// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.functions.v1;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/cloud/functions/v1/operations.proto";
import "google/iam/v1/iam_policy.proto";
import "google/iam/v1/policy.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";

option go_package = "cloud.google.com/go/functions/apiv1/functionspb;functionspb";
option java_multiple_files = true;
option java_outer_classname = "FunctionsProto";
option java_package = "com.google.cloud.functions.v1";
option objc_class_prefix = "GCF";

// Artifact Registry repository resource type. Declared here so that fields in
// this file (e.g. `CloudFunction.docker_repository`) can reference it.
option (google.api.resource_definition) = {
  type: "artifactregistry.googleapis.com/Repository"
  pattern: "projects/{project}/locations/{location}/repositories/{repository}"
};

// Cloud KMS crypto key resource type. Declared here so that the
// `kms_key_name` fields in this file can reference it.
option (google.api.resource_definition) = {
  type: "cloudkms.googleapis.com/CryptoKey"
  pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}"
};

// A service that applications use to manipulate triggers and functions.
service CloudFunctionsService {
  option (google.api.default_host) = "cloudfunctions.googleapis.com";

  // NOTE(review): `cloud-platform` is the only scope declared for the whole
  // service, so the scope does not distinguish read-only from mutating
  // methods; per-method authorization presumably relies on IAM permissions.
  // Confirm against the service's access-control documentation.
  option (google.api.oauth_scopes) =
      "https://www.googleapis.com/auth/cloud-platform";

  // Returns a list of functions that belong to the requested project.
  rpc ListFunctions(ListFunctionsRequest) returns (ListFunctionsResponse) {
    option (google.api.http) = {
      get: "/v1/{parent=projects/*/locations/*}/functions"
    };
  }

  // Returns a function with the given name from the requested project.
  rpc GetFunction(GetFunctionRequest) returns (CloudFunction) {
    option (google.api.http) = {
      get: "/v1/{name=projects/*/locations/*/functions/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a new function. If a function with the given name already exists in
  // the specified project, the long running operation will return
  // `ALREADY_EXISTS` error.
  rpc CreateFunction(CreateFunctionRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1/{location=projects/*/locations/*}/functions"
      body: "function"
    };
    option (google.api.method_signature) = "location,function";
    option (google.longrunning.operation_info) = {
      response_type: "CloudFunction"
      metadata_type: "OperationMetadataV1"
    };
  }

  // Updates an existing function.
  rpc UpdateFunction(UpdateFunctionRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1/{function.name=projects/*/locations/*/functions/*}"
      body: "function"
    };
    option (google.api.method_signature) = "function";
    option (google.longrunning.operation_info) = {
      response_type: "CloudFunction"
      metadata_type: "OperationMetadataV1"
    };
  }

  // Deletes a function with the given name from the specified project. If the
  // given function is used by some trigger, the trigger will be updated to
  // remove this function.
  rpc DeleteFunction(DeleteFunctionRequest)
      returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1/{name=projects/*/locations/*/functions/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "OperationMetadataV1"
    };
  }

  // Synchronously invokes a deployed Cloud Function. To be used for testing
  // purposes as very limited traffic is allowed. For more information on
  // the actual limits, refer to
  // [Rate Limits](https://cloud.google.com/functions/quotas#rate_limits).
  rpc CallFunction(CallFunctionRequest) returns (CallFunctionResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/functions/*}:call"
      body: "*"
    };
    option (google.api.method_signature) = "name,data";
  }

  // Returns a signed URL for uploading a function source code.
  // For more information about the signed URL usage see:
  // https://cloud.google.com/storage/docs/access-control/signed-urls.
  // Once the function source code upload is complete, the used signed
  // URL should be provided in CreateFunction or UpdateFunction request
  // as a reference to the function source code.
  //
  // When uploading source code to the generated signed URL, please follow
  // these restrictions:
  //
  // * Source file type should be a zip file.
  // * Source file size should not exceed 100MB limit.
  // * No credentials should be attached - the signed URLs provide access to the
  //   target bucket using internal service identity; if credentials were
  //   attached, the identity from the credentials would be used, but that
  //   identity does not have permissions to upload files to the URL.
  //
  // When making a HTTP PUT request, these two headers need to be specified:
  //
  // * `content-type: application/zip`
  // * `x-goog-content-length-range: 0,104857600`
  //
  // And this header SHOULD NOT be specified:
  //
  // * `Authorization: Bearer YOUR_TOKEN`
  //
  // NOTE(review): since the upload is authorized by the URL alone (no
  // credentials are attached), the URL should be handled like a short-lived
  // secret: keep it out of logs, tickets and shared build output.
  rpc GenerateUploadUrl(GenerateUploadUrlRequest)
      returns (GenerateUploadUrlResponse) {
    option (google.api.http) = {
      post: "/v1/{parent=projects/*/locations/*}/functions:generateUploadUrl"
      body: "*"
    };
  }

  // Returns a signed URL for downloading deployed function source code.
  // The URL is only valid for a limited period and should be used within
  // minutes after generation.
  // For more information about the signed URL usage see:
  // https://cloud.google.com/storage/docs/access-control/signed-urls
  //
  // NOTE(review): the URL presumably grants read access to the deployed source
  // to whoever holds it while it is valid; avoid persisting it in logs.
  rpc GenerateDownloadUrl(GenerateDownloadUrlRequest)
      returns (GenerateDownloadUrlResponse) {
    option (google.api.http) = {
      post: "/v1/{name=projects/*/locations/*/functions/*}:generateDownloadUrl"
      body: "*"
    };
  }

  // Sets the IAM access control policy on the specified function.
  // Replaces any existing policy.
  //
  // NOTE(review): because the whole policy is replaced, a caller that wants to
  // add or remove a single binding presumably has to read the current policy
  // with GetIamPolicy and send back the merged result; otherwise existing
  // bindings are dropped. Confirm against the google.iam.v1 documentation.
  rpc SetIamPolicy(google.iam.v1.SetIamPolicyRequest)
      returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      post: "/v1/{resource=projects/*/locations/*/functions/*}:setIamPolicy"
      body: "*"
    };
  }

  // Gets the IAM access control policy for a function.
  // Returns an empty policy if the function exists and does not have a policy
  // set.
  rpc GetIamPolicy(google.iam.v1.GetIamPolicyRequest)
      returns (google.iam.v1.Policy) {
    option (google.api.http) = {
      get: "/v1/{resource=projects/*/locations/*/functions/*}:getIamPolicy"
    };
  }

  // Tests the specified permissions against the IAM access control policy
  // for a function.
  // If the function does not exist, this will return an empty set of
  // permissions, not a NOT_FOUND error.
  rpc TestIamPermissions(google.iam.v1.TestIamPermissionsRequest)
      returns (google.iam.v1.TestIamPermissionsResponse) {
    option (google.api.http) = {
      post: "/v1/{resource=projects/*/locations/*/functions/*}:testIamPermissions"
      body: "*"
    };
  }
}

// Describes a Cloud Function that contains user computation executed in
// response to an event. It encapsulates function and triggers configurations.
message CloudFunction {
  option (google.api.resource) = {
    type: "cloudfunctions.googleapis.com/CloudFunction"
    pattern: "projects/{project}/locations/{location}/functions/{function}"
  };

  // Available egress settings.
  //
  // This controls what traffic is diverted through the VPC Access Connector
  // resource. By default PRIVATE_RANGES_ONLY will be used.
  //
  // NOTE(review): under the default, only RFC1918 destinations are described
  // as using the connector, so egress controls applied on the VPC presumably
  // do not see traffic to public addresses unless ALL_TRAFFIC is selected.
  enum VpcConnectorEgressSettings {
    // Unspecified.
    VPC_CONNECTOR_EGRESS_SETTINGS_UNSPECIFIED = 0;

    // Use the VPC Access Connector only for private IP space from RFC1918.
    PRIVATE_RANGES_ONLY = 1;

    // Force the use of VPC Access Connector for all egress traffic from the
    // function.
    ALL_TRAFFIC = 2;
  }

  // Available ingress settings.
  //
  // This controls what traffic can reach the function.
  //
  // If unspecified, ALLOW_ALL will be used.
  //
  // NOTE(review): the default is the most permissive value. A function meant
  // to be reachable only from private sources must set ALLOW_INTERNAL_ONLY or
  // ALLOW_INTERNAL_AND_GCLB explicitly.
  enum IngressSettings {
    // Unspecified.
    INGRESS_SETTINGS_UNSPECIFIED = 0;

    // Allow HTTP traffic from public and private sources.
    ALLOW_ALL = 1;

    // Allow HTTP traffic from only private VPC sources.
    ALLOW_INTERNAL_ONLY = 2;

    // Allow HTTP traffic from private VPC sources and through GCLB.
    ALLOW_INTERNAL_AND_GCLB = 3;
  }

  // Docker Registry to use for storing function Docker images.
  enum DockerRegistry {
    // Unspecified.
    DOCKER_REGISTRY_UNSPECIFIED = 0;

    // Docker images will be stored in multi-regional Container Registry
    // repositories named `gcf`.
    CONTAINER_REGISTRY = 1;

    // Docker images will be stored in regional Artifact Registry repositories.
    // By default, GCF will create and use repositories named `gcf-artifacts`
    // in every region in which a function is deployed. But the repository to
    // use can also be specified by the user using the `docker_repository`
    // field.
    ARTIFACT_REGISTRY = 2;
  }

  // Security patches are applied automatically to the runtime without requiring
  // the function to be redeployed.
  message AutomaticUpdatePolicy {}

  // Security patches are only applied when a function is redeployed.
  //
  // NOTE(review): with this policy the runtime stays at `runtime_version`
  // until the next deployment, so patch cadence depends on how often the
  // function is redeployed.
  message OnDeployUpdatePolicy {
    // Output only. Contains the runtime version which was used during latest
    // function deployment.
    string runtime_version = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
  }

  // A user-defined name of the function. Function names must be unique
  // globally and match pattern `projects/*/locations/*/functions/*`
  string name = 1;

  // User-provided description of a function.
  string description = 2;

  // The location of the function source code.
  oneof source_code {
    // The Google Cloud Storage URL, starting with `gs://`, pointing to the zip
    // archive which contains the function.
    string source_archive_url = 3;

    // **Beta Feature**
    //
    // The source repository where a function is hosted.
    SourceRepository source_repository = 4;

    // The Google Cloud Storage signed URL used for source uploading, generated
    // by calling [google.cloud.functions.v1.GenerateUploadUrl].
    //
    // The signature is validated on write methods (Create, Update).
    // The signature is stripped from the Function object on read methods (Get,
    // List).
    string source_upload_url = 16;
  }

  // An event that triggers the function.
  oneof trigger {
    // An HTTPS endpoint type of source that can be triggered via URL.
    HttpsTrigger https_trigger = 5;

    // A source that fires events in response to a condition in another service.
    EventTrigger event_trigger = 6;
  }

  // Output only. Status of the function deployment.
  CloudFunctionStatus status = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // The name of the function (as defined in source code) that will be
  // executed. Defaults to the resource name suffix (ID of the function), if not
  // specified.
  string entry_point = 8;

  // The runtime in which to run the function. Required when deploying a new
  // function, optional when updating an existing function. For a complete
  // list of possible choices, see the
  // [`gcloud` command
  // reference](https://cloud.google.com/sdk/gcloud/reference/functions/deploy#--runtime).
  string runtime = 19;

  // The function execution timeout. Execution is considered failed and
  // can be terminated if the function is not completed at the end of the
  // timeout period. Defaults to 60 seconds.
  google.protobuf.Duration timeout = 9;

  // The amount of memory in MB available for a function.
  // Defaults to 256MB.
  int32 available_memory_mb = 10;

  // The email of the function's service account. If empty, defaults to
  // `{project_id}@appspot.gserviceaccount.com`.
  //
  // NOTE(review): the default is a single project-level account, so every
  // function that leaves this empty runs as the same identity. Prefer a
  // dedicated service account with only the roles the function needs, and
  // confirm which roles the default account holds in the project.
  string service_account_email = 11;

  // Output only. The last update timestamp of a Cloud Function.
  google.protobuf.Timestamp update_time = 12
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The version identifier of the Cloud Function. Each deployment
  // attempt results in a new version of a function being created.
  int64 version_id = 14 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Labels associated with this Cloud Function.
  map<string, string> labels = 15;

  // Environment variables that shall be available during function execution.
  //
  // NOTE(review): values are plain strings stored on the function resource,
  // and this file documents no redaction for them on read (contrast
  // `source_upload_url`). Keep credentials out of this map and use
  // `secret_environment_variables` or `secret_volumes` instead.
  map<string, string> environment_variables = 17;

  // Build environment variables that shall be available during build time.
  //
  // NOTE(review): same caveat as `environment_variables`: plain strings on
  // the resource, so not a place for credentials.
  map<string, string> build_environment_variables = 28;

  // Deprecated: use vpc_connector
  string network = 18 [deprecated = true];

  // The limit on the maximum number of function instances that may coexist at a
  // given time.
  //
  // In some cases, such as rapid traffic surges, Cloud Functions may, for a
  // short period of time, create more instances than the specified max
  // instances limit. If your function cannot tolerate this temporary behavior,
  // you may want to factor in a safety margin and set a lower max instances
  // value than your function can tolerate.
  //
  // See the [Max
  // Instances](https://cloud.google.com/functions/docs/max-instances) Guide for
  // more details.
  int32 max_instances = 20;

  // A lower bound for the number of function instances that may coexist at a
  // given time.
  int32 min_instances = 32;

  // The VPC Network Connector that this cloud function can connect to. It can
  // be either the fully-qualified URI, or the short name of the network
  // connector resource. The format of this field is
  // `projects/*/locations/*/connectors/*`
  //
  // This field is mutually exclusive with `network` field and will eventually
  // replace it.
  //
  // See [the VPC documentation](https://cloud.google.com/compute/docs/vpc) for
  // more information on connecting Cloud projects.
  string vpc_connector = 22;

  // The egress settings for the connector, controlling what traffic is diverted
  // through it.
  VpcConnectorEgressSettings vpc_connector_egress_settings = 23;

  // The ingress settings for the function, controlling what traffic can reach
  // it.
  IngressSettings ingress_settings = 24;

  // Resource name of a KMS crypto key (managed by the user) used to
  // encrypt/decrypt function resources.
  //
  // It must match the pattern
  // `projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}`.
  //
  // If specified, you must also provide an artifact registry repository using
  // the `docker_repository` field that was created with the same KMS crypto
  // key.
  //
  // The following service accounts need to be granted the role 'Cloud KMS
  // CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter)'
  // on the Key/KeyRing/Project/Organization (least access preferred).
  //
  // 1. Google Cloud Functions service account
  //    (service-{project_number}@gcf-admin-robot.iam.gserviceaccount.com) -
  //    Required to protect the function's image.
  // 2. Google Storage service account
  //    (service-{project_number}@gs-project-accounts.iam.gserviceaccount.com) -
  //    Required to protect the function's source code.
  //    If this service account does not exist, deploying a function without a
  //    KMS key or retrieving the service agent name provisions it. For more
  //    information, see
  //    https://cloud.google.com/storage/docs/projects#service-agents and
  //    https://cloud.google.com/storage/docs/getting-service-agent#gsutil.
  //
  // Google Cloud Functions delegates access to service agents to protect
  // function resources in internal projects that are not accessible by the
  // end user.
  string kms_key_name = 25 [(google.api.resource_reference) = {
    type: "cloudkms.googleapis.com/CryptoKey"
  }];

  // Name of the Cloud Build Custom Worker Pool that should be used to build the
  // function. The format of this field is
  // `projects/{project}/locations/{region}/workerPools/{workerPool}` where
  // `{project}` and `{region}` are the project id and region respectively where
  // the worker pool is defined and `{workerPool}` is the short name of the
  // worker pool.
  //
  // If the project id is not the same as the function, then the Cloud
  // Functions Service Agent
  // (`service-<project_number>@gcf-admin-robot.iam.gserviceaccount.com`) must
  // be granted the role Cloud Build Custom Workers Builder
  // (`roles/cloudbuild.customworkers.builder`) in the project.
  string build_worker_pool = 26;

  // Output only. The Cloud Build ID of the latest successful deployment of the
  // function.
  string build_id = 27 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The Cloud Build Name of the function deployment.
  // `projects/<project-number>/locations/<region>/builds/<build-id>`.
  string build_name = 33 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Secret environment variables configuration.
  repeated SecretEnvVar secret_environment_variables = 29;

  // Secret volumes configuration.
  repeated SecretVolume secret_volumes = 30;

  // Input only. An identifier for Firebase function sources. Disclaimer: This
  // field is only supported for Firebase function deployments.
  string source_token = 31 [(google.api.field_behavior) = INPUT_ONLY];

  // User managed repository created in Artifact Registry optionally with a
  // customer managed encryption key. If specified, deployments will use
  // Artifact Registry. If unspecified and the deployment is eligible to use
  // Artifact Registry, GCF will create and use a repository named
  // 'gcf-artifacts' for every deployed region. This is the repository to which
  // the function docker image will be pushed after it is built by Cloud Build.
  //
  // It must match the pattern
  // `projects/{project}/locations/{location}/repositories/{repository}`.
  //
  // Cross-project repositories are not supported.
  // Cross-location repositories are not supported.
  // Repository format must be 'DOCKER'.
  string docker_repository = 34 [(google.api.resource_reference) = {
    type: "artifactregistry.googleapis.com/Repository"
  }];

  // Docker Registry to use for this deployment.
  //
  // If unspecified, it defaults to `ARTIFACT_REGISTRY`.
  // If `docker_repository` field is specified, this field should either be left
  // unspecified or set to `ARTIFACT_REGISTRY`.
  DockerRegistry docker_registry = 35;

  // Runtime update policy can be one of the following.
  oneof runtime_update_policy {
    // See the comment next to this message for more details.
    AutomaticUpdatePolicy automatic_update_policy = 40;

    // See the comment next to this message for more details.
    OnDeployUpdatePolicy on_deploy_update_policy = 41;
  }
}

// Describes SourceRepository, used to represent parameters related to
// source repository where a function is hosted.
message SourceRepository {
  // The URL pointing to the hosted repository where the function is defined.
  // There are supported Cloud Source Repository URLs in the following
  // formats:
  //
  // To refer to a specific commit:
  // `https://source.developers.google.com/projects/*/repos/*/revisions/*/paths/*`
  // To refer to a moveable alias (branch):
  // `https://source.developers.google.com/projects/*/repos/*/moveable-aliases/*/paths/*`
  // In particular, to refer to HEAD use `master` moveable alias.
  // To refer to a specific fixed alias (tag):
  // `https://source.developers.google.com/projects/*/repos/*/fixed-aliases/*/paths/*`
  //
  // You may omit `paths/*` if you want to use the main directory.
  //
  // NOTE(review): a moveable alias can point at different commits over time.
  // Where deployments must be reproducible or auditable, refer to a specific
  // commit and compare it with `deployed_url` after deployment.
  string url = 1;

  // Output only. The URL pointing to the hosted repository where the function
  // was defined at the time of deployment. It always points to a specific
  // commit in the format described above.
  string deployed_url = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Describes HttpsTrigger, could be used to connect web hooks to function.
message HttpsTrigger {
  // Available security level settings.
  //
  // This controls the methods to enforce security (HTTPS) on a URL.
  //
  // If unspecified, SECURE_OPTIONAL will be used.
  //
  // NOTE(review): the default therefore accepts plain HTTP requests. Set
  // SECURE_ALWAYS explicitly when requests must be redirected to HTTPS.
  enum SecurityLevel {
    // Unspecified.
    SECURITY_LEVEL_UNSPECIFIED = 0;

    // Requests for a URL that match this handler that do not use HTTPS are
    // automatically redirected to the HTTPS URL with the same path. Query
    // parameters are reserved for the redirect.
    SECURE_ALWAYS = 1;

    // Both HTTP and HTTPS requests with URLs that match the handler succeed
    // without redirects. The application can examine the request to determine
    // which protocol was used and respond accordingly.
    SECURE_OPTIONAL = 2;
  }

  // Output only. The deployed URL for the function.
  string url = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // The security level for the function.
  SecurityLevel security_level = 2;
}

// Describes EventTrigger, used to request events be sent from another
// service.
message EventTrigger {
  // Required. The type of event to observe. For example:
  // `providers/cloud.storage/eventTypes/object.change` and
  // `providers/cloud.pubsub/eventTypes/topic.publish`.
  //
  // Event types match pattern `providers/*/eventTypes/*.*`.
  // The pattern contains:
  //
  // 1. namespace: For example, `cloud.storage` and
  //    `google.firebase.analytics`.
  // 2. resource type: The type of resource on which event occurs. For
  //    example, the Google Cloud Storage API includes the type `object`.
  // 3. action: The action that generates the event. For example, action for
  //    a Google Cloud Storage Object is 'change'.
  // These parts are lower case.
  string event_type = 1;

  // Required. The resource(s) from which to observe events, for example,
  // `projects/_/buckets/myBucket`.
  //
  // Not all syntactically correct values are accepted by all services. For
  // example:
  //
  // 1. The authorization model must support it. Google Cloud Functions
  //    only allows EventTriggers to be deployed that observe resources in the
  //    same project as the `CloudFunction`.
  // 2. The resource type must match the pattern expected for an
  //    `event_type`. For example, an `EventTrigger` that has an
  //    `event_type` of "google.pubsub.topic.publish" should have a resource
  //    that matches Google Cloud Pub/Sub topics.
  //
  // Additionally, some services may support short names when creating an
  // `EventTrigger`. These will always be returned in the normalized "long"
  // format.
  //
  // See each *service's* documentation for supported formats.
  string resource = 2;

  // The hostname of the service that should be observed.
  //
  // If no string is provided, the default service implementing the API will
  // be used. For example, `storage.googleapis.com` is the default for all
  // event types in the `google.storage` namespace.
  string service = 3;

  // Specifies policy for failed executions.
  FailurePolicy failure_policy = 5;
}

// Describes the policy in case of function's execution failure.
// If empty, then defaults to ignoring failures (i.e. not retrying them).
message FailurePolicy {
  // Describes the retry policy in case of function's execution failure.
  // A function execution will be retried on any failure.
  // A failed execution will be retried up to 7 days with an exponential backoff
  // (capped at 10 seconds).
  // Retried execution is charged as any other execution.
  message Retry {}

  // Defines the action taken in case of a function execution failure.
  oneof action {
    // If specified, then the function will be retried in case of a failure.
    Retry retry = 1;
  }
}

// Describes the current stage of a deployment.
enum CloudFunctionStatus {
  // Not specified. Invalid state.
  CLOUD_FUNCTION_STATUS_UNSPECIFIED = 0;

  // Function has been successfully deployed and is serving.
  ACTIVE = 1;

  // Function deployment failed and the function isn't serving.
  OFFLINE = 2;

  // Function is being created or updated.
  DEPLOY_IN_PROGRESS = 3;

  // Function is being deleted.
  DELETE_IN_PROGRESS = 4;

  // Function deployment failed and the function serving state is undefined.
  // The function should be updated or deleted to move it out of this state.
  UNKNOWN = 5;
}

// Configuration for a secret environment variable. It has the information
// necessary to fetch the secret value from secret manager and expose it as an
// environment variable.
message SecretEnvVar {
  // Name of the environment variable.
  string key = 1;

  // Project identifier (preferably project number but can also be the project
  // ID) of the project that contains the secret. If not set, it will be
  // populated with the function's project assuming that the secret exists in
  // the same project as of the function.
  string project_id = 2;

  // Name of the secret in secret manager (not the full resource name).
  string secret = 3;

  // Version of the secret (version number or the string 'latest'). It is
  // recommended to use a numeric version for secret environment variables as
  // any updates to the secret value are not reflected until new instances
  // start.
  string version = 4;
}

// Configuration for a secret volume. It has the information necessary to fetch
// the secret value from secret manager and make it available as files mounted
// at the requested paths within the application container. Secret value is not
// a part of the configuration. Every filesystem read operation performs a
// lookup in secret manager to retrieve the secret value.
message SecretVolume {
  // Configuration for a single version.
  message SecretVersion {
    // Version of the secret (version number or the string 'latest'). It is
    // preferable to use `latest` version with secret volumes as secret value
    // changes are reflected immediately.
    string version = 1;

    // Relative path of the file under the mount path where the secret value for
    // this version will be fetched and made available. For example, setting the
    // mount_path as '/etc/secrets' and path as `/secret_foo` would mount the
    // secret value file at `/etc/secrets/secret_foo`.
    string path = 2;
  }

  // The path within the container to mount the secret volume. For example,
  // setting the mount_path as `/etc/secrets` would mount the secret value files
  // under the `/etc/secrets` directory. This directory will also be completely
  // shadowed and unavailable to mount any other secrets.
  //
  // Recommended mount paths: /etc/secrets
  // Restricted mount paths: /cloudsql, /dev/log, /pod, /proc, /var/log
  string mount_path = 1;

  // Project identifier (preferably project number but can also be the project
  // ID) of the project that contains the secret. If not set, it will be
  // populated with the function's project assuming that the secret exists in
  // the same project as of the function.
  string project_id = 2;

  // Name of the secret in secret manager (not the full resource name).
  string secret = 3;

  // List of secret versions to mount for this secret. If empty, the `latest`
  // version of the secret will be made available in a file named after the
  // secret under the mount point.
  repeated SecretVersion versions = 4;
}

// Request for the `CreateFunction` method.
message CreateFunctionRequest {
  // Required. The project and location in which the function should be created,
  // specified in the format `projects/*/locations/*`
  string location = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "locations.googleapis.com/Location"
    }
  ];

  // Required. Function to be created.
  CloudFunction function = 2 [(google.api.field_behavior) = REQUIRED];
}

// Request for the `UpdateFunction` method.
message UpdateFunctionRequest {
  // Required. New version of the function.
  CloudFunction function = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The list of fields in `CloudFunction` that have to be updated.
  //
  // NOTE(review): documented as required, but unlike `function` this field
  // carries no REQUIRED field_behavior annotation, and the behaviour for an
  // empty mask is not stated here. Callers should always send an explicit
  // mask so that an update cannot touch fields it did not intend to change.
  google.protobuf.FieldMask update_mask = 2;
}

// Request for the `GetFunction` method.
message GetFunctionRequest {
  // Required. The name of the function whose details should be obtained.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudfunctions.googleapis.com/CloudFunction"
    }
  ];

  // Optional. The optional version of the function whose details should be
  // obtained. The version of a 1st Gen function is an integer that starts from
  // 1 and gets incremented on redeployments. Each deployment creates a config
  // version of the underlying function. GCF may keep historical configs for old
  // versions. This field can be specified to fetch the historical configs.
  // Leave it blank or set to 0 to get the latest version of the function.
  int64 version_id = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Request for the `ListFunctions` method.
message ListFunctionsRequest {
  // The project and location from which the function should be listed,
  // specified in the format `projects/*/locations/*`
  // If you want to list functions in all locations, use "-" in place of a
  // location. When listing functions in all locations, if one or more
  // location(s) are unreachable, the response will contain functions from all
  // reachable locations along with the names of any unreachable locations.
  string parent = 1 [(google.api.resource_reference) = {
    type: "locations.googleapis.com/Location"
  }];

  // Maximum number of functions to return per call.
  int32 page_size = 2;

  // The value returned by the last
  // `ListFunctionsResponse`; indicates that
  // this is a continuation of a prior `ListFunctions` call, and that the
  // system should return the next page of data.
  string page_token = 3;
}

// Response for the `ListFunctions` method.
message ListFunctionsResponse {
  // The functions that match the request.
  repeated CloudFunction functions = 1;

  // If not empty, indicates that there may be more functions that match
  // the request; this value should be passed in a new
  // [google.cloud.functions.v1.ListFunctionsRequest][google.cloud.functions.v1.ListFunctionsRequest]
  // to get more functions.
  string next_page_token = 2;

  // Locations that could not be reached. The response does not include any
  // functions from these locations.
  //
  // NOTE(review): an inventory or audit built on this response is incomplete
  // whenever this list is non-empty; check it before treating the result as
  // the full set of deployed functions.
  repeated string unreachable = 3;
}

// Request for the `DeleteFunction` method.
message DeleteFunctionRequest {
  // Required. The name of the function which should be deleted.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudfunctions.googleapis.com/CloudFunction"
    }
  ];
}

// Request for the `CallFunction` method.
message CallFunctionRequest {
  // Required. The name of the function to be called.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudfunctions.googleapis.com/CloudFunction"
    }
  ];

  // Required. Input to be passed to the function.
  string data = 2 [(google.api.field_behavior) = REQUIRED];
}

// Response of `CallFunction` method.
message CallFunctionResponse {
  // Execution id of function invocation.
  string execution_id = 1;

  // Result populated for successful execution of synchronous function. Will
  // not be populated if function does not return a result through context.
  string result = 2;

  // Either system or user-function generated error. Set if execution
  // was not successful.
  string error = 3;
}

// Request of `GenerateUploadUrl` method.
message GenerateUploadUrlRequest {
  // The project and location in which the Google Cloud Storage signed URL
  // should be generated, specified in the format `projects/*/locations/*`.
  string parent = 1;

  // Resource name of a KMS crypto key (managed by the user) used to
  // encrypt/decrypt function source code objects in intermediate Cloud Storage
  // buckets. When you generate an upload url and upload your source code, it
  // gets copied to an intermediate Cloud Storage bucket. The source code is
  // then copied to a versioned directory in the sources bucket in the consumer
  // project during the function deployment.
  //
  // It must match the pattern
  // `projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}`.
  //
  // The Google Cloud Functions service account
  // (service-{project_number}@gcf-admin-robot.iam.gserviceaccount.com) must be
  // granted the role 'Cloud KMS CryptoKey Encrypter/Decrypter
  // (roles/cloudkms.cryptoKeyEncrypterDecrypter)' on the
  // Key/KeyRing/Project/Organization (least access preferred). GCF will
  // delegate access to the Google Storage service account in the internal
  // project.
  string kms_key_name = 2 [(google.api.resource_reference) = {
    type: "cloudkms.googleapis.com/CryptoKey"
  }];
}

// Response of `GenerateUploadUrl` method.
message GenerateUploadUrlResponse {
  // The generated Google Cloud Storage signed URL that should be used for a
  // function source code upload. The uploaded file should be a zip archive
  // which contains a function.
  string upload_url = 1;
}

// Request of `GenerateDownloadUrl` method.
message GenerateDownloadUrlRequest {
  // The name of function for which source code Google Cloud Storage signed
  // URL should be generated.
  string name = 1;

  // The optional version of function. If not set, default, current version
  // is used.
  //
  // NOTE(review): declared `uint64` here while `CloudFunction.version_id` and
  // `GetFunctionRequest.version_id` are `int64`; clients copying the value
  // between messages need an explicit conversion.
  uint64 version_id = 2;
}

// Response of `GenerateDownloadUrl` method.
message GenerateDownloadUrlResponse {
  // The generated Google Cloud Storage signed URL that should be used for
  // function source code download.
  string download_url = 1;
}