diff --git a/CHANGELOG.md b/CHANGELOG.md
index f0de265f3..9a10e8274 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,8 +3,10 @@
All notable changes to this project will be documented in this file.
## [Unreleased]
-- new 'Cloud Endpoints' module
+
- make project creation optional in `project` module to allow managing a pre-existing project
+- new `cloud-endpoints` module
+- new `cloud-function` module
## [2.1.0] - 2020-06-22
diff --git a/README.md b/README.md
index db02b66e5..14aa61861 100644
--- a/README.md
+++ b/README.md
@@ -37,7 +37,8 @@ Currently available modules:
- **networking** - [VPC](./modules/net-vpc), [VPC firewall](./modules/net-vpc-firewall), [VPC peering](./modules/net-vpc-peering), [VPN static](./modules/net-vpn-static), [VPN dynamic](./modules/net-vpn-dynamic), [VPN HA](./modules/net-vpn-ha), [NAT](./modules/net-cloudnat), [address reservation](./modules/net-address), [DNS](./modules/dns), [L4 ILB](./modules/net-ilb), [Service Directory](./modules/service-directory), [Cloud Endpoints](./modules/cloudenpoints)
- **compute** - [VM/VM group](./modules/compute-vm), [MIG](./modules/compute-mig), [GKE cluster](./modules/gke-cluster), [GKE nodepool](./modules/gke-nodepool), [COS container](./modules/cos-container) (coredns, mysql, onprem, squid)
- **data** - [GCS](./modules/gcs), [BigQuery dataset](./modules/bigquery-dataset), [Pub/Sub](./modules/pubsub), [Datafusion](./modules/datafusion), [Bigtable instance](./modules/bigtable-instance)
-- **security** - [KMS](./modules/kms), [SecretManager](./modules/secret-manager)
- **development** - [Cloud Source Repository](./modules/source-repository), [Container Registry](./modules/container-registry), [Artifact Registry](./modules/artifact-registry)
+- **security** - [KMS](./modules/kms), [SecretManager](./modules/secret-manager)
+- **serverless** - [Cloud Functions](./cloud-functions)
For more information and usage examples see each module's README file.
diff --git a/modules/README.md b/modules/README.md
index d94f6dc06..4c73872af 100644
--- a/modules/README.md
+++ b/modules/README.md
@@ -58,3 +58,7 @@ Specific modules also offer support for non-authoritative bindings (e.g. `google
- [Cloud KMS](./kms)
- [Secret Manager](./secret-manager)
+
+## Serverless
+
+- [Cloud Functions](./cloud-function)
diff --git a/modules/cloud-function/README.md b/modules/cloud-function/README.md
new file mode 100644
index 000000000..fb386a0c4
--- /dev/null
+++ b/modules/cloud-function/README.md
@@ -0,0 +1,162 @@
+# Cloud Function Module
+
+Cloud Function management, with support for IAM roles and optional bucket creation.
+
+The GCS object used for deployment uses a hash of the bundle zip contents in its name, which ensures change tracking and avoids recreating the function if the GCS object is deleted and needs recreating.
+
+## TODO
+
+- [ ] add support for `ingress_settings`
+- [ ] add support for `vpc_connector` and `vpc_connector_egress_settings`
+- [ ] add support for `source_repository`
+
+## Examples
+
+### HTTP trigger
+
+This deploys a Cloud Function with an HTTP endpoint, using a pre-existing GCS bucket for deployment, setting the service account to the Cloud Function default one, and delegating access control to the containing project.
+
+```hcl
+module "cf-http" {
+ source = "../modules/net-cloudnat"
+ project_id = "my-project"
+ name = "test-cf-http"
+ bucket_name = "test-cf-bundles"
+ bundle_config = {
+ source_dir = "my-cf-source-folder
+ output_path = "bundle.zip"
+ }
+}
+```
+
+### Non-HTTP triggers
+
+Other trigger types other than HTTP are configured via the `trigger_config` variable. This example shows a PubSub trigger.
+
+```hcl
+module "cf-http" {
+ source = "../modules/net-cloudnat"
+ project_id = "my-project"
+ name = "test-cf-http"
+ bucket_name = "test-cf-bundles"
+ bundle_config = {
+ source_dir = "my-cf-source-folder
+ output_path = "bundle.zip"
+ }
+ trigger_config = {
+ event = "google.pubsub.topic.publish"
+ resource = local.my-topic
+ retry = null
+ }
+}
+```
+
+### Controlling HTTP access
+
+To allow anonymous access to the function, grant the `roles/cloudfunctions.invoker` role to the special `allUsers` identifier. Use specific identities (service accounts, groups, etc.) instead of `allUsers` to only allow selective access.
+
+```hcl
+module "cf-http" {
+ source = "../modules/net-cloudnat"
+ project_id = "my-project"
+ name = "test-cf-http"
+ bucket_name = "test-cf-bundles"
+ bundle_config = {
+ source_dir = "my-cf-source-folder
+ output_path = "bundle.zip"
+ }
+ iam_roles = ["roles/cloudfunctions.invoker"]
+ iam_members = {
+ "roles/cloudfunctions.invoker" = ["allUsers"]
+ }
+}
+```
+
+### GCS bucket creation
+
+You can have the module auto-create the GCS bucket used for deployment via the `bucket_config` variable. Setting `bucket_config.location` to `null` will also use the function region for GCS.
+
+```hcl
+module "cf-http" {
+ source = "../modules/net-cloudnat"
+ project_id = "my-project"
+ name = "test-cf-http"
+ bucket_name = "test-cf-bundles"
+ bucket_config = {
+ location = null
+ lifecycle_delete_age = 1
+ }
+ bundle_config = {
+ source_dir = "my-cf-source-folder
+ output_path = "bundle.zip"
+ }
+}
+```
+
+### Service account management
+
+To use a custom service account managed by the module, set `service_account_create` to `true` and leave `service_account` set to `null` value (default).
+
+```hcl
+module "cf-http" {
+ source = "../modules/net-cloudnat"
+ project_id = "my-project"
+ name = "test-cf-http"
+ bucket_name = "test-cf-bundles"
+ bundle_config = {
+ source_dir = "my-cf-source-folder
+ output_path = "bundle.zip"
+ }
+ service_account_create = true
+}
+```
+
+To use an externally managed service account, pass its email in `service_account` and leave `service_account_create` to `false` (the default).
+
+```hcl
+module "cf-http" {
+ source = "../modules/net-cloudnat"
+ project_id = "my-project"
+ name = "test-cf-http"
+ bucket_name = "test-cf-bundles"
+ bundle_config = {
+ source_dir = "my-cf-source-folder
+ output_path = "bundle.zip"
+ }
+ service_account = local.service_account_email
+}
+```
+
+
+## Variables
+
+| name | description | type | required | default |
+|---|---|:---: |:---:|:---:|
+| bucket_name | Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null. | string | ✓ | |
+| bundle_config | Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null. | object({...}) | ✓ | |
+| name | Name used for cloud function and associated resources. | string | ✓ | |
+| project_id | Project id used for all resources. | string | ✓ | |
+| *bucket_config* | Enable and configure auto-created bucket. Set fields to null to use defaults. | object({...}) | | null |
+| *environment_variables* | Cloud function environment variables. | map(string) | | {} |
+| *function_config* | Cloud function configuration. | object({...}) | | ... |
+| *iam_members* | Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use. | map(list(string)) | | {} |
+| *iam_roles* | List of roles used to set authoritative bindings. Ignored for template use. | list(string) | | [] |
+| *labels* | Resource labels | map(string) | | {} |
+| *prefix* | Optional prefix used for resource names. | string | | null |
+| *region* | Region used for all resources. | string | | us-central1 |
+| *service_account* | Service account email. Unused if service account is auto-created. | string | | null |
+| *service_account_create* | Auto-create service account. | bool | | false |
+| *trigger_config* | Function trigger configuration. Leave null for HTTP trigger. | object({...}) | | null |
+
+## Outputs
+
+| name | description | sensitive |
+|---|---|:---:|
+| bucket | Bucket resource (only if auto-created). | |
+| bucket_name | Bucket name. | |
+| function | Cloud function resources. | |
+| function_name | Cloud function name. | |
+| service_account | Service account resource. | |
+| service_account_email | Service account email. | |
+| service_account_iam_email | Service account email. | |
+
diff --git a/modules/cloud-function/main.tf b/modules/cloud-function/main.tf
new file mode 100644
index 000000000..a668a8bcc
--- /dev/null
+++ b/modules/cloud-function/main.tf
@@ -0,0 +1,122 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ bucket = (
+ var.bucket_name != null
+ ? var.bucket_name
+ : (
+ length(google_storage_bucket.bucket) > 0
+ ? google_storage_bucket.bucket[0].name
+ : null
+ )
+ )
+ prefix = var.prefix == null ? "" : "${var.prefix}-"
+ service_account_email = (
+ var.service_account_create
+ ? (
+ length(google_service_account.service_account) > 0
+ ? google_service_account.service_account[0].email
+ : null
+ )
+ : var.service_account
+ )
+}
+
+resource "google_cloudfunctions_function" "function" {
+ project = var.project_id
+ region = var.region
+ name = "${local.prefix}${var.name}"
+ description = "Terraform managed."
+ runtime = var.function_config.runtime
+ available_memory_mb = var.function_config.memory
+ max_instances = var.function_config.instances
+ timeout = var.function_config.timeout
+ entry_point = var.function_config.entry_point
+ environment_variables = var.environment_variables
+ service_account_email = local.service_account_email
+ source_archive_bucket = local.bucket
+ source_archive_object = google_storage_bucket_object.bundle.name
+ labels = var.labels
+ trigger_http = var.trigger_config == null ? true : null
+
+ dynamic event_trigger {
+ for_each = var.trigger_config == null ? [] : [""]
+ content {
+ event_type = var.trigger_config.event
+ resource = var.trigger_config.resource
+ dynamic failure_policy {
+ for_each = var.trigger_config.retry == null ? [] : [""]
+ content {
+ retry = var.trigger_config.retry
+ }
+ }
+ }
+ }
+
+}
+
+resource "google_cloudfunctions_function_iam_binding" "default" {
+ for_each = toset(var.iam_roles)
+ project = var.project_id
+ region = var.region
+ cloud_function = google_cloudfunctions_function.function.name
+ role = each.value
+ members = try(var.iam_members[each.value], {})
+}
+
+resource "google_storage_bucket" "bucket" {
+ count = var.bucket_config == null ? 0 : 1
+ project = var.project_id
+ name = "${local.prefix}${var.bucket_name}"
+ location = (
+ var.bucket_config.location == null
+ ? var.region
+ : var.bucket_config.location
+ )
+ labels = var.labels
+
+ dynamic lifecycle_rule {
+ for_each = var.bucket_config.lifecycle_delete_age == null ? [] : [""]
+ content {
+ action { type = "Delete" }
+ condition { age = var.bucket_config.lifecycle_delete_age }
+ }
+ }
+}
+
+resource "google_storage_bucket_object" "bundle" {
+ name = "bundle-${data.archive_file.bundle.output_md5}.zip"
+ bucket = local.bucket
+ source = data.archive_file.bundle.output_path
+}
+
+data "archive_file" "bundle" {
+ type = "zip"
+ source_dir = var.bundle_config.source_dir
+ output_path = (
+ var.bundle_config.output_path == null
+ ? "/tmp/bundle.zip"
+ : var.bundle_config.output_path
+ )
+}
+
+resource "google_service_account" "service_account" {
+ count = var.service_account_create ? 1 : 0
+ project = var.project_id
+ account_id = "tf-cf-${var.name}"
+ display_name = "Terraform Cloud Function ${var.name}."
+}
diff --git a/modules/cloud-function/outputs.tf b/modules/cloud-function/outputs.tf
new file mode 100644
index 000000000..43e0eda7f
--- /dev/null
+++ b/modules/cloud-function/outputs.tf
@@ -0,0 +1,55 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "bucket" {
+ description = "Bucket resource (only if auto-created)."
+ value = var.bucket_config == null ? null : google_storage_bucket.bucket.0
+}
+
+output "bucket_name" {
+ description = "Bucket name."
+ value = local.bucket
+}
+
+output "function" {
+ description = "Cloud function resources."
+ value = google_cloudfunctions_function.function
+}
+
+output "function_name" {
+ description = "Cloud function name."
+ value = google_cloudfunctions_function.function.name
+}
+
+output "service_account" {
+ description = "Service account resource."
+ value = (
+ var.service_account_create ? google_service_account.service_account[0] : null
+ )
+}
+
+output "service_account_email" {
+ description = "Service account email."
+ value = local.service_account_email
+}
+
+output "service_account_iam_email" {
+ description = "Service account email."
+ value = join("", [
+ "serviceAccount:",
+ local.service_account_email == null ? "" : local.service_account_email
+ ])
+}
diff --git a/modules/cloud-function/variables.tf b/modules/cloud-function/variables.tf
new file mode 100644
index 000000000..83c8c048a
--- /dev/null
+++ b/modules/cloud-function/variables.tf
@@ -0,0 +1,123 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "bucket_config" {
+ description = "Enable and configure auto-created bucket. Set fields to null to use defaults."
+ type = object({
+ location = string
+ lifecycle_delete_age = number
+ })
+ default = null
+}
+
+variable "bucket_name" {
+ description = "Name of the bucket that will be used for the function code. It will be created with prefix prepended if bucket_config is not null."
+ type = string
+}
+
+variable "bundle_config" {
+ description = "Cloud function source folder and generated zip bundle paths. Output path defaults to '/tmp/bundle.zip' if null."
+ type = object({
+ source_dir = string
+ output_path = string
+ })
+}
+
+variable "environment_variables" {
+ description = "Cloud function environment variables."
+ type = map(string)
+ default = {}
+}
+
+variable "iam_members" {
+ description = "Map of member lists used to set authoritative bindings, keyed by role. Ignored for template use."
+ type = map(list(string))
+ default = {}
+}
+
+variable "iam_roles" {
+ description = "List of roles used to set authoritative bindings. Ignored for template use."
+ type = list(string)
+ default = []
+}
+
+variable "function_config" {
+ description = "Cloud function configuration."
+ type = object({
+ entry_point = string
+ instances = number
+ memory = number
+ runtime = string
+ timeout = number
+ })
+ default = {
+ entry_point = "main"
+ instances = 1
+ memory = 256
+ runtime = "python37"
+ timeout = 180
+ }
+}
+
+variable "labels" {
+ description = "Resource labels"
+ type = map(string)
+ default = {}
+}
+
+variable "name" {
+ description = "Name used for cloud function and associated resources."
+ type = string
+}
+
+variable "prefix" {
+ description = "Optional prefix used for resource names."
+ type = string
+ default = null
+}
+
+variable "project_id" {
+ description = "Project id used for all resources."
+ type = string
+}
+
+variable "region" {
+ description = "Region used for all resources."
+ type = string
+ default = "europe-west1"
+}
+
+variable "service_account" {
+ description = "Service account email. Unused if service account is auto-created."
+ type = string
+ default = null
+}
+
+variable "service_account_create" {
+ description = "Auto-create service account."
+ type = bool
+ default = false
+}
+
+variable "trigger_config" {
+ description = "Function trigger configuration. Leave null for HTTP trigger."
+ type = object({
+ event = string
+ resource = string
+ retry = bool
+ })
+ default = null
+}
diff --git a/modules/cloud-function/versions.tf b/modules/cloud-function/versions.tf
new file mode 100644
index 000000000..bc4c2a9d7
--- /dev/null
+++ b/modules/cloud-function/versions.tf
@@ -0,0 +1,19 @@
+/**
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_version = ">= 0.12.6"
+}