feat: add security_level field for https triggers (#266)

Author: sethvargo

.github/workflows/integration.yml

@@ -188,6 +188,48 @@ jobs:
         CLEANUP_FUNCTION_NAME: '${{ steps.deploy.outputs.id }}'
       run: 'npm run cleanup'
 
+  https_trigger:
+    if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
+    name: 'https_trigger'
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    runs-on: 'ubuntu-latest'
+    steps:
+    - uses: 'actions/checkout@v2'
+
+    - uses: 'actions/setup-node@v2'
+      with:
+        node-version: '12.x'
+
+    - name: 'npm build'
+      run: 'npm ci && npm run build'
+
+    - uses: 'google-github-actions/auth@main'
+      with:
+        workload_identity_provider: '${{ secrets.WIF_PROVIDER_NAME }}'
+        service_account: '${{ secrets.DEPLOY_CF_SA_EMAIL }}'
+
+    - id: 'deploy'
+      uses: './'
+      with:
+        name: 'https-trigger-${{ github.run_number }}'
+        runtime: 'nodejs10'
+        entry_point: 'helloWorld'
+        source_dir: './tests/test-node-func/'
+        https_trigger_security_level: 'secure_always'
+
+    # Auth as the main account for integration and cleanup
+    - uses: 'google-github-actions/auth@main'
+      with:
+        credentials_json: '${{ secrets.DEPLOY_CF_SA_KEY_JSON }}'
+
+    - name: 'cleanup'
+      if: ${{ always() }}
+      env:
+        CLEANUP_FUNCTION_NAME: '${{ steps.deploy.outputs.id }}'
+      run: 'npm run cleanup'
+
   event_trigger:
     if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
     name: 'event_trigger'

README.md

@@ -133,6 +133,14 @@ jobs:
 
 - `max_instances`: (Optional) The maximum number of instances for the function.
 
+- `https_trigger_security_level`: (Optional) The security level for an
+  HTTP(s)trigger. If set to `"secure_always"`, the function will only be
+  accessible over the https protocol. If set to `"secure_optional"`, the
+  function will be accessible over the http and https protocols. The default
+  value is `"security_level_unspecified"`, which uses the platform's default
+  value. We recommend setting this value to `"secure_always"` unless you need
+  your function to be accessible over a non-TLS connection.
+
 - `event_trigger_type`: (Optional) Specifies which action should trigger the function. Defaults to creation of http trigger.
 
 - `event_trigger_resource`: (Optional) Specifies which resource from eventTrigger is observed.

action.yaml

@@ -105,7 +105,7 @@ inputs:
       resource name of a Google Secret Manager secret of the format
       "projects/p/secrets/s/versions/v". If the project is omitted, it will be
       inferred from the Cloud Function project ID. If the version is omitted, it
-      will default to "latest"
+      will default to "latest".
     required: false
 
   secret_volumes:
@@ -116,7 +116,7 @@ inputs:
       resource name of a Google Secret Manager secret of the format
       "projects/p/secrets/s/versions/v". If the project is omitted, it will be
       inferred from the Cloud Function project ID. If the version is omitted, it
-      will default to "latest"
+      will default to "latest".
     required: false
 
   service_account_email:
@@ -140,6 +140,16 @@ inputs:
       The maximum number of instances for the function.
     required: false
 
+  https_trigger_security_level:
+    description: |-
+      The security level for an HTTP(s) trigger. If set to "secure_always", the
+      function will only be accessible over the https protocol. If set to
+      "secure_optional", the function will be accessible over the http and https
+      protocols. The default value is "security_level_unspecified", which uses
+      the platform's default value.
+    default: "security_level_unspecified"
+    required: false
+
   event_trigger_type:
     description: |-
       Specifies which action should trigger the function.

src/main.ts

@@ -66,6 +66,9 @@ async function run(): Promise<void> {
     const timeout = parseDuration(getInput('timeout'));
     const maxInstances = presence(getInput('max_instances'));
     const minInstances = presence(getInput('min_instances'));
+    const httpsTriggerSecurityLevel = presence(
+      getInput('https_trigger_security_level'),
+    );
     const eventTriggerType = presence(getInput('event_trigger_type'));
     const eventTriggerResource = presence(getInput('event_trigger_resource'));
     const eventTriggerService = presence(getInput('event_trigger_service'));
@@ -111,6 +114,16 @@ async function run(): Promise<void> {
     }
 
     // Validation
+    if (
+      httpsTriggerSecurityLevel &&
+      httpsTriggerSecurityLevel.toUpperCase() != 'SECURITY_LEVEL_UNSPECIFIED' &&
+      eventTriggerType
+    ) {
+      throw new Error(
+        `Only one of 'https_trigger_security_level' or 'event_trigger_type' ` +
+          `may be specified.`,
+      );
+    }
     if (!sourceDir) {
       // Note: this validation will need to go away once we support deploying
       // from a docker repo.
@@ -211,6 +224,7 @@ async function run(): Promise<void> {
     };
 
     if (eventTriggerType && eventTriggerResource) {
+      // Set event trigger properties.
       cf.eventTrigger = {
         eventType: eventTriggerType,
         resource: eventTriggerResource,
@@ -233,7 +247,12 @@ async function run(): Promise<void> {
         `Event triggered functions must define 'event_trigger_type' and 'event_trigger_resource'`,
       );
     } else {
+      // Set https trigger properties.
       cf.httpsTrigger = {};
+
+      if (httpsTriggerSecurityLevel) {
+        cf.httpsTrigger.securityLevel = httpsTriggerSecurityLevel.toUpperCase();
+      }
     }
 
     // Deploy the Cloud Function