From 3cad63285fb128e0e8d9955eb4067da990672fbc Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo <ludomagno@google.com>
Date: Fri, 24 Jul 2020 08:55:58 +0200
Subject: [PATCH] Add support for vpc connector and ingress settings to
 cloud-function (#116)

* add support for ingress/egress/vpc connector to cloud function

* refactor vpc connector support

* refactor ingress settings support

* fix vpc connector value

* fix vpc connector value
---
 modules/cloud-function/README.md    |  7 ++---
 modules/cloud-function/main.tf      | 25 ++++++++++++++++++
 modules/cloud-function/outputs.tf   |  5 ++++
 modules/cloud-function/variables.tf | 41 ++++++++++++++++++++++-------
 4 files changed, 65 insertions(+), 13 deletions(-)

diff --git a/modules/cloud-function/README.md b/modules/cloud-function/README.md
index 9114b9eba..ca9848f42 100644
--- a/modules/cloud-function/README.md
+++ b/modules/cloud-function/README.md
@@ -6,8 +6,6 @@ The GCS object used for deployment uses a hash of the bundle zip contents in its
 
 ## TODO
 
-- [ ] add support for `ingress_settings`
-- [ ] add support for `vpc_connector` and `vpc_connector_egress_settings`
 - [ ] add support for `source_repository`
 
 ## Examples
@@ -138,15 +136,17 @@ module "cf-http" {
 | project_id | Project id used for all resources. | <code title="">string</code> | ✓ |  |
 | *bucket_config* | Enable and configure auto-created bucket. Set fields to null to use defaults. | <code title="object&#40;&#123;&#10;location             &#61; string&#10;lifecycle_delete_age &#61; number&#10;&#125;&#41;">object({...})</code> |  | <code title="">null</code> |
 | *environment_variables* | Cloud function environment variables. | <code title="map&#40;string&#41;">map(string)</code> |  | <code title="">{}</code> |
-| *function_config* | Cloud function configuration. | <code title="object&#40;&#123;&#10;entry_point &#61; string&#10;instances   &#61; number&#10;memory      &#61; number&#10;runtime     &#61; string&#10;timeout     &#61; number&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;entry_point &#61; &#34;main&#34;&#10;instances   &#61; 1&#10;memory      &#61; 256&#10;runtime     &#61; &#34;python37&#34;&#10;timeout     &#61; 180&#10;&#125;">...</code> |
+| *function_config* | Cloud function configuration. | <code title="object&#40;&#123;&#10;entry_point      &#61; string&#10;ingress_settings &#61; string&#10;instances        &#61; number&#10;memory           &#61; number&#10;runtime          &#61; string&#10;timeout          &#61; number&#10;&#125;&#41;">object({...})</code> |  | <code title="&#123;&#10;entry_point      &#61; &#34;main&#34;&#10;ingress_settings &#61; null&#10;instances        &#61; 1&#10;memory           &#61; 256&#10;runtime          &#61; &#34;python37&#34;&#10;timeout          &#61; 180&#10;&#125;">...</code> |
 | *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use. | <code title="map&#40;list&#40;string&#41;&#41;">map(list(string))</code> |  | <code title="">{}</code> |
 | *iam_roles* | List of roles used to set authoritative bindings. Ignored for template use. | <code title="list&#40;string&#41;">list(string)</code> |  | <code title="">[]</code> |
+| *ingress_settings* | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL and ALLOW_INTERNAL_ONLY. | <code title="">string</code> |  | <code title="">null</code> |
 | *labels* | Resource labels | <code title="map&#40;string&#41;">map(string)</code> |  | <code title="">{}</code> |
 | *prefix* | Optional prefix used for resource names. | <code title="">string</code> |  | <code title="">null</code> |
 | *region* | Region used for all resources. | <code title="">string</code> |  | <code title="">europe-west1</code> |
 | *service_account* | Service account email. Unused if service account is auto-created. | <code title="">string</code> |  | <code title="">null</code> |
 | *service_account_create* | Auto-create service account. | <code title="">bool</code> |  | <code title="">false</code> |
 | *trigger_config* | Function trigger configuration. Leave null for HTTP trigger. | <code title="object&#40;&#123;&#10;event    &#61; string&#10;resource &#61; string&#10;retry    &#61; bool&#10;&#125;&#41;">object({...})</code> |  | <code title="">null</code> |
+| *vpc_connector_config* | VPC connector configuration. Set `create_config` attributes to trigger creation. | <code title="object&#40;&#123;&#10;egress_settings &#61; string&#10;name            &#61; string&#10;create_config &#61; object&#40;&#123;&#10;ip_cidr_range &#61; string&#10;network       &#61; string&#10;&#125;&#41;&#10;&#125;&#41;">object({...})</code> |  | <code title="">null</code> |
 
 ## Outputs
 
@@ -159,4 +159,5 @@ module "cf-http" {
 | service_account | Service account resource. |  |
 | service_account_email | Service account email. |  |
 | service_account_iam_email | Service account email. |  |
+| vpc_connector | VPC connector resource if created. |  |
 <!-- END TFDOC -->
diff --git a/modules/cloud-function/main.tf b/modules/cloud-function/main.tf
index a668a8bcc..224247655 100644
--- a/modules/cloud-function/main.tf
+++ b/modules/cloud-function/main.tf
@@ -34,8 +34,27 @@ locals {
     )
     : var.service_account
   )
+  vpc_connector = (
+    var.vpc_connector_config == null
+    ? null
+    : (
+      var.vpc_connector_config.create_config == null
+      ? var.vpc_connector_config.name
+      : google_vpc_access_connector.connector.0.id
+    )
+  )
 }
 
+resource "google_vpc_access_connector" "connector" {
+  count         = try(var.vpc_connector_config.create_config, null) != null ? 1 : 0
+  project       = var.project_id
+  name          = var.vpc_connector_config.name
+  region        = var.region
+  ip_cidr_range = var.vpc_connector_config.create_config.ip_cidr_range
+  network       = var.vpc_connector_config.create_config.network
+}
+
+
 resource "google_cloudfunctions_function" "function" {
   project               = var.project_id
   region                = var.region
@@ -52,6 +71,12 @@ resource "google_cloudfunctions_function" "function" {
   source_archive_object = google_storage_bucket_object.bundle.name
   labels                = var.labels
   trigger_http          = var.trigger_config == null ? true : null
+  ingress_settings      = var.ingress_settings
+
+  vpc_connector = local.vpc_connector
+  vpc_connector_egress_settings = try(
+    var.vpc_connector_config.egress_settings, null
+  )
 
   dynamic event_trigger {
     for_each = var.trigger_config == null ? [] : [""]
diff --git a/modules/cloud-function/outputs.tf b/modules/cloud-function/outputs.tf
index 43e0eda7f..b5b646f1d 100644
--- a/modules/cloud-function/outputs.tf
+++ b/modules/cloud-function/outputs.tf
@@ -53,3 +53,8 @@ output "service_account_iam_email" {
     local.service_account_email == null ? "" : local.service_account_email
   ])
 }
+
+output "vpc_connector" {
+  description = "VPC connector resource if created."
+  value       = try(google_vpc_access_connector.connector.0.id, null)
+}
diff --git a/modules/cloud-function/variables.tf b/modules/cloud-function/variables.tf
index 83c8c048a..eea9131fd 100644
--- a/modules/cloud-function/variables.tf
+++ b/modules/cloud-function/variables.tf
@@ -57,21 +57,29 @@ variable "iam_roles" {
 variable "function_config" {
   description = "Cloud function configuration."
   type = object({
-    entry_point = string
-    instances   = number
-    memory      = number
-    runtime     = string
-    timeout     = number
+    entry_point      = string
+    ingress_settings = string
+    instances        = number
+    memory           = number
+    runtime          = string
+    timeout          = number
   })
   default = {
-    entry_point = "main"
-    instances   = 1
-    memory      = 256
-    runtime     = "python37"
-    timeout     = 180
+    entry_point      = "main"
+    ingress_settings = null
+    instances        = 1
+    memory           = 256
+    runtime          = "python37"
+    timeout          = 180
   }
 }
 
+variable "ingress_settings" {
+  description = "Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL and ALLOW_INTERNAL_ONLY."
+  type        = string
+  default     = null
+}
+
 variable "labels" {
   description = "Resource labels"
   type        = map(string)
@@ -121,3 +129,16 @@ variable "trigger_config" {
   })
   default = null
 }
+
+variable "vpc_connector_config" {
+  description = "VPC connector configuration. Set `create_config` attributes to trigger creation."
+  type = object({
+    egress_settings = string
+    name            = string
+    create_config = object({
+      ip_cidr_range = string
+      network       = string
+    })
+  })
+  default = null
+}