FAQ | This is a LIVE service | Changelog

Skip to content
Snippets Groups Projects

Add initial (trivial) pubsub module and faas module that supports pubsub

Merged Add initial (trivial) pubsub module and faas module that supports pubsub
ek599-3-faas-and-pub-sub-terraform-module-boilerplate into main
Merged E. Kirk requested to merge ek599-3-faas-and-pub-sub-terraform-module-boilerplate into main
Viewing commit fd271a13
Show latest version
7 files
+ 153
0
Compare changes
  • Side-by-side
  • Inline
Files
7
terraform/modules/faas/main.tf 0 → 100644
+ 144
0
# FIXME Currently subscription and cloud service account are shared
resource "google_service_account" "cloud_run_sa" {
project = var.project
account_id = "${var.name}-cloud-run"
}
resource "google_cloud_run_service_iam_binding" "binding" {
location = var.location
service = var.name
role = "roles/run.invoker"
members = ["serviceAccount:${google_service_account.cloud_run_sa.email}"]
}
resource "google_project_service_identity" "pubsub_agent" {
provider = google-beta
project = var.project
service = "pubsub.googleapis.com"
}
# This only providing access to a role to the service account/pubsub
#trivy:ignore:AVD-GCP-0011
resource "google_project_iam_binding" "project_token_creator" {
project = var.project
role = "roles/iam.serviceAccountTokenCreator"
members = ["serviceAccount:${google_project_service_identity.pubsub_agent.email}"]
}
resource "google_cloud_run_v2_service" "faas" {
name = var.name
location = var.location
template {
service_account = google_service_account.cloud_run_sa.email
containers {
image = var.function_container_image
args = var.function != null ? [var.function] : null
dynamic "env" {
for_each = var.function_env
content {
name = env.value["name"]
value = env.value["value"]
dynamic "value_source" {
for_each = env.value["value_source"] != null ? [env.value["value_source"]] : []
content {
dynamic "secret_key_ref" {
for_each = value_source.value["secret_key_ref"] != null ? [value_source.value["secret_key_ref"]] : []
content {
secret = secret_key_ref.value["secret"]
version = secret_key_ref.value["version"]
}
}
}
}
}
}
liveness_probe {
http_get {
path = "/healthy"
}
}
startup_probe {
http_get {
path = "/healthy"
}
}
}
scaling {
min_instance_count = 0
max_instance_count = var.concurrency.max_concurrent_functions > var.concurrency.max_container_concurrency ? (var.concurrency.max_concurrent_functions - (var.concurrency.max_concurrent_functions % var.concurrency.max_container_concurrency)) / var.concurrency.max_container_concurrency : 1
}
max_instance_request_concurrency = var.concurrency.max_concurrent_functions > var.concurrency.max_container_concurrency ? var.concurrency.max_container_concurrency : var.concurrency.max_concurrent_functions
dynamic "vpc_access" {
for_each = var.vpc_access != null ? [var.vpc_access] : []
content {
connector = vpc_access.value["connector"]
egress = vpc_access.value["egress"]
dynamic "network_interfaces" {
for_each = vpc_access.value["network_interfaces"] != null ? [vpc_access.value["network_interfaces"]] : []
iterator = network_interface
content {
network = network_interface.value["network"]
subnetwork = network_interface.value["subnetwork"]
}
}
}
}
}
}
resource "google_pubsub_subscription" "provided_topic" {
for_each = { for i, v in [var.triggers.pubsub_topic_id] : i => v }
name = var.name
topic = var.triggers.pubsub_topic_id
push_config {
push_endpoint = google_cloud_run_v2_service.faas.uri
oidc_token {
service_account_email = google_service_account.cloud_run_sa.email
}
attributes = {
x-goog-version = "v1"
}
}
dead_letter_policy {
dead_letter_topic = google_pubsub_topic.dead_letter.id
max_delivery_attempts = var.retry_count + 1
}
retry_policy {
minimum_backoff = "30s"
maximum_backoff = "600s"
}
expiration_policy {
ttl = "" # Never expire
}
ack_deadline_seconds = var.timeout_seconds
}
# FIXME when deadletter functionality added, ensure subscription exists
# Currently just used to provider retry count control
resource "google_pubsub_topic" "dead_letter" {
name = "${var.name}-dl"
project = var.project
}