Datadog Terraform module for Google Cloud Run

Use this Terraform module to install Datadog Serverless Monitoring for Google Cloud Run services.

This Terraform module wraps the google_cloud_run_v2_service resource and automatically configures your Cloud Run application for Datadog Serverless Monitoring by:

• creating the google_cloud_run_v2_service resource invocation
• adding the designated volumes, volume_mounts to the main container if the user enables logging
• adding the Datadog agent as a sidecar container to collect metrics, traces, and logs
• configuring environment variables for Datadog instrumentation

Usage

module "datadog-cloud-run-v2-<language>" {
  source = "DataDog/cloud-run-datadog/google"
  name = var.name
  location = var.region
  deletion_protection = false

  datadog_api_key = "example-datadog-api-key"
  datadog_service = "cloud-run-tf-<language>-example"
  datadog_version = "1_0_0"
  datadog_env = "serverless"
  datadog_enable_logging = true


  datadog_sidecar = {
    # use default sidecar image, name, resources, healthport
  }

  template = {
    containers = [
      {
        name = "my-cloud-run-app"
        image = "us-docker.pkg.dev/cloudrun/container/hello"
        resources = {
          limits = {
            cpu    = "1"
            memory = "512Mi"
          }
        }
        ports = {
          container_port = 8080
        }
      },
    ]
  }

}

Note: Make sure exactly one of the containers passed into template.containers has a ports block:

ports = {
    container_port = <Port number>
}

Configuration

Module syntax

Wraps google_cloud_run_v2_service resource

• Arguments available in the google_cloud_run_v2_service resource are available in this Terraform module.
• All blocks (template, containers, volumes, etc) in the resource are represented in the module as objects with required types - insert an =
• Any resource optional blocks that can occur multiple times are represented as a list-collection of objects with the same types/parameters as the blocks
• See variables.tf for the complete list of variables, or the table below for full syntax details/examples

Datadog Variables

The following Datadog variables should be set on application containers:

Variable	Purpose	How to Set
DD_SERVICE	Enables Unified Service Tagging. Defaults to the Cloud Run service name.	Set via the datadog_service parameter or per container in template.containers[*].env.
DD_SERVERLESS_LOG_PATH	Used when logging is enabled (datadog_enable_logging = true). Is the path where logs are written and where the agent sidecar reads from.	Set via datadog_logging_path.
DD_LOGS_INJECTION	Enables automatic correlation of logs and traces.	Set automatically if datadog_enable_logging = true, or manually in template.containers[*].env.
DD_TRACE_ENABLED	Toggles APM tracing. Defaults to true.	Leave unset to use the default, or override in template.containers[*].env.

The following Datadog variables can be set for sidecar:

Variable	Purpose	How to Set
DD_SERVERLESS_LOG_PATH	Must match where the application containers write logs if logging is enabled.	Automatically set via datadog_logging_path when datadog_enable_logging = true.
DD_SERVICE	Used for Unified Service Tagging. Defaults to the Cloud Run service name.	Set via datadog_service.
DD_VERSION	(Optional) Part of Unified Service Tagging (e.g., Git SHA or application version).	Set via datadog_version.
DD_ENV	(Optional) Part of Unified Service Tagging (e.g., serverless, staging).	Set via datadog_env.
DD_SITE	Target Datadog site (e.g., datadoghq.com, datadoghq.eu).	Set via datadog_site.
DD_API_KEY	API key used by the Datadog agent to send telemetry.	Set via datadog_api_key.
DD_HEALTH_PORT	Port used by the sidecar’s startup probe. Defaults to 5555.	Set via datadog_sidecar.health_port.
DD_LOG_LEVEL	(Optional) Controls log verbosity in Cloud Run logs (TRACE, DEBUG, INFO, etc.).	Set via datadog_log_level.
Other agent environment variables	For advanced agent configuration. Avoid overriding any of the above variables.	Set via datadog_sidecar.env_vars.

Transitioning from resource to module

If you've an established resource instrumentation but would like to switch to the module instead:

• Add an = to every resources block, and for optional, repeatable blocks like volumes, volume_mounts, env, containers convert them to a list of objects representation
• Make sure to remove any containers with the datadog sidecar name from your template, and remove any DD_* environment variables from your app containers
• Declare the DD_* environment variables either in the corresponding module's datadog_* parameters or as container env vars in template.containers[*].env
• To avoid Terraform destroying the resource, declare a moved block in your configuration, making sure the name parameter in both module and resource are the same so the service is updated in place:

   moved {
    from = google_cloud_run_v2_service.{your_service}
    to   = module.{your_service}.google_cloud_run_v2_service.this
   }

google_cloud_run_v2_service resource

resource "google_cloud_run_v2_service" "example_cloud_run_service" {
  name = "cloud-run-example"
  ...
  template {
    containers {
        name = "main-container"
        image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
    containers {
        name = "container-2"
        image = "us-docker.pkg.dev/cloudrun/container/hello:latest"
    }
  }
  ...
}

Datadog Terraform module for Google Cloud Run

module "example_cloud_run_service" {
  source = "DataDog/cloud-run-datadog/google"
  name = "cloud-run-example"
  ...
  template = {
    containers = [
      {
        name = "main-container"
        image = "us-docker.pkg.dev/cloudrun/container/hello"
      },
      {
        name = "container-2"
        image = "us-docker.pkg.dev/cloudrun/container/hello:latest"
      },
    ]
  }
  ...
}

Requirements

Name	Version
terraform	>= 1.5.0
google	>= 7.19.0

Modules

No modules.

Resources

Name	Type
google_cloud_run_v2_service.this	resource

Inputs

Name	Description	Type	Default	Required
annotations	Unstructured key value map that may be set by external tools to store and arbitrary metadata. They are not queryable and should be preserved when modifying objects. Cloud Run API v2 does not support annotations with 'run.googleapis.com', 'cloud.googleapis.com', 'serving.knative.dev', or 'autoscaling.knative.dev' namespaces, and they will be rejected in new resources. All system annotations in v1 now have a corresponding field in v2 Service. This field follows Kubernetes annotations' namespacing, limits, and rules. Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field 'effective_annotations' for all of the annotations present on the resource.	map(string)	null	no
binary_authorization	n/a	object({ breakglass_justification = optional(string), policy = optional(string), use_default = optional(bool) })	null	no
build_config	n/a	object({ base_image = optional(string), enable_automatic_updates = optional(bool), environment_variables = optional(map(string)), function_target = optional(string), image_uri = optional(string), service_account = optional(string), source_location = optional(string), worker_pool = optional(string) })	null	no
client	Arbitrary identifier for the API client.	string	null	no
client_version	Arbitrary version identifier for the API client.	string	null	no
custom_audiences	One or more custom audiences that you want this service to support. Specify each custom audience as the full URL in a string. The custom audiences are encoded in the token and used to authenticate requests. For more information, see https://cloud.google.com/run/docs/configuring/custom-audiences.	list(string)	null	no
datadog_api_key	Datadog API key	string	n/a	yes
datadog_enable_logging	Enables log collection. Defaults to true.	bool	true	no
datadog_env	Datadog Environment tag, used for Unified Service Tagging.	string	null	no
datadog_log_level	Datadog agent's level of log output in Cloud Run UI, from most to least output: TRACE, DEBUG, INFO, WARN, ERROR, CRITICAL	string	null	no
datadog_logging_path	Datadog logging path to be used for log collection. Ensure var.datadog_enable_logging is true. Must begin with path given in var.datadog_shared_volume.mount_path.	string	"/shared-volume/logs/*.log"	no
datadog_service	Datadog Service tag, used for Unified Service Tagging.	string	null	no
datadog_shared_volume	Datadog shared volume for log collection. Ensure var.datadog_enable_logging is true. Note: will always be of type empty_dir and in-memory. If a volume with this name is provided as part of var.template.volumes, it will be overridden.	object({ name = string mount_path = string size_limit = optional(string) })	{ "mount_path": "/shared-volume", "name": "shared-volume" }	no
datadog_sidecar	Datadog sidecar configuration. Nested attributes include: - image - Image for version of Datadog agent to use. - name - Name of the sidecar container. - resources - Resources like for any cloud run container. - startup_probe - Startup probe settings only for failure_threshold, initial_delay_seconds, period_seconds, timeout_seconds. - health_port - Health port to start the startup probe. - env_vars - List of environment variables with name and value fieldsfor customizing Datadog agent configuration, if any.	object({ image = optional(string, "gcr.io/datadoghq/serverless-init:latest") name = optional(string, "datadog-sidecar") resources = optional(object({ limits = optional(object({ cpu = optional(string, "1") memory = optional(string, "512Mi") }), null), }), { # default sidecar resources limits = { cpu = "1" memory = "512Mi" } }) startup_probe = optional( object({ failure_threshold = optional(number), initial_delay_seconds = optional(number), period_seconds = optional(number), timeout_seconds = optional(number), }), { # default startup probe failure_threshold = 3 period_seconds = 10 initial_delay_seconds = 0 timeout_seconds = 1 } ) health_port = optional(number, 5555) # DD_HEALTH_PORT env = optional(list(object({ # user-customizable env vars for Datadog agent configuration name = string value = string })), null) })	{ "health_port": 5555, "image": "gcr.io/datadoghq/serverless-init:latest", "name": "datadog-sidecar", "resources": { "limits": { "cpu": "1", "memory": "512Mi" } }, "startup_probe": { "failure_threshold": 3, "initial_delay_seconds": 0, "period_seconds": 10, "timeout_seconds": 1 } }	no
datadog_site	Datadog site	string	"datadoghq.com"	no
datadog_tags	Datadog tags	list(string)	null	no
datadog_version	Datadog Version tag, used for Unified Service Tagging.	string	null	no
default_uri_disabled	Disables public resolution of the default URI of this service.	bool	null	no
deletion_protection	Whether Terraform will be prevented from destroying the service. Defaults to true. When a'terraform destroy' or 'terraform apply' would delete the service, the command will fail if this field is not set to false in Terraform state. When the field is set to true or unset in Terraform state, a 'terraform apply' or 'terraform destroy' that would delete the service will fail. When the field is set to false, deleting the service is allowed.	bool	null	no
description	User-provided description of the Service. This field currently has a 512-character limit.	string	null	no
ingress	Provides the ingress settings for this Service. On output, returns the currently observed ingress settings, or INGRESS_TRAFFIC_UNSPECIFIED if no revision is active. Possible values: ["INGRESS_TRAFFIC_ALL", "INGRESS_TRAFFIC_INTERNAL_ONLY", "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"]	string	null	no
invoker_iam_disabled	Disables IAM permission check for run.routes.invoke for callers of this service. For more information, visit https://cloud.google.com/run/docs/securing/managing-access#invoker_check.	bool	null	no
labels	Unstructured key value map that can be used to organize and categorize objects. User-provided labels are shared with Google's billing system, so they can be used to filter, or break down billing charges by team, component, environment, state, etc. For more information, visit https://docs.cloud.google.com/resource-manager/docs/creating-managing-labels or https://cloud.google.com/run/docs/configuring/labels. Cloud Run API v2 does not support labels with 'run.googleapis.com', 'cloud.googleapis.com', 'serving.knative.dev', or 'autoscaling.knative.dev' namespaces, and they will be rejected. All system labels in v1 now have a corresponding field in v2 Service. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.	map(string)	null	no
launch_stage	The launch stage as defined by Google Cloud Platform Launch Stages. Cloud Run supports ALPHA, BETA, and GA. If no value is specified, GA is assumed. Set the launch stage to a preview stage on input to allow use of preview features in that stage. On read (or output), describes whether the resource uses preview features. For example, if ALPHA is provided as input, but only BETA and GA-level features are used, this field will be BETA on output. Possible values: ["UNIMPLEMENTED", "PRELAUNCH", "EARLY_ACCESS", "ALPHA", "BETA", "GA", "DEPRECATED"]	string	null	no
location	The location of the cloud run service	string	n/a	yes
multi_region_settings	n/a	object({ regions = optional(list(string)) })	null	no
name	Name of the Service.	string	n/a	yes
project	n/a	string	null	no
scaling	n/a	object({ scaling_mode = optional(string) })	null	no
template	n/a	object({ annotations = optional(map(string)), encryption_key = optional(string), execution_environment = optional(string), gpu_zonal_redundancy_disabled = optional(bool), health_check_disabled = optional(bool), labels = optional(map(string)), max_instance_request_concurrency = optional(number), revision = optional(string), service_account = optional(string), session_affinity = optional(bool), timeout = optional(string), containers = optional(list(object({ args = optional(list(string)), base_image_uri = optional(string), command = optional(list(string)), depends_on = optional(list(string)), image = string, name = optional(string), working_dir = optional(string), env = optional(set(object({ name = string, value = optional(string), value_source = optional(object({ secret_key_ref = optional(object({ secret = string, version = optional(string) })) })) }))), liveness_probe = optional(object({ failure_threshold = optional(number), initial_delay_seconds = optional(number), period_seconds = optional(number), timeout_seconds = optional(number), grpc = optional(object({ port = optional(number), service = optional(string) })), http_get = optional(object({ path = optional(string), port = optional(number), http_headers = optional(list(object({ name = string, value = optional(string) }))) })), tcp_socket = optional(object({ port = number })) })), ports = optional(object({ container_port = optional(number), name = optional(string) })), readiness_probe = optional(object({ grpc = optional(object({ service = optional(string) })), http_get = optional(object({ })) })), resources = optional(object({ cpu_idle = optional(bool), limits = optional(map(string)), startup_cpu_boost = optional(bool) })), startup_probe = optional(object({ failure_threshold = optional(number), initial_delay_seconds = optional(number), period_seconds = optional(number), timeout_seconds = optional(number), grpc = optional(object({ port = optional(number), service = optional(string) })), http_get = optional(object({ path = optional(string), port = optional(number), http_headers = optional(list(object({ name = string, value = optional(string) }))) })), tcp_socket = optional(object({ port = optional(number) })) })), volume_mounts = optional(list(object({ mount_path = string, name = string, sub_path = optional(string) }))) }))), node_selector = optional(object({ accelerator = string })), scaling = optional(object({ max_instance_count = optional(number), min_instance_count = optional(number) })), volumes = optional(list(object({ name = string, cloud_sql_instance = optional(object({ instances = optional(set(string)) })), empty_dir = optional(object({ medium = optional(string), size_limit = optional(string) })), gcs = optional(object({ bucket = string, mount_options = optional(list(string)), read_only = optional(bool) })), nfs = optional(object({ path = string, read_only = optional(bool), server = string })), secret = optional(object({ default_mode = optional(number), secret = string, items = optional(list(object({ mode = optional(number), path = string, version = optional(string) }))) })) }))), vpc_access = optional(object({ connector = optional(string), egress = optional(string), network_interfaces = optional(list(object({ network = optional(string), subnetwork = optional(string), tags = optional(list(string)) }))) })) })	n/a	yes
timeouts	n/a	object({ create = optional(string), delete = optional(string), update = optional(string) })	null	no
traffic	n/a	list(object({ percent = optional(number), revision = optional(string), tag = optional(string), type = optional(string) }))	null	no

Outputs

Name	Description
annotations	Unstructured key value map that may be set by external tools to store and arbitrary metadata. They are not queryable and should be preserved when modifying objects. Cloud Run API v2 does not support annotations with 'run.googleapis.com', 'cloud.googleapis.com', 'serving.knative.dev', or 'autoscaling.knative.dev' namespaces, and they will be rejected in new resources. All system annotations in v1 now have a corresponding field in v2 Service. This field follows Kubernetes annotations' namespacing, limits, and rules. Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field 'effective_annotations' for all of the annotations present on the resource.
binary_authorization	n/a
build_config	n/a
client	Arbitrary identifier for the API client.
client_version	Arbitrary version identifier for the API client.
conditions	The Conditions of all other associated sub-resources. They contain additional diagnostics information in case the Service does not reach its Serving state. See comments in reconciling for additional information on reconciliation process in Cloud Run.
create_time	The creation time.
creator	Email address of the authenticated creator.
custom_audiences	One or more custom audiences that you want this service to support. Specify each custom audience as the full URL in a string. The custom audiences are encoded in the token and used to authenticate requests. For more information, see https://cloud.google.com/run/docs/configuring/custom-audiences.
default_uri_disabled	Disables public resolution of the default URI of this service.
delete_time	The deletion time.
deletion_protection	Whether Terraform will be prevented from destroying the service. Defaults to true. When a'terraform destroy' or 'terraform apply' would delete the service, the command will fail if this field is not set to false in Terraform state. When the field is set to true or unset in Terraform state, a 'terraform apply' or 'terraform destroy' that would delete the service will fail. When the field is set to false, deleting the service is allowed.
description	User-provided description of the Service. This field currently has a 512-character limit.
effective_annotations	All of annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
effective_labels	All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.
etag	A system-generated fingerprint for this version of the resource. May be used to detect modification conflict during updates.
expire_time	For a deleted resource, the time after which it will be permanently deleted.
generation	A number that monotonically increases every time the user modifies the desired state. Please note that unlike v1, this is an int64 value. As with most Google APIs, its JSON representation will be a string instead of an integer.
id	n/a
ignored_containers	List of containers that are ignored by the module.
ignored_volume_mounts	List of volume mounts that overlap with the Datadog shared volume and are ignored by the module.
ignored_volumes	List of volumes that are ignored by the module.
ingress	Provides the ingress settings for this Service. On output, returns the currently observed ingress settings, or INGRESS_TRAFFIC_UNSPECIFIED if no revision is active. Possible values: ["INGRESS_TRAFFIC_ALL", "INGRESS_TRAFFIC_INTERNAL_ONLY", "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"]
invoker_iam_disabled	Disables IAM permission check for run.routes.invoke for callers of this service. For more information, visit https://cloud.google.com/run/docs/securing/managing-access#invoker_check.
labels	Unstructured key value map that can be used to organize and categorize objects. User-provided labels are shared with Google's billing system, so they can be used to filter, or break down billing charges by team, component, environment, state, etc. For more information, visit https://docs.cloud.google.com/resource-manager/docs/creating-managing-labels or https://cloud.google.com/run/docs/configuring/labels. Cloud Run API v2 does not support labels with 'run.googleapis.com', 'cloud.googleapis.com', 'serving.knative.dev', or 'autoscaling.knative.dev' namespaces, and they will be rejected. All system labels in v1 now have a corresponding field in v2 Service. Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field 'effective_labels' for all of the labels present on the resource.
last_modifier	Email address of the last authenticated modifier.
latest_created_revision	Name of the last created revision. See comments in reconciling for additional information on reconciliation process in Cloud Run.
latest_ready_revision	Name of the latest revision that is serving traffic. See comments in reconciling for additional information on reconciliation process in Cloud Run.
launch_stage	The launch stage as defined by Google Cloud Platform Launch Stages. Cloud Run supports ALPHA, BETA, and GA. If no value is specified, GA is assumed. Set the launch stage to a preview stage on input to allow use of preview features in that stage. On read (or output), describes whether the resource uses preview features. For example, if ALPHA is provided as input, but only BETA and GA-level features are used, this field will be BETA on output. Possible values: ["UNIMPLEMENTED", "PRELAUNCH", "EARLY_ACCESS", "ALPHA", "BETA", "GA", "DEPRECATED"]
location	The location of the cloud run service
multi_region_settings	n/a
name	Name of the Service.
observed_generation	The generation of this Service currently serving traffic. See comments in reconciling for additional information on reconciliation process in Cloud Run. Please note that unlike v1, this is an int64 value. As with most Google APIs, its JSON representation will be a string instead of an integer.
project	n/a
reconciling	Returns true if the Service is currently being acted upon by the system to bring it into the desired state. When a new Service is created, or an existing one is updated, Cloud Run will asynchronously perform all necessary steps to bring the Service to the desired serving state. This process is called reconciliation. While reconciliation is in process, observedGeneration, latest_ready_revison, trafficStatuses, and uri will have transient values that might mismatch the intended state: Once reconciliation is over (and this field is false), there are two possible outcomes: reconciliation succeeded and the serving state matches the Service, or there was an error, and reconciliation failed. This state can be found in terminalCondition.state. If reconciliation succeeded, the following fields will match: traffic and trafficStatuses, observedGeneration and generation, latestReadyRevision and latestCreatedRevision. If reconciliation failed, trafficStatuses, observedGeneration, and latestReadyRevision will have the state of the last serving revision, or empty for newly created Services. Additional information on the failure can be found in terminalCondition and conditions.
scaling	n/a
template	n/a
terminal_condition	The Condition of this Service, containing its readiness status, and detailed error information in case it did not reach a serving state. See comments in reconciling for additional information on reconciliation process in Cloud Run.
terraform_labels	The combination of labels configured directly on the resource and default labels configured on the provider.
timeouts	n/a
traffic	n/a
traffic_statuses	Detailed status information for corresponding traffic targets. See comments in reconciling for additional information on reconciliation process in Cloud Run.
uid	Server assigned unique identifier for the trigger. The value is a UUID4 string and guaranteed to remain unchanged until the resource is deleted.
update_time	The last-modified time.
uri	The main URI in which this Service is serving traffic.
urls	All URLs serving traffic for this Service.