Pull request overview
This PR introduces Terraform and containerization assets to deploy and run the “class-change-batch” workload on Google Cloud (Cloud Run Job + Cloud Scheduler), including required IAM/service accounts, secrets, and Artifact Registry setup.
Changes:
- Add Terraform module to provision Cloud Run Job, Cloud Scheduler trigger, Artifact Registry repo, Secret Manager secrets, and IAM bindings.
- Add example tfvars and Terraform-related gitignore rules.
- Add Dockerfile and .dockerignore, plus mise tool config update for Terraform.
Reviewed changes
Copilot reviewed 12 out of 13 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| terraform/main.tf | Terraform/provider config, locals, and required API enablement. |
| terraform/variables.tf | Input variables for project/region/Cloud SQL/schedule/image tag. |
| terraform/terraform.tfvars.example | Example variable values for deployment. |
| terraform/service_account.tf | Job service account + Cloud SQL IAM roles + Cloud SQL IAM user creation. |
| terraform/secrets.tf | Secret Manager secrets for USER_ID / USER_PASSWORD + accessor IAM. |
| terraform/cloud_run_job.tf | Cloud Run Job definition with env vars and Secret Manager injection. |
| terraform/scheduler.tf | Scheduler service account, Run invoker binding, and scheduled HTTP trigger. |
| terraform/artifact_registry.tf | Artifact Registry Docker repository provisioning. |
| terraform/outputs.tf | Outputs for service accounts, image/repo, secrets, and job name. |
| Dockerfile | Container image build for the Python batch job. |
| .dockerignore | Reduce Docker build context (excluding terraform, venvs, etc.). |
| .gitignore | Ignore Terraform artifacts and local tfvars. |
| mise.toml | Add Terraform tool management via mise. |
| oauth_token { | ||
| service_account_email = google_service_account.scheduler.email | ||
| } | ||
| } |
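Review bot: the service account referenced in this oauth_token block only ever needs to invoke this one job, so confirm that the roles/run.invoker binding in scheduler.tf is attached to the Cloud Run Job resource itself (for example via google_cloud_run_v2_job_iam_member) rather than granted project-wide; a project-level binding would let this account invoke every job and service in the project. Since no scope is set, the minted token also defaults to the broad cloud-platform scope, which is acceptable only because the account's IAM roles stay this narrow.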
Cloud Scheduler oauth_token { service_account_email = ... } typically requires granting the Cloud Scheduler service agent roles/iam.serviceAccountTokenCreator on the referenced service account; otherwise the scheduler job can fail with permission errors when minting the access token. Add an IAM binding (e.g., google_service_account_iam_member) granting token-creator to the Cloud Scheduler service agent for google_service_account.scheduler.
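One way to add the binding described in the comment above, as an added example rather than code from this PR. It assumes the resource and variable names listed in the file summary (google_service_account.scheduler, var.project_id) and derives the Cloud Scheduler service agent address from the project number.

```hcl
# Added example, not part of the PR: allow the Cloud Scheduler service agent
# to mint OAuth access tokens for the service account referenced in
# oauth_token { service_account_email = google_service_account.scheduler.email }.

# Look up the project so its number can be used to build the service agent
# e-mail. Assumes var.project_id is defined in terraform/variables.tf.
data "google_project" "current" {
  project_id = var.project_id
}

locals {
  # Cloud Scheduler service agent address format:
  # service-<PROJECT_NUMBER>@gcp-sa-cloudscheduler.iam.gserviceaccount.com
  scheduler_service_agent = "service-${data.google_project.current.number}@gcp-sa-cloudscheduler.iam.gserviceaccount.com"
}

# Bind on the service account itself rather than at project level, so the
# scheduler agent can impersonate only this one account and nothing else.
resource "google_service_account_iam_member" "scheduler_token_creator" {
  service_account_id = google_service_account.scheduler.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:${local.scheduler_service_agent}"
}
```

If the Cloud Scheduler service agent has not yet been created in a fresh project, the google-beta resource google_project_service_identity with service = "cloudscheduler.googleapis.com" provisions it and exposes its email attribute, which can replace the hand-built local above.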
@masaya-osuga
Yeah, it should work.