https://blog.quentin-favrie.net/2022/01/02/album-serverless/

main.tf

provider "google" {
  project     = var.gcp_project
  region      = var.gcp_region
  credentials = file(var.gcp_auth_file)
}

data "google_project" "project" {
}

# Docker image registry
resource "google_container_registry" "registry" {
  project  = var.gcp_project
  location = var.gcp_location
}

# Custom role allowed to GET objects from buckets
resource "google_project_iam_custom_role" "storage-noauth" {
  role_id     = "storage.objectView"
  title       = "Storage Object View Only"
  permissions = ["storage.objects.get"]
}

# Policy attaching the custom role "storage-noauth" to all users
data "google_iam_policy" "storage-noauth" {
  binding {
    role    = google_project_iam_custom_role.storage-noauth.id
    members = [
      "allUsers",
    ]
  }
}

# Bucket for storing the static website
resource "google_storage_bucket" "app" {
  name          = var.gcp_bucket_app
  location      = var.gcp_location
  force_destroy = true

  uniform_bucket_level_access = true
}

# Attach the policy "storage-noauth" to the static website bucket.
# It allows any user to access the files in it if they have the correct url.
resource "google_storage_bucket_iam_policy" "app-acl" {
  bucket      = google_storage_bucket.app.name
  policy_data = data.google_iam_policy.storage-noauth.policy_data
}


# Bucket for storing the videos
resource "google_storage_bucket" "assets" {
  name          = var.gcp_bucket_assets
  location      = var.gcp_location
  force_destroy = true

  uniform_bucket_level_access = true
}

# Attach the policy "storage-noauth" to the videos bucket.
# It allows any user to access the files in it if they have the correct url.
resource "google_storage_bucket_iam_policy" "assets-acl" {
  bucket      = google_storage_bucket.assets.name
  policy_data = data.google_iam_policy.storage-noauth.policy_data
}

# Declare the API credentials file in the Secret Manager
resource "google_secret_manager_secret" "api-gcp-key-file" {
  secret_id = "api-gcp-key-file"
  replication {
    automatic = true
  }
}

# Store the API credentials file in the Secret Manager
resource "google_secret_manager_secret_version" "api-gcp-key-file-version" {
  secret      = google_secret_manager_secret.api-gcp-key-file.id
  secret_data = file(var.gcp_api_key_file)
}

# The API using Cloud Run
# The container has the secret "api-gcp-key-file" mounted as a volume.
resource "google_cloud_run_service" "api" {
  name                       = var.gcp_cloud_run_api
  location                   = var.gcp_region
  autogenerate_revision_name = true

  template {
    spec {
      containers {
        image = var.gcp_cloud_run_api_image
        ports {
          container_port = 80
        }
        env {
          name  = "GCLOUD_PROJECT_ID"
          value = data.google_project.project.project_id
        }
        env {
          name  = "GCLOUD_KEY_FILE"
          value = "/secrets/${google_secret_manager_secret.api-gcp-key-file.secret_id}"
        }
        env {
          name  = "STORAGE_ASSETS_BUCKET"
          value = google_storage_bucket.assets.name
        }
        volume_mounts {
          name       = google_secret_manager_secret.api-gcp-key-file.secret_id
          mount_path = "/secrets"
        }
      }
      volumes {
        name = google_secret_manager_secret.api-gcp-key-file.secret_id
        secret {
          secret_name = google_secret_manager_secret.api-gcp-key-file.secret_id
        }
      }
    }

    metadata {
      annotations = {
        "autoscaling.knative.dev/maxScale" = "1"
        "client.knative.dev/user-image"    = var.gcp_cloud_run_api_image
        "run.googleapis.com/client-name"   = "terraform"
      }
    }
  }

  traffic {
    percent         = 100
    latest_revision = true
  }

  depends_on = [google_secret_manager_secret_version.api-gcp-key-file-version]
}

# Policy attaching the permission to access a Cloud Run service to all users
data "google_iam_policy" "cloud-run-noauth" {
  binding {
    role    = "roles/run.invoker"
    members = [
      "allUsers",
    ]
  }
}

# Attach the policy "cloud-run-noauth" to the API
resource "google_cloud_run_service_iam_policy" "api-noauth" {
  location    = google_cloud_run_service.api.location
  project     = google_cloud_run_service.api.project
  service     = google_cloud_run_service.api.name
  policy_data = data.google_iam_policy.cloud-run-noauth.policy_data
  depends_on  = [google_cloud_run_service.api]
}

variables.tf

variable "gcp_project" {
  type        = string
  description = "GCP project name"
}

variable "gcp_region" {
  type        = string
  description = "GCP region"
  default     = "europe-west1"
}

variable "gcp_location" {
  type        = string
  description = "GCP location"
  default     = "EU"
}

variable "gcp_auth_file" {
  type        = string
  description = "GCP authentication file for terraform"
}

variable "gcp_bucket_app" {
  type        = string
  description = "The id of the bucket for the static website"
}

variable "gcp_bucket_assets" {
  type        = string
  description = "The id of the bucket for the assets"
}

variable "gcp_cloud_run_api" {
  type        = string
  description = "The id of the Cloud Run Service"
}

variable "gcp_cloud_run_api_image" {
  type        = string
  description = "The name of the docker image for the API"
}

variable "gcp_api_key_file" {
  type        = string
  description = "GCP authentication file for accessing buckets from the API"
}