
GoogleCloudPlatform/terraform-google-cloud-functions


Terraform Google Cloud Functions (Gen 2) module

This Terraform module handles the deployment of Cloud Functions (2nd Gen) on GCP.

The resources/services/activations/deletions that this module will create/trigger are:

  • Deploy a Cloud Function (2nd Gen) from the provided source code with the configured trigger
  • Grant the Cloud Functions Invoker and/or Developer roles to the specified users and service accounts

Assumptions and Prerequisites

This module assumes that the following prerequisites are in place before it is used.

  • The required APIs are enabled (see the APIs list under Requirements).
  • The identity running Terraform holds the required roles (see Service Account under Requirements).
  • You have explicitly granted the necessary IAM roles to the service account that Cloud Build uses to build the function container (build_service_account). If build_service_account is not specified, the default compute service account is used; in new organizations that account is created without any IAM roles, so builds fail until roles are granted. A dedicated, least-privilege build service account is preferable to the default compute service account, which Compute Engine workloads in the same project also run as by default. At a minimum, the build service account requires the following IAM roles:
    • roles/logging.logWriter
    • roles/storage.objectViewer
    • roles/artifactregistry.writer
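
As an added example (not part of this module's own code or its examples directory), the following Terraform creates a dedicated build service account and grants it exactly the three roles listed above, then exposes the fully-qualified name that the module's build_service_account input expects. The project ID and the account ID fn-build are placeholders.

```hcl
# Added example, not the module's own code. Creates a dedicated Cloud Build
# service account for function builds and grants it only the three minimum
# roles. <PROJECT_ID> and the account ID "fn-build" are placeholders.

locals {
  project_id = "<PROJECT_ID>"

  # Minimum roles required by the build service account.
  build_roles = [
    "roles/logging.logWriter",
    "roles/storage.objectViewer",
    "roles/artifactregistry.writer",
  ]
}

resource "google_service_account" "function_build" {
  project      = local.project_id
  account_id   = "fn-build" # hypothetical account ID
  display_name = "Cloud Functions build service account"
}

# One project-level binding per role, nothing broader (no roles/editor).
resource "google_project_iam_member" "function_build" {
  for_each = toset(local.build_roles)

  project = local.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.function_build.email}"
}

# google_service_account.<name>.id has the form
# projects/<PROJECT_ID>/serviceAccounts/<EMAIL>, which is exactly what the
# module's build_service_account input expects. Passing it prevents the
# build from falling back to the default compute service account.
output "build_service_account" {
  value = google_service_account.function_build.id
}
```

Granting roles/storage.objectViewer at project level lets the build identity read every bucket in the project. If the function source lives in a single bucket, that role can instead be bound on the bucket alone with a google_storage_bucket_iam_member resource, which is the tighter choice.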

Usage

Basic usage of this module is as follows:

module "cloud_functions2" {
  source  = "GoogleCloudPlatform/cloud-functions/google"
  version = "~> 0.6"

  # Required variables
  function_name      = "<FUNCTION_NAME>"
  project_id         = "<PROJECT_ID>"
  function_location  = "<LOCATION>"
  runtime            = "<RUNTIME>"
  entrypoint         = "<ENTRYPOINT>"
  storage_source     = {
    bucket      = "<BUCKET_NAME>"
    object      = "<ARCHIVE_PATH>"
    generation  = "<GCS_GENERATION>"
  }
}

Functional examples are included in the examples directory.
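
The basic usage above leaves the build identity, the runtime identity, ingress and invoker access at their defaults, which means the default compute service account, traffic accepted from any source, and no explicit invokers. The following is an added example, not code from the module or its examples directory, showing a hardened invocation: a dedicated runtime service account, a dedicated build service account, internal-only ingress, a secret injected from Secret Manager instead of a plain environment variable, and an explicit invoker list. The function name order-webhook, the entrypoint handle_request, the secret ID api-key, the account ID fn-runtime, the region and runtime, and every <...> placeholder are assumptions.

```hcl
# Added example, not the module's own code. All names, IDs and <...>
# placeholders are assumptions chosen for illustration.

locals {
  project_id = "<PROJECT_ID>"
}

# Dedicated runtime identity so the function holds only the permissions
# granted to it below, rather than those of the default compute service account.
resource "google_service_account" "function_runtime" {
  project      = local.project_id
  account_id   = "fn-runtime" # hypothetical account ID
  display_name = "Cloud Functions runtime service account"
}

# Let the runtime identity read the one secret it needs and nothing else.
# Assumes a Secret Manager secret with ID "api-key" already exists in the project.
resource "google_secret_manager_secret_iam_member" "api_key_accessor" {
  project   = local.project_id
  secret_id = "api-key"
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.function_runtime.email}"
}

module "cloud_functions2" {
  source  = "GoogleCloudPlatform/cloud-functions/google"
  version = "~> 0.6"

  function_name     = "order-webhook"  # hypothetical
  project_id        = local.project_id
  function_location = "us-central1"
  runtime           = "python312"
  entrypoint        = "handle_request" # hypothetical

  description = "Hardened example: dedicated identities, internal-only ingress, secret from Secret Manager"

  storage_source = {
    bucket     = "<BUCKET_NAME>"
    object     = "<ARCHIVE_PATH>"
    generation = "<GCS_GENERATION>" # pinning a generation fixes exactly which archive is deployed
  }

  # Build with a dedicated, least-privilege build service account
  # (fully-qualified name), not the default compute service account.
  build_service_account = "projects/<PROJECT_ID>/serviceAccounts/<BUILD_SA_EMAIL>"

  service_config = {
    service_account_email = google_service_account.function_runtime.email

    # Reject requests from the public internet; only internal sources reach the function.
    ingress_settings = "ALLOW_INTERNAL_ONLY"

    # Inject the secret at runtime rather than baking it into the source
    # archive or into plain runtime_env_variables.
    runtime_secret_env_variables = [
      {
        key_name = "API_KEY"
        secret   = "api-key" # Secret Manager secret ID (short name)
        version  = "latest"
      }
    ]

    max_instance_count = 10
    timeout_seconds    = 30
  }

  # Only this identity may invoke the function; nobody is granted Developer.
  members = {
    invokers = [
      "serviceAccount:<CALLER_SA_EMAIL>",
    ]
  }

  # Make sure the secret binding exists before the first revision starts.
  depends_on = [google_secret_manager_secret_iam_member.api_key_accessor]
}
```

Two points worth checking before applying this: version = "latest" is resolved when an instance starts, so a rotated secret is picked up without a redeploy but deployments are not reproducible; pin a numbered version if reproducibility matters more. And ALLOW_INTERNAL_ONLY makes the function unreachable from the public internet, so HTTP callers must reach it from inside the VPC (for example through a VPC connector); confirm that is how your callers are connected before switching it on.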

Inputs

Each input is listed as name (type, default, required/optional), followed by its description. Object types are shown in Terraform type-constraint syntax.

build_env_variables (map(string), default null, optional)
  User-provided build-time environment variables.

build_service_account (string, default null, optional)
  Fully-qualified name of the service account Cloud Build uses to build the function container, in the form projects/<PROJECT_ID>/serviceAccounts/<EMAIL>. If unset, the default compute service account is used (see Assumptions and Prerequisites).

description (string, default null, optional)
  Short description of the function.

docker_repository (string, default null, optional)
  User-managed Artifact Registry repository that holds the built image, optionally configured with a customer-managed encryption key.

entrypoint (string, required)
  The name of the function (as defined in the source code) that will be executed. The module declares no default for this variable, so it must be set explicitly, even though the underlying resource could default it to the resource name suffix.

event_trigger (object, default null, optional)
  Eventarc trigger for the function; leave null for an HTTP-triggered function.
    object({
      trigger_region        = optional(string)
      event_type            = string
      service_account_email = string
      pubsub_topic          = optional(string)
      retry_policy          = string
      event_filters         = optional(set(object({
        attribute       = string
        attribute_value = string
        operator        = optional(string)
      })))
    })

function_location (string, required)
  The location (region) of the Cloud Function.

function_name (string, required)
  A user-defined name for the function.

labels (map(string), default null, optional)
  A set of key/value label pairs associated with this Cloud Function.

members (map(list(string)), default {}, optional)
  Identities to grant the Cloud Functions Invoker and Developer roles to. Keys must be "invokers" and/or "developers"; each value is a list of IAM members (for example user:alice@example.com or serviceAccount:<EMAIL>).

project_id (string, required)
  Project ID in which to create the Cloud Function.

repo_source (object, default null, optional)
  Get the source from this location in a Cloud Source Repository.
    object({
      project_id   = optional(string)
      repo_name    = string
      branch_name  = string
      dir          = optional(string)
      tag_name     = optional(string)
      commit_sha   = optional(string)
      invert_regex = optional(bool, false)
    })

runtime (string, required)
  The runtime in which to run the function.

service_config (object, default {}, optional)
  Configuration of the Cloud Run service that backs the function. Every attribute is optional; the defaults shown apply when an attribute is omitted. Note that ingress_settings and service_account_email are null by default, so an unconfigured function accepts traffic from all sources and runs as the default compute service account.
    object({
      max_instance_count             = optional(string, 100)
      min_instance_count             = optional(string, 1)
      available_memory               = optional(string, "256M")
      available_cpu                  = optional(string, 1)
      timeout_seconds                = optional(string, 60)
      runtime_env_variables          = optional(map(string), null)
      runtime_secret_env_variables   = optional(set(object({
        key_name   = string
        project_id = optional(string)
        secret     = string
        version    = string
      })), null)
      secret_volumes                 = optional(set(object({
        mount_path = string
        project_id = optional(string)
        secret     = string
        versions   = set(object({
          version = string
          path    = string
        }))
      })), null)
      vpc_connector                  = optional(string, null)
      vpc_connector_egress_settings  = optional(string, null)
      ingress_settings               = optional(string, null)
      service_account_email          = optional(string, null)
      all_traffic_on_latest_revision = optional(bool, true)
    })

storage_source (object, default null, optional)
  Get the source from this location in Google Cloud Storage.
    object({
      bucket     = string
      object     = string
      generation = optional(string, null)
    })

worker_pool (string, default null, optional)
  Name of the Cloud Build custom worker pool that should be used to build the function.

Outputs

Name Description
function_name Name of the Cloud Function (Gen 2)
function_uri URI of the Cloud Function (Gen 2)

Requirements

These sections describe requirements for using this module.

Software

The following dependencies must be available:

Service Account

A service account with the following roles must be used to provision the resources of this module:

  • Storage Admin: roles/storage.admin
  • Cloud Functions Admin: roles/cloudfunctions.admin
  • Cloud Run Admin: roles/run.admin
  • Pub/Sub Admin: roles/pubsub.admin
  • Artifact Registry Admin: roles/artifactregistry.admin
  • Cloud Build Editor: roles/cloudbuild.builds.editor
  • Secret Manager Admin: roles/secretmanager.admin

The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Google Cloud Storage JSON API: storage-api.googleapis.com
  • Cloud Functions API: cloudfunctions.googleapis.com
  • Cloud Run Admin API: run.googleapis.com
  • Cloud Build API: cloudbuild.googleapis.com
  • Artifact Registry API: artifactregistry.googleapis.com
  • Pub/Sub API: pubsub.googleapis.com
  • Secret Manager API: secretmanager.googleapis.com
  • EventArc API: eventarc.googleapis.com

The Project Factory module can be used to provision a project with the necessary APIs enabled.

Contributing

Refer to the contribution guidelines for information on contributing to this module.

Security Disclosures

Please see our security disclosure process.