Add initial (trivial) pubsub module and faas module that supports pubsub

Merged E. Kirk requested to merge ek599-3-faas-and-pub-sub-terraform-module-boilerplate into main
7 files
+ 153
0
Files
7
+ 144
0
# FIXME Currently subscription and cloud service account are shared
resource "google_service_account" "cloud_run_sa" {
project = var.project
account_id = "${var.name}-cloud-run"
}
resource "google_cloud_run_service_iam_binding" "binding" {
location = var.location
service = var.name
role = "roles/run.invoker"
members = ["serviceAccount:${google_service_account.cloud_run_sa.email}"]
}
resource "google_project_service_identity" "pubsub_agent" {
provider = google-beta
project = var.project
service = "pubsub.googleapis.com"
}
# This only providing access to a role to the service account/pubsub
#trivy:ignore:AVD-GCP-0011
resource "google_project_iam_binding" "project_token_creator" {
project = var.project
role = "roles/iam.serviceAccountTokenCreator"
members = ["serviceAccount:${google_project_service_identity.pubsub_agent.email}"]
}
resource "google_cloud_run_v2_service" "faas" {
name = var.name
location = var.location
template {
service_account = google_service_account.cloud_run_sa.email
containers {
image = var.function_container_image
args = var.function != null ? [var.function] : null
dynamic "env" {
for_each = var.function_env
content {
name = env.value["name"]
value = env.value["value"]
dynamic "value_source" {
for_each = env.value["value_source"] != null ? [env.value["value_source"]] : []
content {
dynamic "secret_key_ref" {
for_each = value_source.value["secret_key_ref"] != null ? [value_source.value["secret_key_ref"]] : []
content {
secret = secret_key_ref.value["secret"]
version = secret_key_ref.value["version"]
}
}
}
}
}
}
liveness_probe {
http_get {
path = "/healthy"
}
}
startup_probe {
http_get {
path = "/healthy"
}
}
}
scaling {
min_instance_count = 0
max_instance_count = var.concurrency.max_concurrent_functions > var.concurrency.max_container_concurrency ? (var.concurrency.max_concurrent_functions - (var.concurrency.max_concurrent_functions % var.concurrency.max_container_concurrency)) / var.concurrency.max_container_concurrency : 1
}
max_instance_request_concurrency = var.concurrency.max_concurrent_functions > var.concurrency.max_container_concurrency ? var.concurrency.max_container_concurrency : var.concurrency.max_concurrent_functions
dynamic "vpc_access" {
for_each = var.vpc_access != null ? [var.vpc_access] : []
content {
connector = vpc_access.value["connector"]
egress = vpc_access.value["egress"]
dynamic "network_interfaces" {
for_each = vpc_access.value["network_interfaces"] != null ? [vpc_access.value["network_interfaces"]] : []
iterator = network_interface
content {
network = network_interface.value["network"]
subnetwork = network_interface.value["subnetwork"]
}
}
}
}
}
}
resource "google_pubsub_subscription" "provided_topic" {
for_each = { for i, v in [var.triggers.pubsub_topic_id] : i => v }
name = var.name
topic = var.triggers.pubsub_topic_id
push_config {
push_endpoint = google_cloud_run_v2_service.faas.uri
oidc_token {
service_account_email = google_service_account.cloud_run_sa.email
}
attributes = {
x-goog-version = "v1"
}
}
dead_letter_policy {
dead_letter_topic = google_pubsub_topic.dead_letter.id
max_delivery_attempts = var.retry_count + 1
}
retry_policy {
minimum_backoff = "30s"
maximum_backoff = "600s"
}
expiration_policy {
ttl = "" # Never expire
}
ack_deadline_seconds = var.timeout_seconds
}
# FIXME when deadletter functionality added, ensure subscription exists
# Currently just used to provider retry count control
resource "google_pubsub_topic" "dead_letter" {
name = "${var.name}-dl"
project = var.project
}
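Review bot: The `google_project_iam_binding` for `roles/iam.serviceAccountTokenCreator` grants the Pub/Sub service agent the ability to mint tokens for every service account in the project, while the push subscription's `oidc_token` block only needs it for `cloud_run_sa`; the trivy suppression above it acknowledges the finding rather than fixing it. Both `google_project_iam_binding` and `google_cloud_run_service_iam_binding` are also authoritative for their role, so each apply removes any other member already holding that role on the project or service; `*_iam_member` resources are additive and avoid that. The service-level binding additionally uses `service = var.name` instead of referencing `google_cloud_run_v2_service.faas.name`, so nothing orders it after the service is created. The variables' validation blocks are outside this view, so I cannot tell whether `var.retry_count + 1` and `var.timeout_seconds` are constrained to the ranges Pub/Sub accepts for `max_delivery_attempts` and `ack_deadline_seconds`.

```terraform
# … unchanged: google_service_account.cloud_run_sa, google_project_service_identity.pubsub_agent …

resource "google_cloud_run_v2_service_iam_member" "invoker" {
  location = var.location
  name     = google_cloud_run_v2_service.faas.name
  role     = "roles/run.invoker"
  member   = "serviceAccount:${google_service_account.cloud_run_sa.email}"
}

# Token creator scoped to the one service account the push subscription signs as.
resource "google_service_account_iam_member" "pubsub_token_creator" {
  service_account_id = google_service_account.cloud_run_sa.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:${google_project_service_identity.pubsub_agent.email}"
}

# … unchanged: google_cloud_run_v2_service.faas, subscription, dead-letter topic …
```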