Add post-deploy script to make functions public

Shout out to this post for pointing out this workaround:
serverless/serverless-google-cloudfunctions#205 (comment)

Once this is natively supported in the serverless-google-cloudfunctions plugin, the serverless.yml file should be updated accordingly.

Author: cgossain

.gitignore

@@ -1,3 +1,5 @@
+.DS_Store
+
 # Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
 # Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
 

README.md

@@ -2,15 +2,15 @@
 
 This template project is designed to be used as a starting point for a Google Cloud Functions project using the Golang runtime and the Serverless Framework.
 
-## Requirements
+## Prerequisites
 
-- You have the [Serverless Framework](https://www.serverless.com/framework/docs/getting-started/) installed.
-- You have a project already created and configured in Google Cloud. You can follow [this guide](https://www.serverless.com/framework/docs/providers/google/guide/credentials/) to make sure its setup to work with Severless.
-- You've setup your overall environment to work with GCP and the Serverless Framework. You should follow [these guides](https://www.serverless.com/framework/docs/providers/google/guide/intro/) if not.
+- Install the [Serverless Framework](https://www.serverless.com/framework/docs/getting-started/)
+- Install the [Google Cloud SDK](https://cloud.google.com/sdk/docs/install), and then run `gcloud auth login` to authenticate
+- Create and configure a project in Google Cloud Console. You can follow [this guide](https://www.serverless.com/framework/docs/providers/google/guide/credentials/) to make sure its setup to work with Severless.
 
 ## Project structure
 
-The root directory contains a folder for each of your microservices (i.e. Go package).
+The root directory contains a folder for each microservice/package.
 
 The `go.mod` file also resides in the root directory.
 
@@ -42,21 +42,15 @@ Create a directory (i.e. package) for each logical microservice you intend to de
 cp -R templateservice <b>mynewservice</b>
 </pre>
 
-2. Navigate to the new directory and install the Google Cloud Functions Provider Plugin:
-
-<pre>
-cd <b>mynewservice</b> && serverless plugin install --name serverless-google-cloudfunctions
-</pre>
-
-3. Update the package name in both `fn.go` and `fn_test.go` to match your microservice/package name:
+2. Update the package name in both `fn.go` and `fn_test.go` to match your microservice/package name:
 
 <pre>
 package <b>mynewservice</b>
 
 ...
 </pre>
 
-4. Open `serverless.yml` and update the configuration (i.e. service name, GCP project name, GCP credentials keyfile, etc.):
+3. Open `serverless.yml` and update the configuration (i.e. service name, GCP project name, GCP credentials keyfile, etc.):
 
 <pre>
 service: <b>mynewservice</b>
@@ -80,10 +74,17 @@ functions:
     handler: Hello
     events:
       - http: path # https://www.serverless.com/framework/docs/providers/google/events/http#http-events
+    allowUnauthenticated: true # unofficial flag that ties into the post-deploy script
 
 ...
 </pre>
 
+4. Install the serverless plugin dependencies (specified in `package.json`):
+
+<pre>
+npm install
+</pre>
+
 ### Additional info
 
 Take a look at [this guide](https://cloud.google.com/functions/docs/writing#structuring_source_code) for ideas on how to structure your source code for different scenarios:
@@ -96,14 +97,68 @@ Run the following command from within your microservice/package directory to bui
 cd <b>mynewservice</b> && serverless deploy
 </pre>
 
-## Remove Deployment
+## Remove deployment
 
 Run the following command from within your microservice/package directory to remove the deployment of all functions:
 
 <pre>
 cd <b>mynewservice</b> && serverless remove
 </pre>
 
+## Access control (public vs. private functions)
+
+At this time, the `serverless-google-cloudfunctions` plugin does not appear to allow setting an iam-policy-binding in `serverless.yml` for each function to allow unauthenticated access to their HTTP endpoints created via the deploy (google makes them private by default).
+
+### Update manually
+
+This can be done either through the console or the gcloud cli [as detailed here](https://cloud.google.com/run/docs/authenticating/public#gcloud).
+
+### Update via plugin commands
+
+The included `serverless.yml` file uses the `serverless-plugin-scripts` plugin and defines 2 commands.
+
+To make a function public, run the following from within your microservice/package directory:
+
+```
+npx sls mkfunc-pub --function=hello
+```
+
+To make a function private, run the following from within your microservice/package directory:
+
+```
+npx sls mkfunc-pvt --function=hello
+```
+
+Note: Using the serverless plugin these commnads can build the full `gcloud` command that will update the iam-policy-binding for the specified function.
+
+### Update via script
+
+This project includes a script that can automate the whole update process.
+
+It works by first grabing all the functions defined in `serverless.yml` then sorting them as public or private (it does this by checking for the precence of the `allowUnauthenticated: true` key-value pair within the function definition), then runs `mkfunc-pub` or `mkfunc-pvt` for each function.
+
+To run the script manually, run the following from within your microservice/package directory:
+
+```
+../scripts/sls-update-allow-unauthenticated.sh
+```
+
+To have the script run automatically after every serverless deploy, uncomment the `custom.scripts.commands.hooks` section in the `serverless.yml` file:
+
+<pre>
+...
+
+custom:
+  scripts:
+    commands:
+      ...
+    <b>
+    hooks:
+      "after:deploy:deploy": ../scripts/sls-update-allow-unauthenticated.sh
+    </b>
+</pre>
+
 ## References
 
 1. [Serverless GCP Golang Example](https://github.com/serverless/examples/tree/master/google-golang-simple-http-endpoint)
+2. [Inspiration for Script Workaround](https://github.com/serverless/serverless-google-cloudfunctions/issues/205#issuecomment-658759740)

scripts/sls-update-allow-unauthenticated.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Get a list of functions in the serverless.yml file and format as args
+functions=$(sls print --path functions --transform keys --format text | xargs)
+
+# Sort functions as public and private
+pub=()
+prv=()
+for fn in ${functions[@]}; do
+    # if the `allowUnauthenticated: true` flag is defined for the function flag it to be made public
+    if [[ "$(sls print --path functions."$fn" --format yaml | xargs)" == *"allowUnauthenticated: true"* ]]; then
+        pub+=($fn)
+    else
+        prv+=($fn)
+    fi
+done
+
+# Run the mkfunc-pub command for each public function
+for fn in ${pub[@]}; do
+    echo "Making function \""$fn"\" public..."
+    npx sls mkfunc-pub --function="$fn"
+done
+
+# Run the mkfunc-pvt command for each private function
+for fn in ${prv[@]}; do
+    echo "Making function \""$fn"\" private..."
+    npx sls mkfunc-pvt --function="$fn"
+done

templateservice/.gitignore

@@ -1,3 +1,5 @@
+.DS_Store
+
 # Binaries for programs and plugins
 *.exe
 *.exe~
@@ -15,6 +17,5 @@
 # vendor/
 
 # Other
-.DS_Store
 node_modules
 .serverless