From c5d170de6b11d9183cfa2c82e0f8ec18a1319aea Mon Sep 17 00:00:00 2001 From: David Gamez Diaz <1192523+davidgamez@users.noreply.github.com> Date: Wed, 3 Sep 2025 10:53:31 -0400 Subject: [PATCH 1/4] fix permissions --- infra/functions-python/main.tf | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/infra/functions-python/main.tf b/infra/functions-python/main.tf index c1daea39d..de620059a 100644 --- a/infra/functions-python/main.tf +++ b/infra/functions-python/main.tf @@ -32,6 +32,9 @@ locals { vpc_connector_name = lower(var.environment) == "dev" ? "vpc-connector-qa" : "vpc-connector-${lower(var.environment)}" vpc_connector_project = lower(var.environment) == "dev" ? "mobility-feeds-qa" : var.project_id + # This is as a constant due to the existent of two independent infra modules + batchfunctions_sa_email = "batchfunctions-service-account@${var.project_id}.iam.gserviceaccount.com" + function_process_validation_report_config = jsondecode(file("${path.module}/../../functions-python/process_validation_report/function_config.json")) function_process_validation_report_zip = "${path.module}/../../functions-python/process_validation_report/.dist/process_validation_report.zip" public_hosted_datasets_url = lower(var.environment) == "prod" ? "https://${var.public_hosted_datasets_dns}" : "https://${var.environment}-${var.public_hosted_datasets_dns}" @@ -349,6 +352,10 @@ resource "google_cloudfunctions2_function" "process_validation_report" { vpc_connector_egress_settings = "PRIVATE_RANGES_ONLY" environment_variables = { + ENV = var.environment + PROJECT_ID = var.project_id + GCP_REGION = var.gcp_region + SERVICE_ACCOUNT_EMAIL = google_service_account.functions_service_account.email FILES_ENDPOINT = local.public_hosted_datasets_url # prevents multiline logs from being truncated on GCP console PYTHONNODEBUGRANGES = 0 
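Review bot: `batchfunctions_sa_email` hard-codes a principal that is created by a different module, so a rename or recreation of that service account there is not caught at plan time and only surfaces when the `_iam_member` bindings that consume it fail at apply (or bind a stale identity). Resolving it through a `google_service_account` data source keeps the literal in one place and turns a missing account into a plan-time error; the local then becomes `batchfunctions_sa_email = data.google_service_account.batchfunctions.email`. The new comment also reads oddly; `# Kept as a constant because the account is created by a separate infra module` says what is meant. Note that for dev this file points `vpc_connector_project` at `mobility-feeds-qa` while the SA email uses `var.project_id` — presumably the account does exist in the dev project, but since the other cross-module reference does not follow that pattern it is worth confirming.
```hcl
# Created by the sibling infra module; resolved here so a missing account fails at plan time.
data "google_service_account" "batchfunctions" {
  account_id = "batchfunctions-service-account"
  project    = var.project_id
}
```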
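Review bot: `SERVICE_ACCOUNT_EMAIL` hands process_validation_report the email of `functions_service_account`, whereas every invoker grant added in this series goes to the separately hard-coded batchfunctions account; if the function uses this value as the OIDC identity for Cloud Tasks or direct calls to reverse_geolocation_processor / tasks_executor (the Python side is not visible here), those requests would arrive as an unbound principal and be rejected. Worth confirming which identity actually makes the downstream call and, if it is this one, adding the matching binding. A one-line comment would also spare the next reader the same question, e.g. `# Identity the function presents to downstream functions — must hold an invoker binding on them`. The `environment_variables` map and the enclosing resource continue past the end of the hunk.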
@@ -534,6 +541,7 @@ resource "google_cloud_scheduler_job" "gbfs_validator_batch_scheduler" { headers = { "Content-Type" = "application/json" } + body = {} } attempt_deadline = "320s" } @@ -1060,6 +1068,15 @@ resource "google_cloud_tasks_queue" "reverse_geolocation_task_queue_processor" { } } +# Grant execution permission to bathcfunctions service account to the reverse_geolocation_processor function +resource "google_cloudfunctions2_function_iam_member" "reverse_geolocation_processor_invoker" { + project = var.project_id + location = var.gcp_region + cloud_function = google_cloudfunctions2_function.reverse_geolocation_processor.name + role = "roles/run.invoker" + member = "serviceAccount:${local.batchfunctions_sa_email}" +} + # 13.3 functions/reverse_geolocation - batch cloud function resource "google_cloudfunctions2_function" "reverse_geolocation_batch" { name = "${local.function_reverse_geolocation_config.name}-batch" From 2e9fd0c200e89b48ed57be94f9dffc216bb8236c Mon Sep 17 00:00:00 2001 From: David Gamez Diaz <1192523+davidgamez@users.noreply.github.com> Date: Wed, 3 Sep 2025 11:23:14 -0400 Subject: [PATCH 2/4] fix scheduler body formatting --- infra/functions-python/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/functions-python/main.tf b/infra/functions-python/main.tf index de620059a..7466bc570 100644 --- a/infra/functions-python/main.tf +++ b/infra/functions-python/main.tf @@ -541,7 +541,7 @@ resource "google_cloud_scheduler_job" "gbfs_validator_batch_scheduler" { headers = { "Content-Type" = "application/json" } - body = {} + body = base64encode("{}") } attempt_deadline = "320s" } From df6e8568b69b01ad601e4ac20a4d09fe122ec904 Mon Sep 17 00:00:00 2001 From: David Gamez Diaz <1192523+davidgamez@users.noreply.github.com> Date: Wed, 3 Sep 2025 12:19:57 -0400 Subject: [PATCH 3/4] change roles --- infra/functions-python/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
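Review bot: The comment above the new `reverse_geolocation_processor_invoker` binding misspells the principal as `bathcfunctions` and "execution permission" does not name what is actually granted; suggested wording: `# Allow the batchfunctions service account (created by the sibling infra module) to invoke reverse_geolocation_processor`. Using `_iam_member` rather than `_iam_policy` here is the right choice, since it is additive and will not clobber bindings managed elsewhere.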
diff --git a/infra/functions-python/main.tf b/infra/functions-python/main.tf index 7466bc570..9d7cecb11 100644 --- a/infra/functions-python/main.tf +++ b/infra/functions-python/main.tf @@ -1073,7 +1073,7 @@ resource "google_cloudfunctions2_function_iam_member" "reverse_geolocation_proce project = var.project_id location = var.gcp_region cloud_function = google_cloudfunctions2_function.reverse_geolocation_processor.name - role = "roles/run.invoker" + role = "roles/cloudfunctions.invoker" member = "serviceAccount:${local.batchfunctions_sa_email}" } From 1e5a7110d2c63784b561181fe16786ae59922806 Mon Sep 17 00:00:00 2001 From: David Gamez Diaz <1192523+davidgamez@users.noreply.github.com> Date: Wed, 3 Sep 2025 12:53:15 -0400 Subject: [PATCH 4/4] add missing task executor permission --- infra/functions-python/main.tf | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/infra/functions-python/main.tf b/infra/functions-python/main.tf index 9d7cecb11..85fea2d03 100644 --- a/infra/functions-python/main.tf +++ b/infra/functions-python/main.tf @@ -1178,6 +1178,15 @@ resource "google_cloudfunctions2_function" "tasks_executor" { } } +# Grant execution permission to bathcfunctions service account to the tasks_executor function +resource "google_cloudfunctions2_function_iam_member" "tasks_executor_invoker" { + project = var.project_id + location = var.gcp_region + cloud_function = google_cloudfunctions2_function.tasks_executor.name + role = "roles/cloudfunctions.invoker" + member = "serviceAccount:${local.batchfunctions_sa_email}" +} + # 15. functions/pmtiles_builder cloud function resource "google_cloudfunctions2_function" "pmtiles_builder" { name = "${local.function_pmtiles_builder_config.name}-${var.environment}"
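Review bot: Switching the role to `roles/cloudfunctions.invoker` makes the `google_cloudfunctions2_function_iam_member` apply cleanly, but I am not confident it authorises HTTP calls to a 2nd-gen function: requests to gen2 functions are admitted by the underlying Cloud Run service, and the provider's own authenticated-invocation example binds `roles/run.invoker` on that service via `google_cloud_run_service_iam_member` (which is presumably why `roles/run.invoker` was rejected on the functions2 IAM resource in the previous commit). Before merging, exercise an authenticated call from the batchfunctions account against the deployed function; if it returns 403, replace the binding with the Cloud Run form below, which uses the function name as the service name.
```hcl
# Allow the batchfunctions service account (sibling infra module) to invoke reverse_geolocation_processor.
# Gen2 functions are fronted by Cloud Run, so the invoker binding goes on the Cloud Run service.
resource "google_cloud_run_service_iam_member" "reverse_geolocation_processor_invoker" {
  project  = var.project_id
  location = var.gcp_region
  service  = google_cloudfunctions2_function.reverse_geolocation_processor.name
  role     = "roles/run.invoker"
  member   = "serviceAccount:${local.batchfunctions_sa_email}"
}
```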
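Review bot: `tasks_executor_invoker` repeats the `reverse_geolocation_processor_invoker` block verbatim apart from the function reference, and carries the same `bathcfunctions` typo in its comment; a single resource with `for_each = { reverse_geolocation_processor = google_cloudfunctions2_function.reverse_geolocation_processor.name, tasks_executor = google_cloudfunctions2_function.tasks_executor.name }` and `cloud_function = each.value` would keep the list of functions the batch account may invoke in one place. That also means whichever resource/role pair turns out to be correct for gen2 invocation only has to be changed once. If the blocks stay separate, `# Allow the batchfunctions service account (sibling infra module) to invoke tasks_executor` fixes the comment.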