Dec 21, 2025

How to Fix Terraform Too Many Open Files on Google Cloud Run

Troubleshooting “Terraform Too Many Open Files” on Google Cloud Run

As a Senior DevOps Engineer, encountering the “Too Many Open Files” error is a classic rite of passage. When it surfaces with Terraform running on Google Cloud Run, it introduces a unique set of considerations due to Cloud Run’s serverless, containerized, and managed environment. This guide will walk you through diagnosing and resolving this issue.

1. The Root Cause: Why This Happens on Google Cloud Run

The “Too Many Open Files” error, often reported as EMFILE or ulimit exceeded, occurs when a process attempts to open more file descriptors than the operating system’s configured limit allows. In the context of Terraform on Cloud Run, this typically stems from:

Terraform’s Nature: Terraform is an I/O and process-intensive tool.
- Provider Plugins: Each provider (e.g., google, kubernetes, helm) runs as a separate child process. Complex configurations with many distinct providers, or multiple instances of the same provider, can quickly consume file descriptors.
- API Interactions: Terraform makes numerous API calls to manage resources. Each network connection (a socket) consumes a file descriptor. A large number of resources or a configuration with high concurrency can lead to many concurrent connections.
- State Management: Reading and writing remote state (e.g., from Google Cloud Storage) also involves network and file I/O.
- Temporary Files: Terraform and its providers might create temporary files during execution.
Google Cloud Run’s Environment:
- Default ulimit: Cloud Run containers, like many Linux environments, come with a default ulimit -n (number of open files) that is often 1024 or 4096. While sufficient for many web services, complex Terraform operations can easily exceed this, especially when managing hundreds or thousands of resources across multiple providers.
- Container Abstraction: You don’t have direct root access to the underlying host system to modify /etc/security/limits.conf or use sysctl commands after the container has started. Any ulimit modification must be applied at the process level within your container’s execution.
- Ephemeral Nature: Each execution of your Cloud Run service or job starts a fresh container, meaning no persistent changes to system-wide limits.

In essence, a demanding Terraform workflow clashes with the default, pragmatic resource limits of a general-purpose container environment.

2. Quick Fix (CLI)

The most direct way to mitigate this issue is to increase the ulimit for the Terraform process within your Docker container. Since Cloud Run controls the container’s execution, this change needs to be part of your container image’s ENTRYPOINT or CMD.

Step 1: Modify your Dockerfile

Adjust your Dockerfile to set a higher ulimit specifically for the Terraform command. We can achieve this by wrapping the terraform command with ulimit -n in the ENTRYPOINT or CMD directive.

# Start with a suitable base image (e.g., one that includes Terraform or where you install it)
# For demonstration, let's assume you have Terraform installed or copy it.
FROM hashicorp/terraform:1.x.x # Or your custom base image with Terraform

WORKDIR /app

# Copy your Terraform configuration files
COPY . .

# Set a higher ulimit for the Terraform process.
# Choose a value like 8192, 16384, or even 32768, depending on your needs.
# The `sh -c` ensures the ulimit command is executed before terraform.
ENTRYPOINT ["/bin/sh", "-c", "ulimit -n 16384 && terraform $*"]

# You might typically use a CMD here to define the default operation,
# e.g., CMD ["apply", "-auto-approve"] if this is for an automated job.
# If you're running terraform commands manually via Cloud Run's command override,
# the ENTRYPOINT will ensure the ulimit is set for whatever you pass.

Explanation:

ulimit -n 16384: Sets the maximum number of open file descriptors for the subsequent command to 16,384.
&& terraform $*: Ensures that if ulimit command succeeds, Terraform is then executed with any arguments passed to the container.

Step 2: Build and Deploy the Container Image

Build your Docker image:

gcloud builds submit --tag gcr.io/YOUR_PROJECT_ID/terraform-runner:latest .

Replace YOUR_PROJECT_ID with your Google Cloud Project ID.

Deploy to Cloud Run (Service or Job):

For a Cloud Run Service (if running Terraform via an API endpoint):

gcloud run deploy terraform-service \
  --image gcr.io/YOUR_PROJECT_ID/terraform-runner:latest \
  --platform managed \
  --region YOUR_REGION \
  --no-allow-unauthenticated # Secure your service appropriately

For a Cloud Run Job (recommended for one-off Terraform runs):
```
gcloud run jobs create terraform-job \
  --image gcr.io/YOUR_PROJECT_ID/terraform-runner:latest \
  --region YOUR_REGION \
  --command "apply" --arg "-auto-approve" \
  --cpu 2 --memory 4Gi # Allocate sufficient resources
```
Note: For Cloud Run Jobs, you explicitly define the command and args that will override the CMD in your Dockerfile (if present) and are appended to the ENTRYPOINT. The ulimit set in the ENTRYPOINT will still apply.

3. Configuration Check

Beyond the quick fix, review these configurations to ensure robustness and prevent recurrence.

3.1. Dockerfile and Container Configuration

ulimit in ENTRYPOINT/CMD: Double-check that the ulimit -n command is correctly integrated and applies to the terraform process. Make sure it’s placed before the actual terraform command execution.
Base Image: Ensure your base image is suitable and doesn’t introduce its own ulimit restrictions that can’t be overridden. Using minimal images can sometimes reduce overall resource consumption.
Resource Allocation:
- CPU and Memory: Terraform can be CPU and memory intensive, especially with large configurations. Insufficient resources can lead to slower execution, retries, and indirectly exacerbate file descriptor issues. Increase CPU (e.g., 2-4 cores) and Memory (e.g., 2-8GiB) for your Cloud Run service/job.
```
# Example for updating a Cloud Run service
gcloud run services update terraform-service \
  --cpu 2 --memory 4Gi \
  --region YOUR_REGION
```
```
# Example for updating a Cloud Run job (or when creating)
gcloud run jobs update terraform-job \
  --cpu 2 --memory 4Gi \
  --region YOUR_REGION
```
Concurrency (for Cloud Run Services): If your Cloud Run service is handling multiple concurrent requests that each run a Terraform operation, consider reducing the maximum concurrency. While Terraform typically runs one primary process, high service concurrency could strain the underlying system if each instance is hitting ulimit. For Terraform, a concurrency of 1 is often appropriate.

3.2. Terraform Configuration (`.tf` files)

Provider Versions: Ensure you’re using recent and stable versions of your Terraform providers. Older versions might have memory leaks or inefficient resource handling that indirectly contributes to open file issues.

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 4.0" # Use a modern, stable version
    }
    # ... other providers
  }
}

Backend Configuration: Verify your backend configuration for GCS. Ensure state locking is correctly configured to prevent concurrent writes, which can sometimes lead to transient issues.

terraform {
  backend "gcs" {
    bucket         = "your-terraform-state-bucket"
    prefix         = "terraform/state"
    # Optional: Set a specific project if different from the default
    # project        = "your-gcp-project"
  }
}

Reduce Concurrency (Terraform parallelism): While not directly ulimit-related, reducing Terraform’s internal parallelism can sometimes help reduce the number of simultaneous network connections or child processes. This is usually managed via the -parallelism flag, though default is generally sensible.
```
terraform apply -parallelism=10 # Default is 10, reduce if necessary
```
Module Breakdown: For extremely large and complex configurations, consider breaking down your Terraform root module into smaller, more manageable child modules or distinct root modules. This can reduce the scope of a single terraform apply operation.

4. Verification

After implementing the changes, it’s crucial to verify that the “Too Many Open Files” error is resolved and that Terraform executes successfully.

Re-run the Terraform Operation:
- For Cloud Run Service: Trigger the API endpoint that invokes your Terraform run.
- For Cloud Run Job: Execute the job again:
```
gcloud run jobs execute terraform-job --region YOUR_REGION
```
Monitor Cloud Logging:
- Navigate to Cloud Logging in the Google Cloud Console.
- Filter logs by your Cloud Run service or job.
- Look for the specific “Too Many Open Files” error message. If the error no longer appears, it’s a good sign.
- Observe the full execution logs to ensure Terraform completes its plan or apply successfully without any other unexpected errors or timeouts.
Check Resource Creation/Modification:
- After a successful terraform apply, verify that the intended GCP resources have been created, updated, or destroyed as expected in the respective GCP service consoles (e.g., Compute Engine, Cloud SQL, Cloud Storage).

By systematically addressing the ulimit within your container and optimizing both your Cloud Run and Terraform configurations, you can reliably run even complex infrastructure provisioning tasks on Google Cloud Run.