# Cloud Function Module
Cloud Function management, with support for IAM roles and optional bucket creation.
The GCS object used for deployment uses a hash of the bundle zip contents in its name, which ensures change tracking and avoids recreating the function if the GCS object is deleted and needs recreating.
## TODO
- [ ] add support for `ingress_settings`
- [ ] add support for `vpc_connector` and `vpc_connector_egress_settings`
- [ ] add support for `source_repository`
## Examples
### HTTP trigger
This deploys a Cloud Function with an HTTP endpoint, using a pre-existing GCS bucket for deployment, setting the service account to the Cloud Function default one, and delegating access control to the containing project.
```hcl
module "cf-http" {
source = "../modules/net-cloudnat"
project_id = "my-project"
name = "test-cf-http"
bucket_name = "test-cf-bundles"
bundle_config = {
source_dir = "my-cf-source-folder
output_path = "bundle.zip"
}
}
```
### Non-HTTP triggers
Other trigger types other than HTTP are configured via the `trigger_config` variable. This example shows a PubSub trigger.
```hcl
module "cf-http" {
source = "../modules/net-cloudnat"
project_id = "my-project"
name = "test-cf-http"
bucket_name = "test-cf-bundles"
bundle_config = {
source_dir = "my-cf-source-folder
output_path = "bundle.zip"
}
trigger_config = {
event = "google.pubsub.topic.publish"
resource = local.my-topic
retry = null
}
}
```
### Controlling HTTP access
To allow anonymous access to the function, grant the `roles/cloudfunctions.invoker` role to the special `allUsers` identifier. Use specific identities (service accounts, groups, etc.) instead of `allUsers` to only allow selective access.
```hcl
module "cf-http" {
source = "../modules/net-cloudnat"
project_id = "my-project"
name = "test-cf-http"
bucket_name = "test-cf-bundles"
bundle_config = {
source_dir = "my-cf-source-folder
output_path = "bundle.zip"
}
iam_roles = ["roles/cloudfunctions.invoker"]
iam_members = {
"roles/cloudfunctions.invoker" = ["allUsers"]
}
}
```
### GCS bucket creation
You can have the module auto-create the GCS bucket used for deployment via the `bucket_config` variable. Setting `bucket_config.location` to `null` will also use the function region for GCS.
```hcl
module "cf-http" {
source = "../modules/net-cloudnat"
project_id = "my-project"
name = "test-cf-http"
bucket_name = "test-cf-bundles"
bucket_config = {
location = null
lifecycle_delete_age = 1
}
bundle_config = {
source_dir = "my-cf-source-folder
output_path = "bundle.zip"
}
}
```
### Service account management
To use a custom service account managed by the module, set `service_account_create` to `true` and leave `service_account` set to `null` value (default).
```hcl
module "cf-http" {
source = "../modules/net-cloudnat"
project_id = "my-project"
name = "test-cf-http"
bucket_name = "test-cf-bundles"
bundle_config = {
source_dir = "my-cf-source-folder
output_path = "bundle.zip"
}
service_account_create = true
}
```
To use an externally managed service account, pass its email in `service_account` and leave `service_account_create` to `false` (the default).
```hcl
module "cf-http" {
source = "../modules/net-cloudnat"
project_id = "my-project"
name = "test-cf-http"
bucket_name = "test-cf-bundles"
bundle_config = {
source_dir = "my-cf-source-folder
output_path = "bundle.zip"
}
service_account = local.service_account_email
}
```
## Variables
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| bucket_name | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | string
| ✓ | |
| bundle_config | Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null. | object({...})
| ✓ | |
| name | Name used for cloud function and associated resources. | string
| ✓ | |
| project_id | Project id used for all resources. | string
| ✓ | |
| *bucket_config* | Enable and configure auto-created bucket. Set fields to null to use defaults. | object({...})
| | null
|
| *environment_variables* | Cloud function environment variables. | map(string)
| | {}
|
| *function_config* | Cloud function configuration. | object({...})
| | ...
|
| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use. | map(list(string))
| | {}
|
| *iam_roles* | List of roles used to set authoritative bindings. Ignored for template use. | list(string)
| | []
|
| *labels* | Resource labels | map(string)
| | {}
|
| *prefix* | Optional prefix used for resource names. | string
| | null
|
| *region* | Region used for all resources. | string
| | europe-west1
|
| *service_account* | Service account email. Unused if service account is auto-created. | string
| | null
|
| *service_account_create* | Auto-create service account. | bool
| | false
|
| *trigger_config* | Function trigger configuration. Leave null for HTTP trigger. | object({...})
| | null
|
## Outputs
| name | description | sensitive |
|---|---|:---:|
| bucket | Bucket resource (only if auto-created). | |
| bucket_name | Bucket name. | |
| function | Cloud function resources. | |
| function_name | Cloud function name. | |
| service_account | Service account resource. | |
| service_account_email | Service account email. | |
| service_account_iam_email | Service account email. | |