Commit a8194a6

doc
1 parent 5822213 commit a8194a6

3 files changed

+118
-0
lines changed

LICENSE

Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
MIT License
2+
3+
Copyright (c) 2024 Jonathan Ballet
4+
5+
Permission is hereby granted, free of charge, to any person obtaining a copy
6+
of this software and associated documentation files (the "Software"), to deal
7+
in the Software without restriction, including without limitation the rights
8+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9+
copies of the Software, and to permit persons to whom the Software is
10+
furnished to do so, subject to the following conditions:
11+
12+
The above copyright notice and this permission notice shall be included in all
13+
copies or substantial portions of the Software.
14+
15+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21+
SOFTWARE.

README.md

Lines changed: 71 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,71 @@
1+
# Terraform module to manage Google Cloud Function
2+
3+
This is a personal (opiniated) Terraform module to manage [Google Cloud Function](https://cloud.google.com/functions/docs/).
4+
5+
## How to use?
6+
7+
```hcl
8+
module "stuff" {
9+
source = "app.terraform.io/multani/function/google"
10+
version = "1.0.0"
11+
12+
name = "do-stuff"
13+
description = "Do some stuff"
14+
15+
location = "europe-west6"
16+
runtime = "python312"
17+
entry_point = "stuff_doer"
18+
19+
source_code = {
20+
bucket = module.functions.bucket
21+
object = module.functions.object
22+
}
23+
24+
environment_variables = {
25+
SOMETHING = "stuff"
26+
}
27+
}
28+
29+
# Authorize stuff to read GCP secrets
30+
resource "google_project_iam_member" "stuff" {
31+
role = "roles/secretmanager.secretAccessor"
32+
member = "serviceAccount:${module.stuff.service_account_email}"
33+
project = data.google_project.this.project_id
34+
}
35+
```
36+
37+
### Help me, it doesn't work!
38+
39+
> [!IMPORTANT]
40+
>
41+
> If you are trying to deploy this module and you authenticate on Google Cloud
42+
> using a GCP service account (for instance, when running Terraform via
43+
> Terraform Cloud or a similar service ; in the example below, the service
44+
> account is called `terraform-sa`), you may get the following error while
45+
> trying to deploy the function:
46+
>
47+
> > Error while updating cloudfunction configuration: googleapi: Error 403: Missing necessary permission `iam.serviceAccounts.actAs` for `terraform-sa` on the service account `fun-stuff@my-gcp-project.iam.gserviceaccount.com`.
48+
> >
49+
> > Grant the role `roles/iam.serviceAccountUser` to `terraform-sa` on the service account `functions@multani-admin.iam.gserviceaccount.com`.
50+
> > You can do that by running `gcloud iam service-accounts add-iam-policy-binding functions@multani-admin.iam.gserviceaccount.com --member=terraform-sa --role=roles/iam.serviceAccountUser`.
51+
> > In case the member is a service account please use the prefix `serviceAccount:` instead of `user:`.
52+
> >
53+
> > If this is a cross-project service account usage ask a project owner to grant you the `iam.serviceAccountUser` role on the service account and/or set the `iam.disableCrossProjectServiceAccountUsage` org policy to `NOT ENFORCED` on the service account project.
54+
> >
55+
> > Please visit https://cloud.google.com/functions/docs/troubleshooting for in-depth troubleshooting documentation.
56+
>
57+
> Read the [IAM Cloud Function
58+
> documentation](https://developer.hashicorp.com/terraform/cloud-docs/workspaces)
59+
> for more information.
60+
61+
In this case, reconfigure the "deployer" service account with the following:
62+
63+
```hcl
64+
resource "google_service_account_iam_binding" "stuff" {
65+
service_account_id = module.stuff.service_account_name
66+
role = "roles/iam.serviceAccountUser"
67+
68+
# The service account that tries to deploy the Cloud Function
69+
members = ["serviceAccount:${google_service_account.deployer.email}"]
70+
}
71+
```
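
Review bot: The usage example at lines 29-34 grants `roles/secretmanager.secretAccessor` with `google_project_iam_member`, which lets the function's service account read every secret in the project; since people will copy this README, prefer a per-secret grant with `google_secret_manager_secret_iam_member`, or say explicitly that the project-wide grant is a shortcut. In the troubleshooting block at lines 63-71, `google_service_account_iam_binding` is authoritative for `roles/iam.serviceAccountUser` on that service account, so applying it removes any other member holding the role there; `google_service_account_iam_member` would add only the deployer. The quoted 403 error names `fun-stuff@my-gcp-project.iam.gserviceaccount.com` in its first sentence and `functions@multani-admin.iam.gserviceaccount.com` in the remediation text, so use one placeholder account throughout. The link labelled "IAM Cloud Function documentation" at lines 57-58 points to the Terraform Cloud workspaces page, and "opiniated" on line 3 should read "opinionated".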

modules/code/README.md

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,26 @@
1+
# Terraform module to manage Google Cloud Function source code
2+
3+
This is a personal (opiniated) Terraform module to manage source code for [Google Cloud Function](https://cloud.google.com/functions/docs/).
4+
5+
It uploads source code to a Google Cloud Storage bucket and "version" it using a checksum.
6+
7+
8+
## How to use?
9+
10+
```hcl
11+
module "functions" {
12+
source = "app.terraform.io/multani/function/google//modules/code"
13+
version = "1.0.0"
14+
15+
name = "my-functions"
16+
source_dir = "${path.module}/src"
17+
18+
# A previously created storage bucket
19+
bucket_name = data.google_storage_bucket.functions.name
20+
}
21+
```
22+
23+
Use the following output to create a Cloud Function:
24+
25+
* `bucket`: the name of the bucket where the source code is stored
26+
* `object`: the name of the object inside the bucket, where the source code is stored
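
Review bot: Line 5 says the module versions the upload "using a checksum" but does not say which hash is used, what it is computed over, or where it ends up (object name, metadata), so a reader cannot tell when `object` changes and a new function deployment is triggered; state this next to the `bucket` and `object` outputs at lines 25-26. Since whatever is stored in `bucket_name` becomes the function's code, the comment "A previously created storage bucket" on line 18 could also say who is expected to have write access to it. Minor: "opiniated" on line 3 should be "opinionated", "version it" on line 5 should be "versions it", and "the following output" on line 23 should be plural.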
