Overview
Magnus provides Workflow Triggers as a way to initiate a Workflow execution from predefined cloud events. When the watched event fires, the Workflow is executed through the queued mode of Remote Workflow Execution v2. That is:
- the request to execute is queued and processed by the Fair Scheduler
- the quota for max enqueued requests per user applies
- multiple instances of the Workflow are allowed
- the Workflow state is not saved after execution
To Enable Workflow Triggers
To enable Workflow Triggers, org admins must provide the following to Potens.io Support.
- Name of GCF-project: This is the name of the Google Cloud project in which the underlying Google Cloud Function (GCF) will be created. The prerequisites for this project are as follows; please check them with the project owner:
  - The Cloud Functions API must be enabled.
  - The Google-owned service account [PROJECT_ID]@appspot.gserviceaccount.com must already exist. Google creates this account automatically when any GCF or Google App Engine (GAE) application is deployed.
  - [PROJECT_ID]@appspot.gserviceaccount.com must have the Logging.LogsWriter permission.
- Trigger service account: The Trigger service account is used to manage and orchestrate Workflow Triggers. It must have permission to create GCF in the GCF-project. The following information about the account is required:
  - Email address
  - Private key p12 file
  - The same private key p12 file stored in a Google Cloud Storage location. This Google Cloud Storage (GCS) location must be readable by [PROJECT_ID]@appspot.gserviceaccount.com of the GCF-project.
- Source code bucket: This is the GCS bucket where the source code of the GCF will be stored. The Trigger service account must have permission to create objects in this bucket.
- Trigger token bucket: This is the GCS bucket where Trigger Tokens will be stored. The Trigger service account must have permission to create objects in this bucket.
Security Recommendations
- The Google Cloud Storage (GCS) location of the private key file of the Trigger service account must be secured. This file must be readable by [PROJECT_ID]@appspot.gserviceaccount.com of the GCF-project. That service account is used to run Google Cloud Functions (GCF) and Google App Engine (GAE), and by default it holds the Project Editor role. Adjust its permissions as needed, but make sure this service account retains the following:
  - Can read the private key file of the Trigger service account from the GCS location
  - Has the Logging.LogsWriter permission
- The Trigger Token bucket must be secured. The Trigger service account must be able to create objects in this bucket.
- Project owner should restrict who can create and run GCF.
- Project owner should restrict who can create GAE.
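The permission matrix from the prerequisites and recommendations above, as an added example script (not Potens.io tooling): a pure planning function lists every binding the setup needs, so it can be reviewed before an apply function runs it with gcloud/gsutil. Project name, service-account e-mails and bucket names are placeholders; the role names chosen for "can create GCF" and Logging.LogsWriter are this example's assumptions, and it assumes the p12 key lives in a bucket of its own.

```shell
#!/usr/bin/env sh
# Added example, not part of the Magnus documentation. Emits and applies the
# least-privilege IAM bindings for Workflow Triggers on Google Cloud.
set -eu

# Print one "<role> <resource> <member>" line per required binding.
# Runs no cloud commands, so the plan can be inspected or tested first.
# Args: project trigger_sa_email key_bucket source_bucket token_bucket
trigger_iam_plan() {
  local project="$1" trigger_sa="$2" key_bucket="$3" src_bucket="$4" token_bucket="$5"
  local gcf_sa="${project}@appspot.gserviceaccount.com"
  # Google-owned GCF/GAE runtime account: read the p12 key and write logs.
  # Keeping the key in a dedicated bucket means the read grant covers nothing else.
  printf '%s %s %s\n' roles/storage.objectViewer "gs://$key_bucket" "serviceAccount:$gcf_sa"
  printf '%s %s %s\n' roles/logging.logWriter "projects/$project" "serviceAccount:$gcf_sa"
  # Trigger service account: deploy functions (assumed role), act as the runtime
  # account a deploy needs, and create objects in its two buckets; nothing broader.
  printf '%s %s %s\n' roles/cloudfunctions.developer "projects/$project" "serviceAccount:$trigger_sa"
  printf '%s %s %s\n' roles/iam.serviceAccountUser "serviceAccounts/$gcf_sa" "serviceAccount:$trigger_sa"
  printf '%s %s %s\n' roles/storage.objectCreator "gs://$src_bucket" "serviceAccount:$trigger_sa"
  printf '%s %s %s\n' roles/storage.objectCreator "gs://$token_bucket" "serviceAccount:$trigger_sa"
}

# Apply each planned binding with the CLI appropriate to the resource type.
trigger_iam_apply() {
  trigger_iam_plan "$@" | while read -r role resource member; do
    case "$resource" in
      projects/*)
        gcloud projects add-iam-policy-binding "${resource#projects/}" \
          --member="$member" --role="$role" ;;
      serviceAccounts/*)
        gcloud iam service-accounts add-iam-policy-binding "${resource#serviceAccounts/}" \
          --member="$member" --role="$role" ;;
      gs://*)
        gsutil iam ch "$member:$role" "$resource" ;;
    esac
  done
}

# Usage: review the plan, then apply it with the same arguments.
#   trigger_iam_plan  my-gcf-project trigger@my-gcf-project.iam.gserviceaccount.com key-bkt src-bkt tok-bkt
#   trigger_iam_apply my-gcf-project trigger@my-gcf-project.iam.gserviceaccount.com key-bkt src-bkt tok-bkt
```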