chore: add test/example for push subscription with cloud-run

examples/push_subscription-separate-pub-sub/README.md

@@ -0,0 +1,35 @@
+# Simple Example
+
+This example illustrates how to use the `pub` and `sub` module.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project\_id | The project ID to manage the Pub/Sub resources | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| project\_id | The project ID |
+| topic\_labels | The labels of the Pub/Sub topic created |
+| topic\_name | The name of the Pub/Sub topic created |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Requirements
+
+The following sections describe the requirements which must be met in
+order to invoke this example. The requirements of the
+[root module][root-module-requirements] must be met.
+
+## Usage
+
+To provision this example, populate `terraform.tfvars` with the [required variables](#inputs) and run the following commands within
+this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/push_subscription-separate-pub-sub/main.tf

@@ -0,0 +1,55 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "pub" {
+  source  = "terraform-google-modules/pubsub/google//modules/pub"
+  version = "~> 7.0"
+
+  project_id = var.project_id
+  topic      = "cft-tf-pub-topic-cr-push"
+  topic_labels = {
+    foo_label = "foo_value"
+    bar_label = "bar_value"
+  }
+}
+
+module "sub" {
+  source  = "terraform-google-modules/pubsub/google//modules/sub"
+  version = "~> 7.0"
+
+  project_id = var.project_id
+  topic      = module.pub.topic
+
+  push_subscriptions = [
+    {
+      name                       = module.cloud-run.service_name
+      push_endpoint              = module.cloud-run.service_uri
+      oidc_service_account_email = module.cloud-run.service_account_id.email
+    },
+  ]
+}
+
+module "cloud-run" {
+  source                        = "GoogleCloudPlatform/cloud-run/google//modules/v2"
+  version                       = "~> 0.17"
+  project_id                    = var.project_id
+  location                      = "us-central1"
+  service_name                  = "cr-service"
+  containers                    = [{ "container_name" = "", "container_image" = "gcr.io/design-center-container-repo/pubsub-cr-push:latest-1703" }]
+  service_account_project_roles = ["roles/run.invoker"]
+  members                       = ["allUsers"]
+  cloud_run_deletion_protection = false
+}

examples/push_subscription-separate-pub-sub/outputs.tf

@@ -0,0 +1,30 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "project_id" {
+  value       = var.project_id
+  description = "The project ID"
+}
+
+output "topic_name" {
+  value       = module.pub.topic
+  description = "The name of the Pub/Sub topic created"
+}
+
+output "topic_labels" {
+  value       = module.pub.topic_labels
+  description = "The labels of the Pub/Sub topic created"
+}

examples/push_subscription-separate-pub-sub/variables.tf

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  type        = string
+  description = "The project ID to manage the Pub/Sub resources"
+}

metadata.yaml

@@ -46,6 +46,8 @@ spec:
         location: examples/cloud_storage-separate-pub-sub
       - name: kms
         location: examples/kms
+      - name: push_subscription-separate-pub-sub
+        location: examples/push_subscription-separate-pub-sub
       - name: simple
         location: examples/simple
       - name: simple-separate-pub-sub
@@ -166,12 +168,19 @@ spec:
           - roles/resourcemanager.projectIamAdmin
           - roles/bigquery.admin
           - roles/storage.admin
+          - roles/run.admin
+          - roles/iam.serviceAccountAdmin
+          - roles/iam.serviceAccountUser
+          - roles/resourcemanager.projectIamAdmin
+          - roles/logging.viewer
     services:
       - cloudresourcemanager.googleapis.com
       - pubsub.googleapis.com
       - serviceusage.googleapis.com
       - bigquery.googleapis.com
       - storage.googleapis.com
+      - run.googleapis.com
+      - iam.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 6.2, < 7"

modules/pub/README.md

@@ -41,6 +41,7 @@ module "pub" {
 |------|-------------|------|---------|:--------:|
 | message\_storage\_policy | A map of storage policies. Default - inherit from organization's Resource Location Restriction policy. | `map(any)` | `{}` | no |
 | project\_id | The project ID to manage the Pub/Sub resources. | `string` | n/a | yes |
+| publisher\_service\_accounts | Service account email which required roles/pubsub.publisher role. | <pre>list(object({<br>    id              = string<br>    service_account = string<br>  }))</pre> | `[]` | no |
 | schema | Schema for the topic. | <pre>object({<br>    name       = string<br>    type       = string<br>    definition = string<br>    encoding   = string<br>  })</pre> | `null` | no |
 | topic | The Pub/Sub topic name. | `string` | n/a | yes |
 | topic\_kms\_key\_name | The resource name of the Cloud KMS CryptoKey to be used to protect access to messages published on this topic. | `string` | `null` | no |

modules/pub/main.tf

@@ -45,3 +45,12 @@ resource "google_pubsub_topic" "topic" {
   }
   depends_on = [google_pubsub_schema.schema]
 }
+
+resource "google_pubsub_topic_iam_member" "sa_binding_publisher" {
+  for_each = { for i in var.publisher_service_accounts : i.id => i if i.service_account != null }
+
+  project = var.project_id
+  topic   = var.topic
+  role    = "roles/pubsub.publisher"
+  member  = "serviceAccount:${each.value.service_account}"
+}

modules/pub/metadata.display.yaml

@@ -37,6 +37,9 @@ spec:
         project_id:
           name: project_id
           title: Project Id
+        publisher_service_accounts:
+          name: publisher_service_accounts
+          title: Publisher Service Accounts
         schema:
           name: schema
           title: Schema

modules/pub/metadata.yaml

@@ -42,6 +42,8 @@ spec:
         location: examples/cloud_storage-separate-pub-sub
       - name: kms
         location: examples/kms
+      - name: push_subscription-separate-pub-sub
+        location: examples/push_subscription-separate-pub-sub
       - name: simple
         location: examples/simple
       - name: simple-separate-pub-sub
@@ -81,6 +83,25 @@ spec:
               definition = string
               encoding   = string
             })
+      - name: publisher_service_accounts
+        description: Service account email which required roles/pubsub.publisher role.
+        varType: |-
+          list(object({
+              id              = string
+              service_account = string
+            }))
+        defaultValue: []
+        connections:
+          - source:
+              source: github.com/GoogleCloudPlatform/terraform-google-cloud-run//modules/v2
+              version: ">= 0.13"
+            spec:
+              outputExpr: "{ \"id\": service_account_id.id, \"service_account\": service_account_id.email }"
+          - source:
+              source: github.com/terraform-google-modules/terraform-google-service-accounts//modules/simple-sa
+              version: ">= 4.4"
+            spec:
+              outputExpr: "{ \"id\": account_details.id, \"service_account\": account_details.email }"
     outputs:
       - name: id
         description: The ID of the Pub/Sub topic
@@ -98,12 +119,19 @@ spec:
           - roles/resourcemanager.projectIamAdmin
           - roles/bigquery.admin
           - roles/storage.admin
+          - roles/run.admin
+          - roles/iam.serviceAccountAdmin
+          - roles/iam.serviceAccountUser
+          - roles/resourcemanager.projectIamAdmin
+          - roles/logging.viewer
     services:
       - cloudresourcemanager.googleapis.com
       - pubsub.googleapis.com
       - serviceusage.googleapis.com
       - bigquery.googleapis.com
       - storage.googleapis.com
+      - run.googleapis.com
+      - iam.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 6.2, < 7"

modules/pub/variables.tf

@@ -58,3 +58,12 @@ variable "schema" {
   description = "Schema for the topic."
   default     = null
 }
+
+variable "publisher_service_accounts" {
+  type = list(object({
+    id              = string
+    service_account = string
+  }))
+  description = "Service account email which required roles/pubsub.publisher role."
+  default     = []
+}

modules/sub/README.md

@@ -71,6 +71,7 @@ module "sub" {
 
 | Name | Description |
 |------|-------------|
+| pull\_subscription\_env\_vars | Map of pull subscription IDs, keyed by project\_subscription name for environment variables. |
 | subscription\_names | The name list of Pub/Sub subscriptions |
 | subscription\_paths | The path list of Pub/Sub subscriptions |
 

modules/sub/metadata.yaml

@@ -42,6 +42,8 @@ spec:
         location: examples/cloud_storage-separate-pub-sub
       - name: kms
         location: examples/kms
+      - name: push_subscription-separate-pub-sub
+        location: examples/push_subscription-separate-pub-sub
       - name: simple
         location: examples/simple
       - name: simple-separate-pub-sub
@@ -58,6 +60,12 @@ spec:
         description: The Pub/Sub topic name.
         varType: string
         required: true
+        connections:
+          - source:
+              source: github.com/terraform-google-modules/terraform-google-pubsub//modules/pub
+              version: ">= 7.0.0"
+            spec:
+              outputExpr: topic
       - name: push_subscriptions
         description: The list of the push subscriptions.
         varType: |-
@@ -79,6 +87,12 @@ spec:
               enable_message_ordering    = optional(bool),
             }))
         defaultValue: []
+        connections:
+          - source:
+              source: github.com/GoogleCloudPlatform/terraform-google-cloud-run//modules/v2
+              version: ">= 0.13"
+            spec:
+              outputExpr: "{ \"name\": apphub_service_uri.service_id, \"push_endpoint\": service_uri, \"oidc_service_account_email\": service_account_id.email }"
       - name: pull_subscriptions
         description: The list of the pull subscriptions.
         varType: |-
@@ -98,6 +112,17 @@ spec:
               enable_exactly_once_delivery = optional(bool),
             }))
         defaultValue: []
+        connections:
+          - source:
+              source: github.com/GoogleCloudPlatform/terraform-google-cloud-run//modules/v2
+              version: ">= 0.13"
+            spec:
+              outputExpr: "{ \"name\": service_name, \"service_account\": service_account_id.email }"
+          - source:
+              source: github.com/terraform-google-modules/terraform-google-service-accounts//modules/simple-sa
+              version: ">= 4.4"
+            spec:
+              outputExpr: "{ \"name\": account_details.id, \"service_account\": account_details.email }"
       - name: bigquery_subscriptions
         description: The list of the Bigquery push subscriptions.
         varType: |-
@@ -119,6 +144,12 @@ spec:
               minimum_backoff            = optional(string)
             }))
         defaultValue: []
+        connections:
+          - source:
+              source: github.com/terraform-google-modules/terraform-google-bigquery
+              version: ">= 10.0.0"
+            spec:
+              outputExpr: "{ \"name\": external_table_ids[0], \"table\": external_table_ids[0]}"
       - name: cloud_storage_subscriptions
         description: The list of the Cloud Storage push subscriptions.
         varType: |-
@@ -145,6 +176,12 @@ spec:
               minimum_backoff            = optional(string)
             }))
         defaultValue: []
+        connections:
+          - source:
+              source: github.com/terraform-google-modules/terraform-google-cloud-storage//modules/simple_bucket
+              version: ">= 9.0.1"
+            spec:
+              outputExpr: "{ \"name\": name, \"bucket\": name}"
       - name: subscription_labels
         description: A map of labels to assign to every Pub/Sub subscription.
         varType: map(string)
@@ -158,6 +195,8 @@ spec:
         varType: bool
         defaultValue: true
     outputs:
+      - name: pull_subscription_env_vars
+        description: Map of pull subscription IDs, keyed by project_subscription name for environment variables.
       - name: subscription_names
         description: The name list of Pub/Sub subscriptions
       - name: subscription_paths
@@ -170,12 +209,19 @@ spec:
           - roles/resourcemanager.projectIamAdmin
           - roles/bigquery.admin
           - roles/storage.admin
+          - roles/run.admin
+          - roles/iam.serviceAccountAdmin
+          - roles/iam.serviceAccountUser
+          - roles/resourcemanager.projectIamAdmin
+          - roles/logging.viewer
     services:
       - cloudresourcemanager.googleapis.com
       - pubsub.googleapis.com
       - serviceusage.googleapis.com
       - bigquery.googleapis.com
       - storage.googleapis.com
+      - run.googleapis.com
+      - iam.googleapis.com
     providerVersions:
       - source: hashicorp/google
         version: ">= 6.2, < 7"

modules/sub/outputs.tf

@@ -36,3 +36,10 @@ output "subscription_paths" {
   description = "The path list of Pub/Sub subscriptions"
 }
 
+output "pull_subscription_env_vars" {
+  value = {
+    for k, v in google_pubsub_subscription.pull_subscriptions : replace(upper("${v.project}_${v.name}"), "-", "_") => v.id
+  }
+
+  description = "Map of pull subscription IDs, keyed by project_subscription name for environment variables."
+}