Integrating Cloud Functions with GCP Endpoints
Integrating Cloud Functions with Google Cloud Platform (GCP) Endpoints is a typical use case: you create a Cloud Function to handle backend logic and then expose that function through an API endpoint. Cloud Endpoints provides API management, letting you create, deploy, and manage APIs. When those APIs are called, they execute the corresponding Cloud Functions. Below, I will show you how to create a GCP Cloud Function and set up an Endpoint service for it using Pulumi in Python.
Here's what we will do:
- Create a Cloud Function: This function will have some basic logic, for example, to return a "Hello, World!" message. The function will be triggered via HTTP, making it accessible over the web.
- Define an Endpoint Service: This will involve creating a configuration that defines how the Cloud Function can be accessed through the endpoint API, including the path, methods, and other settings.
- Deploy the Endpoint Service: Once you have the Cloud Function and configuration ready, you will deploy the endpoint service so that it starts routing requests to your function.
For the purpose of this example, we assume that you have already set up GCP with Pulumi and configured your authentication credentials.
Below is a Python program implementing these steps:
```python
import json

import pulumi
import pulumi_gcp as gcp

# Step 1: Create a Cloud Function that returns "Hello, World!"
content = """
def hello_world(request):
    return 'Hello, World!'
"""

# Bucket that holds the function's source archive (a location is required).
bucket = gcp.storage.Bucket('bucket', location='US')

source_archive_object = gcp.storage.BucketObject('source-archive-object',
    bucket=bucket.name,
    # The Python runtime loads the entry point from main.py.
    source=pulumi.AssetArchive({
        'main.py': pulumi.StringAsset(content)
    })
)

cloud_function = gcp.cloudfunctions.Function('hello-world-function',
    entry_point='hello_world',
    runtime='python37',  # older runtime ID; use a currently supported Python runtime
    source_archive_bucket=bucket.name,
    source_archive_object=source_archive_object.name,
    trigger_http=True,
    available_memory_mb=128,
)

# Make the cloud function public (This is optional and not recommended for production)
iam_member = gcp.cloudfunctions.FunctionIamMember('function-iam-member',
    project=cloud_function.project,
    region=cloud_function.region,
    cloud_function=cloud_function.name,
    role='roles/cloudfunctions.invoker',
    member='allUsers',
)

# Step 2: Define the API service configuration
service_name = 'hello-world-api.endpoints.<project-id>.cloud.goog'


def openapi_document(function_url):
    # gcp.endpoints.Service takes the OpenAPI document as a string.
    # x-google-backend routes GET /hello to the Cloud Function.
    return f"""swagger: "2.0"
info:
  title: Hello World API
  version: 1.0.0
host: {service_name}
schemes:
  - https
paths:
  /hello:
    get:
      operationId: hello
      x-google-backend:
        address: {function_url}
      responses:
        "200":
          description: OK
"""


api_config = gcp.endpoints.Service('api-service',
    service_name=service_name,
    openapi_config=cloud_function.https_trigger_url.apply(openapi_document),
)

# Step 3: Set the IAM policy on the deployed Endpoint Service
api_deployment = gcp.endpoints.ServiceIamPolicy('api-deployment',
    service_name=api_config.service_name,
    policy_data=json.dumps({
        "bindings": [{
            "role": "roles/endpoints.portalAdmin",
            # IAM members are identities, not URLs; replace the placeholder
            # with the e-mail of the service account that should hold the role.
            "members": ["serviceAccount:<service-account-email>"],
        }]
    }),
)

# Export the function URL and the API management URL
pulumi.export('function_url', cloud_function.https_trigger_url)
pulumi.export('api_endpoint', api_config.service_name)
```
This program does the following:
- The `cloud_function` resource is where the function logic resides. For now, it just returns a string, though in real-world scenarios you might have it interact with other services or do data processing.
- The `api_config` resource defines how the Cloud Function is exposed via an API endpoint. It uses the OpenAPI specification to describe the paths and methods available.
- The `api_deployment` resource applies an IAM policy to the API service. This policy sets permissions on the Endpoints service itself; permission to invoke the function is granted separately, through the `roles/cloudfunctions.invoker` binding in `iam_member`.
- The `pulumi.export` statements at the end output the URLs for the function and the endpoint, so you can invoke the function via the HTTP endpoint.
Please replace `<project-id>` with your actual GCP project ID to configure the service name for the API correctly.

Keep in mind that you should not make the Cloud Function publicly invokable in production unless it's intended to be available without any authentication. This is configured in the `iam_member` resource, where `member` is set to `'allUsers'`. For more secure implementations, you would restrict access to authorized identities only.

This program is basic and intended for demonstration purposes. Depending on your actual use case, you'd have more complex function logic, possibly include other GCP services, and secure the Cloud Function's invoker role accordingly.
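A check that catches the `allUsers` invoker grant discussed above before it reaches production, written here as an added example (not part of the original program). It audits an IAM policy dict in the `bindings`/`members` shape of IAM policy JSON; the function names, the sample policies and the `example-project` service account are constructed for illustration, and the member-format regex is a simplification rather than the full IAM member grammar.

```python
import re

# Principals that open a binding to anyone, or to any signed-in Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
INVOKER_ROLE = "roles/cloudfunctions.invoker"
# Simplified shape check for e-mail style members (assumption, not the full grammar).
EMAIL_MEMBER = re.compile(r"^(user|group|serviceAccount):[^@\s/:]+@[^@\s/:]+\.[^@\s/:]+$")
EMAIL_PREFIXES = ("user:", "group:", "serviceAccount:")


def audit_policy(policy):
    """Return findings for public grants and members that are not identities."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                # A public grant on the invoker role is the case the text warns
                # about; on any other role it still deserves a review.
                severity = "high" if role == INVOKER_ROLE else "review"
                findings.append({"severity": severity, "role": role,
                                 "member": member, "issue": "public principal"})
            elif member.startswith(EMAIL_PREFIXES) and not EMAIL_MEMBER.match(member):
                findings.append({"severity": "review", "role": role,
                                 "member": member, "issue": "member is not an identity"})
    return findings


def is_publicly_invokable(policy):
    """True when the invoker role is granted to a public principal."""
    return any(f["severity"] == "high" for f in audit_policy(policy))


# Constructed sample policies.
PUBLIC_POLICY = {"bindings": [
    {"role": INVOKER_ROLE, "members": ["allUsers"]}]}
RESTRICTED_POLICY = {"bindings": [
    {"role": INVOKER_ROLE,
     "members": ["serviceAccount:gateway@example-project.iam.gserviceaccount.com"]}]}
MALFORMED_POLICY = {"bindings": [
    {"role": INVOKER_ROLE, "members": ["serviceAccount:https://example.invalid/hello"]}]}

if __name__ == "__main__":
    for name, policy in [("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY),
                         ("malformed", MALFORMED_POLICY)]:
        print(name, audit_policy(policy))
```

Run it in CI against the policy your deployment would apply and fail the build when `is_publicly_invokable` returns `True` for a function that is not meant to be public.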