
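# Copyright 2024 Google Inc.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Resource definition for the Cloud Functions v2 `Function` resource: API
# URLs, async operation handling, IAM policy wiring, documentation/test
# examples, and the field schema (build, service and event-trigger config).
---
name: 'function'
api_resource_type_kind: Function
description: |
  A Cloud Function that contains user computation executed in response to an event.
references:
  guides:
  api: 'https://cloud.google.com/functions/docs/reference/rest/v2beta/projects.locations.functions'
docs:
id_format: 'projects/{{project}}/locations/{{location}}/functions/{{name}}'
base_url: 'projects/{{project}}/locations/{{location}}/functions'
self_link: 'projects/{{project}}/locations/{{location}}/functions/{{name}}'
create_url: 'projects/{{project}}/locations/{{location}}/functions?functionId={{name}}'
update_verb: 'PATCH'
update_mask: true
import_format:
  - 'projects/{{project}}/locations/{{location}}/functions/{{name}}'
timeouts:
  insert_minutes: 60
  update_minutes: 60
  delete_minutes: 60
autogen_async: true
async:
  actions: ['create', 'delete', 'update']
  type: 'OpAsync'
  operation:
    base_url: '{{op_id}}'
    # It takes about 35-40 mins to get the resource created
    timeouts:
      insert_minutes: 60
      update_minutes: 60
      delete_minutes: 60
  result:
    resource_inside_response: true
iam_policy:
  method_name_separator: ':'
  parent_resource_attribute: 'cloud_function'
  example_config_body: 'templates/terraform/iam/iam_attributes.go.tmpl'
  import_format:
    - 'projects/{{project}}/locations/{{location}}/functions/{{cloud_function}}'
    - '{{cloud_function}}'
custom_code:
  constants: 'templates/terraform/constants/cloudfunctions2_function.go.tmpl'
  encoder: 'templates/terraform/encoders/cloudfunctions2_runtime_update_policy.go.tmpl'
taint_resource_on_failed_create: true
sweeper:
  url_substitutions:
    - region: "us-central1"
    - region: "europe-west6"
    - region: "us-west1"
examples:
  - name: 'cloudfunctions2_basic'
    primary_resource_id: 'function'
    primary_resource_name: 'fmt.Sprintf("tf-test-function-v2%s", context["random_suffix"])'
    vars:
      function: 'function-v2'
      bucket_name: 'gcf-source'
      zip_path: 'function-source.zip'
    test_env_vars:
      project: 'PROJECT_NAME'
    test_vars_overrides:
      'location': '"us-central1"'
      'zip_path': '"./test-fixtures/function-source.zip"'
    # ignore these fields during import step
    ignore_read_extra:
      - 'build_config.0.source.0.storage_source.0.object'
      - 'build_config.0.source.0.storage_source.0.bucket'
  - name: 'cloudfunctions2_full'
    primary_resource_id: 'function'
    vars:
      bucket_name: 'gcf-source'
      service_account: 'gcf-sa'
      topic: 'functions2-topic'
      function: 'gcf-function'
      zip_path: 'function-source.zip'
    test_env_vars:
      project: 'PROJECT_NAME'
    test_vars_overrides:
      'zip_path': '"./test-fixtures/function-source-pubsub.zip"'
      'primary_resource_id': '"terraform-test"'
      'location': '"us-central1"'
    # ignore these fields during import step
    ignore_read_extra:
      - 'build_config.0.source.0.storage_source.0.object'
      - 'build_config.0.source.0.storage_source.0.bucket'
  - name: 'cloudfunctions2_scheduler_auth'
    primary_resource_id: 'function'
    vars:
      bucket_name: 'gcf-source'
      service_account: 'gcf-sa'
      function: 'gcf-function'
      zip_path: 'function-source.zip'
    test_env_vars:
      project: 'PROJECT_NAME'
    test_vars_overrides:
      'primary_resource_id': '"terraform-test"'
      'location': '"us-central1"'
      'zip_path': '"./test-fixtures/function-source.zip"'
    # ignore these fields during import step
    ignore_read_extra:
      - 'build_config.0.source.0.storage_source.0.object'
      - 'build_config.0.source.0.storage_source.0.bucket'
    exclude_test: true
  - name: 'cloudfunctions2_basic_gcs'
    primary_resource_id: 'function'
    # NOTE(review): this gives the Pub/Sub service agent KMS encrypt/decrypt
    # rights when the test is bootstrapped. The same binding is repeated in
    # the auditlogs, secret_env and secret_volume examples below; confirm each
    # example needs it and how broadly the harness scopes the grant.
    bootstrap_iam:
      - member: "serviceAccount:service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com"
        role: "roles/cloudkms.cryptoKeyEncrypterDecrypter"
    vars:
      bucket_name_source: 'gcf-source-bucket'
      bucket_name_trigger: 'gcf-trigger-bucket'
      service_account: 'gcf-sa'
      function_name: 'gcf-function'
      zip_path: 'function-source.zip'
    test_env_vars:
      project: 'PROJECT_NAME'
    test_vars_overrides:
      'zip_path': '"./test-fixtures/function-source-eventarc-gcs.zip"'
      'primary_resource_id': '"terraform-test"'
    # ignore these fields during import step
    ignore_read_extra:
      - 'build_config.0.source.0.storage_source.0.object'
      - 'build_config.0.source.0.storage_source.0.bucket'
  - name: 'cloudfunctions2_basic_auditlogs'
    primary_resource_id: 'function'
    bootstrap_iam:
      - member: "serviceAccount:service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com"
        role: "roles/cloudkms.cryptoKeyEncrypterDecrypter"
    vars:
      bucket_name_source: 'gcf-source-bucket'
      bucket_name_auditlogs: 'gcf-auditlog-bucket'
      service_account: 'gcf-sa'
      function_name: 'gcf-function'
      zip_path: 'function-source.zip'
    test_env_vars:
      project: 'PROJECT_NAME'
    test_vars_overrides:
      'zip_path': '"./test-fixtures/function-source-eventarc-gcs.zip"'
      'primary_resource_id': '"terraform-test"'
    # ignore these fields during import step
    ignore_read_extra:
      - 'build_config.0.source.0.storage_source.0.object'
      - 'build_config.0.source.0.storage_source.0.bucket'
  - name: 'cloudfunctions2_basic_builder'
    primary_resource_id: 'function'
    primary_resource_name: 'fmt.Sprintf("tf-test-function-v2%s", context["random_suffix"])'
    vars:
      function: 'function-v2'
      bucket_name: 'gcf-source'
      zip_path: 'function-source.zip'
      service_account: 'gcf-sa'
    test_env_vars:
      project: 'PROJECT_NAME'
    test_vars_overrides:
      'location': '"us-central1"'
      'zip_path': '"./test-fixtures/function-source.zip"'
    # ignore these fields during import step
    ignore_read_extra:
      - 'build_config.0.source.0.storage_source.0.object'
      - 'build_config.0.source.0.storage_source.0.bucket'
    external_providers: ["random", "time"]
  - name: 'cloudfunctions2_secret_env'
    primary_resource_id: 'function'
    bootstrap_iam:
      - member: "serviceAccount:service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com"
        role: "roles/cloudkms.cryptoKeyEncrypterDecrypter"
    vars:
      function: 'function-secret'
      bucket_name: 'gcf-source'
      zip_path: 'function-source.zip'
      secret: 'secret'
    test_env_vars:
      project: 'PROJECT_NAME'
    test_vars_overrides:
      'location': '"us-central1"'
      'zip_path': '"./test-fixtures/function-source.zip"'
    # ignore these fields during import step
    ignore_read_extra:
      - 'build_config.0.source.0.storage_source.0.object'
      - 'build_config.0.source.0.storage_source.0.bucket'
  - name: 'cloudfunctions2_secret_volume'
    primary_resource_id: 'function'
    bootstrap_iam:
      - member: "serviceAccount:service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com"
        role: "roles/cloudkms.cryptoKeyEncrypterDecrypter"
    vars:
      function: 'function-secret'
      bucket_name: 'gcf-source'
      zip_path: 'function-source.zip'
      secret: 'secret'
    test_env_vars:
      project: 'PROJECT_NAME'
    test_vars_overrides:
      'location': '"us-central1"'
      'zip_path': '"./test-fixtures/function-source.zip"'
    # ignore these fields during import step
    ignore_read_extra:
      - 'build_config.0.source.0.storage_source.0.object'
      - 'build_config.0.source.0.storage_source.0.bucket'
  - name: 'cloudfunctions2_private_workerpool'
    primary_resource_id: 'function'
    vars:
      function: 'function-workerpool'
      bucket_name: 'gcf-source'
      zip_path: 'function-source.zip'
      pool: 'workerpool'
    test_env_vars:
      project: 'PROJECT_NAME'
    test_vars_overrides:
      'location': '"us-central1"'
      'zip_path': '"./test-fixtures/function-source.zip"'
    # ignore these fields during import step
    ignore_read_extra:
      - 'build_config.0.source.0.storage_source.0.object'
      - 'build_config.0.source.0.storage_source.0.bucket'
  - name: 'cloudfunctions2_cmek'
    primary_resource_id: 'function'
    min_version: 'beta'
    vars:
      function: 'function-cmek'
      bucket_name: 'gcf-source'
      zip_path: 'function-source.zip'
      kms_service_name: 'cloudkms.googleapis.com'
      cmek-repo: 'cmek-repo'
      unencoded-ar-repo: 'ar-repo'
      kms_key_name: 'cmek-key'
    test_env_vars:
      project: 'PROJECT_NAME'
    test_vars_overrides:
      'kms_key_name': 'acctest.BootstrapKMSKeyInLocation(t, "us-central1").CryptoKey.Name'
      'location': '"us-central1"'
      'zip_path': '"./test-fixtures/function-source.zip"'
    # ignore these fields during import step
    ignore_read_extra:
      - 'build_config.0.source.0.storage_source.0.object'
      - 'build_config.0.source.0.storage_source.0.bucket'
    # the example file is written in a repetitive way to help acc tests, so exclude
    exclude_docs: true
    skip_vcr: true
  - name: 'cloudfunctions2_cmek_docs'
    primary_resource_id: 'function'
    min_version: 'beta'
    vars:
      function: 'function-cmek'
      bucket_name: 'gcf-source'
      zip_path: 'function-source.zip'
      kms_service_name: 'cloudkms.googleapis.com'
      cmek-repo: 'cmek-repo'
      unencoded-ar-repo: 'ar-repo'
      kms_key_name: 'cmek-key'
      project: 'my-project-name'
    # this example file will cause IAM conflicts between tests if used to make a test
    exclude_test: true
  - name: 'cloudfunctions2_abiu'
    primary_resource_id: 'function'
    min_version: 'beta'
    vars:
      bucket_name: 'gcf-source'
      service_account: 'gcf-sa'
      topic: 'functions2-topic'
      function: 'gcf-function'
      zip_path: 'function-source.zip'
    test_env_vars:
      project: 'PROJECT_NAME'
    test_vars_overrides:
      'zip_path': '"./test-fixtures/function-source-pubsub.zip"'
      'primary_resource_id': '"terraform-test"'
      'location': '"europe-west6"'
    # ignore these fields during import step
    ignore_read_extra:
      - 'build_config.0.source.0.storage_source.0.object'
      - 'build_config.0.source.0.storage_source.0.bucket'
  - name: 'cloudfunctions2_abiu_on_deploy'
    primary_resource_id: 'function'
    min_version: 'beta'
    vars:
      bucket_name: 'gcf-source'
      service_account: 'gcf-sa'
      topic: 'functions2-topic'
      function: 'gcf-function'
      zip_path: 'function-source.zip'
    test_env_vars:
      project: 'PROJECT_NAME'
    test_vars_overrides:
      'zip_path': '"./test-fixtures/function-source-pubsub.zip"'
      'primary_resource_id': '"terraform-test"'
      'location': '"europe-west6"'
    # ignore these fields during import step
    ignore_read_extra:
      - 'build_config.0.source.0.storage_source.0.object'
      - 'build_config.0.source.0.storage_source.0.bucket'
parameters:
  - name: 'location'
    type: String
    description: The location of this cloud function.
    url_param_only: true
    required: true
    immutable: true
properties:
  - name: 'name'
    type: String
    description: |
      A user-defined name of the function. Function names must
      be unique globally and match pattern `projects/*/locations/*/functions/*`.
    required: true
    immutable: true
    custom_flatten: 'templates/terraform/custom_flatten/name_from_self_link.tmpl'
    custom_expand: 'templates/terraform/custom_expand/shortname_to_url.go.tmpl'
  - name: 'description'
    type: String
    description: 'User-provided description of a function.'
  - name: 'environment'
    type: Enum
    description: 'The environment the function is hosted on.'
    output: true
    enum_values:
      - 'ENVIRONMENT_UNSPECIFIED'
      - 'GEN_1'
      - 'GEN_2'
  - name: 'url'
    type: String
    description: 'Output only. The deployed url for the function.'
    output: true
  - name: 'state'
    type: Enum
    description: 'Describes the current state of the function.'
    output: true
    enum_values:
      - 'STATE_UNSPECIFIED'
      - 'ACTIVE'
      - 'FAILED'
      - 'DEPLOYING'
      - 'DELETING'
      - 'UNKNOWN'
  - name: 'buildConfig'
    type: NestedObject
    description: |
      Describes the Build step of the function that builds a container
      from the given source.
    properties:
      - name: 'build'
        type: String
        description: |
          The Cloud Build name of the latest successful
          deployment of the function.
        output: true
      - name: 'runtime'
        type: String
        description: |
          The runtime in which to run the function. Required when deploying a new
          function, optional when updating an existing function.
      - name: 'entryPoint'
        type: String
        description: |
          The name of the function (as defined in source code) that will be executed.
          Defaults to the resource name suffix, if not specified. For backward
          compatibility, if function with given name is not found, then the system
          will try to use function named "function". For Node.js this is name of a
          function exported by the module specified in source_location.
      - name: 'source'
        type: NestedObject
        description: 'The location of the function source code.'
        properties:
          - name: 'storageSource'
            type: NestedObject
            description: 'If provided, get the source from this location in Google Cloud Storage.'
            exactly_one_of:
              - 'storage_source'
              - 'repo_source'
            properties:
              - name: 'bucket'
                type: String
                description: 'Google Cloud Storage bucket containing the source'
                custom_flatten: 'templates/terraform/custom_flatten/cloudfunctions2_function_source_bucket.go.tmpl'
              - name: 'object'
                type: String
                description: 'Google Cloud Storage object containing the source.'
                custom_flatten: 'templates/terraform/custom_flatten/cloudfunctions2_function_source_object.go.tmpl'
              - name: 'generation'
                type: Integer
                description: |
                  Google Cloud Storage generation for the object. If the generation
                  is omitted, the latest generation will be used.
                default_from_api: true
                custom_flatten: 'templates/terraform/custom_flatten/cloudfunctions2_function_source_generation.go.tmpl'
          - name: 'repoSource'
            type: NestedObject
            description: 'If provided, get the source from this location in a Cloud Source Repository.'
            exactly_one_of:
              - 'storage_source'
              - 'repo_source'
            properties:
              - name: 'projectId'
                type: String
                description: |
                  ID of the project that owns the Cloud Source Repository. If omitted, the
                  project ID requesting the build is assumed.
                immutable: true
              - name: 'repoName'
                type: String
                description: 'Name of the Cloud Source Repository.'
              - name: 'branchName'
                type: String
                description: 'Regex matching branches to build.'
                exactly_one_of:
                  - 'branch_name'
                  - 'tag_name'
                  - 'commit_sha'
              - name: 'tagName'
                type: String
                description: 'Regex matching tags to build.'
                exactly_one_of:
                  - 'branch_name'
                  - 'tag_name'
                  - 'commit_sha'
              - name: 'commitSha'
                type: String
                # Was a copy of the tagName text; this field takes a commit
                # SHA, not a tag regex.
                description: 'Explicit commit SHA to build.'
                exactly_one_of:
                  - 'branch_name'
                  - 'tag_name'
                  - 'commit_sha'
              - name: 'dir'
                type: String
                description: |
                  Directory, relative to the source root, in which to run the build.
              - name: 'invertRegex'
                type: Boolean
                description: |
                  Only trigger a build if the revision regex does
                  NOT match the revision regex.
      - name: 'workerPool'
        type: String
        description: 'Name of the Cloud Build Custom Worker Pool that should be used to build the function.'
      - name: 'environmentVariables'
        type: KeyValuePairs
        description: |
          User-provided build-time environment variables for the function.
        default_from_api: true
      - name: 'dockerRepository'
        type: String
        description: |
          User managed repository created in Artifact Registry optionally with a
          customer managed encryption key.
        default_from_api: true
      - name: 'serviceAccount'
        type: String
        description: 'The fully-qualified name of the service account to be used for building the container.'
        default_from_api: true
      # automaticUpdatePolicy and onDeployUpdatePolicy are mutually exclusive
      # (exactly_one_of); both are empty objects sent as-is so the chosen
      # runtime patching mode is explicit in the request.
      - name: 'automaticUpdatePolicy'
        type: NestedObject
        description: |
          Security patches are applied automatically to the runtime without requiring
          the function to be redeployed.
        default_from_api: true
        send_empty_value: true
        allow_empty_object: true
        exactly_one_of:
          - 'automatic_update_policy'
          - 'on_deploy_update_policy'
        properties:
          []
      # Security: under this policy a function that is never redeployed keeps
      # the runtime it was deployed with, so runtime patches depend on the
      # owner redeploying.
      - name: 'onDeployUpdatePolicy'
        type: NestedObject
        description: |
          Security patches are only applied when a function is redeployed.
        send_empty_value: true
        allow_empty_object: true
        exactly_one_of:
          - 'automatic_update_policy'
          - 'on_deploy_update_policy'
        properties:
          - name: 'runtimeVersion'
            type: String
            description: |
              The runtime version which was used during latest function deployment.
            output: true
  - name: 'serviceConfig'
    type: NestedObject
    description: 'Describes the Service being deployed.'
    properties:
      - name: 'service'
        type: String
        description: |
          Name of the service associated with a Function.
        default_from_api: true
      - name: 'timeoutSeconds'
        type: Integer
        description: |
          The function execution timeout. Execution is considered failed and
          can be terminated if the function is not completed at the end of the
          timeout period. Defaults to 60 seconds.
        default_from_api: true
      - name: 'availableMemory'
        type: String
        description: |
          The amount of memory available for a function.
          Defaults to 256M. Supported units are k, M, G, Mi, Gi. If no unit is
          supplied the value is interpreted as bytes.
        default_from_api: true
      - name: 'maxInstanceRequestConcurrency'
        type: Integer
        description: 'Sets the maximum number of concurrent requests that each instance can receive. Defaults to 1.'
        default_from_api: true
      - name: 'availableCpu'
        type: String
        description: 'The number of CPUs used in a single container instance. Default value is calculated from available memory.'
        default_from_api: true
      # Security: these are ordinary key/value pairs held in configuration;
      # credentials belong in secretEnvironmentVariables or secretVolumes
      # (defined further down in this object), which reference Secret Manager.
      - name: 'environmentVariables'
        type: KeyValuePairs
        description: 'Environment variables that shall be available during function execution.'
        default_from_api: true
        diff_suppress_func: 'environmentVariablesDiffSuppress'
      - name: 'maxInstanceCount'
        type: Integer
        description: |
          The limit on the maximum number of function instances that may coexist at a
          given time.
        default_from_api: true
      - name: 'minInstanceCount'
        type: Integer
        description: |
          The limit on the minimum number of function instances that may coexist at a
          given time.
      - name: 'vpcConnector'
        type: String
        description: 'The Serverless VPC Access connector that this cloud function can connect to.'
      - name: 'vpcConnectorEgressSettings'
        type: Enum
        description: 'Available egress settings.'
        enum_values:
          - 'VPC_CONNECTOR_EGRESS_SETTINGS_UNSPECIFIED'
          - 'PRIVATE_RANGES_ONLY'
          - 'ALL_TRAFFIC'
      # Security: the default value, ALLOW_ALL, applies no network-level
      # ingress restriction, so access control then rests on IAM alone. Set
      # ALLOW_INTERNAL_ONLY or ALLOW_INTERNAL_AND_GCLB for functions that are
      # not meant to be reachable from the internet.
      - name: 'ingressSettings'
        type: Enum
        description: 'Available ingress settings. Defaults to "ALLOW_ALL" if unspecified.'
        default_value: "ALLOW_ALL"
        enum_values:
          - 'ALLOW_ALL'
          - 'ALLOW_INTERNAL_ONLY'
          - 'ALLOW_INTERNAL_AND_GCLB'
      - name: 'uri'
        type: String
        description: 'URI of the Service deployed.'
        output: true
      - name: 'gcfUri'
        type: String
        description: 'URIs of the Service deployed'
        output: true
      # NOTE(review): when unset the value comes from the API
      # (default_from_api); which account that is cannot be seen from this
      # file - prefer setting a dedicated, least-privilege account explicitly.
      - name: 'serviceAccountEmail'
        type: String
        description: 'The email of the service account for this function.'
        default_from_api: true
      - name: 'allTrafficOnLatestRevision'
        type: Boolean
        description: 'Whether 100% of traffic is routed to the latest revision. Defaults to true.'
        default_value: true
      - name: 'secretEnvironmentVariables'
        type: Array
        description: 'Secret environment variables configuration.'
        item_type:
          type: NestedObject
          properties:
            - name: 'key'
              type: String
              description: |
                Name of the environment variable.
              required: true
            - name: 'projectId'
              type: String
              description: |
                Project identifier (preferably project number but can also be the
                project ID) of the project that contains the secret. If not set, it
                will be populated with the function's project assuming that the secret
                exists in the same project as of the function.
              required: true
            - name: 'secret'
              type: String
              description: |
                Name of the secret in secret manager (not the full resource name).
              required: true
            - name: 'version'
              type: String
              description: |
                Version of the secret (version number or the string 'latest'). It is
                recommended to use a numeric version for secret environment variables
                as any updates to the secret value is not reflected until new
                instances start.
              required: true
      - name: 'secretVolumes'
        type: Array
        description: 'Secret volumes configuration.'
        item_type:
          type: NestedObject
          properties:
            - name: 'mountPath'
              type: String
              description: |
                The path within the container to mount the secret volume. For example,
                setting the mountPath as /etc/secrets would mount the secret value
                files under the /etc/secrets directory. This directory will also be
                completely shadowed and unavailable to mount any other secrets.
                Recommended mount path: /etc/secrets
              required: true
            - name: 'projectId'
              type: String
              description: |
                Project identifier (preferably project number but can also be the
                project ID) of the project that contains the secret. If not set, it
                will be populated with the function's project assuming that the secret
                exists in the same project as of the function.
              required: true
            - name: 'secret'
              type: String
              description: |
                Name of the secret in secret manager (not the full resource name).
              required: true
            - name: 'versions'
              type: Array
              # The opening quote was missing, which left a stray trailing
              # quote character in the rendered description.
              description: 'List of secret versions to mount for this secret. If empty, the latest version of the secret will be made available in a file named after the secret under the mount point.'
              default_from_api: true
              item_type:
                type: NestedObject
                properties:
                  - name: 'version'
                    type: String
                    description: |
                      Version of the secret (version number or the string 'latest').
                      It is preferable to use latest version with secret volumes as
                      secret value changes are reflected immediately.
                    required: true
                  - name: 'path'
                    type: String
                    description: |
                      Relative path of the file under the mount path where the secret
                      value for this version will be fetched and made available. For
                      example, setting the mountPath as '/etc/secrets' and path as
                      secret_foo would mount the secret value file at
                      /etc/secrets/secret_foo.
                    required: true
      - name: 'binaryAuthorizationPolicy'
        type: String
        description: |
          The binary authorization policy to be checked when deploying the Cloud Run service.
  - name: 'eventTrigger'
    type: NestedObject
    description: |
      An Eventarc trigger managed by Google Cloud Functions that fires events in
      response to a condition in another service.
    properties:
      - name: 'trigger'
        type: String
        description: 'Output only. The resource name of the Eventarc trigger.'
        output: true
      - name: 'triggerRegion'
        type: String
        description: |
          The region that the trigger will be in. The trigger will only receive
          events originating in this region. It can be the same
          region as the function, a different region or multi-region, or the global
          region. If not provided, defaults to the same region as the function.
        default_from_api: true
      - name: 'eventType'
        type: String
        description: 'Required. The type of event to observe.'
      - name: 'eventFilters'
        type: Array
        description: 'Criteria used to filter events.'
        is_set: true
        item_type:
          type: NestedObject
          properties:
            - name: 'attribute'
              type: String
              # A stray leading quote character was dropped from this text.
              description: |
                Required. The name of a CloudEvents attribute.
                Currently, only a subset of attributes are supported for filtering.
                Use the `gcloud eventarc providers describe` command to learn more
                about events and their attributes.
                Do not filter for the 'type' attribute here, as this is already
                achieved by the resource's `event_type` attribute.
              required: true
            - name: 'value'
              type: String
              description: |
                Required. The value for the attribute.
                If the operator field is set as `match-path-pattern`, this value can
                be a path pattern instead of an exact value.
              required: true
            - name: 'operator'
              type: String
              # A stray trailing quote character was dropped from this text.
              description: |
                Optional. The operator used for matching the events with the value of
                the filter. If not specified, only events that have an exact key-value
                pair specified in the filter are matched.
                The only allowed value is `match-path-pattern`.
                [See documentation on path patterns here](https://cloud.google.com/eventarc/docs/path-patterns)
      - name: 'pubsubTopic'
        type: String
        description: |
          The name of a Pub/Sub topic in the same project that will be used
          as the transport topic for the event delivery.
        default_from_api: true
      # Security: per the description, leaving this empty falls back to the
      # Compute Engine default service account. Prefer a dedicated account
      # that holds only the permission to invoke the target service.
      - name: 'serviceAccountEmail'
        type: String
        description: |
          Optional. The email of the trigger's service account. The service account
          must have permission to invoke Cloud Run services. If empty, defaults to the
          Compute Engine default service account: {project_number}-compute@developer.gserviceaccount.com.
        default_from_api: true
      - name: 'retryPolicy'
        type: Enum
        description: |
          Describes the retry policy in case of function's execution failure.
          Retried execution is charged as any other execution.
        enum_values:
          - 'RETRY_POLICY_UNSPECIFIED'
          - 'RETRY_POLICY_DO_NOT_RETRY'
          - 'RETRY_POLICY_RETRY'
  - name: 'updateTime'
    type: String
    description: 'The last update timestamp of a Cloud Function.'
    output: true
  - name: 'labels'
    type: KeyValueLabels
    description: |
      A set of key/value label pairs associated with this Cloud Function.
  - name: 'kmsKeyName'
    type: String
    description: |
      Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function resources.
      It must match the pattern projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}.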