


     1/**
     2 * Copyright 2022 Google LLC
     3 *
     4 * Licensed under the Apache License, Version 2.0 (the "License");
     5 * you may not use this file except in compliance with the License.
     6 * You may obtain a copy of the License at
     7 *
     8 *      http://www.apache.org/licenses/LICENSE-2.0
     9 *
    10 * Unless required by applicable law or agreed to in writing, software
    11 * distributed under the License is distributed on an "AS IS" BASIS,
    12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13 * See the License for the specific language governing permissions and
    14 * limitations under the License.
    15 */
    16
    17```hcl
    18# [START functions_v2_basic_auditlogs]
    19# This example follows the examples shown in this Google Cloud Community blog post
    20# https://medium.com/google-cloud/applying-a-path-pattern-when-filtering-in-eventarc-f06b937b4c34
    21# and the docs:
    22# https://cloud.google.com/eventarc/docs/path-patterns
    23
    24resource "google_storage_bucket" "source-bucket" {
    25  name     = "gcf-source-bucket"
    26  location = "US"
    27  uniform_bucket_level_access = true
    28}
    29 
    30resource "google_storage_bucket_object" "object" {
    31  name   = "function-source.zip"
    32  bucket = google_storage_bucket.source-bucket.name
    33  source = "function-source.zip"  # Add path to the zipped function source code
    34}
    35
    36resource "google_service_account" "account" {
    37  account_id   = "gcf-sa"
    38  display_name = "Test Service Account - used for both the cloud function and eventarc trigger in the test"
    39}
    40
# Note: The right way of listening for Cloud Storage events is to use a Cloud Storage trigger.
# Here we use Audit Logs to monitor the bucket so path patterns can be used in the example of
# google_cloudfunctions2_function below (Audit Log events have path pattern support)
#
# NOTE(review): google.cloud.audit.log.v1.written events for storage.objects.create
# are only emitted if Data Access audit logs (DATA_WRITE) are enabled for
# storage.googleapis.com in the project. They are off by default and nothing in
# this sample turns them on (e.g. a google_project_iam_audit_config resource),
# so as written the trigger below is created successfully but never fires.
# Audit logs also record the principal and object name of every write, so this
# bucket's activity will appear in the project's audit log sinks.
resource "google_storage_bucket" "audit-log-bucket" {
  name     = "gcf-auditlog-bucket"
  location = "us-central1"  # The trigger must be in the same location as the bucket
  uniform_bucket_level_access = true
}
    49
# Permissions on the service account used by the function and Eventarc trigger
#
# NOTE(review): roles/run.invoker bound at project scope lets this service
# account invoke every Cloud Run service in the project, not only this
# function. For least privilege, prefer a service-level binding
# (google_cloud_run_service_iam_member on the function's underlying service)
# once the function exists; the project-wide grant is kept here only because
# the sample creates the binding before the function.
resource "google_project_iam_member" "invoking" {
  project = "my-project-name"
  role    = "roles/run.invoker"
  member  = "serviceAccount:${google_service_account.account.email}"
}
    56
    57resource "google_project_iam_member" "event-receiving" {
    58  project = "my-project-name"
    59  role    = "roles/eventarc.eventReceiver"
    60  member  = "serviceAccount:${google_service_account.account.email}"
    61  depends_on = [google_project_iam_member.invoking]
    62}
    63
    64resource "google_project_iam_member" "artifactregistry-reader" {
    65  project = "my-project-name"
    66  role     = "roles/artifactregistry.reader"
    67  member   = "serviceAccount:${google_service_account.account.email}"
    68  depends_on = [google_project_iam_member.event-receiving]
    69}
    70
    71resource "google_cloudfunctions2_function" "function" {
    72  depends_on = [
    73    google_project_iam_member.event-receiving,
    74    google_project_iam_member.artifactregistry-reader,
    75  ]
    76  name = "gcf-function"
    77  location = "us-central1"
    78  description = "a new function"
    79 
    80  build_config {
    81    runtime     = "nodejs12"
    82    entry_point = "entryPoint" # Set the entry point in the code
    83    environment_variables = {
    84      BUILD_CONFIG_TEST = "build_test"
    85    }
    86    source {
    87      storage_source {
    88        bucket = google_storage_bucket.source-bucket.name
    89        object = google_storage_bucket_object.object.name
    90      }
    91    }
    92  }
    93 
    94  service_config {
    95    max_instance_count  = 3
    96    min_instance_count = 1
    97    available_memory    = "256M"
    98    timeout_seconds     = 60
    99    environment_variables = {
   100        SERVICE_CONFIG_TEST = "config_test"
   101    }
   102    ingress_settings = "ALLOW_INTERNAL_ONLY"
   103    all_traffic_on_latest_revision = true
   104    service_account_email = google_service_account.account.email
   105  }
   106
   107  event_trigger {
   108    trigger_region = "us-central1" # The trigger must be in the same location as the bucket
   109    event_type = "google.cloud.audit.log.v1.written"
   110    retry_policy = "RETRY_POLICY_RETRY"
   111    service_account_email = google_service_account.account.email
   112    event_filters {
   113      attribute = "serviceName"
   114      value = "storage.googleapis.com"
   115    }
   116    event_filters {
   117      attribute = "methodName"
   118      value = "storage.objects.create"
   119    }
   120    event_filters {
   121      attribute = "resourceName"
   122      value = "/projects/_/buckets/${google_storage_bucket.audit-log-bucket.name}/objects/*.txt" # Path pattern selects all .txt files in the bucket
   123      operator = "match-path-pattern" # This allows path patterns to be used in the value field
   124    }
   125  }
   126}
   127# [END functions_v2_basic_auditlogs]
   128```
