Secure Cloud Function

This module handles the deployment required for Cloud Function (2nd Gen) usage. The secure-cloud-function module calls the secure-cloud-function-core, secure-cloud-serverless-net and secure-cloud-function-security modules.

When using a Shared VPC, you can choose where to create the VPC Connector.

Note: When using a single VPC, provide the same value for the VPC and Serverless project ids, and set the connector_on_host_project variable to false.

The resources/services/activations/deletions that this module will create/trigger are:

  • secure-cloud-serverless-network module will apply:

    • Creates Firewall rules on your VPC Project.
      • Serverless to VPC Connector
      • VPC Connector to Serverless
      • VPC Connector to LB
      • VPC Connector Health Checks
    • Creates a subnetwork for VPC Connector usage.
    • Creates the Serverless Connector on your VPC Project or Serverless Project. Refer to the comparison below.
    • Grants the roles needed for the Cloud Function to use the VPC Connector on your Shared VPC when the VPC Connector is created in the host project.
      • Grants the Network User role to the Cloud Services service account.
      • Grants VPC Access User to the Cloud Function Service Identity when deploying VPC Access.
  • secure-cloud-function-security module will apply:

    • Creates a KMS Keyring and Key for customer-managed encryption keys in the KMS Project, to be used by Cloud Function (2nd Gen).
    • Enables Organization Policies related to Cloud Function (2nd Gen) in the Serverless Project.
      • Allow Ingress only from internal and Cloud Load Balancing.
      • Allow VPC Egress to Private Ranges Only.
    • When group emails are provided, this module will grant the roles for each persona.
      • Serverless administrator - Service Project
        • roles/run.admin
        • roles/cloudfunctions.admin
        • roles/compute.networkViewer
        • roles/compute.networkUser
      • Serverless Security Administrator - Security project
        • roles/cloudfunctions.viewer
        • roles/run.viewer
        • roles/cloudkms.viewer
        • roles/artifactregistry.reader
      • Cloud Function (2nd Gen) developer - Security project
        • roles/cloudfunctions.developer
        • roles/artifactregistry.writer
        • roles/cloudkms.cryptoKeyEncrypter
      • Cloud Function (2nd Gen) user - Service project
        • roles/cloudfunctions.invoker
  • secure-cloud-function-core module will apply:

    • Creates a Cloud Function (2nd Gen).
    • Creates the Cloud Function source bucket in the same location as the Cloud Function.
    • Configures the EventArc Google Channel to use the Customer Encryption Key in the Cloud Function location.
      • Warning: If there is another CMEK configured for the same region, it will be overwritten.
    • Creates a private worker pool for Cloud Build configured not to use an External IP.
    • Grants Cloud Functions Invoker to the EventArc Trigger Service Account.
    • Enables Container Scanning.

Usage

Basic usage of this module is as follows:

module "secure_cloud_function" {
  source  = "GoogleCloudPlatform/cloud-functions/google//modules/secure-cloud-function"
  version = "~> 0.6"

  function_name             = <FUNCTION-NAME>
  function_description      = <FUNCTION-DESCRIPTION>
  location                  = <FUNCTION-LOCATION>
  region                    = <FUNCTION-REGION>
  serverless_project_id     = <FUNCTION-PROJECT-ID>
  vpc_project_id            = <VPC-PROJECT-ID>
  kms_project_id            = <KMS-PROJECT-ID>
  key_name                  = <KMS-KEY-NAME>
  keyring_name              = <KMS-KEYRING-NAME>
  service_account_email     = <FUNCTION-SERVICE-ACCOUNT>
  connector_name            = <VPC-CONNECTOR-NAME>
  subnet_name               = <SUBNET-NAME>
  create_subnet             = false
  shared_vpc_name           = <SHARED-VPC-NAME>
  ip_cidr_range             = "10.0.0.0/28"

  storage_source = {
    bucket = <SOURCE-BUCKET-NAME>
    object = <SOURCE-FILE-NAME>
  }
  runtime     = <FUNCTION-RUNTIME>
  entry_point = <FUNCTION-ENTRY-POINT>
}

Inputs

Name (type, default, required or optional): description

  • all_traffic_on_latest_revision (bool, default true, optional): Timeout for each request.
  • available_memory_mb (string, default "256Mi", optional): The amount of memory in megabytes allotted for the function to use.
  • bucket_cors (any, optional): Configuration of CORS for the bucket, with the structure defined in https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#cors. Default:
    [
      {
        "max_age_seconds": 0,
        "method": ["GET"],
        "origin": [
          "https://*.cloud.google.com",
          "https://*.corp.google.com",
          "https://*.corp.google.com:*",
          "https://*.cloud.google",
          "https://*.byoid.goog"
        ],
        "response_header": []
      }
    ]
  • bucket_lifecycle_rules (list(object), optional): The bucket's Lifecycle Rules configuration. Type:
    list(object({
      # Object with keys:
      # - type - The type of the action of this Lifecycle Rule. Supported values: Delete and SetStorageClass.
      # - storage_class - (Required if action type is SetStorageClass) The target Storage Class of objects affected by this Lifecycle Rule.
      action = any

      # Object with keys:
      # - age - (Optional) Minimum age of an object in days to satisfy this condition.
      # - created_before - (Optional) Creation date of an object in RFC 3339 (e.g. 2017-06-13) to satisfy this condition.
      # - with_state - (Optional) Match to live and/or archived objects. Supported values include: "LIVE", "ARCHIVED", "ANY".
      # - matches_storage_class - (Optional) Storage Class of objects to satisfy this condition. Supported values include: MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, DURABLE_REDUCED_AVAILABILITY.
      # - matches_prefix - (Optional) One or more matching name prefixes to satisfy this condition.
      # - matches_suffix - (Optional) One or more matching name suffixes to satisfy this condition.
      # - num_newer_versions - (Optional) Relevant only for versioned objects. The number of newer versions of an object to satisfy this condition.
      condition = any
    }))
    Default:
    [
      {
        "action": { "type": "Delete" },
        "condition": {
          "age": 0,
          "days_since_custom_time": 0,
          "days_since_noncurrent_time": 0,
          "num_newer_versions": 3,
          "with_state": "ARCHIVED"
        }
      }
    ]
  • build_environment_variables (map(string), default {}, optional): A set of key/value environment variable pairs to be used when building the Function.
  • connector_name (string, default "serverless-vpc-connector", optional): The name for the connector to be created.
  • create_subnet (bool, default true, optional): The subnet will be created with the subnet_name variable if true. When false, the existing subnet named subnet_name is used.
  • entry_point (string, required): The name of a method in the function source which will be invoked when the function is executed.
  • environment_variables (map(string), default {}, optional): A set of key/value environment variable pairs to assign to the function.
  • event_trigger (object, required): A source that fires events in response to a condition in another service. Type:
    object({
      trigger_region        = optional(string)
      event_type            = string
      service_account_email = string
      pubsub_topic          = optional(string)
      retry_policy          = string
      event_filters = optional(set(object({
        attribute       = string
        attribute_value = string
        operator        = optional(string)
      })))
    })
  • folder_id (string, default "", optional): The folder ID to apply the policy to.
  • function_description (string, required): Cloud Function description.
  • function_name (string, required): Cloud Function name.
  • groups (object, default {}, optional): Groups which will have roles assigned.
    The Serverless Administrators email group, to which the following roles will be added: Cloud Run Admin, Compute Network Viewer and Compute Network User.
    The Serverless Security Administrators email group, to which the following roles will be added: Cloud Run Viewer, Cloud KMS Viewer and Artifact Registry Reader.
    The Cloud Run Developer email group, to which the following roles will be added: Cloud Run Developer, Artifact Registry Writer and Cloud KMS CryptoKey Encrypter.
    The Cloud Run User email group, to which the following roles will be added: Cloud Run Invoker.
    Type:
    object({
      group_serverless_administrator          = optional(string, null)
      group_serverless_security_administrator = optional(string, null)
      group_cloud_run_developer               = optional(string, null)
      group_cloud_run_user                    = optional(string, null)
    })
  • ingress_settings (string, default "ALLOW_INTERNAL_AND_GCLB", optional): The ingress settings for the function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY. Changes to this field will recreate the cloud function.
  • ip_cidr_range (string, required): The range of internal addresses that are owned by the subnetwork and which is going to be used by the VPC Connector. For example, 10.0.0.0/28 or 192.168.0.0/28. Ranges must be unique and non-overlapping within a network. Only IPv4 is supported.
  • key_name (string, default "cloud-run-kms-key", optional): The name of the KMS Key to be created and used in Cloud Run.
  • key_protection_level (string, default "HSM", optional): The protection level to use when creating a version based on this template. Possible values: ["SOFTWARE", "HSM"].
  • key_rotation_period (string, default "2592000s", optional): Period of key rotation in seconds.
  • keyring_name (string, default "cloud-run-kms-keyring", optional): Keyring name.
  • kms_project_id (string, required): The project where KMS will be created.
  • labels (map(any), default {}, optional): Labels to be assigned to resources.
  • location (string, required): The location where resources are going to be deployed.
  • max_scale_instances (number, default 2, optional): Sets the maximum number of container instances needed to handle all incoming requests or events from each revision from Cloud Run. For more information, access this documentation.
  • min_scale_instances (number, default 1, optional): Sets the minimum number of container instances needed to handle all incoming requests or events from each revision from Cloud Run. For more information, access this documentation.
  • network_id (string, required): VPC network ID which is going to be used to connect the WorkerPool.
  • organization_id (string, default "", optional): The organization ID to apply the policy to.
  • policy_for (string, default "project", optional): Policy Root: set one of the following values to determine where the policy is applied. Possible values: ["project", "folder", "organization"].
  • prevent_destroy (bool, default true, optional): Set the prevent_destroy lifecycle attribute on the Cloud KMS key.
  • repo_source (object, default null, optional): The source repository where the Cloud Function Source is stored. Do not use combined with source_path. Type:
    object({
      project_id   = optional(string)
      repo_name    = string
      branch_name  = string
      dir          = optional(string)
      tag_name     = optional(string)
      commit_sha   = optional(string)
      invert_regex = optional(bool, false)
    })
  • resource_names_suffix (string, default null, optional): A suffix to concatenate at the end of the names of the network resources being created.
  • runtime (string, required): The runtime in which the function will be executed.
  • secret_environment_variables (set(object), default null, optional): A list of maps which contains key, project_id, secret_name (not the full secret id) and version to assign to the function as a set of secret environment variables. Type:
    set(object({
      key_name   = string
      project_id = optional(string)
      secret     = string
      version    = string
    }))
  • secret_volumes (set(object), default null, optional): [Beta] Environment variables (Secret Manager). Type:
    set(object({
      mount_path = string
      project_id = optional(string)
      secret     = string
      versions = set(object({
        version = string
        path    = string
      }))
    }))
  • serverless_project_id (string, required): The project to deploy the cloud function service.
  • serverless_project_number (number, default null, optional): The project number to deploy to.
  • service_account_email (string, required): Service account to be used on the Cloud Function.
  • shared_vpc_name (string, required): Shared VPC name which is going to be re-used to create the Serverless Connector.
  • storage_source (object, default null, optional): Get the source from this location in Google Cloud Storage. Type:
    object({
      bucket     = string
      object     = string
      generation = optional(string, null)
    })
  • subnet_name (string, default null, optional): Subnet name to be re-used to create the Serverless Connector.
  • timeout_seconds (number, default 120, optional): Timeout for each request.
  • vpc_egress_value (string, default "ALL_TRAFFIC", optional): Sets the VPC Egress firewall rule. Supported values are VPC_CONNECTOR_EGRESS_SETTINGS_UNSPECIFIED, PRIVATE_RANGES_ONLY, and ALL_TRAFFIC.
  • vpc_project_id (string, required): The host project for the shared VPC.
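The inputs above (ingress_settings, vpc_egress_value, key_name, service_account_email) define the posture this module is meant to produce. The following added example, which is not part of the module, reads the JSON description of a deployed 2nd Gen function and reports any drift from that posture; the field names follow the google.cloud.functions.v2 Function resource (camelCase, as printed by gcloud), and the two sample documents are constructed.

```python
"""Posture check for a Cloud Function (2nd Gen) deployed by this module (added
example, not module code). Input: JSON of a google.cloud.functions.v2 Function,
as from `gcloud functions describe NAME --gen2 --format=json`; samples are constructed."""
import json

# What the module's inputs and the security module's org policies intend.
ALLOWED_INGRESS = {"ALLOW_INTERNAL_AND_GCLB", "ALLOW_INTERNAL_ONLY"}
EXPECTED_EGRESS = "PRIVATE_RANGES_ONLY"
# Google-managed default runtime identities (1st gen App Engine SA, compute default SA).
DEFAULT_SA_SUFFIXES = ("@appspot.gserviceaccount.com", "-compute@developer.gserviceaccount.com")


def check_function(fn: dict) -> list[str]:
    """Return findings; an empty list means the function matches the intended posture."""
    findings = []
    svc = fn.get("serviceConfig", {})
    ingress = svc.get("ingressSettings")
    if ingress not in ALLOWED_INGRESS:
        findings.append(f"ingress is {ingress!r}, expected one of {sorted(ALLOWED_INGRESS)}")
    if not svc.get("vpcConnector"):
        findings.append("no Serverless VPC connector attached")
    egress = svc.get("vpcConnectorEgressSettings")
    if egress != EXPECTED_EGRESS:
        findings.append(f"VPC egress is {egress!r}, expected {EXPECTED_EGRESS}")
    if not fn.get("kmsKeyName"):
        findings.append("no customer-managed encryption key (kmsKeyName) configured")
    sa = svc.get("serviceAccountEmail", "")
    if not sa or sa.endswith(DEFAULT_SA_SUFFIXES):
        findings.append(f"runs as a default service account: {sa!r}")
    return findings


def check_describe_output(text: str) -> list[str]:
    """Same check over the raw JSON text printed by gcloud."""
    return check_function(json.loads(text))


# Constructed sample: the shape a deployment from this module should produce.
HARDENED = json.dumps({
    "kmsKeyName": "projects/example-kms/locations/us-central1/keyRings/"
                  "cloud-run-kms-keyring/cryptoKeys/cloud-run-kms-key",
    "serviceConfig": {
        "ingressSettings": "ALLOW_INTERNAL_AND_GCLB",
        "vpcConnector": "projects/example-vpc/locations/us-central1/connectors/serverless-vpc-connector",
        "vpcConnectorEgressSettings": "PRIVATE_RANGES_ONLY",
        "serviceAccountEmail": "order-intake@example-serverless.iam.gserviceaccount.com"}})
# Constructed sample: a hand-deployed function that bypassed the module.
WEAK = json.dumps({"serviceConfig": {"ingressSettings": "ALLOW_ALL",
    "serviceAccountEmail": "123456789012-compute@developer.gserviceaccount.com"}})
```

Running `check_describe_output` over the output of gcloud for every function in the Serverless Project turns the module's intended settings into a repeatable drift check.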

Outputs

  • cloud_services_sa: Service Account for Cloud Function.
  • cloudfunction_bucket: The Cloud Function source bucket.
  • cloudfunction_bucket_name: The Cloud Function source bucket name.
  • cloudfunction_name: ID of the created Cloud Function.
  • cloudfunction_url: URL of the created Cloud Function.
  • connector_id: VPC serverless connector ID.
  • gca_vpcaccess_sa: Service Account for VPC Access.
  • key_self_link: Name of the Cloud KMS crypto key.
  • keyring_self_link: Name of the Cloud KMS keyring.
  • serverless_identity_services_sa: Service Identity for serverless services.

Requirements

Software

The following dependencies must be available:

APIs

The secure-cloud-function module will enable the following APIs in the Serverless Project:

  • Serverless Project
    • Container Scanning: containerscanning.googleapis.com

Service Account

A service account with the following roles must be used to provision the resources of this module:

  • VPC Project
    • Compute Shared VPC Admin: roles/compute.xpnAdmin
    • Network Admin: roles/compute.networkAdmin
    • Security Admin: roles/compute.securityAdmin
    • Serverless VPC Access Admin: roles/vpcaccess.admin
  • KMS Project
    • Cloud KMS Admin: roles/cloudkms.admin
  • Serverless Project
    • Viewer: roles/viewer
    • Cloud Function Developer: roles/cloudfunctions.developer
    • Compute Network User: roles/compute.networkUser
    • Artifact Registry Admin: roles/artifactregistry.admin
    • Cloud Build Editor: roles/cloudbuild.builds.editor
    • Cloud Build Worker Pool Owner: roles/cloudbuild.workerPoolOwner
    • Pub/Sub Admin: roles/pubsub.admin
    • Storage Admin: roles/storage.admin
    • Service Usage Admin: roles/serviceusage.serviceUsageAdmin
    • Eventarc Developer: roles/eventarc.developer
    • Organization Policy Administrator: roles/orgpolicy.policyAdmin
    • Project IAM Admin: roles/resourcemanager.projectIamAdmin