url" -> null
                          - version = "latest" -> null
                        }
                    }
                }
              ~ env {
                  ~ name  = "JWT_PRIVATE_KEY" -> "AD_FREQUENCY_CAP_DAILY"
                  + value = "30"

                  - value_source {
                      - secret_key_ref {
                          - secret  = "jwt-private-key" -> null
                          - version = "latest" -> null
                        }
                    }
                }
              ~ env {
                  ~ name  = "JWT_PUBLIC_KEY" -> "AD_FREQUENCY_CAP_HOURLY"
                  + value = "6"

                  - value_source {
                      - secret_key_ref {
                          - secret  = "jwt-public-key" -> null
                          - version = "latest" -> null
                        }
                    }
                }
              ~ env {
                  ~ name  = "AD_IMPRESSION_TOKEN_SECRET" -> "AD_IMPRESSION_TOKEN_MAX_AGE"
                  + value = "5m"

                  - value_source {
                      - secret_key_ref {
                          - secret  = "ad-impression-token-secret" -> null
                          - version = "latest" -> null
                        }
                    }
                }
              ~ env {
                  ~ name  = "ENV" -> "AD_RATE_LIMIT_REQUESTS"
                  ~ value = "production" -> "50"
                }
              ~ env {
                  ~ name  = "SERVER_PORT" -> "AD_RATE_LIMIT_WINDOW"
                  ~ value = "8080" -> "1m"
                }
              + env {
                  + name  = "ANALYTICS_BATCH_SIZE"
                  + value = "100"
                }
              + env {
                  + name  = "ANALYTICS_FLUSH_INTERVAL"
                  + value = "10s"
                }
              + env {
                  + name  = "BCRYPT_COST"
                  + value = "12"
                }
              + env {
                  + name  = "CORS_ALLOWED_HEADERS"
                  + value = "Content-Type,Authorization,X-Language,X-Request-ID"
                }
              + env {
                  + name  = "CORS_ALLOWED_METHODS"
                  + value = "GET,POST,PUT,DELETE,OPTIONS"
                }
              + env {
                  + name  = "CORS_ALLOWED_ORIGINS"
                  + value = "https://your-production-frontend.com"
                }
              + env {
                  + name  = "DEFAULT_LANGUAGE"
                  + value = "en"
                }
              + env {
                  + name  = "FEATURE_ANALYTICS"
                  + value = "true"
                }
              + env {
                  + name  = "FEATURE_PREMIUM_CONTENT"
                  + value = "true"
                }
              + env {
                  + name  = "FEATURE_VAULT_INTEGRATION"
                  + value = "false"
                }
              + env {
                  + name  = "JWT_EXPIRATION"
                  + value = "24h"
                }
              + env {
                  + name  = "JWT_REFRESH_EXPIRATION"
                  + value = "168h"
                }
              + env {
                  + name  = "LOG_FORMAT"
                  + value = "json"
                }
              + env {
                  + name  = "LOG_LEVEL"
                  + value = "info"
                }
              + env {
                  + name  = "RADIO_BROWSER_API_URL"
                  + value = "https://de1.api.radio-browser.info"
                }
              + env {
                  + name  = "RATE_LIMIT_REQUESTS"
                  + value = "100"
                }
              + env {
                  + name  = "RATE_LIMIT_WINDOW"
                  + value = "1m"
                }
              + env {
                  + name  = "SERVER_BASE_URL"
                  + value = "https://radio-backend-296736956418.us-central1.run.app"
                }
              + env {
                  + name  = "SERVER_ENV"
                  + value = "production"
                }
              + env {
                  + name  = "SERVER_HOST"
                  + value = "0.0.0.0"
                }
              + env {
                  + name  = "SERVER_PORT"
                  + value = "8080"
                }
              + env {
                  + name  = "SERVER_TIMEOUT"
                  + value = "30s"
                }
              + env {
                  + name  = "SUPPORTED_LANGUAGES"
                  + value = "en,es,fr,de"
                }
              + env {
                  + name = "DATABASE_URL"

                  + value_source {
                      + secret_key_ref {
                          + secret  = "database-url"
                          + version = "latest"
                        }
                    }
                }
              + env {
                  + name = "REDIS_URL"

                  + value_source {
                      + secret_key_ref {
                          + secret  = "redis-url"
                          + version = "latest"
                        }
                    }
                }
              + env {
                  + name = "JWT_PRIVATE_KEY"

                  + value_source {
                      + secret_key_ref {
                          + secret  = "jwt-private-key"
                          + version = "latest"
                        }
                    }
                }
              + env {
                  + name = "JWT_PUBLIC_KEY"

                  + value_source {
                      + secret_key_ref {
                          + secret  = "jwt-public-key"
                          + version = "latest"
                        }
                    }
                }
              + env {
                  + name = "AD_IMPRESSION_TOKEN_SECRET"

                  + value_source {
                      + secret_key_ref {
                          + secret  = "ad-impression-token-secret"
                          + version = "latest"
                        }
                    }
                }

              ~ resources {
                  ~ limits            = {
                      ~ "cpu"    = "1" -> "1000m"
                        # (1 unchanged element hidden)
                    }
                    # (2 unchanged attributes hidden)
                }

                # (3 unchanged blocks hidden)
            }

            # (1 unchanged block hidden)
        }

        # (1 unchanged block hidden)
    }

  # google_secret_manager_secret_version.secret_versions["redis_url"] will be updated in-place
  ~ resource "google_secret_manager_secret_version" "secret_versions" {
      ~ enabled               = false -> true
        id                    = "projects/296736956418/secrets/redis-url/versions/1"
        name                  = "projects/296736956418/secrets/redis-url/versions/1"
        # (6 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

Changes to Outputs:
  ~ infrastructure_summary               = <<-EOT
        ═══════════════════════════════════════════════════════════════
        Radio Backend Infrastructure - PRODUCTION
        ═══════════════════════════════════════════════════════════════
      -     
      + 
        📦 Project Details:
           Project ID: radio-485022
           Region:     us-central1
           Environment: production
      -     
      + 
        🚀 Cloud Run Service:
           Name:       radio-backend
           URL:        https://radio-backend-dj5vy4oxma-uc.a.run.app
           Instances:  1 - 3
           CPU:        1000m
           Memory:     512Mi
      -     
      + 
        🔐 Service Accounts:
           Cloud Run:       radio-backend-sa@radio-485022.iam.gserviceaccount.com
           GitHub Actions:  radio-backend-sa-github@radio-485022.iam.gserviceaccount.com
      -     
      + 
        📦 Artifact Registry:
           Repository: radio-backend
           URL:        us-central1-docker.pkg.dev/radio-485022/radio-backend
      -     
      + 
        🔑 Workload Identity:
           Pool:       github-actions-pool
           Provider:   github-provider
           Repository: kedeinroga/radio-backend
      -     
      + 
        🔒 Secrets (Secret Manager):
           - ad-impression-token-secret
               - database-url
               - jwt-private-key
               - jwt-public-key
               - redis-url
      -     
      + 
        ═══════════════════════════════════════════════════════════════
      -     
      + 
        📝 Next Steps:
           1. Add secret values (see 'secret_instructions' output)
           2. Configure GitHub Actions secrets
           3. Push container image to Artifact Registry
           4. Deploy application to Cloud Run
    EOT
  ~ secret_instructions                  = <<-EOT
        Secrets have been created in Secret Manager. Add values using:
      -     
      + 
        # Database URL (Supabase)
        printf "your-database-url" | gcloud secrets versions add database-url --data-file=-
      -     
      + 
        # Redis URL (Upstash)
        printf "your-redis-url" | gcloud secrets versions add redis-url --data-file=-
      -     
      + 
        # JWT Private Key
        cat keys/jwt-private.pem | gcloud secrets versions add jwt-private-key --data-file=-
      -     
      + 
        # JWT Public Key
        cat keys/jwt-public.pem | gcloud secrets versions add jwt-public-key --data-file=-
      -     
      + 
        # Ad Impression Token Secret
        printf "your-ad-token-secret" | gcloud secrets versions add ad-impression-token-secret --data-file=-
    EOT

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

Pusher: @kedeinroga, Action: pull_request

@kedeinroga kedeinroga merged commit f679acb into main Jan 23, 2026
10 checks passed