Add cloud-run push subscription

Author: q2w

examples/push_subscription-separate-pub-sub/README.md

@@ -0,0 +1,35 @@
+# Simple Example
+
+This example illustrates how to use the `pub` and `sub` module.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project\_id | The project ID to manage the Pub/Sub resources | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| project\_id | The project ID |
+| topic\_labels | The labels of the Pub/Sub topic created |
+| topic\_name | The name of the Pub/Sub topic created |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Requirements
+
+The following sections describe the requirements which must be met in
+order to invoke this example. The requirements of the
+[root module][root-module-requirements] must be met.
+
+## Usage
+
+To provision this example, populate `terraform.tfvars` with the [required variables](#inputs) and run the following commands within
+this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/push_subscription-separate-pub-sub/main.tf

@@ -0,0 +1,55 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "pub" {
+  source  = "terraform-google-modules/pubsub/google//modules/pub"
+  version = "~> 7.0"
+
+  project_id = var.project_id
+  topic      = "cft-tf-pub-topic-cr-push"
+  topic_labels = {
+    foo_label = "foo_value"
+    bar_label = "bar_value"
+  }
+}
+
+module "sub" {
+  source  = "terraform-google-modules/pubsub/google//modules/sub"
+  version = "~> 7.0"
+
+  project_id = var.project_id
+  topic      = module.pub.topic
+
+  push_subscriptions = [
+    {
+      name                       = module.cloud-run.service_name
+      push_endpoint              = module.cloud-run.service_uri
+      oidc_service_account_email = module.cloud-run.service_account_id.email
+    },
+  ]
+}
+
+module "cloud-run" {
+  source                        = "GoogleCloudPlatform/cloud-run/google//modules/v2"
+  version                       = "~> 0.17"
+  project_id                    = var.project_id
+  location                      = "us-central1"
+  service_name                  = "cr-service"
+  containers                    = [{ "container_name" = "", "container_image" = "gcr.io/design-center-container-repo/pubsub-cr-push:latest-1703" }]
+  service_account_project_roles = ["roles/run.invoker"]
+  members                       = ["allUsers"]
+  cloud_run_deletion_protection = false
+}

examples/push_subscription-separate-pub-sub/outputs.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "project_id" {
+  value       = var.project_id
+  description = "The project ID"
+}
+
+output "topic_name" {
+  value       = module.pub.topic
+  description = "The name of the Pub/Sub topic created"
+}
+
+output "topic_labels" {
+  value       = module.pub.topic_labels
+  description = "The labels of the Pub/Sub topic created"
+}

examples/push_subscription-separate-pub-sub/variables.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  type        = string
+  description = "The project ID to manage the Pub/Sub resources"
+}

metadata.yaml

@@ -46,6 +46,8 @@ spec:
         location: examples/cloud_storage-separate-pub-sub
       - name: kms
         location: examples/kms
+      - name: push_subscription-separate-pub-sub
+        location: examples/push_subscription-separate-pub-sub
       - name: simple
         location: examples/simple
       - name: simple-separate-pub-sub
@@ -243,12 +245,18 @@ spec:
           - roles/resourcemanager.projectIamAdmin
           - roles/bigquery.admin
           - roles/storage.admin
+          - roles/run.admin
+          - roles/iam.serviceAccountAdmin
+          - roles/iam.serviceAccountUser
+          - roles/resourcemanager.projectIamAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - pubsub.googleapis.com
       - serviceusage.googleapis.com
       - bigquery.googleapis.com
       - storage.googleapis.com
+      - run.googleapis.com
+      - iam.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 6.2, < 7"

modules/pub/metadata.yaml

@@ -42,6 +42,8 @@ spec:
         location: examples/cloud_storage-separate-pub-sub
       - name: kms
         location: examples/kms
+      - name: push_subscription-separate-pub-sub
+        location: examples/push_subscription-separate-pub-sub
       - name: simple
         location: examples/simple
       - name: simple-separate-pub-sub
@@ -102,12 +104,18 @@ spec:
           - roles/resourcemanager.projectIamAdmin
           - roles/bigquery.admin
           - roles/storage.admin
+          - roles/run.admin
+          - roles/iam.serviceAccountAdmin
+          - roles/iam.serviceAccountUser
+          - roles/resourcemanager.projectIamAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - pubsub.googleapis.com
       - serviceusage.googleapis.com
       - bigquery.googleapis.com
       - storage.googleapis.com
+      - run.googleapis.com
+      - iam.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 6.2, < 7"

modules/sub/metadata.yaml

@@ -42,6 +42,8 @@ spec:
         location: examples/cloud_storage-separate-pub-sub
       - name: kms
         location: examples/kms
+      - name: push_subscription-separate-pub-sub
+        location: examples/push_subscription-separate-pub-sub
       - name: simple
         location: examples/simple
       - name: simple-separate-pub-sub
@@ -58,6 +60,12 @@ spec:
         description: The Pub/Sub topic name.
         varType: string
         required: true
+        connections:
+          - source:
+              source: github.com/terraform-google-modules/terraform-google-pubsub//modules/pub
+              version: ">= 7.0.0"
+            spec:
+              outputExpr: topic
       - name: create_subscriptions
         description: Specify true if you want to create subscriptions.
         varType: bool
@@ -83,6 +91,12 @@ spec:
               enable_message_ordering    = optional(bool),
             }))
         defaultValue: []
+        connections:
+          - source:
+              source: github.com/GoogleCloudPlatform/terraform-google-cloud-run//modules/v2
+              version: ">= 0.13"
+            spec:
+              outputExpr: "{ \"name\": service_name, \"push_endpoint\": service_uri, \"oidc_service_account_email\": service_account_id.email }"
       - name: pull_subscriptions
         description: The list of the pull subscriptions.
         varType: |-
@@ -123,6 +137,12 @@ spec:
               minimum_backoff            = optional(string)
             }))
         defaultValue: []
+        connections:
+          - source:
+              source: github.com/terraform-google-modules/terraform-google-bigquery
+              version: ">= 10.0.0"
+            spec:
+              outputExpr: "{ \"name\": external_table_ids[0], \"table\": external_table_ids[0]}"
       - name: cloud_storage_subscriptions
         description: The list of the Cloud Storage push subscriptions.
         varType: |-
@@ -149,6 +169,12 @@ spec:
               minimum_backoff            = optional(string)
             }))
         defaultValue: []
+        connections:
+          - source:
+              source: github.com/terraform-google-modules/terraform-google-cloud-storage//modules/simple_bucket
+              version: ">= 9.0.1"
+            spec:
+              outputExpr: "{ \"name\": name, \"bucket\": name}"
       - name: subscription_labels
         description: A map of labels to assign to every Pub/Sub subscription.
         varType: map(string)
@@ -174,12 +200,18 @@ spec:
           - roles/resourcemanager.projectIamAdmin
           - roles/bigquery.admin
           - roles/storage.admin
+          - roles/run.admin
+          - roles/iam.serviceAccountAdmin
+          - roles/iam.serviceAccountUser
+          - roles/resourcemanager.projectIamAdmin
     services:
       - cloudresourcemanager.googleapis.com
       - pubsub.googleapis.com
       - serviceusage.googleapis.com
       - bigquery.googleapis.com
       - storage.googleapis.com
+      - run.googleapis.com
+      - iam.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 6.2, < 7"

test/integration/push_subscription-separate-pub-sub/push_subscription_separate_pub_sub_test.go

@@ -0,0 +1,60 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package push_subscription_separate_pub_sub
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
+	"github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPushSubscriptionSeparatePubSub(t *testing.T) {
+	bpt := tft.NewTFBlueprintTest(t)
+
+	bpt.DefineVerify(func(assert *assert.Assertions) {
+		bpt.DefaultVerify(assert)
+
+		projectId := bpt.GetStringOutput("project_id")
+
+		op := gcloud.Runf(t, "pubsub topics describe cft-tf-pub-topic --project=%s", projectId)
+		assert.Equal(fmt.Sprintf("projects/%s/topics/cft-tf-pub-topic", projectId), op.Get("name").String(), "has expected name")
+		assert.Equal("bar_value", op.Get("labels.bar_label").String(), "has expected labels")
+		assert.Equal("foo_value", op.Get("labels.foo_label").String(), "has expected labels")
+
+		op = gcloud.Runf(t, "pubsub subscriptions describe cr-service --project=%s", projectId)
+		assert.Equal(fmt.Sprintf("projects/%s/subscriptions/cr-service", projectId), op.Get("name").String(), "has expected name")
+		assert.Equal(fmt.Sprintf("projects/%s/topics/cft-tf-pub-topic", projectId), op.Get("topic").String(), "has expected topic")
+		// Publish a test message
+		message := "Hello Runner!"
+		publishCmd := fmt.Sprintf("pubsub topics publish cft-tf-pub-topic --message='%s' --project=%s", message, projectId)
+		gcloud.Runf(t, publishCmd)
+
+		// Wait for a short time to allow the message to be processed. Adjust if necessary.
+		time.Sleep(30 * time.Second)
+
+		// Check Cloud Run logs for the message
+		logCmd := fmt.Sprintf("logging read \"resource.type=cloud_run_revision AND resource.labels.service_name=run-service AND textPayload:\\\"%s\\\"\" --project=%s --limit=1", message, projectId)
+		logOp := gcloud.Runf(t, logCmd)
+
+		// Assert that the log entry is found
+		assert.Contains(logOp.String(), message, "Cloud Run logs should contain the published message")
+	})
+
+	bpt.Test()
+}

test/setup/iam.tf

@@ -19,7 +19,11 @@ locals {
     "roles/pubsub.admin",
     "roles/resourcemanager.projectIamAdmin",
     "roles/bigquery.admin",
-    "roles/storage.admin"
+    "roles/storage.admin",
+    "roles/run.admin",
+    "roles/iam.serviceAccountAdmin",
+    "roles/iam.serviceAccountUser",
+    "roles/resourcemanager.projectIamAdmin"
   ]
 }
 

test/setup/main.tf

@@ -29,6 +29,8 @@ module "project-ci-int-pubsub" {
     "pubsub.googleapis.com",
     "serviceusage.googleapis.com",
     "bigquery.googleapis.com",
-    "storage.googleapis.com"
+    "storage.googleapis.com",
+    "run.googleapis.com",
+    "iam.googleapis.com"
   ]
 }