feat: Add Pub/Sub Subscription support for specifying a service accou…

…nt (GoogleCloudPlatform#10967)
BBBmau · Jun 24, 2024 · 11cf99c · 11cf99c
1 parent 16bbdd4
commit 11cf99c
Show file tree

Hide file tree

Showing 4 changed files with 286 additions and 13 deletions.
diff --git a/mmv1/products/pubsub/Subscription.yaml b/mmv1/products/pubsub/Subscription.yaml
@@ -64,6 +64,15 @@ examples:
       subscription_name: 'example-subscription'
       dataset_id: 'example_dataset'
       table_id: 'example_table'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'pubsub_subscription_push_bq_service_account'
+    primary_resource_id: 'example'
+    vars:
+      topic_name: 'example-topic'
+      subscription_name: 'example-subscription'
+      dataset_id: 'example_dataset'
+      table_id: 'example_table'
+      service_account_id: 'example-bqw'
   - !ruby/object:Provider::Terraform::Examples
     name: 'pubsub_subscription_push_cloudstorage'
     primary_resource_id: 'example'
@@ -78,6 +87,14 @@ examples:
       topic_name: 'example-topic'
       subscription_name: 'example-subscription'
       bucket_name: 'example-bucket'
+  - !ruby/object:Provider::Terraform::Examples
+    name: 'pubsub_subscription_push_cloudstorage_service_account'
+    primary_resource_id: 'example'
+    vars:
+      topic_name: 'example-topic'
+      subscription_name: 'example-subscription'
+      bucket_name: 'example-bucket'
+      service_account_id: 'example-stw'
 docs: !ruby/object:Provider::Terraform::Docs
   note: |
     You can retrieve the email of the Google Managed Pub/Sub Service Account used for forwarding
@@ -150,6 +167,12 @@ properties:
           When true and use_topic_schema or use_table_schema is true, any fields that are a part of the topic schema or message schema that
           are not part of the BigQuery table schema are dropped when writing to BigQuery. Otherwise, the schemas must be kept in sync
           and any messages with extra fields are not written and remain in the subscription's backlog.
+      - !ruby/object:Api::Type::String
+        name: 'serviceAccountEmail'
+        description: |
+          The service account to use to write to BigQuery. If not specified, the Pub/Sub
+          [service agent](https://cloud.google.com/iam/docs/service-agents),
+          service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com, is used.
   - !ruby/object:Api::Type::NestedObject
     name: 'cloudStorageConfig'
     conflicts:
@@ -207,6 +230,12 @@ properties:
             name: 'writeMetadata'
             description: |
               When true, write the subscription name, messageId, publishTime, attributes, and orderingKey as additional fields in the output.
+      - !ruby/object:Api::Type::String
+        name: 'serviceAccountEmail'
+        description: |
+          The service account to use to write to Cloud Storage. If not specified, the Pub/Sub
+          [service agent](https://cloud.google.com/iam/docs/service-agents),
+          service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com, is used.
   - !ruby/object:Api::Type::NestedObject
     name: 'pushConfig'
     conflicts:

diff --git a/mmv1/templates/terraform/examples/pubsub_subscription_push_bq_service_account.tf.erb b/mmv1/templates/terraform/examples/pubsub_subscription_push_bq_service_account.tf.erb
@@ -0,0 +1,56 @@
+resource "google_pubsub_topic" "<%= ctx[:primary_resource_id] %>" {
+  name = "<%= ctx[:vars]['topic_name'] %>"
+}
+
+resource "google_pubsub_subscription" "<%= ctx[:primary_resource_id] %>" {
+  name  = "<%= ctx[:vars]['subscription_name'] %>"
+  topic = google_pubsub_topic.<%= ctx[:primary_resource_id] %>.id
+
+  bigquery_config {
+    table = "${google_bigquery_table.test.project}.${google_bigquery_table.test.dataset_id}.${google_bigquery_table.test.table_id}"
+    service_account_email = google_service_account.bq_write_service_account.email
+  }
+
+  depends_on = [google_service_account.bq_write_service_account, google_project_iam_member.viewer, google_project_iam_member.editor]
+}
+
+data "google_project" "project" {
+}
+
+resource "google_service_account" "bq_write_service_account" {
+  account_id = "<%= ctx[:vars]['service_account_id'] %>"
+  display_name = "BQ Write Service Account"
+}
+
+resource "google_project_iam_member" "viewer" {
+  project = data.google_project.project.project_id
+  role   = "roles/bigquery.metadataViewer"
+  member = "serviceAccount:${google_service_account.bq_write_service_account.email}"
+}
+
+resource "google_project_iam_member" "editor" {
+  project = data.google_project.project.project_id
+  role   = "roles/bigquery.dataEditor"
+  member = "serviceAccount:${google_service_account.bq_write_service_account.email}"
+}
+
+resource "google_bigquery_dataset" "test" {
+  dataset_id = "<%= ctx[:vars]['dataset_id'] %>"
+}
+
+resource "google_bigquery_table" "test" {
+  deletion_protection = false
+  table_id   = "<%= ctx[:vars]['table_id'] %>"
+  dataset_id = google_bigquery_dataset.test.dataset_id
+
+  schema = <<EOF
+[
+  {
+    "name": "data",
+    "type": "STRING",
+    "mode": "NULLABLE",
+    "description": "The data"
+  }
+]
+EOF
+}
diff --git a/...templates/terraform/examples/pubsub_subscription_push_cloudstorage_service_account.tf.erb b/...templates/terraform/examples/pubsub_subscription_push_cloudstorage_service_account.tf.erb
@@ -0,0 +1,46 @@
+resource "google_storage_bucket" "<%= ctx[:primary_resource_id] %>" {
+  name  = "<%= ctx[:vars]['bucket_name'] %>"
+  location = "US"
+  uniform_bucket_level_access = true
+}
+
+resource "google_pubsub_topic" "<%= ctx[:primary_resource_id] %>" {
+  name = "<%= ctx[:vars]['topic_name'] %>"
+}
+
+resource "google_pubsub_subscription" "<%= ctx[:primary_resource_id] %>" {
+  name  = "<%= ctx[:vars]['subscription_name'] %>"
+  topic = google_pubsub_topic.<%= ctx[:primary_resource_id] %>.id
+
+  cloud_storage_config {
+    bucket = google_storage_bucket.<%= ctx[:primary_resource_id] %>.name
+
+    filename_prefix = "pre-"
+    filename_suffix = "-%{random_suffix}"
+    filename_datetime_format = "YYYY-MM-DD/hh_mm_ssZ"
+
+    max_bytes = 1000
+    max_duration = "300s"
+
+    service_account_email = google_service_account.storage_write_service_account.email
+  }
+  depends_on = [
+    google_service_account.storage_write_service_account,
+    google_storage_bucket.<%= ctx[:primary_resource_id] %>,
+    google_storage_bucket_iam_member.admin,
+  ]
+}
+
+data "google_project" "project" {
+}
+
+resource "google_service_account" "storage_write_service_account" {
+  account_id = "<%= ctx[:vars]['service_account_id'] %>"
+  display_name = "Storage Write Service Account"
+}
+
+resource "google_storage_bucket_iam_member" "admin" {
+  bucket = google_storage_bucket.<%= ctx[:primary_resource_id] %>.name
+  role   = "roles/storage.admin"
+  member = "serviceAccount:${google_service_account.storage_write_service_account.email}"
+}