
Adjust Terraform's secret version lifecycle #6

Merged
kedeinroga merged 1 commit into main from fix-iac
Jan 24, 2026
Conversation

@kedeinroga
Owner

No description provided.

@github-actions

Terraform Format and Style 🖌 failure

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Terraform Plan 📖 success

Show Plan
google_iam_workload_identity_pool.github: Refreshing state... [id=projects/radio-485022/locations/global/workloadIdentityPools/github-actions-pool]
google_service_account.github_actions: Refreshing state... [id=projects/radio-485022/serviceAccounts/radio-backend-sa-github@radio-485022.iam.gserviceaccount.com]
google_service_account.cloudrun: Refreshing state... [id=projects/radio-485022/serviceAccounts/radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_artifact_registry_repository.repository: Refreshing state... [id=projects/radio-485022/locations/us-central1/repositories/radio-backend]
google_project_service.apis["iamcredentials.googleapis.com"]: Refreshing state... [id=radio-485022/iamcredentials.googleapis.com]
google_secret_manager_secret.secrets["database_url"]: Refreshing state... [id=projects/radio-485022/secrets/database-url]
google_project_service.apis["secretmanager.googleapis.com"]: Refreshing state... [id=radio-485022/secretmanager.googleapis.com]
google_project_service.apis["run.googleapis.com"]: Refreshing state... [id=radio-485022/run.googleapis.com]
google_project_service.apis["iam.googleapis.com"]: Refreshing state... [id=radio-485022/iam.googleapis.com]
google_secret_manager_secret.secrets["jwt_private_key"]: Refreshing state... [id=projects/radio-485022/secrets/jwt-private-key]
google_project_service.apis["artifactregistry.googleapis.com"]: Refreshing state... [id=radio-485022/artifactregistry.googleapis.com]
google_project_service.apis["cloudresourcemanager.googleapis.com"]: Refreshing state... [id=radio-485022/cloudresourcemanager.googleapis.com]
google_project_service.apis["compute.googleapis.com"]: Refreshing state... [id=radio-485022/compute.googleapis.com]
google_secret_manager_secret.secrets["jwt_public_key"]: Refreshing state... [id=projects/radio-485022/secrets/jwt-public-key]
google_secret_manager_secret.secrets["redis_url"]: Refreshing state... [id=projects/radio-485022/secrets/redis-url]
google_secret_manager_secret.secrets["ad_impression_token_secret"]: Refreshing state... [id=projects/radio-485022/secrets/ad-impression-token-secret]
google_project_iam_member.github_actions_roles["roles/secretmanager.secretAccessor"]: Refreshing state... [id=radio-485022/roles/secretmanager.secretAccessor/serviceAccount:radio-backend-sa-github@radio-485022.iam.gserviceaccount.com]
google_project_iam_member.github_actions_roles["roles/artifactregistry.writer"]: Refreshing state... [id=radio-485022/roles/artifactregistry.writer/serviceAccount:radio-backend-sa-github@radio-485022.iam.gserviceaccount.com]
google_project_iam_member.github_actions_roles["roles/iam.serviceAccountUser"]: Refreshing state... [id=radio-485022/roles/iam.serviceAccountUser/serviceAccount:radio-backend-sa-github@radio-485022.iam.gserviceaccount.com]
google_project_iam_member.github_actions_roles["roles/run.admin"]: Refreshing state... [id=radio-485022/roles/run.admin/serviceAccount:radio-backend-sa-github@radio-485022.iam.gserviceaccount.com]
google_service_account_iam_member.github_actions_impersonate: Refreshing state... [id=projects/radio-485022/serviceAccounts/radio-backend-sa@radio-485022.iam.gserviceaccount.com/roles/iam.serviceAccountUser/serviceAccount:radio-backend-sa-github@radio-485022.iam.gserviceaccount.com]
google_project_iam_member.cloudrun_roles["roles/cloudtrace.agent"]: Refreshing state... [id=radio-485022/roles/cloudtrace.agent/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_project_iam_member.cloudrun_roles["roles/logging.logWriter"]: Refreshing state... [id=radio-485022/roles/logging.logWriter/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_project_iam_member.cloudrun_roles["roles/monitoring.metricWriter"]: Refreshing state... [id=radio-485022/roles/monitoring.metricWriter/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_project_iam_member.cloudrun_roles["roles/run.invoker"]: Refreshing state... [id=radio-485022/roles/run.invoker/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_iam_workload_identity_pool_provider.github: Refreshing state... [id=projects/radio-485022/locations/global/workloadIdentityPools/github-actions-pool/providers/github-provider]
google_service_account_iam_member.github_workload_identity: Refreshing state... [id=projects/radio-485022/serviceAccounts/radio-backend-sa-github@radio-485022.iam.gserviceaccount.com/roles/iam.workloadIdentityUser/principalSet://iam.googleapis.com/projects/296736956418/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/kedeinroga/radio-backend]
google_artifact_registry_repository_iam_member.github_actions_writer: Refreshing state... [id=projects/radio-485022/locations/us-central1/repositories/radio-backend/roles/artifactregistry.writer/serviceAccount:radio-backend-sa-github@radio-485022.iam.gserviceaccount.com]
google_artifact_registry_repository_iam_member.cloudrun_reader: Refreshing state... [id=projects/radio-485022/locations/us-central1/repositories/radio-backend/roles/artifactregistry.reader/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_secret_manager_secret_version.secret_versions["jwt_public_key"]: Refreshing state... [id=projects/296736956418/secrets/jwt-public-key/versions/3]
google_secret_manager_secret_version.secret_versions["redis_url"]: Refreshing state... [id=projects/296736956418/secrets/redis-url/versions/4]
google_secret_manager_secret_version.secret_versions["database_url"]: Refreshing state... [id=projects/296736956418/secrets/database-url/versions/5]
google_secret_manager_secret_version.secret_versions["jwt_private_key"]: Refreshing state... [id=projects/296736956418/secrets/jwt-private-key/versions/3]
google_secret_manager_secret_version.secret_versions["ad_impression_token_secret"]: Refreshing state... [id=projects/296736956418/secrets/ad-impression-token-secret/versions/3]
google_secret_manager_secret_iam_member.cloudrun_secret_access["ad_impression_token_secret"]: Refreshing state... [id=projects/radio-485022/secrets/ad-impression-token-secret/roles/secretmanager.secretAccessor/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_secret_manager_secret_iam_member.cloudrun_secret_access["jwt_private_key"]: Refreshing state... [id=projects/radio-485022/secrets/jwt-private-key/roles/secretmanager.secretAccessor/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_secret_manager_secret_iam_member.cloudrun_secret_access["jwt_public_key"]: Refreshing state... [id=projects/radio-485022/secrets/jwt-public-key/roles/secretmanager.secretAccessor/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_secret_manager_secret_iam_member.cloudrun_secret_access["redis_url"]: Refreshing state... [id=projects/radio-485022/secrets/redis-url/roles/secretmanager.secretAccessor/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_secret_manager_secret_iam_member.cloudrun_secret_access["database_url"]: Refreshing state... [id=projects/radio-485022/secrets/database-url/roles/secretmanager.secretAccessor/serviceAccount:radio-backend-sa@radio-485022.iam.gserviceaccount.com]
google_cloud_run_v2_service.service: Refreshing state... [id=projects/radio-485022/locations/us-central1/services/radio-backend]
google_cloud_run_v2_service_iam_member.public_access: Refreshing state... [id=projects/radio-485022/locations/us-central1/services/radio-backend/roles/run.invoker/allUsers]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # google_cloud_run_v2_service.service will be updated in-place
  ~ resource "google_cloud_run_v2_service" "service" {
      - client                  = "gcloud" -> null
      - client_version          = "552.0.0" -> null
        id                      = "projects/radio-485022/locations/us-central1/services/radio-backend"
        name                    = "radio-backend"
        # (25 unchanged attributes hidden)

      ~ template {
            # (6 unchanged attributes hidden)

          ~ containers {
              ~ image      = "gcr.io/radio-485022/radio-backend:prod-0f3bc424b515f591ff4ca8d0ff79c071e44b63cb" -> "gcr.io/radio-485022/radio-backend:latest"
                # (3 unchanged attributes hidden)

              ~ env {
                  ~ name  = "DATABASE_URL" -> "AD_CACHE_TTL"
                  + value = "10m"

                  - value_source {
                      - secret_key_ref {
                          - secret  = "database-url" -> null
                          - version = "latest" -> null
                        }
                    }
                }
              ~ env {
                  ~ name  = "REDIS_URL" -> "AD_FRAUD_SCORE_THRESHOLD"
                  + value = "0.7"

                  - value_source {
                      - secret_key_ref {
                          - secret  = "redis-url" -> null
                          - version = "latest" -> null
                        }
                    }
                }
              ~ env {
                  ~ name  = "JWT_PRIVATE_KEY" -> "AD_FREQUENCY_CAP_DAILY"
                  + value = "30"

                  - value_source {
                      - secret_key_ref {
                          - secret  = "jwt-private-key" -> null
                          - version = "latest" -> null
                        }
                    }
                }
              ~ env {
                  ~ name  = "JWT_PUBLIC_KEY" -> "AD_FREQUENCY_CAP_HOURLY"
                  + value = "6"

                  - value_source {
                      - secret_key_ref {
                          - secret  = "jwt-public-key" -> null
                          - version = "latest" -> null
                        }
                    }
                }
              ~ env {
                  ~ name  = "AD_IMPRESSION_TOKEN_SECRET" -> "AD_IMPRESSION_TOKEN_MAX_AGE"
                  + value = "5m"

                  - value_source {
                      - secret_key_ref {
                          - secret  = "ad-impression-token-secret" -> null
                          - version = "latest" -> null
                        }
                    }
                }
              ~ env {
                  ~ name  = "ENV" -> "AD_RATE_LIMIT_REQUESTS"
                  ~ value = "production" -> "50"
                }
              ~ env {
                  ~ name  = "SERVER_PORT" -> "AD_RATE_LIMIT_WINDOW"
                  ~ value = "8080" -> "1m"
                }
              + env {
                  + name  = "ANALYTICS_BATCH_SIZE"
                  + value = "100"
                }
              + env {
                  + name  = "ANALYTICS_FLUSH_INTERVAL"
                  + value = "10s"
                }
              + env {
                  + name  = "BCRYPT_COST"
                  + value = "12"
                }
              + env {
                  + name  = "CORS_ALLOWED_HEADERS"
                  + value = "Content-Type,Authorization,X-Language,X-Request-ID"
                }
              + env {
                  + name  = "CORS_ALLOWED_METHODS"
                  + value = "GET,POST,PUT,DELETE,OPTIONS"
                }
              + env {
                  + name  = "CORS_ALLOWED_ORIGINS"
                  + value = "https://rradio.online"
                }
              + env {
                  + name  = "DEFAULT_LANGUAGE"
                  + value = "en"
                }
              + env {
                  + name  = "FEATURE_ANALYTICS"
                  + value = "true"
                }
              + env {
                  + name  = "FEATURE_PREMIUM_CONTENT"
                  + value = "true"
                }
              + env {
                  + name  = "FEATURE_VAULT_INTEGRATION"
                  + value = "false"
                }
              + env {
                  + name  = "JWT_EXPIRATION"
                  + value = "24h"
                }
              + env {
                  + name  = "JWT_REFRESH_EXPIRATION"
                  + value = "168h"
                }
              + env {
                  + name  = "LOG_FORMAT"
                  + value = "json"
                }
              + env {
                  + name  = "LOG_LEVEL"
                  + value = "info"
                }
              + env {
                  + name  = "RADIO_BROWSER_API_URL"
                  + value = "https://de1.api.radio-browser.info"
                }
              + env {
                  + name  = "RATE_LIMIT_REQUESTS"
                  + value = "100"
                }
              + env {
                  + name  = "RATE_LIMIT_WINDOW"
                  + value = "1m"
                }
              + env {
                  + name  = "SERVER_BASE_URL"
                  + value = "https://api.rradio.online"
                }
              + env {
                  + name  = "SERVER_ENV"
                  + value = "production"
                }
              + env {
                  + name  = "SERVER_HOST"
                  + value = "0.0.0.0"
                }
              + env {
                  + name  = "SERVER_PORT"
                  + value = "8080"
                }
              + env {
                  + name  = "SERVER_TIMEOUT"
                  + value = "30s"
                }
              + env {
                  + name  = "SUPPORTED_LANGUAGES"
                  + value = "en,es,fr,de"
                }
              + env {
                  + name = "DATABASE_URL"

                  + value_source {
                      + secret_key_ref {
                          + secret  = "database-url"
                          + version = "latest"
                        }
                    }
                }
              + env {
                  + name = "REDIS_URL"

                  + value_source {
                      + secret_key_ref {
                          + secret  = "redis-url"
                          + version = "latest"
                        }
                    }
                }
              + env {
                  + name = "JWT_PRIVATE_KEY"

                  + value_source {
                      + secret_key_ref {
                          + secret  = "jwt-private-key"
                          + version = "latest"
                        }
                    }
                }
              + env {
                  + name = "JWT_PUBLIC_KEY"

                  + value_source {
                      + secret_key_ref {
                          + secret  = "jwt-public-key"
                          + version = "latest"
                        }
                    }
                }
              + env {
                  + name = "AD_IMPRESSION_TOKEN_SECRET"

                  + value_source {
                      + secret_key_ref {
                          + secret  = "ad-impression-token-secret"
                          + version = "latest"
                        }
                    }
                }

              ~ resources {
                  ~ limits            = {
                      ~ "cpu"    = "1" -> "1000m"
                        # (1 unchanged element hidden)
                    }
                    # (2 unchanged attributes hidden)
                }

                # (3 unchanged blocks hidden)
            }

            # (1 unchanged block hidden)
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

Pusher: @kedeinroga, Action: pull_request

@kedeinroga kedeinroga merged commit 6a3620a into main Jan 24, 2026
10 checks passed