googlecloudplatform / terraform-google-cloud-functions Goto Github PK

View Code? Open in Web Editor NEW

30.0 19.0 22.0 491 KB

Deploys Cloud Functions (Gen 2)

Home Page: https://registry.terraform.io/modules/GoogleCloudPlatform/cloud-functions/google

License: Apache License 2.0

Makefile 2.41% HCL 59.47% Go 36.65% Shell 1.47%

cft-terraform cloudfunctions functions google-cloud-platform serverless-computing terraform-modules

terraform-google-cloud-functions's Introduction

Terraform Google Cloud Functions (Gen 2) module

The Terraform module handles the deployment of Cloud Functions (Gen 2) on GCP.

The resources/services/activations/deletions that this module will create/trigger are:

Deploy Cloud Functions (2nd Gen) with provided source code and trigger
Provide Cloud Functions Invoker or Developer roles to the users and service accounts

Assumptions and Prerequisites

This module assumes that below mentioned prerequisites are in place before consuming the module.

APIs are enabled
Permissions are available

Usage

Basic usage of this module is as follows:

module "cloud_functions2" {
  source  = "GoogleCloudPlatform/cloud-functions/google"
  version = "~> 0.4"

  # Required variables
  function_name  = "<FUNCTION_NAME>"
  project_id     = "<PROJECT_ID>"
  location       = "<LOCATION>"
  runtime        = "<RUNTIME>"
  entrypoint     = "<ENTRYPOINT>"
  storage_source = {
    bucket      = "<BUCKET_NAME>"
    object      = "<ARCHIVE_PATH>"
    generation  = "<GCS_GENERATION>"
  }
}

Functional examples are included in the examples directory.

Inputs

Name	Description	Type	Default	Required
build_env_variables	User-provided build-time environment variables	`map(string)`	`null`	no
description	Short description of the function	`string`	`null`	no
docker_repository	User managed repository created in Artifact Registry optionally with a customer managed encryption key.	`string`	`null`	no
entrypoint	The name of the function (as defined in source code) that will be executed. Defaults to the resource name suffix, if not specified	`string`	n/a	yes
event_trigger	Event triggers for the function	object({ trigger_region = optional(string) event_type = string service_account_email = string pubsub_topic = optional(string) retry_policy = string event_filters = optional(set(object({ attribute = string attribute_value = string operator = optional(string) }))) })	`null`	no
function_location	The location of this cloud function	`string`	n/a	yes
function_name	A user-defined name of the function	`string`	n/a	yes
labels	A set of key/value label pairs associated with this Cloud Function	`map(string)`	`null`	no
members	Cloud Function Invoker and Developer roles for Users/SAs. Key names must be developers and/or invokers	`map(list(string))`	`{}`	no
project_id	Project ID to create Cloud Function	`string`	n/a	yes
repo_source	Get the source from this location in a Cloud Source Repository	object({ project_id = optional(string) repo_name = string branch_name = string dir = optional(string) tag_name = optional(string) commit_sha = optional(string) invert_regex = optional(bool, false) })	`null`	no
runtime	The runtime in which to run the function.	`string`	n/a	yes
service_config	Details of the service	object({ max_instance_count = optional(string, 100) min_instance_count = optional(string, 1) available_memory = optional(string, "256M") available_cpu = optional(string, 1) timeout_seconds = optional(string, 60) runtime_env_variables = optional(map(string), null) runtime_secret_env_variables = optional(set(object({ key_name = string project_id = optional(string) secret = string version = string })), null) secret_volumes = optional(set(object({ mount_path = string project_id = optional(string) secret = string versions = set(object({ version = string path = string })) })), null) vpc_connector = optional(string, null) vpc_connector_egress_settings = optional(string, null) ingress_settings = optional(string, null) service_account_email = optional(string, null) all_traffic_on_latest_revision = optional(bool, true) })	`{}`	no
storage_source	Get the source from this location in Google Cloud Storage	object({ bucket = string object = string generation = optional(string, null) })	`null`	no
worker_pool	Name of the Cloud Build Custom Worker Pool that should be used to build the function.	`string`	`null`	no

Outputs

Name	Description
function_name	Name of the Cloud Function (Gen 2)
function_uri	URI of the Cloud Function (Gen 2)

Requirements

These sections describe requirements for using this module.

Software

The following dependencies must be available:

Terraform v1.3+
Terraform Provider for GCP plugin v3.0

Service Account

A service account with the following roles must be used to provision the resources of this module:

Storage Admin: roles/storage.admin
Cloud Functions Admin: roles/cloudfunctions.admin
Cloud Run Admin: roles/run.admin
Pub/Sub Admin: roles/pubsub.admin
Artifact Registry Admin: roles/artifactregistry.admin
Cloud Build Editor: roles/cloudbuild.builds.editor
Secret Manager Admin: roles/secretmanager.admin

The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.

APIs

A project with the following APIs enabled must be used to host the resources of this module:

Google Cloud Storage JSON API: storage-api.googleapis.com
Cloud Functions API: cloudfunctions.googleapis.com
Cloud Run Admin API: run.googleapis.com
Cloud Build API: cloudbuild.googleapis.com
Artifact Registry API: artifactregistry.googleapis.com
Pub/Sub API: pubsub.googleapis.com
Secret Manager API: secretmanager.googleapis.com
EventArc API: eventarc.googleapis.com

The Project Factory module can be used to provision a project with the necessary APIs enabled.

Contributing

Refer to the contribution guidelines for information on contributing to this module.

Security Disclosures

Please see our security disclosure process.

terraform-google-cloud-functions's People

Contributors

Stargazers

Watchers

terraform-google-cloud-functions's Issues

Update to Terraform Provider Google 5+

Hello!
TGP 5 was released on Oct 2, 2023, are there any plans to start supporting TGP 5 in this module?
Thank you.

Add available_cpu to service_config in functions

Hi there, I was hoping to include CPU in the functions config as one needs at least 1 CPU to up the concurrent requests.
I made a pr but cannot push because of access issues.
It should be an easy win:

in main.tf:80

dynamic "service_config" {
    for_each = var.service_config != null ? [var.service_config] : []
    content {
      max_instance_count    = service_config.value.max_instance_count
      min_instance_count    = service_config.value.min_instance_count
      available_memory      = service_config.value.available_memory
      available_cpu         = service_config.value.available_cpu  #### addition

and variables.tf:113:

variable "service_config" {
  description = "Details of the service"
  type = object({
    max_instance_count    = optional(string, 100)
    min_instance_count    = optional(string, 1)
    available_memory      = optional(string, "256M")
    available_cpu         = optional(string, "1") #### addition

Cloud Functions v2 must use roles/run.invoker

Same issue as the one described here #71 .
The proper way of authenticating Cloud Functions v2 is described here
https://cloud.google.com/functions/docs/securing/authenticating#authenticating_function_to_function_calls

Could you consider implementing it in this TF module ?

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Pending Status Checks

These updates await pending status checks. To force their creation now, click the checkbox below.

chore(deps): Update Terraform terraform-google-modules/project-factory/google to v15

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

chore(deps): Update go modules and/or dev-tools (cft/developer-tools, cloud.google.com/go/cloudsqlconn, cloud.google.com/go/storage, github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test, github.com/GoogleCloudPlatform/functions-framework-go, github.com/go-sql-driver/mysql, golang.org/x/oauth2, golang.org/x/sync, google.golang.org/api)
chore(deps): Update Terraform GoogleCloudPlatform/sql-db/google to v20

Detected dependencies

gomod

examples/secure_cloud_function_bigquery_trigger/functions/bq-to-cf/go.mod

go 1.18

cloud.google.com/go/storage v1.29.0

github.com/GoogleCloudPlatform/functions-framework-go v1.6.1

github.com/cloudevents/sdk-go/v2 v2.15.2

golang.org/x/oauth2 v0.6.0

google.golang.org/api v0.113.0

examples/secure_cloud_function_internal_server/function/go.mod

github.com/GoogleCloudPlatform/functions-framework-go v1.6.1

examples/secure_cloud_function_with_sql/functions/cf-to-sql/go.mod

go 1.18

cloud.google.com/go/cloudsqlconn v1.2.3

github.com/GoogleCloudPlatform/functions-framework-go v1.7.1

github.com/cloudevents/sdk-go/v2 v2.15.2

github.com/go-sql-driver/mysql v1.7.1

golang.org/x/sync v0.1.0

test/integration/go.mod

go 1.21

go 1.21.9

github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.2

github.com/stretchr/testify v1.9.0

github.com/tidwall/gjson v1.17.1

regex

Makefile

cft/developer-tools 1.19

build/int.cloudbuild.yaml

cft/developer-tools 1.19

build/lint.cloudbuild.yaml

cft/developer-tools 1.19

terraform

examples/cloud_function2_gcs_source/main.tf

GoogleCloudPlatform/cloud-functions/google ~> 0.4

examples/cloud_function2_pubsub_trigger/main.tf

GoogleCloudPlatform/cloud-functions/google ~> 0.4

terraform-google-modules/pubsub/google ~> 6.0

examples/secure_cloud_function_bigquery_trigger/main.tf

terraform-google-modules/bigquery/google ~> 7.0

terraform-google-modules/kms/google ~> 2.2

terraform-google-modules/cloud-storage/google ~> 5.0

GoogleCloudPlatform/cloud-functions/google ~> 0.4

GoogleCloudPlatform/cloud-run/google ~> 0.10.0

GoogleCloudPlatform/cloud-functions/google ~> 0.4

examples/secure_cloud_function_bigquery_trigger/providers.tf

examples/secure_cloud_function_internal_server/internal_server.tf

terraform-google-modules/service-accounts/google ~> 4.0

terraform-google-modules/network/google ~> 9.0

examples/secure_cloud_function_internal_server/main.tf

terraform-google-modules/cloud-storage/google ~> 5.0

GoogleCloudPlatform/cloud-functions/google ~> 0.4

GoogleCloudPlatform/cloud-run/google ~> 0.10.0

GoogleCloudPlatform/cloud-functions/google ~> 0.4

examples/secure_cloud_function_internal_server/providers.tf

examples/secure_cloud_function_with_sql/main.tf

terraform-google-modules/network/google ~> 9.0

terraform-google-modules/cloud-storage/google ~> 5.0

terraform-google-modules/cloud-storage/google ~> 5.0

terraform-google-modules/kms/google ~> 2.2

terraform-google-modules/pubsub/google ~> 6.0

GoogleCloudPlatform/sql-db/google ~> 15.0

GoogleCloudPlatform/cloud-functions/google ~> 0.4

GoogleCloudPlatform/cloud-run/google ~> 0.10.0

GoogleCloudPlatform/cloud-functions/google ~> 0.4

examples/secure_cloud_function_with_sql/providers.tf

modules/secure-cloud-function-core/main.tf

terraform-google-modules/cloud-storage/google ~> 5.0

terraform-google-modules/pubsub/google ~> 6.0

modules/secure-cloud-function-core/versions.tf

google >= 4.74, < 6.0

google-beta < 6.0

hashicorp/terraform >= 1.3

modules/secure-cloud-function-security/kms.tf

terraform-google-modules/kms/google ~> 2.1

modules/secure-cloud-function-security/org_policies.tf

terraform-google-modules/org-policy/google ~> 5.1

terraform-google-modules/org-policy/google ~> 5.1

terraform-google-modules/org-policy/google ~> 5.1

terraform-google-modules/org-policy/google ~> 5.1

terraform-google-modules/org-policy/google ~> 5.1

modules/secure-cloud-function-security/versions.tf

google >= 4.74, < 6.0

google-beta < 6.0

hashicorp/terraform >= 1.3

modules/secure-cloud-function/main.tf

GoogleCloudPlatform/cloud-run/google ~> 0.10.0

modules/secure-cloud-function/versions.tf

google >= 4.74, < 6.0

google-beta < 6.0

hashicorp/terraform >= 1.3

modules/secure-web-proxy/main.tf

terraform-google-modules/network/google ~> 9.0

modules/secure-web-proxy/versions.tf

google >= 4.74, < 6.0

google-beta < 6.0

null >= 3.2.0

time >= 0.9.1

hashicorp/terraform >= 1.3

test/setup/main.tf

terraform-google-modules/project-factory/google ~> 14.0

test/setup/versions.tf

google >= 3.25.0

google-beta >= 3.25.0

hashicorp/terraform >= 0.13

versions.tf

google >= 4.48, < 6

google-beta >= 4.48, < 6

hashicorp/terraform >= 1.3

Check this box to trigger a request for Renovate to run again on this repository

Include GCS as part of the module

Include GCS in this module similar to this module where users can just provide a path, which would be useful so the full lifecycle can be managed within the module.

@bharathkkb

Investigate vpcServiceControlsUniqueIdentifier policy violation for secure-cloud-func-internal-server teardown

Error details:

Step #11 - "secure-cloud-func-internal-server-teardown": Error: Error when reading or editing Resource projects/prj-scf-internal-server-8820/serviceAccounts/sa-cloud-function@prj-scf-internal-server-8820.iam.gserviceaccount.com for IAM Member (role "serviceAccount:[email protected]", "roles/iam.serviceAccountUser"): Error retrieving IAM policy for service account 'projects/prj-scf-internal-server-8820/serviceAccounts/sa-cloud-function@prj-scf-internal-server-8820.iam.gserviceaccount.com': googleapi: Error 403: Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier: VQQnKfXtZ16NHnOmdJAy0E92tVT_8fZZRGvnndBWXZLKFx_KItn1EA
Step #11 - "secure-cloud-func-internal-server-teardown": Details:
Step #11 - "secure-cloud-func-internal-server-teardown": [
Step #11 - "secure-cloud-func-internal-server-teardown":   {
Step #11 - "secure-cloud-func-internal-server-teardown":     "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
Step #11 - "secure-cloud-func-internal-server-teardown":     "violations": [
Step #11 - "secure-cloud-func-internal-server-teardown":       {
Step #11 - "secure-cloud-func-internal-server-teardown":         "description": "VQQnKfXtZ16NHnOmdJAy0E92tVT_8fZZRGvnndBWXZLKFx_KItn1EA",
Step #11 - "secure-cloud-func-internal-server-teardown":         "type": "VPC_SERVICE_CONTROLS"
Step #11 - "secure-cloud-func-internal-server-teardown":       }
Step #11 - "secure-cloud-func-internal-server-teardown":     ]
Step #11 - "secure-cloud-func-internal-server-teardown":   },
Step #11 - "secure-cloud-func-internal-server-teardown":   {
Step #11 - "secure-cloud-func-internal-server-teardown":     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
Step #11 - "secure-cloud-func-internal-server-teardown":     "domain": "googleapis.com",
Step #11 - "secure-cloud-func-internal-server-teardown":     "metadata": {
Step #11 - "secure-cloud-func-internal-server-teardown":       "consumer": "projects/891562977321",
Step #11 - "secure-cloud-func-internal-server-teardown":       "service": "iam.googleapis.com",
Step #11 - "secure-cloud-func-internal-server-teardown":       "uid": "VQQnKfXtZ16NHnOmdJAy0E92tVT_8fZZRGvnndBWXZLKFx_KItn1EA"
Step #11 - "secure-cloud-func-internal-server-teardown":     },
Step #11 - "secure-cloud-func-internal-server-teardown":     "reason": "SECURITY_POLICY_VIOLATED"
Step #11 - "secure-cloud-func-internal-server-teardown":   }
Step #11 - "secure-cloud-func-internal-server-teardown": ]
Step #11 - "secure-cloud-func-internal-server-teardown": , forbidden
Step #11 - "secure-cloud-func-internal-server-teardown": }
Step #11 - "secure-cloud-func-internal-server-teardown":     destroy.go:11: 
Step #11 - "secure-cloud-func-internal-server-teardown":             Error Trace:    /builder/home/go/pkg/mod/github.com/gruntwork-io/[email protected]/modules/terraform/destroy.go:11

Cloud functions2 is getting updated everytime even if no changes done in the terraform code

Terraform version - 1.4.5

provider version - 4.58.0

resource "google_storage_bucket" "storage_bucket_cloudfunctions" {
project =
name =
location = "US"
uniform_bucket_level_access = true
force_destroy = var.force_destroy_flg
encryption {
default_kms_key_name = var.data_encryption_key

}
}

resource "google_storage_bucket_object" "storage_bucket_object_cloudfunctions" {
name = "index-cloudfunctions-cfs.zip"
bucket = google_storage_bucket.storage_bucket_cloudfunctions.name
source = "./modules/cfs/index-cloudfunctions-cfs.zip"
kms_key_name = var.data_encryption_key
depends_on = [google_storage_bucket.storage_bucket_cloudfunctions]
}

resource "google_cloudfunctions2_function" "cfs_function_cloud" {
name = "dataload_cloudfunction_cfs"
location = "us-central1"
description =
project =
build_config {
runtime = "python311"
entry_point = "main" # Set the entry point in the code
source {
storage_source {
bucket = google_storage_bucket.storage_bucket_cloudfunctions.name
object = google_storage_bucket_object.storage_bucket_object_cloudfunctions.name
}
}
}
service_config {
max_instance_count = 100
min_instance_count = 0
available_memory = "256M"
timeout_seconds = 60
environment_variables = {
GCP_PROJECT_ID =
AIRFLOW_URI = var.airflow_uri
}
service_account_email =
}
event_trigger {
trigger_region = "us-central1"
event_type = "google.cloud.pubsub.topic.v1.messagePublished"
retry_policy = "RETRY_POLICY_DO_NOT_RETRY"
service_account_email =
pubsub_topic = google_pubsub_topic.pubsub_topic.id
}

}

terraform plan command updates the below
~ build_config {
# (4 unchanged attributes hidden)

      ~ source {
          ~ storage_source {
              - generation = 1690270530751 -> null
                # (2 unchanged attributes hidden)
            }
        }
    }

Cloud Function 2 is using role roles/run.invoker

Cloud Function Gen 2 is using roles/run.invoker instead of roles/cloudfunctions.invoker
Due to this all requests for invocation to Cloud Functions are failing.

https://cloud.google.com/functions/docs/securing/authenticating?&_ga=2.39379811.-1341522563.1687225628#authenticating_function_to_function_calls