subcategory description
Cloud Run (v2 API)
Service acts as a top-level container that manages a set of configurations and revision templates which implement a network service.

google_cloud_run_v2_service

Service acts as a top-level container that manages a set of configurations and revision templates which implement a network service. Service exists to provide a singular abstraction which can be access controlled, reasoned about, and which encapsulates software lifecycle decisions such as rollout policy and team resource ownership.

To get more information about Service, see:

## Example Usage - Cloudrunv2 Service Basic
# Minimal service: a single container behind public ingress.
resource "google_cloud_run_v2_service" "default" {
  name     = "cloudrun-service"
  location = "us-central1"
  deletion_protection = false # disabled so the example can be torn down; production services usually keep it enabled
  ingress = "INGRESS_TRAFFIC_ALL" # reachable from the internet; invocation is still gated by IAM unless invoker_iam_disabled is set (see the Invokeriam example)
  
  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello" # no tag or digest pinned; pin a digest for reproducible, reviewable deploys
    }
  }
}
## Example Usage - Cloudrunv2 Service Limits
# Same service as the Basic example with explicit CPU/memory limits on the container.
resource "google_cloud_run_v2_service" "default" {
  name     = "cloudrun-service"
  location = "us-central1"
  deletion_protection = false # disabled so the example can be torn down
  ingress = "INGRESS_TRAFFIC_ALL" # public ingress; IAM still applies to invocations

  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello" # no tag or digest pinned
      resources {
        # Only the keys cpu, memory and nvidia.com/gpu are accepted; values are
        # Kubernetes quantity strings (see the resources block in the argument reference).
        limits = {
          cpu    = "2"
          memory = "1024Mi"
        }
      }
    }
  }
}
## Example Usage - Cloudrunv2 Service Sql
# Service wired to a Cloud SQL instance (via the /cloudsql volume) and to a
# Secret Manager secret (via an env var). Neither the database credentials nor
# the secret value appear as literals in this resource.
resource "google_cloud_run_v2_service" "default" {
  name     = "cloudrun-service"
  location = "us-central1"
  deletion_protection = false # disabled so the example can be torn down
  ingress = "INGRESS_TRAFFIC_ALL" # public ingress; IAM still applies to invocations
  
  template {
    scaling {
      max_instance_count = 2 # bounds instance count, and with it database connections and cost
    }
  
    volumes {
      name = "cloudsql"
      cloud_sql_instance {
        instances = [google_sql_database_instance.instance.connection_name] # referenced by connection name, not by address
      }
    }

    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello" # no tag or digest pinned

      env {
        name = "FOO"
        value = "bar" # plain literal; suitable only for non-sensitive values
      }
      env {
        name = "SECRET_ENV_VAR"
        value_source {
          secret_key_ref {
            secret = google_secret_manager_secret.secret.secret_id # same-project secret, so the bare secret id is enough
            version = "1" # pinned; "latest" would follow rotations but also any accidental new version
          }
        }
      }
      volume_mounts {
        name = "cloudsql"
        mount_path = "/cloudsql" # Cloud SQL volumes must mount at /cloudsql (or leave it empty); instances appear as /cloudsql/<instance>
      }
    }
  }

  traffic {
    type = "TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST"
    percent = 100 # all traffic to the newest revision; no canary split
  }
  depends_on = [google_secret_manager_secret_version.secret-version-data] # version "1" must exist before a revision tries to read it
}

# Current project; its number is used below to address the default compute service account.
data "google_project" "project" {
}

# Secret container (metadata only); the payload is the version resource below.
resource "google_secret_manager_secret" "secret" {
  secret_id = "secret-1"
  replication {
    auto {} # automatic (Google-chosen) replication placement
  }
}

# Secret payload. The literal below is a placeholder: a real value written here
# ends up in the Terraform state and in version control, so supply it from a
# sensitive variable or create the version outside Terraform.
resource "google_secret_manager_secret_version" "secret-version-data" {
  secret = google_secret_manager_secret.secret.name
  secret_data = "secret-data"
}

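# Lets the service's runtime identity read the secret. The member is the
# project's default Compute Engine service account, which is the identity a
# revision runs as when template.service_account is not set; a dedicated
# service account carrying only this grant is the least-privilege choice.
# NOTE(review): the rendered page showed this address obfuscated as
# "[email protected]"; the expected form is
# "<project-number>-compute@developer.gserviceaccount.com" — confirm against
# the upstream source.
resource "google_secret_manager_secret_iam_member" "secret-access" {
  secret_id = google_secret_manager_secret.secret.id
  role      = "roles/secretmanager.secretAccessor" # read access to secret payloads only
  member    = "serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com"
  depends_on = [google_secret_manager_secret.secret]
}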

# Cloud SQL instance the service reaches through the /cloudsql volume.
resource "google_sql_database_instance" "instance" {
  name             = "cloudrun-sql"
  region           = "us-central1" # same region as the service
  database_version = "MYSQL_5_7" # NOTE(review): older major version — check it is still supported before copying this example
  settings {
    tier = "db-f1-micro" # smallest shared-core tier; example sizing only
  }

  deletion_protection  = true # the database keeps deletion protection even though the example service disables it
}
## Example Usage - Cloudrunv2 Service Vpcaccess
# Service whose outbound traffic is routed through a Serverless VPC Access connector.
resource "google_cloud_run_v2_service" "default" {
  name     = "cloudrun-service"
  location = "us-central1"
  deletion_protection = false # disabled so the example can be torn down

  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello" # no tag or digest pinned
    }
    vpc_access{
      connector = google_vpc_access_connector.connector.id
      egress = "ALL_TRAFFIC" # every outbound request leaves via the VPC (the alternative is PRIVATE_RANGES_ONLY), so VPC firewall, NAT and egress controls apply to all of it
    }
  }
}

# Connector instances live in the dedicated subnet below; min/max bound capacity and cost.
resource "google_vpc_access_connector" "connector" {
  name          = "run-vpc"
  subnet {
    name = google_compute_subnetwork.custom_test.name # connector addresses come from this subnet
  }
  machine_type = "e2-standard-4"
  min_instances = 2
  max_instances = 3
  region        = "us-central1" # same region as the service
}
# Subnet reserved for the connector; keep it separate from workload subnets so
# firewall rules can single out connector traffic.
resource "google_compute_subnetwork" "custom_test" {
  name          = "run-subnetwork"
  ip_cidr_range = "10.2.0.0/28" # /28 is the range size used for connectors in this example
  region        = "us-central1"
  network       = google_compute_network.custom_test.id
}
# Custom-mode VPC: no automatically created subnets, only the one declared above.
resource "google_compute_network" "custom_test" {
  name                    = "run-network"
  auto_create_subnetworks = false
}
## Example Usage - Cloudrunv2 Service Directvpc
# Direct VPC egress: the revision gets addresses from the subnetwork itself,
# with no connector in the path.
resource "google_cloud_run_v2_service" "default" {
  name     = "cloudrun-service"
  location = "us-central1"
  deletion_protection = false # disabled so the example can be torn down
  launch_stage = "GA"
  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello" # no tag or digest pinned
    }
    vpc_access{
      network_interfaces {
        network = "default"
        subnetwork = "default"
        tags = ["tag1", "tag2", "tag3"] # network tags; VPC firewall rules can target them, so scope egress rules to these tags rather than to the whole subnet
      }
    }
  }
}
## Example Usage - Cloudrunv2 Service Gpu
# Service with one GPU attached to its container.
resource "google_cloud_run_v2_service" "default" {
  name     = "cloudrun-service"
  location = "us-central1"
  deletion_protection = false # disabled so the example can be torn down
  ingress = "INGRESS_TRAFFIC_ALL" # public ingress; IAM still applies to invocations

  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello" # no tag or digest pinned
      resources {
        limits = {
          "cpu" = "4"
          "memory" = "16Gi"
          "nvidia.com/gpu" = "1" # GPU limit key; the accelerator model is chosen by node_selector below
        }
        startup_cpu_boost = true # extra CPU while the instance starts, to shorten cold starts
      }
    }
    node_selector {
      accelerator = "nvidia-l4"
    }
    gpu_zonal_redundancy_disabled = true # trades zonal redundancy for availability of GPU capacity; revisit for production
    scaling {
      max_instance_count = 1 # hard cap on GPU instances (and spend)
    }
  }
}
## Example Usage - Cloudrunv2 Service Probes
# Service with an explicit start-up probe (TCP) and a liveness probe (HTTP).
resource "google_cloud_run_v2_service" "default" {
  name     = "cloudrun-service"
  location = "us-central1"
  deletion_protection = false # disabled so the example can be torn down

  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello" # no tag or digest pinned
      startup_probe {
        initial_delay_seconds = 0
        timeout_seconds = 1 # must not exceed period_seconds
        period_seconds = 3
        failure_threshold = 1 # a single failed connect marks start-up as failed
        tcp_socket {
          port = 8080 # only checks that the port accepts connections, not that the app is healthy
        }
      }
      liveness_probe {
        http_get {
          path = "/" # other settings take the documented defaults (period 10s, failure_threshold 3, ...); a failing probe restarts the container
        }
      }
    }
  }
}
## Example Usage - Cloudrunv2 Service Secret
# Service that exposes a Secret Manager secret as a file under /secrets.
resource "google_cloud_run_v2_service" "default" {
  name     = "cloudrun-service"
  location = "us-central1"
  deletion_protection = false # disabled so the example can be torn down
  ingress = "INGRESS_TRAFFIC_ALL" # public ingress; IAM still applies to invocations

  template {
    volumes {
      name = "a-volume"
      secret {
        secret = google_secret_manager_secret.secret.secret_id
        default_mode = 292 # 0444 — the documented default; readable by every uid inside the container, so tighten it if the app runs as a single known user (verify the file owner first)
        items {
          version = "1" # pinned version
          path = "my-secret" # file name relative to mount_path, i.e. /secrets/my-secret
        }
      }
    }
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello" # no tag or digest pinned
      volume_mounts {
        name = "a-volume"
        mount_path = "/secrets"
      }
    }
  }
  depends_on = [google_secret_manager_secret_version.secret-version-data] # version "1" must exist before the volume can be populated
}

# Current project; its number is used below to address the default compute service account.
data "google_project" "project" {
}

# Secret container (metadata only); the payload is the version resource below.
resource "google_secret_manager_secret" "secret" {
  secret_id = "secret-1"
  replication {
    auto {} # automatic (Google-chosen) replication placement
  }
}

# Secret payload. The literal below is a placeholder: a real value written here
# ends up in the Terraform state and in version control, so supply it from a
# sensitive variable or create the version outside Terraform.
resource "google_secret_manager_secret_version" "secret-version-data" {
  secret = google_secret_manager_secret.secret.name
  secret_data = "secret-data"
}

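# Lets the service's runtime identity read the secret. The member is the
# project's default Compute Engine service account, which is the identity a
# revision runs as when template.service_account is not set; a dedicated
# service account carrying only this grant is the least-privilege choice.
# NOTE(review): the rendered page showed this address obfuscated as
# "[email protected]"; the expected form is
# "<project-number>-compute@developer.gserviceaccount.com" — confirm against
# the upstream source.
resource "google_secret_manager_secret_iam_member" "secret-access" {
  secret_id = google_secret_manager_secret.secret.id
  role      = "roles/secretmanager.secretAccessor" # read access to secret payloads only
  member    = "serviceAccount:${data.google_project.project.number}-compute@developer.gserviceaccount.com"
  depends_on = [google_secret_manager_secret.secret]
}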
## Example Usage - Cloudrunv2 Service Multicontainer
# Two containers in one revision sharing an in-memory volume; hello-1 waits for
# hello-2 to become healthy before it starts.
resource "google_cloud_run_v2_service" "default" {
  name     = "cloudrun-service"
  location = "us-central1"
  deletion_protection = false # disabled so the example can be torn down
  ingress = "INGRESS_TRAFFIC_ALL" # public ingress; IAM still applies to invocations
  template {
    containers {
      name = "hello-1"
      ports {
        container_port = 8080 # only this container declares a port, so presumably it is the one that receives external traffic — confirm
      }
      image = "us-docker.pkg.dev/cloudrun/container/hello" # no tag or digest pinned
      depends_on = ["hello-2"] # start order: hello-2 must pass its startup probe first
      volume_mounts {
        name = "empty-dir-volume"
        mount_path = "/mnt"
      }
    }
    containers {
      name = "hello-2"
      image = "us-docker.pkg.dev/cloudrun/container/hello"
      env {
        name = "PORT"
        value = "8081" # no ports block here, so 8081 is not exposed externally; presumably reachable from hello-1 only — confirm
      }
      startup_probe {
        http_get {
          port = 8081 # probe the same port the app is told to listen on
        }
      }
    }
    volumes {
      name = "empty-dir-volume"
      empty_dir {
        medium = "MEMORY" # backed by memory, so its contents count against the instance's memory and vanish with the instance
        size_limit = "256Mi"
      }
    }
  }
}
## Example Usage - Cloudrunv2 Service Mount Gcs
# Service with a Cloud Storage bucket mounted read-write at /var/www.
resource "google_cloud_run_v2_service" "default" {
  name     = "cloudrun-service"

  location     = "us-central1"
  deletion_protection = false # disabled so the example can be torn down


  template {
    execution_environment = "EXECUTION_ENVIRONMENT_GEN2" # the GCS and NFS examples both select gen2; presumably required for these mounts — confirm

    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello" # no tag or digest pinned
      volume_mounts {
        name       = "bucket"
        mount_path = "/var/www"
      }
    }

    volumes {
      name = "bucket"
      gcs {
        bucket    = google_storage_bucket.default.name
        read_only = false # the container can create and overwrite objects; set true unless writes are needed, and grant the runtime identity matching (read-only) bucket permissions
      }
    }
  }
}

# Bucket mounted into the service above. Unlike the Function example's bucket,
# uniform_bucket_level_access is not enabled here, so per-object ACLs remain possible.
resource "google_storage_bucket" "default" {
    name     = "cloudrun-service" # bucket names are global; this placeholder will usually be taken
    location = "US"
}
## Example Usage - Cloudrunv2 Service Mount Nfs
# Service with a Filestore share mounted over NFS, reached through direct VPC egress.
resource "google_cloud_run_v2_service" "default" {
  name     = "cloudrun-service"

  location     = "us-central1"
  deletion_protection = false # disabled so the example can be torn down
  ingress      = "INGRESS_TRAFFIC_ALL" # public ingress; IAM still applies to invocations

  template {
    execution_environment = "EXECUTION_ENVIRONMENT_GEN2" # the GCS and NFS examples both select gen2; presumably required for these mounts — confirm
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello:latest" # mutable tag: what gets deployed can change under you; pin a digest instead
      volume_mounts {
        name       = "nfs"
        mount_path = "/mnt/nfs/filestore"
      }
    }
    vpc_access {
      network_interfaces {
        network    = "default"
        subnetwork = "default" # the Filestore instance below sits on this network, so the revision needs a VPC path to its address
      }
    }

    volumes {
      name = "nfs"
      nfs {
        server    = google_filestore_instance.default.networks[0].ip_addresses[0] # Filestore's VPC-internal address
        path      = "/share1"
        read_only = false # read-write mount; set true unless the service must write to the share
      }
    }
  }
}

# Filestore instance exporting the share mounted above. Nothing here restricts
# which VPC clients may mount it; review export options before production use.
resource "google_filestore_instance" "default" {
  name     = "cloudrun-service"
  location = "us-central1-b" # zonal instance
  tier     = "BASIC_HDD"

  file_shares {
    capacity_gb = 1024
    name        = "share1" # exported as /share1
  }

  networks {
    network = "default"
    modes   = ["MODE_IPV4"]
  }
}
## Example Usage - Cloudrunv2 Service Mesh
# Service joined to a Cloud Service Mesh (beta feature, hence the beta provider and launch stage).
resource "google_cloud_run_v2_service" "default" {
  provider = google-beta
  name     = "cloudrun-service"
  depends_on = [time_sleep.wait_for_mesh] # gives the mesh time to become usable before the service references it
  deletion_protection = false # disabled so the example can be torn down

  location     = "us-central1"
  launch_stage = "BETA"

  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello" # no tag or digest pinned
    }
    service_mesh {
      mesh = google_network_services_mesh.mesh.id
    }
  }
}

# Fixed delay after mesh creation; a timing workaround rather than a readiness check.
resource "time_sleep" "wait_for_mesh" {
  depends_on = [google_network_services_mesh.mesh]

  create_duration = "1m"
}

# The mesh the service attaches to.
resource "google_network_services_mesh" "mesh" {
  provider = google-beta
  name     = "network-services-mesh"
}
## Example Usage - Cloudrunv2 Service Invokeriam
# Service that skips the invoker IAM check. Combined with INGRESS_TRAFFIC_ALL this
# makes the serving URL callable by anyone on the internet; use it only when the
# endpoint is meant to be public, otherwise restrict ingress or keep IAM enabled.
resource "google_cloud_run_v2_service" "default" {
  provider = google-beta
  name     = "cloudrun-service"
  location = "us-central1"
  deletion_protection = false # disabled so the example can be torn down
  invoker_iam_disabled = true # no IAM check on invocation; any authentication must happen inside the container
  description = "The serving URL of this service will not perform any IAM check when invoked"
  ingress = "INGRESS_TRAFFIC_ALL"
  
  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello" # no tag or digest pinned
    }
  }
}
## Example Usage - Cloudrunv2 Service Function
# Cloud Run function: the service image is built from zipped source in a bucket,
# using the build service account declared below.
resource "google_cloud_run_v2_service" "default" {
  name     = "cloudrun-service"
  location = "us-central1"
  deletion_protection = false # disabled so the example can be torn down
  ingress = "INGRESS_TRAFFIC_ALL" # public ingress; IAM still applies to invocations

  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
      base_image_uri = "us-central1-docker.pkg.dev/serverless-runtimes/google-22-full/runtimes/nodejs22" # enrols the container in automatic base image updates (runtime patches arrive without a redeploy)
    }
  }
  build_config {
    source_location = "gs://${google_storage_bucket.bucket.name}/${google_storage_bucket_object.object.name}" # whoever can write this object controls what gets built and deployed
    function_target = "helloHttp"
    image_uri = "us-docker.pkg.dev/cloudrun/container/hello"
    base_image = "us-central1-docker.pkg.dev/serverless-runtimes/google-22-full/runtimes/nodejs22"
    enable_automatic_updates = true
    worker_pool = "worker-pool"
    environment_variables = {
      # build-time variables; they are visible in the build and in state, so keep secrets out of them
      FOO_KEY = "FOO_VALUE"
      BAR_KEY = "BAR_VALUE"
    }
    service_account = google_service_account.cloudbuild_service_account.id # identity the build runs as
  }
  depends_on = [
    google_project_iam_member.act_as,
    google_project_iam_member.logs_writer
  ]
}

# Current project; its id is used below for the bucket name and the IAM bindings.
data "google_project" "project" {
}

# Bucket holding the function source. Write access to it is effectively deploy
# access to the service, so keep it tightly scoped.
resource "google_storage_bucket" "bucket" {
  name     = "${data.google_project.project.project_id}-gcf-source"  # Every bucket name must be globally unique
  location = "US"
  uniform_bucket_level_access = true # IAM only, no per-object ACLs
}

# The zipped source the build consumes; uploaded from the local path in `source`.
resource "google_storage_bucket_object" "object" {
  name   = "function-source.zip"
  bucket = google_storage_bucket.bucket.name
  source = "function_source.zip"  # Add path to the zipped function source code
}

# Dedicated identity for the build, separate from the service's runtime identity.
resource "google_service_account" "cloudbuild_service_account" {
  account_id = "build-sa"
}

# Project-wide roles/iam.serviceAccountUser lets the build account act as ANY
# service account in the project. If the build only needs to act as one account,
# a google_service_account_iam_member binding on that account is the tighter grant.
resource "google_project_iam_member" "act_as" {
  project = data.google_project.project.project_id
  role    = "roles/iam.serviceAccountUser"
  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
}

# Lets the build account write build logs; write-only, no log read access.
resource "google_project_iam_member" "logs_writer" {
  project = data.google_project.project.project_id
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
}
## Example Usage - Cloudrunv2 Service Iap
# Service fronted by Identity-Aware Proxy (beta). Ingress stays public; IAP is
# what decides which users reach the container.
resource "google_cloud_run_v2_service" "default" {
  provider = google-beta
  name     = "cloudrun-iap-service"
  location = "us-central1"
  deletion_protection = false # disabled so the example can be torn down
  ingress = "INGRESS_TRAFFIC_ALL"
  launch_stage = "BETA"
  iap_enabled = true # access policy (who may pass) is configured on the IAP side, not in this resource

  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello" # no tag or digest pinned
    }
  }
}

Argument Reference

The following arguments are supported:

  • name - (Required) Name of the Service.

  • template - (Required) The template used to create revisions for this Service. Structure is documented below.

  • location - (Required) The location of the Cloud Run service.

The template block supports:

  • revision - (Optional) The unique name for the revision. If this field is omitted, it will be automatically generated based on the Service name.

  • labels - (Optional) Unstructured key value map that can be used to organize and categorize objects. User-provided labels are shared with Google's billing system, so they can be used to filter, or break down billing charges by team, component, environment, state, etc. For more information, visit https://cloud.google.com/resource-manager/docs/creating-managing-labels or https://cloud.google.com/run/docs/configuring/labels. Cloud Run API v2 does not support labels with run.googleapis.com, cloud.googleapis.com, serving.knative.dev, or autoscaling.knative.dev namespaces, and they will be rejected. All system labels in v1 now have a corresponding field in v2 RevisionTemplate.

  • annotations - (Optional) Unstructured key value map that may be set by external tools to store arbitrary metadata. They are not queryable and should be preserved when modifying objects. Cloud Run API v2 does not support annotations with run.googleapis.com, cloud.googleapis.com, serving.knative.dev, or autoscaling.knative.dev namespaces, and they will be rejected. All system annotations in v1 now have a corresponding field in v2 RevisionTemplate. This field follows Kubernetes annotations' namespacing, limits, and rules.

  • scaling - (Optional) Scaling settings for this Revision. Structure is documented below.

  • vpc_access - (Optional) VPC Access configuration to use for this Task. For more information, visit https://cloud.google.com/run/docs/configuring/connecting-vpc. Structure is documented below.

  • timeout - (Optional) Max allowed time for an instance to respond to a request. A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

  • service_account - (Optional) Email address of the IAM service account associated with the revision of the service. The service account represents the identity of the running revision, and determines what permissions the revision has. If not provided, the revision will use the project's default service account.

  • containers - (Optional) Holds the containers that define the unit of execution for this Service. Structure is documented below.

  • volumes - (Optional) A list of Volumes to make available to containers. Structure is documented below.

  • execution_environment - (Optional) The sandbox environment to host this Revision. Possible values are: EXECUTION_ENVIRONMENT_GEN1, EXECUTION_ENVIRONMENT_GEN2.

  • encryption_key - (Optional) A reference to a customer managed encryption key (CMEK) to use to encrypt this container image. For more information, go to https://cloud.google.com/run/docs/securing/using-cmek

  • max_instance_request_concurrency - (Optional) Sets the maximum number of requests that each serving instance can receive. If not specified or 0, defaults to 80 when requested CPU >= 1 and defaults to 1 when requested CPU < 1.

  • session_affinity - (Optional) Enables session affinity. For more information, go to https://cloud.google.com/run/docs/configuring/session-affinity

  • service_mesh - (Optional, Beta) Enables Cloud Service Mesh for this Revision. Structure is documented below.

  • node_selector - (Optional) Node Selector describes the hardware requirements of the resources. Structure is documented below.

  • gpu_zonal_redundancy_disabled - (Optional) True if GPU zonal redundancy is disabled on this revision.

The scaling block supports:

  • min_instance_count - (Optional) Minimum number of serving instances that this resource should have. Defaults to 0. Must not be greater than maximum instance count.

  • max_instance_count - (Optional) Maximum number of serving instances that this resource should have. Must not be less than minimum instance count. If absent, Cloud Run will calculate a default value based on the project's available container instances quota in the region and specified instance size.

The vpc_access block supports:

  • connector - (Optional) VPC Access connector name. Format: projects/{project}/locations/{location}/connectors/{connector}, where {project} can be project id or number.

  • egress - (Optional) Traffic VPC egress settings. Possible values are: ALL_TRAFFIC, PRIVATE_RANGES_ONLY.

  • network_interfaces - (Optional) Direct VPC egress settings. Currently only single network interface is supported. Structure is documented below.

The network_interfaces block supports:

  • network - (Optional) The VPC network that the Cloud Run resource will be able to send traffic to. At least one of network or subnetwork must be specified. If both network and subnetwork are specified, the given VPC subnetwork must belong to the given VPC network. If network is not specified, it will be looked up from the subnetwork.

  • subnetwork - (Optional) The VPC subnetwork that the Cloud Run resource will get IPs from. At least one of network or subnetwork must be specified. If both network and subnetwork are specified, the given VPC subnetwork must belong to the given VPC network. If subnetwork is not specified, the subnetwork with the same name with the network will be used.

  • tags - (Optional) Network tags applied to this Cloud Run service.

The containers block supports:

  • name - (Optional) Name of the container specified as a DNS_LABEL.

  • image - (Required) URL of the Container image in Google Container Registry or Google Artifact Registry. More info: https://kubernetes.io/docs/concepts/containers/images

  • command - (Optional) Entrypoint array. Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell

  • args - (Optional) Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references are not supported in Cloud Run.

  • env - (Optional) List of environment variables to set in the container. Structure is documented below.

  • resources - (Optional) Compute Resource requirements by this container. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources Structure is documented below.

  • ports - (Optional) List of ports to expose from the container. Only a single port can be specified. The specified ports must be listening on all interfaces (0.0.0.0) within the container to be accessible. If omitted, a port number will be chosen and passed to the container through the PORT environment variable for the container to listen on. Structure is documented below.

  • volume_mounts - (Optional) Volume to mount into the container's filesystem. Structure is documented below.

  • working_dir - (Optional) Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image.

  • liveness_probe - (Optional) Periodic probe of container liveness. Container will be restarted if the probe fails. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes Structure is documented below.

  • startup_probe - (Optional) Startup probe of application within the container. All other probes are disabled if a startup probe is provided, until it succeeds. Container will not be added to service endpoints if the probe fails. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes Structure is documented below.

  • depends_on - (Optional) Containers which should be started before this container. If specified the container will wait to start until all containers with the listed names are healthy.

  • base_image_uri - (Optional) Base image for this container. If set, it indicates that the service is enrolled into automatic base image update.

  • build_info - (Output) The build info of the container image. Structure is documented below.

The env block supports:

  • name - (Required) Name of the environment variable. Must be a C_IDENTIFIER, and may not exceed 32768 characters.

  • value - (Optional) Literal value of the environment variable. Defaults to "" and the maximum allowed length is 32768 characters. Variable references are not supported in Cloud Run.

  • value_source - (Optional) Source for the environment variable's value. Structure is documented below.

The value_source block supports:

  • secret_key_ref - (Optional) Selects a secret and a specific version from Cloud Secret Manager. Structure is documented below.

The secret_key_ref block supports:

  • secret - (Required) The name of the secret in Cloud Secret Manager. Format: {secretName} if the secret is in the same project. projects/{project}/secrets/{secretName} if the secret is in a different project.

  • version - (Optional) The Cloud Secret Manager secret version. Can be 'latest' for the latest value or an integer for a specific version.

The resources block supports:

  • limits - (Optional) Only memory, CPU, and nvidia.com/gpu are supported. Use key cpu for CPU limit, memory for memory limit, nvidia.com/gpu for gpu limit. Note: The only supported values for CPU are '1', '2', '4', and '8'. Setting 4 CPU requires at least 2Gi of memory. The values of the map are the string form of the Kubernetes 'quantity' type: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apimachinery/pkg/api/resource/quantity.go

  • cpu_idle - (Optional) Determines whether CPU is only allocated during requests. True by default if the parent resources field is not set. However, if resources is set, this field must be explicitly set to true to preserve the default behavior.

  • startup_cpu_boost - (Optional) Determines whether CPU should be boosted on startup of a new container instance above the requested CPU threshold, this can help reduce cold-start latency.

The ports block supports:

  • name - (Optional) If specified, used to specify which protocol to use. Allowed values are "http1" and "h2c".

  • container_port - (Optional) Port number the container listens on. This must be a valid TCP port number, 0 < containerPort < 65536.

The volume_mounts block supports:

  • name - (Required) This must match the Name of a Volume.

  • mount_path - (Required) Path within the container at which the volume should be mounted. Must not contain ':'. For Cloud SQL volumes, it can be left empty, or must otherwise be /cloudsql. All instances defined in the Volume will be available as /cloudsql/[instance]. For more information on Cloud SQL volumes, visit https://cloud.google.com/sql/docs/mysql/connect-run

The liveness_probe block supports:

  • initial_delay_seconds - (Optional) Number of seconds after the container has started before the probe is initiated. Defaults to 0 seconds. Minimum value is 0. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

  • timeout_seconds - (Optional) Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Maximum value is 3600. Must be smaller than periodSeconds. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

  • period_seconds - (Optional) How often (in seconds) to perform the probe. Defaults to 10 seconds. Minimum value is 1. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. Must be greater than or equal to timeoutSeconds.

  • failure_threshold - (Optional) Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.

  • http_get - (Optional) HTTPGet specifies the http request to perform. Structure is documented below.

  • grpc - (Optional) GRPC specifies an action involving a GRPC port. Structure is documented below.

  • tcp_socket - (Optional) TCPSocketAction describes an action based on opening a socket. Structure is documented below.

The http_get block supports:

  • path - (Optional) Path to access on the HTTP server. Defaults to '/'.

  • port - (Optional) Port number to access on the container. Number must be in the range 1 to 65535. If not specified, defaults to the same value as container.ports[0].containerPort.

  • http_headers - (Optional) Custom headers to set in the request. HTTP allows repeated headers. Structure is documented below.

The http_headers block supports:

  • name - (Required) The header field name

  • value - (Optional) The header field value

The grpc block supports:

  • port - (Optional) Port number to access on the container. Number must be in the range 1 to 65535. If not specified, defaults to the same value as container.ports[0].containerPort.

  • service - (Optional) The name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). If this is not specified, the default behavior is defined by gRPC.

The tcp_socket block supports:

  • port - (Required) Port number to access on the container. Must be in the range 1 to 65535. If not specified, defaults to the exposed port of the container, which is the value of container.ports[0].containerPort.

The startup_probe block supports:

  • initial_delay_seconds - (Optional) Number of seconds after the container has started before the probe is initiated. Defaults to 0 seconds. Minimum value is 0. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

  • timeout_seconds - (Optional) Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Maximum value is 3600. Must be smaller than periodSeconds. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

  • period_seconds - (Optional) How often (in seconds) to perform the probe. Defaults to 10 seconds. Minimum value is 1. Maximum value for liveness probe is 3600. Maximum value for startup probe is 240. Must be greater than or equal to timeoutSeconds.

  • failure_threshold - (Optional) Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.

  • http_get - (Optional) HTTPGet specifies the http request to perform. Exactly one of HTTPGet or TCPSocket must be specified. Structure is documented below.

  • tcp_socket - (Optional) TCPSocket specifies an action involving a TCP port. Exactly one of HTTPGet or TCPSocket must be specified. Structure is documented below.

  • grpc - (Optional) GRPC specifies an action involving a GRPC port. Structure is documented below.

The http_get block supports:

  • path - (Optional) Path to access on the HTTP server. Defaults to '/'.

  • port - (Optional) Port number to access on the container. Must be in the range 1 to 65535. If not specified, defaults to the same value as container.ports[0].containerPort.

  • http_headers - (Optional) Custom headers to set in the request. HTTP allows repeated headers. Structure is documented below.

The http_headers block supports:

  • name - (Required) The header field name

  • value - (Optional) The header field value

The tcp_socket block supports:

  • port - (Optional) Port number to access on the container. Must be in the range 1 to 65535. If not specified, defaults to the same value as container.ports[0].containerPort.

The grpc block supports:

  • port - (Optional) Port number to access on the container. Number must be in the range 1 to 65535. If not specified, defaults to the same value as container.ports[0].containerPort.

  • service - (Optional) The name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). If this is not specified, the default behavior is defined by gRPC.

The build_info block contains:

  • function_target - (Output) Entry point of the function when the image is a Cloud Run function.

  • source_location - (Output) Source code location of the image.

The volumes block supports:

The secret block supports:

  • secret - (Required) The name of the secret in Cloud Secret Manager. Format: {secret} if the secret is in the same project. projects/{project}/secrets/{secret} if the secret is in a different project.

  • default_mode - (Optional) Integer representation of mode bits to use on created files by default. Must be a value between 0000 and 0777 (octal), defaulting to 0444. Directories within the path are not affected by this setting.

  • items - (Optional) If unspecified, the volume will expose a file whose name is the secret, relative to VolumeMount.mount_path. If specified, the key will be used as the version to fetch from Cloud Secret Manager and the path will be the name of the file exposed in the volume. When items are defined, they must specify a path and a version. Structure is documented below.

The items block supports:

  • path - (Required) The relative path of the secret in the container.

  • version - (Optional) The Cloud Secret Manager secret version. Can be 'latest' for the latest value or an integer for a specific version.

  • mode - (Optional) Integer octal mode bits to use on this file, must be a value between 01 and 0777 (octal). If 0 or not set, the Volume's default mode will be used.

The cloud_sql_instance block supports:

The empty_dir block supports:

The gcs block supports:

  • bucket - (Required) GCS Bucket name

  • read_only - (Optional) If true, mount the GCS bucket as read-only

  • mount_options - (Optional, Beta) A list of flags to pass to the gcsfuse command for configuring this volume. Flags should be passed without leading dashes.

The nfs block supports:

  • server - (Required) Hostname or IP address of the NFS server

  • path - (Required) Path that is exported by the NFS server.

  • read_only - (Optional) If true, mount the NFS volume as read only

The service_mesh block supports:

The node_selector block supports:


  • description - (Optional) User-provided description of the Service. This field currently has a 512-character limit.

  • labels - (Optional) Unstructured key value map that can be used to organize and categorize objects. User-provided labels are shared with Google's billing system, so they can be used to filter, or break down billing charges by team, component, environment, state, etc. For more information, visit https://cloud.google.com/resource-manager/docs/creating-managing-labels or https://cloud.google.com/run/docs/configuring/labels. Cloud Run API v2 does not support labels with run.googleapis.com, cloud.googleapis.com, serving.knative.dev, or autoscaling.knative.dev namespaces, and they will be rejected. All system labels in v1 now have a corresponding field in v2 Service. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field effective_labels for all of the labels present on the resource.

  • annotations - (Optional) Unstructured key value map that may be set by external tools to store arbitrary metadata. They are not queryable and should be preserved when modifying objects. Cloud Run API v2 does not support annotations with run.googleapis.com, cloud.googleapis.com, serving.knative.dev, or autoscaling.knative.dev namespaces, and they will be rejected in new resources. All system annotations in v1 now have a corresponding field in v2 Service. This field follows Kubernetes annotations' namespacing, limits, and rules. Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field effective_annotations for all of the annotations present on the resource.

  • client - (Optional) Arbitrary identifier for the API client.

  • client_version - (Optional) Arbitrary version identifier for the API client.

  • ingress - (Optional) Provides the ingress settings for this Service. On output, returns the currently observed ingress settings, or INGRESS_TRAFFIC_UNSPECIFIED if no revision is active. Possible values are: INGRESS_TRAFFIC_ALL, INGRESS_TRAFFIC_INTERNAL_ONLY, INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER.

  • launch_stage - (Optional) The launch stage as defined by Google Cloud Platform Launch Stages. Cloud Run supports ALPHA, BETA, and GA. If no value is specified, GA is assumed. Set the launch stage to a preview stage on input to allow use of preview features in that stage. On read (or output), describes whether the resource uses preview features. For example, if ALPHA is provided as input, but only BETA and GA-level features are used, this field will be BETA on output. Possible values are: UNIMPLEMENTED, PRELAUNCH, EARLY_ACCESS, ALPHA, BETA, GA, DEPRECATED.

  • binary_authorization - (Optional) Settings for the Binary Authorization feature. Structure is documented below.

  • custom_audiences - (Optional) One or more custom audiences that you want this service to support. Specify each custom audience as the full URL in a string. The custom audiences are encoded in the token and used to authenticate requests. For more information, see https://cloud.google.com/run/docs/configuring/custom-audiences.

  • scaling - (Optional) Scaling settings that apply to the whole service. Structure is documented below.

  • default_uri_disabled - (Optional, Beta) Disables public resolution of the default URI of this service.

  • traffic - (Optional) Specifies how to distribute traffic over a collection of Revisions belonging to the Service. If traffic is empty or not provided, defaults to 100% traffic to the latest Ready Revision. Structure is documented below.

  • invoker_iam_disabled - (Optional) Disables the IAM permission check for run.routes.invoke for callers of this service. With the check disabled, any caller that the ingress setting lets reach the service can invoke it without holding the invoker permission, so exposure is then governed only by ingress and, where enabled, IAP (iap_enabled). For more information, visit https://cloud.google.com/run/docs/securing/managing-access#invoker_check.

  • build_config - (Optional) Configuration for building a Cloud Run function. Structure is documented below.

  • iap_enabled - (Optional, Beta) Used to enable/disable IAP for the service.

  • project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

  • deletion_protection - (Optional) Whether Terraform will be prevented from destroying the service. Defaults to true. When a terraform destroy or terraform apply would delete the service, the command will fail if this field is not set to false in Terraform state. When the field is set to true or unset in Terraform state, a terraform apply or terraform destroy that would delete the service will fail. When the field is set to false, deleting the service is allowed.

The binary_authorization block supports:

  • breakglass_justification - (Optional) If present, indicates to use Breakglass using this justification. If useDefault is False, then it must be empty. For more information on breakglass, see https://cloud.google.com/binary-authorization/docs/using-breakglass

  • use_default - (Optional) If True, indicates to use the default project's binary authorization policy. If False, binary authorization will be disabled.

  • policy - (Optional) The path to a binary authorization policy. Format: projects/{project}/platforms/cloudRun/{policy-name}

The scaling block supports:

  • min_instance_count - (Optional) Minimum number of instances for the service, to be divided among all revisions receiving traffic.

The traffic block supports:

  • type - (Optional) The allocation type for this traffic target. Possible values are: TRAFFIC_TARGET_ALLOCATION_TYPE_LATEST, TRAFFIC_TARGET_ALLOCATION_TYPE_REVISION.

  • revision - (Optional) Revision to which to send this portion of traffic, if traffic allocation is by revision.

  • percent - (Optional) Specifies percent of the traffic to this Revision. This defaults to zero if unspecified.

  • tag - (Optional) Indicates a string to be part of the URI to exclusively reference this target.

The build_config block supports:

  • name - (Output) The Cloud Build name of the latest successful deployment of the function.

  • source_location - (Optional) The Cloud Storage bucket URI where the function source code is located.

  • function_target - (Optional) The name of the function (as defined in source code) that will be executed. Defaults to the resource name suffix, if not specified. For backward compatibility, if a function with the given name is not found, then the system will try to use the function named "function".

  • image_uri - (Optional) Artifact Registry URI to store the built image.

  • base_image - (Optional) The base image used to build the function.

  • enable_automatic_updates - (Optional) Sets whether the function will receive automatic base image updates.

  • worker_pool - (Optional) Name of the Cloud Build Custom Worker Pool that should be used to build the Cloud Run function. The format of this field is projects/{project}/locations/{region}/workerPools/{workerPool} where {project} and {region} are the project id and region respectively where the worker pool is defined and {workerPool} is the short name of the worker pool.

  • environment_variables - (Optional) User-provided build-time environment variables for the function.

  • service_account - (Optional) Service account to be used for building the container. The format of this field is projects/{projectId}/serviceAccounts/{serviceAccountEmail}.

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - an identifier for the resource with format projects/{{project}}/locations/{{location}}/services/{{name}}

  • uid - Server-assigned unique identifier for the Service. The value is a UUID4 string and guaranteed to remain unchanged until the resource is deleted.

  • generation - A number that monotonically increases every time the user modifies the desired state. Please note that unlike v1, this is an int64 value. As with most Google APIs, its JSON representation will be a string instead of an integer.

  • create_time - The creation time.

  • update_time - The last-modified time.

  • delete_time - The deletion time.

  • expire_time - For a deleted resource, the time after which it will be permanently deleted.

  • creator - Email address of the authenticated creator.

  • last_modifier - Email address of the last authenticated modifier.

  • observed_generation - The generation of this Service currently serving traffic. See comments in reconciling for additional information on reconciliation process in Cloud Run. Please note that unlike v1, this is an int64 value. As with most Google APIs, its JSON representation will be a string instead of an integer.

  • terminal_condition - The Condition of this Service, containing its readiness status, and detailed error information in case it did not reach a serving state. See comments in reconciling for additional information on reconciliation process in Cloud Run. Structure is documented below.

  • conditions - The Conditions of all other associated sub-resources. They contain additional diagnostics information in case the Service does not reach its Serving state. See comments in reconciling for additional information on reconciliation process in Cloud Run. Structure is documented below.

  • latest_ready_revision - Name of the latest revision that is serving traffic. See comments in reconciling for additional information on reconciliation process in Cloud Run.

  • latest_created_revision - Name of the last created revision. See comments in reconciling for additional information on reconciliation process in Cloud Run.

  • traffic_statuses - Detailed status information for corresponding traffic targets. See comments in reconciling for additional information on reconciliation process in Cloud Run. Structure is documented below.

  • uri - The main URI at which this Service is serving traffic.

  • urls - All URLs serving traffic for this Service.

  • reconciling - Returns true if the Service is currently being acted upon by the system to bring it into the desired state. When a new Service is created, or an existing one is updated, Cloud Run will asynchronously perform all necessary steps to bring the Service to the desired serving state. This process is called reconciliation. While reconciliation is in process, observedGeneration, latest_ready_revision, trafficStatuses, and uri will have transient values that might mismatch the intended state. Once reconciliation is over (and this field is false), there are two possible outcomes: reconciliation succeeded and the serving state matches the Service, or there was an error, and reconciliation failed. This state can be found in terminalCondition.state. If reconciliation succeeded, the following fields will match: traffic and trafficStatuses, observedGeneration and generation, latestReadyRevision and latestCreatedRevision. If reconciliation failed, trafficStatuses, observedGeneration, and latestReadyRevision will have the state of the last serving revision, or empty for newly created Services. Additional information on the failure can be found in terminalCondition and conditions.

  • etag - A system-generated fingerprint for this version of the resource. May be used to detect modification conflict during updates.

  • terraform_labels - The combination of labels configured directly on the resource and default labels configured on the provider.

  • effective_labels - All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.

  • effective_annotations - All of annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.

The terminal_condition block contains:

  • type - (Output) type is used to communicate the status of the reconciliation process. See also: https://github.com/knative/serving/blob/main/docs/spec/errors.md#error-conditions-and-reporting. Types common to all resources include "Ready", which is True when the Resource is ready.

  • state - (Output) State of the condition.

  • message - (Output) Human readable message indicating details about the current status.

  • last_transition_time - (Output) Last time the condition transitioned from one status to another.

  • severity - (Output) How to interpret failures of this condition; one of Error, Warning, Info.

  • reason - (Output) A common (service-level) reason for this condition.

  • revision_reason - (Output) A reason for the revision condition.

  • execution_reason - (Output) A reason for the execution condition.

The conditions block contains:

  • type - (Output) type is used to communicate the status of the reconciliation process. See also: https://github.com/knative/serving/blob/main/docs/spec/errors.md#error-conditions-and-reporting. Types common to all resources include "Ready", which is True when the Resource is ready.

  • state - (Output) State of the condition.

  • message - (Output) Human readable message indicating details about the current status.

  • last_transition_time - (Output) Last time the condition transitioned from one status to another. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

  • severity - (Output) How to interpret failures of this condition; one of Error, Warning, Info.

  • reason - (Output) A common (service-level) reason for this condition.

  • revision_reason - (Output) A reason for the revision condition.

  • execution_reason - (Output) A reason for the execution condition.

The traffic_statuses block contains:

  • type - (Output) The allocation type for this traffic target.

  • revision - (Output) Revision to which this traffic is sent.

  • percent - (Output) Specifies percent of the traffic to this Revision.

  • tag - (Output) Indicates the string used in the URI to exclusively reference this target.

  • uri - (Output) Displays the target URI.

Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 20 minutes.
  • update - Default is 20 minutes.
  • delete - Default is 20 minutes.

Import

Service can be imported using any of these accepted formats:

  • projects/{{project}}/locations/{{location}}/services/{{name}}
  • {{project}}/{{location}}/{{name}}
  • {{location}}/{{name}}

In Terraform v1.5.0 and later, use an import block to import Service using one of the formats above. For example:

import {
  id = "projects/{{project}}/locations/{{location}}/services/{{name}}"
  to = google_cloud_run_v2_service.default
}

When using the terraform import command, Service can be imported using one of the formats above. For example:

$ terraform import google_cloud_run_v2_service.default projects/{{project}}/locations/{{location}}/services/{{name}}
$ terraform import google_cloud_run_v2_service.default {{project}}/{{location}}/{{name}}
$ terraform import google_cloud_run_v2_service.default {{location}}/{{name}}

User Project Overrides

This resource supports User Project Overrides.