feat: added iam membership

GoogleCloudPlatform · Jan 23, 2023 · 393b404 · 393b404
1 parent 6ff316e
commit 393b404
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -5,6 +5,7 @@ The Terraform module handles the deployment of Cloud Functions (Gen 2) on GCP.
 The resources/services/activations/deletions that this module will create/trigger are:
 
 - Deploy Cloud Functions (2nd Gen) with provided source code and trigger
+- Provide Cloud Functions Invoker or Developer roles to the users and service accounts
 
 ## Assumptions and Prerequisites
 
@@ -29,10 +30,9 @@ module "cloud_functions2" {
   runtime        = "<RUNTIME>"
   entrypoint     = "<ENTRYPOINT>"
   storage_source = {
-    filepath    = "<sourcefilepath>"
-    filename    = "<sourcefilename>"
-    source_path = "<dirname>"
-    bucketname  = "<GCS NAME>"
+    bucket      = "<BUCEKTNAME>"
+    object      = "<ARCHIVE_PATH>"
+    generation  = "<GCS_GENERATION>"
   }
 }
 ```
@@ -53,6 +53,7 @@ Functional examples are included in the
 | function\_location | The location of this cloud function | `string` | n/a | yes |
 | function\_name | A user-defined name of the function | `string` | n/a | yes |
 | labels | A set of key/value label pairs associated with this Cloud Function | `map(string)` | `null` | no |
+| members | Cloud Function Invoker and Developer roles for Users/SAs. Key names must be developers and/or invokers | `map(list(string))` | `{}` | no |
 | project\_id | Project ID to create Cloud Function | `string` | n/a | yes |
 | repo\_source | Get the source from this location in a Cloud Source Repository | <pre>object({<br>    project_id   = string<br>    repo_name    = string<br>    branch_name  = string<br>    dir          = string<br>    tag_name     = string<br>    commit_sha   = string<br>    invert_regex = bool<br>  })</pre> | `null` | no |
 | runtime | The runtime in which to run the function. | `string` | n/a | yes |

diff --git a/main.tf b/main.tf
@@ -124,3 +124,23 @@ resource "google_cloudfunctions2_function" "function" {
 
   labels = var.labels != null ? var.labels : {}
 }
+
+// IAM for invoking HTTP functions (roles/cloudfunctions.invoker)
+resource "google_cloudfunctions2_function_iam_member" "invokers" {
+  count          = contains(keys(var.members), "invokers") ? length(var.members["invokers"]) : 0
+  location       = google_cloudfunctions2_function.function.location
+  project        = google_cloudfunctions2_function.function.project
+  cloud_function = google_cloudfunctions2_function.function.name
+  role           = "roles/cloudfunctions.invoker"
+  member         = var.members["invokers"][count.index]
+}
+
+// Read and write access to all functions-related resources (roles/cloudfunctions.developer)
+resource "google_cloudfunctions2_function_iam_member" "developers" {
+  count          = contains(keys(var.members), "developers") ? length(var.members["developers"]) : 0
+  location       = google_cloudfunctions2_function.function.location
+  project        = google_cloudfunctions2_function.function.project
+  cloud_function = google_cloudfunctions2_function.function.name
+  role           = "roles/cloudfunctions.developer"
+  member         = var.members["developers"][count.index]
+}
diff --git a/variables.tf b/variables.tf
@@ -154,3 +154,10 @@ variable "service_config" {
     secret_volumes                 = null
   }
 }
+
+// IAM
+variable "members" {
+  type        = map(list(string))
+  description = "Cloud Function Invoker and Developer roles for Users/SAs. Key names must be developers and/or invokers"
+  default     = {}
+}