# Pub/Sub topic that receives the "instance created" audit-log events
# routed by the log sink below and consumed by the labelling function.
resource "google_pubsub_topic" "new-instance-topic" {
  name    = var.topic
  project = var.project_name
}
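# Log sink that routes Compute Engine instance-insert audit-log entries
# (v1 and beta API method names) to the Pub/Sub topic defined above.
resource "google_logging_project_sink" "new_instance_sink" {
  project = var.project_name
  name    = "new_instance_sink"

  # Build the destination from the topic resource rather than re-assembling
  # it from variables, so it cannot drift from the topic actually created;
  # the reference also carries the dependency that depends_on previously
  # declared explicitly.
  destination = "pubsub.googleapis.com/${google_pubsub_topic.new-instance-topic.id}"

  filter = "protoPayload.methodName=v1.compute.instances.insert OR protoPayload.methodName=beta.compute.instances.insert"

  # Use a sink-specific writer service account (exposed as writer_identity)
  # instead of the project-wide default, so only this sink is granted
  # publisher on the topic.
  unique_writer_identity = true
}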
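# Allow the sink's writer identity to publish to the topic. The role was
# previously granted on the literal topic name "new-instance-event", which
# silently diverges from var.topic whenever the variable is set to anything
# else (the sink would then fail to deliver); reference the managed topic.
resource "google_pubsub_topic_iam_member" "new_instance_writer" {
  project = var.project_name
  topic   = google_pubsub_topic.new-instance-topic.name
  role    = "roles/pubsub.publisher"
  member  = google_logging_project_sink.new_instance_sink.writer_identity
}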
# Package the function source directory as a zip archive for upload.
data "archive_file" "labelzip" {
  type        = "zip"
  output_path = "${path.module}/label-function.zip"
  source_dir  = "${path.module}/src/"
}
# Upload the zip under a content-addressed object name so that a changed
# archive produces a new object (and therefore a new function source) rather
# than an in-place overwrite. Note that output_base64sha256 is base64, so the
# name may contain '/' or '+' characters.
resource "google_storage_bucket_object" "gslabelzip" {
  bucket = var.bucket
  name   = "label-costing/${data.archive_file.labelzip.output_base64sha256}.zip"
  source = data.archive_file.labelzip.output_path
}
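# Cloud Function invoked for every message published on the topic; it labels
# the newly created VM (see description).
resource "google_cloudfunctions_function" "label" {
  project     = var.project_name
  region      = var.region
  name        = var.function_name
  description = "Labels VMs with instance-{name,id}"

  # NOTE(review): go111 is a deprecated Cloud Functions runtime; moving to a
  # supported Go runtime may require changes under src/ — confirm before bumping.
  runtime     = "go111"
  entry_point = "Label"

  source_archive_bucket = var.bucket
  source_archive_object = google_storage_bucket_object.gslabelzip.name

  event_trigger {
    event_type = "google.pubsub.topic.publish"
    # Reference the managed topic instead of var.topic so the trigger cannot
    # point at a topic other than the one created here; the reference also
    # carries the dependency that depends_on previously declared.
    resource = google_pubsub_topic.new-instance-topic.name
  }

  # No service_account_email is set, so the function runs as the default
  # runtime service account; see the comments below on least privilege.
}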
// https://www.terraform.io/docs/providers/google/r/cloudfunctions_cloud_function_iam.html
// https://cloud.google.com/compute/docs/access/iam#compute.admin
// The runtime service account (aka the App Engine default service account) is used
// by default, which should be sufficient
// https://cloud.google.com/functions/docs/securing/function-identity#runtime_service_account
// So the binding below is not needed, unless attempting to attain least privilege
# resource "google_cloudfunctions_function_iam_member" "member" {
# project = google_cloudfunctions_function.label.project
# region = google_cloudfunctions_function.label.region
# cloud_function = google_cloudfunctions_function.label.name
# role = "roles/compute.admin"
# member = "serviceAccount:[email protected]"
# }