# Cloud Function Module Cloud Function management, with support for IAM roles and optional bucket creation. The GCS object used for deployment uses a hash of the bundle zip contents in its name, which ensures change tracking and avoids recreating the function if the GCS object is deleted and needs recreating. ## TODO - [ ] add support for `source_repository` ## Examples ### HTTP trigger This deploys a Cloud Function with an HTTP endpoint, using a pre-existing GCS bucket for deployment, setting the service account to the Cloud Function default one, and delegating access control to the containing project. ```hcl module "cf-http" { source = "../modules/cloud-function" project_id = "my-project" name = "test-cf-http" bucket_name = "test-cf-bundles" bundle_config = { source_dir = "my-cf-source-folder" output_path = "bundle.zip" } } ``` ### PubSub and non-HTTP triggers Other trigger types other than HTTP are configured via the `trigger_config` variable. This example shows a PubSub trigger. ```hcl module "cf-http" { source = "../modules/cloud-function" project_id = "my-project" name = "test-cf-http" bucket_name = "test-cf-bundles" bundle_config = { source_dir = "my-cf-source-folder" output_path = "bundle.zip" } trigger_config = { event = "google.pubsub.topic.publish" resource = local.my-topic retry = null } } ``` ### Controlling HTTP access To allow anonymous access to the function, grant the `roles/cloudfunctions.invoker` role to the special `allUsers` identifier. Use specific identities (service accounts, groups, etc.) instead of `allUsers` to only allow selective access. ```hcl module "cf-http" { source = "../modules/cloud-function" project_id = "my-project" name = "test-cf-http" bucket_name = "test-cf-bundles" bundle_config = { source_dir = "my-cf-source-folder" output_path = "bundle.zip" } iam_roles = ["roles/cloudfunctions.invoker"] iam_members = { "roles/cloudfunctions.invoker" = ["allUsers"] } } ``` ### GCS bucket creation You can have the module auto-create the GCS bucket used for deployment via the `bucket_config` variable. Setting `bucket_config.location` to `null` will also use the function region for GCS. ```hcl module "cf-http" { source = "../modules/cloud-function" project_id = "my-project" name = "test-cf-http" bucket_name = "test-cf-bundles" bucket_config = { location = null lifecycle_delete_age = 1 } bundle_config = { source_dir = "my-cf-source-folder" output_path = "bundle.zip" } } ``` ### Service account management To use a custom service account managed by the module, set `service_account_create` to `true` and leave `service_account` set to `null` value (default). ```hcl module "cf-http" { source = "../modules/cloud-function" project_id = "my-project" name = "test-cf-http" bucket_name = "test-cf-bundles" bundle_config = { source_dir = "my-cf-source-folder" output_path = "bundle.zip" } service_account_create = true } ``` To use an externally managed service account, pass its email in `service_account` and leave `service_account_create` to `false` (the default). ```hcl module "cf-http" { source = "../modules/cloud-function" project_id = "my-project" name = "test-cf-http" bucket_name = "test-cf-bundles" bundle_config = { source_dir = "my-cf-source-folder" output_path = "bundle.zip" } service_account = local.service_account_email } ``` ## Variables | name | description | type | required | default | |---|---|:---: |:---:|:---:| | bucket_name | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | string | ✓ | | | bundle_config | Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null. | object({...}) | ✓ | | | name | Name used for cloud function and associated resources. | string | ✓ | | | project_id | Project id used for all resources. | string | ✓ | | | *bucket_config* | Enable and configure auto-created bucket. Set fields to null to use defaults. | object({...}) | | null | | *environment_variables* | Cloud function environment variables. | map(string) | | {} | | *function_config* | Cloud function configuration. | object({...}) | | ... | | *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use. | map(list(string)) | | {} | | *iam_roles* | List of roles used to set authoritative bindings. Ignored for template use. | list(string) | | [] | | *ingress_settings* | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL and ALLOW_INTERNAL_ONLY. | string | | null | | *labels* | Resource labels | map(string) | | {} | | *prefix* | Optional prefix used for resource names. | string | | null | | *region* | Region used for all resources. | string | | europe-west1 | | *service_account* | Service account email. Unused if service account is auto-created. | string | | null | | *service_account_create* | Auto-create service account. | bool | | false | | *trigger_config* | Function trigger configuration. Leave null for HTTP trigger. | object({...}) | | null | | *vpc_connector_config* | VPC connector configuration. Set `create_config` attributes to trigger creation. | object({...}) | | null | ## Outputs | name | description | sensitive | |---|---|:---:| | bucket | Bucket resource (only if auto-created). | | | bucket_name | Bucket name. | | | function | Cloud function resources. | | | function_name | Cloud function name. | | | service_account | Service account resource. | | | service_account_email | Service account email. | | | service_account_iam_email | Service account email. | | | vpc_connector | VPC connector resource if created. | |