
metadata.annotations does not support annotation run.googleapis.com/secrets #16

Open
andrewmackett opened this issue Oct 25, 2022 · 2 comments

Comments

@andrewmackett

Summary

Creating a new Cloud Run service that uses Secret Manager fails with this error:

╷
│ Error: Error creating Service: googleapi: Error 400: metadata.annotations: Annotation 'run.googleapis.com/secrets' is not supported on resources of kind 'Service'. Supported kinds are: Revision, Execution
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.BadRequest",
│     "fieldViolations": [
│       {
│         "description": "Annotation 'run.googleapis.com/secrets' is not supported on resources of kind 'Service'. Supported kinds are: Revision, Execution",
│         "field": "metadata.annotations"
│       }
│     ]
│   }
│ ]
│ 
│   with module.cloud_run.google_cloud_run_service.default,
│   on .terraform/modules/cloud_run/main.tf line 2, in resource "google_cloud_run_service" "default":
│    2: resource google_cloud_run_service default {
│ 
╵

I believe this is happening because the run.googleapis.com/secrets annotation is being set in metadata.annotations where it's not supported.

Removing the run.googleapis.com/secrets annotation from here should fix the issue.

Example Code

Terraform to reproduce the error:

variable "project_id" {
  type        = string
  description = "The GCP project ID where the resources will be created."
}

# Create a service account
resource "google_service_account" "this" {
  project      = var.project_id
  account_id   = "my-service-account"
  display_name = "my-service-account"
}

# Create a secret in Secret Manager
resource "google_secret_manager_secret" "secret" {
  project   = var.project_id
  secret_id = "my-secret"
  replication {
    automatic = true
  }
}

# Store the secret value
resource "google_secret_manager_secret_version" "secret" {
  secret      = google_secret_manager_secret.secret.id
  secret_data = "super-secret-value"
}

# Allow the service account to read the secret value from Secret Manager
resource "google_secret_manager_secret_iam_member" "secret" {
  project   = var.project_id
  secret_id = google_secret_manager_secret.secret.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.this.email}"
}

module "cloud_run" {
  source = "git::git@github.com:garbetjie/terraform-google-cloud-run.git//?ref=2.2.1"

  project               = var.project_id
  location              = "us-central1"
  name                  = "my-cloud-run"
  image                 = "us-docker.pkg.dev/cloudrun/container/hello"
  service_account_email = google_service_account.this.email

  env = [
    {
      key     = "MY_SECRET"
      secret  = google_secret_manager_secret.secret.id
      version = "latest"
    },
  ]
}
@garbetjie
Owner

Whoops. Somehow I missed this issue. I'll take a look at replicating it when I have a chance.

Are you still experiencing it?

@silbinarywolf

I'm also experiencing it.

According to this issue, the fix should in theory be simply moving "metadata" out of the "template" block:
hashicorp/terraform-provider-google#10958 (comment)
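
For reference, here is the shape the underlying google_cloud_run_service resource needs to take for the secret mount to be accepted by the API. This is an added example, not code from the garbetjie module or from the provider issue linked above. It reuses the project_id variable, the google_service_account.this resource and the my-secret secret from the reproduction in the issue body, and additionally assumes a project_number variable (the numeric project number the run.googleapis.com/secrets annotation is documented to use) and that a secret version "1" exists. The point it demonstrates is the one the error message states: the annotation is only valid on a Revision, so it belongs in template.metadata, not in the Service-level metadata block.

```hcl
# Added example (not the module's own code). Shows the run.googleapis.com/secrets
# annotation on the Revision template, where the API accepts it, and a container
# env var that reads the secret through the alias the annotation declares.
# Assumed: var.project_number (numeric project number), a secret version "1",
# and the project_id / service account / secret resources from the issue body.

variable "project_number" {
  type        = string
  description = "Numeric GCP project number, used in the secrets annotation."
}

resource "google_cloud_run_service" "default" {
  project  = var.project_id
  location = "us-central1"
  name     = "my-cloud-run"

  # Service-level metadata. Do NOT put run.googleapis.com/secrets here:
  # the API rejects it with "not supported on resources of kind 'Service'".
  metadata {}

  template {
    # Revision-level metadata: this is where the secrets annotation is accepted.
    metadata {
      annotations = {
        # Format: "<alias>:projects/<PROJECT_NUMBER>/secrets/<SECRET_NAME>"
        # The alias is what secret_key_ref.name refers to below.
        "run.googleapis.com/secrets" = "my-secret:projects/${var.project_number}/secrets/${google_secret_manager_secret.secret.secret_id}"
      }
    }

    spec {
      # Least privilege: the revision runs as the dedicated service account
      # that holds roles/secretmanager.secretAccessor on this one secret only.
      service_account_name = google_service_account.this.email

      containers {
        image = "us-docker.pkg.dev/cloudrun/container/hello"

        env {
          name = "MY_SECRET"
          value_from {
            secret_key_ref {
              # Alias declared in the annotation above, not the full resource ID.
              name = "my-secret"
              # Pin an explicit version. "latest" also works, but then a rotation
              # silently changes what new revisions read, which is harder to audit.
              key = "1"
            }
          }
        }
      }
    }
  }
}
```

Two practical notes when applying this. The IAM binding from the issue body must exist before the service is created, otherwise the revision fails to start because the runtime service account cannot read the secret version. And google_secret_manager_secret_version.secret_data is written to Terraform state in plaintext, so the state backend needs the same access controls as the secret itself.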

3 participants