How do I use TLS with Google Cloud Functions?

Question

Pulumi · Accepted Answer

To secure Google Cloud Functions with TLS, you'll follow these high-level steps:

1. Deploy a Google Cloud Function.
2. Setup Google Cloud Load Balancer (since Google Cloud Functions doesn't directly expose TLS settings).
3. Configure SSL certificates to the Load Balancer.
4. Attach the Load Balancer to the Cloud Function through a Serverless Network Endpoint Group (NEG).

Pulumi does not currently have a high-level module for setting up a Google Cloud Load Balancer. But there's a way to do it by creating individual components manually.

Here is a high-level pseudo-code version of what you need to do. Please convert this to real code:

```go
import (
  gcp "github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp"
  pulumi "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
  pulumi.Run(func(ctx *pulumi.Context) error {

// Create a cloud function
    function, err := gcp.cloudfunctions.NewFunction(ctx, "function", &gcp.cloudfunctions.FunctionArgs{ ... })
    if err != nil { return err }

// Create a serverless network endpoint group attached to the cloud function
    neg, err := gcp.compute.NewGlobalNetworkEndpointGroup(ctx, "neg", &gcp.compute.GlobalNetworkEndpointGroupArgs{
      GlobalNetworkEndpointType: pulumi.String("SERVERLESS"),
      ServerlessFunction: &compute.GlobalNetworkEndpointGroupServerlessFunction{
          Function: function.HttpsTriggerUrl,
      },
    })
    if err != nil { return err }
    
    // Create managed SSL Certificate
    sslCert, err := gcp.compute.NewManagedSslCertificate(ctx, "sslCert", &gcp.compute.ManagedSslCertificateArgs{ ... })
    if err != nil { return err }

// Create HTTPS Load Balancer resources
    // - Backend Services
    backendService, err := gcp.compute.NewRegionBackendService(ctx, "backendService", &gcp.compute.RegionBackendServiceArgs{ ... })
    if err != nil { return err }
    // - URL Map
    urlMap, err := gcp.compute.NewUrlMap(ctx, "urlMap", &gcp.compute.UrlMapArgs{ ... })
    if err != nil { return err }
    // - Target HTTPS Proxy
    targetProxy, err := gcp.compute.NewTargetHttpsProxy(ctx, "targetProxy", &gcp.compute.TargetHttpsProxyArgs{
      UrlMap:      urlMap.ID(),
      SslCertificates: []pulumi.Input{sslCert.SelfLink},
      SslPolicy:       pulumi.String("TODO") // Put your SSL Policy
    })
    if err != nil { return err }
    // - Global Forwarding Rule
    _, err := gcp.compute.NewGlobalForwardingRule(ctx, "forwardingRule", &gcp.compute.GlobalForwardingRuleArgs{
      IPAddress: pulumi.String("0.0.0.0"), // Wildcard IP
      Target:    targetProxy.SelfLink,
      PortRange: pulumi.String("443-443"), // HTTPS Default Port
    })
    if err != nil { return err }

// Finish
    return nil
  })
}
```

This program will run and deploy the following resources:
* A Google Cloud Function
* A Serverless Network Endpoint Group (NEG)
* A managed SSL Certificate
* HTTPS Load Balancer consisting of backend services, a URL map, a target HTTPS proxy, and a global forwarding rule

Before running this Pulumi program, you’ll need to ensure you have [configured Pulumi for Google Cloud](https://www.pulumi.com/docs/intro/cloud-providers/gcp/setup/) and replaced the placeholders (`TODO`) with appropriate values.

I have omitted various configuration options for brevity. Please refer to the official [Google Cloud](https://www.pulumi.com/docs/reference/pkg/gcp/), and [Google Compute](https://www.pulumi.com/docs/reference/pkg/gcp/compute) packages documentation for specific settings.

**Disclaimer:** This is a pseudo-code and not a final working code. However, it contains references to all necessary components and can serve as a base for your real implementation.