This module handles the basic deployment core configurations for the Cloud Function (2nd Gen) module.

The resources/services/activations/deletions that this module will create/trigger are:

- Creates a Cloud Function (2nd Gen).
- Creates the Cloud Function source bucket in the same location as the Cloud Function.
- Configures the Eventarc Google Channel to use the Customer-Managed Encryption Key (CMEK) in the Cloud Function location.
  - Warning: If there is another CMEK configured for the same region, it will be overwritten.
- Creates a private worker pool for Cloud Build configured not to use an External IP.
- Grants the Cloud Functions Invoker role to the Eventarc Trigger Service Account.
- Enables Container Scanning.
```hcl
module "secure_cloud_function_core" {
  source  = "GoogleCloudPlatform/cloud-functions/google//modules/secure-cloud-function-core"
  version = "~> 0.6"

  function_name               = <FUNCTION-NAME>
  function_description        = <FUNCTION-DESCRIPTION>
  project_id                  = <PROJECT-ID>
  project_number              = <PROJECT-NUMBER>
  labels                      = <RESOURCES-LABELS>
  location                    = <FUNCTION-LOCATION>
  runtime                     = <FUNCTION-RUNTIME>
  entry_point                 = <FUNCTION-ENTRY-POINT>
  storage_source              = <FUNCTION-SOURCE-BUCKET>
  build_environment_variables = <FUNCTION-BUILD-ENV-VARS>
  event_trigger               = <FUNCTION-EVENT-TRIGGER>
  encryption_key              = <CUSTOMER-ENCRYPTION-KEY>

  service_config = {
    # Only internal and Google Cloud Load Balancer traffic may reach the function.
    ingress_settings               = "ALLOW_INTERNAL_AND_GCLB"
    vpc_connector                  = <FUNCTION-VPC-CONNECTOR>
    service_account_email          = <FUNCTION-SERVICE-ACCOUNT-EMAIL>
    all_traffic_on_latest_revision = true
    # Route all egress through the VPC connector, not only private ranges.
    vpc_connector_egress_settings  = "ALL_TRAFFIC"
    runtime_env_variables          = <FUNCTION-RUNTIME-ENV-VARS>
    runtime_secret_env_variables   = <FUNCTION-RUNTIME-SECRET-ENV-VARS>
    secret_volumes                 = <FUNCTION-SECRET-VOLUMES>
  }
}
```
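As an added example (not code from this module or its README), the check below reads a JSON document shaped like the output of `gcloud functions describe NAME --gen2 --format=json` and reports where a deployed function deviates from the posture the usage block above configures: CMEK set, private worker pool, `ALLOW_INTERNAL_AND_GCLB` ingress, all egress through the VPC connector, and a dedicated runtime service account. Field names follow the Cloud Functions v2 API; the project, key, connector and service-account names are constructed placeholders.

```python
import json

# Constructed sample shaped like `gcloud functions describe NAME --gen2 --format=json`
# (Cloud Functions v2 API field names; every resource name here is made up).
HARDENED_FUNCTION_JSON = json.dumps({
    "name": "projects/example-project/locations/us-east4/functions/example-fn",
    "kmsKeyName": "projects/example-project/locations/us-east4/keyRings/example-kr/cryptoKeys/example-key",
    "buildConfig": {"workerPool": "projects/example-project/locations/us-east4/workerPools/example-pool"},
    "serviceConfig": {
        "ingressSettings": "ALLOW_INTERNAL_AND_GCLB",
        "vpcConnector": "projects/example-project/locations/us-east4/connectors/example-conn",
        "vpcConnectorEgressSettings": "ALL_TRAFFIC",
        "serviceAccountEmail": "example-fn-sa@example-project.iam.gserviceaccount.com",
    },
})

# Same shape, but deployed without the module's protections (also constructed).
WEAK_FUNCTION_JSON = json.dumps({
    "name": "projects/example-project/locations/us-east4/functions/weak-fn",
    "serviceConfig": {
        "ingressSettings": "ALLOW_ALL",
        "vpcConnector": "projects/example-project/locations/us-east4/connectors/example-conn",
        "vpcConnectorEgressSettings": "PRIVATE_RANGES_ONLY",
        "serviceAccountEmail": "123456789012-compute@developer.gserviceaccount.com",
    },
})

# Suffixes of the Google-managed default service accounts (compute default, App Engine).
DEFAULT_SA_SUFFIXES = ("@developer.gserviceaccount.com", "@appspot.gserviceaccount.com")


def check_function_hardening(description_json: str) -> list[str]:
    """Return findings where the function deviates from the module's posture; empty list means it matches."""
    fn = json.loads(description_json)
    svc = fn.get("serviceConfig", {})
    build = fn.get("buildConfig", {})
    findings = []
    if not fn.get("kmsKeyName"):
        findings.append("kmsKeyName unset: function is not using a customer-managed key")
    if not build.get("workerPool"):
        findings.append("buildConfig.workerPool unset: build ran outside a private worker pool")
    if svc.get("ingressSettings") != "ALLOW_INTERNAL_AND_GCLB":
        findings.append(f"ingressSettings is {svc.get('ingressSettings')!r}, expected ALLOW_INTERNAL_AND_GCLB")
    if not svc.get("vpcConnector"):
        findings.append("vpcConnector unset: egress bypasses the VPC")
    elif svc.get("vpcConnectorEgressSettings") != "ALL_TRAFFIC":
        findings.append("vpcConnectorEgressSettings is not ALL_TRAFFIC: some egress bypasses the VPC")
    sa = svc.get("serviceAccountEmail", "")
    if not sa or sa.endswith(DEFAULT_SA_SUFFIXES):
        findings.append("function runs as a default service account instead of a dedicated one")
    return findings
```

Running the check against a real description requires that the caller has `cloudfunctions.functions.get` on the function; the check itself needs no credentials.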
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| bucket_cors | Configuration of CORS for bucket with structure as defined in https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#cors. | `any` | `[` | no |
| bucket_lifecycle_rules | The bucket's Lifecycle Rules configuration. | `list(object({` | `[` | no |
| build_environment_variables | A set of key/value environment variable pairs to be used when building the Function. | `map(string)` | `{}` | no |
| encryption_key | The KMS Key to encrypt Eventarc, the source bucket and the Docker repository. | `string` | n/a | yes |
| entry_point | The name of a method in the function source which will be invoked when the function is executed. | `string` | n/a | yes |
| event_trigger | A source that fires events in response to a condition in another service. | `object({` | n/a | yes |
| force_destroy | Set the force_destroy attribute on the Cloud Storage bucket. | `bool` | `false` | no |
| function_description | The description of the Cloud Function to create. | `string` | `""` | no |
| function_name | The name of the Cloud Function to create. | `string` | n/a | yes |
| labels | Labels to be assigned to resources. | `map(any)` | `{}` | no |
| location | Cloud Function deployment location. | `string` | `"us-east4"` | no |
| network_id | VPC network ID which is going to be used to connect the WorkerPool. | `string` | n/a | yes |
| project_id | The project ID to deploy to. | `string` | n/a | yes |
| project_number | The project number to deploy to. | `number` | `null` | no |
| repo_source | The source repository where the Cloud Function source is stored. Do not use combined with source_path. | `object({` | `null` | no |
| runtime | The runtime in which the function will be executed. | `string` | n/a | yes |
| service_config | Details of the service. | `object({` | n/a | yes |
| storage_source | Get the source from this location in Google Cloud Storage. | `object({` | `null` | no |
| Name | Description |
|---|---|
| artifact_registry_repository_id | The ID of the Artifact Registry created to store Cloud Function images. |
| cloudbuild_worker_pool_id | The ID of the Cloud Build worker pool created to build Cloud Function images. |
| cloudfunction_bucket | The Cloud Function source bucket. |
| cloudfunction_bucket_name | Name of the Cloud Function source bucket. |
| cloudfunction_name | Name of the created service. |
| cloudfunction_url | The URL on which the deployed service is available. |
| eventarc_google_channel_id | The ID of the Google Eventarc Channel. |
The following dependencies must be available:

- Terraform >= 1.3
- Terraform Provider for GCP plugin < 5.0

A project with the following APIs enabled must be used to host the resources of this module:

- Serverless Project
- Container Scanning: `containerscanning.googleapis.com`
A service account with the following roles must be used to provision the resources of this module:

- Viewer: `roles/viewer`
- Cloud Function Developer: `roles/cloudfunctions.developer`
- Compute Network User: `roles/compute.networkUser`
- Artifact Registry Admin: `roles/artifactregistry.admin`
- Cloud Build Editor: `roles/cloudbuild.builds.editor`
- Cloud Build Worker Pool Owner: `roles/cloudbuild.workerPoolOwner`
- Pub/Sub Admin: `roles/pubsub.admin`
- Storage Admin: `roles/storage.admin`
- Service Usage Admin: `roles/serviceusage.serviceUsageAdmin`
- Eventarc Developer: `roles/eventarc.developer`