Terraform 教學課程

本教學課程示範如何將函式原始碼 ZIP 檔案上傳至 Cloud Storage 值區,並使用 Terraform 佈建資源,藉此部署 HTTP 函式。Terraform 是一項開放原始碼工具,可讓您透過宣告式設定檔佈建 Google Cloud 資源。

本教學課程以 Node.js HTTP 函式為例,但同樣適用於 Python、Go 和 Java HTTP 函式。無論使用哪個執行階段,操作說明都相同。

使用 Terraform 部署時,您必須將函式的壓縮來源檔案上傳至 Cloud Storage 值區 (source_archive_bucket),並在 Terraform 設定中指定 Cloud Storage 物件名稱 (source_archive_object)。詳情請參閱 Terraform 規格指南

Cloud Run functions 會將您在 source_archive_bucket 中上傳的來源檔案複製到專案的 bucket,bucket 名稱格式為 gcf-v2-sources-PROJECT_NUMBER-REGION(Cloud Run functions)gcf-sources-PROJECT_NUMBER-REGION Cloud Run functions (第 1 代)。這項設定會因 CMEK 依附元件而異。

目標

  • 瞭解如何使用 Terraform 部署 HTTP 函式。

費用

在本文件中,您會使用下列 Google Cloud的計費元件:

For details, see Cloud Run functions pricing.

如要根據預測用量估算費用,請使用 Pricing Calculator

初次使用 Google Cloud 的使用者可能符合免費試用資格。

事前準備

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Cloud Functions, Cloud Run, Cloud Build, Artifact Registry, and Cloud Storage APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the APIs

  5. Install the Google Cloud CLI.

  6. 如果您使用外部識別資訊提供者 (IdP),請先 使用聯合身分登入 gcloud CLI

  7. 如要初始化 gcloud CLI,請執行下列指令: 

    gcloud init

  8. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  9. Verify that billing is enabled for your Google Cloud project.

  10. Enable the Cloud Functions, Cloud Run, Cloud Build, Artifact Registry, and Cloud Storage APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the APIs

  11. Install the Google Cloud CLI.

  12. 如果您使用外部識別資訊提供者 (IdP),請先 使用聯合身分登入 gcloud CLI

  13. 如要初始化 gcloud CLI,請執行下列指令: 

    gcloud init

    14. 如果您已安裝 gcloud CLI,請執行下列指令來更新:

    gcloud components update
  14. 準備開發環境。

    前往 Node.js 設定指南

    15. 必要的角色

    • 部署函式的使用者必須具備「Cloud Functions 開發人員」 (roles/cloudfunctions.developer) IAM 角色,或包含相同權限的角色。另請參閱部署作業的其他設定

    • 如要取得存取 Cloud Storage 值區的權限,請要求管理員授予部署函式的 IAM 身分「Storage 管理員」 (roles/storage.admin) 角色。如要進一步瞭解 Cloud Storage 角色和權限,請參閱適用於 Cloud Storage 的 IAM

    正在設定環境

    在本教學課程中,您將使用 Cloud Shell 執行指令。Cloud Shell 是已安裝 Google Cloud CLI 的殼層環境,並已針對您目前的專案設定好適用值。Cloud Shell 可能需要幾分鐘的時間才能初始化:

    開啟 Cloud Shell

    準備應用程式

    在 Cloud Shell 中執行下列步驟:

    1. 將範例應用程式存放區複製到 Cloud Shell 執行個體:

      git clone https://github.com/terraform-google-modules/terraform-docs-samples.git

    2. 變更為包含 Cloud Run 函式程式碼範例的目錄:

      cd terraform-docs-samples/functions/basic

      本教學課程使用的 Node.JS 範例是基本的「Hello World」HTTP 函式。以下是 main.tf 檔案:

      terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.34.0"
    }
  }
}

resource "random_id" "default" {
  byte_length = 8
}

resource "google_storage_bucket" "default" {
  name                        = "${random_id.default.hex}-gcf-source" # Every bucket name must be globally unique
  location                    = "US"
  uniform_bucket_level_access = true
}

data "archive_file" "default" {
  type        = "zip"
  output_path = "/tmp/function-source.zip"
  source_dir  = "functions/hello-world/"
}
resource "google_storage_bucket_object" "object" {
  name   = "function-source.zip"
  bucket = google_storage_bucket.default.name
  source = data.archive_file.default.output_path # Add path to the zipped function source code
}

resource "google_cloudfunctions2_function" "default" {
  name        = "function-v2"
  location    = "us-central1"
  description = "a new function"

  build_config {
    runtime     = "nodejs22"
    entry_point = "helloHttp" # Set the entry point
    source {
      storage_source {
        bucket = google_storage_bucket.default.name
        object = google_storage_bucket_object.object.name
      }
    }
  }

  service_config {
    max_instance_count = 1
    available_memory   = "256M"
    timeout_seconds    = 60
  }
}

resource "google_cloud_run_service_iam_member" "member" {
  location = google_cloudfunctions2_function.default.location
  service  = google_cloudfunctions2_function.default.name
  role     = "roles/run.invoker"
  member   = "allUsers"
}

output "function_uri" {
  value = google_cloudfunctions2_function.default.service_config[0].uri
}

    初始化 Terraform

    在含有 main.tf 檔案的 terraform-docs-samples/functions/basic 目錄中,執行下列指令來新增必要的外掛程式,並建構 .terraform 目錄:

    terraform init

    套用 Terraform 設定

    在包含 main.tf 檔案的同一個 terraform-docs-samples/functions/basic 目錄中,套用設定來部署函式。系統顯示提示訊息時,請輸入 yes

    terraform apply

    測試函式

    1. 當函式完成部署時,記下 URI 屬性,或使用下列指令找到這個屬性:

      gcloud functions describe function-v2 --gen2 --region=us-central1 --format="value(serviceConfig.uri)"

    2. 對這個網址發出要求,即可查看函式的「Hello World」訊息。請注意,部署函式時需要驗證。因此,您必須在要求中提供憑證:

      curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" YOUR_FUNCTION_URL

    清除所用資源

    完成本教學課程後,您可以刪除所有建立的項目,以免產生任何額外費用。

    您可以在包含 main.tf 檔案的 terraform-docs-samples/functions/basic 目錄中執行 terraform destroy 指令,移除設定檔中定義的所有資源:

    terraform destroy

    輸入 yes,允許 Terraform 刪除資源。