Creating Eventarc triggers with Terraform
Terraform is increasingly the preferred tool for building, changing, and versioning infrastructure in Google Cloud and across clouds. In an earlier post, Google showed how to create Eventarc triggers using Google Cloud Console or via the command line with gcloud. In this post, Google shows how to create the same triggers with the google_eventarc_trigger Terraform resource.
See eventarc-samples/terraform on GitHub for the prerequisites and main.tf for the full Terraform configuration.
Define a Cloud Run service as an event sink
Before you can create a trigger, you need to create a Cloud Run service as an event sink for the trigger. You can use Terraform’s google_cloud_run_service resource to define a Cloud Run service:
resource "google_cloud_run_service" "default" {
  name     = "cloudrun-hello-tf"
  location = var.region
  template {
    spec {
      containers {
        image = "gcr.io/cloudrun/hello"
      }
    }
  }
  traffic {
    percent         = 100
    latest_revision = true
  }
}
Define a Pub/Sub trigger
A Pub/Sub trigger connects a Pub/Sub topic to a Cloud Run service.
As a reminder, here’s how you can create a Pub/Sub trigger using gcloud:
gcloud eventarc triggers create trigger-pubsub \
  --destination-run-service=$SERVICE_NAME \
  --destination-run-region=$REGION \
  --event-filters="type=google.cloud.pubsub.topic.v1.messagePublished"
The same Pub/Sub trigger looks like this as a Terraform resource:
resource "google_eventarc_trigger" "trigger-pubsub-tf" {
  name     = "trigger-pubsub-tf"
  location = var.region
  matching_criteria {
    attribute = "type"
    value     = "google.cloud.pubsub.topic.v1.messagePublished"
  }
  destination {
    cloud_run_service {
      service = google_cloud_run_service.default.name
      region  = var.region
    }
  }
  depends_on = [google_project_service.eventarc]
}
Note: There’s a slight difference in how events are filtered in gcloud vs. Terraform. In gcloud, events are filtered with the --event-filters flag, whereas in Terraform, matching_criteria is used. This is for legacy reasons and hopefully will be corrected in the future.
Define an Audit Log trigger
An Audit Log trigger connects various Google Cloud services with Audit Logs to a Cloud Run service. Here’s what an Audit Log trigger for the Cloud Storage storage.object.create event looks like in Terraform:
resource "google_eventarc_trigger" "trigger-auditlog-tf" {
  name     = "trigger-auditlog-tf"
  location = var.region
  matching_criteria {
    attribute = "type"
    value     = "google.cloud.audit.log.v1.written"
  }
  matching_criteria {
    attribute = "serviceName"
    value     = "storage.googleapis.com"
  }
  matching_criteria {
    attribute = "methodName"
    value     = "storage.objects.create"
  }
  destination {
    cloud_run_service {
      service = google_cloud_run_service.default.name
      region  = var.region
    }
  }
  service_account = "${data.google_project.project.number}-compute@developer.gserviceaccount.com"
  depends_on      = [google_project_service.eventarc]
}
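The Audit Log trigger above runs as the project’s default compute service account, which typically carries far broader permissions than a trigger needs. The following added example (not code from the post or the eventarc-samples repository) defines the same trigger with a dedicated service account that holds only the two roles Eventarc requires: roles/run.invoker on the sink service and roles/eventarc.eventReceiver. The names eventarc-trigger-sa and trigger-auditlog-sa-tf are assumptions, as are var.project_id and the google_project_service.eventarc resource from the post’s main.tf.

```hcl
# Dedicated identity for the trigger (account_id is a hypothetical name).
resource "google_service_account" "trigger" {
  project      = var.project_id
  account_id   = "eventarc-trigger-sa"
  display_name = "Eventarc trigger identity (least privilege)"
}

# Let this identity invoke only the sink service, not every Cloud Run
# service in the project.
resource "google_cloud_run_service_iam_member" "trigger_invoker" {
  project  = var.project_id
  location = var.region
  service  = google_cloud_run_service.default.name
  role     = "roles/run.invoker"
  member   = "serviceAccount:${google_service_account.trigger.email}"
}

# Required for Audit Log triggers to receive events.
resource "google_project_iam_member" "trigger_event_receiver" {
  project = var.project_id
  role    = "roles/eventarc.eventReceiver"
  member  = "serviceAccount:${google_service_account.trigger.email}"
}

resource "google_eventarc_trigger" "trigger-auditlog-sa-tf" {
  name     = "trigger-auditlog-sa-tf"
  location = var.region
  matching_criteria {
    attribute = "type"
    value     = "google.cloud.audit.log.v1.written"
  }
  matching_criteria {
    attribute = "serviceName"
    value     = "storage.googleapis.com"
  }
  matching_criteria {
    attribute = "methodName"
    value     = "storage.objects.create"
  }
  destination {
    cloud_run_service {
      service = google_cloud_run_service.default.name
      region  = var.region
    }
  }
  # Run as the dedicated account instead of the default compute account.
  service_account = google_service_account.trigger.email
  depends_on = [
    google_project_service.eventarc,
    google_cloud_run_service_iam_member.trigger_invoker,
    google_project_iam_member.trigger_event_receiver,
  ]
}
```

The explicit depends_on on the IAM bindings avoids a first apply where the trigger exists before its identity is permitted to deliver events.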
Deploy with Terraform
Deploying resources with Terraform usually involves three steps:
1. Initialize Terraform:
   terraform init
2. See the planned changes:
   terraform plan -var="project_id=YOUR-PROJECT-ID" -var="region=YOUR-GCP-REGION"
3. Create resources:
   terraform apply -var="project_id=YOUR-PROJECT-ID" -var="region=YOUR-GCP-REGION"
After a few minutes, all the resources (a Cloud Run service and two Eventarc triggers) will be created. You can double-check the list of triggers:
gcloud eventarc triggers list --location YOUR-GCP-REGION