1
votes

I've been trying to replicate the creation of a Google Cloud Function via Terraform.

As part of the security, I am trying to disable unauthenticated invocations as this is enabled by default in the GUI of creating a cloud task:


However, looking at the examples found in the Terraform documentation, it does not seem to offer this as an option aside from authenticating with all users / a single user. But this does not seem to replicate the functionality of reaching the 403 page when clicking the link; rather, it just creates an entry in IAM and Admin where the user is assigned the role Cloud Function Invoker. My Terraform code is given below:

resource "google_cloudfunctions_function" "function-api" {
  name                  = "terraform-insert-group-members-api"
  runtime               = "python37"
  timeout               = 540
  trigger_http          = true
  entry_point           = "hello"
  source_archive_bucket = google_storage_bucket.resource-storage.name
  source_archive_object = google_storage_bucket_object.storage-object-code-api.name
}

What do I need to include to achieve this? Or is this achievable in Terraform?

Thanks, Jordan

1 Answer

0
votes

I searched for this in the Google Cloud documentation, and it looks like GCP does this as well.

You can control who can invoke the functions if you edit the permissions on the cloud function.

Basically, following this link you can select your function (clicking on the check box) and remove the allUsers user from the "Cloud Functions Invoker" section in order to prevent the function from being public. This will limit who can access your function. Then in the same screen you can add an invoker so that the user can invoke the Cloud Function.

So it looks like Terraform already does this, at this link, as the Google documentation specifies.
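The following is an added example, not the question's or the answer's own code, showing how the approach described in the answer is expressed in Terraform for the function from the question. It uses the google provider's `google_cloudfunctions_function_iam_binding` resource, which is authoritative for one role on one function: only the members listed hold `roles/cloudfunctions.invoker`, so an `allUsers` grant added in the console is removed on the next apply and unauthenticated HTTP calls to the trigger URL receive 403. The service account address is a placeholder to replace with the identity that should be allowed to call the function.

```hcl
# Added example (not the original poster's or the answer's code): the function
# from the question plus an explicit, authoritative invoker binding.
resource "google_cloudfunctions_function" "function-api" {
  name                  = "terraform-insert-group-members-api"
  runtime               = "python37"
  timeout               = 540
  trigger_http          = true
  entry_point           = "hello"
  source_archive_bucket = google_storage_bucket.resource-storage.name
  source_archive_object = google_storage_bucket_object.storage-object-code-api.name
}

# Authoritative binding for roles/cloudfunctions.invoker on this one function.
# Only the members listed here hold the role, so "allUsers" is never granted
# (and is removed if someone added it by hand), which yields 403 for
# unauthenticated callers. The service account below is a placeholder.
resource "google_cloudfunctions_function_iam_binding" "invoker" {
  project        = google_cloudfunctions_function.function-api.project
  region         = google_cloudfunctions_function.function-api.region
  cloud_function = google_cloudfunctions_function.function-api.name
  role           = "roles/cloudfunctions.invoker"
  members = [
    "serviceAccount:invoker-sa@PROJECT_ID_PLACEHOLDER.iam.gserviceaccount.com",
  ]
}
```

Two points worth knowing when choosing the resource: `google_cloudfunctions_function_iam_member` only adds a single member and leaves any existing `allUsers` grant in place, so it does not by itself make a public function private, whereas the `_binding` form above replaces the role's member list. After `terraform apply`, the effective policy can be checked with `gcloud functions get-iam-policy terraform-insert-group-members-api --region=<region>`; `allUsers` should not appear under `roles/cloudfunctions.invoker`.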