import-automation/terraform/main.tf (317-318)

The service account is hardcoded with a specific project number (965988403328), which makes the Terraform configuration non-portable and will cause failures in other GCP projects. Furthermore, using the default compute service account is a security anti-pattern. The Cloud Run service should use the dedicated automation_sa service account, which has already been granted the necessary IAM roles for Spanner and GCS access.

    service_account = google_service_account.automation_sa.email

import-automation/terraform/main.tf (351-357)

The spanner_ingestion_workflow needs to be updated to call the new Cloud Run service instead of the now-deleted Cloud Function. The current workflow YAML (as seen in the context) constructs a Cloud Function URL which is no longer valid. You should pass the Cloud Run service URI as an environment variable and update the workflow YAML to use sys.get_env("INGESTION_FUNCTION_URL").

  user_env_vars = {
    LOCATION               = var.region
    PROJECT_ID             = var.project_id
    SPANNER_PROJECT_ID     = local.spanner_project_id
    SPANNER_INSTANCE_ID    = var.spanner_instance_id
    SPANNER_DATABASE_ID    = var.spanner_database_id
    INGESTION_FUNCTION_URL = google_cloud_run_v2_service.ingestion_helper_service.uri
  }

import-automation/terraform/main.tf (84)

Using the :latest tag for the container image can lead to non-deterministic deployments. If the image is updated in the registry, new deployments or auto-scaling events might pull a different version than intended. It is recommended to use a specific version tag or a container image digest for production environments.