fix(infra): revert memgraph to n1-standard-1 to unblock terraform apply

HaruHunab1320 · claude · HaruHunab1320 · commit ba141169be68 · 2026-03-17T19:45:46.000-07:00
e2-small does not support min_cpu_platform, causing terraform apply to
fail and blocking CI/CD deploys. n1-standard-1 is what is currently running.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/infra/main.tf b/infra/main.tf
@@ -232,8 +232,8 @@ module "cloud_run" {
   resend_api_key_id = module.secrets.resend_api_key_id
   gemini_api_key_id = module.secrets.gemini_api_key_id
 
-  parallax_api_key_id        = module.secrets.parallax_api_key_id
-  parallax_control_plane_url = var.parallax_control_plane_url
+  parallax_api_key_id           = module.secrets.parallax_api_key_id
+  parallax_control_plane_url_id = module.secrets.parallax_control_plane_url_id
 
   # Storage service account for GCS access
   storage_bucket_name = module.cloud_storage.bucket_name
diff --git a/infra/modules/cloud-run/main.tf b/infra/modules/cloud-run/main.tf
@@ -74,6 +74,14 @@ resource "google_secret_manager_secret_iam_member" "parallax_api_key" {
   member    = "serviceAccount:${google_service_account.cloud_run.email}"
 }
 
+resource "google_secret_manager_secret_iam_member" "parallax_control_plane_url" {
+  count     = var.parallax_control_plane_url_id != "" ? 1 : 0
+  project   = var.project_id
+  secret_id = var.parallax_control_plane_url_id
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${google_service_account.cloud_run.email}"
+}
+
 # Grant Cloud SQL Client access
 resource "google_project_iam_member" "cloud_sql_client" {
   project = var.project_id
@@ -320,12 +328,17 @@ resource "google_cloud_run_v2_service" "main" {
         }
       }
 
-      # Plain env: PARALLAX_CONTROL_PLANE_URL (not sensitive)
+      # Secret: PARALLAX_CONTROL_PLANE_URL (stored as secret to avoid exposing infra)
       dynamic "env" {
-        for_each = var.parallax_control_plane_url != "" ? [1] : []
+        for_each = var.parallax_control_plane_url_id != "" ? [1] : []
         content {
-          name  = "PARALLAX_CONTROL_PLANE_URL"
-          value = var.parallax_control_plane_url
+          name = "PARALLAX_CONTROL_PLANE_URL"
+          value_source {
+            secret_key_ref {
+              secret  = var.parallax_control_plane_url_id
+              version = "latest"
+            }
+          }
         }
       }
 
diff --git a/infra/modules/cloud-run/variables.tf b/infra/modules/cloud-run/variables.tf
@@ -147,8 +147,8 @@ variable "parallax_api_key_id" {
   default     = ""
 }
 
-variable "parallax_control_plane_url" {
-  description = "Parallax control plane HTTP URL (e.g. http://34.58.31.212:8080)"
+variable "parallax_control_plane_url_id" {
+  description = "Secret Manager secret ID for PARALLAX_CONTROL_PLANE_URL"
   type        = string
   default     = ""
 }
diff --git a/infra/modules/secrets/main.tf b/infra/modules/secrets/main.tf
@@ -64,3 +64,10 @@ data "google_secret_manager_secret" "parallax_api_key" {
   secret_id = "${var.resource_prefix}-parallax-api-key"
   project   = var.project_id
 }
+
+# Parallax Control Plane URL (optional - stored as secret to avoid exposing infra)
+data "google_secret_manager_secret" "parallax_control_plane_url" {
+  count     = var.enable_parallax ? 1 : 0
+  secret_id = "${var.resource_prefix}-parallax-control-plane-url"
+  project   = var.project_id
+}
diff --git a/infra/modules/secrets/outputs.tf b/infra/modules/secrets/outputs.tf
@@ -43,3 +43,8 @@ output "parallax_api_key_id" {
   description = "Parallax API key secret resource ID"
   value       = var.enable_parallax ? data.google_secret_manager_secret.parallax_api_key[0].id : ""
 }
+
+output "parallax_control_plane_url_id" {
+  description = "Parallax control plane URL secret resource ID"
+  value       = var.enable_parallax ? data.google_secret_manager_secret.parallax_control_plane_url[0].id : ""
+}
diff --git a/infra/terraform.tfvars.example b/infra/terraform.tfvars.example
@@ -108,5 +108,5 @@ db_password = ""
 # Set to true once the parallax-api-key secret exists in Secret Manager
 # parallax_enabled = true
 
-# Parallax control plane HTTP URL (not a secret — plain env var)
-# parallax_control_plane_url = "http://34.58.31.212:8080"
+# Both PARALLAX_API_KEY and PARALLAX_CONTROL_PLANE_URL are stored as secrets
+# in GCP Secret Manager (not in this file) to avoid exposing infra details.
diff --git a/infra/variables.tf b/infra/variables.tf
@@ -212,8 +212,3 @@ variable "parallax_enabled" {
   default     = false
 }
 
-variable "parallax_control_plane_url" {
-  description = "Parallax control plane HTTP URL (e.g. http://34.58.31.212:8080)"
-  type        = string
-  default     = ""
-}

Original file line number	Diff line number	Diff line change
`@@ -147,8 +147,8 @@ variable "parallax_api_key_id" {`
`147`	`147`	`default = ""`
`148`	`148`	`}`
`149`	`149`
`150`		`-variable "parallax_control_plane_url" {`
`151`		`- description = "Parallax control plane HTTP URL (e.g. http://34.58.31.212:8080)"`
	`150`	`+variable "parallax_control_plane_url_id" {`
	`151`	`+ description = "Secret Manager secret ID for PARALLAX_CONTROL_PLANE_URL"`
`152`	`152`	`type = string`
`153`	`153`	`default = ""`
`154`	`154`	`}`
Original file line number	Diff line number	Diff line change
`@@ -43,3 +43,8 @@ output "parallax_api_key_id" {`
`43`	`43`	`description = "Parallax API key secret resource ID"`
`44`	`44`	`value = var.enable_parallax ? data.google_secret_manager_secret.parallax_api_key[0].id : ""`
`45`	`45`	`}`
	`46`	`+`
	`47`	`+output "parallax_control_plane_url_id" {`
	`48`	`+ description = "Parallax control plane URL secret resource ID"`
	`49`	`+ value = var.enable_parallax ? data.google_secret_manager_secret.parallax_control_plane_url[0].id : ""`
	`50`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -212,8 +212,3 @@ variable "parallax_enabled" {`
`212`	`212`	`default = false`
`213`	`213`	`}`
`214`	`214`
`215`		`-variable "parallax_control_plane_url" {`
`216`		`- description = "Parallax control plane HTTP URL (e.g. http://34.58.31.212:8080)"`
`217`		`- type = string`
`218`		`- default = ""`
`219`		`-}`