Add cloud-run push subscription

Author: q2w

examples/push_subscription-separate-pub-sub/README.md

@@ -0,0 +1,35 @@
+# Simple Example
+
+This example illustrates how to use the `pub` and `sub` module.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project\_id | The project ID to manage the Pub/Sub resources | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| project\_id | The project ID |
+| topic\_labels | The labels of the Pub/Sub topic created |
+| topic\_name | The name of the Pub/Sub topic created |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Requirements
+
+The following sections describe the requirements which must be met in
+order to invoke this example. The requirements of the
+[root module][root-module-requirements] must be met.
+
+## Usage
+
+To provision this example, populate `terraform.tfvars` with the [required variables](#inputs) and run the following commands within
+this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/push_subscription-separate-pub-sub/main.tf

@@ -0,0 +1,55 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "pub" {
+  source  = "terraform-google-modules/pubsub/google//modules/pub"
+  version = "~> 7.0"
+
+  project_id = var.project_id
+  topic      = "cft-tf-pub-topic-cr-push"
+  topic_labels = {
+    foo_label = "foo_value"
+    bar_label = "bar_value"
+  }
+}
+
+module "sub" {
+  source  = "terraform-google-modules/pubsub/google//modules/sub"
+  version = "~> 7.0"
+
+  project_id = var.project_id
+  topic      = module.pub.topic
+
+  push_subscriptions = [
+    {
+      name                       = module.cloud-run.service_name
+      push_endpoint              = module.cloud-run.service_uri
+      oidc_service_account_email = module.cloud-run.service_account_id.email
+    },
+  ]
+}
+
+module "cloud-run" {
+  source                        = "GoogleCloudPlatform/cloud-run/google//modules/v2"
+  version                       = "~> 0.17"
+  project_id                    = var.project_id
+  location                      = "us-central1"
+  service_name                  = "cr-service"
+  containers                    = [{ "container_name" = "", "container_image" = "gcr.io/design-center-container-repo/pubsub-cr-push:latest-1703" }]
+  service_account_project_roles = ["roles/run.invoker"]
+  members                       = ["allUsers"]
+  cloud_run_deletion_protection = false
+}

examples/push_subscription-separate-pub-sub/outputs.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "project_id" {
+  value       = var.project_id
+  description = "The project ID"
+}
+
+output "topic_name" {
+  value       = module.pub.topic
+  description = "The name of the Pub/Sub topic created"
+}
+
+output "topic_labels" {
+  value       = module.pub.topic_labels
+  description = "The labels of the Pub/Sub topic created"
+}

examples/push_subscription-separate-pub-sub/variables.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  type        = string
+  description = "The project ID to manage the Pub/Sub resources"
+}

metadata.yaml

@@ -46,6 +46,8 @@ spec:
         location: examples/cloud_storage-separate-pub-sub
       - name: kms
         location: examples/kms
+      - name: push_subscription-separate-pub-sub
+        location: examples/push_subscription-separate-pub-sub
       - name: simple
         location: examples/simple
       - name: simple-separate-pub-sub
@@ -243,12 +245,19 @@ spec:
           - roles/resourcemanager.projectIamAdmin
           - roles/bigquery.admin
           - roles/storage.admin
+          - roles/run.admin
+          - roles/iam.serviceAccountAdmin
+          - roles/iam.serviceAccountUser
+          - roles/resourcemanager.projectIamAdmin
+          - roles/logging.viewer
     services:
       - cloudresourcemanager.googleapis.com
       - pubsub.googleapis.com
       - serviceusage.googleapis.com
       - bigquery.googleapis.com
       - storage.googleapis.com
+      - run.googleapis.com
+      - iam.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 6.2, < 7"

modules/pub/README.md

@@ -41,6 +41,7 @@ module "pub" {
 |------|-------------|------|---------|:--------:|
 | message\_storage\_policy | A map of storage policies. Default - inherit from organization's Resource Location Restriction policy. | `map(any)` | `{}` | no |
 | project\_id | The project ID to manage the Pub/Sub resources. | `string` | n/a | yes |
+| publisher\_service\_accounts | Service account email which required roles/pubsub.publisher role. | <pre>list(object({<br>    id              = string<br>    service_account = string<br>  }))</pre> | `[]` | no |
 | schema | Schema for the topic. | <pre>object({<br>    name       = string<br>    type       = string<br>    definition = string<br>    encoding   = string<br>  })</pre> | `null` | no |
 | topic | The Pub/Sub topic name. | `string` | n/a | yes |
 | topic\_kms\_key\_name | The resource name of the Cloud KMS CryptoKey to be used to protect access to messages published on this topic. | `string` | `null` | no |

modules/pub/main.tf

@@ -45,3 +45,12 @@ resource "google_pubsub_topic" "topic" {
   }
   depends_on = [google_pubsub_schema.schema]
 }
+
+resource "google_pubsub_topic_iam_member" "sa_binding_publisher" {
+  for_each = { for i in var.publisher_service_accounts : i.id => i if i.service_account != null }
+
+  project = var.project_id
+  topic   = var.topic
+  role    = "roles/pubsub.publisher"
+  member  = "serviceAccount:${each.value.service_account}"
+}

modules/pub/metadata.display.yaml

@@ -37,6 +37,9 @@ spec:
         project_id:
           name: project_id
           title: Project Id
+        publisher_service_accounts:
+          name: publisher_service_accounts
+          title: Publisher Service Accounts
         schema:
           name: schema
           title: Schema

modules/pub/metadata.yaml

@@ -42,6 +42,8 @@ spec:
         location: examples/cloud_storage-separate-pub-sub
       - name: kms
         location: examples/kms
+      - name: push_subscription-separate-pub-sub
+        location: examples/push_subscription-separate-pub-sub
       - name: simple
         location: examples/simple
       - name: simple-separate-pub-sub
@@ -81,6 +83,20 @@ spec:
               definition = string
               encoding   = string
             })
+      - name: publisher_service_accounts
+        description: Service account email which required roles/pubsub.publisher role.
+        varType: |-
+          list(object({
+              id              = string
+              service_account = string
+            }))
+        defaultValue: []
+        connections:
+          - source:
+              source: github.com/GoogleCloudPlatform/terraform-google-cloud-run//modules/v2
+              version: ">= 0.13"
+            spec:
+              outputExpr: "{ \"id\": service_account_id.id, \"service_account\": service_account_id.email }"
     outputs:
       - name: id
         description: The ID of the Pub/Sub topic
@@ -98,12 +114,19 @@ spec:
           - roles/resourcemanager.projectIamAdmin
           - roles/bigquery.admin
           - roles/storage.admin
+          - roles/run.admin
+          - roles/iam.serviceAccountAdmin
+          - roles/iam.serviceAccountUser
+          - roles/resourcemanager.projectIamAdmin
+          - roles/logging.viewer
     services:
       - cloudresourcemanager.googleapis.com
       - pubsub.googleapis.com
       - serviceusage.googleapis.com
       - bigquery.googleapis.com
       - storage.googleapis.com
+      - run.googleapis.com
+      - iam.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 6.2, < 7"

modules/pub/variables.tf

@@ -58,3 +58,12 @@ variable "schema" {
   description = "Schema for the topic."
   default     = null
 }
+
+variable "publisher_service_accounts" {
+  type = list(object({
+    id              = string
+    service_account = string
+  }))
+  description = "Service account email which required roles/pubsub.publisher role."
+  default     = []
+}