zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Cloud functions module (#102) 

* wip

* cloud function module

* wip

* cloud function module

* update top-level READMEs and CHANGELOG

* update top-level READMEs and CHANGELOG

* remove duplicate boilerplate in variables

* implement suggestions in PR review
This commit is contained in:
Ludovico Magnocavallo 2020-06-29 08:05:44 +02:00 committed by GitHub
parent eedabe9f3d
commit c4850b8391
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 490 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGELOG.md
View File

@ -3,8 +3,10 @@
All notable changes to this project will be documented in this file.
## [Unreleased]
- new 'Cloud Endpoints' module
- make project creation optional in `project` module to allow managing a pre-existing project
- new `cloud-endpoints` module
- new `cloud-function` module
## [2.1.0] - 2020-06-22

3
README.md
View File

@ -37,7 +37,8 @@ Currently available modules:
- **networking** - [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC peering](./modules/net-vpc-peering), [VPN static](./modules/net-vpn-static), [VPN dynamic](./modules/net-vpn-dynamic), [VPN HA](./modules/net-vpn-ha), [NAT](./modules/net-cloudnat), [address reservation](./modules/net-address), [DNS](./modules/dns), [L4 ILB](./modules/net-ilb), [Service Directory](./modules/service-directory), [Cloud Endpoints](./modules/cloudenpoints)
- **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [GKE cluster](./modules/gke-cluster), [GKE nodepool](./modules/gke-nodepool), [COS container](./modules/cos-container) (coredns, mysql, onprem, squid)
- **data** - [GCS](./modules/gcs), [BigQuery dataset](./modules/bigquery-dataset), [Pub/Sub](./modules/pubsub), [Datafusion](./modules/datafusion), [Bigtable instance](./modules/bigtable-instance)
- **security** - [KMS](./modules/kms), [SecretManager](./modules/secret-manager)
- **development** - [Cloud Source Repository](./modules/source-repository), [Container Registry](./modules/container-registry), [Artifact Registry](./modules/artifact-registry)
- **security** - [KMS](./modules/kms), [SecretManager](./modules/secret-manager)
- **serverless** - [Cloud Functions](./cloud-functions)
For more information and usage examples see each module's README file.

4
modules/README.md
View File

@ -58,3 +58,7 @@ Specific modules also offer support for non-authoritative bindings (e.g. `google
- [Cloud KMS](./kms)
- [Secret Manager](./secret-manager)
## Serverless
- [Cloud Functions](./cloud-function)

162
modules/cloud-function/README.md Normal file
View File

@ -0,0 +1,162 @@
# Cloud Function Module
Cloud Function management, with support for IAM roles and optional bucket creation.
The GCS object used for deployment uses a hash of the bundle zip contents in its name, which ensures change tracking and avoids recreating the function if the GCS object is deleted and needs recreating.
## TODO
- [ ] add support for `ingress_settings`
- [ ] add support for `vpc_connector` and `vpc_connector_egress_settings`
- [ ] add support for `source_repository`
## Examples
### HTTP trigger
This deploys a Cloud Function with an HTTP endpoint, using a pre-existing GCS bucket for deployment, setting the service account to the Cloud Function default one, and delegating access control to the containing project.
```hcl
module "cf-http" {
source = "../modules/net-cloudnat"
project_id = "my-project"
name = "test-cf-http"
bucket_name = "test-cf-bundles"
bundle_config = {
source_dir = "my-cf-source-folder
output_path = "bundle.zip"
}
}
```
### Non-HTTP triggers
Other trigger types other than HTTP are configured via the `trigger_config` variable. This example shows a PubSub trigger.
```hcl
module "cf-http" {
source = "../modules/net-cloudnat"
project_id = "my-project"
name = "test-cf-http"
bucket_name = "test-cf-bundles"
bundle_config = {
source_dir = "my-cf-source-folder
output_path = "bundle.zip"
}
trigger_config = {
event = "google.pubsub.topic.publish"
resource = local.my-topic
retry = null
}
}
```
### Controlling HTTP access
To allow anonymous access to the function, grant the `roles/cloudfunctions.invoker` role to the special `allUsers` identifier. Use specific identities (service accounts, groups, etc.) instead of `allUsers` to only allow selective access.
```hcl
module "cf-http" {
source = "../modules/net-cloudnat"
project_id = "my-project"
name = "test-cf-http"
bucket_name = "test-cf-bundles"
bundle_config = {
source_dir = "my-cf-source-folder
output_path = "bundle.zip"
}
iam_roles = ["roles/cloudfunctions.invoker"]
iam_members = {
"roles/cloudfunctions.invoker" = ["allUsers"]
}
}
```
### GCS bucket creation
You can have the module auto-create the GCS bucket used for deployment via the `bucket_config` variable. Setting `bucket_config.location` to `null` will also use the function region for GCS.
```hcl
module "cf-http" {
source = "../modules/net-cloudnat"
project_id = "my-project"
name = "test-cf-http"
bucket_name = "test-cf-bundles"
bucket_config = {
location = null
lifecycle_delete_age = 1
}
bundle_config = {
source_dir = "my-cf-source-folder
output_path = "bundle.zip"
}
}
```
### Service account management
To use a custom service account managed by the module, set `service_account_create` to `true` and leave `service_account` set to `null` value (default).
```hcl
module "cf-http" {
source = "../modules/net-cloudnat"
project_id = "my-project"
name = "test-cf-http"
bucket_name = "test-cf-bundles"
bundle_config = {
source_dir = "my-cf-source-folder
output_path = "bundle.zip"
}
service_account_create = true
}
```
To use an externally managed service account, pass its email in `service_account` and leave `service_account_create` to `false` (the default).
```hcl
module "cf-http" {
source = "../modules/net-cloudnat"
project_id = "my-project"
name = "test-cf-http"
bucket_name = "test-cf-bundles"
bundle_config = {
source_dir = "my-cf-source-folder
output_path = "bundle.zip"
}
service_account = local.service_account_email
}
```
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| bucket_name | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | <code title="">string</code> | ✓ | |
| bundle_config | Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null. | <code title="object&#40;&#123;&#10;source_dir &#61; string&#10;output_path &#61; string&#10;&#125;&#41;">object({...})</code> | ✓ | |
| name | Name used for cloud function and associated resources. | <code title="">string</code> | ✓ | |
| project_id | Project id used for all resources. | <code title="">string</code> | ✓ | |
| *bucket_config* | Enable and configure auto-created bucket. Set fields to null to use defaults. | <code title="object&#40;&#123;&#10;location &#61; string&#10;lifecycle_delete_age &#61; number&#10;&#125;&#41;">object({...})</code> | | <code title="">null</code> |
| *environment_variables* | Cloud function environment variables. | <code title="map&#40;string&#41;">map(string)</code> | | <code title="">{}</code> |
| *function_config* | Cloud function configuration. | <code title="object&#40;&#123;&#10;entry_point &#61; string&#10;instances &#61; number&#10;memory &#61; number&#10;runtime &#61; string&#10;timeout &#61; number&#10;&#125;&#41;">object({...})</code> | | <code title="&#123;&#10;entry_point &#61; &#34;main&#34;&#10;instances &#61; 1&#10;memory &#61; 256&#10;runtime &#61; &#34;python37&#34;&#10;timeout &#61; 180&#10;&#125;">...</code> |
| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> | | <code title="">{}</code> |
| *iam_roles* | List of roles used to set authoritative bindings. Ignored for template use. | <code title="list&#40;string&#41;">list(string)</code> | | <code title="">[]</code> |
| *labels* | Resource labels | <code title="map&#40;string&#41;">map(string)</code> | | <code title="">{}</code> |
| *prefix* | Optional prefix used for resource names. | <code title="">string</code> | | <code title="">null</code> |
| *region* | Region used for all resources. | <code title="">string</code> | | <code title="">us-central1</code> |
| *service_account* | Service account email. Unused if service account is auto-created. | <code title="">string</code> | | <code title="">null</code> |
| *service_account_create* | Auto-create service account. | <code title="">bool</code> | | <code title="">false</code> |
| *trigger_config* | Function trigger configuration. Leave null for HTTP trigger. | <code title="object&#40;&#123;&#10;event &#61; string&#10;resource &#61; string&#10;retry &#61; bool&#10;&#125;&#41;">object({...})</code> | | <code title="">null</code> |
## Outputs
| name | description | sensitive |
|---|---|:---:|
| bucket | Bucket resource (only if auto-created). | |
| bucket_name | Bucket name. | |
| function | Cloud function resources. | |
| function_name | Cloud function name. | |
| service_account | Service account resource. | |
| service_account_email | Service account email. | |
| service_account_iam_email | Service account email. | |
<!-- END TFDOC -->

122
modules/cloud-function/main.tf Normal file
View File

@ -0,0 +1,122 @@
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
locals {
bucket = (
var.bucket_name != null
? var.bucket_name
: (
length(google_storage_bucket.bucket) > 0
? google_storage_bucket.bucket[0].name
: null
)
)
prefix = var.prefix == null ? "" : "${var.prefix}-"
service_account_email = (
var.service_account_create
? (
length(google_service_account.service_account) > 0
? google_service_account.service_account[0].email
: null
)
: var.service_account
)
}
resource "google_cloudfunctions_function" "function" {
project = var.project_id
region = var.region
name = "${local.prefix}${var.name}"
description = "Terraform managed."
runtime = var.function_config.runtime
available_memory_mb = var.function_config.memory
max_instances = var.function_config.instances
timeout = var.function_config.timeout
entry_point = var.function_config.entry_point
environment_variables = var.environment_variables
service_account_email = local.service_account_email
source_archive_bucket = local.bucket
source_archive_object = google_storage_bucket_object.bundle.name
labels = var.labels
trigger_http = var.trigger_config == null ? true : null
dynamic event_trigger {
for_each = var.trigger_config == null ? [] : [""]
content {
event_type = var.trigger_config.event
resource = var.trigger_config.resource
dynamic failure_policy {
for_each = var.trigger_config.retry == null ? [] : [""]
content {
retry = var.trigger_config.retry
}
}
}
}
}
resource "google_cloudfunctions_function_iam_binding" "default" {
for_each = toset(var.iam_roles)
project = var.project_id
region = var.region
cloud_function = google_cloudfunctions_function.function.name
role = each.value
members = try(var.iam_members[each.value], {})
}
resource "google_storage_bucket" "bucket" {
count = var.bucket_config == null ? 0 : 1
project = var.project_id
name = "${local.prefix}${var.bucket_name}"
location = (
var.bucket_config.location == null
? var.region
: var.bucket_config.location
)
labels = var.labels
dynamic lifecycle_rule {
for_each = var.bucket_config.lifecycle_delete_age == null ? [] : [""]
content {
action { type = "Delete" }
condition { age = var.bucket_config.lifecycle_delete_age }
}
}
}
resource "google_storage_bucket_object" "bundle" {
name = "bundle-${data.archive_file.bundle.output_md5}.zip"
bucket = local.bucket
source = data.archive_file.bundle.output_path
}
data "archive_file" "bundle" {
type = "zip"
source_dir = var.bundle_config.source_dir
output_path = (
var.bundle_config.output_path == null
? "/tmp/bundle.zip"
: var.bundle_config.output_path
)
}
resource "google_service_account" "service_account" {
count = var.service_account_create ? 1 : 0
project = var.project_id
account_id = "tf-cf-${var.name}"
display_name = "Terraform Cloud Function ${var.name}."
}

55
modules/cloud-function/outputs.tf Normal file
View File

@ -0,0 +1,55 @@
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
output "bucket" {
description = "Bucket resource (only if auto-created)."
value = var.bucket_config == null ? null : google_storage_bucket.bucket.0
}
output "bucket_name" {
description = "Bucket name."
value = local.bucket
}
output "function" {
description = "Cloud function resources."
value = google_cloudfunctions_function.function
}
output "function_name" {
description = "Cloud function name."
value = google_cloudfunctions_function.function.name
}
output "service_account" {
description = "Service account resource."
value = (
var.service_account_create ? google_service_account.service_account[0] : null
)
}
output "service_account_email" {
description = "Service account email."
value = local.service_account_email
}
output "service_account_iam_email" {
description = "Service account email."
value = join("", [
"serviceAccount:",
local.service_account_email == null ? "" : local.service_account_email
])
}

123
modules/cloud-function/variables.tf Normal file
View File

@ -0,0 +1,123 @@
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "bucket_config" {
description = "Enable and configure auto-created bucket. Set fields to null to use defaults."
type = object({
location = string
lifecycle_delete_age = number
})
default = null
}
variable "bucket_name" {
description = "Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null."
type = string
}
variable "bundle_config" {
description = "Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null."
type = object({
source_dir = string
output_path = string
})
}
variable "environment_variables" {
description = "Cloud function environment variables."
type = map(string)
default = {}
}
variable "iam_members" {
description = "Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use."
type = map(list(string))
default = {}
}
variable "iam_roles" {
description = "List of roles used to set authoritative bindings. Ignored for template use."
type = list(string)
default = []
}
variable "function_config" {
description = "Cloud function configuration."
type = object({
entry_point = string
instances = number
memory = number
runtime = string
timeout = number
})
default = {
entry_point = "main"
instances = 1
memory = 256
runtime = "python37"
timeout = 180
}
}
variable "labels" {
description = "Resource labels"
type = map(string)
default = {}
}
variable "name" {
description = "Name used for cloud function and associated resources."
type = string
}
variable "prefix" {
description = "Optional prefix used for resource names."
type = string
default = null
}
variable "project_id" {
description = "Project id used for all resources."
type = string
}
variable "region" {
description = "Region used for all resources."
type = string
default = "europe-west1"
}
variable "service_account" {
description = "Service account email. Unused if service account is auto-created."
type = string
default = null
}
variable "service_account_create" {
description = "Auto-create service account."
type = bool
default = false
}
variable "trigger_config" {
description = "Function trigger configuration. Leave null for HTTP trigger."
type = object({
event = string
resource = string
retry = bool
})
default = null
}

19
modules/cloud-function/versions.tf Normal file
View File

@ -0,0 +1,19 @@
/**
* Copyright 2020 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
terraform {
required_version = ">= 0.12.6"
}