[SLS] Add workarroud to make functions public.

serverless/serverless-google-cloudfunctions#205 (comment)

Author: weynhamz

sls/package.json

@@ -24,6 +24,7 @@
     "eslint": "^7.28.0",
     "eslint-config-google": "^0.14.0",
     "jsdoc": "^3.6.7",
-    "pre-commit": "^1.2.2"
+    "pre-commit": "^1.2.2",
+    "serverless-plugin-scripts": "^1.0.2"
   }
 }

sls/scripts/sls-update-allow-unauthenticated.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Get a list of functions in the serverless.yml file and format as args
+functions=$(sls print --path functions --transform keys --format text 2>/dev/null | xargs)
+
+# Sort functions as public and private
+echo "-------------------------------------------------------------------------"
+echo "sorting functions as public or private"
+echo "-------------------------------------------------------------------------"
+pub=()
+prv=()
+for fn in ${functions[@]}; do
+    # if the `allowUnauthenticated: true` flag is defined for the function flag it to be made public
+    if [[ "$(sls print --path functions."$fn" --format yaml 2>/dev/null | xargs)" == *"allowUnauthenticated: true"* ]]; then
+        pub+=($fn)
+    else
+        prv+=($fn)
+    fi
+done
+echo "done"
+
+# Run the mkfunc-pub command for each public function
+echo "-------------------------------------------------------------------------"
+echo "updating public functions"
+echo "-------------------------------------------------------------------------"
+for fn in ${pub[@]}; do
+    echo "Making function \""$fn"\" public..."
+    sls mkfunc-pub --function="$fn"
+done
+echo "done"
+
+echo "-------------------------------------------------------------------------"
+echo "updating private functions"
+echo "-------------------------------------------------------------------------"
+# Run the mkfunc-pvt command for each private function
+for fn in ${prv[@]}; do
+    echo "Making function \""$fn"\" private..."
+    sls mkfunc-pvt --function="$fn"
+done
+echo "done"

sls/serverless.yml

@@ -25,29 +25,64 @@ provider:
 frameworkVersion: '3'
 
 plugins:
+  - serverless-plugin-scripts
   - serverless-google-cloudfunctions
 
 # needs more granular excluding in production as only the serverless provider npm
 # package should be excluded (and not the whole node_modules directory)
 package:
   exclude:
     - node_modules/**
+    - scripts/**
     - .gitignore
     - .git/**
 
 custom:
   topicName: ${self:service}-gmail-push
   topicResource: projects/${env:GCP_PROJECT}/topics/${self:custom.topicName}
+  scripts:
+    # NOTE: uncomment the following if you want the `sls-update-allow-unauthenticated.sh` script to
+    # run after every deploy. Otherwise just run the script manually.
+    hooks:
+      "after:deploy:deploy": ./scripts/sls-update-allow-unauthenticated.sh
+    commands:
+      # make the specified function public
+      mkfunc-pub: gcloud functions add-iam-policy-binding ${self:service}-${self:provider.stage}-${opt:function, ""} --member="allUsers" --role="roles/cloudfunctions.invoker" --project=${self:provider.project} --region=${self:provider.region}
+      # make the specified function private
+      mkfunc-pvt: gcloud functions remove-iam-policy-binding ${self:service}-${self:provider.stage}-${opt:function, ""} --member="allUsers" --role="roles/cloudfunctions.invoker" --project=${self:provider.project} --region=${self:provider.region}
 
 functions:
   auth_init:
     handler: auth_init
     events:
       - http: true
+  # TODO: Grant public access
+    accessControl:
+      gcpIamPolicy:
+        bindings:
+        - role: roles/cloudfunctions.invoker
+          members:
+          - "allUsers"
+    # unofficial flag that ties into the post-deploy script; set to false or omit the key if you
+    # don't want to make the function public; you will need to run the `sls-update-allow-unauthenticated.sh`
+    # script to update the function permissions
+    allowUnauthenticated: true
+
   auth_callback:
     handler: auth_callback
     events:
       - http: true
+  # TODO: Grant public access
+    accessControl:
+      gcpIamPolicy:
+        bindings:
+        - role: roles/cloudfunctions.invoker
+          members:
+          - "allUsers"
+    # unofficial flag that ties into the post-deploy script; set to false or omit the key if you
+    # don't want to make the function public; you will need to run the `sls-update-allow-unauthenticated.sh`
+    # script to update the function permissions
+    allowUnauthenticated: true
 
   # NOTE: the following uses an "event" event (pubSub event in this case).
   # Please create the corresponding resources in the Google Cloud

sls/yarn.lock

@@ -2437,6 +2437,11 @@ serverless-google-cloudfunctions@^4.1.0:
     googleapis "^50.0.0"
     lodash "^4.17.21"
 
+serverless-plugin-scripts@^1.0.2:
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/serverless-plugin-scripts/-/serverless-plugin-scripts-1.0.2.tgz#21808c3cfd0a1a84e48c0660b0f6f370b5665486"
+  integrity sha512-+OL9fFz5r6BXNHfpu9MDLehS/haC0fy/T3V5uJsTfLAnNsn+PzM6BmvefUfWG372hBT7piTbywB1Vl1+4LmI5Q==
+
 set-blocking@^2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/set-blocking/-/set-blocking-2.0.0.tgz#045f9782d011ae9a6803ddd382b24392b3d890f7"