1. How do I use TLS with Google Cloud Functions?


    To secure Google Cloud Functions with TLS, you'll follow these high-level steps:

    1. Deploy a Google Cloud Function.
    2. Set up a Google Cloud Load Balancer (since Google Cloud Functions doesn't directly expose TLS settings).
    3. Attach SSL certificates to the Load Balancer.
    4. Attach the Load Balancer to the Cloud Function through a Serverless Network Endpoint Group (NEG).

    Pulumi does not currently have a high-level module for setting up a Google Cloud Load Balancer. But there's a way to do it by creating individual components manually.

    Here is a high-level pseudo-code version of what you need to do. Please convert this to real code:

    ```go
    package main

    import (
    	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/cloudfunctions"
    	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/compute"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )

    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Create a cloud function
    		function, err := cloudfunctions.NewFunction(ctx, "function", &cloudfunctions.FunctionArgs{
    			// ...
    		})
    		if err != nil {
    			return err
    		}

    		// Create a serverless network endpoint group attached to the cloud function.
    		// Serverless NEGs are regional and reference the function by name.
    		neg, err := compute.NewRegionNetworkEndpointGroup(ctx, "neg", &compute.RegionNetworkEndpointGroupArgs{
    			NetworkEndpointType: pulumi.String("SERVERLESS"),
    			Region:              function.Region,
    			CloudFunction: &compute.RegionNetworkEndpointGroupCloudFunctionArgs{
    				Function: function.Name,
    			},
    		})
    		if err != nil {
    			return err
    		}

    		// Create managed SSL Certificate
    		sslCert, err := compute.NewManagedSslCertificate(ctx, "sslCert", &compute.ManagedSslCertificateArgs{
    			// ...
    		})
    		if err != nil {
    			return err
    		}

    		// Create HTTPS Load Balancer resources
    		// - Backend Service (global, to match the global forwarding rule below)
    		backendService, err := compute.NewBackendService(ctx, "backendService", &compute.BackendServiceArgs{
    			// ...
    		})
    		if err != nil {
    			return err
    		}

    		// - URL Map
    		urlMap, err := compute.NewURLMap(ctx, "urlMap", &compute.URLMapArgs{
    			// ...
    		})
    		if err != nil {
    			return err
    		}

    		// - Target HTTPS Proxy
    		targetProxy, err := compute.NewTargetHttpsProxy(ctx, "targetProxy", &compute.TargetHttpsProxyArgs{
    			UrlMap:          urlMap.ID(),
    			SslCertificates: pulumi.StringArray{sslCert.SelfLink},
    			SslPolicy:       pulumi.String("TODO"), // Put your SSL Policy
    		})
    		if err != nil {
    			return err
    		}

    		// - Global Forwarding Rule
    		// IpAddress is omitted, so an ephemeral address is assigned.
    		_, err = compute.NewGlobalForwardingRule(ctx, "forwardingRule", &compute.GlobalForwardingRuleArgs{
    			Target:    targetProxy.SelfLink,
    			PortRange: pulumi.String("443-443"), // HTTPS Default Port
    		})
    		if err != nil {
    			return err
    		}

    		// Finish
    		return nil
    	})
    }
    ```

    This program will run and deploy the following resources:

    • A Google Cloud Function
    • A Serverless Network Endpoint Group (NEG)
    • A managed SSL Certificate
    • HTTPS Load Balancer consisting of backend services, a URL map, a target HTTPS proxy, and a global forwarding rule

    Before running this Pulumi program, you’ll need to ensure you have configured Pulumi for Google Cloud and replaced the placeholders (TODO) with appropriate values.

    I have omitted various configuration options for brevity. Please refer to the official Google Cloud and Google Compute package documentation for specific settings.

    Disclaimer: This is pseudo-code, not final working code. However, it contains references to all necessary components and can serve as a base for your real implementation.
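
The `SslPolicy` placeholder on the target HTTPS proxy controls which TLS protocol versions the load balancer accepts, so it is worth checking after deployment. The following is an added example (not part of the original answer or of Pulumi's code) that probes an endpoint one protocol version at a time using only the Go standard library; the function names, the 5-second timeout, and the local `httptest` server standing in for the load balancer are assumptions made for the illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// acceptedTLSVersions attempts one handshake per protocol version against
// addr ("host:443") and returns the versions the endpoint accepted.
// roots == nil selects the system trust store.
func acceptedTLSVersions(addr string, roots *x509.CertPool) []string {
	accepted := []string{}
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	// Wire values 0x0301..0x0304 are TLS 1.0..1.3, so the minor version is v-0x0301.
	for v := uint16(tls.VersionTLS10); v <= tls.VersionTLS13; v++ {
		// Pinning Min and Max to one version is deliberate: this is a probe.
		cfg := &tls.Config{MinVersion: v, MaxVersion: v, RootCAs: roots}
		conn, err := tls.DialWithDialer(dialer, "tcp", addr, cfg)
		if err != nil {
			continue // no handshake at this version (or the dial itself failed)
		}
		conn.Close()
		accepted = append(accepted, fmt.Sprintf("TLS 1.%d", v-tls.VersionTLS10))
	}
	return accepted
}

// probeStandIn starts a constructed local HTTPS server whose MinVersion plays
// the role of the load balancer's SSL policy floor, then probes it.
func probeStandIn(minVersion uint16) []string {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{MinVersion: minVersion}
	srv.StartTLS()
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust the test server's own certificate
	return acceptedTLSVersions(srv.Listener.Addr().String(), roots)
}

func main() {
	fmt.Println("floor TLS 1.2:", probeStandIn(tls.VersionTLS12))
	fmt.Println("floor TLS 1.3:", probeStandIn(tls.VersionTLS13))
}
```

Against a real deployment, pass the load balancer's own `host:443` and `nil` roots to `acceptedTLSVersions` so the managed certificate is verified against the system trust store.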