Split Cloud Function module in separate v1 and v2 modules (#1450)
* split v1 * v2 * blueprints * remove _http
This commit is contained in:
parent
a424635221
commit
2830e4b9e2
|
@ -35,7 +35,7 @@ Currently available modules:
|
||||||
- **data** - [AlloyDB instance](./modules/alloydb-instance), [BigQuery dataset](./modules/bigquery-dataset), [Bigtable instance](./modules/bigtable-instance), [Cloud Dataplex](./modules/cloud-dataplex), [Cloud SQL instance](./modules/cloudsql-instance), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag), [Datafusion](./modules/datafusion), [Dataproc](./modules/dataproc), [GCS](./modules/gcs), [Pub/Sub](./modules/pubsub)
|
- **data** - [AlloyDB instance](./modules/alloydb-instance), [BigQuery dataset](./modules/bigquery-dataset), [Bigtable instance](./modules/bigtable-instance), [Cloud Dataplex](./modules/cloud-dataplex), [Cloud SQL instance](./modules/cloudsql-instance), [Data Catalog Policy Tag](./modules/data-catalog-policy-tag), [Datafusion](./modules/datafusion), [Dataproc](./modules/dataproc), [GCS](./modules/gcs), [Pub/Sub](./modules/pubsub)
|
||||||
- **development** - [API Gateway](./modules/api-gateway), [Apigee](./modules/apigee), [Artifact Registry](./modules/artifact-registry), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository)
|
- **development** - [API Gateway](./modules/api-gateway), [Apigee](./modules/apigee), [Artifact Registry](./modules/artifact-registry), [Container Registry](./modules/container-registry), [Cloud Source Repository](./modules/source-repository)
|
||||||
- **security** - [Binauthz](./modules/binauthz/), [KMS](./modules/kms), [SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc)
|
- **security** - [Binauthz](./modules/binauthz/), [KMS](./modules/kms), [SecretManager](./modules/secret-manager), [VPC Service Control](./modules/vpc-sc)
|
||||||
- **serverless** - [Cloud Function](./modules/cloud-function), [Cloud Run](./modules/cloud-run)
|
- **serverless** - [Cloud Function v1](./modules/cloud-function-v1), [Cloud Function v2](./modules/cloud-function-v2), [Cloud Run](./modules/cloud-run)
|
||||||
|
|
||||||
For more information and usage examples see each module's README file.
|
For more information and usage examples see each module's README file.
|
||||||
|
|
||||||
|
|
|
@ -152,7 +152,7 @@ module "bucket_export" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "function_export" {
|
module "function_export" {
|
||||||
source = "../../../modules/cloud-function"
|
source = "../../../modules/cloud-function-v1"
|
||||||
project_id = module.project.project_id
|
project_id = module.project.project_id
|
||||||
name = "export"
|
name = "export"
|
||||||
bucket_name = "${module.project.project_id}-code-export"
|
bucket_name = "${module.project.project_id}-code-export"
|
||||||
|
@ -180,17 +180,15 @@ module "function_export" {
|
||||||
DATASTORE = var.datastore_name
|
DATASTORE = var.datastore_name
|
||||||
}
|
}
|
||||||
trigger_config = {
|
trigger_config = {
|
||||||
v1 = {
|
event = "google.pubsub.topic.publish"
|
||||||
event = "google.pubsub.topic.publish"
|
resource = module.pubsub_export.id
|
||||||
resource = module.pubsub_export.id
|
retry = null
|
||||||
retry = null
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
service_account_create = true
|
service_account_create = true
|
||||||
}
|
}
|
||||||
|
|
||||||
module "function_gcs2bq" {
|
module "function_gcs2bq" {
|
||||||
source = "../../../modules/cloud-function"
|
source = "../../../modules/cloud-function-v1"
|
||||||
project_id = module.project.project_id
|
project_id = module.project.project_id
|
||||||
name = "gcs2bq"
|
name = "gcs2bq"
|
||||||
bucket_name = "${module.project.project_id}-code-gcs2bq"
|
bucket_name = "${module.project.project_id}-code-gcs2bq"
|
||||||
|
@ -218,11 +216,9 @@ module "function_gcs2bq" {
|
||||||
LOCATION = var.organization.analytics_region
|
LOCATION = var.organization.analytics_region
|
||||||
}
|
}
|
||||||
trigger_config = {
|
trigger_config = {
|
||||||
v1 = {
|
event = "google.pubsub.topic.publish"
|
||||||
event = "google.pubsub.topic.publish"
|
resource = module.bucket_export.topic
|
||||||
resource = module.bucket_export.topic
|
retry = null
|
||||||
retry = null
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
service_account_create = true
|
service_account_create = true
|
||||||
}
|
}
|
||||||
|
|
|
@ -74,7 +74,7 @@ module "service-account" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "cf" {
|
module "cf" {
|
||||||
source = "../../../modules/cloud-function"
|
source = "../../../modules/cloud-function-v1"
|
||||||
project_id = module.project.project_id
|
project_id = module.project.project_id
|
||||||
name = var.name
|
name = var.name
|
||||||
bucket_name = "${var.name}-${random_pet.random.id}"
|
bucket_name = "${var.name}-${random_pet.random.id}"
|
||||||
|
@ -87,10 +87,8 @@ module "cf" {
|
||||||
}
|
}
|
||||||
service_account = module.service-account.email
|
service_account = module.service-account.email
|
||||||
trigger_config = {
|
trigger_config = {
|
||||||
v1 = {
|
event = "google.pubsub.topic.publish"
|
||||||
event = "google.pubsub.topic.publish"
|
resource = module.pubsub.topic.id
|
||||||
resource = module.pubsub.topic.id
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -51,7 +51,7 @@ module "pubsub" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "cloud-function" {
|
module "cloud-function" {
|
||||||
source = "../../../../modules/cloud-function"
|
source = "../../../../modules/cloud-function-v1"
|
||||||
project_id = module.project.project_id
|
project_id = module.project.project_id
|
||||||
name = var.name
|
name = var.name
|
||||||
bucket_name = coalesce(
|
bucket_name = coalesce(
|
||||||
|
@ -76,10 +76,8 @@ module "cloud-function" {
|
||||||
}
|
}
|
||||||
service_account_create = true
|
service_account_create = true
|
||||||
trigger_config = {
|
trigger_config = {
|
||||||
v1 = {
|
event = "google.pubsub.topic.publish"
|
||||||
event = "google.pubsub.topic.publish"
|
resource = module.pubsub.topic.id
|
||||||
resource = module.pubsub.topic.id
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
vpc_connector = (
|
vpc_connector = (
|
||||||
var.cloud_function_config.vpc_connector == null
|
var.cloud_function_config.vpc_connector == null
|
||||||
|
|
|
@ -47,7 +47,7 @@ module "pubsub" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "cf" {
|
module "cf" {
|
||||||
source = "../../../modules/cloud-function"
|
source = "../../../modules/cloud-function-v1"
|
||||||
project_id = module.project.project_id
|
project_id = module.project.project_id
|
||||||
name = var.name
|
name = var.name
|
||||||
bucket_name = "${var.name}-${random_pet.random.id}"
|
bucket_name = "${var.name}-${random_pet.random.id}"
|
||||||
|
@ -66,10 +66,8 @@ module "cf" {
|
||||||
}
|
}
|
||||||
service_account_create = true
|
service_account_create = true
|
||||||
trigger_config = {
|
trigger_config = {
|
||||||
v1 = {
|
event = "google.pubsub.topic.publish"
|
||||||
event = "google.pubsub.topic.publish"
|
resource = module.pubsub.topic.id
|
||||||
resource = module.pubsub.topic.id
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -85,7 +85,7 @@ module "pubsub_file" {
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
module "cf" {
|
module "cf" {
|
||||||
source = "../../../modules/cloud-function"
|
source = "../../../modules/cloud-function-v1"
|
||||||
project_id = module.project.project_id
|
project_id = module.project.project_id
|
||||||
region = var.region
|
region = var.region
|
||||||
name = var.name
|
name = var.name
|
||||||
|
@ -99,16 +99,14 @@ module "cf" {
|
||||||
}
|
}
|
||||||
service_account = module.service-account.email
|
service_account = module.service-account.email
|
||||||
trigger_config = {
|
trigger_config = {
|
||||||
v1 = {
|
event = "google.pubsub.topic.publish"
|
||||||
event = "google.pubsub.topic.publish"
|
resource = module.pubsub.topic.id
|
||||||
resource = module.pubsub.topic.id
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module "cffile" {
|
module "cffile" {
|
||||||
count = var.cai_gcs_export ? 1 : 0
|
count = var.cai_gcs_export ? 1 : 0
|
||||||
source = "../../../modules/cloud-function"
|
source = "../../../modules/cloud-function-v1"
|
||||||
project_id = module.project.project_id
|
project_id = module.project.project_id
|
||||||
region = var.region
|
region = var.region
|
||||||
name = var.name_cffile
|
name = var.name_cffile
|
||||||
|
@ -124,11 +122,9 @@ module "cffile" {
|
||||||
}
|
}
|
||||||
service_account = module.service-account.email
|
service_account = module.service-account.email
|
||||||
trigger_config = {
|
trigger_config = {
|
||||||
v1 = {
|
event = "google.pubsub.topic.publish"
|
||||||
event = "google.pubsub.topic.publish"
|
resource = module.pubsub_file.topic.id
|
||||||
resource = module.pubsub_file.topic.id
|
retry = null
|
||||||
retry = null
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -108,7 +108,7 @@ module "pubsub" {
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
module "cf-restarter" {
|
module "cf-restarter" {
|
||||||
source = "../../../modules/cloud-function"
|
source = "../../../modules/cloud-function-v1"
|
||||||
project_id = module.project.project_id
|
project_id = module.project.project_id
|
||||||
name = "cf-restarter"
|
name = "cf-restarter"
|
||||||
region = var.region
|
region = var.region
|
||||||
|
@ -132,16 +132,14 @@ module "cf-restarter" {
|
||||||
}
|
}
|
||||||
|
|
||||||
trigger_config = {
|
trigger_config = {
|
||||||
v1 = {
|
event = "google.pubsub.topic.publish"
|
||||||
event = "google.pubsub.topic.publish"
|
resource = module.pubsub.topic.id
|
||||||
resource = module.pubsub.topic.id
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
module "cf-healthchecker" {
|
module "cf-healthchecker" {
|
||||||
source = "../../../modules/cloud-function"
|
source = "../../../modules/cloud-function-v1"
|
||||||
project_id = module.project.project_id
|
project_id = module.project.project_id
|
||||||
name = "cf-healthchecker"
|
name = "cf-healthchecker"
|
||||||
region = var.region
|
region = var.region
|
||||||
|
@ -172,18 +170,14 @@ module "cf-healthchecker" {
|
||||||
create = true
|
create = true
|
||||||
name = "hc-connector"
|
name = "hc-connector"
|
||||||
egress_settings = "PRIVATE_RANGES_ONLY"
|
egress_settings = "PRIVATE_RANGES_ONLY"
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
vpc_connector_config = {
|
vpc_connector_config = {
|
||||||
ip_cidr_range = "10.132.0.0/28"
|
ip_cidr_range = "10.132.0.0/28"
|
||||||
network = "vpc"
|
network = "vpc"
|
||||||
}
|
}
|
||||||
|
|
||||||
iam = {
|
iam = {
|
||||||
"roles/cloudfunctions.invoker" = [module.service-account-scheduler.iam_email]
|
"roles/cloudfunctions.invoker" = [module.service-account-scheduler.iam_email]
|
||||||
}
|
}
|
||||||
|
|
||||||
depends_on = [
|
depends_on = [
|
||||||
module.vpc
|
module.vpc
|
||||||
]
|
]
|
||||||
|
|
|
@ -177,7 +177,7 @@ module "test-vm" {
|
||||||
###############################################################################
|
###############################################################################
|
||||||
|
|
||||||
module "function-hello" {
|
module "function-hello" {
|
||||||
source = "../../../modules/cloud-function"
|
source = "../../../modules/cloud-function-v1"
|
||||||
project_id = module.project.project_id
|
project_id = module.project.project_id
|
||||||
name = var.name
|
name = var.name
|
||||||
bucket_name = "${var.name}-tf-cf-deploy"
|
bucket_name = "${var.name}-tf-cf-deploy"
|
||||||
|
|
|
@ -62,8 +62,8 @@ module "sa" {
|
||||||
|
|
||||||
|
|
||||||
module "functions" {
|
module "functions" {
|
||||||
|
source = "../../../modules/cloud-function-v1"
|
||||||
for_each = toset(var.regions)
|
for_each = toset(var.regions)
|
||||||
source = "../../../modules/cloud-function"
|
|
||||||
project_id = module.project.project_id
|
project_id = module.project.project_id
|
||||||
name = "${local.function_name_prefix}-${each.value}"
|
name = "${local.function_name_prefix}-${each.value}"
|
||||||
bucket_name = "bkt-${module.project.project_id}-${each.value}"
|
bucket_name = "bkt-${module.project.project_id}-${each.value}"
|
||||||
|
|
|
@ -100,5 +100,6 @@ These modules are used in the examples included in this repository. If you are u
|
||||||
|
|
||||||
## Serverless
|
## Serverless
|
||||||
|
|
||||||
- [Cloud Functions](./cloud-function)
|
- [Cloud Functions v1](./cloud-function-v1)
|
||||||
|
- [Cloud Functions v2](./cloud-function-v2)
|
||||||
- [Cloud Run](./cloud-run)
|
- [Cloud Run](./cloud-run)
|
||||||
|
|
|
@ -0,0 +1,236 @@
|
||||||
|
# Cloud Function Module (V1)
|
||||||
|
|
||||||
|
Cloud Function management, with support for IAM roles and optional bucket creation.
|
||||||
|
|
||||||
|
The GCS object used for deployment uses a hash of the bundle zip contents in its name, which ensures change tracking and avoids recreating the function if the GCS object is deleted and needs recreating.
|
||||||
|
|
||||||
|
## TODO
|
||||||
|
|
||||||
|
- [ ] add support for `source_repository`
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
### HTTP trigger
|
||||||
|
|
||||||
|
This deploys a Cloud Function with an HTTP endpoint, using a pre-existing GCS bucket for deployment, setting the service account to the Cloud Function default one, and delegating access control to the containing project.
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
module "cf-http" {
|
||||||
|
source = "./fabric/modules/cloud-function-v1"
|
||||||
|
project_id = "my-project"
|
||||||
|
name = "test-cf-http"
|
||||||
|
bucket_name = "test-cf-bundles"
|
||||||
|
bundle_config = {
|
||||||
|
source_dir = "fabric/assets/"
|
||||||
|
output_path = "bundle.zip"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# tftest modules=1 resources=2
|
||||||
|
```
|
||||||
|
|
||||||
|
### PubSub and non-HTTP triggers
|
||||||
|
|
||||||
|
Other trigger types other than HTTP are configured via the `trigger_config` variable. This example shows a PubSub trigger.
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
module "cf-http" {
|
||||||
|
source = "./fabric/modules/cloud-function-v1"
|
||||||
|
project_id = "my-project"
|
||||||
|
name = "test-cf-http"
|
||||||
|
bucket_name = "test-cf-bundles"
|
||||||
|
bundle_config = {
|
||||||
|
source_dir = "fabric/assets/"
|
||||||
|
output_path = "bundle.zip"
|
||||||
|
}
|
||||||
|
trigger_config = {
|
||||||
|
event = "google.pubsub.topic.publish"
|
||||||
|
resource = "local.my-topic"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# tftest modules=1 resources=2
|
||||||
|
```
|
||||||
|
|
||||||
|
### Controlling HTTP access
|
||||||
|
|
||||||
|
To allow anonymous access to the function, grant the `roles/cloudfunctions.invoker` role to the special `allUsers` identifier. Use specific identities (service accounts, groups, etc.) instead of `allUsers` to only allow selective access.
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
module "cf-http" {
|
||||||
|
source = "./fabric/modules/cloud-function-v1"
|
||||||
|
project_id = "my-project"
|
||||||
|
name = "test-cf-http"
|
||||||
|
bucket_name = "test-cf-bundles"
|
||||||
|
bundle_config = {
|
||||||
|
source_dir = "fabric/assets/"
|
||||||
|
output_path = "bundle.zip"
|
||||||
|
}
|
||||||
|
iam = {
|
||||||
|
"roles/cloudfunctions.invoker" = ["allUsers"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# tftest modules=1 resources=3 inventory=iam.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
### GCS bucket creation
|
||||||
|
|
||||||
|
You can have the module auto-create the GCS bucket used for deployment via the `bucket_config` variable. Setting `bucket_config.location` to `null` will also use the function region for GCS.
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
module "cf-http" {
|
||||||
|
source = "./fabric/modules/cloud-function-v1"
|
||||||
|
project_id = "my-project"
|
||||||
|
name = "test-cf-http"
|
||||||
|
bucket_name = "test-cf-bundles"
|
||||||
|
bucket_config = {
|
||||||
|
lifecycle_delete_age_days = 1
|
||||||
|
}
|
||||||
|
bundle_config = {
|
||||||
|
source_dir = "fabric/assets/"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# tftest modules=1 resources=3
|
||||||
|
```
|
||||||
|
|
||||||
|
### Service account management
|
||||||
|
|
||||||
|
To use a custom service account managed by the module, set `service_account_create` to `true` and leave `service_account` set to `null` value (default).
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
module "cf-http" {
|
||||||
|
source = "./fabric/modules/cloud-function-v1"
|
||||||
|
project_id = "my-project"
|
||||||
|
name = "test-cf-http"
|
||||||
|
bucket_name = "test-cf-bundles"
|
||||||
|
bundle_config = {
|
||||||
|
source_dir = "fabric/assets/"
|
||||||
|
output_path = "bundle.zip"
|
||||||
|
}
|
||||||
|
service_account_create = true
|
||||||
|
}
|
||||||
|
# tftest modules=1 resources=3
|
||||||
|
```
|
||||||
|
|
||||||
|
To use an externally managed service account, pass its email in `service_account` and leave `service_account_create` to `false` (the default).
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
module "cf-http" {
|
||||||
|
source = "./fabric/modules/cloud-function-v1"
|
||||||
|
project_id = "my-project"
|
||||||
|
name = "test-cf-http"
|
||||||
|
bucket_name = "test-cf-bundles"
|
||||||
|
bundle_config = {
|
||||||
|
source_dir = "fabric/assets/"
|
||||||
|
output_path = "bundle.zip"
|
||||||
|
}
|
||||||
|
service_account = "non-existent@serice.account.email"
|
||||||
|
}
|
||||||
|
# tftest modules=1 resources=2
|
||||||
|
```
|
||||||
|
|
||||||
|
### Custom bundle config
|
||||||
|
|
||||||
|
In order to help prevent `archive_zip.output_md5` from changing cross platform (e.g. Cloud Build vs your local development environment), you'll have to make sure that the files included in the zip are always the same.
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
module "cf-http" {
|
||||||
|
source = "./fabric/modules/cloud-function-v1"
|
||||||
|
project_id = "my-project"
|
||||||
|
name = "test-cf-http"
|
||||||
|
bucket_name = "test-cf-bundles"
|
||||||
|
bundle_config = {
|
||||||
|
source_dir = "fabric/assets"
|
||||||
|
output_path = "bundle.zip"
|
||||||
|
excludes = ["__pycache__"]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# tftest modules=1 resources=2
|
||||||
|
```
|
||||||
|
|
||||||
|
### Private Cloud Build Pool
|
||||||
|
|
||||||
|
This deploys a Cloud Function with an HTTP endpoint, using a pre-existing GCS bucket for deployment using a pre existing private Cloud Build worker pool.
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
module "cf-http" {
|
||||||
|
source = "./fabric/modules/cloud-function-v1"
|
||||||
|
project_id = "my-project"
|
||||||
|
name = "test-cf-http"
|
||||||
|
bucket_name = "test-cf-bundles"
|
||||||
|
build_worker_pool = "projects/my-project/locations/europe-west1/workerPools/my_build_worker_pool"
|
||||||
|
bundle_config = {
|
||||||
|
source_dir = "fabric/assets"
|
||||||
|
output_path = "bundle.zip"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# tftest modules=1 resources=2
|
||||||
|
```
|
||||||
|
|
||||||
|
### Multiple Cloud Functions within project
|
||||||
|
|
||||||
|
When deploying multiple functions do not reuse `bundle_config.output_path` between instances as the result is undefined. Default `output_path` creates file in `/tmp` folder using project Id and function name to avoid name conflicts.
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
module "cf-http-one" {
|
||||||
|
source = "./fabric/modules/cloud-function-v1"
|
||||||
|
project_id = "my-project"
|
||||||
|
name = "test-cf-http-one"
|
||||||
|
bucket_name = "test-cf-bundles"
|
||||||
|
bundle_config = {
|
||||||
|
source_dir = "fabric/assets"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
module "cf-http-two" {
|
||||||
|
source = "./fabric/modules/cloud-function-v1"
|
||||||
|
project_id = "my-project"
|
||||||
|
name = "test-cf-http-two"
|
||||||
|
bucket_name = "test-cf-bundles"
|
||||||
|
bundle_config = {
|
||||||
|
source_dir = "fabric/assets"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# tftest modules=2 resources=4 inventory=multiple_functions.yaml
|
||||||
|
```
|
||||||
|
|
||||||
|
<!-- BEGIN TFDOC -->
|
||||||
|
|
||||||
|
## Variables
|
||||||
|
|
||||||
|
| name | description | type | required | default |
|
||||||
|
|---|---|:---:|:---:|:---:|
|
||||||
|
| [bucket_name](variables.tf#L26) | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | <code>string</code> | ✓ | |
|
||||||
|
| [bundle_config](variables.tf#L37) | Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null. | <code title="object({ source_dir = string output_path = optional(string) excludes = optional(list(string)) })">object({…})</code> | ✓ | |
|
||||||
|
| [name](variables.tf#L96) | Name used for cloud function and associated resources. | <code>string</code> | ✓ | |
|
||||||
|
| [project_id](variables.tf#L111) | Project id used for all resources. | <code>string</code> | ✓ | |
|
||||||
|
| [bucket_config](variables.tf#L17) | Enable and configure auto-created bucket. Set fields to null to use defaults. | <code title="object({ location = optional(string) lifecycle_delete_age_days = optional(number) })">object({…})</code> | | <code>null</code> |
|
||||||
|
| [build_worker_pool](variables.tf#L31) | Build worker pool, in projects/<PROJECT-ID>/locations/<REGION>/workerPools/<POOL_NAME> format. | <code>string</code> | | <code>null</code> |
|
||||||
|
| [description](variables.tf#L46) | Optional description. | <code>string</code> | | <code>"Terraform managed."</code> |
|
||||||
|
| [environment_variables](variables.tf#L52) | Cloud function environment variables. | <code>map(string)</code> | | <code>{}</code> |
|
||||||
|
| [function_config](variables.tf#L58) | Cloud function configuration. Defaults to using main as entrypoint, 1 instance with 256MiB of memory, and 180 second timeout. | <code title="object({ entry_point = optional(string, "main") instance_count = optional(number, 1) memory_mb = optional(number, 256) # Memory in MB cpu = optional(string, "0.166") runtime = optional(string, "python310") timeout_seconds = optional(number, 180) })">object({…})</code> | | <code title="{ entry_point = "main" instance_count = 1 memory_mb = 256 cpu = "0.166" runtime = "python310" timeout_seconds = 180 }">{…}</code> |
|
||||||
|
| [iam](variables.tf#L78) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||||
|
| [ingress_settings](variables.tf#L84) | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY . | <code>string</code> | | <code>null</code> |
|
||||||
|
| [labels](variables.tf#L90) | Resource labels. | <code>map(string)</code> | | <code>{}</code> |
|
||||||
|
| [prefix](variables.tf#L101) | Optional prefix used for resource names. | <code>string</code> | | <code>null</code> |
|
||||||
|
| [region](variables.tf#L116) | Region used for all resources. | <code>string</code> | | <code>"europe-west1"</code> |
|
||||||
|
| [secrets](variables.tf#L122) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | <code title="map(object({ is_volume = bool project_id = number secret = string versions = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
|
| [service_account](variables.tf#L134) | Service account email. Unused if service account is auto-created. | <code>string</code> | | <code>null</code> |
|
||||||
|
| [service_account_create](variables.tf#L140) | Auto-create service account. | <code>bool</code> | | <code>false</code> |
|
||||||
|
| [trigger_config](variables.tf#L146) | Function trigger configuration. Leave null for HTTP trigger. | <code title="object({ event = string resource = string retry = optional(bool) })">object({…})</code> | | <code>null</code> |
|
||||||
|
| [vpc_connector](variables.tf#L156) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | <code title="object({ create = bool name = string egress_settings = string })">object({…})</code> | | <code>null</code> |
|
||||||
|
| [vpc_connector_config](variables.tf#L166) | VPC connector network configuration. Must be provided if new VPC connector is being created. | <code title="object({ ip_cidr_range = string network = string })">object({…})</code> | | <code>null</code> |
|
||||||
|
|
||||||
|
## Outputs
|
||||||
|
|
||||||
|
| name | description | sensitive |
|
||||||
|
|---|---|:---:|
|
||||||
|
| [bucket](outputs.tf#L17) | Bucket resource (only if auto-created). | |
|
||||||
|
| [bucket_name](outputs.tf#L24) | Bucket name. | |
|
||||||
|
| [function](outputs.tf#L29) | Cloud function resources. | |
|
||||||
|
| [function_name](outputs.tf#L34) | Cloud function name. | |
|
||||||
|
| [id](outputs.tf#L39) | Fully qualified function id. | |
|
||||||
|
| [service_account](outputs.tf#L44) | Service account resource. | |
|
||||||
|
| [service_account_email](outputs.tf#L49) | Service account email. | |
|
||||||
|
| [service_account_iam_email](outputs.tf#L54) | Service account email. | |
|
||||||
|
| [vpc_connector](outputs.tf#L62) | VPC connector resource if created. | |
|
||||||
|
|
||||||
|
<!-- END TFDOC -->
|
|
@ -0,0 +1,181 @@
|
||||||
|
/**
|
||||||
|
* Copyright 2022 Google LLC
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
locals {
|
||||||
|
bucket = (
|
||||||
|
var.bucket_name != null
|
||||||
|
? var.bucket_name
|
||||||
|
: (
|
||||||
|
length(google_storage_bucket.bucket) > 0
|
||||||
|
? google_storage_bucket.bucket[0].name
|
||||||
|
: null
|
||||||
|
)
|
||||||
|
)
|
||||||
|
prefix = var.prefix == null ? "" : "${var.prefix}-"
|
||||||
|
service_account_email = (
|
||||||
|
var.service_account_create
|
||||||
|
? google_service_account.service_account[0].email
|
||||||
|
: var.service_account
|
||||||
|
)
|
||||||
|
vpc_connector = (
|
||||||
|
var.vpc_connector == null
|
||||||
|
? null
|
||||||
|
: (
|
||||||
|
try(var.vpc_connector.create, false) == false
|
||||||
|
? var.vpc_connector.name
|
||||||
|
: google_vpc_access_connector.connector.0.id
|
||||||
|
)
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_vpc_access_connector" "connector" {
|
||||||
|
count = try(var.vpc_connector.create, false) == false ? 0 : 1
|
||||||
|
project = var.project_id
|
||||||
|
name = var.vpc_connector.name
|
||||||
|
region = var.region
|
||||||
|
ip_cidr_range = var.vpc_connector_config.ip_cidr_range
|
||||||
|
network = var.vpc_connector_config.network
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_cloudfunctions_function" "function" {
|
||||||
|
project = var.project_id
|
||||||
|
region = var.region
|
||||||
|
name = "${local.prefix}${var.name}"
|
||||||
|
description = var.description
|
||||||
|
runtime = var.function_config.runtime
|
||||||
|
available_memory_mb = var.function_config.memory_mb
|
||||||
|
max_instances = var.function_config.instance_count
|
||||||
|
timeout = var.function_config.timeout_seconds
|
||||||
|
entry_point = var.function_config.entry_point
|
||||||
|
environment_variables = var.environment_variables
|
||||||
|
service_account_email = local.service_account_email
|
||||||
|
source_archive_bucket = local.bucket
|
||||||
|
source_archive_object = google_storage_bucket_object.bundle.name
|
||||||
|
labels = var.labels
|
||||||
|
trigger_http = var.trigger_config == null ? true : null
|
||||||
|
|
||||||
|
ingress_settings = var.ingress_settings
|
||||||
|
build_worker_pool = var.build_worker_pool
|
||||||
|
|
||||||
|
vpc_connector = local.vpc_connector
|
||||||
|
vpc_connector_egress_settings = try(
|
||||||
|
var.vpc_connector.egress_settings, null
|
||||||
|
)
|
||||||
|
|
||||||
|
dynamic "event_trigger" {
|
||||||
|
for_each = var.trigger_config == null ? [] : [""]
|
||||||
|
content {
|
||||||
|
event_type = var.trigger_config.event
|
||||||
|
resource = var.trigger_config.resource
|
||||||
|
dynamic "failure_policy" {
|
||||||
|
for_each = var.trigger_config.retry == null ? [] : [""]
|
||||||
|
content {
|
||||||
|
retry = var.trigger_config.retry
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
dynamic "secret_environment_variables" {
|
||||||
|
for_each = { for k, v in var.secrets : k => v if !v.is_volume }
|
||||||
|
iterator = secret
|
||||||
|
content {
|
||||||
|
key = secret.key
|
||||||
|
project_id = secret.value.project_id
|
||||||
|
secret = secret.value.secret
|
||||||
|
version = try(secret.value.versions.0, "latest")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
dynamic "secret_volumes" {
|
||||||
|
for_each = { for k, v in var.secrets : k => v if v.is_volume }
|
||||||
|
iterator = secret
|
||||||
|
content {
|
||||||
|
mount_path = secret.key
|
||||||
|
project_id = secret.value.project_id
|
||||||
|
secret = secret.value.secret
|
||||||
|
dynamic "versions" {
|
||||||
|
for_each = secret.value.versions
|
||||||
|
iterator = version
|
||||||
|
content {
|
||||||
|
path = split(":", version)[1]
|
||||||
|
version = split(":", version)[0]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_cloudfunctions_function_iam_binding" "default" {
|
||||||
|
for_each = var.iam
|
||||||
|
project = var.project_id
|
||||||
|
region = var.region
|
||||||
|
cloud_function = google_cloudfunctions_function.function.id
|
||||||
|
role = each.key
|
||||||
|
members = each.value
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_storage_bucket" "bucket" {
|
||||||
|
count = var.bucket_config == null ? 0 : 1
|
||||||
|
project = var.project_id
|
||||||
|
name = "${local.prefix}${var.bucket_name}"
|
||||||
|
uniform_bucket_level_access = true
|
||||||
|
location = (
|
||||||
|
var.bucket_config.location == null
|
||||||
|
? var.region
|
||||||
|
: var.bucket_config.location
|
||||||
|
)
|
||||||
|
labels = var.labels
|
||||||
|
|
||||||
|
dynamic "lifecycle_rule" {
|
||||||
|
for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
|
||||||
|
content {
|
||||||
|
action { type = "Delete" }
|
||||||
|
condition {
|
||||||
|
age = var.bucket_config.lifecycle_delete_age_days
|
||||||
|
with_state = "ARCHIVED"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
dynamic "versioning" {
|
||||||
|
for_each = var.bucket_config.lifecycle_delete_age_days == null ? [] : [""]
|
||||||
|
content {
|
||||||
|
enabled = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_storage_bucket_object" "bundle" {
|
||||||
|
name = "bundle-${data.archive_file.bundle.output_md5}.zip"
|
||||||
|
bucket = local.bucket
|
||||||
|
source = data.archive_file.bundle.output_path
|
||||||
|
}
|
||||||
|
|
||||||
|
data "archive_file" "bundle" {
|
||||||
|
type = "zip"
|
||||||
|
source_dir = var.bundle_config.source_dir
|
||||||
|
output_path = coalesce(var.bundle_config.output_path, "/tmp/bundle-${var.project_id}-${var.name}.zip")
|
||||||
|
output_file_mode = "0644"
|
||||||
|
excludes = var.bundle_config.excludes
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "google_service_account" "service_account" {
|
||||||
|
count = var.service_account_create ? 1 : 0
|
||||||
|
project = var.project_id
|
||||||
|
account_id = "tf-cf-${var.name}"
|
||||||
|
display_name = "Terraform Cloud Function ${var.name}."
|
||||||
|
}
|
|
@ -0,0 +1,65 @@
|
||||||
|
/**
|
||||||
|
* Copyright 2022 Google LLC
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
output "bucket" {
|
||||||
|
description = "Bucket resource (only if auto-created)."
|
||||||
|
value = try(
|
||||||
|
var.bucket_config == null ? null : google_storage_bucket.bucket.0, null
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
output "bucket_name" {
|
||||||
|
description = "Bucket name."
|
||||||
|
value = local.bucket
|
||||||
|
}
|
||||||
|
|
||||||
|
output "function" {
|
||||||
|
description = "Cloud function resources."
|
||||||
|
value = google_cloudfunctions_function.function
|
||||||
|
}
|
||||||
|
|
||||||
|
output "function_name" {
|
||||||
|
description = "Cloud function name."
|
||||||
|
value = google_cloudfunctions_function.function.name
|
||||||
|
}
|
||||||
|
|
||||||
|
output "id" {
|
||||||
|
description = "Fully qualified function id."
|
||||||
|
value = google_cloudfunctions_function.function.id
|
||||||
|
}
|
||||||
|
|
||||||
|
output "service_account" {
|
||||||
|
description = "Service account resource."
|
||||||
|
value = try(google_service_account.service_account[0], null)
|
||||||
|
}
|
||||||
|
|
||||||
|
output "service_account_email" {
|
||||||
|
description = "Service account email."
|
||||||
|
value = local.service_account_email
|
||||||
|
}
|
||||||
|
|
||||||
|
output "service_account_iam_email" {
|
||||||
|
description = "Service account email."
|
||||||
|
value = join("", [
|
||||||
|
"serviceAccount:",
|
||||||
|
local.service_account_email == null ? "" : local.service_account_email
|
||||||
|
])
|
||||||
|
}
|
||||||
|
|
||||||
|
output "vpc_connector" {
|
||||||
|
description = "VPC connector resource if created."
|
||||||
|
value = try(google_vpc_access_connector.connector.0.id, null)
|
||||||
|
}
|
|
@ -146,36 +146,11 @@ variable "service_account_create" {
|
||||||
variable "trigger_config" {
|
variable "trigger_config" {
|
||||||
description = "Function trigger configuration. Leave null for HTTP trigger."
|
description = "Function trigger configuration. Leave null for HTTP trigger."
|
||||||
type = object({
|
type = object({
|
||||||
v1 = optional(object({
|
event = string
|
||||||
event = string
|
resource = string
|
||||||
resource = string
|
retry = optional(bool)
|
||||||
retry = optional(bool)
|
|
||||||
})),
|
|
||||||
v2 = optional(object({
|
|
||||||
region = optional(string)
|
|
||||||
event_type = optional(string)
|
|
||||||
pubsub_topic = optional(string)
|
|
||||||
event_filters = optional(list(object({
|
|
||||||
attribute = string
|
|
||||||
value = string
|
|
||||||
operator = string
|
|
||||||
})))
|
|
||||||
service_account_email = optional(string)
|
|
||||||
service_account_create = optional(bool)
|
|
||||||
retry_policy = optional(string)
|
|
||||||
}))
|
|
||||||
})
|
})
|
||||||
default = { v1 = null, v2 = null }
|
default = null
|
||||||
validation {
|
|
||||||
condition = !(var.trigger_config.v1 != null && var.trigger_config.v2 != null)
|
|
||||||
error_message = "Provide configuration for only one generation - either v1 or v2"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "v2" {
|
|
||||||
description = "Whether to use Cloud Function version 2nd Gen or 1st Gen."
|
|
||||||
type = bool
|
|
||||||
default = false
|
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "vpc_connector" {
|
variable "vpc_connector" {
|
|
@ -1,4 +1,4 @@
|
||||||
# Cloud Function Module
|
# Cloud Function Module (v2)
|
||||||
|
|
||||||
Cloud Function management, with support for IAM roles and optional bucket creation.
|
Cloud Function management, with support for IAM roles and optional bucket creation.
|
||||||
|
|
||||||
|
@ -16,23 +16,7 @@ This deploys a Cloud Function with an HTTP endpoint, using a pre-existing GCS bu
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
module "cf-http" {
|
module "cf-http" {
|
||||||
source = "./fabric/modules/cloud-function"
|
source = "./fabric/modules/cloud-function-v2"
|
||||||
project_id = "my-project"
|
|
||||||
name = "test-cf-http"
|
|
||||||
bucket_name = "test-cf-bundles"
|
|
||||||
bundle_config = {
|
|
||||||
source_dir = "fabric/assets/"
|
|
||||||
output_path = "bundle.zip"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
# tftest modules=1 resources=2
|
|
||||||
```
|
|
||||||
|
|
||||||
Analogous example using 2nd generation Cloud Functions
|
|
||||||
```hcl
|
|
||||||
module "cf-http" {
|
|
||||||
source = "./fabric/modules/cloud-function"
|
|
||||||
v2 = true
|
|
||||||
project_id = "my-project"
|
project_id = "my-project"
|
||||||
name = "test-cf-http"
|
name = "test-cf-http"
|
||||||
bucket_name = "test-cf-bundles"
|
bucket_name = "test-cf-bundles"
|
||||||
|
@ -46,30 +30,8 @@ module "cf-http" {
|
||||||
|
|
||||||
### PubSub and non-HTTP triggers
|
### PubSub and non-HTTP triggers
|
||||||
|
|
||||||
Other trigger types other than HTTP are configured via the `trigger_config` variable. This example shows a PubSub trigger.
|
Other trigger types other than HTTP are configured via the `trigger_config` variable. This example shows a PubSub trigger via [Eventarc](https://cloud.google.com/eventarc/docs):
|
||||||
|
|
||||||
```hcl
|
|
||||||
module "cf-http" {
|
|
||||||
source = "./fabric/modules/cloud-function"
|
|
||||||
project_id = "my-project"
|
|
||||||
name = "test-cf-http"
|
|
||||||
bucket_name = "test-cf-bundles"
|
|
||||||
bundle_config = {
|
|
||||||
source_dir = "fabric/assets/"
|
|
||||||
output_path = "bundle.zip"
|
|
||||||
}
|
|
||||||
trigger_config = {
|
|
||||||
v1 = {
|
|
||||||
event = "google.pubsub.topic.publish"
|
|
||||||
resource = "local.my-topic"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
# tftest modules=1 resources=2
|
|
||||||
```
|
|
||||||
|
|
||||||
Cloud Functions 2nd gen support only [Eventarc](https://cloud.google.com/eventarc/docs) and uses separate structure
|
|
||||||
to configure:
|
|
||||||
```hcl
|
```hcl
|
||||||
module "trigger-service-account" {
|
module "trigger-service-account" {
|
||||||
source = "./fabric/modules/iam-service-account"
|
source = "./fabric/modules/iam-service-account"
|
||||||
|
@ -83,9 +45,8 @@ module "trigger-service-account" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "cf-http" {
|
module "cf-http" {
|
||||||
source = "./fabric/modules/cloud-function"
|
source = "./fabric/modules/cloud-function-v2"
|
||||||
project_id = "my-project"
|
project_id = "my-project"
|
||||||
v2 = true
|
|
||||||
name = "test-cf-http"
|
name = "test-cf-http"
|
||||||
bucket_name = "test-cf-bundles"
|
bucket_name = "test-cf-bundles"
|
||||||
bundle_config = {
|
bundle_config = {
|
||||||
|
@ -93,17 +54,16 @@ module "cf-http" {
|
||||||
output_path = "bundle.zip"
|
output_path = "bundle.zip"
|
||||||
}
|
}
|
||||||
trigger_config = {
|
trigger_config = {
|
||||||
v2 = {
|
event_type = "google.cloud.pubsub.topic.v1.messagePublished"
|
||||||
event_type = "google.cloud.pubsub.topic.v1.messagePublished"
|
pubsub_topic = "local.my-topic"
|
||||||
pubsub_topic = "local.my-topic"
|
service_account_email = module.trigger-service-account.email
|
||||||
service_account_email = module.trigger-service-account.email
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest modules=2 resources=4
|
# tftest modules=2 resources=4
|
||||||
```
|
```
|
||||||
Ensure that pubsub robo-account `service-%s@gcp-sa-pubsub.iam.gserviceaccount.com` has `roles/iam.serviceAccountTokenCreatator`
|
|
||||||
as documented [here](https://cloud.google.com/eventarc/docs/roles-permissions#pubsub-topic)
|
Ensure that pubsub service identity (`service-[project number]@gcp-sa-pubsub.iam.gserviceaccount.com` has `roles/iam.serviceAccountTokenCreator`
|
||||||
|
as documented [here](https://cloud.google.com/eventarc/docs/roles-permissions#pubsub-topic).
|
||||||
|
|
||||||
### Controlling HTTP access
|
### Controlling HTTP access
|
||||||
|
|
||||||
|
@ -111,7 +71,7 @@ To allow anonymous access to the function, grant the `roles/cloudfunctions.invok
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
module "cf-http" {
|
module "cf-http" {
|
||||||
source = "./fabric/modules/cloud-function"
|
source = "./fabric/modules/cloud-function-v2"
|
||||||
project_id = "my-project"
|
project_id = "my-project"
|
||||||
name = "test-cf-http"
|
name = "test-cf-http"
|
||||||
bucket_name = "test-cf-bundles"
|
bucket_name = "test-cf-bundles"
|
||||||
|
@ -123,7 +83,7 @@ module "cf-http" {
|
||||||
"roles/cloudfunctions.invoker" = ["allUsers"]
|
"roles/cloudfunctions.invoker" = ["allUsers"]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest modules=1 resources=3
|
# tftest modules=1 resources=3 inventory=iam.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
### GCS bucket creation
|
### GCS bucket creation
|
||||||
|
@ -132,7 +92,7 @@ You can have the module auto-create the GCS bucket used for deployment via the `
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
module "cf-http" {
|
module "cf-http" {
|
||||||
source = "./fabric/modules/cloud-function"
|
source = "./fabric/modules/cloud-function-v2"
|
||||||
project_id = "my-project"
|
project_id = "my-project"
|
||||||
name = "test-cf-http"
|
name = "test-cf-http"
|
||||||
bucket_name = "test-cf-bundles"
|
bucket_name = "test-cf-bundles"
|
||||||
|
@ -152,7 +112,7 @@ To use a custom service account managed by the module, set `service_account_crea
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
module "cf-http" {
|
module "cf-http" {
|
||||||
source = "./fabric/modules/cloud-function"
|
source = "./fabric/modules/cloud-function-v2"
|
||||||
project_id = "my-project"
|
project_id = "my-project"
|
||||||
name = "test-cf-http"
|
name = "test-cf-http"
|
||||||
bucket_name = "test-cf-bundles"
|
bucket_name = "test-cf-bundles"
|
||||||
|
@ -169,7 +129,7 @@ To use an externally managed service account, pass its email in `service_account
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
module "cf-http" {
|
module "cf-http" {
|
||||||
source = "./fabric/modules/cloud-function"
|
source = "./fabric/modules/cloud-function-v2"
|
||||||
project_id = "my-project"
|
project_id = "my-project"
|
||||||
name = "test-cf-http"
|
name = "test-cf-http"
|
||||||
bucket_name = "test-cf-bundles"
|
bucket_name = "test-cf-bundles"
|
||||||
|
@ -188,7 +148,7 @@ In order to help prevent `archive_zip.output_md5` from changing cross platform (
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
module "cf-http" {
|
module "cf-http" {
|
||||||
source = "./fabric/modules/cloud-function"
|
source = "./fabric/modules/cloud-function-v2"
|
||||||
project_id = "my-project"
|
project_id = "my-project"
|
||||||
name = "test-cf-http"
|
name = "test-cf-http"
|
||||||
bucket_name = "test-cf-bundles"
|
bucket_name = "test-cf-bundles"
|
||||||
|
@ -207,7 +167,7 @@ This deploys a Cloud Function with an HTTP endpoint, using a pre-existing GCS bu
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
module "cf-http" {
|
module "cf-http" {
|
||||||
source = "./fabric/modules/cloud-function"
|
source = "./fabric/modules/cloud-function-v2"
|
||||||
project_id = "my-project"
|
project_id = "my-project"
|
||||||
name = "test-cf-http"
|
name = "test-cf-http"
|
||||||
bucket_name = "test-cf-bundles"
|
bucket_name = "test-cf-bundles"
|
||||||
|
@ -226,7 +186,7 @@ When deploying multiple functions do not reuse `bundle_config.output_path` betwe
|
||||||
|
|
||||||
```hcl
|
```hcl
|
||||||
module "cf-http-one" {
|
module "cf-http-one" {
|
||||||
source = "./fabric/modules/cloud-function"
|
source = "./fabric/modules/cloud-function-v2"
|
||||||
project_id = "my-project"
|
project_id = "my-project"
|
||||||
name = "test-cf-http-one"
|
name = "test-cf-http-one"
|
||||||
bucket_name = "test-cf-bundles"
|
bucket_name = "test-cf-bundles"
|
||||||
|
@ -236,7 +196,7 @@ module "cf-http-one" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "cf-http-two" {
|
module "cf-http-two" {
|
||||||
source = "./fabric/modules/cloud-function"
|
source = "./fabric/modules/cloud-function-v2"
|
||||||
project_id = "my-project"
|
project_id = "my-project"
|
||||||
name = "test-cf-http-two"
|
name = "test-cf-http-two"
|
||||||
bucket_name = "test-cf-bundles"
|
bucket_name = "test-cf-bundles"
|
||||||
|
@ -245,8 +205,6 @@ module "cf-http-two" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# tftest modules=2 resources=4 inventory=multiple_functions.yaml
|
# tftest modules=2 resources=4 inventory=multiple_functions.yaml
|
||||||
|
|
||||||
|
|
||||||
```
|
```
|
||||||
<!-- BEGIN TFDOC -->
|
<!-- BEGIN TFDOC -->
|
||||||
|
|
||||||
|
@ -271,10 +229,9 @@ module "cf-http-two" {
|
||||||
| [secrets](variables.tf#L122) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | <code title="map(object({ is_volume = bool project_id = number secret = string versions = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
| [secrets](variables.tf#L122) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | <code title="map(object({ is_volume = bool project_id = number secret = string versions = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||||
| [service_account](variables.tf#L134) | Service account email. Unused if service account is auto-created. | <code>string</code> | | <code>null</code> |
|
| [service_account](variables.tf#L134) | Service account email. Unused if service account is auto-created. | <code>string</code> | | <code>null</code> |
|
||||||
| [service_account_create](variables.tf#L140) | Auto-create service account. | <code>bool</code> | | <code>false</code> |
|
| [service_account_create](variables.tf#L140) | Auto-create service account. | <code>bool</code> | | <code>false</code> |
|
||||||
| [trigger_config](variables.tf#L146) | Function trigger configuration. Leave null for HTTP trigger. | <code title="object({ v1 = optional(object({ event = string resource = string retry = optional(bool) })), v2 = optional(object({ region = optional(string) event_type = optional(string) pubsub_topic = optional(string) event_filters = optional(list(object({ attribute = string value = string operator = string }))) service_account_email = optional(string) service_account_create = optional(bool) retry_policy = optional(string) })) })">object({…})</code> | | <code>{ v1 = null, v2 = null }</code> |
|
| [trigger_config](variables.tf#L146) | Function trigger configuration. Leave null for HTTP trigger. | <code title="object({ event_type = string pubsub_topic = optional(string) region = optional(string) event_filters = optional(list(object({ attribute = string value = string operator = string })), []) service_account_email = optional(string) service_account_create = optional(bool, false) retry_policy = optional(string) })">object({…})</code> | | <code>null</code> |
|
||||||
| [v2](variables.tf#L175) | Whether to use Cloud Function version 2nd Gen or 1st Gen. | <code>bool</code> | | <code>false</code> |
|
| [vpc_connector](variables.tf#L164) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | <code title="object({ create = bool name = string egress_settings = string })">object({…})</code> | | <code>null</code> |
|
||||||
| [vpc_connector](variables.tf#L181) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | <code title="object({ create = bool name = string egress_settings = string })">object({…})</code> | | <code>null</code> |
|
| [vpc_connector_config](variables.tf#L174) | VPC connector network configuration. Must be provided if new VPC connector is being created. | <code title="object({ ip_cidr_range = string network = string })">object({…})</code> | | <code>null</code> |
|
||||||
| [vpc_connector_config](variables.tf#L191) | VPC connector network configuration. Must be provided if new VPC connector is being created. | <code title="object({ ip_cidr_range = string network = string })">object({…})</code> | | <code>null</code> |
|
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
|
@ -24,15 +24,14 @@ locals {
|
||||||
: null
|
: null
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
function = (
|
prefix = var.prefix == null ? "" : "${var.prefix}-"
|
||||||
var.v2
|
service_account_email = (
|
||||||
? google_cloudfunctions2_function.function[0]
|
var.service_account_create
|
||||||
: google_cloudfunctions_function.function[0]
|
? google_service_account.service_account[0].email
|
||||||
|
: var.service_account
|
||||||
)
|
)
|
||||||
prefix = var.prefix == null ? "" : "${var.prefix}-"
|
|
||||||
service_account_email = var.service_account_create ? google_service_account.service_account[0].email : var.service_account
|
|
||||||
trigger_service_account_email = (
|
trigger_service_account_email = (
|
||||||
coalesce(try(var.trigger_config.v2.service_account_create, false), false)
|
try(var.trigger_config.service_account_create, false)
|
||||||
? google_service_account.trigger_service_account[0].email
|
? google_service_account.trigger_service_account[0].email
|
||||||
: null
|
: null
|
||||||
)
|
)
|
||||||
|
@ -48,7 +47,7 @@ locals {
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_vpc_access_connector" "connector" {
|
resource "google_vpc_access_connector" "connector" {
|
||||||
count = try(var.vpc_connector.create, false) == false ? 0 : 1
|
count = try(var.vpc_connector.create, false) == true ? 1 : 0
|
||||||
project = var.project_id
|
project = var.project_id
|
||||||
name = var.vpc_connector.name
|
name = var.vpc_connector.name
|
||||||
region = var.region
|
region = var.region
|
||||||
|
@ -56,78 +55,7 @@ resource "google_vpc_access_connector" "connector" {
|
||||||
network = var.vpc_connector_config.network
|
network = var.vpc_connector_config.network
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_cloudfunctions_function" "function" {
|
|
||||||
count = var.v2 ? 0 : 1
|
|
||||||
project = var.project_id
|
|
||||||
region = var.region
|
|
||||||
name = "${local.prefix}${var.name}"
|
|
||||||
description = var.description
|
|
||||||
runtime = var.function_config.runtime
|
|
||||||
available_memory_mb = var.function_config.memory_mb
|
|
||||||
max_instances = var.function_config.instance_count
|
|
||||||
timeout = var.function_config.timeout_seconds
|
|
||||||
entry_point = var.function_config.entry_point
|
|
||||||
environment_variables = var.environment_variables
|
|
||||||
service_account_email = local.service_account_email
|
|
||||||
source_archive_bucket = local.bucket
|
|
||||||
source_archive_object = google_storage_bucket_object.bundle.name
|
|
||||||
labels = var.labels
|
|
||||||
trigger_http = var.trigger_config.v1 == null ? true : null
|
|
||||||
|
|
||||||
ingress_settings = var.ingress_settings
|
|
||||||
build_worker_pool = var.build_worker_pool
|
|
||||||
|
|
||||||
vpc_connector = local.vpc_connector
|
|
||||||
vpc_connector_egress_settings = try(
|
|
||||||
var.vpc_connector.egress_settings, null
|
|
||||||
)
|
|
||||||
|
|
||||||
dynamic "event_trigger" {
|
|
||||||
for_each = var.trigger_config.v1 == null ? [] : [""]
|
|
||||||
content {
|
|
||||||
event_type = var.trigger_config.v1.event
|
|
||||||
resource = var.trigger_config.v1.resource
|
|
||||||
dynamic "failure_policy" {
|
|
||||||
for_each = var.trigger_config.v1.retry == null ? [] : [""]
|
|
||||||
content {
|
|
||||||
retry = var.trigger_config.v1.retry
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
dynamic "secret_environment_variables" {
|
|
||||||
for_each = { for k, v in var.secrets : k => v if !v.is_volume }
|
|
||||||
iterator = secret
|
|
||||||
content {
|
|
||||||
key = secret.key
|
|
||||||
project_id = secret.value.project_id
|
|
||||||
secret = secret.value.secret
|
|
||||||
version = try(secret.value.versions.0, "latest")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
dynamic "secret_volumes" {
|
|
||||||
for_each = { for k, v in var.secrets : k => v if v.is_volume }
|
|
||||||
iterator = secret
|
|
||||||
content {
|
|
||||||
mount_path = secret.key
|
|
||||||
project_id = secret.value.project_id
|
|
||||||
secret = secret.value.secret
|
|
||||||
dynamic "versions" {
|
|
||||||
for_each = secret.value.versions
|
|
||||||
iterator = version
|
|
||||||
content {
|
|
||||||
path = split(":", version)[1]
|
|
||||||
version = split(":", version)[0]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_cloudfunctions2_function" "function" {
|
resource "google_cloudfunctions2_function" "function" {
|
||||||
count = var.v2 ? 1 : 0
|
|
||||||
provider = google-beta
|
provider = google-beta
|
||||||
project = var.project_id
|
project = var.project_id
|
||||||
location = var.region
|
location = var.region
|
||||||
|
@ -136,7 +64,7 @@ resource "google_cloudfunctions2_function" "function" {
|
||||||
build_config {
|
build_config {
|
||||||
worker_pool = var.build_worker_pool
|
worker_pool = var.build_worker_pool
|
||||||
runtime = var.function_config.runtime
|
runtime = var.function_config.runtime
|
||||||
entry_point = "${var.function_config.entry_point}_http" # Set the entry point
|
entry_point = var.function_config.entry_point
|
||||||
environment_variables = var.environment_variables
|
environment_variables = var.environment_variables
|
||||||
source {
|
source {
|
||||||
storage_source {
|
storage_source {
|
||||||
|
@ -146,13 +74,17 @@ resource "google_cloudfunctions2_function" "function" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
dynamic "event_trigger" {
|
dynamic "event_trigger" {
|
||||||
for_each = var.trigger_config.v2 == null ? [] : [""]
|
for_each = var.trigger_config == null ? [] : [""]
|
||||||
content {
|
content {
|
||||||
trigger_region = var.trigger_config.v2.region
|
event_type = var.trigger_config.event_type
|
||||||
event_type = var.trigger_config.v2.event_type
|
pubsub_topic = var.trigger_config.pubsub_topic
|
||||||
pubsub_topic = var.trigger_config.v2.pubsub_topic
|
trigger_region = (
|
||||||
|
var.trigger_config.region == null
|
||||||
|
? var.region
|
||||||
|
: var.trigger_config.region
|
||||||
|
)
|
||||||
dynamic "event_filters" {
|
dynamic "event_filters" {
|
||||||
for_each = var.trigger_config.v2.event_filters == null ? [] : var.trigger_config.v2.event_filters
|
for_each = var.trigger_config.event_filters
|
||||||
iterator = event_filter
|
iterator = event_filter
|
||||||
content {
|
content {
|
||||||
attribute = event_filter.attribute
|
attribute = event_filter.attribute
|
||||||
|
@ -160,8 +92,8 @@ resource "google_cloudfunctions2_function" "function" {
|
||||||
operator = event_filter.operator
|
operator = event_filter.operator
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
service_account_email = var.trigger_config.v2.service_account_email
|
service_account_email = var.trigger_config.service_account_email
|
||||||
retry_policy = var.trigger_config.v2.retry_policy
|
retry_policy = var.trigger_config.retry_policy
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
service_config {
|
service_config {
|
||||||
|
@ -210,20 +142,11 @@ resource "google_cloudfunctions2_function" "function" {
|
||||||
labels = var.labels
|
labels = var.labels
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_cloudfunctions_function_iam_binding" "default" {
|
|
||||||
for_each = !var.v2 ? var.iam : {}
|
|
||||||
project = var.project_id
|
|
||||||
region = var.region
|
|
||||||
cloud_function = local.function.name
|
|
||||||
role = each.key
|
|
||||||
members = each.value
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "google_cloudfunctions2_function_iam_binding" "default" {
|
resource "google_cloudfunctions2_function_iam_binding" "default" {
|
||||||
for_each = var.v2 ? var.iam : {}
|
for_each = var.iam
|
||||||
project = var.project_id
|
project = var.project_id
|
||||||
location = google_cloudfunctions2_function.function[0].location
|
location = google_cloudfunctions2_function.function.location
|
||||||
cloud_function = local.function.name
|
cloud_function = google_cloudfunctions2_function.function.name
|
||||||
role = each.key
|
role = each.key
|
||||||
members = each.value
|
members = each.value
|
||||||
}
|
}
|
||||||
|
@ -281,14 +204,18 @@ resource "google_service_account" "service_account" {
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_service_account" "trigger_service_account" {
|
resource "google_service_account" "trigger_service_account" {
|
||||||
count = coalesce(try(var.trigger_config.v2.service_account_create, false), false) ? 1 : 0
|
count = (
|
||||||
|
try(var.trigger_config.service_account_create, false) == true ? 1 : 0
|
||||||
|
)
|
||||||
project = var.project_id
|
project = var.project_id
|
||||||
account_id = "tf-cf-trigger-${var.name}"
|
account_id = "tf-cf-trigger-${var.name}"
|
||||||
display_name = "Terraform trigger for Cloud Function ${var.name}."
|
display_name = "Terraform trigger for Cloud Function ${var.name}."
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_project_iam_member" "trigger_iam" {
|
resource "google_project_iam_member" "trigger_iam" {
|
||||||
count = coalesce(try(var.trigger_config.v2.service_account_create, false), false) ? 1 : 0
|
count = (
|
||||||
|
try(var.trigger_config.service_account_create, false) == true ? 1 : 0
|
||||||
|
)
|
||||||
project = var.project_id
|
project = var.project_id
|
||||||
member = "serviceAccount:${google_service_account.trigger_service_account[0].email}"
|
member = "serviceAccount:${google_service_account.trigger_service_account[0].email}"
|
||||||
role = "roles/run.invoker"
|
role = "roles/run.invoker"
|
|
@ -28,17 +28,17 @@ output "bucket_name" {
|
||||||
|
|
||||||
output "function" {
|
output "function" {
|
||||||
description = "Cloud function resources."
|
description = "Cloud function resources."
|
||||||
value = local.function
|
value = google_cloudfunctions2_function.function
|
||||||
}
|
}
|
||||||
|
|
||||||
output "function_name" {
|
output "function_name" {
|
||||||
description = "Cloud function name."
|
description = "Cloud function name."
|
||||||
value = local.function.name
|
value = google_cloudfunctions2_function.function.name
|
||||||
}
|
}
|
||||||
|
|
||||||
output "id" {
|
output "id" {
|
||||||
description = "Fully qualified function id."
|
description = "Fully qualified function id."
|
||||||
value = local.function.id
|
value = google_cloudfunctions2_function.function.id
|
||||||
}
|
}
|
||||||
|
|
||||||
output "service_account" {
|
output "service_account" {
|
||||||
|
@ -79,7 +79,7 @@ output "trigger_service_account_iam_email" {
|
||||||
|
|
||||||
output "uri" {
|
output "uri" {
|
||||||
description = "Cloud function service uri."
|
description = "Cloud function service uri."
|
||||||
value = var.v2 ? google_cloudfunctions2_function.function[0].service_config[0].uri : null
|
value = google_cloudfunctions2_function.function.service_config[0].uri
|
||||||
}
|
}
|
||||||
|
|
||||||
output "vpc_connector" {
|
output "vpc_connector" {
|
|
@ -0,0 +1,183 @@
|
||||||
|
/**
|
||||||
|
* Copyright 2022 Google LLC
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
variable "bucket_config" {
|
||||||
|
description = "Enable and configure auto-created bucket. Set fields to null to use defaults."
|
||||||
|
type = object({
|
||||||
|
location = optional(string)
|
||||||
|
lifecycle_delete_age_days = optional(number)
|
||||||
|
})
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "bucket_name" {
|
||||||
|
description = "Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null."
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "build_worker_pool" {
|
||||||
|
description = "Build worker pool, in projects/<PROJECT-ID>/locations/<REGION>/workerPools/<POOL_NAME> format."
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "bundle_config" {
|
||||||
|
description = "Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null."
|
||||||
|
type = object({
|
||||||
|
source_dir = string
|
||||||
|
output_path = optional(string)
|
||||||
|
excludes = optional(list(string))
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "description" {
|
||||||
|
description = "Optional description."
|
||||||
|
type = string
|
||||||
|
default = "Terraform managed."
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "environment_variables" {
|
||||||
|
description = "Cloud function environment variables."
|
||||||
|
type = map(string)
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "function_config" {
|
||||||
|
description = "Cloud function configuration. Defaults to using main as entrypoint, 1 instance with 256MiB of memory, and 180 second timeout."
|
||||||
|
type = object({
|
||||||
|
entry_point = optional(string, "main")
|
||||||
|
instance_count = optional(number, 1)
|
||||||
|
memory_mb = optional(number, 256) # Memory in MB
|
||||||
|
cpu = optional(string, "0.166")
|
||||||
|
runtime = optional(string, "python310")
|
||||||
|
timeout_seconds = optional(number, 180)
|
||||||
|
})
|
||||||
|
default = {
|
||||||
|
entry_point = "main"
|
||||||
|
instance_count = 1
|
||||||
|
memory_mb = 256
|
||||||
|
cpu = "0.166"
|
||||||
|
runtime = "python310"
|
||||||
|
timeout_seconds = 180
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "iam" {
|
||||||
|
description = "IAM bindings for topic in {ROLE => [MEMBERS]} format."
|
||||||
|
type = map(list(string))
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "ingress_settings" {
|
||||||
|
description = "Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY ."
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "labels" {
|
||||||
|
description = "Resource labels."
|
||||||
|
type = map(string)
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "name" {
|
||||||
|
description = "Name used for cloud function and associated resources."
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "prefix" {
|
||||||
|
description = "Optional prefix used for resource names."
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
validation {
|
||||||
|
condition = var.prefix != ""
|
||||||
|
error_message = "Prefix cannot be empty, please use null instead."
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "project_id" {
|
||||||
|
description = "Project id used for all resources."
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "region" {
|
||||||
|
description = "Region used for all resources."
|
||||||
|
type = string
|
||||||
|
default = "europe-west1"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "secrets" {
|
||||||
|
description = "Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format."
|
||||||
|
type = map(object({
|
||||||
|
is_volume = bool
|
||||||
|
project_id = number
|
||||||
|
secret = string
|
||||||
|
versions = list(string)
|
||||||
|
}))
|
||||||
|
nullable = false
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "service_account" {
|
||||||
|
description = "Service account email. Unused if service account is auto-created."
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "service_account_create" {
|
||||||
|
description = "Auto-create service account."
|
||||||
|
type = bool
|
||||||
|
default = false
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "trigger_config" {
|
||||||
|
description = "Function trigger configuration. Leave null for HTTP trigger."
|
||||||
|
type = object({
|
||||||
|
event_type = string
|
||||||
|
pubsub_topic = optional(string)
|
||||||
|
region = optional(string)
|
||||||
|
event_filters = optional(list(object({
|
||||||
|
attribute = string
|
||||||
|
value = string
|
||||||
|
operator = string
|
||||||
|
})), [])
|
||||||
|
service_account_email = optional(string)
|
||||||
|
service_account_create = optional(bool, false)
|
||||||
|
retry_policy = optional(string)
|
||||||
|
})
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "vpc_connector" {
|
||||||
|
description = "VPC connector configuration. Set create to 'true' if a new connector needs to be created."
|
||||||
|
type = object({
|
||||||
|
create = bool
|
||||||
|
name = string
|
||||||
|
egress_settings = string
|
||||||
|
})
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "vpc_connector_config" {
|
||||||
|
description = "VPC connector network configuration. Must be provided if new VPC connector is being created."
|
||||||
|
type = object({
|
||||||
|
ip_cidr_range = string
|
||||||
|
network = string
|
||||||
|
})
|
||||||
|
default = null
|
||||||
|
}
|
||||||
|
|
||||||
|
|
|
@ -4,10 +4,26 @@
|
||||||
# you may not use this file except in compliance with the License.
|
# you may not use this file except in compliance with the License.
|
||||||
# You may obtain a copy of the License at
|
# You may obtain a copy of the License at
|
||||||
#
|
#
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
# https://www.apache.org/licenses/LICENSE-2.0
|
||||||
#
|
#
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
|
terraform {
|
||||||
|
required_version = ">= 1.4.4"
|
||||||
|
required_providers {
|
||||||
|
google = {
|
||||||
|
source = "hashicorp/google"
|
||||||
|
version = ">= 4.69.0" # tftest
|
||||||
|
}
|
||||||
|
google-beta = {
|
||||||
|
source = "hashicorp/google-beta"
|
||||||
|
version = ">= 4.69.0" # tftest
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,11 +0,0 @@
|
||||||
project_id = "my-project"
|
|
||||||
name = "test"
|
|
||||||
bucket_name = "mybucket"
|
|
||||||
bundle_config = {
|
|
||||||
source_dir = "../../tests/modules/cloud_function/bundle"
|
|
||||||
output_path = "bundle.zip"
|
|
||||||
excludes = null
|
|
||||||
}
|
|
||||||
iam = {
|
|
||||||
"roles/cloudfunctions.invoker" = ["allUsers"]
|
|
||||||
}
|
|
|
@ -1,12 +0,0 @@
|
||||||
project_id = "my-project"
|
|
||||||
name = "test"
|
|
||||||
bucket_name = var.bucket_name
|
|
||||||
v2 = var.v2
|
|
||||||
bundle_config = {
|
|
||||||
source_dir = "bundle"
|
|
||||||
output_path = "bundle.zip"
|
|
||||||
excludes = null
|
|
||||||
}
|
|
||||||
iam = {
|
|
||||||
"roles/cloudfunctions.invoker" = ["allUsers"]
|
|
||||||
}
|
|
|
@ -1,31 +0,0 @@
|
||||||
/**
|
|
||||||
* Copyright 2022 Google LLC
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
module "test" {
|
|
||||||
source = "../../../../modules/cloud-function"
|
|
||||||
project_id = "my-project"
|
|
||||||
name = "test"
|
|
||||||
bucket_name = var.bucket_name
|
|
||||||
v2 = var.v2
|
|
||||||
bundle_config = {
|
|
||||||
source_dir = "bundle"
|
|
||||||
output_path = "bundle.zip"
|
|
||||||
excludes = null
|
|
||||||
}
|
|
||||||
iam = {
|
|
||||||
"roles/cloudfunctions.invoker" = ["allUsers"]
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,25 +0,0 @@
|
||||||
/**
|
|
||||||
* Copyright 2022 Google LLC
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
variable "bucket_name" {
|
|
||||||
type = any
|
|
||||||
default = "test"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "v2" {
|
|
||||||
type = any
|
|
||||||
default = false
|
|
||||||
}
|
|
|
@ -1,43 +0,0 @@
|
||||||
# Copyright 2023 Google LLC
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
import pytest
|
|
||||||
|
|
||||||
|
|
||||||
@pytest.fixture
|
|
||||||
def resources(plan_summary, version):
|
|
||||||
# convert `version` to a boolean suitable for the `v2` variable
|
|
||||||
v2 = {'v1': 'false', 'v2': 'true'}[version]
|
|
||||||
summary = plan_summary('modules/cloud-function',
|
|
||||||
tf_var_files=['common.tfvars'], v2=v2)
|
|
||||||
return summary
|
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.parametrize('version', ['v1', 'v2'])
|
|
||||||
def test_resource_count(resources):
|
|
||||||
"Test number of resources created."
|
|
||||||
assert resources.counts['resources'] == 3
|
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.parametrize('version', ['v1', 'v2'])
|
|
||||||
def test_iam(resources, version):
|
|
||||||
"Test IAM binding resources."
|
|
||||||
type = {
|
|
||||||
'v1': 'google_cloudfunctions_function_iam_binding',
|
|
||||||
'v2': 'google_cloudfunctions2_function_iam_binding'
|
|
||||||
}[version]
|
|
||||||
key = f'{type}.default["roles/cloudfunctions.invoker"]'
|
|
||||||
binding = resources.values[key]
|
|
||||||
assert binding['role'] == 'roles/cloudfunctions.invoker'
|
|
||||||
assert binding['members'] == ['allUsers']
|
|
|
@ -0,0 +1,28 @@
|
||||||
|
# Copyright 2023 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
values:
|
||||||
|
module.cf-http.google_cloudfunctions_function_iam_binding.default["roles/cloudfunctions.invoker"]:
|
||||||
|
condition: []
|
||||||
|
members:
|
||||||
|
- allUsers
|
||||||
|
project: my-project
|
||||||
|
region: europe-west1
|
||||||
|
role: roles/cloudfunctions.invoker
|
||||||
|
|
||||||
|
counts:
|
||||||
|
google_cloudfunctions_function: 1
|
||||||
|
google_storage_bucket_object: 1
|
||||||
|
modules: 1
|
||||||
|
resources: 3
|
|
@ -0,0 +1,29 @@
|
||||||
|
# Copyright 2023 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
values:
|
||||||
|
module.cf-http.google_cloudfunctions2_function_iam_binding.default["roles/cloudfunctions.invoker"]:
|
||||||
|
cloud_function: test-cf-http
|
||||||
|
condition: []
|
||||||
|
location: europe-west1
|
||||||
|
members:
|
||||||
|
- allUsers
|
||||||
|
project: my-project
|
||||||
|
role: roles/cloudfunctions.invoker
|
||||||
|
|
||||||
|
counts:
|
||||||
|
google_cloudfunctions2_function: 1
|
||||||
|
google_storage_bucket_object: 1
|
||||||
|
modules: 1
|
||||||
|
resources: 3
|
|
@ -1,4 +1,4 @@
|
||||||
# Copyright 2022 Google LLC
|
# Copyright 2023 Google LLC
|
||||||
#
|
#
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
# you may not use this file except in compliance with the License.
|
# you may not use this file except in compliance with the License.
|
||||||
|
@ -11,3 +11,15 @@
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
|
values:
|
||||||
|
module.cf-http-one.google_storage_bucket_object.bundle:
|
||||||
|
source: /tmp/bundle-my-project-test-cf-http-one.zip
|
||||||
|
module.cf-http-two.google_storage_bucket_object.bundle:
|
||||||
|
source: /tmp/bundle-my-project-test-cf-http-two.zip
|
||||||
|
|
||||||
|
counts:
|
||||||
|
google_cloudfunctions2_function: 2
|
||||||
|
google_storage_bucket_object: 2
|
||||||
|
modules: 2
|
||||||
|
resources: 4
|
Loading…
Reference in New Issue