0
votes

From this document, I want to create the same thing with Terraform.

https://cloud.google.com/run/docs/tutorials/pubsub

gcloud pubsub subscriptions create myRunSubscription --topic myRunTopic \
   --push-endpoint=SERVICE-URL/ \
   --push-auth-service-account=cloud-run-pubsub-invoker@PROJECT_ID.iam.gserviceaccount.com

Terraform's main.tf

resource "google_pubsub_subscription" "my_task" {
  name  = "my-task-subscription"
  topic = google_pubsub_topic.my_task.name

  ack_deadline_seconds = 20

  push_config {
    push_endpoint = var.push_endpoint
  }

  dead_letter_policy {
    dead_letter_topic = "[email protected]"
  }
}

terraform apply

  # module.pubsub.google_pubsub_subscription.my_task will be created
  + resource "google_pubsub_subscription" "my_task" {
      + ack_deadline_seconds       = 20
      + id                         = (known after apply)
      + message_retention_duration = "604800s"
      + name                       = "my-task-subscription"
      + path                       = (known after apply)
      + project                    = (known after apply)
      + topic                      = "MyTask"

      + dead_letter_policy {
          + dead_letter_topic = "[email protected]"
        }

      + expiration_policy {
          + ttl = (known after apply)
        }

      + push_config {
          + push_endpoint = "https://an-endpoint.com"
        }
    }

Got error:

Error: Error creating Subscription: googleapi: Error 400: Invalid resource name given ([email protected]). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information.

From the Terraform documentation, dead_letter_policy is related to the Pub/Sub service account: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription#dead_letter_policy

But why doesn't it work? And how do I set --push-auth-service-account the way the official Google documentation does?

2
Have you set your IAM subscription policies using pubsub_subscription_iam? - Marcin

2 Answers

3
votes

Your problem is here:

  dead_letter_policy {
    dead_letter_topic = "[email protected]"
  }

You are trying to assign a service account identity to dead_letter_topic. That is incorrect.

Instead use something like this to create a topic:

resource "google_pubsub_topic" "example_dead_letter" {
  name = "example-topic-dead-letter"
}

Or this to reference an existing topic:

data "google_pubsub_topic" "example_dead_letter" {
  name = "example-topic-dead-letter"
}

and then use that resource like this:

  dead_letter_policy {
    dead_letter_topic = google_pubsub_topic.example_dead_letter.id
  }

1
votes

The Terraform document you linked says the following.

The Cloud Pub/Sub service account associated with this subscription's parent project (i.e., service-{project_number}@gcp-sa-pubsub.iam.gserviceaccount.com) must have permission to Acknowledge() messages on this subscription.

It seems that the service account you use for the dead letter policy doesn't have the appropriate permission to acknowledge messages.

According to the IAM documentation, it needs at least the Pub/Sub Subscriber role to acknowledge messages.

Refer here to get more info about pubsub roles.