Add post-deploy script to make functions public

Shout out to this post for pointing out this workaround:
serverless/serverless-google-cloudfunctions#205 (comment)

Once this is natively supported in the serverless-google-cloudfunctions plugin, the serverless.yml file should be updated accordingly.

Author: cgossain

.gitignore

@@ -1,3 +1,5 @@
+.DS_Store
+
 # Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
 # Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
 

README.md

@@ -2,15 +2,15 @@
 
 This template project is designed to be used as a starting point for a Google Cloud Functions project using the Golang runtime and the Serverless Framework.
 
-## Requirements
+## Prerequisites
 
-- You have the [Serverless Framework](https://www.serverless.com/framework/docs/getting-started/) installed.
-- You have a project already created and configured in Google Cloud. You can follow [this guide](https://www.serverless.com/framework/docs/providers/google/guide/credentials/) to make sure its setup to work with Severless.
-- You've setup your overall environment to work with GCP and the Serverless Framework. You should follow [these guides](https://www.serverless.com/framework/docs/providers/google/guide/intro/) if not.
+- Install the [Serverless Framework](https://www.serverless.com/framework/docs/getting-started/)
+- Install the [Google Cloud SDK](https://cloud.google.com/sdk/docs/install), and then run `gcloud auth login` to authenticate
+- Create and configure a project in Google Cloud Console. You can follow [this guide](https://www.serverless.com/framework/docs/providers/google/guide/credentials/) to make sure its setup to work with Severless.
 
 ## Project structure
 
-The root directory contains a folder for each of your microservices (i.e. Go package).
+The root directory contains a folder for each microservice/package.
 
 The `go.mod` file also resides in the root directory.
 
@@ -42,21 +42,15 @@ Create a directory (i.e. package) for each logical microservice you intend to de
 cp -R templateservice <b>mynewservice</b>
 </pre>
 
-2. Navigate to the new directory and install the Google Cloud Functions Provider Plugin:
-
-<pre>
-cd <b>mynewservice</b> && serverless plugin install --name serverless-google-cloudfunctions
-</pre>
-
-3. Update the package name in both `fn.go` and `fn_test.go` to match your microservice/package name:
+2. Update the package name in both `fn.go` and `fn_test.go` to match your microservice/package name:
 
 <pre>
 package <b>mynewservice</b>
 
 ...
 </pre>
 
-4. Open `serverless.yml` and update the configuration (i.e. service name, GCP project name, GCP credentials keyfile, etc.):
+3. Open `serverless.yml` and update the configuration (i.e. service name, GCP project name, GCP credentials keyfile, etc.):
 
 <pre>
 service: <b>mynewservice</b>
@@ -80,10 +74,17 @@ functions:
     handler: Hello
     events:
       - http: path # https://www.serverless.com/framework/docs/providers/google/events/http#http-events
+    allowUnauthenticated: true # unofficial flag that ties into the post-deploy script
 
 ...
 </pre>
 
+4. Install the serverless plugin dependencies (specified in `package.json`):
+
+<pre>
+npm install
+</pre>
+
 ### Additional info
 
 Take a look at [this guide](https://cloud.google.com/functions/docs/writing#structuring_source_code) for ideas on how to structure your source code for different scenarios:
@@ -96,14 +97,70 @@ Run the following command from within your microservice/package directory to bui
 cd <b>mynewservice</b> && serverless deploy
 </pre>
 
-## Remove Deployment
+## Remove deployment
 
 Run the following command from within your microservice/package directory to remove the deployment of all functions:
 
 <pre>
 cd <b>mynewservice</b> && serverless remove
 </pre>
 
+## Access control (public vs. private functions)
+
+If you're deploying an HTTP triggered function you'll most likely want to have the HTTP function be publicly accessible and google seems to make them private by default. At this time it appears the `serverless-google-cloudfunctions` plugin does provide a way to make functions public in the `serverless.yml` file.
+
+Until this is supported by the plugin, we can work around it in a few ways.
+
+### Update manually
+
+This can be done either through the console or the gcloud cli [as detailed here](https://cloud.google.com/run/docs/authenticating/public#gcloud).
+
+### Update via plugin commands
+
+The included `serverless.yml` file uses the `serverless-plugin-scripts` plugin and defines 2 commands.
+
+To make a function public, run the following from within your microservice/package directory:
+
+```
+npx sls mkfunc-pub --function=hello
+```
+
+To make a function private, run the following from within your microservice/package directory:
+
+```
+npx sls mkfunc-pvt --function=hello
+```
+
+Note: Using the serverless plugin these commnads can build the full `gcloud` command that will update the iam-policy-binding for the specified function.
+
+### Update via script
+
+This project includes a script that can automate the whole update process.
+
+It works by first grabing all the functions defined in `serverless.yml` then sorting them as public or private (it does this by checking for the precence of the `allowUnauthenticated: true` key-value pair within the function definition), then runs `mkfunc-pub` or `mkfunc-pvt` for each function.
+
+To run the script manually, run the following from within your microservice/package directory:
+
+```
+../scripts/sls-update-allow-unauthenticated.sh
+```
+
+To have the script run automatically after every serverless deploy, uncomment the `custom.scripts.commands.hooks` section in the `serverless.yml` file:
+
+<pre>
+...
+
+custom:
+  scripts:
+    commands:
+      ...
+    <b>
+    hooks:
+      "after:deploy:deploy": ../scripts/sls-update-allow-unauthenticated.sh
+    </b>
+</pre>
+
 ## References
 
 1. [Serverless GCP Golang Example](https://github.com/serverless/examples/tree/master/google-golang-simple-http-endpoint)
+2. [Inspiration for Script Workaround](https://github.com/serverless/serverless-google-cloudfunctions/issues/205#issuecomment-658759740)

scripts/sls-update-allow-unauthenticated.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Get a list of functions in the serverless.yml file and format as args
+functions=$(sls print --path functions --transform keys --format text | xargs)
+
+# Sort functions as public and private
+pub=()
+prv=()
+for fn in ${functions[@]}; do
+    # if the `allowUnauthenticated: true` flag is defined for the function flag it to be made public
+    if [[ "$(sls print --path functions."$fn" --format yaml | xargs)" == *"allowUnauthenticated: true"* ]]; then
+        pub+=($fn)
+    else
+        prv+=($fn)
+    fi
+done
+
+# Run the mkfunc-pub command for each public function
+for fn in ${pub[@]}; do
+    echo "Making function \""$fn"\" public..."
+    npx sls mkfunc-pub --function="$fn"
+done
+
+# Run the mkfunc-pvt command for each private function
+for fn in ${prv[@]}; do
+    echo "Making function \""$fn"\" private..."
+    npx sls mkfunc-pvt --function="$fn"
+done

templateservice/.gitignore

@@ -1,3 +1,5 @@
+.DS_Store
+
 # Binaries for programs and plugins
 *.exe
 *.exe~
@@ -15,6 +17,5 @@
 # vendor/
 
 # Other
-.DS_Store
 node_modules
 .serverless