# Secure Cloud Function (2nd Gen) Core

This module handles the core deployment configuration for a Cloud Function (2nd Gen).

The resources/services/activations/deletions that this module will create/trigger are:

- Creates a Cloud Function (2nd Gen).
- Creates the Cloud Function source bucket in the same location as the Cloud Function.
- Creates an Artifact Registry repository to store the Cloud Function images.
- Configures the Eventarc Google Channel in the Cloud Function location to use the customer-managed encryption key (CMEK).
  - Warning: if another CMEK is already configured for the Google Channel in the same region, it will be overwritten.
- Creates a private worker pool for Cloud Build configured not to use an external IP.
- Grants the Cloud Functions Invoker role to the Eventarc trigger service account.
- Enables Container Scanning.

## Usage

```hcl
module "secure_cloud_function_core" {
  source  = "GoogleCloudPlatform/cloud-functions/google//modules/secure-cloud-function-core"
  version = "~> 0.6"

  function_name               = <FUNCTION-NAME>
  function_description        = <FUNCTION-DESCRIPTION>
  project_id                  = <PROJECT-ID>
  project_number              = <PROJECT-NUMBER>
  labels                      = <RESOURCES-LABELS>
  location                    = <FUNCTION-LOCATION>
  runtime                     = <FUNCTION-RUNTIME>
  entry_point                 = <FUNCTION-ENTRY-POINT>
  network_id                  = <NETWORK-ID>
  storage_source              = <FUNCTION-SOURCE-BUCKET>
  build_environment_variables = <FUNCTION-BUILD-ENV-VARS>
  event_trigger               = <FUNCTION-EVENT-TRIGGER>
  encryption_key              = <CUSTOMER-ENCRYPTION-KEY>

  service_config = {
    vpc_connector                  = <FUNCTION-VPC-CONNECTOR>
    service_account_email          = <FUNCTION-SERVICE-ACCOUNT-EMAIL>
    ingress_settings               = "ALLOW_INTERNAL_AND_GCLB"
    all_traffic_on_latest_revision = true
    vpc_connector_egress_settings  = "ALL_TRAFFIC"
    runtime_env_variables          = <FUNCTION-RUNTIME-ENV-VARS>
    runtime_secret_env_variables   = <FUNCTION-RUNTIME-SECRET-ENV-VARS>
    secret_volumes                 = <FUNCTION-SECRET-VOLUMES>
  }
}
```

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| bucket_cors | CORS configuration for the source bucket, with the structure defined in https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#cors | `any` | see below | no |
| bucket_lifecycle_rules | The bucket's lifecycle rules configuration. | `list(object({...}))`, see below | see below | no |
| build_environment_variables | A set of key/value environment variable pairs used when building the function. | `map(string)` | `{}` | no |
| encryption_key | The KMS key used to encrypt the Eventarc channel, the source bucket and the Docker (Artifact Registry) repository. | `string` | n/a | yes |
| entry_point | The name of the method in the function source that is invoked when the function is executed. | `string` | n/a | yes |
| event_trigger | A source that fires events in response to a condition in another service. | `object({...})`, see below | n/a | yes |
| force_destroy | Set the force_destroy attribute on the Cloud Storage bucket. | `bool` | `false` | no |
| function_description | The description of the Cloud Function to create. | `string` | `""` | no |
| function_name | The name of the Cloud Function to create. | `string` | n/a | yes |
| labels | Labels to be assigned to resources. | `map(any)` | `{}` | no |
| location | Cloud Function deployment location. | `string` | `"us-east4"` | no |
| network_id | ID of the VPC network to which the Cloud Build worker pool is connected. | `string` | n/a | yes |
| project_id | The project ID to deploy to. | `string` | n/a | yes |
| project_number | The project number to deploy to. | `number` | `null` | no |
| repo_source | The source repository where the Cloud Function source is stored. Do not combine with `storage_source`. | `object({...})`, see below | `null` | no |
| runtime | The runtime in which the function will be executed. | `string` | n/a | yes |
| service_config | Details of the function's service configuration. | `object({...})`, see below | n/a | yes |
| storage_source | Get the source from this location in Google Cloud Storage. | `object({...})`, see below | `null` | no |

Default of `bucket_cors`:

```json
[
  {
    "max_age_seconds": 0,
    "method": ["GET"],
    "origin": [
      "https://*.cloud.google.com",
      "https://*.corp.google.com",
      "https://*.corp.google.com:*",
      "https://*.cloud.google",
      "https://*.byoid.goog"
    ],
    "response_header": []
  }
]
```

Type of `bucket_lifecycle_rules`:

```hcl
list(object({
  # Object with keys:
  # - type          - The type of the action of this lifecycle rule. Supported values: Delete and SetStorageClass.
  # - storage_class - (Required if action type is SetStorageClass) The target storage class of objects affected by this lifecycle rule.
  action = any

  # Object with keys:
  # - age                   - (Optional) Minimum age of an object in days to satisfy this condition.
  # - created_before        - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.
  # - with_state            - (Optional) Match live and/or archived objects. Supported values: "LIVE", "ARCHIVED", "ANY".
  # - matches_storage_class - (Optional) Storage class of objects to satisfy this condition. Supported values: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, DURABLE_REDUCED_AVAILABILITY.
  # - matches_prefix        - (Optional) One or more matching name prefixes to satisfy this condition.
  # - matches_suffix        - (Optional) One or more matching name suffixes to satisfy this condition.
  # - num_newer_versions    - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.
  condition = any
}))
```

Default of `bucket_lifecycle_rules`:

```json
[
  {
    "action": { "type": "Delete" },
    "condition": {
      "age": 0,
      "days_since_custom_time": 0,
      "days_since_noncurrent_time": 0,
      "num_newer_versions": 3,
      "with_state": "ARCHIVED"
    }
  }
]
```

Type of `event_trigger`:

```hcl
object({
  trigger_region        = optional(string)
  event_type            = string
  service_account_email = string
  pubsub_topic          = optional(string)
  retry_policy          = string
  event_filters = optional(set(object({
    attribute       = string
    attribute_value = string
    operator        = optional(string)
  })))
})
```

Type of `repo_source`:

```hcl
object({
  project_id   = optional(string)
  repo_name    = string
  branch_name  = string
  dir          = optional(string)
  tag_name     = optional(string)
  commit_sha   = optional(string)
  invert_regex = optional(bool, false)
})
```

Type of `service_config`:

```hcl
object({
  max_instance_count    = optional(string, 100)
  min_instance_count    = optional(string, 1)
  available_memory      = optional(string, "256M")
  timeout_seconds       = optional(string, 60)
  runtime_env_variables = optional(map(string), null)
  runtime_secret_env_variables = optional(set(object({
    key_name   = string
    project_id = optional(string)
    secret     = string
    version    = string
  })), null)
  secret_volumes = optional(set(object({
    mount_path = string
    project_id = optional(string)
    secret     = string
    versions = set(object({
      version = string
      path    = string
    }))
  })), null)
  vpc_connector                  = string
  vpc_connector_egress_settings  = optional(string, "ALL_TRAFFIC")
  ingress_settings               = optional(string, "ALLOW_INTERNAL_AND_GCLB")
  service_account_email          = string
  all_traffic_on_latest_revision = optional(bool, true)
})
```

Type of `storage_source`:

```hcl
object({
  bucket     = string
  object     = string
  generation = optional(string, null)
})
```
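A complete, worked invocation of this module, added here as an example; it is not the module's own documentation or example code. It gives concrete values for the `event_trigger` and `service_config` objects described above (a Pub/Sub trigger, a Secret Manager environment variable and a secret volume), uses separate service accounts for the trigger and the runtime, and follows the module call with a Terraform `check` block that reads the deployed function back and asserts the ingress and egress settings the module is meant to enforce. Project IDs, the KMS key, the network and connector paths, service account IDs and secret names are placeholders; the attribute paths used in the `check` block are assumed to mirror the `google_cloudfunctions2_function` resource schema.

```hcl
locals {
  project_id    = "my-serverless-project" # placeholder
  location      = "us-east4"
  kms_key       = "projects/my-kms-project/locations/us-east4/keyRings/serverless/cryptoKeys/cloud-function"
  network_id    = "projects/my-network-project/global/networks/shared-vpc"
  vpc_connector = "projects/my-network-project/locations/us-east4/connectors/serverless-connector"
}

# Two identities: the trigger account only needs to invoke the function (the module
# grants it Cloud Functions Invoker); the runtime account carries the function's own
# permissions, so a compromised trigger path does not inherit them.
resource "google_service_account" "trigger" {
  project    = local.project_id
  account_id = "sa-cf-order-trigger"
}

resource "google_service_account" "runtime" {
  project    = local.project_id
  account_id = "sa-cf-order-runtime"
}

resource "google_pubsub_topic" "orders" {
  project      = local.project_id
  name         = "orders"
  kms_key_name = local.kms_key
}

module "secure_cloud_function_core" {
  source  = "GoogleCloudPlatform/cloud-functions/google//modules/secure-cloud-function-core"
  version = "~> 0.6"

  function_name        = "order-processor"
  function_description = "Processes order events published to Pub/Sub"
  project_id           = local.project_id
  project_number       = 123456789012 # placeholder
  location             = local.location
  labels               = { env = "prod", owner = "payments" }
  runtime              = "python311"
  entry_point          = "handle_order"
  network_id           = local.network_id
  encryption_key       = local.kms_key

  # Source zip already uploaded to a bucket in the function's location.
  storage_source = {
    bucket = "my-serverless-project-cf-source"
    object = "order-processor-v1.zip"
  }

  event_trigger = {
    trigger_region        = local.location
    event_type            = "google.cloud.pubsub.topic.v1.messagePublished"
    pubsub_topic          = google_pubsub_topic.orders.id
    service_account_email = google_service_account.trigger.email
    retry_policy          = "RETRY_POLICY_RETRY"
  }

  service_config = {
    vpc_connector                  = local.vpc_connector
    vpc_connector_egress_settings  = "ALL_TRAFFIC"             # every outbound connection leaves via the VPC
    ingress_settings               = "ALLOW_INTERNAL_AND_GCLB" # no direct public ingress
    service_account_email          = google_service_account.runtime.email
    all_traffic_on_latest_revision = true

    # Secrets come from Secret Manager rather than plain environment variables;
    # pinned versions make a rotation visible as a change in the plan.
    runtime_secret_env_variables = [{
      key_name   = "API_TOKEN"
      project_id = "my-secrets-project"
      secret     = "api-token"
      version    = "3"
    }]
    secret_volumes = [{
      mount_path = "/etc/secrets"
      project_id = "my-secrets-project"
      secret     = "client-cert"
      versions   = [{ version = "2", path = "client.pem" }]
    }]
  }
}

# Reads the deployed function back and flags drift from the exposure settings the
# module is meant to enforce. Before the first apply the data source cannot be read,
# and Terraform reports the check as a warning rather than an error.
check "function_network_posture" {
  data "google_cloudfunctions2_function" "deployed" {
    project  = local.project_id
    location = local.location
    name     = module.secure_cloud_function_core.cloudfunction_name
  }
  assert {
    condition     = data.google_cloudfunctions2_function.deployed.service_config[0].ingress_settings == "ALLOW_INTERNAL_AND_GCLB"
    error_message = "Function accepts public ingress; expected ALLOW_INTERNAL_AND_GCLB."
  }
  assert {
    condition     = data.google_cloudfunctions2_function.deployed.service_config[0].vpc_connector_egress_settings == "ALL_TRAFFIC"
    error_message = "Function egress is not forced through the VPC connector; expected ALL_TRAFFIC."
  }
}
```

The `check` block needs Terraform 1.5 or later. To build from a repository instead of an uploaded zip, replace `storage_source` with `repo_source`; the two must not be set together. The VPC connector and the network must be in the same region as the function, since the module creates the source bucket and the Cloud Build worker pool in that location.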

## Outputs

| Name | Description |
|------|-------------|
| artifact_registry_repository_id | The ID of the Artifact Registry repository created to store Cloud Function images. |
| cloudbuild_worker_pool_id | The ID of the Cloud Build worker pool created to build Cloud Function images. |
| cloudfunction_bucket | The Cloud Function source bucket. |
| cloudfunction_bucket_name | Name of the Cloud Function source bucket. |
| cloudfunction_name | Name of the created Cloud Function. |
| cloudfunction_url | The URL on which the deployed function is available. |
| eventarc_google_channel_id | The ID of the Eventarc Google Channel. |

## Requirements

### Software

The following dependencies must be available:

### APIs

A project with the following APIs enabled must be used to host the resources of this module:

- Serverless project
  - Container Scanning: containerscanning.googleapis.com

### Service Account

A service account with the following roles must be used to provision the resources of this module:

- Viewer: roles/viewer
- Cloud Function Developer: roles/cloudfunctions.developer
- Compute Network User: roles/compute.networkUser
- Artifact Registry Admin: roles/artifactregistry.admin
- Cloud Build Editor: roles/cloudbuild.builds.editor
- Cloud Build Worker Pool Owner: roles/cloudbuild.workerPoolOwner
- Pub/Sub Admin: roles/pubsub.admin
- Storage Admin: roles/storage.admin
- Service Usage Admin: roles/serviceusage.serviceUsageAdmin
- Eventarc Developer: roles/eventarc.developer