This module configures a system which responds to events by invoking a Cloud Functions function.
The root module configures a function sourced from a directory on localhost to respond to a given event trigger. The source directory is compressed and uploaded as a Cloud Storage bucket object which will be leveraged by the function.
Alternatively, the repository-function submodule configures a function sourced from a Cloud Source Repositories repository.
This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+.
If you find incompatibilities using Terraform >=0.13, please open an issue.
If you haven't upgraded and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is v1.6.0.
The automatic-labelling-from-localhost example is a tested reference of how to use the root module with the event-project-log-entry submodule.
If you have `local_file` Terraform resources that need to be included in the function's archive, include them in the optional `source_dependent_files` input.
This tells the module to wait until those files exist before creating the archive.
An example can also be seen in `examples/dynamic-files`.
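```hcl
# File generated by Terraform that must end up inside the function archive.
resource "local_file" "file" {
  content  = "some content"
  filename = "${path.module}/function_source/terraform_created_file.txt"
}

module "localhost_function" {
  # ... (remaining module arguments elided)

  # Wait for the generated file before the source archive is built.
  source_dependent_files = [local_file.file]
}
```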
Name | Description | Type | Default | Required |
---|---|---|---|---|
available_memory_mb | The amount of memory in megabytes allotted for the function to use. | `number` | `256` | no |
bucket_force_destroy | When deleting the GCS bucket containing the cloud function, delete all objects in the bucket first. | `bool` | `false` | no |
bucket_labels | A set of key/value label pairs to assign to the function source archive bucket. | `map(string)` | `{}` | no |
bucket_name | The name to apply to the bucket. Will default to a string of the function name. | `string` | `""` | no |
build_environment_variables | A set of key/value environment variable pairs available during build time. | `map(string)` | `{}` | no |
create_bucket | Whether to create a new bucket or use an existing one. If false, `bucket_name` should reference the name of the alternate bucket to use. | `bool` | `true` | no |
description | The description of the function. | `string` | `"Processes events."` | no |
docker_registry | Docker Registry to use for storing the function's Docker images. Allowed values are CONTAINER_REGISTRY (default) and ARTIFACT_REGISTRY. | `string` | `null` | no |
docker_repository | User managed repository created in Artifact Registry optionally with a customer managed encryption key. If specified, deployments will use Artifact Registry. | `string` | `null` | no |
entry_point | The name of a method in the function source which will be invoked when the function is executed. | `string` | n/a | yes |
environment_variables | A set of key/value environment variable pairs to assign to the function. | `map(string)` | `{}` | no |
event_trigger | A source that fires events in response to a condition in another service. | `map(string)` | `{}` | no |
event_trigger_failure_policy_retry | A toggle to determine if the function should be retried on failure. | `bool` | `false` | no |
files_to_exclude_in_source_dir | Specify files to ignore when reading the `source_dir`. | `list(string)` | `[]` | no |
ingress_settings | The ingress settings for the function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY. Changes to this field will recreate the cloud function. | `string` | `"ALLOW_ALL"` | no |
kms_key_name | Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function resources. | `string` | `null` | no |
labels | A set of key/value label pairs to assign to the Cloud Function. | `map(string)` | `{}` | no |
log_bucket | Log bucket | `string` | `null` | no |
log_object_prefix | Log object prefix | `string` | `null` | no |
max_instances | The maximum number of parallel executions of the function. | `number` | `0` | no |
name | The name to apply to any nameable resources. | `string` | n/a | yes |
project_id | The ID of the project to which resources will be applied. | `string` | n/a | yes |
region | The region in which resources will be applied. | `string` | n/a | yes |
runtime | The runtime in which the function will be executed. | `string` | n/a | yes |
secret_environment_variables | A list of maps which contains key, project_id, secret_name (not the full secret id) and version to assign to the function as a set of secret environment variables. | `list(map(string))` | `[]` | no |
service_account_email | The service account to run the function as. | `string` | `""` | no |
source_dependent_files | A list of any Terraform created `local_file`s that the module will wait for before creating the archive. | `list(object({` | `[]` | no |
source_directory | The pathname of the directory which contains the function source code. | `string` | n/a | yes |
timeout_s | The amount of time in seconds allotted for the execution of the function. | `number` | `60` | no |
trigger_http | Whether to use HTTP trigger instead of the event trigger. | `bool` | `null` | no |
vpc_connector | The VPC Network Connector that this cloud function can connect to. It should be set up as fully-qualified URI. The format of this field is `projects/*/locations/*/connectors/*`. | `string` | `null` | no |
vpc_connector_egress_settings | The egress settings for the connector, controlling what traffic is diverted through it. Allowed values are ALL_TRAFFIC and PRIVATE_RANGES_ONLY. If unset, this field preserves the previously set value. | `string` | `null` | no |
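
A restrictive invocation of the root module built from the inputs listed above, added here as an example and not taken from the module's own documentation. The registry source path, the `google_service_account` resource, and every `<placeholder>` or sample name are assumptions.

```hcl
# Added example: placeholders in <angle brackets> must be replaced.
resource "google_service_account" "fn" {
  project      = "<project-id>"
  account_id   = "event-fn-runtime" # constructed sample name
  display_name = "Runtime identity for the event function"
}

module "localhost_function" {
  source = "terraform-google-modules/event-function/google" # assumed registry path

  name             = "event-fn" # constructed sample name
  project_id       = "<project-id>"
  region           = "<region>"
  runtime          = "<runtime>"
  entry_point      = "<entry-point>"
  source_directory = "${path.module}/function_source"

  event_trigger = {
    event_type = "google.pubsub.topic.publish"
    resource   = "<pubsub-topic>"
  }

  # Default is "ALLOW_ALL"; restrict the function to internal traffic.
  ingress_settings = "ALLOW_INTERNAL_ONLY"

  # Default is ""; a dedicated account can be granted only the roles
  # this one function needs.
  service_account_email = google_service_account.fn.email

  # Keep secret values out of environment_variables, where they would sit in
  # plain text in the Terraform state; reference Secret Manager instead.
  secret_environment_variables = [{
    key         = "API_TOKEN" # constructed sample name
    project_id  = "<project-id>"
    secret_name = "api-token" # secret name only, not the full secret id
    version     = "1"
  }]

  # Send all egress through the connector so VPC firewall rules apply.
  vpc_connector                 = "projects/<project-id>/locations/<region>/connectors/<connector>"
  vpc_connector_egress_settings = "ALL_TRAFFIC"

  max_instances        = 10    # caps parallel executions; default is 0
  bucket_force_destroy = false # default; source archives survive bucket deletion attempts
}
```

The runtime service account also needs read access to the referenced secret before the function can resolve `API_TOKEN`.
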
Name | Description |
---|---|
https_trigger_url | URL which triggers function execution. |
name | The name of the function. |
The following sections describe the requirements which must be met in order to invoke this module.
The following software dependencies must be installed on the system from which this module will be invoked:
- Terraform >= 0.13.0
- Terraform Provider for Archive
- Terraform Provider for Google Cloud Platform
The Service Account which will be used to invoke this module must have the following IAM roles:
- Cloud Functions Developer: `roles/cloudfunctions.developer`
- Storage Admin: `roles/storage.admin`
- Secret Manager Accessor: `roles/secretmanager.secretAccessor`
The project against which this module will be invoked must have the following APIs enabled:
- Cloud Functions API: `cloudfunctions.googleapis.com`
- Cloud Storage API: `storage-component.googleapis.com`
- Secret Manager API: `secretmanager.googleapis.com`
The Project Factory module can be used to provision projects with specific APIs activated.
Refer to the contribution guidelines for information on contributing to this module.