diff --git a/fast/stages/2-networking-a-peering/README.md b/fast/stages/2-networking-a-peering/README.md
index 69ab7788..75c5fb66 100644
--- a/fast/stages/2-networking-a-peering/README.md
+++ b/fast/stages/2-networking-a-peering/README.md
@@ -403,7 +403,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | |
 | [custom_roles](variables.tf#L63) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
 | [dns](variables.tf#L72) | Onprem DNS resolvers. | map(list(string)) | | {…} | |
-| [factories_config](variables.tf#L80) | Configuration for network resource factories. | object({…}) | | {…} | |
+| [factories_config](variables.tf#L80) | Configuration for network resource factories. | object({…}) | | {…} | |
 | [outputs_location](variables.tf#L121) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
 | [peering_configs](variables-peerings.tf#L19) | Peering configurations. | object({…}) | | {} | |
 | [psa_ranges](variables.tf#L138) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | null | |
diff --git a/fast/stages/2-networking-a-peering/main.tf b/fast/stages/2-networking-a-peering/main.tf
index 8a47a0d5..29fcea32 100644
--- a/fast/stages/2-networking-a-peering/main.tf
+++ b/fast/stages/2-networking-a-peering/main.tf
@@ -52,7 +52,7 @@ module "folder" {
 module "firewall-policy-default" {
 source = "../../../modules/net-firewall-policy"
- name = "net-default"
+ name = var.factories_config.firewall_policy_name
 parent_id = module.folder.id
 rules_factory_config = {
 cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
diff --git a/fast/stages/2-networking-a-peering/variables.tf b/fast/stages/2-networking-a-peering/variables.tf
index 89024258..a0ff0a79 100644
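Review bot: `name = var.factories_config.firewall_policy_name` in module "firewall-policy-default" starts honouring a variable the old code ignored (the previous `"factory"` default was never applied), so any deployment that already sets `factories_config.firewall_policy_name` to something other than `net-default` in its tfvars will see the firewall policy renamed on the next apply, which for a policy resource most likely means destroy-and-recreate and a window in which its rules are not enforced. The same hunk appears in main.tf of 2-networking-b-vpn, c-nva, d-separate-envs and e-nva-bgp. Worth a comment next to the line, e.g. `# renaming an existing policy recreates it; change only on fresh deployments`, and a sentence in each stage README noting the behaviour change. The enclosing module block continues past the hunk.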
--- a/fast/stages/2-networking-a-peering/variables.tf
+++ b/fast/stages/2-networking-a-peering/variables.tf
@@ -82,7 +82,7 @@ variable "factories_config" {
 type = object({
 data_dir = optional(string, "data")
 dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml")
- firewall_policy_name = optional(string, "factory")
+ firewall_policy_name = optional(string, "net-default")
 })
 default = {
 data_dir = "data"
@@ -223,4 +223,4 @@ variable "vpn_onprem_primary_config" {
 }))
 })
 default = null
-}
\ No newline at end of file
+}
diff --git a/fast/stages/2-networking-b-vpn/README.md b/fast/stages/2-networking-b-vpn/README.md
index 1f43b180..e87cee14 100644
--- a/fast/stages/2-networking-b-vpn/README.md
+++ b/fast/stages/2-networking-b-vpn/README.md
@@ -428,7 +428,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | |
 | [custom_roles](variables.tf#L63) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
 | [dns](variables.tf#L72) | Onprem DNS resolvers. | map(list(string)) | | {…} | |
-| [factories_config](variables.tf#L80) | Configuration for network resource factories. | object({…}) | | {…} | |
+| [factories_config](variables.tf#L80) | Configuration for network resource factories. | object({…}) | | {…} | |
 | [outputs_location](variables.tf#L121) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
 | [psa_ranges](variables.tf#L138) | IP ranges used for Private Service Access (CloudSQL, etc.). | object({…}) | | null | |
 | [regions](variables.tf#L159) | Region definitions. | object({…}) | | {…} | |
diff --git a/fast/stages/2-networking-b-vpn/main.tf b/fast/stages/2-networking-b-vpn/main.tf
index 8a47a0d5..29fcea32 100644
--- a/fast/stages/2-networking-b-vpn/main.tf
+++ b/fast/stages/2-networking-b-vpn/main.tf
@@ -52,7 +52,7 @@ module "folder" {
 module "firewall-policy-default" {
 source = "../../../modules/net-firewall-policy"
- name = "net-default"
+ name = var.factories_config.firewall_policy_name
 parent_id = module.folder.id
 rules_factory_config = {
 cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
diff --git a/fast/stages/2-networking-b-vpn/variables.tf b/fast/stages/2-networking-b-vpn/variables.tf
index 89024258..a0ff0a79 100644
--- a/fast/stages/2-networking-b-vpn/variables.tf
+++ b/fast/stages/2-networking-b-vpn/variables.tf
@@ -82,7 +82,7 @@ variable "factories_config" {
 type = object({
 data_dir = optional(string, "data")
 dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml")
- firewall_policy_name = optional(string, "factory")
+ firewall_policy_name = optional(string, "net-default")
 })
 default = {
 data_dir = "data"
@@ -223,4 +223,4 @@ variable "vpn_onprem_primary_config" {
 }))
 })
 default = null
-}
\ No newline at end of file
+}
diff --git a/fast/stages/2-networking-c-nva/README.md b/fast/stages/2-networking-c-nva/README.md
index 778de036..dfc41a0c 100644
--- a/fast/stages/2-networking-c-nva/README.md
+++ b/fast/stages/2-networking-c-nva/README.md
@@ -484,7 +484,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | |
 | [custom_roles](variables.tf#L63) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
 | [dns](variables.tf#L72) | Onprem DNS resolvers. | map(list(string)) | | {…} | |
-| [factories_config](variables.tf#L80) | Configuration for network resource factories. | object({…}) | | {…} | |
+| [factories_config](variables.tf#L80) | Configuration for network resource factories. | object({…}) | | {…} | |
 | [gcp_ranges](variables.tf#L111) | GCP address ranges in name => range format. | map(string) | | {…} | |
 | [onprem_cidr](variables.tf#L126) | Onprem addresses in name => range format. | map(string) | | {…} | |
 | [outputs_location](variables.tf#L144) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
diff --git a/fast/stages/2-networking-c-nva/main.tf b/fast/stages/2-networking-c-nva/main.tf
index aff2eaf5..d67abf1c 100644
--- a/fast/stages/2-networking-c-nva/main.tf
+++ b/fast/stages/2-networking-c-nva/main.tf
@@ -53,7 +53,7 @@ module "folder" {
 module "firewall-policy-default" {
 source = "../../../modules/net-firewall-policy"
- name = "net-default"
+ name = var.factories_config.firewall_policy_name
 parent_id = module.folder.id
 rules_factory_config = {
 cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
diff --git a/fast/stages/2-networking-c-nva/variables.tf b/fast/stages/2-networking-c-nva/variables.tf
index c5becd21..1b4ad4ec 100644
--- a/fast/stages/2-networking-c-nva/variables.tf
+++ b/fast/stages/2-networking-c-nva/variables.tf
@@ -82,7 +82,7 @@ variable "factories_config" {
 type = object({
 data_dir = optional(string, "data")
 dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml")
- firewall_policy_name = optional(string, "factory")
+ firewall_policy_name = optional(string, "net-default")
 })
 default = {
 data_dir = "data"
@@ -289,4 +289,4 @@ variable "vpn_onprem_secondary_config" {
 }))
 })
 default = null
-}
\ No newline at end of file
+}
diff --git a/fast/stages/2-networking-d-separate-envs/README.md b/fast/stages/2-networking-d-separate-envs/README.md
index eae0eaf4..7514454f 100644
--- a/fast/stages/2-networking-d-separate-envs/README.md
+++ b/fast/stages/2-networking-d-separate-envs/README.md
@@ -346,7 +346,7 @@ Regions are defined via the `regions` variable which sets up a mapping between t
 | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | |
 | [custom_roles](variables.tf#L63) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
 | [dns](variables.tf#L72) | Onprem DNS resolvers. | map(list(string)) | | {…} | |
-| [factories_config](variables.tf#L81) | Configuration for network resource factories. | object({…}) | | {…} | |
+| [factories_config](variables.tf#L81) | Configuration for network resource factories. | object({…}) | | {…} | |
 | [outputs_location](variables.tf#L122) | Path where providers and tfvars files for the following stages are written. Leave empty to disable. | string | | null | |
 | [psa_ranges](variables.tf#L139) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | |
 | [regions](variables.tf#L160) | Region definitions. | object({…}) | | {…} | |
diff --git a/fast/stages/2-networking-d-separate-envs/main.tf b/fast/stages/2-networking-d-separate-envs/main.tf
index 5145e186..2c5639bc 100644
--- a/fast/stages/2-networking-d-separate-envs/main.tf
+++ b/fast/stages/2-networking-d-separate-envs/main.tf
@@ -48,7 +48,7 @@ module "folder" {
 module "firewall-policy-default" {
 source = "../../../modules/net-firewall-policy"
- name = "net-default"
+ name = var.factories_config.firewall_policy_name
 parent_id = module.folder.id
 rules_factory_config = {
 cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
diff --git a/fast/stages/2-networking-d-separate-envs/variables.tf b/fast/stages/2-networking-d-separate-envs/variables.tf
index 52112396..29d4788a 100644
--- a/fast/stages/2-networking-d-separate-envs/variables.tf
+++ b/fast/stages/2-networking-d-separate-envs/variables.tf
@@ -83,7 +83,7 @@ variable "factories_config" {
 type = object({
 data_dir = optional(string, "data")
 dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml")
- firewall_policy_name = optional(string, "factory")
+ firewall_policy_name = optional(string, "net-default")
 })
 default = {
 data_dir = "data"
@@ -265,4 +265,4 @@ variable "vpn_onprem_prod_primary_config" {
 }))
 })
 default = null
-}
\ No newline at end of file
+}
diff --git a/fast/stages/2-networking-e-nva-bgp/README.md b/fast/stages/2-networking-e-nva-bgp/README.md
index 32be44b1..405ac719 100644
--- a/fast/stages/2-networking-e-nva-bgp/README.md
+++ b/fast/stages/2-networking-e-nva-bgp/README.md
@@ -510,7 +510,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
 | [alert_config](variables.tf#L17) | Configuration for monitoring alerts. | object({…}) | | {…} | |
 | [custom_roles](variables.tf#L63) | Custom roles defined at the org level, in key => id format. | object({…}) | | null | 0-bootstrap |
 | [dns](variables.tf#L72) | Onprem DNS resolvers. | map(list(string)) | | {…} | |
-| [factories_config](variables.tf#L80) | Configuration for network resource factories. | object({…}) | | {…} | |
+| [factories_config](variables.tf#L80) | Configuration for network resource factories. | object({…}) | | {…} | |
 | [gcp_ranges](variables.tf#L111) | GCP address ranges in name => range format. | map(string) | | {…} | |
 | [ncc_asn](variables.tf#L126) | The NCC Cloud Routers ASN configuration. | map(number) | | {…} | |
 | [onprem_cidr](variables.tf#L137) | Onprem addresses in name => range format. | map(string) | | {…} | |
diff --git a/fast/stages/2-networking-e-nva-bgp/main.tf b/fast/stages/2-networking-e-nva-bgp/main.tf
index aff2eaf5..d67abf1c 100644
--- a/fast/stages/2-networking-e-nva-bgp/main.tf
+++ b/fast/stages/2-networking-e-nva-bgp/main.tf
@@ -53,7 +53,7 @@ module "folder" {
 module "firewall-policy-default" {
 source = "../../../modules/net-firewall-policy"
- name = "net-default"
+ name = var.factories_config.firewall_policy_name
 parent_id = module.folder.id
 rules_factory_config = {
 cidr_file_path = "${var.factories_config.data_dir}/cidrs.yaml"
diff --git a/fast/stages/2-networking-e-nva-bgp/variables.tf b/fast/stages/2-networking-e-nva-bgp/variables.tf
index 4d4a451c..b8773041 100644
--- a/fast/stages/2-networking-e-nva-bgp/variables.tf
+++ b/fast/stages/2-networking-e-nva-bgp/variables.tf
@@ -82,7 +82,7 @@ variable "factories_config" {
 type = object({
 data_dir = optional(string, "data")
 dns_policy_rules_file = optional(string, "data/dns-policy-rules.yaml")
- firewall_policy_name = optional(string, "factory")
+ firewall_policy_name = optional(string, "net-default")
 })
 default = {
 data_dir = "data"
@@ -306,4 +306,4 @@ variable "zones" {
 description = "Zones in which NVAs are deployed."
 type = list(string)
 default = ["b", "c"]
-}
\ No newline at end of file
+}
diff --git a/modules/cloud-function-v2/README.md b/modules/cloud-function-v2/README.md
index ca08b884..fa56fa10 100644
--- a/modules/cloud-function-v2/README.md
+++ b/modules/cloud-function-v2/README.md
@@ -4,6 +4,21 @@ Cloud Function management, with support for IAM roles and optional bucket creati
 The GCS object used for deployment uses a hash of the bundle zip contents in its name, which ensures change tracking and avoids recreating the function if the GCS object is deleted and needs recreating.
+
+- [TODO](#todo)
+- [Examples](#examples)
+ - [HTTP trigger](#http-trigger)
+ - [PubSub and non-HTTP triggers](#pubsub-and-non-http-triggers)
+ - [Controlling HTTP access](#controlling-http-access)
+ - [GCS bucket creation](#gcs-bucket-creation)
+ - [Service account management](#service-account-management)
+ - [Custom bundle config](#custom-bundle-config)
+ - [Private Cloud Build Pool](#private-cloud-build-pool)
+ - [Multiple Cloud Functions within project](#multiple-cloud-functions-within-project)
+- [Variables](#variables)
+- [Outputs](#outputs)
+
+
 ## TODO - [ ] add support for `source_repository`
@@ -67,7 +82,7 @@ as documented [here](https://cloud.google.com/eventarc/docs/roles-permissions#pu
 ### Controlling HTTP access
-To allow anonymous access to the function, grant the `roles/cloudfunctions.invoker` role to the special `allUsers` identifier. Use specific identities (service accounts, groups, etc.) instead of `allUsers` to only allow selective access.
+To allow anonymous access to the function, grant the `roles/run.invoker` role to the special `allUsers` identifier. Use specific identities (service accounts, groups, etc.) instead of `allUsers` to only allow selective access. The Cloud Run role needs to be used as explained in the [gcloud documentation](https://cloud.google.com/sdk/gcloud/reference/functions/add-invoker-policy-binding#DESCRIPTION).
 ```hcl
 module "cf-http" {
@@ -80,7 +95,7 @@ module "cf-http" {
 output_path = "bundle.zip"
 }
 iam = {
- "roles/cloudfunctions.invoker" = ["allUsers"]
+ "roles/run.invoker" = ["allUsers"]
 }
 }
 # tftest modules=1 resources=3 inventory=iam.yaml
diff --git a/modules/cloud-function-v2/main.tf b/modules/cloud-function-v2/main.tf
index 71979ee3..5b506f29 100644
--- a/modules/cloud-function-v2/main.tf
+++ b/modules/cloud-function-v2/main.tf
@@ -24,28 +24,17 @@ locals {
 : null
 )
 )
- _iam_run_invoker_members = concat(
- lookup(var.iam, "roles/run.invoker", []),
- var.trigger_config == null ? [] :
- var.trigger_config.service_account_create ? ["serviceAccount:${local.trigger_service_account_email}"] : []
- )
- iam = merge(
- var.iam,
- length(local._iam_run_invoker_members) == 0 ? {} :
- {
- "roles/run.invoker" : local._iam_run_invoker_members
- },
- )
 prefix = var.prefix == null ? "" : "${var.prefix}-"
 service_account_email = (
 var.service_account_create
 ? google_service_account.service_account[0].email
 : var.service_account
 )
- trigger_service_account_email = (
- try(var.trigger_config.service_account_create, false)
- ? google_service_account.trigger_service_account[0].email
- : try(var.trigger_config.service_account_email, null)
+ trigger_sa_create = (
+ try(var.trigger_config.service_account_create, false) == true
+ )
+ trigger_sa_email = try(
+ google_service_account.trigger_service_account[0].email, null
 )
 vpc_connector = (
 var.vpc_connector == null
@@ -104,7 +93,7 @@ resource "google_cloudfunctions2_function" "function" {
 operator = event_filter.value.operator
 }
 }
- service_account_email = local.trigger_service_account_email
+ service_account_email = local.trigger_sa_email
 retry_policy = var.trigger_config.retry_policy
 }
 }
@@ -154,8 +143,10 @@ resource "google_cloudfunctions2_function" "function" {
 labels = var.labels
 }
-resource "google_cloudfunctions2_function_iam_binding" "default" {
- for_each = local.iam
+resource "google_cloudfunctions2_function_iam_binding" "binding" {
+ for_each = {
+ for k, v in var.iam : k => v if k != "roles/run.invoker"
+ }
 project = var.project_id
 location = google_cloudfunctions2_function.function.location
 cloud_function = google_cloudfunctions2_function.function.name
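Review bot: `trigger_sa_email = try(google_service_account.trigger_service_account[0].email, null)` drops the fallback the removed `trigger_service_account_email` local had to `var.trigger_config.service_account_email`, so a caller that passes an existing trigger service account instead of creating one now gets `null` in the function's `event_trigger` `service_account_email` (the -104,7 hunk) and in the `trigger_service_account_email` output. The same regression is in the cloud-run locals hunk at -90,17, where the eventarc triggers lose `var.eventarc_triggers.service_account_email`; the updated fixture trigger-service-account-external.yaml shows the effect (`service_account: null` where the old expectation was the external account). Keeping the created account first and the caller-supplied one as the fallback fixes both: `trigger_sa_email = try(google_service_account.trigger_service_account[0].email, var.trigger_config.service_account_email, null)` here and `var.eventarc_triggers.service_account_email` as the middle argument in cloud-run. The `locals` block starts and ends outside the hunk.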
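Review bot: Renaming `google_cloudfunctions2_function_iam_binding` from `default` to `binding` changes the resource address, so every state created with the old module will plan a destroy of each function-level binding and a create under the new name, with a short gap in which those roles are not granted. If the module's required Terraform version allows it, a `moved` block keeps the transition in place: `moved { from = google_cloudfunctions2_function_iam_binding.default` / `to = google_cloudfunctions2_function_iam_binding.binding }`. A one-line comment on the `for_each` filter would also help readers, e.g. `# roles/run.invoker is bound on the underlying Cloud Run service instead`. The resource block continues past the hunk.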
@@ -163,6 +154,39 @@ resource "google_cloudfunctions2_function_iam_binding" "default" {
 members = each.value
 }
+resource "google_cloud_run_service_iam_binding" "invoker" {
+ # cloud run resources are needed for invoker role to the underlying service
+ count = (
+ lookup(var.iam, "roles/run.invoker", null) != null
+ ) ? 1 : 0
+ project = var.project_id
+ location = google_cloudfunctions2_function.function.location
+ service = google_cloudfunctions2_function.function.name
+ role = "roles/run.invoker"
+ members = distinct(compact(concat(
+ lookup(var.iam, "roles/run.invoker", []),
+ (
+ !local.trigger_sa_create
+ ? []
+ : ["serviceAccount:${local.trigger_sa_email}"]
+ )
+ )))
+}
+
+resource "google_cloud_run_service_iam_member" "invoker" {
+ # if authoritative invoker role is not present and we create trigger sa
+ # use additive binding to grant it the role
+ count = (
+ lookup(var.iam, "roles/run.invoker", null) == null &&
+ local.trigger_sa_create
+ ) ? 1 : 0
+ project = var.project_id
+ location = google_cloudfunctions2_function.function.location
+ service = google_cloudfunctions2_function.function.name
+ role = "roles/run.invoker"
+ member = "serviceAccount:${local.trigger_sa_email}"
+}
+
 resource "google_storage_bucket" "bucket" {
 count = var.bucket_config == null ? 0 : 1
 project = var.project_id
@@ -216,9 +240,7 @@ resource "google_service_account" "service_account" {
 }
 resource "google_service_account" "trigger_service_account" {
- count = (
- try(var.trigger_config.service_account_create, false) == true ? 1 : 0
- )
+ count = local.trigger_sa_create ? 1 : 0
 project = var.project_id
 account_id = "tf-cf-trigger-${var.name}"
 display_name = "Terraform trigger for Cloud Function ${var.name}."
diff --git a/modules/cloud-function-v2/outputs.tf b/modules/cloud-function-v2/outputs.tf
index 780f5c1e..4e42a002 100644
--- a/modules/cloud-function-v2/outputs.tf
+++ b/modules/cloud-function-v2/outputs.tf
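Review bot: `google_cloud_run_service_iam_binding.invoker` is an authoritative binding for `roles/run.invoker` on the underlying Cloud Run service, so each apply removes any invoker members granted outside this module, and with the README example of `allUsers` it makes the function anonymously callable; the inline comment explains why a Cloud Run resource is used but not that it is authoritative. Suggest extending it: `# authoritative: any roles/run.invoker members not listed in var.iam are removed on apply`. It is also worth a note in the README that a `roles/cloudfunctions.invoker` key in `var.iam` still lands on the function-level binding, which on a 2nd gen function does not grant invocation, since the migration to `roles/run.invoker` is otherwise silent.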
@@ -66,14 +66,14 @@ output "trigger_service_account" {
 output "trigger_service_account_email" {
 description = "Service account email."
- value = local.trigger_service_account_email
+ value = local.trigger_sa_email
 }
 output "trigger_service_account_iam_email" {
 description = "Service account email."
 value = join("", [
 "serviceAccount:",
- local.trigger_service_account_email == null ? "" : local.trigger_service_account_email
+ local.trigger_sa_email == null ? "" : local.trigger_sa_email
 ])
 }
diff --git a/modules/cloud-run/main.tf b/modules/cloud-run/main.tf
index 527e1fd1..46f6e3a8 100644
--- a/modules/cloud-run/main.tf
+++ b/modules/cloud-run/main.tf
@@ -35,17 +35,6 @@ locals {
 "run.googleapis.com/ingress" = var.ingress_settings
 },
 )
- _iam_run_invoker_members = concat(
- lookup(var.iam, "roles/run.invoker", []),
- var.eventarc_triggers.service_account_create ? ["serviceAccount:${local.trigger_service_account_email}"] : []
- )
- iam = merge(
- var.iam,
- length(local._iam_run_invoker_members) == 0 ? {} :
- {
- "roles/run.invoker" : local._iam_run_invoker_members
- },
- )
 prefix = var.prefix == null ? "" : "${var.prefix}-"
 revision_annotations = merge(
 try(var.revision_annotations.autoscaling, null) == null ? {} : {
@@ -90,17 +79,12 @@ locals {
 ) : var.service_account
 )
- trigger_service_account_email = (
- var.eventarc_triggers.service_account_create
- ? (
- length(google_service_account.trigger_service_account) > 0
- ? google_service_account.trigger_service_account[0].email
- # : google_service_account.trigger_service_account[0].email # : null
- : null
- )
- : var.eventarc_triggers.service_account_email
+ trigger_sa_create = try(
+ var.eventarc_triggers.service_account_create, false
+ )
+ trigger_sa_email = try(
+ google_service_account.trigger_service_account[0].email, null
 )
- vpc_connector_create = var.vpc_connector_create != null
 }
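Review bot: `trigger_sa_create = try(var.eventarc_triggers.service_account_create, false)` is not normalised to a boolean the way the cloud-function-v2 counterpart is (`... == true`), so if `service_account_create` is declared as an optional attribute that can be `null`, `try` returns `null` rather than `false` and the downstream `count = local.trigger_sa_create ? 1 : 0` expressions fail to evaluate. Appending the comparison makes the two modules consistent: `trigger_sa_create = try(var.eventarc_triggers.service_account_create, false) == true`. Whether the attribute can actually be null depends on variables.tf, which is outside this diff. The `locals` block starts outside the hunk.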
@@ -317,12 +301,33 @@ resource "google_cloud_run_service" "service" {
 }
 resource "google_cloud_run_service_iam_binding" "binding" {
- for_each = local.iam
+ for_each = var.iam
 project = google_cloud_run_service.service.project
 location = google_cloud_run_service.service.location
 service = google_cloud_run_service.service.name
 role = each.key
- members = each.value
+ members = (
+ each.key != "roles/run.invoker" || !local.trigger_sa_create
+ ? each.value
+ # if invoker role is present and we create trigger sa, add it as member
+ : concat(
+ each.value, ["serviceAccount:${local.trigger_sa_email}"]
+ )
+ )
+}
+
+resource "google_cloud_run_service_iam_member" "default" {
+ # if authoritative invoker role is not present and we create trigger sa
+ # use additive binding to grant it the role
+ count = (
+ lookup(var.iam, "roles/run.invoker", null) == null &&
+ local.trigger_sa_create
+ ) ? 1 : 0
+ project = google_cloud_run_service.service.project
+ location = google_cloud_run_service.service.location
+ service = google_cloud_run_service.service.name
+ role = "roles/run.invoker"
+ member = "serviceAccount:${local.trigger_sa_email}"
 }
 resource "google_service_account" "service_account" {
@@ -355,7 +360,7 @@ resource "google_eventarc_trigger" "audit_log_triggers" {
 region = google_cloud_run_service.service.location
 }
 }
- service_account = local.trigger_service_account_email
+ service_account = local.trigger_sa_email
 }
 resource "google_eventarc_trigger" "pubsub_triggers" {
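Review bot: In the `members` expression for `roles/run.invoker`, `concat(each.value, ["serviceAccount:${local.trigger_sa_email}"])` is not de-duplicated, unlike the cloud-function-v2 counterpart which wraps the same list in `distinct(compact(...))`; a caller that lists the trigger account explicitly would produce a duplicate member, which the provider may reject or keep re-planning. Suggest `: distinct(compact(concat(each.value, ["serviceAccount:${local.trigger_sa_email}"])))`. The additive resource is named `default` here and `invoker` in cloud-function-v2; aligning the names would make the two modules easier to read side by side.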
@@ -378,11 +383,11 @@ resource "google_eventarc_trigger" "pubsub_triggers" {
 region = google_cloud_run_service.service.location
 }
 }
- service_account = local.trigger_service_account_email
+ service_account = local.trigger_sa_email
 }
 resource "google_service_account" "trigger_service_account" {
- count = var.eventarc_triggers.service_account_create ? 1 : 0 # coalesce(try(var.eventarc_triggers.service_account_create, false), false) ? 1 : 0
+ count = local.trigger_sa_create ? 1 : 0
 project = var.project_id
 account_id = "tf-cr-trigger-${var.name}"
 display_name = "Terraform trigger for Cloud Run ${var.name}."
diff --git a/tests/modules/cloud_function_v2/examples/iam.yaml b/tests/modules/cloud_function_v2/examples/iam.yaml
index 6353b626..4bbd6653 100644
--- a/tests/modules/cloud_function_v2/examples/iam.yaml
+++ b/tests/modules/cloud_function_v2/examples/iam.yaml
@@ -13,17 +13,37 @@ # limitations under the License. values: - module.cf-http.google_cloudfunctions2_function_iam_binding.default["roles/cloudfunctions.invoker"]: - cloud_function: test-cf-http + module.cf-http.google_cloud_run_service_iam_binding.invoker[0]: condition: [] location: europe-west1 members: - allUsers project: my-project - role: roles/cloudfunctions.invoker + role: roles/run.invoker + service: test-cf-http + module.cf-http.google_cloudfunctions2_function.function: {} + module.cf-http.google_storage_bucket_object.bundle: + bucket: test-cf-bundles + cache_control: null + content: null + content_disposition: null + content_encoding: null + content_language: null + customer_encryption: [] + detect_md5hash: different hash + event_based_hold: null + metadata: null + name: bundle-6f1ece136848fee658e335b05fe2d79d.zip + source: bundle.zip + temporary_hold: null + timeouts: null counts: + google_cloud_run_service_iam_binding: 1 google_cloudfunctions2_function: 1 google_storage_bucket_object: 1 modules: 1 resources: 3 + +outputs: {} + 
diff --git a/tests/modules/cloud_run/examples/trigger-service-account-external.yaml b/tests/modules/cloud_run/examples/trigger-service-account-external.yaml index def9c89a..45d15ea4 100644 --- a/tests/modules/cloud_run/examples/trigger-service-account-external.yaml +++ b/tests/modules/cloud_run/examples/trigger-service-account-external.yaml @@ -13,10 +13,61 @@ # limitations under the License. values: - module.cloud_run.google_cloud_run_service.service: {} + module.cloud_run.google_cloud_run_service.service: + autogenerate_revision_name: false + location: europe-west1 + metadata: + - {} + name: hello + project: my-project + template: + - metadata: + - {} + spec: + - containers: + - args: null + command: null + env: [] + env_from: [] + image: us-docker.pkg.dev/cloudrun/container/hello + liveness_probe: [] + volume_mounts: [] + working_dir: null + volumes: [] + timeouts: null module.cloud_run.google_eventarc_trigger.audit_log_triggers["setiampolicy"]: - service_account: cloud-run-trigger@my-project.iam.gserviceaccount.com + channel: null + destination: + - cloud_function: null + cloud_run_service: + - path: null + region: europe-west1 + service: hello + gke: [] + workflow: null + event_data_content_type: null + labels: null + location: europe-west1 + matching_criteria: + - attribute: methodName + operator: '' + value: SetIamPolicy + - attribute: serviceName + operator: '' + value: cloudresourcemanager.googleapis.com + - attribute: type + operator: '' + value: google.cloud.audit.log.v1.written + name: audit-log-setiampolicy + project: my-project + service_account: null + timeouts: null counts: google_cloud_run_service: 1 google_eventarc_trigger: 1 + modules: 1 + resources: 2 + +outputs: {} + diff --git a/tests/modules/cloud_run/examples/trigger-service-account.yaml b/tests/modules/cloud_run/examples/trigger-service-account.yaml index 86b1e1af..92b8fce8 100644 --- a/tests/modules/cloud_run/examples/trigger-service-account.yaml 
+++ b/tests/modules/cloud_run/examples/trigger-service-account.yaml 
@@ -13,23 +13,95 @@ # limitations under the License. values: - module.cloud_run.google_cloud_run_service.service: {} - module.cloud_run.google_cloud_run_service_iam_binding.binding["roles/run.invoker"]: + module.cloud_run.google_cloud_run_service.service: + autogenerate_revision_name: false + location: europe-west1 + metadata: + - {} + name: hello + project: my-project + template: + - metadata: + - {} + spec: + - containers: + - args: null + command: null + env: [] + env_from: [] + image: us-docker.pkg.dev/cloudrun/container/hello + liveness_probe: [] + volume_mounts: [] + working_dir: null + volumes: [] + timeouts: null + module.cloud_run.google_cloud_run_service_iam_member.default[0]: + condition: [] + location: europe-west1 project: my-project role: roles/run.invoker service: hello - # members: ["known after apply"] - module.cloud_run.google_eventarc_trigger.pubsub_triggers["topic-1"]: {} - # service_account: known after apply - module.cloud_run.google_eventarc_trigger.pubsub_triggers["topic-2"]: {} - # service_account: known after apply + module.cloud_run.google_eventarc_trigger.pubsub_triggers["topic-1"]: + channel: null + destination: + - cloud_function: null + cloud_run_service: + - path: null + region: europe-west1 + service: hello + gke: [] + workflow: null + event_data_content_type: null + labels: null + location: europe-west1 + matching_criteria: + - attribute: type + operator: '' + value: google.cloud.pubsub.topic.v1.messagePublished + name: pubsub-topic-1 + project: my-project + timeouts: null + transport: + - pubsub: + - topic: topic1 + module.cloud_run.google_eventarc_trigger.pubsub_triggers["topic-2"]: + channel: null + destination: + - cloud_function: null + cloud_run_service: + - path: null + region: europe-west1 + service: hello + gke: [] + workflow: null + event_data_content_type: null + labels: null + location: europe-west1 + matching_criteria: + - attribute: type + operator: '' + value: google.cloud.pubsub.topic.v1.messagePublished + name: 
pubsub-topic-2 + project: my-project + timeouts: null + transport: + - pubsub: + - topic: topic2 module.cloud_run.google_service_account.trigger_service_account[0]: account_id: tf-cr-trigger-hello + description: null + disabled: false display_name: Terraform trigger for Cloud Run hello. project: my-project + timeouts: null counts: google_cloud_run_service: 1 - google_cloud_run_service_iam_binding: 1 + google_cloud_run_service_iam_member: 1 google_eventarc_trigger: 2 google_service_account: 1 + modules: 1 + resources: 5 + +outputs: {} +