https://github.com/multani/terraform-google-function
- Host: GitHub
- URL: https://github.com/multani/terraform-google-function
- Owner: multani
- License: mit
- Created: 2024-03-05T19:14:33.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2024-08-20T20:51:41.000Z (almost 2 years ago)
- Last Synced: 2024-08-20T22:45:21.170Z (almost 2 years ago)
- Language: HCL
- Size: 9.77 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Terraform module to manage Google Cloud Function
This is a personal (opinionated) Terraform module to manage [Google Cloud Function](https://cloud.google.com/functions/docs/).
## How to use?
```hcl
module "stuff" {
  source  = "multani/function/google"
  version = "1.0.2"

  name        = "do-stuff"
  description = "Do some stuff"
  location    = "europe-west6"
  runtime     = "python312"
  entry_point = "stuff_doer"

  source_code = {
    bucket = module.functions.bucket
    object = module.functions.object
  }

  environment_variables = {
    SOMETHING = "stuff"
  }
}

# Authorize stuff to read GCP secrets
resource "google_project_iam_member" "stuff" {
  role    = "roles/secretmanager.secretAccessor"
  member  = "serviceAccount:${module.stuff.service_account_email}"
  project = data.google_project.this.project_id
}
```
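The project-level `google_project_iam_member` above lets the function's service account read every secret in the project. As an added example that is not part of this module's README, here is the same grant scoped to a single secret, which is the least-privilege form to prefer when the function only needs one secret (the `stuff-config` secret and its `google_secret_manager_secret` resource are assumed):

```hcl
# Added example (not from the module's README): the secret itself is assumed
# to be managed in the same configuration.
resource "google_secret_manager_secret" "stuff_config" {
  secret_id = "stuff-config"

  replication {
    auto {}
  }
}

# Non-authoritative member grant on this one secret only: the function's
# service account can read this secret and nothing else in Secret Manager,
# instead of every secret in the project.
resource "google_secret_manager_secret_iam_member" "stuff_reads_config" {
  project   = google_secret_manager_secret.stuff_config.project
  secret_id = google_secret_manager_secret.stuff_config.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${module.stuff.service_account_email}"
}
```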
### Help me, it doesn't work!
> [!IMPORTANT]
>
> If you are trying to deploy this module and you authenticate on Google Cloud
> using a GCP service account (for instance, when running Terraform via
> Terraform Cloud or a similar service; in the example below, the service
> account is called `terraform-sa`), you may get the following error while
> trying to deploy the function:
>
> > Error while updating cloudfunction configuration: googleapi: Error 403: Missing necessary permission `iam.serviceAccounts.actAs` for `terraform-sa` on the service account `fun-stuff@my-gcp-project.iam.gserviceaccount.com`.
> >
> > Grant the role `roles/iam.serviceAccountUser` to `terraform-sa` on the service account `functions@multani-admin.iam.gserviceaccount.com`.
> > You can do that by running `gcloud iam service-accounts add-iam-policy-binding functions@multani-admin.iam.gserviceaccount.com --member=terraform-sa --role=roles/iam.serviceAccountUser`.
> > In case the member is a service account please use the prefix `serviceAccount:` instead of `user:`.
> >
> > If this is a cross-project service account usage ask a project owner to grant you the `iam.serviceAccountUser` role on the service account and/or set the `iam.disableCrossProjectServiceAccountUsage` org policy to `NOT ENFORCED` on the service account project.
> >
> > Please visit https://cloud.google.com/functions/docs/troubleshooting for in-depth troubleshooting documentation.
>
> Read the [IAM Cloud Function
> documentation](https://developer.hashicorp.com/terraform/cloud-docs/workspaces)
> for more information.
In this case, grant the "deployer" service account (the one Terraform authenticates as) the `roles/iam.serviceAccountUser` role on the function's service account, for example with the following:
```hcl
# google_service_account_iam_binding is authoritative: it replaces every
# member holding this role on the service account. Use
# google_service_account_iam_member instead to add a single member without
# removing existing ones.
resource "google_service_account_iam_binding" "stuff" {
  service_account_id = module.stuff.service_account_name
  role               = "roles/iam.serviceAccountUser"

  # The service account that tries to deploy the Cloud Function
  members = ["serviceAccount:${google_service_account.deployer.email}"]
}
```