Example for pubsub subscription oidcToken (with CloudRun)
tmshn committed Aug 14, 2019
1 parent 909b964 commit ff275d1
Showing 2 changed files with 77 additions and 0 deletions.
10 changes: 10 additions & 0 deletions products/pubsub/terraform.yaml
Expand Up @@ -63,6 +63,16 @@ overrides: !ruby/object:Overrides::ResourceOverrides
topic_project: "topic-project"
subscription_name: "example-subscription"
subscription_project: "subscription-project"
- !ruby/object:Provider::Terraform::Examples
name: "pubsub_subscription_push_with_service_account"
primary_resource_id: "example"
skip_test: true
vars:
cloudrun_name: "example-cloudrun"
cloudrun_region: "us-central1"
topic_name: "example-topic"
service_account_id: "example-service-account"
subscription_name: "example-subscription"
docs: !ruby/object:Provider::Terraform::Docs
attributes: |
* `path`: Path of the subscription in the format `projects/{project}/subscriptions/{name}`
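Review bot: The new example sets `skip_test: true` with no stated reason, so a reader of this override cannot tell whether the example is known-broken or just slow, and nothing will flag it when the blocker is removed. The example template this entry points at uses a placeholder push endpoint because the Cloud Run URL is not yet exposed, which is presumably the reason; record it next to the flag, e.g. `skip_test: true  # push_endpoint is a placeholder until the Cloud Run status.url is exposed`. Since an untested example is also what ends up in the generated docs, the comment should name the condition under which the flag can be dropped.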
@@ -0,0 +1,67 @@
data "google_project" "current" {}

# ------------------
# CloudRun
# ------------------
resource "google_cloud_run_service" "<%= ctx[:primary_resource_id] %>" {
name = "<%= ctx[:vars]['cloudrun_name'] %>"
location = "<%= ctx[:vars]['cloudrun_region'] %>"
provider = "google-beta"

metadata {
namespace = "${google_project.current.name}"
}

spec {
containers {
image = "gcr.io/cloudrun/hello"
}
}
}

# -------------
# Cloud Pub/Sub
# -------------
resource "google_pubsub_topic" "<%= ctx[:primary_resource_id] %>" {
name = "<%= ctx[:vars]['topic_name'] %>"
}

resource "google_project_iam_member" "pubsub_sa_token_creator" {
role = "roles/iam.serviceAccountTokenCreator"
member = "serviceAccount:service-${google_project.current.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
}

resource "google_service_account" "<%= ctx[:primary_resource_id] %>" {
account_id = "<%= ctx[:vars]['service_account_id'] %>"
}

# TODO: grant role only to the CloudRun service rather than project wide.
# (CloudRun service iam policy is not implemented on the Terraform yet)
# ```
# gcloud beta run services add-iam-policy-binding "${google_cloud_run_service.<%= ctx[:primary_resource_id] %>.name}" \
# --member="serviceAccount:${google_service_account.<%= ctx[:primary_resource_id] %>.email}" \
# --role=roles/run.invoker
# ```
resource "google_project_iam_member" "<%= ctx[:primary_resource_id] %>_run_invoker" {
role = "roles/run.invoker"
member = "serviceAccount:${google_service_account.<%= ctx[:primary_resource_id] %>.email}"
}

resource "google_pubsub_subscription" "<%= ctx[:primary_resource_id] %>" {
name = "<%= ctx[:vars]['subscription_name'] %>"
topic = "${google_pubsub_topic.<%= ctx[:primary_resource_id] %>.name}"

push_config {
# TODO: this must be CloudRun's url, which is not currently exposed on the Terraform
# push_endpoint = "${google_cloud_run_service.<%= ctx[:primary_resource_id] %>.status.url}"
push_endpoint = "https://example.com/push"

attributes {
x-goog-version = "v1"
}

oidcToken {
serviceAccountEmail = "${google_service_account.<%= ctx[:primary_resource_id] %>.email}"
}
}
}
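Review bot: The `roles/iam.serviceAccountTokenCreator` grant near the top of the file is project-wide, which lets the Pub/Sub service agent mint OIDC tokens as every service account in the project rather than only the push identity created below; bind it on that single service account with `google_service_account_iam_member` instead (below), which is the same scoping the TODO already asks for on `roles/run.invoker`. Separately, `${google_project.current.number}` and `${google_project.current.name}` reference a managed `google_project` resource, but the file only declares `data "google_project" "current"`, so these must be `data.google_project.current.number` (and for the Cloud Run namespace most likely `data.google_project.current.project_id`, since `name` is the display name — worth confirming). The placeholder `push_endpoint = "https://example.com/push"` will receive a bearer OIDC token for the service account on every delivery if this example is applied as-is, so the comment above it should say so explicitly, e.g. `# Placeholder: the OIDC token for the service account is sent to whatever host this names; replace with the Cloud Run URL before use.` If the generator emits snake_case field names for this resource, `oidcToken { serviceAccountEmail = ... }` would need to be `oidc_token { service_account_email = ... }`; I cannot confirm the generated naming from this page.
```hcl
# … unchanged: google_project data source, Cloud Run service, topic, service account …

# Scope token minting to the single push identity instead of every
# service account in the project.
resource "google_service_account_iam_member" "pubsub_sa_token_creator" {
  service_account_id = "${google_service_account.<%= ctx[:primary_resource_id] %>.name}"
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:service-${data.google_project.current.number}@gcp-sa-pubsub.iam.gserviceaccount.com"
}

# … unchanged: run.invoker binding, subscription …
```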
