Table: gcp_cloudfunctions_function - Query Google Cloud Platform Cloud Functions using SQL
Google Cloud Functions is a lightweight, event-based, asynchronous compute solution that lets you create small, single-purpose functions that respond to cloud events without managing a server or a runtime environment. Events from Google Cloud Storage and Pub/Sub trigger Cloud Functions asynchronously, and HTTP invocation provides synchronous execution. Each function runs under a service account, can expose an HTTP endpoint, and can carry environment variables and VPC connectivity, so its configuration is a primary place to look when assessing exposure.
Table Usage Guide
The gcp_cloudfunctions_function table provides insights into Cloud Functions within Google Cloud Platform. As a DevOps or security engineer, explore function-specific details through this table, including configuration, deployment status, resource-level IAM policy, and associated metadata. Use it to uncover information about functions such as their event triggers, ingress and egress settings, runtime service account, and execution environment.
Examples
Basic function info
Explore the operational status of various cloud functions to manage resources effectively. Analyze the settings to understand the runtime, available memory, and maximum instances for optimal performance.
```sql
select
  name,
  description,
  status,
  runtime,
  available_memory_mb,
  max_instances,
  ingress_settings,
  service_timeout
from
  gcp_cloudfunctions_function;
```
Count of cloud functions by runtime engines
Analyze the distribution of cloud functions across different runtime engines, providing a useful overview to optimize resource allocation and understand usage patterns.
```sql
select
  runtime,
  count(*)
from
  gcp_cloudfunctions_function
group by
  runtime;
```
Cloud functions service account info
Explore which cloud functions are linked to specific service accounts. This can help manage and secure access to resources, by ensuring only authorized accounts are connected to specific functions.
```sql
select
  f.name as function_name,
  f.service_account_email as service_account_email,
  a.display_name as service_account_display_name
from
  gcp_cloudfunctions_function as f,
  gcp_service_account as a
where
  f.service_account_email = a.email;
```
Cloud functions service account info, including roles assigned in the project IAM policy
Determine the roles assigned in your project's IAM policy to the service accounts that cloud functions run as. This helps maintain least privilege by confirming that a function's runtime identity holds only the permissions it needs. The join on project keeps each function matched to its own project's policy when a connection aggregates several projects.
PostgreSQL:

```sql
select
  f.name as function_name,
  f.service_account_email as service_account_email,
  a.display_name as service_account_display_name,
  b ->> 'role' as role_name
from
  gcp_cloudfunctions_function as f,
  gcp_service_account as a,
  gcp_iam_policy as p,
  jsonb_array_elements(p.bindings) as b,
  jsonb_array_elements_text(b -> 'members') as m
where
  f.service_account_email = a.email
  -- match each function to the IAM policy of its own project
  and p.project = f.project
  and m = ('serviceAccount:' || f.service_account_email);
```

SQLite:

```sql
select
  f.name as function_name,
  f.service_account_email as service_account_email,
  a.display_name as service_account_display_name,
  json_extract(b.value, '$.role') as role_name
from
  gcp_cloudfunctions_function as f,
  gcp_service_account as a,
  gcp_iam_policy as p,
  json_each(p.bindings) as b,
  json_each(json_extract(b.value, '$.members')) as m
where
  f.service_account_email = a.email
  -- match each function to the IAM policy of its own project
  and p.project = f.project
  and m.value = ('serviceAccount:' || f.service_account_email);
```
View the resource-level IAM policy on cloud functions
Explore the access control measures applied to your cloud functions. This query is useful to understand the security configuration and permissions associated with each function, helping to maintain robust access management.
PostgreSQL:

```sql
select
  name,
  jsonb_pretty(iam_policy)
from
  gcp_cloudfunctions_function;
```

SQLite:

```sql
select
  name,
  iam_policy
from
  gcp_cloudfunctions_function;
```
Find members assigned in resource-level IAM policy on cloud functions that are not in your email domain
Explore which members are assigned in the resource-level IAM policy on cloud functions that are not within your email domain. This is useful for spotting external users, foreign service accounts, and the special allUsers and allAuthenticatedUsers principals that may have access to your cloud functions. The queries below use turbot.com as the trusted domain; replace it with your own.
PostgreSQL:

```sql
select
  name,
  b ->> 'role' as role_name,
  m as member
from
  gcp_cloudfunctions_function,
  jsonb_array_elements(iam_policy -> 'bindings') as b,
  jsonb_array_elements_text(b -> 'members') as m
where
  m not like '%@turbot.com';
```

SQLite:

```sql
select
  name,
  json_extract(b.value, '$.role') as role_name,
  m.value as member
from
  gcp_cloudfunctions_function,
  json_each(iam_policy, '$.bindings') as b,
  json_each(b.value, '$.members') as m
where
  m.value not like '%@turbot.com';
```
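Find functions that are invokable from the public internet

A function is reachable by anyone only when two settings line up: its ingress allows traffic from outside the VPC, and its resource-level IAM policy grants an invoker role to allUsers or allAuthenticatedUsers. The query below is an added example written for this page, not one of Steampipe's own; it uses PostgreSQL syntax and only the columns listed in the schema. Functions whose iam_policy is null (for example where the caller lacks getIamPolicy permission) produce no rows, so a clean result does not prove the policy was read.

```sql
-- Added example (not from the Steampipe docs): functions that are both
-- network-reachable from the internet and IAM-invokable by anyone.
-- INGRESS_SETTINGS_UNSPECIFIED is treated as exposed because the platform
-- default for an unspecified value is to allow all traffic.
select
  f.project,
  f.location,
  f.name,
  f.ingress_settings,
  f.url,
  b ->> 'role' as role_name,
  m as member
from
  gcp_cloudfunctions_function as f,
  jsonb_array_elements(f.iam_policy -> 'bindings') as b,
  jsonb_array_elements_text(b -> 'members') as m
where
  m in ('allUsers', 'allAuthenticatedUsers')
  and f.ingress_settings in ('ALLOW_ALL', 'INGRESS_SETTINGS_UNSPECIFIED')
  -- an invoker grant is what makes the endpoint callable; other roles on the
  -- function (e.g. viewer) are still worth reviewing but do not open the URL
  and b ->> 'role' in ('roles/cloudfunctions.invoker', 'roles/run.invoker')
order by
  f.project,
  f.name;
```

For 2nd-generation functions the HTTP endpoint is served by a Cloud Run service, and the invoker binding that actually gates requests may live on that service's own policy rather than on the function resource; check the gcp_cloud_run_service table as well before concluding a 2nd-gen function is private.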
Control examples
- All Controls > Cloud Functions > Cloudfunction functions ingress settings should not be set to allow all
- All Controls > Cloud Functions > Cloudfunction functions no roles/editor or roles/owner permission
- All Controls > Cloud Functions > Cloudfunction functions should restrict deployments manager permission
- All Controls > Cloud Functions > Cloudfunction functions should restrict disrupt logging permission
- All Controls > Cloud Functions > Cloudfunction functions should restrict public access
- All Controls > Cloud Functions > Cloudfunction functions VPC connector should be enabled
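The "no roles/editor or roles/owner permission" control above boils down to a join between a function's runtime service account and the project IAM policy. The query below is an added example for this page, not the control's own implementation; it is PostgreSQL syntax and extends the service account example in the Examples section with a filter on the primitive roles.

```sql
-- Added example (not from the Steampipe docs or the mod): functions whose
-- runtime service account holds a primitive role in its project.
-- Such a function can read, modify or delete nearly every resource in the
-- project, so any code-execution or SSRF bug in it becomes project-wide.
select
  f.project,
  f.name as function_name,
  f.service_account_email,
  b ->> 'role' as role_name,
  f.ingress_settings
from
  gcp_cloudfunctions_function as f,
  gcp_iam_policy as p,
  jsonb_array_elements(p.bindings) as b,
  jsonb_array_elements_text(b -> 'members') as m
where
  p.project = f.project
  and m = 'serviceAccount:' || f.service_account_email
  and b ->> 'role' in ('roles/owner', 'roles/editor')
order by
  f.project,
  f.name;
```

Expect the project default service accounts (the App Engine default for 1st-gen functions and the Compute Engine default for 2nd-gen) to appear here in projects created without the organization policy that disables automatic Editor grants; a function that was deployed without an explicit service account is running as one of them, and the fix is to deploy it with a dedicated, minimally scoped account.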
Schema for gcp_cloudfunctions_function
Name | Type | Operators | Description
---|---|---|---
_ctx | jsonb | | Steampipe context in JSON form.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
available_memory_mb | text | | The amount of memory in MB available for the function.
build_config | jsonb | | Describes the Build step of the function that builds a container from the given source.
build_environment_variables | jsonb | | Environment variables that shall be available during build time.
build_id | text | | The Cloud Build ID of the latest successful deployment of the function.
build_source | jsonb | | The location of the function source code.
description | text | | User-provided description of a function.
entry_point | text | | The name of the function (as defined in source code) that will be executed.
event_trigger | jsonb | | A source that fires events in response to a condition in another service.
https_trigger | jsonb | | An HTTPS endpoint type of source that can be triggered via URL.
iam_policy | jsonb | | The IAM policy for the function.
ingress_settings | text | | The ingress settings for the function, controlling what traffic can reach it (INGRESS_SETTINGS_UNSPECIFIED, ALLOW_ALL, ALLOW_INTERNAL_ONLY, ALLOW_INTERNAL_AND_GCLB).
kms_key_name | text | | Resource name of a KMS crypto key (managed by the user) used to encrypt/decrypt function resources.
labels | jsonb | | Labels that apply to this function.
location | text | = | The GCP multi-region, region, or zone in which the resource is located.
max_instance_request_concurrency | bigint | | The maximum number of concurrent requests that each instance can receive.
max_instances | bigint | | The limit on the maximum number of function instances that may coexist at a given time. In some cases, such as rapid traffic surges, Cloud Functions may, for a short period of time, create more instances than the specified max instances limit.
min_instances | bigint | | The minimum number of function instances that may coexist at a given time.
name | text | = | The name of the function.
network | text | | The VPC Network that this cloud function can connect to.
project | text | =, !=, ~~, ~~*, !~~, !~~* | The GCP Project in which the resource is located.
runtime | text | | The runtime in which to run the function.
satisfies_pzs | boolean | | Reserved for future use.
self_link | text | | Server-defined URL for the resource.
service | text | | Name of the service associated with the function.
service_account_email | text | | The email of the function's service account.
service_all_traffic_on_latest_revision | boolean | | Whether 100% of traffic is routed to the latest revision.
service_available_cpu | text | | The number of CPUs used in a single container instance.
service_config | jsonb | | Describes the Service being deployed. Currently deploys services to Cloud Run (fully managed).
service_environment_variables | jsonb | | Environment variables that shall be available during function execution.
service_revision | text | | The name of the service revision.
service_secret_environment_variables | jsonb | | Secret environment variables configuration.
service_secret_volumes | jsonb | | Secret volumes configuration.
service_security_level | text | | Configure whether the function only accepts HTTPS.
service_timeout | text | | The function execution timeout. Execution is considered failed and can be terminated if the function is not completed at the end of the timeout period. Defaults to 60 seconds.
source_archive_url | text | | The Google Cloud Storage URL, starting with gs://, pointing to the zip archive which contains the function.
source_repository | text | | **Beta Feature** The source repository where a function is hosted.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
state_messages | jsonb | | State Messages for this Cloud Function.
status | text | | Status of the function deployment (ACTIVE, OFFLINE, CLOUD_FUNCTION_STATUS_UNSPECIFIED, DEPLOY_IN_PROGRESS, DELETE_IN_PROGRESS, UNKNOWN).
tags | jsonb | | A map of tags for the resource.
title | text | | Title of the resource.
update_time | timestamp with time zone | | The last update timestamp of the Cloud Function.
url | text | | The deployed URL for the function.
vpc_connector | text | | The VPC Network Connector that this cloud function can connect to. This field is mutually exclusive with `network` field and will eventually replace it.
vpc_connector_egress_settings | text | | The egress settings for the connector, controlling what traffic is diverted through it (VPC_CONNECTOR_EGRESS_SETTINGS_UNSPECIFIED, PRIVATE_RANGES_ONLY, ALL_TRAFFIC).
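The schema carries two different kinds of environment variable: build_environment_variables and service_environment_variables are plaintext maps visible to anyone with cloudfunctions.functions.get, while service_secret_environment_variables and service_secret_volumes reference Secret Manager and expose nothing in the function resource. The query below is an added example for this page, not Steampipe's own; it is PostgreSQL syntax and uses only the columns listed above. It flags plaintext variables whose names look like credentials and reports the length of each value rather than the value itself, so the query output does not become another copy of the secret. The name pattern is an assumption; adjust it to your naming conventions.

```sql
-- Added example (not from the Steampipe docs): plaintext environment
-- variables with credential-like names, alongside a count of the function's
-- Secret Manager-backed variables for comparison.
with env as (
  -- runtime variables (available while the function executes)
  select
    project,
    location,
    name,
    'runtime' as scope,
    e.key,
    e.value
  from
    gcp_cloudfunctions_function,
    jsonb_each_text(service_environment_variables) as e
  union all
  -- build-time variables (available to Cloud Build, and often forgotten)
  select
    project,
    location,
    name,
    'build' as scope,
    e.key,
    e.value
  from
    gcp_cloudfunctions_function,
    jsonb_each_text(build_environment_variables) as e
)
select
  env.project,
  env.name,
  env.scope,
  env.key,
  -- length only: never echo the candidate secret into query results or logs
  length(env.value) as value_length,
  case
    when jsonb_typeof(f.service_secret_environment_variables) = 'array'
      then jsonb_array_length(f.service_secret_environment_variables)
    else 0
  end as secret_manager_env_count
from
  env
  join gcp_cloudfunctions_function as f
    on f.project = env.project
    and f.location = env.location
    and f.name = env.name
where
  -- assumed naming pattern for credential-bearing variables; tune as needed
  env.key ~* '(password|passwd|secret|token|api_?key|private_?key|credential)'
order by
  env.project,
  env.name,
  env.scope,
  env.key;
```

A function with hits here and secret_manager_env_count of 0 is the usual case to remediate: move the value into Secret Manager and redeploy with a secret environment variable or secret volume, then rotate the exposed value, since it has already been readable by every principal with get permission on the function.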
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_gcp --config '<your_config>' gcp_cloudfunctions_function
```