GCP Cloud Functions deployment fails with a generic DeploymentError when using Terraform. This typically occurs due to missing API enablement, IAM permission issues, source code configuration problems, or build service account misconfiguration.
The DeploymentError occurs when Google Cloud Functions fails to deploy through Terraform, indicating a problem with the deployment pipeline itself rather than your function code. This could be a configuration issue, permissions problem, or a failure in the Cloud Build process that Terraform relies on to package and deploy your function.
First, enable all necessary APIs in your GCP project. Run the following commands:
gcloud services enable cloudfunctions.googleapis.com
gcloud services enable run.googleapis.com
gcloud services enable artifactregistry.googleapis.com
gcloud services enable cloudbuild.googleapis.com
gcloud services enable storage-api.googleapis.com

Verify the APIs are enabled by checking your Google Cloud Console under APIs & Services.
Ensure your user account and build service account have the necessary permissions:
# Grant Cloud Functions Developer role to your user
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=user:YOUR_EMAIL \
  --role=roles/cloudfunctions.developer
# Grant Storage Admin role for Cloud Storage access
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=user:YOUR_EMAIL \
  --role=roles/storage.admin
# For build service account (usually the default compute service account,
# whose address has the form PROJECT_NUMBER-compute@developer.gserviceaccount.com)
BUILD_SA=PROJECT_NUMBER-compute@developer.gserviceaccount.com
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:$BUILD_SA" \
  --role=roles/cloudfunctions.developer

Replace PROJECT_ID with your actual Google Cloud project ID and PROJECT_NUMBER with the project's number.
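A preflight for the two prerequisites above (enabled APIs and the build service account's role), as an added example that is not part of the original page. The function names and the constructed sample list are assumptions; the `gcloud` calls in `preflight` need an authenticated CLI and are skipped when the script is run without arguments.

```shell
#!/usr/bin/env bash
# Added example: preflight for the API and IAM prerequisites described above.
# The five APIs from the "gcloud services enable" commands on this page.
REQUIRED_APIS="cloudfunctions.googleapis.com run.googleapis.com artifactregistry.googleapis.com cloudbuild.googleapis.com storage-api.googleapis.com"

# stdin: enabled service names, one per line. stdout: required APIs that are absent.
# grep -x -F compares whole lines literally, so "run.googleapis.com" is not
# satisfied by a longer name that merely contains it.
missing_apis() {
  enabled=$(cat)
  for api in $REQUIRED_APIS; do
    printf '%s\n' "$enabled" | grep -qxF "$api" || printf '%s\n' "$api"
  done
}

# stdin: role names, one per line. Succeeds only if role $1 is among them.
has_role() {
  grep -qxF "$1"
}

# Live check against a project; needs an authenticated gcloud.
preflight() {
  project=$1; build_sa=$2; status=0
  missing=$(gcloud services list --enabled --project "$project" \
    --format='value(config.name)' | missing_apis)
  if [ -n "$missing" ]; then
    printf 'API not enabled: %s\n' $missing; status=1
  fi
  if ! gcloud projects get-iam-policy "$project" \
      --flatten='bindings[].members' \
      --filter="bindings.members:$build_sa" \
      --format='value(bindings.role)' | has_role roles/cloudfunctions.developer; then
    echo "$build_sa lacks roles/cloudfunctions.developer on $project"; status=1
  fi
  return "$status"
}

if [ "$#" -eq 2 ]; then
  preflight "$1" "$2"
else
  # Constructed sample of enabled services, so the check can be seen offline.
  printf '%s\n' cloudfunctions.googleapis.com run.googleapis.com \
    cloudbuild.googleapis.com | missing_apis
fi
```

Run it as `./preflight.sh PROJECT_ID BUILD_SA_EMAIL` before `terraform apply`; a non-zero exit means one of the two prerequisites is missing.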
Ensure your Terraform configuration correctly specifies the Cloud Storage bucket and archive object:
resource "google_cloudfunctions_function" "my_function" {
  name                  = "my-function"
  runtime               = "python39"
  trigger_http          = true
  available_memory_mb   = 256
  source_archive_bucket = google_storage_bucket.bucket.name
  source_archive_object = google_storage_bucket_object.archive.name
  entry_point           = "hello_world"
}

Make sure the source code zip file is uploaded to the correct bucket before Terraform attempts the deployment.
To ensure Terraform detects source code changes and triggers redeployments, add a source code hash to the name of the archive object:
data "archive_file" "function_zip" {
  type        = "zip"
  source_dir  = "${path.module}/function"
  output_path = "${path.module}/function.zip"
}

resource "google_storage_bucket_object" "archive" {
  name   = "function-${data.archive_file.function_zip.output_base64sha256}.zip"
  bucket = google_storage_bucket.bucket.id
  source = data.archive_file.function_zip.output_path
}

This appends a checksum to the archive filename, triggering redeployment when code changes.
If deployment succeeds but the function is marked as unhealthy, check the Cloud Build and function logs:
# View recent Cloud Build logs
gcloud builds list --limit=10
gcloud builds log BUILD_ID
# View Cloud Functions logs
gcloud functions describe FUNCTION_NAME --gen2
gcloud functions logs read FUNCTION_NAME --gen2 --limit 50

Look for errors in the function's global scope that might be causing the health check to fail. These could include unhandled exceptions, timeouts, or missing dependencies.
For Cloud Functions Gen 2, explicitly specify the build service account in Terraform:
resource "google_cloudfunctions2_function" "my_function" {
  name     = "my-function"
  location = "us-central1"

  build_config {
    runtime     = "python39"
    entry_point = "hello_world"
    source {
      storage_source {
        bucket = google_storage_bucket.bucket.id
        object = google_storage_bucket_object.archive.name
      }
    }
    # In the Gen 2 resource the build service account is set with the
    # service_account argument of build_config, given as the account's
    # full resource name (projects/PROJECT/serviceAccounts/EMAIL).
    service_account = google_service_account.build_sa.id
  }
}

# Dedicated service account used only for building the function
resource "google_service_account" "build_sa" {
  account_id = "cloud-functions-build-sa"
}

# Grant the build service account its role at project level
resource "google_project_iam_member" "build_invoker" {
  project = var.project_id
  role    = "roles/cloudfunctions.developer"
  member  = "serviceAccount:${google_service_account.build_sa.email}"
}

Ensuring the build service account is explicitly configured and has proper permissions prevents permission-related DeploymentErrors.
DeploymentError is a broad category that can indicate different underlying issues. The error message itself is often not detailed enough, so always check the Cloud Build logs and Cloud Functions logs for the actual failure reason. In new GCP organizations, the default compute service account may not have any roles assigned, requiring explicit permission grants. For Cloud Functions Gen 2 (recommended), use the newer google_cloudfunctions2_function resource with explicit build service account configuration rather than relying on defaults. If you manually changed resources in the GCP Console after creating them with Terraform, those changes may conflict with Terraform's state and cause deployment errors.