Table: gcp_cloudfunctions_function - Query Google Cloud Platform Cloud Functions using SQL

Google Cloud Functions is a lightweight, event-based, asynchronous compute solution that allows you to create small, single-purpose functions that respond to cloud events without the need to manage a server or a runtime environment. Events from Google Cloud Storage and Pub/Sub can trigger Cloud Functions asynchronously, or you can use HTTP invocation for synchronous execution. It allows developers to run their code in response to events without needing to provision or manage servers.

Table Usage Guide

The gcp_cloudfunctions_function table provides insights into Cloud Functions within Google Cloud Platform. As a DevOps engineer, explore function-specific details through this table, including configuration, status, and associated metadata. Utilize it to uncover information about functions, such as their event triggers, resource usage, and execution environment.

Examples

Basic function info

Explore the operational status of various cloud functions to manage resources effectively. Analyze the settings to understand the runtime, available memory, and maximum instances for optimal performance.

select
  name,
  description,
  status,
  runtime,
  available_memory_mb,
  max_instances,
  ingress_settings,
  timeout
from
  gcp_cloudfunctions_function;

select
  name,
  description,
  status,
  runtime,
  available_memory_mb,
  max_instances,
  ingress_settings,
  timeout
from
  gcp_cloudfunctions_function;

Count of cloud functions by runtime engines

Analyze the distribution of cloud functions across different runtime engines, providing a useful overview to optimize resource allocation and understand usage patterns.

select
  runtime,
  count(*)
from
  gcp_cloudfunctions_function
group by
  runtime;

select
  runtime,
  count(*)
from
  gcp_cloudfunctions_function
group by
  runtime;

Cloud functions service account info

Explore which cloud functions are linked to specific service accounts. This can help manage and secure access to resources, by ensuring only authorized accounts are connected to specific functions.

select
  f.name as function_name,
  f.service_account_email as service_account_email,
  a.display_name as service_account_display_name
from
  gcp_cloudfunctions_function as f,
  gcp_service_account as a
where
  f.service_account_email = a.email;

select
  f.name as function_name,
  f.service_account_email as service_account_email,
  a.display_name as service_account_display_name
from
  gcp_cloudfunctions_function as f,
  gcp_service_account as a
where
  f.service_account_email = a.email;

Cloud functions service account info, including roles assigned in the project IAM policy

Determine the roles assigned to various service accounts within your project's IAM policy, particularly those associated with cloud functions. This can help maintain security by ensuring only necessary permissions are granted.

select
  f.name as function_name,
  f.service_account_email as service_account_email,
  a.display_name as service_account_display_name,
  b ->> 'role' as role_name
from
  gcp_cloudfunctions_function as f,
  gcp_service_account as a,
  gcp_iam_policy as p,
  jsonb_array_elements(bindings) as b,
  jsonb_array_elements_text(b -> 'members') as m
where
  f.service_account_email = a.email
  and m = ('serviceAccount:' || f.service_account_email);

select
  f.name as function_name,
  f.service_account_email as service_account_email,
  a.display_name as service_account_display_name,
  json_extract(b.value, '$.role') as role_name
from
  gcp_cloudfunctions_function as f,
  gcp_service_account as a,
  gcp_iam_policy as p,
  json_each(bindings) as b,
  json_each(json_extract(b.value, '$.members')) as m
where
  f.service_account_email = a.email
  and m.value = ('serviceAccount:' || f.service_account_email);

View the resource-level IAM policy on cloud functions

Explore the access control measures applied to your cloud functions. This query is useful to understand the security configuration and permissions associated with each function, helping to maintain robust access management.

select
  name,
  jsonb_pretty(iam_policy)
from
  gcp_cloudfunctions_function;

select
  name,
  iam_policy
from
  gcp_cloudfunctions_function;

Find members assigned in resource-level IAM policy on cloud functions that are not in your email domain

Explore which members are assigned in resource-level IAM policy on cloud functions that are not within your email domain. This is useful to identify potential security risks by detecting unauthorized users who might have access to your cloud functions.

select
  name,
  b ->> 'role' as role_name,
  m as member
from
  gcp_cloudfunctions_function,
  jsonb_array_elements(iam_policy -> 'bindings') as b,
  jsonb_array_elements_text(b -> 'members') as m
where
  m not like '%@turbot.com';

select
  name,
  json_extract(b.value, '$.role') as role_name,
  m.value as member
from
  gcp_cloudfunctions_function,
  json_each(iam_policy, '$.bindings') as b,
  json_each(b.value, '$.members') as m
where
  m.value not like '%@turbot.com';

Query examples

cloudfunction_functions_for_iam_service_account

Control examples

Schema for gcp_cloudfunctions_function

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form, e.g. connection_name.
akas	jsonb		Array of globally unique identifier strings (also known as) for the resource.
available_memory_mb	bigint		The amount of memory in MB available for the function.
build_environment_variables	jsonb		Environment variables that shall be available during build time
build_id	text		The Cloud Build ID of the latest successful deployment of the function.
description	text		User-provided description of a function.
entry_point	text		The name of the function (as defined in source code) that will be executed.
environment_variables	jsonb		Environment variables that shall be available during function execution.
event_trigger	jsonb		A source that fires events in response to a condition in another service.
https_trigger	jsonb		An HTTPS endpoint type of source that can be triggered via URL.
iam_policy	jsonb		The IAM policy for the function.
ingress_settings	text		The ingress settings for the function, controlling what traffic can reach it (INGRESS_SETTINGS_UNSPECIFIED, ALLOW_ALL, ALLOW_INTERNAL_ONLY, ALLOW_INTERNAL_AND_GCLB).
labels	jsonb		Labels that apply to this function.
location	text	=	The GCP multi-region, region, or zone in which the resource is located.
max_instances	bigint		The limit on the maximum number of function instances that may coexist at a given time. In some cases, such as rapid traffic surges, Cloud Functions may, for a short period of time, create more instances than the specified max instances limit.
name	text	=	The name of the function.
network	text		The VPC Network that this cloud function can connect to.
project	text		The GCP Project in which the resource is located.
runtime	text		The runtime in which to run the function.
self_link	text		Server-defined URL for the resource.
service_account_email	text		The email of the function's service account.
source_archive_url	text		The Google Cloud Storage URL, starting with gs://, pointing to the zip archive which contains the function.
source_repository	text		Beta Feature The source repository where a function is hosted.
source_upload_url	text		The Google Cloud Storage signed URL used for source uploading, generated by google.cloud.functions.v1.GenerateUploadUrl
status	text		Status of the function deployment (ACTIVE, OFFLINE, CLOUD_FUNCTION_STATUS_UNSPECIFIED,DEPLOY_IN_PROGRESS, DELETE_IN_PROGRESS, UNKNOWN).
tags	jsonb		A map of tags for the resource.
timeout	text		The function execution timeout. Execution is consideredfailed and can be terminated if the function is not completed at the end of the timeout period. Defaults to 60 seconds.
title	text		Title of the resource.
update_time	timestamp with time zone		The last update timestamp of the Cloud Function.
version_id	bigint		The version identifier of the Cloud Function. Each deployment attempt results in a new version of a function being created.
vpc_connector	text		The VPC Network Connector that this cloud function can connect to. This field is mutually exclusive with `network` field and will eventually replace it.
vpc_connector_egress_settings	text		The egress settings for the connector, controlling what traffic is diverted through it (VPC_CONNECTOR_EGRESS_SETTINGS_UNSPECIFIED, PRIVATE_RANGES_ONLY, ALL_TRAFFIC).

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp

You can pass the configuration to the command with the --config argument:

steampipe_export_gcp --config '<your_config>' gcp_cloudfunctions_function