Securing Your Cloud Function
Security architecture of the Fireconduit trigger function
The Cloud Function deployed by Fireconduit is triggered exclusively via Pub/Sub messages delivered through Eventarc. It has no public HTTP endpoint — only messages published to your trigger topic can invoke it. This eliminates entire classes of attacks (DDoS, injection, unauthorized access) by design.
Security Layers
| Layer | Enabled By | Protection |
|---|---|---|
| Eventarc trigger | Default | Function only invoked by Pub/Sub messages, no public HTTP endpoint |
| Telemetry push auth | Default | Shared secret validates telemetry push deliveries to Fireconduit |
| IAM bindings | Default | Only Fireconduit’s publisher SA can publish to trigger topic |
| Cloud Armor | Manual setup | Enterprise-grade DDoS protection for telemetry endpoint |
How It Works
Trigger Flow (Fireconduit → Your Function)
- Fireconduit publishes a trigger message to your trigger topic using a dedicated publisher service account
- Eventarc delivers the message to your Cloud Function as a CloudEvent
- Your Cloud Function validates the message payload and launches a Dataflow job
- The function publishes lifecycle events (triggered, succeeded, failed) to your telemetry topic
Telemetry Flow (Your Function → Fireconduit)
- Your Cloud Function publishes job status events to the telemetry topic
- A push subscription delivers these events to Fireconduit’s API endpoint
- Fireconduit validates the shared secret token before processing
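The two flows above, end to end, as an added example that is not Fireconduit's function code (the page does not show the real payload schema): it decodes the Pub/Sub envelope Eventarc delivers, validates the trigger payload against a hypothetical schema (`job_name`, `template_path`, `parameters`; the job-name allow-list and the `gs://` check are assumptions), returns the lifecycle event the function would publish, and then replays the telemetry push delivery from the receiver's side, comparing the shared secret in constant time before anything is parsed. The `X-Fireconduit-Token` header name, the `launch_dataflow_job` callable and all sample values are constructed.

```python
import base64
import hmac
import json
import re

# Hypothetical trigger payload schema; the real Fireconduit message format is not on the page.
REQUIRED_FIELDS = {"job_name": str, "template_path": str, "parameters": dict}
JOB_NAME_RE = re.compile(r"[a-z][a-z0-9-]{0,62}")  # conservative allow-list (assumption)
TOKEN_HEADER = "X-Fireconduit-Token"  # assumed header carrying the shared secret


def decode_pubsub_envelope(envelope):
    """Base64- and JSON-decode the message body inside a Pub/Sub envelope.

    Both an Eventarc CloudEvent for a Pub/Sub trigger and a push-subscription delivery
    carry the message as {"message": {"data": "<base64>", ...}, "subscription": "..."}.
    """
    message = envelope["message"]
    raw = base64.b64decode(message.get("data", ""), validate=True)
    return json.loads(raw)


def validate_trigger_payload(payload):
    """Return a list of problems; an empty list means the payload may launch a job."""
    if not isinstance(payload, dict):
        return ["payload is not a JSON object"]
    problems = []
    for name, expected in REQUIRED_FIELDS.items():
        if name not in payload:
            problems.append(f"missing field: {name}")
        elif not isinstance(payload[name], expected):
            problems.append(f"{name} must be a {expected.__name__}")
    extra = sorted(set(payload) - set(REQUIRED_FIELDS))
    if extra:
        problems.append(f"unexpected fields: {extra}")
    job_name = payload.get("job_name")
    if isinstance(job_name, str) and not JOB_NAME_RE.fullmatch(job_name):
        problems.append("job_name contains characters outside the allow-list")
    template = payload.get("template_path")
    if isinstance(template, str) and not template.startswith("gs://"):
        problems.append("template_path must be a gs:// URI")
    return problems


def handle_trigger(cloudevent_data, launch_dataflow_job):
    """Process one trigger message and return the lifecycle event the function would publish.

    launch_dataflow_job is a callable that takes the validated payload and returns a job id;
    the real function would call the Dataflow API here (not shown on the page).
    """
    try:
        payload = decode_pubsub_envelope(cloudevent_data)
    except (KeyError, TypeError, AttributeError, ValueError) as exc:
        # binascii.Error and json.JSONDecodeError are both ValueError subclasses
        return {"event": "failed", "reason": f"undecodable message: {exc}"}
    problems = validate_trigger_payload(payload)
    if problems:
        return {"event": "failed", "reason": "; ".join(problems)}
    job_id = launch_dataflow_job(payload)
    return {"event": "triggered", "job_name": payload["job_name"], "job_id": job_id}


def make_trigger_event(payload):
    """Constructed CloudEvent data for a trigger payload, shaped like an Eventarc Pub/Sub delivery."""
    data = base64.b64encode(json.dumps(payload).encode()).decode()
    return {"message": {"data": data, "messageId": "constructed-1"},
            "subscription": "projects/my-project/subscriptions/eventarc-constructed"}


def build_push_delivery(lifecycle_event, shared_secret):
    """Constructed push delivery of a telemetry event: (headers, body) as a push subscription would send them."""
    data = base64.b64encode(json.dumps(lifecycle_event).encode()).decode()
    body = json.dumps({"message": {"data": data, "messageId": "constructed-2"},
                       "subscription": "projects/my-project/subscriptions/fireconduit-telemetry-push"})
    return {TOKEN_HEADER: shared_secret}, body.encode()


def receive_telemetry(headers, body, shared_secret):
    """Receiver side: reject before parsing unless the shared secret matches (constant-time compare)."""
    presented = headers.get(TOKEN_HEADER, "")
    if not hmac.compare_digest(presented.encode(), shared_secret.encode()):
        return None
    return decode_pubsub_envelope(json.loads(body))


if __name__ == "__main__":
    good = {"job_name": "nightly-export", "template_path": "gs://my-bucket/templates/export",
            "parameters": {"date": "2024-01-01"}}
    event = handle_trigger(make_trigger_event(good), lambda p: "job-123")
    print(event)
    print(handle_trigger(make_trigger_event(dict(good, job_name="Nightly Export")), lambda p: "never"))
    headers, body = build_push_delivery(event, "s3cret")
    print(receive_telemetry(headers, body, "s3cret"))
    print(receive_telemetry({TOKEN_HEADER: "wrong"}, body, "s3cret"))
```

Two design points carry over to a real deployment: a failed validation still produces a `failed` lifecycle event so the telemetry stream records rejected messages rather than silently dropping them, and the receiver compares the secret with `hmac.compare_digest` and returns before touching the body, so a wrong token never reaches the JSON parser.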
IAM-Based Access Control
- Only Fireconduit’s publisher SA (`fireconduit-publisher@fireconduit.iam.gserviceaccount.com`) has `roles/pubsub.publisher` on your trigger topic
- Your Cloud Function SA has `roles/eventarc.eventReceiver` to receive Eventarc-delivered messages
- Your Cloud Function SA has `roles/pubsub.publisher` on the telemetry topic to publish job events
- Fireconduit’s publisher SA has `roles/pubsub.subscriber` on the telemetry topic
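A drift check for the bindings listed above, written as an added example rather than anything the Terraform module ships: it compares a topic's IAM policy, in the JSON shape that `gcloud pubsub topics get-iam-policy TOPIC --format=json` prints, with the publisher and subscriber bindings the section describes, and flags public principals, unexpected members, conditional bindings and missing grants. The function SA address, the project name and the sample policies are constructed; `roles/eventarc.eventReceiver` is not a topic-level binding, so it is outside this check.

```python
import json
import sys

PUBLISHER_SA = "serviceAccount:fireconduit-publisher@fireconduit.iam.gserviceaccount.com"
FUNCTION_SA = "serviceAccount:fireconduit-function@my-project.iam.gserviceaccount.com"  # assumption
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Expected topic-level bindings from the IAM section above.
EXPECTED_BINDINGS = {
    "trigger": {"roles/pubsub.publisher": {PUBLISHER_SA}},
    "telemetry": {"roles/pubsub.publisher": {FUNCTION_SA},
                  "roles/pubsub.subscriber": {PUBLISHER_SA}},
}


def audit_topic_policy(topic_kind, policy):
    """Compare a topic IAM policy with the expected bindings for that topic.

    Returns a list of findings; an empty list means the policy is exactly what the
    module is expected to create. Any role not in EXPECTED_BINDINGS counts as unexpected.
    """
    expected = EXPECTED_BINDINGS[topic_kind]
    actual = {}
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        actual.setdefault(role, set()).update(binding.get("members", []))
        if binding.get("condition"):
            findings.append(f"conditional binding on {role}: review the condition manually")
    for role, members in actual.items():
        public = members & PUBLIC_PRINCIPALS
        if public:
            findings.append(f"{role} granted to public principal(s): {sorted(public)}")
        extra = members - expected.get(role, set()) - public
        if extra:
            findings.append(f"unexpected member(s) for {role}: {sorted(extra)}")
    for role, members in expected.items():
        missing = members - actual.get(role, set())
        if missing:
            findings.append(f"missing expected member(s) for {role}: {sorted(missing)}")
    return findings


# Constructed sample: a drifted trigger-topic policy with an extra human publisher and a public viewer.
SAMPLE_TRIGGER_POLICY = {
    "bindings": [
        {"role": "roles/pubsub.publisher", "members": [PUBLISHER_SA, "user:alice@example.com"]},
        {"role": "roles/pubsub.viewer", "members": ["allUsers"]},
    ],
    "etag": "BwXconstructed=",
}
CLEAN_TRIGGER_POLICY = {"bindings": [{"role": "roles/pubsub.publisher", "members": [PUBLISHER_SA]}]}


if __name__ == "__main__":
    # Usage: gcloud pubsub topics get-iam-policy TOPIC --format=json | python audit_topic_iam.py trigger
    if len(sys.argv) == 2 and not sys.stdin.isatty():
        for finding in audit_topic_policy(sys.argv[1], json.load(sys.stdin)):
            print("FINDING:", finding)
    else:
        for finding in audit_topic_policy("trigger", SAMPLE_TRIGGER_POLICY):
            print("FINDING:", finding)
        print("clean policy findings:", audit_topic_policy("trigger", CLEAN_TRIGGER_POLICY))
```

Run it against the trigger and telemetry topics after every `terraform apply` and on a schedule; a non-empty result on the trigger topic means something other than Fireconduit's publisher SA can now invoke your function.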
Private Cloud Function (VPC-SC)
For the highest security, deploy the Cloud Function within a VPC Service Controls perimeter:
```hcl
module "fireconduit" {
  source              = "github.com/fireconduit/terraform-fireconduit"
  project_id          = var.project_id
  region              = var.region
  fireconduit_api_key = var.fireconduit_api_key

  # VPC-SC configuration
  enable_vpc_connector = true
  vpc_connector        = "projects/my-project/locations/us-central1/connectors/my-connector"
  dataflow_network     = "my-vpc"
  dataflow_subnetwork  = "projects/my-project/regions/us-central1/subnetworks/my-subnet"
  disable_public_ips   = true
}
```
See Infrastructure Setup for more details on VPC-SC configuration.
Security Best Practices
- Keep `terraform.tfvars` private — This file contains sensitive values (API key, telemetry secret). It’s automatically added to `.gitignore` by the CLI.
- Rotate API keys periodically — Generate new API keys in the Fireconduit dashboard and update your Terraform configuration.
- Monitor Cloud Function logs — Check for unusual patterns or unexpected invocations.
- Set up alerting — Create Cloud Monitoring alerts for:
  - Function error rates exceeding baseline
  - Unexpected Pub/Sub publish patterns
  - IAM policy changes on your topics
- Enable Cloud Audit Logs — Track who accesses your Cloud Function and Pub/Sub topics.
- Use least-privilege IAM — The Terraform module creates dedicated service accounts with minimal permissions.
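For the third alert in the list, IAM policy changes on your topics, an added example that is not part of Fireconduit's tooling: it scans Cloud Audit Log entries in their standard JSON shape for `SetIamPolicy` calls on the trigger and telemetry topics made by any principal other than the deployment identity. The topic names, the deployer service account and the log entries are constructed; `ALERT_FILTER` is the Cloud Logging query such an alert would be built on.

```python
import json
import sys

# Cloud Logging filter for the "IAM policy changes on your topics" alert (standard Cloud Audit Log fields).
ALERT_FILTER = ('resource.type="pubsub_topic" AND '
                'protoPayload.methodName="google.iam.v1.IAMPolicy.SetIamPolicy"')

# Constructed names; substitute the topics the module created in your project.
WATCHED_TOPICS = {"projects/my-project/topics/fireconduit-trigger",
                  "projects/my-project/topics/fireconduit-telemetry"}
# Identities expected to change topic IAM, e.g. whatever runs terraform apply (assumption).
ALLOWED_CHANGERS = {"terraform-deployer@my-project.iam.gserviceaccount.com"}


def iam_change_findings(entries):
    """Return one finding per SetIamPolicy call on a watched topic by an unexpected principal."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "google.iam.v1.IAMPolicy.SetIamPolicy":
            continue
        topic = payload.get("resourceName", "")
        if topic not in WATCHED_TOPICS:
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        if principal in ALLOWED_CHANGERS:
            continue
        findings.append({"timestamp": entry.get("timestamp"), "topic": topic, "principal": principal})
    return findings


def audit_entry(method, resource, principal, timestamp):
    """Build a constructed Cloud Audit Log entry in the shape Cloud Logging exports."""
    return {"timestamp": timestamp, "severity": "NOTICE", "resource": {"type": "pubsub_topic"},
            "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                             "serviceName": "pubsub.googleapis.com", "methodName": method,
                             "resourceName": resource,
                             "authenticationInfo": {"principalEmail": principal}}}


# Constructed sample: a deployer change (expected), a publish (not an IAM change), a human change (finding).
SAMPLE_ENTRIES = [
    audit_entry("google.iam.v1.IAMPolicy.SetIamPolicy", "projects/my-project/topics/fireconduit-trigger",
                "terraform-deployer@my-project.iam.gserviceaccount.com", "2024-01-01T10:00:00Z"),
    audit_entry("google.pubsub.v1.Publisher.Publish", "projects/my-project/topics/fireconduit-trigger",
                "fireconduit-publisher@fireconduit.iam.gserviceaccount.com", "2024-01-01T10:05:00Z"),
    audit_entry("google.iam.v1.IAMPolicy.SetIamPolicy", "projects/my-project/topics/fireconduit-telemetry",
                "alice@example.com", "2024-01-01T11:30:00Z"),
]


if __name__ == "__main__":
    # Usage: gcloud logging read "$ALERT_FILTER" --format=json | python topic_iam_alerts.py
    entries = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ENTRIES
    for finding in iam_change_findings(entries):
        print("ALERT:", finding)
```

The same filter string can be pasted into a log-based alerting policy in Cloud Monitoring; the script is for reviewing history or for a periodic job that fires when the Terraform identity was not the one that changed the policy.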