diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5b8bdd3ab..c2bfa1509 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file.
- add support for IAM and Cloud Build triggers to source repository module
- add `id` output to service account module
+- add support for secrets to cloud function module
**FAST**
diff --git a/modules/cloud-function/README.md b/modules/cloud-function/README.md
index 6eac68bf1..73a1d3f2a 100644
--- a/modules/cloud-function/README.md
+++ b/modules/cloud-function/README.md
@@ -173,11 +173,12 @@ module "cf-http" {
| [labels](variables.tf#L82) | Resource labels. | map(string) | | {} |
| [prefix](variables.tf#L93) | Optional prefix used for resource names. | string | | null |
| [region](variables.tf#L104) | Region used for all resources. | string | | "europe-west1" |
-| [service_account](variables.tf#L110) | Service account email. Unused if service account is auto-created. | string | | null |
-| [service_account_create](variables.tf#L116) | Auto-create service account. | bool | | false |
-| [trigger_config](variables.tf#L122) | Function trigger configuration. Leave null for HTTP trigger. | object({…}) | | null |
-| [vpc_connector](variables.tf#L132) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | object({…}) | | null |
-| [vpc_connector_config](variables.tf#L142) | VPC connector network configuration. Must be provided if new VPC connector is being created. | object({…}) | | null |
+| [secrets](variables.tf#L110) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | map(object({…})) | | {} |
+| [service_account](variables.tf#L122) | Service account email. Unused if service account is auto-created. | string | | null |
+| [service_account_create](variables.tf#L128) | Auto-create service account. | bool | | false |
+| [trigger_config](variables.tf#L134) | Function trigger configuration. Leave null for HTTP trigger. | object({…}) | | null |
+| [vpc_connector](variables.tf#L144) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | object({…}) | | null |
+| [vpc_connector_config](variables.tf#L154) | VPC connector network configuration. Must be provided if new VPC connector is being created. | object({…}) | | null |
## Outputs
diff --git a/modules/cloud-function/main.tf b/modules/cloud-function/main.tf
index 949cb69b1..0a26c1205 100644
--- a/modules/cloud-function/main.tf
+++ b/modules/cloud-function/main.tf
@@ -91,6 +91,35 @@ resource "google_cloudfunctions_function" "function" {
}
}
+ dynamic "secret_environment_variables" {
+ for_each = { for k, v in var.secrets : k => v if !v.is_volume }
+ iterator = secret
+ content {
+ key = secret.key
+ project_id = secret.value.project_id
+ secret = secret.value.secret
+ version = try(secret.value.versions.0, "latest")
+ }
+ }
+
+ dynamic "secret_volumes" {
+ for_each = { for k, v in var.secrets : k => v if v.is_volume }
+ iterator = secret
+ content {
+ mount_path = secret.key
+ project_id = secret.value.project_id
+ secret = secret.value.secret
+ dynamic "versions" {
+ for_each = secret.value.versions
+ iterator = version
+ content {
+ path = split(":", version)[1]
+ version = split(":", version)[0]
+ }
+ }
+ }
+ }
+
}
resource "google_cloudfunctions_function_iam_binding" "default" {
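Review bot: `version = try(secret.value.versions.0, "latest")` in the new `secret_environment_variables` block falls back to the unpinned `latest` alias whenever an env-var entry's `versions` list is empty, and silently ignores every element after the first, so a caller who lists two versions gets no error and the function reads whichever comes first. Pinning runtime-injected secrets to an explicit version is the usual expectation, so the fallback deserves to be stated in the `secrets` variable description or enforced by rejecting empty or multi-element lists for non-volume entries. Until then a comment such as `# env-var secrets use only versions[0]; an empty list resolves to the unpinned "latest" alias` on that line would make the behaviour visible to readers. The enclosing `google_cloudfunctions_function` resource starts outside the hunk.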
diff --git a/modules/cloud-function/variables.tf b/modules/cloud-function/variables.tf
index a613b2f68..ce8633c8f 100644
--- a/modules/cloud-function/variables.tf
+++ b/modules/cloud-function/variables.tf
@@ -107,6 +107,18 @@ variable "region" {
default = "europe-west1"
}
+variable "secrets" {
+ description = "Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format."
+ type = map(object({
+ is_volume = bool
+ project_id = number
+ secret = string
+ versions = list(string)
+ }))
+ nullable = false
+ default = {}
+}
+
variable "service_account" {
description = "Service account email. Unused if service account is auto-created."
type = string
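Review bot: The new `secrets` variable promises a `version:path` format for volume versions but carries no `validation` block, so a malformed entry is only caught when `split(":", version)[1]` in main.tf is evaluated, with an index error that points at the resource rather than at the offending input key. A `validation` block on the variable reports the bad entry up front; the fence below adds one next to the existing attributes, using the same single-colon shape the parsing in main.tf assumes. Separately, `project_id = number` restricts callers to the numeric project number, which neither the description here nor the README row says; extending the description with `project_id is the numeric project number` would avoid a confusing type error for callers passing a project id.
```terraform
variable "secrets" {
  # … unchanged: description, type, nullable, default …
  validation {
    condition = alltrue([
      for k, v in var.secrets :
      !v.is_volume || alltrue([for s in v.versions : can(regex("^[^:]+:[^:]+$", s))])
    ])
    error_message = "Volume secret versions must be in version:path format."
  }
}
```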
diff --git a/tools/check_names.py b/tools/check_names.py
index 7e45fd877..e3fcf88f1 100755
--- a/tools/check_names.py
+++ b/tools/check_names.py
@@ -84,13 +84,21 @@ def main(dirs, prefix_length=None):
source_just = max(len(k) for k in MOD_LIMITS)
name_just = max(len(n.name) for n in names)
value_just = max(len(n.value) for n in names)
+ errors = []
for name in names:
name_length = name.length + prefix_length
- flag = '✗' if name_length >= MOD_LIMITS[name.source] else '✓'
- print(f'[{flag}] {name.source.ljust(source_just)} '
- f'{name.name.ljust(name_just)} '
- f'{name.value.ljust(value_just)} '
- f'({name_length})')
+ if name_length >= MOD_LIMITS[name.source]:
+ flag = "✗"
+ errors += [f"{name.source}:{name.name}:{name_length}"]
+ else:
+ flag = "✓"
+
+ print(f"[{flag}] {name.source.ljust(source_just)} "
+ f"{name.name.ljust(name_just)} "
+ f"{name.value.ljust(value_just)} "
+ f"({name_length})")
+ if errors:
+ raise ValueError(errors)
if __name__ == '__main__':
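Review bot: `raise ValueError(errors)` at the end of `main` fails the run with a full traceback whose message is the repr of a Python list, duplicating the ✗ rows already printed just above it; for a CLI check the conventional signal is a non-zero exit with a readable message, e.g. `raise SystemExit("names over limit:\n" + "\n".join(errors))`, which needs no import, writes to stderr and still fails CI. `errors += [f"..."]` is a list append spelled as concatenation; `errors.append(f"{name.source}:{name.name}:{name_length}")` is the idiomatic form. The hunk also switches this loop to double quotes while the surrounding lines (`'__main__'`, the `max(...)` lines) keep single quotes, so one function now mixes both styles. `main`'s signature and the rest of its body are outside the hunk, so if it is wrapped by an argument-parsing decorator the exit handling may need to follow that wrapper's convention instead.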