3d7cc9810d
|
||
|---|---|---|
| .. | ||
| README.md | ||
| main.tf | ||
| outputs.tf | ||
| variables.tf | ||
| versions.tf | ||
README.md
Cloud Function Module
Cloud Function management, with support for IAM roles and optional bucket creation.
The GCS object used for deployment uses a hash of the bundle zip contents in its name, which ensures change tracking and avoids recreating the function if the GCS object is deleted and needs recreating.
TODO
- add support for
source_repository
Examples
HTTP trigger
This deploys a Cloud Function with an HTTP endpoint, using a pre-existing GCS bucket for deployment, setting the service account to the Cloud Function default one, and delegating access control to the containing project.
module "cf-http" {
source = "./modules/cloud-function"
project_id = "my-project"
name = "test-cf-http"
bucket_name = "test-cf-bundles"
bundle_config = {
source_dir = "my-cf-source-folder"
output_path = "bundle.zip"
}
}
# tftest:skip
PubSub and non-HTTP triggers
Other trigger types other than HTTP are configured via the trigger_config variable. This example shows a PubSub trigger.
module "cf-http" {
source = "./modules/cloud-function"
project_id = "my-project"
name = "test-cf-http"
bucket_name = "test-cf-bundles"
bundle_config = {
source_dir = "my-cf-source-folder"
output_path = "bundle.zip"
}
trigger_config = {
event = "google.pubsub.topic.publish"
resource = local.my-topic
retry = null
}
}
# tftest:skip
Controlling HTTP access
To allow anonymous access to the function, grant the roles/cloudfunctions.invoker role to the special allUsers identifier. Use specific identities (service accounts, groups, etc.) instead of allUsers to only allow selective access.
module "cf-http" {
source = "./modules/cloud-function"
project_id = "my-project"
name = "test-cf-http"
bucket_name = "test-cf-bundles"
bundle_config = {
source_dir = "my-cf-source-folder"
output_path = "bundle.zip"
}
iam = {
"roles/cloudfunctions.invoker" = ["allUsers"]
}
}
# tftest:skip
GCS bucket creation
You can have the module auto-create the GCS bucket used for deployment via the bucket_config variable. Setting bucket_config.location to null will also use the function region for GCS.
module "cf-http" {
source = "./modules/cloud-function"
project_id = "my-project"
name = "test-cf-http"
bucket_name = "test-cf-bundles"
bucket_config = {
location = null
lifecycle_delete_age = 1
}
bundle_config = {
source_dir = "my-cf-source-folder"
output_path = "bundle.zip"
}
}
# tftest:skip
Service account management
To use a custom service account managed by the module, set service_account_create to true and leave service_account set to null value (default).
module "cf-http" {
source = "./modules/cloud-function"
project_id = "my-project"
name = "test-cf-http"
bucket_name = "test-cf-bundles"
bundle_config = {
source_dir = "my-cf-source-folder"
output_path = "bundle.zip"
}
service_account_create = true
}
# tftest:skip
To use an externally managed service account, pass its email in service_account and leave service_account_create to false (the default).
module "cf-http" {
source = "./modules/cloud-function"
project_id = "my-project"
name = "test-cf-http"
bucket_name = "test-cf-bundles"
bundle_config = {
source_dir = "my-cf-source-folder"
output_path = "bundle.zip"
}
service_account = local.service_account_email
}
# tftest:skip
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| bucket_name | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | string |
✓ | |
| bundle_config | Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null. | object({...}) |
✓ | |
| name | Name used for cloud function and associated resources. | string |
✓ | |
| project_id | Project id used for all resources. | string |
✓ | |
| bucket_config | Enable and configure auto-created bucket. Set fields to null to use defaults. | object({...}) |
null |
|
| environment_variables | Cloud function environment variables. | map(string) |
{} |
|
| function_config | Cloud function configuration. | object({...}) |
... |
|
| iam | IAM bindings for topic in {ROLE => [MEMBERS]} format. | map(list(string)) |
{} |
|
| ingress_settings | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL and ALLOW_INTERNAL_ONLY. | string |
null |
|
| labels | Resource labels | map(string) |
{} |
|
| prefix | Optional prefix used for resource names. | string |
null |
|
| region | Region used for all resources. | string |
europe-west1 |
|
| service_account | Service account email. Unused if service account is auto-created. | string |
null |
|
| service_account_create | Auto-create service account. | bool |
false |
|
| trigger_config | Function trigger configuration. Leave null for HTTP trigger. | object({...}) |
null |
|
| vpc_connector_config | VPC connector configuration. Set create_config attributes to trigger creation. |
object({...}) |
null |
Outputs
| name | description | sensitive |
|---|---|---|
| bucket | Bucket resource (only if auto-created). | |
| bucket_name | Bucket name. | |
| function | Cloud function resources. | |
| function_name | Cloud function name. | |
| service_account | Service account resource. | |
| service_account_email | Service account email. | |
| service_account_iam_email | Service account email. | |
| vpc_connector | VPC connector resource if created. |