Terraform Google Cloud Functions (Gen 2) module

The Terraform module handles the deployment of Cloud Functions (Gen 2) on GCP.

The resources/services/activations/deletions that this module will create/trigger are:

• Deploy Cloud Functions (2nd Gen) with provided source code and trigger
• Provide Cloud Functions Invoker or Developer roles to the users and service accounts

Assumptions and Prerequisites

This module assumes that below mentioned prerequisites are in place before consuming the module.

• APIs are enabled
• Permissions are available.
• You have explicitly granted the necessary IAM roles for the underlying service account used by Cloud Build, build_service_account. If build_service_account is not specified, then the default compute service account is used, which has no default IAM roles in new organizations. At a minimum, the following IAM roles are required for the build service account:
  • roles/logging.logWriter
  • roles/storage.objectViewer
  • roles/artifactregistry.writer

Usage

Basic usage of this module is as follows:

module "cloud_functions2" {
  source  = "GoogleCloudPlatform/cloud-functions/google"
  version = "~> 0.6"

  # Required variables
  function_name      = "<FUNCTION_NAME>"
  project_id         = "<PROJECT_ID>"
  function_location  = "<LOCATION>"
  runtime            = "<RUNTIME>"
  entrypoint         = "<ENTRYPOINT>"
  storage_source = {
    bucket      = "<BUCKET_NAME>"
    object      = "<ARCHIVE_PATH>"
    generation  = "<GCS_GENERATION>"
  }
}

Functional examples are included in the examples directory.

Inputs

Name	Description	Type	Default	Required
build_env_variables	User-provided build-time environment variables	map(string)	null	no
build_service_account	Cloud Function Build Service Account Id. This is The fully-qualified name of the service account to be used for building the container.	string	null	no
description	Short description of the function	string	null	no
docker_repository	User managed repository created in Artifact Registry optionally with a customer managed encryption key.	string	null	no
entrypoint	The name of the function (as defined in source code) that will be executed. Defaults to the resource name suffix, if not specified	string	n/a	yes
event_trigger	Event triggers for the function	object({ trigger_region = optional(string) event_type = string service_account_email = string pubsub_topic = optional(string) retry_policy = string event_filters = optional(set(object({ attribute = string attribute_value = string operator = optional(string) }))) })	null	no
function_location	The location of this cloud function	string	n/a	yes
function_name	A user-defined name of the function	string	n/a	yes
labels	A set of key/value label pairs associated with this Cloud Function	map(string)	null	no
members	Cloud Function Invoker and Developer roles for Users/SAs. Key names must be developers and/or invokers	map(list(string))	{}	no
project_id	Project ID to create Cloud Function	string	n/a	yes
repo_source	Get the source from this location in a Cloud Source Repository	object({ project_id = optional(string) repo_name = string branch_name = string dir = optional(string) tag_name = optional(string) commit_sha = optional(string) invert_regex = optional(bool, false) })	null	no
runtime	The runtime in which to run the function.	string	n/a	yes
service_config	Details of the service	object({ max_instance_count = optional(string, 100) min_instance_count = optional(string, 1) available_memory = optional(string, "256M") available_cpu = optional(string, 1) timeout_seconds = optional(string, 60) runtime_env_variables = optional(map(string), null) runtime_secret_env_variables = optional(set(object({ key_name = string project_id = optional(string) secret = string version = string })), null) secret_volumes = optional(set(object({ mount_path = string project_id = optional(string) secret = string versions = set(object({ version = string path = string })) })), null) vpc_connector = optional(string, null) vpc_connector_egress_settings = optional(string, null) ingress_settings = optional(string, null) service_account_email = optional(string, null) all_traffic_on_latest_revision = optional(bool, true) })	{}	no
storage_source	Get the source from this location in Google Cloud Storage	object({ bucket = string object = string generation = optional(string, null) })	null	no
worker_pool	Name of the Cloud Build Custom Worker Pool that should be used to build the function.	string	null	no

Outputs

Name	Description
function_name	Name of the Cloud Function (Gen 2)
function_uri	URI of the Cloud Function (Gen 2)

Requirements

These sections describe requirements for using this module.

Software

The following dependencies must be available:

• Terraform v1.3+
• Terraform Provider for GCP plugin v3.0

Service Account

A service account with the following roles must be used to provision the resources of this module:

• Storage Admin: roles/storage.admin
• Cloud Functions Admin: roles/cloudfunctions.admin
• Cloud Run Admin: roles/run.admin
• Pub/Sub Admin: roles/pubsub.admin
• Artifact Registry Admin: roles/artifactregistry.admin
• Cloud Build Editor: roles/cloudbuild.builds.editor
• Secret Manager Admin: roles/secretmanager.admin

The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.

APIs

A project with the following APIs enabled must be used to host the resources of this module:

• Google Cloud Storage JSON API: storage-api.googleapis.com
• Cloud Functions API: cloudfunctions.googleapis.com
• Cloud Run Admin API: run.googleapis.com
• Cloud Build API: cloudbuild.googleapis.com
• Artifact Registry API: artifactregistry.googleapis.com
• Pub/Sub API: pubsub.googleapis.com
• Secret Manager API: secretmanager.googleapis.com
• EventArc API: eventarc.googleapis.com

The Project Factory module can be used to provision a project with the necessary APIs enabled.

Contributing

Refer to the contribution guidelines for information on contributing to this module.

Security Disclosures

Please see our security disclosure process.