2

https://www.terraform.io/docs/providers/google/d/google_container_registry_repository.html

There is a data source but no resource.

GCR seems to have no direct API. Is there a workaround for creating a GCR repo with Terraform? Can I create a folder in that "artifacts" bucket that GCR uses? Is there a way to manually terraform a GCR repo?

red888

2 Answers

3

First, Terraform's notion of google_container_registry_repository seems incomplete, because it represents only "root repositories":

  • gcr.io/[PROJECT_ID]
  • [REGION].gcr.io/[PROJECT_ID], where [REGION] can be us, eu or asia

Whereas "repository" (in GCP terminology) can also refer to:

  • [REGION].gcr.io/[PROJECT_ID]/my-repo
  • [REGION].gcr.io/[PROJECT_ID]/my-repo/my-sub-repo
  • ...

There is no notion of these types of repositories in the Terraform data source.

That being said:

  • "root repositories" cannot be created and are managed by Google (if a new region xy appears, then xy.gcr.io will be created by Google)
  • other repositories used to order images (for example, a repository per developer or per project) seem to be kind of an abstract notion, more like directories in Google Cloud Storage. They are created "on-the-fly" when you push an image, and they do not exist if there is no image in them. To complete the analogy between GCS directories and GCR repositories, note that there are also no google_storage_bucket_directory resources.

For the latter kind of repositories (my-repo, my-repo/my-subrepo), the underlying storage bucket cannot be configured: it will always be artifacts.[PROJECT-ID].appspot.com or [REGION].artifacts.[PROJECT-ID].appspot.com, depending on the "root repository". There is no way to isolate different repositories in different buckets.

So in conclusion: you cannot create a GCR repository, whether it be with Terraform, with gcloud, from the web UI, etc.

norbjd
1

You can create GCRs using Terraform, but you can't destroy them or change region; the problem is with how GCR is implemented by Google rather than a limitation of Terraform.

As norbjd explained (pretty well imho), GCR is like a front-end for buckets that store container images.

GCP doesn't seem to have a concept of deleting GCRs at all; you have to delete the underlying bucket. Terraform can't handle this because it's like saying "when you apply use resource A but when you destroy use resource B".
To destroy, you need some other mechanism, either manually deleting the bucket(s) or running a gcloud command, for instance.

This simple code will create a repo, and it will be reported as destroyed successfully by terraform destroy, but it will still appear in Container Registries in your project (and may still be incurring storage costs):

    # This creates a global GCR in the current project.
    # Though it actually creates the multi-region bucket 'artifacts.[PROJECT_ID].appspot.com'
    resource "google_container_registry" "my_registry" {
    }

PeteP
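The bucket naming rule from norbjd's answer, written out as an added example (not code from either answer or from Google): it maps an image reference to its root repository and backing bucket, then groups references by bucket to show which repositories share storage and therefore cannot be isolated from each other at the bucket level. The function names and the `my-project` sample references are constructed for illustration.

```python
import re

# Registry hosts named in the answer: gcr.io and [REGION].gcr.io for us, eu, asia.
KNOWN_REGIONS = {"us", "eu", "asia"}

_REF = re.compile(
    r"^(?:(?P<region>[a-z]+)\.)?gcr\.io/"      # gcr.io or [REGION].gcr.io
    r"(?P<project>[a-z][a-z0-9-]*)"            # [PROJECT_ID]
    r"(?P<path>(?:/[a-z0-9._-]+)*)"            # my-repo/my-sub-repo/image
    r"(?::[\w.-]+)?(?:@sha256:[0-9a-f]{64})?$"  # optional tag and/or digest
)


def backing_bucket(image_ref):
    """Return (root_repository, bucket, path) for a GCR image reference."""
    m = _REF.match(image_ref)
    if not m:
        raise ValueError(f"not a GCR reference: {image_ref!r}")
    region, project = m.group("region"), m.group("project")
    if region is not None and region not in KNOWN_REGIONS:
        raise ValueError(f"unknown GCR region: {region!r}")
    host = f"{region}.gcr.io" if region else "gcr.io"
    prefix = f"{region}." if region else ""
    # Naming rule quoted in the answer above.
    bucket = f"{prefix}artifacts.{project}.appspot.com"
    return f"{host}/{project}", bucket, m.group("path").lstrip("/")


def group_by_bucket(image_refs):
    """Group references by the bucket that stores (and access-controls) them."""
    groups = {}
    for ref in image_refs:
        groups.setdefault(backing_bucket(ref)[1], []).append(ref)
    return groups


# Constructed sample references, not taken from a real project.
SAMPLE_REFS = [
    "gcr.io/my-project/app:1.0",
    "eu.gcr.io/my-project/my-repo/app:1.0",
    "eu.gcr.io/my-project/my-repo/my-sub-repo/app:2.3",
    "asia.gcr.io/my-project/team-b/app",
]

if __name__ == "__main__":
    for bucket, refs in group_by_bucket(SAMPLE_REFS).items():
        print(bucket)
        for ref in refs:
            print("   ", ref)
```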