How do I use TLS with Google Cloud Functions?
To secure Google Cloud Functions with TLS, you'll follow these high-level steps:
- Deploy a Google Cloud Function.
- Set up a Google Cloud Load Balancer (since Google Cloud Functions doesn't directly expose TLS settings).
- Configure SSL certificates on the Load Balancer.
- Attach the Load Balancer to the Cloud Function through a Serverless Network Endpoint Group (NEG).
Pulumi does not currently have a high-level module for setting up a Google Cloud Load Balancer. But there's a way to do it by creating individual components manually.
Here is a high-level pseudo-code version of what you need to do. Please convert this to real code:
```go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/cloudfunctions"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/compute"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Create a cloud function
		function, err := cloudfunctions.NewFunction(ctx, "function", &cloudfunctions.FunctionArgs{
			// ...
		})
		if err != nil {
			return err
		}

		// Create a serverless network endpoint group attached to the cloud function.
		// Serverless NEGs are regional and reference the function by name.
		neg, err := compute.NewRegionNetworkEndpointGroup(ctx, "neg", &compute.RegionNetworkEndpointGroupArgs{
			NetworkEndpointType: pulumi.String("SERVERLESS"),
			Region:              function.Region,
			CloudFunction: &compute.RegionNetworkEndpointGroupCloudFunctionArgs{
				Function: function.Name,
			},
		})
		if err != nil {
			return err
		}

		// Create managed SSL Certificate
		sslCert, err := compute.NewManagedSslCertificate(ctx, "sslCert", &compute.ManagedSslCertificateArgs{
			// ...
		})
		if err != nil {
			return err
		}

		// Create HTTPS Load Balancer resources
		// - Backend Service (global, to match the global forwarding rule; uses neg as its backend)
		backendService, err := compute.NewBackendService(ctx, "backendService", &compute.BackendServiceArgs{
			// ...
		})
		if err != nil {
			return err
		}

		// - URL Map (routes to backendService)
		urlMap, err := compute.NewURLMap(ctx, "urlMap", &compute.URLMapArgs{
			// ...
		})
		if err != nil {
			return err
		}

		// - Target HTTPS Proxy
		targetProxy, err := compute.NewTargetHttpsProxy(ctx, "targetProxy", &compute.TargetHttpsProxyArgs{
			UrlMap:          urlMap.ID(),
			SslCertificates: pulumi.StringArray{sslCert.SelfLink},
			SslPolicy:       pulumi.String("TODO"), // Put your SSL Policy
		})
		if err != nil {
			return err
		}

		// - Global Forwarding Rule
		// IpAddress is left unset, so an ephemeral address is assigned.
		_, err = compute.NewGlobalForwardingRule(ctx, "forwardingRule", &compute.GlobalForwardingRuleArgs{
			Target:    targetProxy.SelfLink,
			PortRange: pulumi.String("443-443"), // HTTPS Default Port
		})
		if err != nil {
			return err
		}

		// Finish
		return nil
	})
}
```
This program will run and deploy the following resources:
- A Google Cloud Function
- A Serverless Network Endpoint Group (NEG)
- A managed SSL Certificate
- HTTPS Load Balancer consisting of backend services, a URL map, a target HTTPS proxy, and a global forwarding rule
Before running this Pulumi program, you'll need to ensure you have configured Pulumi for Google Cloud and replaced the placeholders (`TODO`) with appropriate values. I have omitted various configuration options for brevity. Please refer to the official documentation for the Google Cloud and Google Compute packages for specific settings.
Disclaimer: This is a pseudo-code and not a final working code. However, it contains references to all necessary components and can serve as a base for your real implementation.
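Once the load balancer is deployed, the SSL policy attached to the target HTTPS proxy decides which protocol versions clients can negotiate. The following added example (not part of the original answer, and independent of Pulumi) probes an endpoint one TLS version at a time and checks the result against a required minimum; `AcceptedVersions`, `MeetsMinimum` and `newStandIn` are hypothetical helper names, and a local test server stands in for the load balancer.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Protocol versions to probe, oldest first.
var versions = []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13}

// AcceptedVersions pins the client to one protocol version per handshake and
// returns the versions the server accepted, oldest first. skipVerify disables
// certificate checks and is meant only for the self-signed local stand-in.
func AcceptedVersions(addr string, skipVerify bool) []uint16 {
	var accepted []uint16
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	for _, v := range versions {
		cfg := &tls.Config{MinVersion: v, MaxVersion: v, InsecureSkipVerify: skipVerify}
		if conn, err := tls.DialWithDialer(dialer, "tcp", addr, cfg); err == nil {
			conn.Close()
			accepted = append(accepted, v)
		}
	}
	return accepted
}

// MeetsMinimum is true when at least one handshake succeeded and the oldest
// accepted version is not below floor.
func MeetsMinimum(accepted []uint16, floor uint16) bool {
	return len(accepted) > 0 && accepted[0] >= floor
}

// newStandIn starts a local TLS server (a constructed stand-in for the load
// balancer) that refuses protocol versions below floor.
func newStandIn(floor uint16) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{MinVersion: floor}
	srv.StartTLS()
	return srv
}

func main() {
	srv := newStandIn(tls.VersionTLS12)
	defer srv.Close()
	accepted := AcceptedVersions(srv.Listener.Addr().String(), true)
	// 0x0303 is TLS 1.2 and 0x0304 is TLS 1.3.
	fmt.Printf("accepted %#04x, meets TLS 1.2 minimum: %v\n", accepted, MeetsMinimum(accepted, tls.VersionTLS12))
}
```

Against a real deployment, pass the load balancer's `host:443` as `addr` and set `skipVerify` to `false` so the certificate is validated as well.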