# Deploy Cloud Function 2nd gen with Cloud Storage trigger using Terraform
Full Terraform config to deploy an event-driven Cloud Function 2nd gen with resources

Code sample
-----------
### Terraform

To learn how to apply or remove a Terraform configuration, see
[Basic Terraform commands](/docs/terraform/basic-commands).

For more information, see the
[Terraform provider reference documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs).

```hcl
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.34.0"
    }
  }
}

resource "random_id" "bucket_prefix" {
  byte_length = 8
}

resource "google_storage_bucket" "source_bucket" {
  name                        = "${random_id.bucket_prefix.hex}-gcf-source-bucket"
  location                    = "US"
  uniform_bucket_level_access = true
}

data "archive_file" "default" {
  type        = "zip"
  output_path = "/tmp/function-source.zip"
  source_dir  = "function-source/"
}

resource "google_storage_bucket_object" "default" {
  name   = "function-source.zip"
  bucket = google_storage_bucket.source_bucket.name
  source = data.archive_file.default.output_path # Path to the zipped function source code
}

resource "google_storage_bucket" "trigger_bucket" {
  name                        = "${random_id.bucket_prefix.hex}-gcf-trigger-bucket"
  location                    = "us-central1" # The trigger must be in the same location as the bucket
  uniform_bucket_level_access = true
}

data "google_storage_project_service_account" "default" {
}

# To use GCS CloudEvent triggers, the GCS service account requires the Pub/Sub Publisher (roles/pubsub.publisher) IAM role in the specified project.
# (See https://cloud.google.com/eventarc/docs/run/quickstart-storage#before-you-begin)
data "google_project" "project" {
}

resource "google_project_iam_member" "gcs_pubsub_publishing" {
  project = data.google_project.project.project_id
  role    = "roles/pubsub.publisher"
  member  = "serviceAccount:${data.google_storage_project_service_account.default.email_address}"
}

resource "google_service_account" "account" {
  account_id   = "gcf-sa"
  display_name = "Test Service Account - used for both the cloud function and eventarc trigger in the test"
}

# Permissions on the service account used by the function and Eventarc trigger
resource "google_project_iam_member" "invoking" {
  project    = data.google_project.project.project_id
  role       = "roles/run.invoker"
  member     = "serviceAccount:${google_service_account.account.email}"
  depends_on = [google_project_iam_member.gcs_pubsub_publishing]
}

resource "google_project_iam_member" "event_receiving" {
  project    = data.google_project.project.project_id
  role       = "roles/eventarc.eventReceiver"
  member     = "serviceAccount:${google_service_account.account.email}"
  depends_on = [google_project_iam_member.invoking]
}

resource "google_project_iam_member" "artifactregistry_reader" {
  project    = data.google_project.project.project_id
  role       = "roles/artifactregistry.reader"
  member     = "serviceAccount:${google_service_account.account.email}"
  depends_on = [google_project_iam_member.event_receiving]
}

resource "google_cloudfunctions2_function" "default" {
  depends_on = [
    google_project_iam_member.event_receiving,
    google_project_iam_member.artifactregistry_reader,
  ]
  name        = "function"
  location    = "us-central1"
  description = "a new function"

  build_config {
    runtime     = "nodejs22"
    entry_point = "entryPoint" # Set the entry point in the code
    environment_variables = {
      BUILD_CONFIG_TEST = "build_test"
    }
    source {
      storage_source {
        bucket = google_storage_bucket.source_bucket.name
        object = google_storage_bucket_object.default.name
      }
    }
  }

  service_config {
    max_instance_count = 3
    min_instance_count = 1
    available_memory   = "256M"
    timeout_seconds    = 60
    environment_variables = {
      SERVICE_CONFIG_TEST = "config_test"
    }
    ingress_settings               = "ALLOW_INTERNAL_ONLY"
    all_traffic_on_latest_revision = true
    service_account_email          = google_service_account.account.email
  }

  event_trigger {
    trigger_region        = "us-central1" # The trigger must be in the same location as the bucket
    event_type            = "google.cloud.storage.object.v1.finalized"
    retry_policy          = "RETRY_POLICY_RETRY"
    service_account_email = google_service_account.account.email
    event_filters {
      attribute = "bucket"
      value     = google_storage_bucket.trigger_bucket.name
    }
  }
}
```

What's next
-----------

To search and filter code samples for other Google Cloud products, see the
[Google Cloud sample browser](/docs/samples?product=functions).
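The configuration above grants the function's service account only three narrow roles, keeps ingress set to `ALLOW_INTERNAL_ONLY` and enforces uniform bucket-level access on both buckets. The following Python script is an added example (not part of the Google sample) that checks those settings against the JSON form of a Terraform plan (`terraform show -json tfplan`), so that a regression such as a broader role binding, public ingress, a bucket falling back to object ACLs, or the function silently running as the project's default compute service account is caught before `terraform apply`. The role allowlist, the embedded abridged `SAMPLE_PLAN` and the `weakened_plan` helper are constructed for the demonstration; the plan JSON shape it reads (`resource_changes`, `after`, `after_unknown`) is Terraform's documented output format.

```python
"""Plan-time policy check for the Terraform configuration on this page (added example).

Usage: terraform plan -out=tfplan && terraform show -json tfplan > plan.json
       python check_plan.py plan.json
Without an argument the script runs against the constructed SAMPLE_PLAN below.
"""
import copy
import json
import sys

# Project-level roles the page's configuration grants: the first three to the
# function/trigger service account, pubsub.publisher to the GCS service account.
ALLOWED_ROLES = {
    "roles/run.invoker",
    "roles/eventarc.eventReceiver",
    "roles/artifactregistry.reader",
    "roles/pubsub.publisher",
}
REQUIRED_INGRESS = "ALLOW_INTERNAL_ONLY"


def check_plan(plan):
    """Return a list of findings for a `terraform show -json` plan; [] means it passes."""
    findings = []
    for rc in plan.get("resource_changes", []):
        addr, rtype = rc.get("address"), rc.get("type")
        change = rc.get("change") or {}
        after = change.get("after") or {}            # values known at plan time
        unknown = change.get("after_unknown") or {}  # references resolved only at apply
        if not after:
            continue  # destroy-only change: nothing to check
        if rtype == "google_storage_bucket":
            if after.get("uniform_bucket_level_access") is not True:
                findings.append(f"{addr}: uniform_bucket_level_access must be true")
        elif rtype == "google_project_iam_member":
            role = after.get("role")
            if role not in ALLOWED_ROLES:
                findings.append(f"{addr}: role {role!r} is outside the allowlist")
        elif rtype == "google_cloudfunctions2_function":
            svc = (after.get("service_config") or [{}])[0]
            svc_unknown = (unknown.get("service_config") or [{}])[0]
            ingress = svc.get("ingress_settings")
            if ingress != REQUIRED_INGRESS:
                findings.append(f"{addr}: ingress_settings is {ingress!r}, expected {REQUIRED_INGRESS!r}")
            # service_account_email references google_service_account.account, so the plan lists
            # it under after_unknown; absent from both maps, the function would run as the
            # project's default compute service account.
            if not svc.get("service_account_email") and not svc_unknown.get("service_account_email"):
                findings.append(f"{addr}: service_config.service_account_email is not set")
    return findings


def _rc(address, rtype, after, after_unknown):
    """Build one resource_changes entry in the plan JSON shape (create action)."""
    return {"address": address, "type": rtype,
            "change": {"actions": ["create"], "after": after, "after_unknown": after_unknown}}


# Constructed, abridged plan for the page's configuration: only attributes the checks read.
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [
    _rc("google_storage_bucket.source_bucket", "google_storage_bucket",
        {"location": "US", "uniform_bucket_level_access": True}, {"name": True}),
    _rc("google_storage_bucket.trigger_bucket", "google_storage_bucket",
        {"location": "us-central1", "uniform_bucket_level_access": True}, {"name": True}),
    _rc("google_project_iam_member.gcs_pubsub_publishing", "google_project_iam_member",
        {"role": "roles/pubsub.publisher"}, {"member": True, "project": True}),
    _rc("google_project_iam_member.invoking", "google_project_iam_member",
        {"role": "roles/run.invoker"}, {"member": True, "project": True}),
    _rc("google_project_iam_member.event_receiving", "google_project_iam_member",
        {"role": "roles/eventarc.eventReceiver"}, {"member": True, "project": True}),
    _rc("google_project_iam_member.artifactregistry_reader", "google_project_iam_member",
        {"role": "roles/artifactregistry.reader"}, {"member": True, "project": True}),
    _rc("google_cloudfunctions2_function.default", "google_cloudfunctions2_function",
        {"name": "function", "location": "us-central1",
         "service_config": [{"ingress_settings": "ALLOW_INTERNAL_ONLY", "max_instance_count": 3}],
         "event_trigger": [{"event_type": "google.cloud.storage.object.v1.finalized"}]},
        {"service_config": [{"service_account_email": True, "uri": True}],
         "event_trigger": [{"service_account_email": True, "trigger": True}]}),
]}


def weakened_plan():
    """SAMPLE_PLAN with three regressions a reviewer should catch (for demonstration)."""
    plan = copy.deepcopy(SAMPLE_PLAN)
    for rc in plan["resource_changes"]:
        if rc["address"] == "google_project_iam_member.invoking":
            rc["change"]["after"]["role"] = "roles/editor"  # over-broad role
        if rc["type"] == "google_cloudfunctions2_function":
            rc["change"]["after"]["service_config"][0]["ingress_settings"] = "ALLOW_ALL"  # public endpoint
            rc["change"]["after_unknown"]["service_config"][0].pop("service_account_email")  # default SA
    return plan


def main(argv):
    plan = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_PLAN
    findings = check_plan(plan)
    for finding in findings:
        print("FAIL", finding)
    print("plan passes policy" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script exits non-zero when any finding is present, so it can gate a CI job between `terraform plan` and `terraform apply`; the allowlist should be kept in step with the roles the configuration actually needs rather than widened to silence a finding.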