This module handles the deployment required for Cloud Function (2nd Gen) usage. The secure-cloud-function module will call the secure-cloud-function-core, secure-cloud-serverless-net and secure-cloud-function-security modules.

When using a Shared VPC, you can choose where to create the VPC Connector.

Note: When using a single VPC you should provide the VPC and Serverless project IDs with the same value, and the value of the `connector_on_host_project` variable must be `false`.
The resources/services/activations/deletions that this module will create/trigger are:

- secure-cloud-serverless-network module will apply:
  - Creates Firewall rules on your VPC Project.
    - Serverless to VPC Connector
    - VPC Connector to Serverless
    - VPC Connector to LB
    - VPC Connector Health Checks
  - Creates a subnetwork for VPC Connector usage.
  - Creates Serverless Connector on your VPC Project or Serverless Project. Refer to the comparison below:
    - Advantages of creating connectors in the VPC Project
    - Advantages of creating connectors in the Serverless Project
  - Grants the necessary roles so that Cloud Functions are able to use the VPC Connector on your Shared VPC when creating the VPC Connector in the host project.
    - Grant Network User role to Cloud Services service account.
    - Grant VPC Access User to Cloud Function Service Identity when deploying VPC Access.
- secure-cloud-function-security module will apply:
  - Creates KMS Keyring and Key for customer managed encryption keys in the KMS Project to be used by Cloud Function (2nd Gen).
  - Enables Organization Policies related to Cloud Function (2nd Gen) in the Serverless Project.
    - Allow Ingress only from internal and Cloud Load Balancing.
    - Allow VPC Egress to Private Ranges Only.
  - When group emails are provided, this module will grant the roles for each persona.
    - Serverless administrator - Service Project
      - roles/run.admin
      - roles/cloudfunctions.admin
      - roles/compute.networkViewer
      - roles/compute.networkUser
    - Serverless Security Administrator - Security project
      - roles/cloudfunctions.viewer
      - roles/run.viewer
      - roles/cloudkms.viewer
      - roles/artifactregistry.reader
    - Cloud Function (2nd Gen) developer - Security project
      - roles/cloudfunctions.developer
      - roles/artifactregistry.writer
      - roles/cloudkms.cryptoKeyEncrypter
    - Cloud Function (2nd Gen) user - Service project
      - roles/cloudfunctions.invoker
- secure-cloud-function-core module will apply:
  - Creates a Cloud Function (2nd Gen).
  - Creates the Cloud Function source bucket in the same location as the Cloud Function.
  - Configures the EventArc Google Channel to use a Customer Encryption Key in the Cloud Function location.
    - Warning: If there is another CMEK configured for the same region, it will be overwritten.
  - Creates a private worker pool for Cloud Build configured to not use External IP.
  - Grants Cloud Functions Invoker to EventArc Trigger Service Account.
  - Enables Container Scanning.
Basic usage of this module is as follows:

```hcl
module "secure_cloud_function" {
  source  = "GoogleCloudPlatform/cloud-functions/google//modules/secure-cloud-function"
  version = "~> 0.6"

  function_name         = <FUNCTION-NAME>
  function_description  = <FUNCTION-DESCRIPTION>
  location              = <FUNCTION-LOCATION>
  region                = <FUNCTION-REGION>
  serverless_project_id = <FUNCTION-PROJECT-ID>
  vpc_project_id        = <VPC-PROJECT-ID>
  kms_project_id        = <KMS-PROJECT-ID>
  key_name              = <KMS-KEY-NAME>
  keyring_name          = <KMS-KEYRING-NAME>
  service_account_email = <FUNCTION-SERVICE-ACCOUNT>
  connector_name        = <VPC-CONNECTOR-NAME>
  subnet_name           = <SUBNET-NAME>
  create_subnet         = false
  shared_vpc_name       = <SHARED-VPC-NAME>
  ip_cidr_range         = "10.0.0.0/28"

  storage_source = {
    bucket = <SOURCE-BUCKET-NAME>
    object = <SOURCE-FILE-NAME>
  }

  runtime     = <FUNCTION-RUNTIME>
  entry_point = <FUNCTION-ENTRY-POINT>
}
```
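A single-VPC deployment, as described in the note above, written here as an added example rather than code from the module's README: the VPC and Serverless project IDs share one value, `connector_on_host_project` is `false`, and the CMEK, ingress and egress inputs are set to the values that match the organization policies the security module enables. The caller-side `variable` with its `validation` block is this example's own guardrail, not a module input, and the angle-bracket values are placeholders.

```hcl
# Caller-side guardrail (this example's assumption, not a module input): the validation
# rejects any egress value other than the one the "Private Ranges Only" org policy allows.
variable "vpc_egress_value" {
  type    = string
  default = "PRIVATE_RANGES_ONLY"
  validation {
    condition     = var.vpc_egress_value == "PRIVATE_RANGES_ONLY"
    error_message = "Org policy allows VPC egress to private ranges only; ALL_TRAFFIC would be denied."
  }
}

module "secure_cloud_function" {
  source  = "GoogleCloudPlatform/cloud-functions/google//modules/secure-cloud-function"
  version = "~> 0.6"

  function_name         = "<FUNCTION-NAME>"
  function_description  = "<FUNCTION-DESCRIPTION>"
  location              = "<FUNCTION-LOCATION>"
  serverless_project_id = "<PROJECT-ID>" # single VPC: one project hosts network and function
  vpc_project_id        = "<PROJECT-ID>" # must be the same value as serverless_project_id
  service_account_email = "<FUNCTION-SERVICE-ACCOUNT>"

  # Connector is created in the serverless project; the module creates its /28 subnet.
  connector_on_host_project = false
  connector_name            = "<VPC-CONNECTOR-NAME>"
  shared_vpc_name           = "<VPC-NAME>" # the single VPC, reused by the connector
  network_id                = "projects/<PROJECT-ID>/global/networks/<VPC-NAME>"
  create_subnet             = true
  subnet_name               = "<SUBNET-NAME>"
  ip_cidr_range             = "10.0.0.0/28"

  # CMEK: HSM-backed key, rotated every 30 days (2592000s), protected from destroy.
  kms_project_id       = "<KMS-PROJECT-ID>"
  keyring_name         = "<KMS-KEYRING-NAME>"
  key_name             = "<KMS-KEY-NAME>"
  key_protection_level = "HSM"
  key_rotation_period  = "2592000s"
  prevent_destroy      = true

  # Traffic controls matching the org policies: internal + GCLB ingress, private-range egress.
  ingress_settings = "ALLOW_INTERNAL_AND_GCLB"
  vpc_egress_value = var.vpc_egress_value

  storage_source = {
    bucket = "<SOURCE-BUCKET-NAME>"
    object = "<SOURCE-FILE-NAME>"
  }
  runtime     = "<FUNCTION-RUNTIME>"
  entry_point = "<FUNCTION-ENTRY-POINT>"
}
```

Running `terraform plan` with `-var vpc_egress_value=ALL_TRAFFIC` fails on the validation before anything is sent to the API, which is the point of keeping the guardrail on the caller side.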
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| all_traffic_on_latest_revision | Timeout for each request. | `bool` | `true` | no |
| available_memory_mb | The amount of memory in megabytes allotted for the function to use. | `string` | `"256Mi"` | no |
| bucket_cors | Configuration of CORS for bucket with structure as defined in https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#cors. | `any` | `[` | no |
| bucket_lifecycle_rules | The bucket's Lifecycle Rules configuration. | `list(object({` | `[` | no |
| build_environment_variables | A set of key/value environment variable pairs to be used when building the Function. | `map(string)` | `{}` | no |
| connector_name | The name for the connector to be created. | `string` | `"serverless-vpc-connector"` | no |
| create_subnet | The subnet will be created with the subnet_name variable if true. When false, it will use the subnet_name for the subnet. | `bool` | `true` | no |
| entry_point | The name of a method in the function source which will be invoked when the function is executed. | `string` | n/a | yes |
| environment_variables | A set of key/value environment variable pairs to assign to the function. | `map(string)` | `{}` | no |
| event_trigger | A source that fires events in response to a condition in another service. | `object({` | n/a | yes |
| folder_id | The folder ID to apply the policy to. | `string` | `""` | no |
| function_description | Cloud Function description. | `string` | n/a | yes |
| function_name | Cloud Function name. | `string` | n/a | yes |
| groups | Groups which will have roles assigned. The Serverless Administrators email group, to which the following roles will be added: Cloud Run Admin, Compute Network Viewer and Compute Network User. The Serverless Security Administrators email group, to which the following roles will be added: Cloud Run Viewer, Cloud KMS Viewer and Artifact Registry Reader. The Cloud Run Developer email group, to which the following roles will be added: Cloud Run Developer, Artifact Registry Writer and Cloud KMS CryptoKey Encrypter. The Cloud Run User email group, to which the following role will be added: Cloud Run Invoker. | `object({` | `{}` | no |
| ingress_settings | The ingress settings for the function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY. Changes to this field will recreate the cloud function. | `string` | `"ALLOW_INTERNAL_AND_GCLB"` | no |
| ip_cidr_range | The range of internal addresses that are owned by the subnetwork and which is going to be used by the VPC Connector. For example, 10.0.0.0/28 or 192.168.0.0/28. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported. | `string` | n/a | yes |
| key_name | The name of the KMS Key to be created and used in Cloud Run. | `string` | `"cloud-run-kms-key"` | no |
| key_protection_level | The protection level to use when creating a version based on this template. Possible values: ["SOFTWARE", "HSM"] | `string` | `"HSM"` | no |
| key_rotation_period | Period of key rotation in seconds. | `string` | `"2592000s"` | no |
| keyring_name | Keyring name. | `string` | `"cloud-run-kms-keyring"` | no |
| kms_project_id | The project where KMS will be created. | `string` | n/a | yes |
| labels | Labels to be assigned to resources. | `map(any)` | `{}` | no |
| location | The location where resources are going to be deployed. | `string` | n/a | yes |
| max_scale_instances | Sets the maximum number of container instances needed to handle all incoming requests or events from each revision from Cloud Run. For more information, see the documentation. | `number` | `2` | no |
| min_scale_instances | Sets the minimum number of container instances needed to handle all incoming requests or events from each revision from Cloud Run. For more information, see the documentation. | `number` | `1` | no |
| network_id | VPC network ID which is going to be used to connect the WorkerPool. | `string` | n/a | yes |
| organization_id | The organization ID to apply the policy to. | `string` | `""` | no |
| policy_for | Policy Root: set one of the following values to determine where the policy is applied. Possible values: ["project", "folder", "organization"]. | `string` | `"project"` | no |
| prevent_destroy | Set the prevent_destroy lifecycle attribute on the Cloud KMS key. | `bool` | `true` | no |
| repo_source | The source repository where the Cloud Function Source is stored. Do not use combined with source_path. | `object({` | `null` | no |
| resource_names_suffix | A suffix to concatenate to the end of the network resource names being created. | `string` | `null` | no |
| runtime | The runtime in which the function will be executed. | `string` | n/a | yes |
| secret_environment_variables | A list of maps which contains key, project_id, secret_name (not the full secret id) and version to assign to the function as a set of secret environment variables. | `set(object({` | `null` | no |
| secret_volumes | [Beta] Environment variables (Secret Manager). | `set(object({` | `null` | no |
| serverless_project_id | The project to deploy the cloud function service. | `string` | n/a | yes |
| serverless_project_number | The project number to deploy to. | `number` | `null` | no |
| service_account_email | Service account to be used on Cloud Function. | `string` | n/a | yes |
| shared_vpc_name | Shared VPC name which is going to be re-used to create the Serverless Connector. | `string` | n/a | yes |
| storage_source | Get the source from this location in Google Cloud Storage. | `object({` | `null` | no |
| subnet_name | Subnet name to be re-used to create the Serverless Connector. | `string` | `null` | no |
| timeout_seconds | Timeout for each request. | `number` | `120` | no |
| vpc_egress_value | Sets VPC Egress firewall rule. Supported values are VPC_CONNECTOR_EGRESS_SETTINGS_UNSPECIFIED, PRIVATE_RANGES_ONLY, and ALL_TRAFFIC. | `string` | `"ALL_TRAFFIC"` | no |
| vpc_project_id | The host project for the shared VPC. | `string` | n/a | yes |
| Name | Description |
|------|-------------|
| cloud_services_sa | Service Account for Cloud Function. |
| cloudfunction_bucket | The Cloud Function source bucket. |
| cloudfunction_bucket_name | The Cloud Function source bucket name. |
| cloudfunction_name | ID of the created Cloud Function. |
| cloudfunction_url | URL of the created Cloud Function. |
| connector_id | VPC serverless connector ID. |
| gca_vpcaccess_sa | Service Account for VPC Access. |
| key_self_link | Name of the Cloud KMS crypto key. |
| keyring_self_link | Name of the Cloud KMS keyring. |
| serverless_identity_services_sa | Service Identity for serverless services. |
The following dependencies must be available:

- Terraform >= 1.3
- Terraform Provider for GCP < 5.0

The Secure-cloud-function module will enable the following APIs in the Serverless Project:

- Serverless Project
  - Container Scanning: `containerscanning.googleapis.com`
A service account with the following roles must be used to provision the resources of this module:

- VPC Project
  - Compute Shared VPC Admin: `roles/compute.xpnAdmin`
  - Network Admin: `roles/compute.networkAdmin`
  - Security Admin: `roles/compute.securityAdmin`
  - Serverless VPC Access Admin: `roles/vpcaccess.admin`
- KMS Project
  - Cloud KMS Admin: `roles/cloudkms.admin`
- Serverless Project
  - Viewer: `roles/viewer`
  - Cloud Function Developer: `roles/cloudfunctions.developer`
  - Compute Network User: `roles/compute.networkUser`
  - Artifact Registry Admin: `roles/artifactregistry.admin`
  - Cloud Build Editor: `roles/cloudbuild.builds.editor`
  - Cloud Build Worker Pool Owner: `roles/cloudbuild.workerPoolOwner`
  - Pub/Sub Admin: `roles/pubsub.admin`
  - Storage Admin: `roles/storage.admin`
  - Service Usage Admin: `roles/serviceusage.serviceUsageAdmin`
  - Eventarc Developer: `roles/eventarc.developer`
  - Organization Policy Administrator: `roles/orgpolicy.policyAdmin`
  - Project IAM Admin: `roles/resourcemanager.projectIamAdmin`