google_cloudfunctions_function base image policy fields (#14552) (#10448)

[upstream:f9f4fc5cf971a406015ecf994f8db33c6fa51d04]

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/14552.txt

@@ -0,0 +1 @@
+unknown: google_cloudfunctions_function base image policy fields 

google-beta/services/cloudfunctions/resource_cloudfunctions_function.go

@@ -508,11 +508,42 @@ func ResourceCloudFunctionsFunction() *schema.Resource {
 					},
 				},
 			},
+
+			"automatic_update_policy": {
+				Type:          schema.TypeList,
+				Optional:      true,
+				Computed:      true,
+				ConflictsWith: []string{"on_deploy_update_policy"},
+				MaxItems:      1,
+				Description:   `Security patches are applied automatically to the runtime without requiring the function to be redeployed.`,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{},
+				},
+			},
+
+			"on_deploy_update_policy": {
+				Type:          schema.TypeList,
+				Optional:      true,
+				ConflictsWith: []string{"automatic_update_policy"},
+				MaxItems:      1,
+				Description:   `Security patches are only applied when a function is redeployed.`,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"runtime_version": {
+							Type:        schema.TypeString,
+							Computed:    true,
+							Description: `The runtime version which was used during latest function deployment.`,
+						},
+					},
+				},
+			},
+
 			"status": {
 				Type:        schema.TypeString,
 				Computed:    true,
 				Description: `Describes the current stage of a deployment.`,
 			},
+
 			"version_id": {
 				Type:        schema.TypeString,
 				Computed:    true,
@@ -606,6 +637,14 @@ func resourceCloudFunctionsCreate(d *schema.ResourceData, meta interface{}) erro
 			"You must specify a trigger when deploying a new function.")
 	}
 
+	if v, ok := d.GetOk("automatic_update_policy"); ok {
+		function.AutomaticUpdatePolicy = expandAutomaticUpdatePolicy(v.([]interface{}))
+		function.OnDeployUpdatePolicy = nil
+	} else if v, ok := d.GetOk("on_deploy_update_policy"); ok {
+		function.OnDeployUpdatePolicy = expandOnDeployUpdatePolicy(v.([]interface{}))
+		function.AutomaticUpdatePolicy = nil
+	}
+
 	if v, ok := d.GetOk("ingress_settings"); ok {
 		function.IngressSettings = v.(string)
 	}
@@ -824,6 +863,25 @@ func resourceCloudFunctionsRead(d *schema.ResourceData, meta interface{}) error
 	if err := d.Set("version_id", strconv.FormatInt(function.VersionId, 10)); err != nil {
 		return fmt.Errorf("Error setting version_id: %s", err)
 	}
+	// check the on_deploy_update_policy first as it's mutually exclusive to automatice_update_policy, and the latter is system default
+	if function.OnDeployUpdatePolicy != nil {
+		if err := d.Set("on_deploy_update_policy", flattenOnDeployUpdatePolicy(function.OnDeployUpdatePolicy)); err != nil {
+			return fmt.Errorf("Error setting on_deploy_update_policy: %s", err)
+		}
+		function.AutomaticUpdatePolicy = nil
+		d.Set("automatic_update_policy", nil)
+	} else {
+		d.Set("on_deploy_update_policy", nil)
+	}
+
+	if function.AutomaticUpdatePolicy != nil {
+		if err := d.Set("automatic_update_policy", flattenAutomaticUpdatePolicy(function.AutomaticUpdatePolicy)); err != nil {
+			return fmt.Errorf("Error setting automatic_update_policy: %s", err)
+		}
+		d.Set("on_deploy_update_policy", nil)
+	} else {
+		d.Set("automatic_update_policy", nil)
+	}
 
 	return nil
 }
@@ -980,6 +1038,22 @@ func resourceCloudFunctionsUpdate(d *schema.ResourceData, meta interface{}) erro
 		updateMaskArr = append(updateMaskArr, "buildServiceAccount")
 	}
 
+	if d.HasChange("automatic_update_policy") {
+		function.AutomaticUpdatePolicy = expandAutomaticUpdatePolicy(d.Get("automatic_update_policy").([]interface{}))
+		if function.AutomaticUpdatePolicy != nil {
+			function.OnDeployUpdatePolicy = nil
+		}
+		updateMaskArr = append(updateMaskArr, "automatic_update_policy")
+	}
+
+	if d.HasChange("on_deploy_update_policy") {
+		function.OnDeployUpdatePolicy = expandOnDeployUpdatePolicy(d.Get("on_deploy_update_policy").([]interface{}))
+		if function.OnDeployUpdatePolicy != nil {
+			function.AutomaticUpdatePolicy = nil
+		}
+		updateMaskArr = append(updateMaskArr, "on_deploy_update_policy")
+	}
+
 	if len(updateMaskArr) > 0 {
 		log.Printf("[DEBUG] Send Patch CloudFunction Configuration request: %#v", function)
 		updateMask := strings.Join(updateMaskArr, ",")
@@ -1248,3 +1322,42 @@ func flattenSecretVersion(secretVersions []*cloudfunctions.SecretVersion) []map[
 	}
 	return result
 }
+
+func expandAutomaticUpdatePolicy(configured []interface{}) *cloudfunctions.AutomaticUpdatePolicy {
+	if len(configured) == 0 {
+		return nil
+	}
+	return &cloudfunctions.AutomaticUpdatePolicy{}
+}
+
+func flattenAutomaticUpdatePolicy(policy *cloudfunctions.AutomaticUpdatePolicy) []map[string]interface{} {
+	result := make([]map[string]interface{}, 0, 1)
+	if policy == nil {
+		return nil
+	}
+	// Have to append an empty element for empty message type
+	result = append(result, map[string]interface{}{})
+	return result
+}
+
+func expandOnDeployUpdatePolicy(configured []interface{}) *cloudfunctions.OnDeployUpdatePolicy {
+	if len(configured) == 0 {
+		return nil
+	}
+	return &cloudfunctions.OnDeployUpdatePolicy{}
+}
+
+func flattenOnDeployUpdatePolicy(policy *cloudfunctions.OnDeployUpdatePolicy) []map[string]interface{} {
+	result := make([]map[string]interface{}, 0, 1)
+	if policy == nil {
+		return nil
+	}
+
+	result = append(result, map[string]interface{}{
+		"runtime_version": policy.RuntimeVersion,
+	})
+
+	log.Printf("flatten on_deploy_update_policy to: %s", result)
+
+	return result
+}

google-beta/services/cloudfunctions/resource_cloudfunctions_function_meta.yaml

@@ -51,3 +51,5 @@ fields:
   - field: 'version_id'
   - field: 'vpc_connector'
   - field: 'vpc_connector_egress_settings'
+  - field: 'automatic_update_policy'
+  - field: 'on_deploy_update_policy.runtime_version'

google-beta/services/cloudfunctions/resource_cloudfunctions_function_test.go

@@ -640,6 +640,70 @@ func TestAccCloudFunctionsFunction_buildServiceAccount(t *testing.T) {
 	})
 }
 
+func TestAccCloudFunctionsFunction_abiuCRUD(t *testing.T) {
+	t.Parallel()
+
+	var function cloudfunctions.CloudFunction
+
+	funcResourceName := "google_cloudfunctions_function.function"
+	functionName := fmt.Sprintf("tf-test-%s", acctest.RandString(t, 10))
+	bucketName := fmt.Sprintf("tf-test-bucket-%d", acctest.RandInt(t))
+	zipFilePath := acctest.CreateZIPArchiveForCloudFunctionSource(t, testHTTPTriggerPath)
+	defer os.Remove(zipFilePath) // clean up
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudFunctionsFunction_abiuAutomatic(functionName, bucketName, zipFilePath),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCloudFunctionsFunctionExists(
+						t, funcResourceName, &function),
+					resource.TestCheckResourceAttrSet(funcResourceName,
+						"automatic_update_policy.#"),
+				),
+			},
+			{
+				ResourceName:            funcResourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"build_environment_variables", "labels", "terraform_labels"},
+			},
+			{
+				Config: testAccCloudFunctionsFunction_abiuOndeploy(functionName, bucketName, zipFilePath),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCloudFunctionsFunctionExists(
+						t, funcResourceName, &function),
+					resource.TestCheckResourceAttrSet(funcResourceName,
+						"on_deploy_update_policy.#"),
+				),
+			},
+			{
+				ResourceName:            funcResourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"build_environment_variables", "labels", "terraform_labels"},
+			},
+			{
+				Config: testAccCloudFunctionsFunction_basic(functionName, bucketName, zipFilePath),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCloudFunctionsFunctionExists(
+						t, funcResourceName, &function),
+					resource.TestCheckResourceAttrSet(funcResourceName,
+						"automatic_update_policy.#"),
+				),
+			},
+			{
+				ResourceName:            funcResourceName,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"build_environment_variables", "labels", "terraform_labels"},
+			},
+		},
+	})
+}
+
 func testAccCheckCloudFunctionsFunctionDestroyProducer(t *testing.T) func(s *terraform.State) error {
 	return func(s *terraform.State) error {
 		config := acctest.GoogleProviderConfig(t)
@@ -1510,3 +1574,87 @@ resource "google_cloudfunctions_function" "function" {
 }
 `, bucketName, zipFilePath, saName, serviceAccount, functionName)
 }
+
+func testAccCloudFunctionsFunction_abiuAutomatic(functionName string, bucketName string, zipFilePath string) string {
+	return fmt.Sprintf(`
+resource "google_storage_bucket" "bucket" {
+  name     = "%s"
+  location = "US"
+  uniform_bucket_level_access = true
+}
+
+resource "google_storage_bucket_object" "archive" {
+  name   = "index.zip"
+  bucket = google_storage_bucket.bucket.name
+  source = "%s"
+}
+
+resource "google_cloudfunctions_function" "function" {
+  name                  = "%s"
+  runtime               = "nodejs20"
+  description           = "test function"
+  docker_registry       = "ARTIFACT_REGISTRY"
+  available_memory_mb   = 128
+  source_archive_bucket = google_storage_bucket.bucket.name
+  source_archive_object = google_storage_bucket_object.archive.name
+  trigger_http          = true
+  timeout               = 61
+  entry_point           = "helloGET"
+  ingress_settings      = "ALLOW_INTERNAL_ONLY"
+  labels = {
+    my-label = "my-label-value"
+  }
+  environment_variables = {
+    TEST_ENV_VARIABLE = "test-env-variable-value"
+  }
+  build_environment_variables = {
+    TEST_ENV_VARIABLE = "test-build-env-variable-value"
+  }
+  automatic_update_policy {}
+  max_instances = 10
+  min_instances = 3
+}
+`, bucketName, zipFilePath, functionName)
+}
+
+func testAccCloudFunctionsFunction_abiuOndeploy(functionName string, bucketName string, zipFilePath string) string {
+	return fmt.Sprintf(`
+resource "google_storage_bucket" "bucket" {
+  name     = "%s"
+  location = "US"
+  uniform_bucket_level_access = true
+}
+
+resource "google_storage_bucket_object" "archive" {
+  name   = "index.zip"
+  bucket = google_storage_bucket.bucket.name
+  source = "%s"
+}
+
+resource "google_cloudfunctions_function" "function" {
+  name                  = "%s"
+  runtime               = "nodejs20"
+  description           = "test function"
+  docker_registry       = "ARTIFACT_REGISTRY"
+  available_memory_mb   = 128
+  source_archive_bucket = google_storage_bucket.bucket.name
+  source_archive_object = google_storage_bucket_object.archive.name
+  trigger_http          = true
+  timeout               = 61
+  entry_point           = "helloGET"
+  ingress_settings      = "ALLOW_INTERNAL_ONLY"
+  labels = {
+    my-label = "my-label-value"
+  }
+  environment_variables = {
+    TEST_ENV_VARIABLE = "test-env-variable-value"
+  }
+  build_environment_variables = {
+    TEST_ENV_VARIABLE = "test-build-env-variable-value"
+  }
+  on_deploy_update_policy {}
+  max_instances = 10
+  min_instances = 3
+}
+`, bucketName, zipFilePath, functionName)
+}

website/docs/r/cloudfunctions_function.html.markdown

@@ -193,6 +193,10 @@ Please refer to the field 'effective_labels' for all of the labels present on th
 
 * `secret_volumes` - (Optional) Secret volumes configuration. Structure is [documented below](#nested_secret_volumes).
 
+* `automatic_update_policy` - (Optional) Security patches are applied automatically to the runtime without requiring the function to be redeployed. This should be specified as an empty block and cannot be set alongside `on_deploy_update_policy`.
+
+* `on_deploy_update_policy` - (Optional) Security patches are only applied when a function is redeployed. This should be specified as an empty block and cannot be set alongside `automatic_update_policy`. Structure is [documented below](#nested_on_deploy_update_policy).
+
 <a name="nested_event_trigger"></a>The `event_trigger` block supports:
 
 * `event_type` - (Required) The type of event to observe. For example: `"google.storage.object.finalize"`.
@@ -226,6 +230,10 @@ which to observe events. For example, `"myBucket"` or `"projects/my-project/topi
 
 * `version` - (Required) Version of the secret (version number or the string "latest"). It is recommended to use a numeric version for secret environment variables as any updates to the secret value is not reflected until new clones start.
 
+<a name="nested_on_deploy_update_policy"></a>The `on_deploy_update_policy` block supports:
+
+* `runtime_version` - (Output) The runtime version which was used during latest function deployment.
+
 <a name="nested_secret_volumes"></a>The `secret_volumes` block supports:
 
 * `mount_path` - (Required) The path within the container to mount the secret volume. For example, setting the mount_path as "/etc/secrets" would mount the secret value files under the "/etc/secrets" directory. This directory will also be completely shadowed and unavailable to mount any other secrets. Recommended mount paths: "/etc/secrets" Restricted mount paths: "/cloudsql", "/dev/log", "/pod", "/proc", "/var/log".