import pulumi
from pulumi_gcp import projects, storage, cloudfunctions, serviceaccount, cloudscheduler
# Stack configuration. Both values are read from the `gcp` config namespace
# and are required, so `Config.require` makes the program fail fast when
# either is unset instead of creating resources in the wrong place.
config = pulumi.Config('gcp')
project = config.require('project')
region = config.require('region')

# Google services that must be enabled before the resources below can be
# created. Each value starts as None and is replaced with its
# `projects.Service` resource by `enable_service_apis`, so later resources can
# list the entries in `depends_on`.
apis = dict.fromkeys(
    (
        'compute.googleapis.com',
        'logging.googleapis.com',
        'cloudfunctions.googleapis.com',
        'cloudbuild.googleapis.com',
        'cloudresourcemanager.googleapis.com',
        'cloudscheduler.googleapis.com',
    )
)
def enable_service_apis(apis):
    """Enable every Google API named by the keys of *apis* on the project.

    One ``projects.Service`` resource is created per key, with the Pulumi
    resource name taken from the first DNS label of the service
    (``compute.googleapis.com`` -> ``compute``). *apis* is updated in place
    so each key maps to its resource; callers use those entries in
    ``depends_on`` lists. Returns None. Uses the module-level ``project``.

    ``disable_dependent_services=True`` is passed through to the provider;
    per its documentation that also disables services depending on one being
    destroyed, so destroying this stack in a project shared with other
    workloads can switch off APIs they rely on.
    """
    enabled = {
        name: projects.Service(
            name.split('.')[0],
            service=name,
            project=project,
            disable_dependent_services=True,
        )
        for name in apis
    }
    apis.update(enabled)
# Register the API-enablement resources first; resources further down list
# entries of `apis` in their depends_on.
enable_service_apis(apis)

# Staging bucket for the function source archive. Only the location is set.
# NOTE(review): consider `uniform_bucket_level_access=True` so access to the
# uploaded source is governed by IAM only — confirm nothing depends on
# object ACLs first.
bucket = storage.Bucket('bucket', location=region)

# Zip the local ./resourcemanager directory and upload it to the bucket; the
# function below points at this object as its source.
source_archive = pulumi.asset.AssetArchive(
    {'.': pulumi.asset.FileArchive('./resourcemanager')}
)
py_bucket_object = storage.BucketObject(
    'python-zip',
    bucket=bucket.name,
    source=source_archive,
)
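# Runtime identity for the function. It is created before the function so the
# function's `service_account_email` and the IAM bindings can reference the
# account's outputs. The original wired the function to a hard-coded
# `resourcemanager@<project>.iam.gserviceaccount.com` string, which gave Pulumi
# no dependency edge on the account resource: on a fresh `pulumi up` the
# function could be created before the account existed. Resource names and
# the account_id are unchanged so existing state is not churned.
service_account = serviceaccount.Account(
    'python-serviceaccount',
    account_id='resourcemanager',
)
# IAM member string in the form GCP expects: "serviceAccount:<email>".
service_account_member = service_account.email.apply(
    lambda email: f'serviceAccount:{email}'
)

py_function = cloudfunctions.Function(
    'python-func',
    runtime='python38',
    source_archive_bucket=bucket.name,
    source_archive_object=py_bucket_object.name,
    entry_point='entry_point',
    trigger_http=True,
    # Plain-HTTP invocations are rejected at the trigger.
    https_trigger_security_level='SECURE_ALWAYS',
    available_memory_mb=128,
    # Environment variables are string-valued; the function reads this via
    # os.environ and receives a str either way, so pass it as one.
    environment_variables={'PROJECT_LIFETIME': '7'},
    service_account_email=service_account.email,
    opts=pulumi.ResourceOptions(
        depends_on=[
            apis['cloudfunctions.googleapis.com'],
            apis['cloudbuild.googleapis.com'],
            apis['cloudresourcemanager.googleapis.com'],
        ]
    ),
)

# Only this service account may invoke the function — there is no allUsers
# binding. The scheduler job presents an OIDC token for the same account.
invoker = cloudfunctions.FunctionIamMember(
    'python-invoker',
    project=py_function.project,
    region=py_function.region,
    cloud_function=py_function.name,
    role='roles/cloudfunctions.invoker',
    member=service_account_member,
)

# Project-level roles for the runtime identity. projectDeleter is destructive.
# NOTE(review): this grant is scoped to the function's own project — confirm
# that is the scope the function actually needs; deleting other projects would
# require the binding at folder/organization level instead.
for role in ['roles/resourcemanager.projectDeleter', 'roles/viewer']:
    projects.IAMMember(
        role.split('/')[-1],
        project=py_function.project,
        role=role,
        member=service_account_member,
    )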
# Scheduler: fires at minute 01 of every hour, London time, and calls the
# function's HTTPS trigger with a GET. Authentication is an OIDC token minted
# for `service_account`, the identity holding roles/cloudfunctions.invoker on
# the function. No explicit audience is set on the token.
oidc_token = cloudscheduler.JobHttpTargetOidcTokenArgs(
    service_account_email=service_account.email,
)
http_target = cloudscheduler.JobHttpTargetArgs(
    http_method="GET",
    uri=py_function.https_trigger_url,
    oidc_token=oidc_token,
)
job = cloudscheduler.Job(
    'python-scheduler',
    description='Resourcemanager Function Scheduler',
    schedule='01 * * * *',
    time_zone='Europe/London',
    http_target=http_target,
    opts=pulumi.ResourceOptions(
        depends_on=[apis['cloudscheduler.googleapis.com']],
    ),
)

# Expose the trigger URL as a stack output.
pulumi.export('cloud_function_trigger_url', py_function.https_trigger_url)