diff --git a/build/terraform b/build/terraform
index ecda9f292a53..e03659313c9d 160000
--- a/build/terraform
+++ b/build/terraform
@@ -1 +1 @@
-Subproject commit ecda9f292a53e4dc7d1e8c1502f3eb30b122b157
+Subproject commit e03659313c9d4745fc29ea7af1d673fc8e616929
diff --git a/build/terraform-beta b/build/terraform-beta
index a1d05c614bcc..c10b8693d56d 160000
--- a/build/terraform-beta
+++ b/build/terraform-beta
@@ -1 +1 @@
-Subproject commit a1d05c614bcc45e86765a71dcc523b1ddae75a9a
+Subproject commit c10b8693d56dae9400512368fadfc74722667eda
diff --git a/third_party/terraform/website/docs/r/cloudfunctions_function.html.markdown b/third_party/terraform/website/docs/r/cloudfunctions_function.html.markdown
index c6173913814e..c7d720a55274 100644
--- a/third_party/terraform/website/docs/r/cloudfunctions_function.html.markdown
+++ b/third_party/terraform/website/docs/r/cloudfunctions_function.html.markdown
@@ -13,8 +13,15 @@ Creates a new Cloud Function. For more information see
 and [API](https://cloud.google.com/functions/docs/apis).
+~> **Warning:** As of November 1, 2019, newly created Functions are
+private-by-default and will require [appropriate IAM permissions](https://cloud.google.com/functions/docs/reference/iam/roles)
+to be invoked. See below examples for how to set up the appropriate permissions,
+or view the [Cloud Functions IAM resources](/docs/r/cloudfunctions_cloud_function_iam.html)
+for Cloud Functions.
+
 ## Example Usage
+Secured function with a user allowed to invoke:
 ```hcl
 resource "google_storage_bucket" "bucket" {
 name = "test-bucket"
@@ -40,13 +47,59 @@ resource "google_cloudfunctions_function" "function" {
 labels = {
 my-label = "my-label-value"
 }
-
+
 environment_variables = {
 MY_ENV_VAR = "my-env-var-value"
 }
 }
+
+# Add IAM member for a user who can invoke the function (no admin actions)
+resource "google_cloudfunctions_function_iam_member" "invoker" {
+ project = "${google_cloudfunctions_function.function.project}"
+ region = "${google_cloudfunctions_function.function.region}"
+ cloud_function = "${google_cloudfunctions_function.function.name}"
+
+ role = "roles/cloudfunctions.invoker"
+ member = "user:myFunctionInvoker@example.com"
+}
 ```
+A publically invocable function (similar behavior to functions created before
+private-by-default):
+
+```hcl
+resource "google_storage_bucket" "bucket" {
+ name = "test-bucket"
+}
+
+resource "google_storage_bucket_object" "archive" {
+ name = "index.zip"
+ bucket = "${google_storage_bucket.bucket.name}"
+ source = "./path/to/zip/file/which/contains/code"
+}
+
+resource "google_cloudfunctions_function" "function" {
+ name = "function-test"
+ description = "My function"
+ runtime = "nodejs10"
+
+ available_memory_mb = 128
+ source_archive_bucket = "${google_storage_bucket.bucket.name}"
+ source_archive_object = "${google_storage_bucket_object.archive.name}"
+ trigger_http = true
+ entry_point = "helloGET"
+}
+
+# Add IAM member for a user who can invoke the function (no admin actions)
+resource "google_cloudfunctions_function_iam_member" "invoker" {
+ project = "${google_cloudfunctions_function.function.project}"
+ region = "${google_cloudfunctions_function.function.region}"
+ cloud_function = "${google_cloudfunctions_function.function.name}"
+
+ role = "roles/cloudfunctions.invoker"
+ member = "allUsers"
+}
+```
 ## Argument Reference
 The following arguments are supported:
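Review bot: In the second added example, the comment above the `google_cloudfunctions_function_iam_member` block is copied from the first example and still reads "Add IAM member for a user who can invoke the function (no admin actions)", but `member = "allUsers"` grants `roles/cloudfunctions.invoker` to every caller, including unauthenticated ones. Readers copy these snippets, so the comment should state the exposure, for example `# Grant the invoker role to allUsers: anyone, including unauthenticated callers, can invoke this HTTP function`. The sentence introducing that example also misspells "publicly" as "publically". Both examples reuse the same resource names, so a short remark that they are alternatives and not one combined configuration would help.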