From 755ff7b1d2fb9aef3627efd19cbd720fa8cddf68 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wiktor=20Niesiob=C4=99dzki?=
Date: Tue, 15 Nov 2022 13:35:27 +0100
Subject: [PATCH] Add trigger service account creation
---
 .../network-dashboard/main.tf | 6 +--
 modules/cloud-function/README.md | 15 ++++---
 modules/cloud-function/main.tf | 39 ++++++++++++++++++-
 modules/cloud-function/outputs.tf | 18 +++++++++
 modules/cloud-function/variables.tf | 7 ++--
 5 files changed, 72 insertions(+), 13 deletions(-)
diff --git a/blueprints/cloud-operations/network-dashboard/main.tf b/blueprints/cloud-operations/network-dashboard/main.tf
index 5dd62761a..1c5fd58f6 100644
--- a/blueprints/cloud-operations/network-dashboard/main.tf
+++ b/blueprints/cloud-operations/network-dashboard/main.tf
@@ -169,9 +169,9 @@ module "cloud-function" {
 trigger_config = var.cf_version == "V2" ? {
 v2 = {
- event_type = "google.cloud.pubsub.topic.v1.messagePublished"
- pubsub_topic = module.pubsub.topic.id
- # TODO: service_account_email
+ event_type = "google.cloud.pubsub.topic.v1.messagePublished"
+ pubsub_topic = module.pubsub.topic.id
+ service_account_create = true
 }
 } : {
 v1 = {
diff --git a/modules/cloud-function/README.md b/modules/cloud-function/README.md
index eb64cf551..40619d403 100644
--- a/modules/cloud-function/README.md
+++ b/modules/cloud-function/README.md
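Review bot: Setting `service_account_create = true` here only has an effect if the module attaches the created account to the function's event trigger, and nothing in this patch touches the `google_cloudfunctions2_function` resource: main.tf's 38 insertions are fully accounted for by the locals, IAM-binding and service-account hunks. The module hunk that defines `local.trigger_service_account_email` (main.tf `@@ -39,6 +39,16 @@`) exposes it through outputs but, as far as this diff shows, never feeds it into `event_trigger.service_account_email`, so the removed `# TODO: service_account_email` may be effectively unresolved unless the function resource already reads that local. Worth confirming against the full main.tf before merging.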
@@ -234,7 +234,7 @@ module "cf-http" {
 | [build_worker_pool](variables.tf#L31) | Build worker pool, in projects//locations//workerPools/ format | string | | null |
 | [description](variables.tf#L46) | Optional description. | string | | "Terraform managed." |
 | [environment_variables](variables.tf#L52) | Cloud function environment variables. | map(string) | | {} |
-| [function_config](variables.tf#L58) | Cloud function configuration. Defaults to using main as entrypoint, 1 instance with 256MiB of memory, and 180 second timeout | object({…}) | | {…} |
+| [function_config](variables.tf#L58) | Cloud function configuration. Defaults to using main as entrypoint, 1 instance with 256MiB of memory, and 180 second timeout | object({…}) | | {…} |
 | [iam](variables.tf#L76) | IAM bindings for topic in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
 | [ingress_settings](variables.tf#L82) | Control traffic that reaches the cloud function. Allowed values are ALLOW_ALL, ALLOW_INTERNAL_AND_GCLB and ALLOW_INTERNAL_ONLY . | string | | null |
 | [labels](variables.tf#L88) | Resource labels. | map(string) | | {} |
@@ -243,10 +243,10 @@ module "cf-http" {
 | [secrets](variables.tf#L120) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | map(object({…})) | | {} |
 | [service_account](variables.tf#L132) | Service account email. Unused if service account is auto-created. | string | | null |
 | [service_account_create](variables.tf#L138) | Auto-create service account. | bool | | false |
-| [trigger_config](variables.tf#L144) | Function trigger configuration. Leave null for HTTP trigger. | object({…}) | | null |
-| [v2](variables.tf#L191) | Whether to use Cloud Function version 2nd Gen or 1st Gen. | bool | | false |
-| [vpc_connector](variables.tf#L172) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | object({…}) | | null |
-| [vpc_connector_config](variables.tf#L182) | VPC connector network configuration. Must be provided if new VPC connector is being created. | object({…}) | | null |
+| [trigger_config](variables.tf#L144) | Function trigger configuration. Leave null for HTTP trigger. | object({…}) | | null |
+| [v2](variables.tf#L192) | Whether to use Cloud Function version 2nd Gen or 1st Gen. | bool | | false |
+| [vpc_connector](variables.tf#L173) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | object({…}) | | null |
+| [vpc_connector_config](variables.tf#L183) | VPC connector network configuration. Must be provided if new VPC connector is being created. | object({…}) | | null |
 ## Outputs
@@ -259,7 +259,10 @@ module "cf-http" {
 | [service_account](outputs.tf#L42) | Service account resource. | |
 | [service_account_email](outputs.tf#L47) | Service account email. | |
 | [service_account_iam_email](outputs.tf#L52) | Service account email. | |
+| [trigger_service_account](outputs.tf#L60) | Service account resource. | |
+| [trigger_service_account_email](outputs.tf#L65) | Service account email. | |
+| [trigger_service_account_iam_email](outputs.tf#L70) | Service account email. | |
 | [uri](outputs.tf#L38) | Cloud function service uri. | |
-| [vpc_connector](outputs.tf#L60) | VPC connector resource if created. | |
+| [vpc_connector](outputs.tf#L78) | VPC connector resource if created. | |
diff --git a/modules/cloud-function/main.tf b/modules/cloud-function/main.tf
index 816ed2592..f81f69849 100644
--- a/modules/cloud-function/main.tf
+++ b/modules/cloud-function/main.tf
@@ -39,6 +39,16 @@ locals {
 ) : var.service_account
 )
+ trigger_service_account_email = (
+ try(var.trigger_config.v2.service_account_create, null) == null
+ ? false
+ : var.trigger_config.v2.service_account_create ? (
+ length(google_service_account.trigger_service_account) > 0
+ ? google_service_account.trigger_service_account[0].email
+ : null
+ )
+ : try(var.trigger_config.v2.service_account_email, null)
+ )
 vpc_connector = (
 var.vpc_connector == null
 ? null
@@ -212,7 +222,7 @@ resource "google_cloudfunctions2_function" "function" {
 }
 resource "google_cloudfunctions_function_iam_binding" "default" {
- for_each = var.iam
+ for_each = var.v2 == false ? var.iam : {}
 project = var.project_id
 region = var.region
 cloud_function = local.function.name
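Review bot: The `? false` branch of `trigger_service_account_email` returns a bool where every other path yields an email or null: when a caller supplies `service_account_email` but leaves `service_account_create` unset, `try(..., null) == null` is true and the local becomes `false` instead of the supplied address, and the `trigger_service_account_iam_email` output in outputs.tf then passes that bool through its join (which Terraform will most likely render as `serviceAccount:false`) because the `== null` guard does not fire. Replace the branch with the same fallback the other path already uses: `? try(var.trigger_config.v2.service_account_email, null)`. The `length(...) > 0 ? ... : null` guard on the created account is fine; it keeps the expression valid while the count-controlled resource does not yet exist.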
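Review bot: `var.v2 == false ? var.iam : {}` compares a bool against a literal; `var.v2 ? {} : var.iam` says the same and would mirror the Gen2 binding's guard in the next hunk once that is written as `var.v2 ? var.iam : {}`. Splitting `var.iam` between the two generation-specific binding resources is the right shape, since both are authoritative per role and must not both claim the same function. The enclosing resource continues past the hunk.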
@@ -220,6 +230,15 @@ resource "google_cloudfunctions_function_iam_binding" "default" {
 members = each.value
 }
+resource "google_cloudfunctions2_function_iam_binding" "default" {
+ for_each = var.v2 == true ? var.iam : {}
+ project = var.project_id
+ location = google_cloudfunctions2_function.function[0].location
+ cloud_function = local.function.name
+ role = each.key
+ members = each.value
+}
+
 resource "google_storage_bucket" "bucket" {
 count = var.bucket_config == null ? 0 : 1
 project = var.project_id
@@ -271,3 +290,21 @@ resource "google_service_account" "service_account" {
 account_id = "tf-cf-${var.name}"
 display_name = "Terraform Cloud Function ${var.name}."
 }
+
+resource "google_service_account" "trigger_service_account" {
+ count = try(var.trigger_config.v2.service_account_create, null) == null ? 0 : (
+ var.trigger_config.v2.service_account_create ? 1 : 0
+ )
+ project = var.project_id
+ account_id = "tf-cf-trigger-${var.name}"
+ display_name = "Terraform trigger for Cloud Function ${var.name}."
+}
+
+resource "google_project_iam_member" "trigger_iam" {
+ count = try(var.trigger_config.v2.service_account_create, null) == null ? 0 : (
+ var.trigger_config.v2.service_account_create ? 1 : 0
+ )
+ project = var.project_id
+ member = "serviceAccount:${google_service_account.trigger_service_account[0].email}"
+ role = "roles/run.invoker"
+}
diff --git a/modules/cloud-function/outputs.tf b/modules/cloud-function/outputs.tf
index a4bbcebb4..5f6e12bef 100644
--- a/modules/cloud-function/outputs.tf
+++ b/modules/cloud-function/outputs.tf
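Review bot: `google_cloudfunctions2_function_iam_binding` writes the policy of the Cloud Functions resource, but a 2nd-gen function is served by an underlying Cloud Run service with its own policy, and in my understanding an invoker binding at the function level is not by itself enough to let a principal call the function over HTTP, which needs `roles/run.invoker` on that Cloud Run service. If `var.iam` is meant to control invocation for Gen2 the way it does for Gen1, either add a matching `google_cloud_run_service_iam_binding` on the function's service or document the limitation on the `iam` variable. `location = google_cloudfunctions2_function.function[0].location` only works because the `for_each` is empty unless `var.v2`, which presumably also gates the function resource's `count`; a one-line comment, `# [0] is safe: for_each is empty unless var.v2, which also creates the function`, would keep a future edit from breaking that coupling. `var.v2 == true ? var.iam : {}` reads better as `var.v2 ? var.iam : {}`.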
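Review bot: `google_project_iam_member.trigger_iam` grants `roles/run.invoker` on the whole of `var.project_id`, so the trigger account can invoke every Cloud Run service and 2nd-gen function in the project rather than only this one; the account exists solely to deliver events to this function, so the grant should be scoped to the function's own Cloud Run service. The rewrite below uses `google_cloud_run_service_iam_member` with the service name exposed by the function's `service_config` block, which limits the grant to the single service this module creates. The `count` expression is also duplicated verbatim between the two new resources; `try(var.trigger_config.v2.service_account_create, null) == true` is an equivalent single-line form that belongs in `locals` so both resources and the email local share one definition.
```hcl
# … unchanged: google_service_account.trigger_service_account …

resource "google_cloud_run_service_iam_member" "trigger_iam" {
  # same gate as the trigger service account: null/false -> 0, true -> 1
  count    = try(var.trigger_config.v2.service_account_create, null) == true ? 1 : 0
  project  = var.project_id
  location = google_cloudfunctions2_function.function[0].location
  # Cloud Run service backing the Gen2 function; the only service this
  # account needs to invoke
  service  = google_cloudfunctions2_function.function[0].service_config[0].service
  role     = "roles/run.invoker"
  member   = "serviceAccount:${google_service_account.trigger_service_account[0].email}"
}
```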
@@ -57,6 +57,24 @@ output "service_account_iam_email" {
 ])
 }
+output "trigger_service_account" {
+ description = "Service account resource."
+ value = try(google_service_account.trigger_service_account[0], null)
+}
+
+output "trigger_service_account_email" {
+ description = "Service account email."
+ value = local.trigger_service_account_email
+}
+
+output "trigger_service_account_iam_email" {
+ description = "Service account email."
+ value = join("", [
+ "serviceAccount:",
+ local.trigger_service_account_email == null ? "" : local.trigger_service_account_email
+ ])
+}
+
 output "vpc_connector" {
 description = "VPC connector resource if created."
 value = try(google_vpc_access_connector.connector.0.id, null)
diff --git a/modules/cloud-function/variables.tf b/modules/cloud-function/variables.tf
index 93d3634a0..c701dbe33 100644
--- a/modules/cloud-function/variables.tf
+++ b/modules/cloud-function/variables.tf
@@ -68,7 +68,7 @@ variable "function_config" {
 entry_point = "main"
 instances = 1
 memory = 256
- runtime = "python37"
+ runtime = "python310"
 timeout = 180
 }
 }
@@ -158,8 +158,9 @@ variable "trigger_config" {
 value = string
 operator = string
 })))
- service_account_email = optional(string)
- retry_policy = optional(string)
+ service_account_email = optional(string)
+ service_account_create = optional(bool)
+ retry_policy = optional(string)
 }))
 })
 default = null
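Review bot: The descriptions on the three new outputs are copied from the existing ones and do not tell a reader which account they refer to: `trigger_service_account_email` and `trigger_service_account_iam_email` both say "Service account email." Suggest `"Trigger service account resource, if created."`, `"Trigger service account email."` and `"Trigger service account email in IAM member format."` respectively. When no trigger account is configured the last output is the bare prefix `serviceAccount:`, which follows the existing `service_account_iam_email` pattern but is surprising enough to be worth a word in the description.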
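Review bot: Changing the `function_config` default runtime from `python37` to `python310` is unrelated to the trigger-service-account work in the subject line and silently changes what existing callers that rely on the default deploy on their next apply. It should be a separate commit, or at least be called out in the commit message and in the README row for `function_config`, whose text is touched in this patch without mentioning the runtime.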
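Review bot: `service_account_create` is added to the `v2` schema without documentation or any validation of how it interacts with `service_account_email`; the module silently prefers the created account when both are set. Add a `validation` block to the variable making the two mutually exclusive, e.g. `condition = try(var.trigger_config.v2.service_account_create, null) != true || try(var.trigger_config.v2.service_account_email, null) == null` with an `error_message` naming both fields, and describe the new field in the README's `trigger_config` row, whose text is unchanged in this patch. The enclosing `variable "trigger_config"` block starts before the hunk.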