This deploys a Cloud Function with an HTTP endpoint, using a pre-existing GCS bucket for deployment, setting the service account to the Cloud Function default one, and delegating access control to the containing project.
Other trigger types other than HTTP are configured via the `trigger_config` variable. This example shows a PubSub trigger via [Eventarc](https://cloud.google.com/eventarc/docs):
To allow anonymous access to the function, grant the `roles/run.invoker` role to the special `allUsers` identifier. Use specific identities (service accounts, groups, etc.) instead of `allUsers` to only allow selective access. The Cloud Run role needs to be used as explained in the [gcloud documentation](https://cloud.google.com/sdk/gcloud/reference/functions/add-invoker-policy-binding#DESCRIPTION).
You can have the module auto-create the GCS bucket used for deployment via the `bucket_config` variable. Setting `bucket_config.location` to `null` will also use the function region for GCS.
To use a custom service account managed by the module, set `service_account_create` to `true` and leave `service_account` set to `null` value (default).
When a GCS URI or a local zip file are used, a change in their names will trigger redeployment. When a local source folder is used a ZIP archive will be automatically generated and its internally derived checksum will drive redeployment. You can optionally control its name and exclusions via the attributes in `bundle_config.folder_options`.
This deploys a Cloud Function with an HTTP endpoint, using a pre-existing GCS bucket for deployment using a pre existing private Cloud Build worker pool.
When deploying multiple functions via local folders do not reuse `bundle_config.archive_path` between instances as the result is undefined. Default `archive_path` creates file in `/tmp` folder using project Id and function name to avoid name conflicts.
This provides the latest value of the secret `var_secret` as `VARIABLE_SECRET` environment variable and three values of `path_secret` mounted in filesystem:
| [bucket_name](variables.tf#L27) | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | <code>string</code> | ✓ | |
| [bundle_config](variables.tf#L51) | Cloud function source. Path can point to a GCS object URI, or a local path. A local path to a zip archive will generate a GCS object using its basename, a folder will be zipped and the GCS object name inferred when not specified. | <codetitle="object({ path = string folder_options = optional(object({ archive_path = optional(string) excludes = optional(list(string)) }), {}) })">object({…})</code> | ✓ | |
| [name](variables.tf#L148) | Name used for cloud function and associated resources. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L163) | Project id used for all resources. | <code>string</code> | ✓ | |
| [region](variables.tf#L168) | Region used for all resources. | <code>string</code> | ✓ | |
| [bucket_config](variables.tf#L17) | Enable and configure auto-created bucket. Set fields to null to use defaults. | <codetitle="object({ force_destroy = optional(bool) lifecycle_delete_age_days = optional(number) location = optional(string) })">object({…})</code> | | <code>null</code> |
| [build_environment_variables](variables.tf#L33) | A set of key/value environment variable pairs available during build time. | <code>map(string)</code> | | <code>{}</code> |
| [function_config](variables.tf#L104) | Cloud function configuration. Defaults to using main as entrypoint, 1 instance with 256MiB of memory, and 180 second timeout. | <codetitle="object({ entry_point = optional(string, "main") instance_count = optional(number, 1) memory_mb = optional(number, 256) # Memory in MB cpu = optional(string, "0.166") runtime = optional(string, "python310") timeout_seconds = optional(number, 180) })">object({…})</code> | | <codetitle="{ entry_point = "main" instance_count = 1 memory_mb = 256 cpu = "0.166" runtime = "python310" timeout_seconds = 180 }">{…}</code> |
| [iam](variables.tf#L124) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | <code>map(list(string))</code> | | <code>{}</code> |
| [ingress_settings](variables.tf#L130) | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY . | <code>string</code> | | <code>null</code> |
| [kms_key](variables.tf#L136) | Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function resources in key id format. If specified, you must also provide an artifact registry repository using the docker_repository_id field that was created with the same KMS crypto key. | <code>string</code> | | <code>null</code> |
| [prefix](variables.tf#L153) | Optional prefix used for resource names. | <code>string</code> | | <code>null</code> |
| [secrets](variables.tf#L173) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | <codetitle="map(object({ is_volume = bool project_id = string secret = string versions = list(string) }))">map(object({…}))</code> | | <code>{}</code> |
| [service_account](variables.tf#L185) | Service account email. Unused if service account is auto-created. | <code>string</code> | | <code>null</code> |
| [vpc_connector](variables.tf#L215) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | <codetitle="object({ create = bool name = string egress_settings = string })">object({…})</code> | | <code>null</code> |
| [vpc_connector_config](variables.tf#L225) | VPC connector network configuration. Must be provided if new VPC connector is being created. | <codetitle="object({ ip_cidr_range = string network = string })">object({…})</code> | | <code>null</code> |