Add support for vpc connector and ingress settings to cloud-function (#116)

* add support for ingress/egress/vpc connector to cloud function * refactor vpc connector support * refactor ingress settings support * fix vpc connector value * fix vpc connector value
2020-07-24 08:55:58 +02:00 · 2020-07-24 08:55:58 +02:00 · 3cad63285f
parent cb84c34c5d
commit 3cad63285f
4 changed files with 65 additions and 13 deletions
--- a/modules/cloud-function/README.md
+++ b/modules/cloud-function/README.md
@ -6,8 +6,6 @@ The GCS object used for deployment uses a hash of the bundle zip contents in its

 ## TODO

- [ ] add support for `ingress_settings`
- [ ] add support for `vpc_connector` and `vpc_connector_egress_settings`
 - [ ] add support for `source_repository`

 ## Examples
@ -138,15 +136,17 @@ module "cf-http" {
 | project_id | Project id used for all resources. | <code title="">string</code> | ✓ |  |
 | *bucket_config* | Enable and configure auto-created bucket. Set fields to null to use defaults. | <code title="object&#40;&#123;&#10;location             &#61; string&#10;lifecycle_delete_age &#61; number&#10;&#125;&#41;">object({...})</code> |  | <code title="">null</code> |
 | *environment_variables* | Cloud function environment variables. | <code title="map&#40;string&#41;">map(string)</code> |  | <code title="">{}</code> |
-| *function_config* | Cloud function configuration. | <code title="object&#40;&#123;&#10;entry_point &#61; string&#10;instances   &#61; number&#10;memory      &#61; number&#10;runtime     &#61; string&#10;timeout     &#61; number&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;entry_point &#61; &#34;main&#34;&#10;instances   &#61; 1&#10;memory      &#61; 256&#10;runtime     &#61; &#34;python37&#34;&#10;timeout     &#61; 180&#10;&#125;">...</code> |
+| *function_config* | Cloud function configuration. | <code title="object&#40;&#123;&#10;entry_point      &#61; string&#10;ingress_settings &#61; string&#10;instances        &#61; number&#10;memory           &#61; number&#10;runtime          &#61; string&#10;timeout          &#61; number&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;entry_point      &#61; &#34;main&#34;&#10;ingress_settings &#61; null&#10;instances        &#61; 1&#10;memory           &#61; 256&#10;runtime          &#61; &#34;python37&#34;&#10;timeout          &#61; 180&#10;&#125;">...</code> |
 | *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
 | *iam_roles* | List of roles used to set authoritative bindings. Ignored for template use. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *ingress_settings* | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL and ALLOW_INTERNAL_ONLY. | <code title="">string</code> |  | <code title="">null</code> |
 | *labels* | Resource labels | <code title="map&#40;string&#41;">map(string)</code> |  | <code title="">{}</code> |
 | *prefix* | Optional prefix used for resource names. | <code title="">string</code> |  | <code title="">null</code> |
 | *region* | Region used for all resources. | <code title="">string</code> |  | <code title="">europe-west1</code> |
 | *service_account* | Service account email. Unused if service account is auto-created. | <code title="">string</code> |  | <code title="">null</code> |
 | *service_account_create* | Auto-create service account. | <code title="">bool</code> |  | <code title="">false</code> |
 | *trigger_config* | Function trigger configuration. Leave null for HTTP trigger. | <code title="object&#40;&#123;&#10;event    &#61; string&#10;resource &#61; string&#10;retry    &#61; bool&#10;&#125;&#41;">object({...})</code> |  | <code title="">null</code> |
+| *vpc_connector_config* | VPC connector configuration. Set `create_config` attributes to trigger creation. | <code title="object&#40;&#123;&#10;egress_settings &#61; string&#10;name            &#61; string&#10;create_config &#61; object&#40;&#123;&#10;ip_cidr_range &#61; string&#10;network       &#61; string&#10;&#125;&#41;&#10;&#125;&#41;">object({...})</code> |  | <code title="">null</code> |

 ## Outputs

@ -159,4 +159,5 @@ module "cf-http" {
 | service_account | Service account resource. |  |
 | service_account_email | Service account email. |  |
 | service_account_iam_email | Service account email. |  |
+| vpc_connector | VPC connector resource if created. |  |
 <!-- END TFDOC -->
--- a/modules/cloud-function/main.tf
+++ b/modules/cloud-function/main.tf
@ -34,8 +34,27 @@ locals {
    )
    : var.service_account
  )
+  vpc_connector = (
+    var.vpc_connector_config == null
+    ? null
+    : (
+      var.vpc_connector_config.create_config == null
+      ? var.vpc_connector_config.name
+      : google_vpc_access_connector.connector.0.id
+    )
+  )
 }

+resource "google_vpc_access_connector" "connector" {
+  count         = try(var.vpc_connector_config.create_config, null) != null ? 1 : 0
+  project       = var.project_id
+  name          = var.vpc_connector_config.name
+  region        = var.region
+  ip_cidr_range = var.vpc_connector_config.create_config.ip_cidr_range
+  network       = var.vpc_connector_config.create_config.network
+}
+
+
 resource "google_cloudfunctions_function" "function" {
  project               = var.project_id
  region                = var.region
@ -52,6 +71,12 @@ resource "google_cloudfunctions_function" "function" {
  source_archive_object = google_storage_bucket_object.bundle.name
  labels                = var.labels
  trigger_http          = var.trigger_config == null ? true : null
+  ingress_settings      = var.ingress_settings
+
+  vpc_connector = local.vpc_connector
+  vpc_connector_egress_settings = try(
+    var.vpc_connector_config.egress_settings, null
+  )

  dynamic event_trigger {
    for_each = var.trigger_config == null ? [] : [""]
--- a/modules/cloud-function/outputs.tf
+++ b/modules/cloud-function/outputs.tf
@ -53,3 +53,8 @@ output "service_account_iam_email" {
    local.service_account_email == null ? "" : local.service_account_email
  ])
 }
+
+output "vpc_connector" {
+  description = "VPC connector resource if created."
+  value       = try(google_vpc_access_connector.connector.0.id, null)
+}
--- a/modules/cloud-function/variables.tf
+++ b/modules/cloud-function/variables.tf
@ -57,21 +57,29 @@ variable "iam_roles" {
 variable "function_config" {
  description = "Cloud function configuration."
  type = object({
-    entry_point = string
-    instances   = number
-    memory      = number
-    runtime     = string
-    timeout     = number
+    entry_point      = string
+    ingress_settings = string
+    instances        = number
+    memory           = number
+    runtime          = string
+    timeout          = number
  })
  default = {
-    entry_point = "main"
-    instances   = 1
-    memory      = 256
-    runtime     = "python37"
-    timeout     = 180
+    entry_point      = "main"
+    ingress_settings = null
+    instances        = 1
+    memory           = 256
+    runtime          = "python37"
+    timeout          = 180
  }
 }

+variable "ingress_settings" {
+  description = "Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL and ALLOW_INTERNAL_ONLY."
+  type        = string
+  default     = null
+}
+
 variable "labels" {
  description = "Resource labels"
  type        = map(string)
@ -121,3 +129,16 @@ variable "trigger_config" {
  })
  default = null
 }
+
+variable "vpc_connector_config" {
+  description = "VPC connector configuration. Set `create_config` attributes to trigger creation."
+  type = object({
+    egress_settings = string
+    name            = string
+    create_config = object({
+      ip_cidr_range = string
+      network       = string
+    })
+  })
+  default = null
+}